
Security Unfiltered Podcast: The Future of Device Authentication is Here

TL;DR

  • Identity drives security: Most breaches stem from credential and identity failures, not sophisticated exploits.
  • Device-bound keys stop attacks: Hardware-backed, non-movable credentials eliminate theft, stuffing, and MFA bypass.
  • Authentication must include device posture: Every login should verify the user and the safety of the device.
  • Security now includes agents and machines: The same identity model applies to drones, robots, servers, and AI agents.
  • Startup scale requires culture: Jasson highlights how trust, alignment, and avoiding burnout fuel outsized impact.

Full Transcript

How's it going, Jasson? It's great to get you on the podcast finally. I think we've been talking about doing this thing for a couple months at this point and, you know, I I felt so bad. I think I had to reschedule like three times on you, but I'm really glad to finally get you on.

No worries. I'm glad to be here. And it has been a bit of a crazy summer, so it's no big deal.

Yeah. It's it's been such a crazy year just just overall. You know? Like, I feel like because so I have a two and a half year old, and I have a six month old. And I I feel like once you get into a rhythm with one, right, the second one comes, it's like, this changes, like, my entire schedule and everything is just jacked up, you know, and, you know, there's so many nights that you can go with no sleep. It's just, you know, that's what you're doing. It's crazy.

Yeah. Yeah. No. This year definitely feels like, if you blink, you'll miss it.

Yeah. It feels like it just flew by.

Yeah. Twenty five if it's, like, it's a don't get me wrong. It's been a good year, but I like, this is the year where I think I requalified for one k by March.

In the last, like this week is an amazing week for me because it's like one week where I get to be home. The previous six weeks, it was like two weeks across Europe, a week in Japan, two weeks across the US, a week in Mexico. And I've only ever gotten like a week or two off between these six week tours. So like, yeah, this, this, this year is this year is like the scale testing year.

Wow. That is that's fascinating. So, like, what are you doing, you know, on these tours? Are you are you giving talks or what does that look like?

It's a little bit of everything, but we started so our business started to evolve over the last twelve twelve to eighteen months where we started getting a lot more inbound from large organizations, specifically critical infrastructure, ministries of defense, departments of defense, governments. And, the gist of it was it it really it's actually pretty simple. Right? It boils down to at the end of the day, most security incidents are identity problems.

And, you know, for all sorts of reasons we get into later, like identity truly is the future of security, like solving things properly, not just like putting the fires out quickly, but like preventing forest fires. And and so, yeah, the business has, has changed a bit and it's a combination of talks and like prospect and customer visits. But, you know, in Europe, it's a combination of kind of cyber crime as well as kind of act more active call it gray warfare. Right?

So like with the war, with the Russian war in Ukraine, there is a lot going on in Europe around kind of sabotage operations, cyber operations that kind of blend into the physical. And so we're seeing a lot of critical infrastructure get serious about kind of plugging their holes. And it's very kind of state actor driven. Similar thing in Asia, we're seeing a lot more adventurous exercises being carried out by various Chinese threat actors.

And it's usually against the usual suspects, right? Like us and American allies. And and so as a byproduct, we're seeing again, critical infrastructure everything from like energy production to transportation to finance really getting serious about kind of plugging some of these holes. But the other intro, you know, the other thing that just to, to remind everyone, you know, you said this would be like a conversation at a bar.

The first thing that usually someone says after you mentioned all the travel is like, man, that sounds glamorous. That sounds awesome. You get to see all the places.

And, you know, on one hand it is a privilege to be able to visit these places, but what you get to see is usually from the Uber ride. And, you know, if you're lucky and I have gotten a little bit better at this, you know, you can, you can maybe budget an hour a day just to keep exercising and like not go insane, but it's exhausting. And, yeah, six weeks of that and my, my fit, my fitness app was basically, I was using it to actually track the residual heart rate, like my resting heart rate. You can literally see it change dramatically in the first four days after that six week trip when I was home.

And you can also see it in like my sleep time. So like the first four nights I sleep for ten to twelve hours and my heart rate, my resting heart rate is actually pretty high. And then by day five, it's like back to six to seven hours. The resting heart rate is like down to where it should be in like the fifties and sixties.

Yeah.

It's exhausting.

Yeah. Yeah. I'm I'm also a bit of a health data nerd with my own trackers and whatnot.

I noticed that too. Like, when I travel, even if it's a place that I've been, you know, ten times, like, if I go to Vegas, you know, and I'm staying in the same hotel that I always stay in, right, like, still, you know, those first, like, three, four nights, sometimes it's just the entire trip. Is just complete garbage sleep whether I drink or not, you know, like, it's irrespective of that whether I go to sleep at a normal time for me or not. Like, it's terrible.

And I always come back. I'm just so exhausted. It takes me, like, two, three days to recover. Same thing when I go overseas or anything like that.

I try to, I mean, this is just me. Right? But when I go, like, somewhere new for work, I try to take, you know, a couple days extra and just go and, you know, see around and sightseeing and whatnot. I was going to go to Japan one time for work, and I told my boss, like, straight up, I was like, alright.

Well, I'm taking two weeks vacation after my week of work in Japan. Like, I'm telling you that right now. Can you just book my flight to come home on this date? You know?

And, like, they were totally fine doing it. Right? Because I one, I had the time. And two, it's like, you go that far.

It's like, man, I don't wanna make another twenty hour flight to come out here and see everything again that I should have seen the first time.

Yeah. On on one hand, what is it? Boom aerospace. They can't get here fast enough.

Right? It does take forever to get places. Yeah. Actually, you know what? That's kind of the lure that we use.

So we have a have an overseas engineering office as well. And, it's distributed teams are always difficult. Right. And so like, how do you promote the mixing of your engineers between offices or at least locations?

And that was essentially the, the, right that we would always offer is like, look, if you're willing to go for at least three weeks and work out of this office for three weeks, I'll pay for your spouse to go with you.

Like that kind of stuff. Right? Yeah. And that actually worked really well for us at my previous company. We haven't quite done it that way here just because when we were building out, COVID was happening and it wasn't that wasn't even possible. But, I mean, we'd support the same thing here too. It's just we're we're a little bit further built along.

Yeah. Yeah. No. That's a that's a fantastic perk. It's always nice to see when leadership is is taking care of their employees, you know, and actually, like, caring about their own lives outside of work and whatnot like that.

It's always refreshing to see that because you don't always see that. You'll see it with, like, your direct manager, you know, sometimes, but to see it up the chain really speaks volumes to the company's cultural role.

Yeah. Well, I mean, I think I think a lot of companies actually do do care. It's just things do get lost in the moment. Right?

And, like it's, like startups are such a unique thing. Right? Like at the end of the day, a startup is not a normal job. It's not for everybody.

It's really, really hard. And, you know, it is a marathon. It's not a race. And like, but it, but it's not a singular race either.

Right? Like the team has to finish. And so there is a lot of give and take. Right?

Like, you're gonna spend more time with your colleagues in a startup than you are your spouse. So there does have to be there does have to be like friendship. There does have to be relationships. There does have to be mutual respect and that sort of thing.

You know, I'd say the the the tricky thing in startups is actually mismanaging that expectation. Right? Like when you get people, good people, but like they're not down for that style of mission. It can, it can kind of, you know, breed conflict and whatnot that can kind of come off as as as various things there.

Like we ran into that early on in our, in our history, but but but, yeah, for where we are right now, like, look at it, like, we need the full team. Right? We're only a hundred people. We're trying to compete with organizations that have five thousand plus people.

We need everything out of everybody.

And, you know, if you burn people out, then then, like, you're you're you're you're lopping off an arm or lopping off a leg. So you've gotta find ways of making it work. You've gotta find ways of making it fun. You've gotta actually like the people you work with. Otherwise, why do it?

Yeah. No, it's fascinating. Well, you know, Jasson, we kinda just dove right in, right, with giving your background or anything like that. So why don't we why don't we dial it back, you know, a couple couple years, right, and talk to us about, you know, how you got into into it, how you got into security, what piqued your interest to get into the industry? And you know, maybe even like what made you want to go and like become an entrepreneur and do startups and get into companies at that at that level?

So it's more than a couple years.

Back to the whole time flies faster than you can imagine. But, you know, I was I was I was fortunate enough to where I grew up in a house of engineers. We everybody always worked on stuff. Right?

Like my dad would, would, would refuse to buy stuff around the house. He would build it. Right? Like whether it was bookshelves or cabinets or whatnot to working on the car, you know, he wouldn't bring it to the shop to get serviced.

He would do a lot of it himself at least early on. And you know, I guess by osmosis or adjacency, like even though I ruined my toys, I tended to like, you know, a lot of kids did this, right? You took your toys apart, try and figure out how it worked. And you're like, you're, you're, you're pulling capacitors and resistors and inductors off a circuit board thinking, you know, you're a Doogie Howser doing surgery and reality is you're just breaking your toy.

But I don't know, for as long as I can remember, I've always been interested in tinkering and engineering. Right. And like taking apart electronics and building Legos was the thing. And when I got into junior high and high school, I was able and fortunate to actually get into these like robotics competitions where you've got to build a thing that really did move and go and do stuff.

And I had learned how to write software mostly as a hack to, to go through my math homework faster. But then I started realizing that like, Hey, this is more than just for hacking out your, your math software or your math homework. You can, actually get your software to run on this processor and control this robot and make it do x and y instead of, like, you know, the the baby circuits. Right?

Where you have, like, a a photoresistor. And as the the light shines stronger, it gets more current, which means it steers a little bit more to the right than to the left, that kind of stuff. So, you know, I would say tinkering and and building stuff was a was a kind of an early childhood thing. Going from there to IT was pretty natural.

Right? Like, you build you build and tinker with stuff. You play games. You wonder how it works.

You know, this was we had the internet, but it was cooler to actually get your modem to call your friend's modem, establish a PPP link between your two computers. And then you could really dog fight with the, with the, the combat simulator. Right. So like that kind of stuff is pretty much what I was doing in my teenage years.

And the entrepreneurial bit was more of necessity. Right? Like you get to college, you, you think you're rich because you've saved all the money you've earned in your high school job. You got like two whole thousand dollars and you're like, this is gonna last, you know, I'm not gonna have I'm just gonna be able to enjoy this.

I'm gonna be able to go to a party from time to time. And long long of it, you know, that doesn't get you very far at all. And I had to get a job. And I found a job actually writing software.

And, obviously, I was very, very young at the time, but because I had a lot of experience writing basically math in C or implementing certain types of math functions in C, I got hired as a research assistant. It's for like a geoscience, sort of company.

And, I don't know. I think that gave me the idea that like, you know, you don't procedure and protocol and decorum are what society suggests you ought to have, but if you just want to do something you can. And, from there, two years later, I joined an actual startup in Austin, Texas and, as an engineer. And again, I was super young for what they were asking me to do, but I happened to be in the right place at the right time and I had experience and, you know, I loved it right at the startup that gave you, I like food. Right.

And I like a good buffet and a startup felt like showing up at the best buffet ever. Right. Like there's miles and miles of all of these cool, interesting problems. And, you know, there's only three people to help you eat your way through the buffet.

So no one's going to get angry. No one's going to get possessive. No one's going to get territorial. If you want to eat anything, they're going to help.

And they're going say, knock yourself out. But if you start, you got to finish. And I don't know. I love that about a startup.

Like you could, there is no problem you couldn't work on as long as you're willing to own the outcomes. The, the learning aspect of it too. Right? Like in a, in a startup, you can't afford to hire experts in all the verticals that touch whatever problem you're on.

You have to figure it out. And for me, and, you know, there's a lot of people that are this way. Like, the joy of figuring something out is kind of like a drug. Right?

Almost so to where you have to be a little bit careful. Right? Because the startup is there to to build a business and to make money and return, stuff to shareholders, not just for learning stuff. But, you know, I, I, I fell in, I fell into startups and entrepreneurship out of necessity.

I needed, I needed money and they needed someone with my background at the time, but, but it quickly became what I've been doing for twenty some odd years because it's, it's it's one of those places where ultimately you kinda have complete freedom.

Yeah. Yeah. That is it's fascinating how you describe it like that because it's it's so true. And I started my career at startups, and it was an interesting experience, you know, because at the startup I was doing a little bit of everything, you know, like application engineering, doing customer related work, help desk, you know, just just about everything and I wanted to get into cybersecurity and so I kind of took over the, you know, vulnerability management program of this startup for our solution, you know, like, and that was exactly what you said was exactly what my VP told me.

He goes, once you start it, you gotta own it through and through. Like there's no going back and you know, me not knowing what that is young twenty something year old kid. Right? I got into it and luckily I enjoyed it, you know?

But that that was the mentality. And then from there, I went to, like, really large companies and it's a totally different mentality. I mean, there's people there for thirty years and they're there for a reason for thirty years. You know, you can literally just fly under the radar, do the bare minimum, get your paycheck, you know, and not really learn anything new.

Like, it's possible in those environments. And for me, that's like the complete opposite of who I am. You know, like, I didn't start this podcast out of comfortability of talking to people. Right?

I kind of started it because it's kind of pushed me outside of my box every time I do it, you know, and makes me better. It makes me different. Right? In startups, now I'm now I'm finally back at a startup and I, you know, I I basically own my entire vertical and the CEO is just like, however you want to run your side of the business is how you want to run it.

If it succeeds, it's on you. If it fails, it's on you. Like, it's up to you to make to make this thing work. We believe in you, you know, and it's all about leveraging, you know, other team members and their skills and getting their feedback and what worked, what didn't work and you know, implementing it in the, in the my side of the house, right?

It's, it's a totally different feel. And I always go back, you know, you don't always have to be the number one guy, the CEO of a company, the founder of a company to be, you know, successful financially. Right? Like, you look at, like, Steve Ballmer or or the the CEO of Microsoft.

Right? I mean, they they were what? The number five guy in the hierarchy for for years.

I mean, Steve Oh, yeah.

Steve was a janitor for a while in the beginning. Like, he did everything, you know? He discusses it very openly. So it just shows you, you know, you can you could still come out alright and be, you know, the tenth or the fifteenth guy in line to the to the CEO when you believe in a mission and, you know, see it through.

You know, one of those stories that I heard early in my career that that that kind of submitted itself similar to that was this was the late nineties. There was a company called Level 3 Communications. They're still around. You know them today as CenturyLink.

But their innovation at the time was just realizing that, like, hey, the Internet's gonna change everything. Right? And everybody's gonna get connected to the Internet. And so we're gonna need fast, connections.

And, fast basically means fiber, means means lasers. Now these things called this technology that was basically wave division multiplexing and dense wave division multiplexing. Basically in one fiber, you can actually have more than one signal. You just shift the different signals by essentially the wavelength.

And what Level 3 realized was, Hey, this technology is gonna evolve pretty much every two years, but it would be a mechanical engineering nightmare to try and trench new stuff every two years across the continental US. And so they came up with this system that is kind of like the revolver magazine, the magazine of a revolver. And so what they, what they, they laid this conduit across the US and they came up with a couple of interesting things, right? One was this train car that basically had this big arm that would lay the conduit on the side of the rails.

So that's kind of how they did it in a mechanical fast way. But the second part that I found more ingenious was the conduit had this revolver-magazine-like structure, right? Like imagine like five or six hollow tubes. And what they could do is they had these flanges that they would mount to fiber and they would all, they would be able to just blow with air pressure, the new whatever the new fiber technology is down the latest chute.

And so like two chutes were always active, two chutes were being decommissioned and two chutes were always being developed. And they didn't have to retrench. They didn't have to rerun rail. It was literally just like a they figured out that ninety percent of their architecture could be fixed and ten percent could be modular.

So like, that was one of the things that stuck with me. But the, the, the thing that was related to your story was the receptionist made like almost two million dollars at the IPO there. And I, and I thought if the receptionist can become successful, everyone at the company can be successful. And they were, they were like, I don't know, five, eight hundred people at this point.

It wasn't even like a ten person job. So so, yeah, if, you know, not all startups get these sorts of outcomes, but if you do it right, it can it can work for everybody.

Yeah. Yeah. It's a really good point. But, you know, what what is what's the problem that Beyond Identity is solving? What what what what was the problem in the marketplace that you guys identified, you know, as an issue?

Because I've worked with identity, I've worked in I'm that's kind of where I cut my teeth for, you know, security. And it's very easy for it to become a mess.

A lot of the times it's a mess regardless, you know?

Yeah. So we looked at it in a couple different ways, but so my previous company or my my previous role, I was a CTO at a company called SecurityScorecard. And we we had a ton of data and research through collaborations with our partners on breached companies. And we had all the data analysis of what correlates, so not cause, but what correlates generally, right?

What data signals and behavioral signals correlate to breach. And what was striking was three or four signals were incredibly strong in their correlation. And then everything else was kinda close to zero. Right?

And those signals were all about the identity system. How are passwords managed? How is the endpoint? How are passwords managed?

Is 2FA present? And then the third one, which I'll argue is related, but may seem a little bit different is do they have an endpoint patching program in place? Endpoint hardening and patching. And, you know, we looked at so so so that's kind of an interesting thing.

Right? Like, I take a step back and then I just think about it. Right? No matter the organization, no matter if you're an employee or contractor or cuss or even a customer, and no matter if you're working on a managed device or an unmanaged device, you're gonna cross the identity bridge to get to any service or data.

So number one, identity is like the structural high ground. It sees everything by definition. Right. So that's kind of one observation.

Number two, it's the strong mishandling of it is the strongest corollary breach. And, and, and, you know, since we got started, this has been proven out as well by like Mandiant and CrowdStrike and Verizon, where they track security incidents. Eighty plus percent of all security incidents are identity failures. Right?

So this is kind of like the topical observation, but like, what about fifty thousand foot? Like what what's going on a little deeper? Well, a little bit deeper. It's not hard to reason about that.

Identity historically is not a security function. It's a productivity function. It's IT. If I run identity, I'm judged by getting you to work fast.

I'm not necessarily judged for security outcomes. We hired some security folks for that. Right? Like blame them.

And, so the incentives aren't necessarily there, I would argue, for identity companies to be security companies historically. But then when we get into the technicalities of it, right, that's where things become really, really interesting. The most common technique that an adversary will use to compromise an identity system is a variation of credential theft. I can steal the credential from you.

I can steal the credential from somewhere that you've used it. I can steal credential from a third party ecosystem that you don't realize kind of handles your credential in one way, shape or form. Right? There there's there's probably twenty different enumerations of this.

Fundamentally, I steal your credential. I bypass the MFA or I push bomb MFA or a man in the middle MFA. And then I hijacked the session at the end of it. Right.

I copy the cookie out. I copy the access token out. I copy the bearer token. So in all of those statements, there's a symmetric credential that can move.

So that's kind of interesting. We think of now, now let's, let's think about computer science. Like, like let's take ourselves back to like teenage years. What does that mean?

A credential that can move? Well, it means it's in memory. It means I copy it from my memory to someone else's memory. And now let's think about a traditional connection between your browser and some service, maybe ChatGPT.

Does TLS guarantee the protection of that credential that you're moving back and forth?

We all kind of assume yes, but it actually doesn't. There is no end to end TLS anymore. And there maybe never was. If you're in a big enterprise, Palo or F5 or Zscaler is terminating that TLS before it even leaves your enterprise.

Right? Then it goes to Akamai or Cloudflare, Amazon CloudFront, right? For content distribution. Then it probably goes through an application load balancer layer in how the service is distributing itself across regions and zones.

And then if your engineers are doing what's new and exciting, they've deployed a Kubernetes cluster, which means you go through a service mesh, which can re-terminate your TLS connection. Right? So you're probably not managing any of these. They're probably all third party managed.

So now the footprint of where your credential lives is like three or four third parties that you have no ability to track that represents credential theft that they can, they can basically represent insider threat as well as, exploitation. So again, this is just one example of like, why are credentials so easy to steal? But our insight was, well, what if a credential didn't have to move? What if we could move from symmetric credentials to asymmetric credentials?

Right? And asymmetric cryptography for signatures is clearly an old technology. It's been around. People know how to do that.

But what if we could take it one step further? What if we could guarantee the signing key cannot move? And the observation one of our engineers made early on was like, hey, HSMs can do that. And HSMs exist in servers, but they're expensive.

But wait a minute. I think because of mobile payments, things have changed. And it turns out, yes, because of how the mobile payments industry drove a change in the chip manufacturing industry. You almost cannot buy modern electronics today that does not have a version of an HSM in it.

Your phone has an HSM. Your laptop has an HSM. That drone that you bought, that you're flying around your yard, it has an HSM. Right?

So if these HSMs exist everywhere, then what if we move primary authentication to be asymmetric where the private key can't move? If it can't move that surface area that I described a minute ago, shrinks to a single point and credential theft doesn't work. Stuffing doesn't work. Guessing doesn't work.

If I'm on the device you're working from, it's actually rather trivial to then start detecting things like man in the middle, man in the browser, attacker in the middle, that sort of thing. And then that third comment, remember endpoint patching, endpoint hardening, that sort of thing. Well, when you get on an airplane, it's not enough for you to be the right person on the ticket. You also need to make sure you have no guns, no knives, no bombs. Right?

You have to be safe enough for the environment you're asking for. Again, if we're managing the credential on the device you're actually working from, then it's rather trivial for us as part of authentication to also comment on the safety of this device relative to the service it's asking for. We can basically check the posture and say, Hey, this device is hardened. This device does have the security controls you would expect relative to what it's asking for.

That can be attested and kind of sealed over. And that is kind of the essence of what we do, the foundations. We plug into your existing identity stack. We don't displace it.

And we transform how authentication works in your organization to where there is no movement of credentials. So there is nothing to steal. And you cannot man in the middle the connection because we can detect it. And every authentication, whether it's the initial access attempt or reauthorization for continuous auth, always checks the full posture of the device.

And, you know, we started off doing that for workers, employees, contractors. The typical movement early for us was a customer would have, a contractor audience, contract software developers, contract marketing, contract PR executives with exemptions for personal devices. But they had to maintain compliance. They had to be able to show that even though these folks were working on their data, that it was still secure, the controls they expect were still present.

And so we could do that simply. Where we've now moved into is because of how we built our authentication technology and how it's kind of universal. Our authenticator works on Linux and because it works on Linux, it's actually rather trivial to make it work on this drone. And if I have a bunch of drones flying around and I want to know what drone is mine versus someone else's, I can just zap it with an 802.1X challenge.

And I can get back a full attestation from our authenticator. You can run it on a humanoid robot and get, get identity. You can actually run it on a server based agent and start solving some of the agent identity problems that are coming up. So it's, it really foundationally it's about attacking the the primary security vulnerability, which is identity, which is credentials that move and and lack of understanding of the device the credentials are bound to.

But I I probably talked for too long.

No. It's, it's fascinating that, like, my PhD is actually like, I'm researching essentially the exact same thing with encryption keys Yeah. On satellites.

Okay. Cool. Cool. Cool. Yeah.

There there's a big issue, right, where there's just no real way to secure satellites for the future. Right? As soon as they leave the ground, you have, you know, a ten to fifteen minute window to connect with it, patch it, test it, make sure that it's still working, and then it, you know, rotates around. And, yeah, you can you can switch ground stations and whatnot, but it becomes very tedious and it's difficult.

It's really hard. And, you know, a lot of the satellite people that I was talking to, they said, oh, you know, what you're trying to do probably isn't gonna work. It's gonna be too delayed or whatnot. And, I mean, my my theory was, well, can we just throw it in an HSM, put the keys there, authenticate the keys on an interval, you know, when we need to communicate throughout the network and then call that zero trust?

Like, doesn't that meet the requirements for zero trust? And if it meets those requirements, can it use, you know, post quantum encryption to communicate off of? And all like, now everyone that I'm talking to, the people that are, like, actually in the post quantum encryption world and, you know, the satellites and everything else, they're saying like but, yeah, that's totally doable. That's, like, totally possible.

It's it's fascinating because, for two years yeah. For two years, I was literally thinking, man, is this thing even gonna work? You know? But it's fascinating to hear you explain it because that's literally what I'm gonna be doing with encryption keys, just utilizing the HSM module that's already on there.

Yeah. The so so funny thing there. So if you've got a TPM, the TPM is the is basically the gold standard. The downside with the TPM, and I'm gonna forget the precise numbers, but it's very limited in bit rate.

So I think you the max the max bit rate you're gonna get, you're gonna push through a TPM is, I remember it like eight meg or like forty meg or something like that, but it's pretty low. With that said, it's it's fast enough for you to use it to then generate short ephemeral session keys. And, and then like every now and then do like the stronger attestation. So like, there's a lot of things you can do with TPM, but then like, you know, TrustZone gives you a lot.

You're probably working on ARM, right? In that environment, ARM based Linux.

I I may know a little bit about this because of some of our newest customers.

Yeah. No. That that's that's fascinating. It's interesting.

I I wanna get your opinion on it. Right? Because I I remember in the first startup that I was a part of, I ran the the DOD, the the federal contracts that we had. And I was talking to the to my sales guy at the time.

You know, I asked him, I was like, well, how did we even, like, get into, you know, doing government contracts and whatnot? And he he literally said it took four years to get the first one. And once you got the first one, like, we got, like, twelve others in the same year. Right? Because it's like all about it's all about like the circle of trust. If you get into the circle of trust, everyone goes to you for that same thing. But if you can't get into one place, basically, no one trusts you.

Yeah. It very much is a all or nothing. And you know, it works it works like that with mission partners too. Right?

So, like, when you go over and you wanna talk to MOD over in the UK or whatnot, usually the first question they ask is who in the US DOD are you already working with? Right? So it's a but like, let's zoom out. Right?

Like at the end of the day, no one has truly enough time to do all the diligence that that that that that you would truly need to do to know everything on your own. Right? So like reputation via peers that you trust is it is how the world works and it is a major influence point in decision making. I know I I do that in some of the decisions that I make.

Right? If I don't really have time to think through everything, which is very often, it's like, well, who do I know that I actually trust for that area? So it makes sense.

Yep. Yeah. No. It's it's a great way to do it too. And that's why I always tell people to, like, really build up build out their network, you know, like, don't don't take it for granted, you know, actually engage with people and whatnot and and, you know, build it up, right?

Because you never know when an interesting opportunity is gonna come along and, you know, you need to reach out to someone and say like, hey, is this a real thing? Does it work like this? You know, all that sort of stuff. Kinda have a candid conversation with someone.

I've I've had that so many times, you know, even even with the podcast. Right?

I I had, like, one of my first sponsors, you know, they reached out to me and they were asking for some forms and I reached out to, like, my business slash podcast mentor. And I was like, hey. What what are they asking for? He goes, hey, man.

It means that, like, you're doing good. You need to provide them this. I, like, couldn't I just, like, couldn't figure it out. You know?

It's just it's fascinating how that works.

The yeah. No. Opportunity a lot of opportunity is serendipitous.

My, I ended up doing my PhD because of serendipity, right? Like at the right place, right time at the right person. I ended up working for the general Keith Alexander through serendipity, right. Former director of the NSA. I ended up actually ended up meeting Jim Clark through serendipity here at Beyond Identity. You know, you need to be good at what you do and hard work matters, but like luck does play a role.

Yeah.

That's that's fascinating. There was a couple times where, I mean, you might be the fifth person that I've talked to that knows Keith Alexander and, like, looking for ways to bring him on. I'd love to have a conversation with him, you know, and just, like, pick his pick his brain for an for an hour. The things that he that he has seen, you know, and has knowledge of, like, it's just so it's a different world. Totally different, it's so fascinating to me.

Think about it. Right? The director the dual headed director of NSA and Cyber Command from two thousand four to two thousand fourteen when the world literally transitioned from kinda pure cyber espionage to actual cyber physical attack. And then all of the world events that happened in that timeframe as well. Like it's yeah, it's a pretty interest. I mean, it's pretty interesting period in history.

I mean, yeah, as is today, but yeah, that timeframe really changed everything with cybersecurity, you know, forever.

It's for a long time. And I I read the book on on Stuxnet. It's Zero Day, right, by, like, Kim... Remember that? Kim Zetter.

And, you know, they mentioned in the book that, you know, cyber security and, you know, malware and, you know, worms, this whole world of malware never really crossed over into the physical realm until someone put together a piece of malware that made a generator operate at an RPM that it wasn't supposed to be operating at, and then it explodes over at Idaho National Laboratory. Right? And there was some general there that was watching it. And I I don't know if it was Keith Alexander.

It was someone someone important was watching it, and it was like a light bulb, you know, that that came on in their head. I was like, this is this has real world implications. That was like the first time that they ever really, you know, tested it out and whatnot. And then you fast forward, you know, probably ten years.

Right? And we we saw it again with like Ukraine's power grid when Russia first first invaded. Right? The very first thing that they did was take over those computers and, you know, they were they were operating the mouse and going through everything, shutting things down and they had no clue what was happening.

Luckily, because of how their power grid is, they're used to manually operating it but god forbid that happens in America. There's like no chance that we would be able to efficiently and effectively manually start operating the power grid because our digital systems were taken over.

You know, when you think about cyber physical, it's pretty interesting. Right? So like we've, we've lived with denial of service for a long time, right? Like denial of service attacks, product attacks.

But imagine denial of service that it's more of like a physical, a cyber physical denial of service, right? Like if I've got bots, but my bots were light bulbs or my bots were smart devices, right? Smart toilets. If I flushed all the smart toilets of New York in one moment in time, could I actually physically stress the sewer system?

I actually don't know the answer to that question. However, if I could turn on a current draw on a bunch of smart devices at the same amount of time, I do know that I could break fuses. Right. And junction points.

And then there's a question of how long does it take to replace those? What's the manufacturing pipeline even look like? So like they're they're, I mean, the good news is we are taking these sorts of things seriously now. Right.

But the, you know, the bad news, I guess it's just the asymmetry of cyber operations is in a highly connected modern economy. Everything is up for remote control. Right?

Yeah. Yeah. Everything is up for the taking. I feel like people don't people don't really understand that, you know? And even when you go to like, I I spent a long time in, you know, internal security teams for companies.

And it seems like the only industry that, like, fully understands it and doesn't care how much money they have to throw at the problem is the banking industry.

Yeah. I was about to say finance.

Yeah. Not even not even like the the private investment firms, you know, like, they're they're still trying to, you know, cut costs as much as they can and be as cost efficient. I was talking to some people at at Bank of America because they were they were looking to bring me on maybe a year ago. And I was asking what the budget was for for cloud security.

And they were like, you don't ever have to worry about what the budget is. And I said, well, why? And he said, the budget this year is one point five billion for cloud security. It's like, there's literally no cost that we, like, even blink at.

And it makes sense because they they understand like, oh, if, you know, if Bank of America, JP Morgan Chase get breached and I mean, they have everything. They have your mortgage. They have your social security number. They have your address, your phone numbers.

They have your entire identity history. Right? Because how often do you change banks? I mean, I changed banks once fifteen years ago and I haven't even considered changing one time since then, you know?

Well, they're they're also like beyond just like consumer banking. Right? They underwrite they underwrite the transactions that drives the entire economy.

Right.

So like with that, the, the, the thing that's really easy to forget is, you know, the size of the economy is not based on raw dollar value. It's based on like the velocity of money and transactions itself. So like slowing things down is actually harmful. Right?

No, it makes a lot of sense. I mean, there's a reason why people don't go and buy things with gold, you know, like you still have to convert that gold. Like it has value, but you still gotta go and convert it to dollars and you're probably not gonna pay for it with cash. Those dollars go into a bank account, you know?

Like, it it makes things a whole lot more streamlined. Like, I'm not gonna go to, you know, some online web store and try and give them a gold coin. Like, that thing doesn't it doesn't even exist in the real world, you know? Like, it's a digital store.

But that that that's a really good point that it's it's more about, you know, high speed frequency of the money that's actually changing hands rather than the physical dollar itself. I never thought about it like that. I think I've I've heard it before for sure. I just didn't think about it like that.

You've definitely heard it. If you've ever taken an economics class, they call it money velocity.

Yeah.

But it's easy to you you're not in that space.

It's easy to forget. Right?

Yeah. Yeah. I mean, you know, I actually I took economics, and I I was one class away from getting my minor in it when I was doing my bachelor's. I'm still kinda frustrated that I didn't get that I didn't get that that minor in it because I was literally one class away.

But it was really fascinating to me. I don't know. Something with numbers. Right? Like, I I feel like if I had to do my bachelor's over again, it would be in math, honestly.

It wasn't necessarily the easiest for me but, you know, there's something with math that's very elegant where you can go forwards and backwards with it. You could start in the middle and go to the end. You can start in the middle, go to the beginning.

Again, you know, like if you really understand how everything is working together, you can do that. When I grasped that, you know, in my mind, it was it just like opened the door completely in a new way to me that was like, this is like really interesting, you know? And if I had to go back and do it again, I I totally would get my degree in math and I'd probably be in in cryptography now.

Yeah. Well, I mean, math underwrites everything we do. It's useful and valuable to know.

Yeah. Absolutely. So where do you see the identity space going? I mean, it sounds like Beyond Identity is already operating in kind of that futuristic area of IAM overall. Where do you see it going from here?

So I really do think the future of security is identity. And I think it's borne out, at the fifty thousand foot level, it's borne out like the gross statistics. Like most security incidents are identity failures. I think they're actually preventable, right?

Most of the industry is focused on detection and response, but now that everybody's got an HSM in their pocket or on their device or on their drone, we can actually prevent some of these forest fires from ever happening in the first place. Right. Which means it's cheaper, it's faster, it's better. We get better outcomes.

We can shift and work on a new set of problems. This doesn't change just because the computing platform changes. So the way you solve it for a human is actually not unlike the way you solve it for a drone or for an agent. For instance, I want to know what agent is running on what machine with what posture, and I want to know what model it's running.

And traditionally we might think of a user as like what user on what machine with what posture. And for the user, we'd think about like what factor do they possess? What are they right? Like a biometric or what do they know?

Like a knowledge. And how do we do that with an agent? Well, agents are programs and programs can, you can think of programs as being biometric. A program is a running process.

That's loaded from an actual file. That file is traditionally signed by the OEM that gave it to you. You can actually run those comparisons. You can decide if you trust the loader.

You can trace the process through the loader back to the EXE. Like, all of this can become part of a quasi checksum for even unlocking the HSM key that proves the identity for that particular agent. There are ways of doing device bound hardware backed multifactor agent authentication that actually are almost the same way that you buy a cup of coffee with Apple Pay or Google Pay. So I, you know, think the, I think where we're going in security is identity is gonna play a deeper and bigger role.

Identity is the only thing that sees everything. And I think the, the, the explosion you're seeing in agents right now is gonna prove that out even more. The easiest way of understanding what your people are doing with identity, what services they're plugging into their agents, where they may even be exposing data leakage is actually the identity system, right? Cause the identity system can offer trusted MCP servers, trusted data servers, trusted vector DBs to the agents.

They can offer trusted models or vetted models to the workforce, right? To make sure that, you know, you're helping the workforce as opposed to impeding the workforce. So, I think the future of security really is identity. And I think these new platforms, whether it's drones, humanoid robots, or agents are really just carrying the same old problems forward.

Like, you can't, you've gotta, you've gotta like reassess how you solve them. And changing the equation, moving from these symmetric credentials to immovable asymmetric credentials is kind of the first step in that journey.

Yeah. Yeah. No. That's very true. I totally agree with with everything you just said. You know?

Like, the cloud kind of put it at the forefront, right? Where identity is now the perimeter of your security environment. It used to be able to think of it as like your firewall, but now everything's identity based. If I want to get into your environment, it's literally a login screen and hey, now I have access to your environment.

Right? I mean, was it the MGM hack or the Caesars hack? Was someone just calling up the help desk saying, hey, I'm locked out. Can you reset my MFA and my password?

Yeah. It was just a login. You know? It wasn't it wasn't, hey, I'm gonna go and probe their firewall to see what ports they have open, you know, get in and redirect some stuff and whatnot.

It was identity based.

You no longer have a network. Right? You have the Internet.

And the only way the only thing so if if you no longer have your network, if you only have the internet, then you've gotta start thinking in like control plane or like overlay sorts of things. Right? And the only natural overlay you have across your organization is identity. That's it.

That really is it. Everything else is almost artificial. Right? Like you could say, well, I'll I'll construct a network overlay.

I'll force everything to that network overlay. So I have visibility and you, you can do that. It won't work for everything. It'll be expensive and it'll give you network issues, but identity is already there.

And if you're using an identity system that actually uses device bound credentials from the device they're working from, right, not pull out a second device, but like from the device they're working from, you can also comment on the security of that device. You can comment on its control and data plane without actually having to to to carry the burden of its traffic.

Yeah. It's a really fascinating area. And, unfortunately, we're at the top of our time here, and I'm I'm trying to be very conscious of, you know, the time that I set. Right?

I know everyone's so busy, and I'm probably unfortunately gonna go jump into more meetings after this. But, Jasson, I I really do appreciate you taking the time to finally come on the podcast and talk about this. I I would love to have you back on for sure, you know, talking about new product evolutions and stuff that you see in the space. I think that'll be great.

Absolutely. Well, thanks for having me.

Yeah. Absolutely. Well, before I let you go, how about you tell my audience where they can connect with you if they wanted to connect with you and where they could find your company if they wanted to learn more?

Yeah. So I'm easy to reach. Hit me up on LinkedIn, our website, Beyondidentity.com, hosts and talks about almost everything that I've mentioned. Also Claude and ChatGPT know a lot about us as well. So they can they can give you some context and and point you at some of our materials as well. But yeah, hit me up on LinkedIn or even X.

Awesome. Well, thanks everyone. I hope you enjoyed this episode.

TL;DR

  • Identity drives security: Most breaches stem from credential and identity failures, not sophisticated exploits.
  • Device-bound keys stop attacks: Hardware-backed, non-movable credentials eliminate theft, stuffing, and MFA bypass.
  • Authentication must include device posture: Every login should verify the user and the safety of the device.
  • Security now includes agents and machines: The same identity model applies to drones, robots, servers, and AI agents.
  • Startup scale requires culture: Jasson highlights how trust, alignment, and avoiding burnout fuel outsized impact.

Full Transcript

How's it going, Jasson? It's great to get you on the podcast finally. I think we've been talking about doing this thing for a couple months at this point and, you know, I I felt so bad. I think I had to reschedule like three times on you, but I'm really glad to finally get you on.

No worries. I'm glad to be here. And it has been a bit of a crazy summer, so it's no big deal.

Yeah. It's it's been such a crazy year just just overall. You know? Like, I feel like because so I have a two and a half year old, and I have a six month old. And I I feel like once you get into a rhythm with one, right, the second one comes, it's like, this changes, like, my entire schedule and everything is just jacked up, you know, and, you know, there's so many nights that you can go with no sleep. It's just, you know, that's what you're doing. It's crazy.

Yeah. Yeah. No. This year definitely feels like, if you blink, you'll miss it.

Yeah. It feels like it just flew by.

Yeah. Twenty five if it's, like, it's a don't get me wrong. It's been a good year, but I like, this is the year where I think I requalified for one k by March.

In the last, like this week is an amazing week for me because it's like one week where I get to be home. The previous six weeks, it was like two weeks across Europe, a week in Japan, two weeks across the US, a week in Mexico. And I've only ever gotten like a week or two off between these six week tours. So like, yeah, this, this, this year is this year is like the scale testing year.

Wow. That is that's fascinating. So, like, what are you doing, you know, on these tours? Are you are you giving talks or what does that look like?

It's a little bit of everything, but we started so our business started to evolve over the last twelve twelve to eighteen months where we started getting a lot more inbound from large organizations, specifically critical infrastructure, ministries of defense, departments of defense, governments. And, the gist of it was it it really it's actually pretty simple. Right? It boils down to at the end of the day, most security incidents are identity problems.

And, you know, for all sorts of reasons we get into later, like identity truly is the future of security, like solving things properly, not just like putting the fires out quickly, but like preventing forest fires. And and so, yeah, the business has, has changed a bit and it's a combination of talks and like prospect and customer visits. But, you know, in Europe, it's a combination of kind of cyber crime as well as kind of act more active call it gray warfare. Right?

So like with the war, with the Russian war in Ukraine, there is a lot going on in Europe around kind of sabotage operations, cyber operations that kind of blend into the physical. And so we're seeing a lot of critical infrastructure get serious about kind of plugging their holes. And it's very kind of state actor driven. Similar thing in Asia, we're seeing a lot more adventurous exercises being carried out by various Chinese threat actors.

And it's usually against the usual suspects, right? Like us and American allies. And and so as a byproduct, we're seeing again, critical infrastructure everything from like energy production to transportation to finance really getting serious about kind of plugging some of these holes. But the other intro, you know, the other thing that just to, to remind everyone, you know, you said this would be like a conversation at a bar.

The first thing that usually someone says after you mentioned all the travel is like, man, that sounds glamorous. That sounds awesome. You get to see all the places.

And, you know, on one hand it is a privilege to be able to visit these places, but what you get to see is usually from the Uber ride. And, you know, if you're lucky and I have gotten a little bit better at this, you know, you can, you can maybe budget an hour a day just to keep exercising and like not go insane, but it's exhausting. And, yeah, six weeks of that and my, my fit, my fitness app was basically, I was using it to actually track the residual heart rate, like my resting heart rate. You can literally see it change dramatically in the first four days after that six week trip when I was home.

And you can also see it in like my sleep time. So like the first four nights I sleep for ten to twelve hours and my heart rate, my resting heart rate is actually pretty high. And then by day five, it's like back to six to seven hours. The resting heart rate is like down to where it should be in like the fifties and sixties.

Yeah.

It's exhausting.

Yeah. Yeah. I'm I'm also a bit of a health data nerd with my own trackers and whatnot.

I noticed that too. Like, when I travel, even if it's a place that I've been, you know, ten times, like, if I go to Vegas, you know, and I'm staying in the same hotel that I always stay in, right, like, still, you know, those first, like, three, four nights, sometimes it's just the entire trip. Is just complete garbage sleep whether I drink or not, you know, like, it's irrespective of that whether I go to sleep at a normal time for me or not. Like, it's terrible.

And I always come back. I'm just so exhausted. It takes me, like, two, three days to recover. Same thing when I go overseas or anything like that.

I try to I mean, this is just me. Right? But when I when I goes like somewhere new for work, I try to take, you know, a couple days couple days extra and Just go and, you know, see around and sightseeing and whatnot. I was going to go to Japan one time for work, and I told my boss, like, straight up, I was like, alright.

Well, I'm taking two weeks vacation after my week of work in Japan. Like, I'm telling you that right now. Can you just book my flight to come home on this date? You know?

And, like, they were totally fine doing it. Right? Because I one, I had the time. And two, it's like, you go that far.

It's like, man, I don't wanna make another twenty hour flight to come out here and see everything again that I should have seen the first time.

Yeah. On on one hand, what is it? Boom aerospace. They can't get here fast enough.

Right? It does take forever to get places. Yeah. Actually, you know what? That's kind of the lure that we use.

So we have a have an overseas engineering office as well. And, it's distributed teams are always difficult. Right. And so like, how do you promote the mixing of your engineers between offices or at least locations?

And that was essentially the, the, right that we would always offer is like, look, if you're willing to go for at least three weeks and work out of this office for three weeks, I'll pay for your spouse to go with you.

Like that kind of stuff. Right? Yeah. And that actually worked really well for us at my previous company. We haven't quite done it that way here just because when we were building out, COVID was happening and it wasn't that wasn't even possible. But, I mean, we'd support the same thing here too. It's just we're we're a little bit further built along.

Yeah. Yeah. No. That's a that's a fantastic perk. It's always nice to see when leadership is is taking care of their employees, you know, and actually, like, caring about their own lives outside of work and whatnot like that.

It's always refreshing to see that because you don't always see that. You'll see it with, like, your direct manager, you know, sometimes, but to see it up the chain really speaks volumes to the company's cultural role.

Yeah. Well, I mean, I think I think a lot of companies actually do do care. It's just things do get lost in the moment. Right?

And, like it's, like startups are such a unique thing. Right? Like at the end of the day, a startup is not a normal job. It's not for everybody.

It's really, really hard. And, you know, it is a marathon. It's not a race. And like, but it, but it's not a singular race either.

Right? Like the team has to finish. And so there is a lot of give and take. Right?

Like, you're gonna spend more time with your colleagues in a startup than you are your spouse. So there does have to be there does have to be like friendship. There does have to be relationships. There does have to be mutual respect and that sort of thing.

You know, I'd say the the the tricky thing in startups is actually mismanaging that expectation. Right? Like when you get people, good people, but like they're not down for that style of mission. It can, it can kind of, you know, breed conflict and whatnot that can kind of come off as as as various things there.

Like we ran into that early on in our, in our history, but but but, yeah, for where we are right now, like, look at it, like, we need the full team. Right? We're only a hundred people. We're trying to compete with organizations that have five thousand plus people.

We need everything out of everybody.

And, you know, if you burn people out, then then, like, you're you're you're you're lopping off an arm or lopping off a leg. So you've gotta find ways of making it work. You've gotta find ways of making it fun. You've gotta actually like the people you work with. Otherwise, why do it?

Yeah. No, it's fascinating. Well, you know, Jasson, we kinda just dove right in, right, with giving your background or anything like that. So why don't we why don't we dial it back, you know, a couple couple years, right, and talk to us about, you know, how you got into into it, how you got into security, what piqued your interest to get into the industry? And you know, maybe even like what made you want to go and like become an entrepreneur and do startups and get into companies at that at that level?

So it's more than a couple years.

Back to the whole time flies faster than you can imagine. But, you know, I was I was I was fortunate enough to where I grew up in a house of engineers. We everybody always worked on stuff. Right?

Like my dad would, would, would refuse to buy stuff around the house. He would build it. Right? Like whether it was bookshelves or cabinets or whatnot to working on the car, you know, he wouldn't bring it to the shop to get serviced.

He would do a lot of it himself at least early on. And you know, I guess by osmosis or adjacency, like even though I ruined my toys, I tended to like, you know, a lot of kids did this, right? You took your toys apart, try and figure out how it worked. And you're like, you're, you're, you're pulling capacitors and resistors and inductors off a circuit board thinking, you know, you're a doogie howser doing surgery and reality is you're just breaking your toy.

But I don't know, for as long as I can remember, I've always been interested in tinkering and engineering. Right. And like taking apart electronics and building Legos was the thing. And when I got into junior high and high school, I was able and fortunate to actually get into these like robotics competitions where you've got to build a thing that really did move and go and do stuff.

And I had learned how to write software mostly as a hack to, to go through my math homework faster. But then I started realizing that like, Hey, this is more than just for hacking out your, your math software or your math homework. You can, actually get your software to run on this processor and control this robot and make it do x and y instead of, like, you know, the the baby circuits. Right?

Where you have, like, a a photoresistor. And as the the light shines stronger, it gets more current, which means it steers a little bit more to the right than to the left, that kind of stuff. So, you know, I would say tinkering and and building stuff was a was a kind of an early childhood thing. Going from there to IT was pretty natural.

Right? Like, you build you build and tinker with stuff. You play games. You wonder how it works.

You know, this was we had the internet, but it was cooler to actually get your modem to call your friend's modem, establish a PPP link between your two computers. And then you could really dog fight with the, with the, the combat simulator. Right. So like that kind of stuff is pretty much what I was doing in my teenage years.

And the entrepreneurial bit was more of necessity. Right? Like you get to college, you, you think you're rich because you've saved all the money you've earned in your high school job. You got like two whole thousand dollars and you're like, this is gonna last, you know, I'm not gonna have I'm just gonna be able to enjoy this.

I'm gonna be able to go to a party from time to time. And long long of it, you know, that doesn't get you very far at all. And I had to get a job. And I found a job actually writing software.

And, obviously, I was very, very young at the time, but because I had a lot of experience writing basically math in C or implementing certain types of math functions in C, I got hired as a research assistant. It's for like a geoscience, sort of company.

And, I don't know. I think that gave me the idea that like, you know, you don't procedure and protocol and decorum are what society suggests you ought to have, but if you just want to do something you can. And, from there, two years later, I joined an actual startup in Austin, Texas and, as an engineer. And again, I was super young for what they were asking me to do, but I happened to be in the right place at the right time and I had experience and, you know, I loved it right at the startup that gave you, I like food. Right.

And I like a good buffet and a startup felt like showing up at the best buffet ever. Right. Like there's miles and miles of all of these cool, interesting problems. And, you know, there's only three people to help you eat your way through the buffet.

So no one's going to get angry. No one's going to get possessive. No one's going to get territorial. If you want to eat anything, they're going to help.

And they're going to say, knock yourself out. But if you start, you got to finish. And I don't know. I love that about a startup.

Like you could, there is no problem you couldn't work on as long as you're willing to own the outcomes. The learning aspect of it too. Right? Like in a startup, you can't afford to hire experts in all the verticals that touch whatever problem you're on.

You have to figure it out. And for me, and, you know, there's a lot of people that are this way. Like, the joy of figuring something out is kind of like a drug. Right?

Almost so to where you have to be a little bit careful. Right? Because the startup is there to build a business and to make money and return stuff to shareholders, not just for learning stuff. But, you know, I fell into startups and entrepreneurship out of necessity.

I needed money and they needed someone with my background at the time, but it quickly became what I've been doing for twenty some odd years because it's one of those places where ultimately you kinda have complete freedom.

Yeah. Yeah. That is, it's fascinating how you describe it like that because it's so true. And I started my career at startups, and it was an interesting experience, you know, because at the startup I was doing a little bit of everything, you know, like application engineering, doing customer related work, help desk, you know, just about everything and I wanted to get into cybersecurity and so I kind of took over the, you know, vulnerability management program of this startup for our solution, you know, like, and that was exactly what you said was exactly what my VP told me.

He goes, once you start it, you gotta own it through and through. Like there's no going back and you know, me not knowing what that is, young twenty-something-year-old kid. Right? I got into it and luckily I enjoyed it, you know?

But that was the mentality. And then from there, I went to, like, really large companies and it's a totally different mentality. I mean, there's people there for thirty years and they're there for a reason for thirty years. You know, you can literally just fly under the radar, do the bare minimum, get your paycheck, you know, and not really learn anything new.

Like, it's possible in those environments. And for me, that's like the complete opposite of who I am. You know, like, I didn't start this podcast out of comfortability of talking to people. Right?

I kind of started it because it's kind of pushed me outside of my box every time I do it, you know, and makes me better. It makes me different. Right? In startups, now I'm finally back at a startup and, you know, I basically own my entire vertical and the CEO is just like, however you want to run your side of the business is how you want to run it.

If it succeeds, it's on you. If it fails, it's on you. Like, it's up to you to make this thing work. We believe in you, you know, and it's all about leveraging, you know, other team members and their skills and getting their feedback and what worked, what didn't work and you know, implementing it in my side of the house, right?

It's a totally different feel. And I always go back, you know, you don't always have to be the number one guy, the CEO of a company, the founder of a company to be, you know, successful financially. Right? Like, you look at, like, Steve Ballmer or the CEO of Microsoft.

Right? I mean, they were what? The number five guy in the hierarchy for years.

I mean, Steve Oh, yeah.

Steve was a janitor for a while in the beginning. Like, he did everything, you know? He discusses it very openly. So it just shows you, you know, you could still come out alright and be, you know, the tenth or the fifteenth guy in line to the CEO when you believe in a mission and, you know, see it through.

You know, one of those stories that I heard early in my career that kind of cemented itself, similar to that, was, this was the late nineties. There was a company called Level 3 Communications. They're still around. You know them today as CenturyLink.

But their innovation at the time was just realizing that, like, hey, the Internet's gonna change everything. Right? And everybody's gonna get connected to the Internet. And so we're gonna need fast connections.

And fast basically means fiber, means lasers. Now these things called, this technology that was basically wave division multiplexing and dense wave division multiplexing. Basically in one fiber, you can actually have more than one signal. You just shift the different signals by essentially the wavelength.

And what Level 3 realized was, hey, this technology is gonna evolve pretty much every two years, but it would be a mechanical engineering nightmare to try and trench new stuff every two years across the continental US. And so they came up with this system that is kind of like the revolver magazine, the magazine of a revolver. And so what they, they laid this conduit across the US and they came up with a couple of interesting things, right? One was this train car that basically had this big arm that would lay the conduit on the side of the rails.

So that's kind of how they did it in a mechanical fast way. But the second part that I found more ingenious was the conduit had this revolver magazine like structure, right? Like imagine like five or six hollow tubes. And what they could do is they had these flanges that they would mount to fiber and they would be able to just blow with air pressure the new, whatever the new fiber technology is, down the latest chute.

And so like two chutes were always active, two chutes were being decommissioned and two chutes were always being developed. And they didn't have to retrench. They didn't have to rerun rail. It was literally just like, they figured out that ninety percent of their architecture could be fixed and ten percent could be modular.

So like, that was one of the things that stuck with me. But the thing that was related to your story was the receptionist made like almost two million dollars at the IPO there. And I thought if the receptionist can become successful, everyone at the company can be successful. And they were like, I don't know, five, eight hundred people at this point.

It wasn't even like a ten person job. So, yeah, if, you know, not all startups get these sorts of outcomes, but if you do it right, it can work for everybody.

Yeah. Yeah. It's a really good point. But, you know, what's the problem that Beyond Identity is solving? What was the problem in the marketplace that you guys identified, you know, as an issue?

Because I've worked with identity, that's kind of where I cut my teeth for, you know, security. And it's very easy for it to become a mess.

A lot of the times it's a mess regardless, you know?

Yeah. So we looked at it in a couple different ways, but so my previous company, or my previous role, I was a CTO at a company called SecurityScorecard. And we had a ton of data and research through collaborations with our partners on breached companies. And we had all the data analysis of what correlates, so not cause, but what correlates generally, right?

What data signals and behavioral signals correlate to breach. And what was striking was three or four signals were incredibly strong in their correlation. And then everything else was kinda close to zero. Right?

And those signals were all about the identity system. How are passwords managed? How is the endpoint? How are passwords managed?

Is 2FA present? And then the third one, which I'll argue is related, but may seem a little bit different is do they have an endpoint patching program in place? Endpoint hardening and patching. And, you know, we looked at, so that's kind of an interesting thing.

Right? Like, I take a step back and then I just think about it. Right? No matter the organization, no matter if you're an employee or contractor or even a customer, and no matter if you're working on a managed device or an unmanaged device, you're gonna cross the identity bridge to get to any service or data.

So number one, identity is like the structural high ground. It sees everything by definition. Right. So that's kind of one observation.

Number two, the mishandling of it is the strongest corollary to breach. And, you know, since we got started, this has been proven out as well by like Mandiant and CrowdStrike and Verizon, where they track security incidents. Eighty plus percent of all security incidents are identity failures. Right?

So this is kind of like the topical observation, but like, what about fifty thousand foot? Like what's going on a little deeper? Well, a little bit deeper. It's not hard to reason about that.

Identity historically is not a security function. It's a productivity function. It's IT. If I run identity, I'm judged by getting you to work fast.

I'm not necessarily judged for security outcomes. We hired some security folks for that. Right? Like blame them.

And so the incentives aren't necessarily there, I would argue, for identity companies to be security companies historically. But then when we get into the technicalities of it, right, that's where things become really, really interesting. The most common technique that an adversary will use to compromise an identity system is a variation of credential theft. I can steal the credential from you.

I can steal the credential from somewhere that you've used it. I can steal the credential from a third party ecosystem that you don't realize kind of handles your credential in one way, shape or form. Right? There's probably twenty different enumerations of this.

Fundamentally, I steal your credential. I bypass the MFA or I push-bomb MFA or man-in-the-middle MFA. And then I hijack the session at the end of it. Right.

I copy the cookie out. I copy the access token out. I copy the bearer token. So in all of those statements, there's a symmetric credential that can move.

So that's kind of interesting. Now let's think about computer science. Like, let's take ourselves back to like teenage years. What does that mean?

A credential that can move? Well, it means it's in memory. It means I copy it from my memory to someone else's memory. And now let's think about a traditional connection between your browser and some service, maybe ChatGPT.

Does TLS guarantee the protection of that credential that you're moving back and forth?

We all kind of assume yes, but it actually doesn't. There is no end-to-end TLS anymore. And there maybe never was. If you're in a big enterprise, Palo or F5 or Zscaler is terminating that TLS before it even leaves your enterprise.

Right? Then it goes to Akamai or Cloudflare, Amazon CloudFront, right? For content distribution. Then it probably goes through an application load balancer layer in how the service is distributing itself across regions and zones.

And then if your engineers are doing what's new and exciting, they've deployed a Kubernetes cluster, which means you go through a service mesh, which can re-terminate your TLS connection. Right? So you're probably not managing any of these. They're probably all third party managed.

So now the footprint of where your credential lives is like three or four third parties that you have no ability to track, that represents credential theft, that they can basically represent insider threat as well as exploitation. So again, this is just one example of like, why are credentials so easy to steal? But our insight was, well, what if a credential didn't have to move? What if we could move from symmetric credentials to asymmetric credentials?

Right? And asymmetric cryptography for signatures is clearly an old technology. It's been around. People know how to do that.

But what if we could take it one step further? What if we could guarantee the signing key cannot move? And the observation one of our engineers made early on was like, hey, HSMs can do that. And HSMs exist in servers, but they're expensive.

But wait a minute. I think because of mobile payments, things have changed. And it turns out, yes, because of how the mobile payments industry drove a change in the chip manufacturing industry, you almost cannot buy modern electronics today that does not have a version of an HSM in it.

Your phone has an HSM. Your laptop has an HSM. That drone that you bought, that you're flying around your yard, it has an HSM. Right?

So if these HSMs exist everywhere, then what if we move primary authentication to be asymmetric where the private key can't move? If it can't move, that surface area that I described a minute ago shrinks to a single point and credential theft doesn't work. Stuffing doesn't work. Guessing doesn't work.

If I'm on the device you're working from, it's actually rather trivial to then start detecting things like man in the middle, man in the browser, attacker in the middle, that sort of thing. And then that third comment, remember, endpoint patching, endpoint hardening, that sort of thing. Well, when you get on an airplane, it's not enough for you to be the right person on the ticket. You also need to make sure you have no guns, no knives, no bombs. Right?

You have to be safe enough for the environment you're asking for. Again, if we're managing the credential on the device you're actually working from, then it's rather trivial for us as part of authentication to also comment on the safety of this device relative to the service it's asking for. We can basically check the posture and say, Hey, this device is hardened. This device does have the security controls you would expect relative to what it's asking for.

That can be attested and kind of sealed over. And that is kind of the essence of what we do, the foundations. We plug into your existing identity stack. We don't displace it.

And we transform how authentication works in your organization to where there is no movement of credentials. So there is nothing to steal. And you cannot man-in-the-middle the connection because we can detect it. And every authentication, whether it's the initial access attempt or reauthorization for continuous auth, always checks the full posture of the device.

And, you know, we started off doing that for workers, employees, contractors. The typical movement early for us was a customer would have a contractor audience, contract software developers, contract marketing, contract PR executives with exemptions for personal devices. But they had to maintain compliance. They had to be able to show that even though these folks were working on their data, that it was still secure, the controls they expect were still present.

And so we could do that simply. Where we've now moved into is because of how we built our authentication technology and how it's kind of universal. Our authenticator works on Linux and because it works on Linux, it's actually rather trivial to make it work on this drone. And if I have a bunch of drones flying around and I want to know what drone is mine versus someone else's, I can just zap it with an eight zero two next challenge.

And I can get back a full attestation from our authenticator. You can run it on a humanoid robot and get identity. You can actually run it on a server based agent and start solving some of the agent identity problems that are coming up. So it really, foundationally, it's about attacking the primary security vulnerability, which is identity, which is credentials that move and lack of understanding of the device the credentials are bound to.

But I probably talked for too long.

No. It's fascinating that, like, my PhD is actually like, I'm researching essentially the exact same thing with encryption keys Yeah. On satellites.

Okay. Cool. Cool. Cool. Yeah.

There's a big issue, right, where there's just no real way to secure satellites for the future. Right? As soon as they leave the ground, you have, you know, a ten to fifteen minute window to connect with it, patch it, test it, make sure that it's still working, and then it, you know, rotates around. And, yeah, you can switch ground stations and whatnot, but it becomes very tedious and it's difficult.

It's really hard. And, you know, a lot of the satellite people that I was talking to, they said, oh, you know, what you're trying to do probably isn't gonna work. It's gonna be too delayed or whatnot. And, I mean, my theory was, well, can we just throw it in an HSM, put the keys there, authenticate the keys on an interval, you know, when we need to communicate throughout the network and then call that zero trust?

Like, doesn't that meet the requirements for zero trust? And if it meets those requirements, can it use, you know, post quantum encryption to communicate off of? And all like, now everyone that I'm talking to, the people that are, like, actually in the post quantum encryption world and, you know, the satellites and everything else, they're saying like but, yeah, that's totally doable. That's, like, totally possible.

It's fascinating because, for two years, yeah. For two years, I was literally thinking, man, is this thing even gonna work? You know? But it's fascinating to hear you explain it because that's literally what I'm gonna be doing with encryption keys, just utilizing the HSM module that's already on there.

Yeah. So, funny thing there. So if you've got a TPM, the TPM is basically the gold standard. The downside with the TPM, and I'm gonna forget the precise numbers, but it's very limited in bit rate.

So I think the max bit rate you're gonna get, you're gonna push through a TPM is, I remember it like eight meg or like forty meg or something like that, but it's pretty low. With that said, it's fast enough for you to use it to then generate short ephemeral session keys. And then like every now and then do like the stronger attestation. So like, there's a lot of things you can do with TPM, but then like, you know, TrustZone gives you a lot.

You're probably working on ARM, right? In that environment, ARM based Linux.

I may know a little bit about this because of some of our newest customers.

Yeah. No. That's fascinating. It's interesting.

I wanna get your opinion on it. Right? Because I remember in the first startup that I was a part of, I ran the DOD, the federal contracts that we had. And I was talking to my sales guy at the time.

You know, I asked him, I was like, well, how did we even, like, get into, you know, doing government contracts and whatnot? And he literally said it took four years to get the first one. And once you got the first one, like, we got, like, twelve others in the same year. Right? Because it's all about like the circle of trust. If you get into the circle of trust, everyone goes to you for that same thing. But if you can't get into one place, basically, no one trusts you.

Yeah. It very much is an all or nothing. And you know, it works like that with mission partners too. Right?

So, like, when you go over and you wanna talk to MOD over in the UK or whatnot, usually the first question they ask is who in the US DOD are you already working with? Right? So it's a but like, let's zoom out. Right?

Like at the end of the day, no one has truly enough time to do all the diligence that you would truly need to do to know everything on your own. Right? So like reputation via peers that you trust is how the world works and it is a major influence point in decision making. I know I do that in some of the decisions that I make.

Right? If I don't really have time to think through everything, which is very often, it's like, well, who do I know that I actually trust for that area? So it makes sense.

Yep. Yeah. No. It's a great way to do it too. And that's why I always tell people to, like, really build out their network, you know, like, don't take it for granted, you know, actually engage with people and whatnot and, you know, build it up, right?

Because you never know when an interesting opportunity is gonna come along and, you know, you need to reach out to someone and say like, hey, is this a real thing? Does it work like this? You know, all that sort of stuff. Kinda have a candid conversation with someone.

I've had that so many times, you know, even with the podcast. Right?

I had, like, one of my first sponsors, you know, they reached out to me and they were asking for some forums and I reached out to, like, my business slash podcast mentor. And I was like, hey. What are they asking for? He goes, hey, man.

It means that, like, you're doing good. You need to provide them this. I, like, couldn't I just, like, couldn't figure it out. You know?

It's just fascinating how that works.

Yeah. No. A lot of opportunity is serendipitous.

I ended up doing my PhD because of serendipity, right? Like at the right place, right time at the right person. I ended up working for General Keith Alexander through serendipity, right. Former director of the NSA. I actually ended up meeting Jim Clark through serendipity here at Beyond Identity. You know, you need to be good at what you do and hard work matters, but like luck does play a role.

Yeah.

That's fascinating. There was a couple times where, I mean, you might be the fifth person that I've talked to that knows Keith Alexander and, like, looking for ways to bring him on. I'd love to have a conversation with him, you know, and just, like, pick his brain for an hour. The things that he has seen, you know, and has knowledge of, like, it's just so, it's a different world. Totally different, it's so fascinating to me.

Think about it. Right? The dual headed director of NSA and Cyber Command from two thousand four to two thousand fourteen when the world literally transitioned from kinda pure cyber espionage to actual cyber physical attack. And then all of the world events that happened in that timeframe as well. Like, yeah, I mean, it's a pretty interesting period in history.

I mean, yeah, as is today, but yeah, that timeframe really changed everything with cybersecurity, you know, forever.

It's for a long time. And I read the book on Stuxnet. It's Zero Day, right, by, like, Kim, remember that? Kim Zetter.

And, you know, they mentioned in the book that, you know, cyber security and, you know, malware and, you know, worms, this whole world of malware never really crossed over into the physical realm until someone put together a piece of malware that made a generator operate at an RPM that it wasn't supposed to be operating at, and then it explodes over at Idaho National Laboratory. Right? And there was some general there that was watching it. And I don't know if it was Keith Alexander.

It was someone important was watching it, and it was like a light bulb, you know, that came on in their head. I was like, this has real world implications. That was like the first time that they ever really, you know, tested it out and whatnot. And then you fast forward, you know, probably ten years.

Right? And we saw it again with like Ukraine's power grid when Russia first invaded. Right? The very first thing that they did was take over those computers and, you know, they were operating the mouse and going through everything, shutting things down and they had no clue what was happening.

Luckily, because of how their power grid is, they're used to manually operating it but god forbid that happens in America. There's like no chance that we would be able to efficiently and effectively manually start operating the power grid because our digital systems were taken over.

You know, when you think about cyber physical, it's pretty interesting. Right? So like we've lived with denial of service for a long time, right? Like denial of service attacks, product attacks.

But imagine denial of service that it's more of like a physical, a cyber physical denial of service, right? Like if I've got bots, but my bots were light bulbs or my bots were smart devices, right? Smart toilets. If I flushed all the smart toilets of New York in one moment in time, could I actually physically stress the sewer system?

I actually don't know the answer to that question. However, if I could turn on a current draw on a bunch of smart devices at the same amount of time, I do know that I could break fuses. Right. And junction points.

And then there's a question of how long does it take to replace those? What's the manufacturing pipeline even look like? So like, I mean, the good news is we are taking these sorts of things seriously now. Right.

But the, you know, the bad news, I guess, it's just the asymmetry of cyber operations in a highly connected modern economy. Everything is up for remote control. Right?

Yeah. Yeah. Everything is up for the taking. I feel like people don't really understand that, you know? And even when you go to like, I spent a long time in, you know, internal security teams for companies.

And it seems like the only industry that, like, fully understands it and doesn't care how much money they have to throw at the problem is the banking industry.

Yeah. I was about to say finance.

Yeah. Not even like the private investment firms, you know, like, they're still trying to, you know, cut costs as much as they can and be as cost efficient. I was talking to some people at Bank of America because they were looking to bring me on maybe a year ago. And I was asking what the budget was for cloud security.

And they were like, you don't ever have to worry about what the budget is. And I said, well, why? And he said, the budget this year is one point five billion for cloud security. It's like, there's literally no cost that we, like, even blink at.

And it makes sense because they understand like, oh, if, you know, if Bank of America, JP Morgan Chase get breached and I mean, they have everything. They have your mortgage. They have your social security number. They have your address, your phone numbers.

They have your entire identity history. Right? Because how often do you change banks? I mean, I changed banks once fifteen years ago and I haven't even considered changing one time since then, you know?

Well, they're also like beyond just like consumer banking. Right? They underwrite the transactions that drive the entire economy.

Right.

So like with that, the thing that's really easy to forget is, you know, the size of the economy is not based on raw dollar value. It's based on like the velocity of money and transactions itself. So like slowing things down is actually harmful. Right?

No, it makes a lot of sense. I mean, there's a reason why people don't go and buy things with gold, you know, like you still have to convert that gold. Like it has value, but you still gotta go and convert it to dollars and you're probably not gonna pay for it with cash. Those dollars go into a bank account, you know?

Like, it makes things a whole lot more streamlined. Like, I'm not gonna go to, you know, some online web store and try and give them a gold coin. Like, that thing doesn't even exist in the real world, you know? Like, it's a digital store.

But that's a really good point that it's more about, you know, high speed frequency of the money that's actually changing hands rather than the physical dollar itself. I never thought about it like that. I think I've heard it before for sure. I just didn't think about it like that.

You've definitely heard it. If you've ever taken an economics class, they call it money velocity.

Yeah.

But it's easy to, you're not in that space.

It's easy to forget. Right?

Yeah. Yeah. I mean, you know, I actually took economics, and I was one class away from getting my minor in it when I was doing my bachelor's. I'm still kinda frustrated that I didn't get that minor in it because I was literally one class away.

But it was really fascinating to me. I don't know. Something with numbers. Right? Like, I feel like if I had to do my bachelor's over again, it would be in math, honestly.

It wasn't necessarily the easiest for me but, you know, there's something with math that's very elegant where you can go forwards and backwards with it. You could start in the middle and go to the end. You can start in the middle, go to the beginning.

Again, you know, like if you really understand how everything is working together, you can do that. When I grasped that, you know, in my mind, it just like opened the door completely in a new way to me that was like, this is like really interesting, you know? And if I had to go back and do it again, I totally would get my degree in math and I'd probably be in cryptography now.

Yeah. Well, I mean, math underwrites everything we do. It's useful and valuable to know.

Yeah. Absolutely. So where do you see the identity space going? I mean, it sounds like Beyond Identity is already operating in kind of that futuristic area of IAM overall. Where do you see it going from here?

So I really do think the future of security is identity. And I think it's borne out, at the fifty thousand foot level, it's borne out by like the gross statistics. Like most security incidents are identity failures. I think they're actually preventable, right?

Most of the industry is focused on detection and response, but now that everybody's got an HSM in their pocket or on their device or on their drone, we can actually prevent some of these forest fires from ever happening in the first place. Right. Which means it's cheaper, it's faster, it's better. We get better outcomes.

We can shift and work on a new set of problems. This doesn't change just because the computing platform changes. So the way you solve it for a human is actually not unlike the way you solve it for a drone or for an agent. For instance, I want to know what agent is running on what machine with what posture, and I want to know what model it's running.

And traditionally we might think of a user as like what user on what machine with what posture. And for the user, we'd think about like what factor do they possess? What are they, right? Like a biometric or what do they know?

Like a knowledge. And how do we do that with an agent? Well, agents are programs and programs can, you can think of programs as being biometric. A program is a running process.

That's loaded from an actual file. That file is traditionally signed by the OEM that gave it to you. You can actually run those comparisons. You can decide if you trust the loader.

You can trace the process through the loader back to the EXE. Like, all of this can become part of a quasi checksum for even unlocking the HSM key that proves the identity for that particular agent. There are ways of doing device bound hardware backed multifactor agent authentication that actually are almost the same way that you buy a cup of coffee with Apple Pay or Google Pay. So I, you know, I think where we're going in security is identity is gonna play a deeper and bigger role.

Identity is the only thing that sees everything. And I think the explosion you're seeing in agents right now is gonna prove that out even more. The easiest way of understanding what your people are doing with identity, what services they're plugging into their agents, where they may even be exposing data leakage is actually the identity system, right? Cause the identity system can offer trusted MCP servers, trusted data servers, trusted vector DBs to the agents.

They can offer trusted models or vetted models to the workforce, right? To make sure that, you know, you're helping the workforce as opposed to impeding the workforce. So, I think the future of security really is identity. And I think these new platforms, whether it's drones, humanoid robots, or agents are really just carrying the same old problems forward.

Like, you've gotta reassess how you solve them. And changing the equation, moving from these symmetric credentials to immovable asymmetric credentials is kind of the first step in that journey.

Yeah. Yeah. No. That's very true. I totally agree with everything you just said. You know?

Like, the cloud kind of put it at the forefront, right? Where identity is now the perimeter of your security environment. It used to be able to think of it as like your firewall, but now everything's identity based. If I want to get into your environment, it's literally a login screen and hey, now I have access to your environment.

Right? I mean, was it the MGM hack or the Caesars hack? Was someone just calling up the help desk saying, hey, I'm locked out. Can you reset my MFA and my password?

Yeah. It was just a login. You know? It wasn't, hey, I'm gonna go and probe their firewall to see what ports they have open, you know, get in and redirect some stuff and whatnot.

It was identity based.

You no longer have a network. Right? You have the Internet.

And so if you no longer have your network, if you only have the internet, then you've gotta start thinking in like control plane or like overlay sorts of things. Right? And the only natural overlay you have across your organization is identity. That's it.

That really is it. Everything else is almost artificial. Right? Like you could say, well, I'll construct a network overlay.

I'll force everything to that network overlay. So I have visibility, and you can do that. It won't work for everything. It'll be expensive and it'll give you network issues, but identity is already there.

And if you're using an identity system that actually uses device bound credentials from the device they're working from, right, not pull out a second device, but like from the device they're working from, you can also comment on the security of that device. You can comment on its control and data plane without actually having to carry the burden of its traffic.

Yeah. It's a really fascinating area. And, unfortunately, we're at the top of our time here, and I'm trying to be very conscious of, you know, the time that I set. Right?

I know everyone's so busy, and I'm probably unfortunately gonna go jump into more meetings after this. But, Jasson, I really do appreciate you taking the time to finally come on the podcast and talk about this. I would love to have you back on for sure, you know, talking about new product evolutions and stuff that you see in the space. I think that'll be great.

Absolutely. Well, thanks for having me.

Yeah. Absolutely. Well, before I let you go, how about you tell my audience where they can connect with you if they wanted to connect with you and where they could find your company if they wanted to learn more?

Yeah. So I'm easy to reach. Hit me up on LinkedIn. Our website, Beyondidentity.com, hosts and talks about almost everything that I've mentioned. Also Claude and ChatGPT know a lot about us as well. So they can give you some context and point you at some of our materials as well. But yeah, hit me up on LinkedIn or even X.

Awesome. Well, thanks everyone. I hope you enjoyed this episode.

Wow. That's fascinating. So, like, what are you doing, you know, on these tours? Are you giving talks or what does that look like?

It's a little bit of everything, but our business started to evolve over the last twelve to eighteen months where we started getting a lot more inbound from large organizations, specifically critical infrastructure, ministries of defense, departments of defense, governments. And the gist of it was, it's actually pretty simple. Right? It boils down to at the end of the day, most security incidents are identity problems.

And, you know, for all sorts of reasons we get into later, like identity truly is the future of security, like solving things properly, not just like putting the fires out quickly, but like preventing forest fires. And so, yeah, the business has changed a bit and it's a combination of talks and like prospect and customer visits. But, you know, in Europe, it's a combination of kind of cyber crime as well as kind of more active, call it gray warfare. Right?

So like with the war, with the Russian war in Ukraine, there is a lot going on in Europe around kind of sabotage operations, cyber operations that kind of blend into the physical. And so we're seeing a lot of critical infrastructure get serious about kind of plugging their holes. And it's very kind of state actor driven. Similar thing in Asia, we're seeing a lot more adventurous exercises being carried out by various Chinese threat actors.

And it's usually against the usual suspects, right? Like us and American allies. And so as a byproduct, we're seeing again, critical infrastructure, everything from like energy production to transportation to finance, really getting serious about kind of plugging some of these holes. But the other thing, just to remind everyone, you know, you said this would be like a conversation at a bar.

The first thing that usually someone says after you mentioned all the travel is like, man, that sounds glamorous. That sounds awesome. You get to see all the places.

And, you know, on one hand it is a privilege to be able to visit these places, but what you get to see is usually from the Uber ride. And, you know, if you're lucky and I have gotten a little bit better at this, you know, you can maybe budget an hour a day just to keep exercising and like not go insane, but it's exhausting. And, yeah, six weeks of that and my fitness app, basically, I was using it to actually track the residual heart rate, like my resting heart rate. You can literally see it change dramatically in the first four days after that six week trip when I was home.

And you can also see it in like my sleep time. So like the first four nights I sleep for ten to twelve hours and my heart rate, my resting heart rate is actually pretty high. And then by day five, it's like back to six to seven hours. The resting heart rate is like down to where it should be in like the fifties and sixties.

Yeah.

It's exhausting.

Yeah. Yeah. I'm also a bit of a health data nerd with my own trackers and whatnot.

I noticed that too. Like, when I travel, even if it's a place that I've been, you know, ten times, like, if I go to Vegas, you know, and I'm staying in the same hotel that I always stay in, right, like, still, you know, those first, like, three, four nights, sometimes it's just the entire trip, is just complete garbage sleep whether I drink or not, you know, like, it's irrespective of that, whether I go to sleep at a normal time for me or not. Like, it's terrible.

And I always come back. I'm just so exhausted. It takes me, like, two, three days to recover. Same thing when I go overseas or anything like that.

I try to, I mean, this is just me. Right? But when I go, like, somewhere new for work, I try to take, you know, a couple days extra and just go and, you know, see around and sightseeing and whatnot. I was going to go to Japan one time for work, and I told my boss, like, straight up, I was like, alright.

Well, I'm taking two weeks vacation after my week of work in Japan. Like, I'm telling you that right now. Can you just book my flight to come home on this date? You know?

And, like, they were totally fine doing it. Right? Because, one, I had the time. And two, it's like, you go that far.

It's like, man, I don't wanna make another twenty hour flight to come out here and see everything again that I should have seen the first time.

Yeah. On one hand, what is it? Boom aerospace. They can't get here fast enough.

Right? It does take forever to get places. Yeah. Actually, you know what? That's kind of the lure that we use.

So we have an overseas engineering office as well. And distributed teams are always difficult. Right. And so like, how do you promote the mixing of your engineers between offices or at least locations?

And that was essentially the, the, right that we would always offer is like, look, if you're willing to go for at least three weeks and work out of this office for three weeks, I'll pay for your spouse to go with you.

Like that kind of stuff. Right? Yeah. And that actually worked really well for us at my previous company. We haven't quite done it that way here just because when we were building out, COVID was happening and that wasn't even possible. But, I mean, we'd support the same thing here too. It's just we're a little bit further built along.

Yeah. Yeah. No. That's a fantastic perk. It's always nice to see when leadership is taking care of their employees, you know, and actually, like, caring about their own lives outside of work and whatnot like that.

It's always refreshing to see that because you don't always see that. You'll see it with, like, your direct manager, you know, sometimes, but to see it up the chain really speaks volumes to the company's cultural role.

Yeah. Well, I mean, I think a lot of companies actually do care. It's just things do get lost in the moment. Right?

And, like, startups are such a unique thing. Right? Like at the end of the day, a startup is not a normal job. It's not for everybody.

It's really, really hard. And, you know, it is a marathon. It's not a race. But it's not a singular race either.

Right? Like the team has to finish. And so there is a lot of give and take. Right?

Like, you're gonna spend more time with your colleagues in a startup than you are your spouse. So there does have to be there does have to be like friendship. There does have to be relationships. There does have to be mutual respect and that sort of thing.

You know, I'd say the tricky thing in startups is actually mismanaging that expectation. Right? Like when you get people, good people, but like they're not down for that style of mission. It can kind of, you know, breed conflict and whatnot that can kind of come off as various things there.

Like we ran into that early on in our history, but, yeah, for where we are right now, like, look at it, like, we need the full team. Right? We're only a hundred people. We're trying to compete with organizations that have five thousand plus people.

We need everything out of everybody.

And, you know, if you burn people out, then, like, you're lopping off an arm or lopping off a leg. So you've gotta find ways of making it work. You've gotta find ways of making it fun. You've gotta actually like the people you work with. Otherwise, why do it?

Yeah. No, it's fascinating. Well, you know, Jasson, we kinda just dove right in, right, with giving your background or anything like that. So why don't we dial it back, you know, a couple years, right, and talk to us about, you know, how you got into it, how you got into security, what piqued your interest to get into the industry? And you know, maybe even like what made you want to go and like become an entrepreneur and do startups and get into companies at that level?

So it's more than a couple years.

Back to the whole time flies faster than you can imagine. But, you know, I was fortunate enough to where I grew up in a house of engineers. Everybody always worked on stuff. Right?

Like my dad would refuse to buy stuff around the house. He would build it. Right? Like whether it was bookshelves or cabinets or whatnot to working on the car, you know, he wouldn't bring it to the shop to get serviced.

He would do a lot of it himself at least early on. And you know, I guess by osmosis or adjacency, like even though I ruined my toys, I tended to like, you know, a lot of kids did this, right? You took your toys apart, try and figure out how it worked. And you're like, you're pulling capacitors and resistors and inductors off a circuit board thinking, you know, you're a Doogie Howser doing surgery and reality is you're just breaking your toy.

But I don't know, for as long as I can remember, I've always been interested in tinkering and engineering. Right. And like taking apart electronics and building Legos was the thing. And when I got into junior high and high school, I was able and fortunate to actually get into these like robotics competitions where you've got to build a thing that really did move and go and do stuff.

And I had learned how to write software mostly as a hack to go through my math homework faster. But then I started realizing that like, hey, this is more than just for hacking out your math software or your math homework. You can actually get your software to run on this processor and control this robot and make it do x and y instead of, like, you know, the baby circuits. Right?

Where you have, like, a photoresistor. And as the light shines stronger, it gets more current, which means it steers a little bit more to the right than to the left, that kind of stuff. So, you know, I would say tinkering and building stuff was kind of an early childhood thing. Going from there to IT was pretty natural.

Right? Like, you build and tinker with stuff. You play games. You wonder how it works.

You know, we had the internet, but it was cooler to actually get your modem to call your friend's modem, establish a PPP link between your two computers. And then you could really dog fight with the combat simulator. Right. So like that kind of stuff is pretty much what I was doing in my teenage years.

And the entrepreneurial bit was more of necessity. Right? Like you get to college, you think you're rich because you've saved all the money you've earned in your high school job. You got like two whole thousand dollars and you're like, this is gonna last, you know, I'm just gonna be able to enjoy this.

I'm gonna be able to go to a party from time to time. And long long of it, you know, that doesn't get you very far at all. And I had to get a job. And I found a job actually writing software.

And, obviously, I was very, very young at the time, but because I had a lot of experience writing basically math in C or implementing certain types of math functions in C, I got hired as a research assistant. It's for like a geoscience sort of company.

And, I don't know. I think that gave me the idea that like, you know, procedure and protocol and decorum are what society suggests you ought to have, but if you just want to do something you can. And, from there, two years later, I joined an actual startup in Austin, Texas, as an engineer. And again, I was super young for what they were asking me to do, but I happened to be in the right place at the right time and I had experience and, you know, I loved it right at the startup that gave you, I like food. Right.

And I like a good buffet and a startup felt like showing up at the best buffet ever. Right. Like there's miles and miles of all of these cool, interesting problems. And, you know, there's only three people to help you eat your way through the buffet.

So no one's going to get angry. No one's going to get possessive. No one's going to get territorial. If you want to eat anything, they're going to help.

And they're going to say, knock yourself out. But if you start, you got to finish. And I don't know. I love that about a startup.

Like, there is no problem you couldn't work on as long as you're willing to own the outcomes. The learning aspect of it too. Right? Like in a startup, you can't afford to hire experts in all the verticals that touch whatever problem you're on.

You have to figure it out. And for me, and, you know, there's a lot of people that are this way. Like, the joy of figuring something out is kind of like a drug. Right?

Almost so to where you have to be a little bit careful. Right? Because the startup is there to build a business and to make money and return stuff to shareholders, not just for learning stuff. But, you know, I fell into startups and entrepreneurship out of necessity.

I needed money and they needed someone with my background at the time, but it quickly became what I've been doing for twenty some odd years because it's one of those places where ultimately you kinda have complete freedom.

Yeah. Yeah. It's fascinating how you describe it like that because it's so true. And I started my career at startups, and it was an interesting experience, you know, because at the startup I was doing a little bit of everything, you know, like application engineering, doing customer related work, help desk, you know, just about everything and I wanted to get into cybersecurity and so I kind of took over the, you know, vulnerability management program of this startup for our solution, you know, like, and that was exactly what you said was exactly what my VP told me.

He goes, once you start it, you gotta own it through and through. Like there's no going back and you know, me not knowing what that is young twenty something year old kid. Right? I got into it and luckily I enjoyed it, you know?

But that was the mentality. And then from there, I went to, like, really large companies and it's a totally different mentality. I mean, there's people there for thirty years and they're there for a reason for thirty years. You know, you can literally just fly under the radar, do the bare minimum, get your paycheck, you know, and not really learn anything new.

Like, it's possible in those environments. And for me, that's like the complete opposite of who I am. You know, like, I didn't start this podcast out of comfortability of talking to people. Right?

I kind of started it because it's kind of pushed me outside of my box every time I do it, you know, and makes me better. It makes me different. Right? In startups, now I'm finally back at a startup and, you know, I basically own my entire vertical and the CEO is just like, however you want to run your side of the business is how you want to run it.

If it succeeds, it's on you. If it fails, it's on you. Like, it's up to you to make this thing work. We believe in you, you know, and it's all about leveraging, you know, other team members and their skills and getting their feedback and what worked, what didn't work and, you know, implementing it in my side of the house, right?

It's a totally different feel. And I always go back, you know, you don't always have to be the number one guy, the CEO of a company, the founder of a company to be, you know, successful financially. Right? Like, you look at, like, Steve Ballmer or the CEO of Microsoft.

Right? I mean, they were what? The number five guy in the hierarchy for years.

I mean, Steve Oh, yeah.

Steve was a janitor for a while in the beginning. Like, he did everything, you know? He discusses it very openly. So it just shows you, you know, you could still come out alright and be, you know, the tenth or the fifteenth guy in line to the CEO when you believe in a mission and, you know, see it through.

You know, one of those stories that I heard early in my career that kind of submitted itself similar to that was, this was the late nineties. There was a company called Level 3 Communications. They're still around. You know them today as CenturyLink.

But their innovation at the time was just realizing that, like, hey, the Internet's gonna change everything. Right? And everybody's gonna get connected to the Internet. And so we're gonna need fast connections.

And fast basically means fiber, means lasers. Now these things called, this technology that was basically wave division multiplexing and dense wave division multiplexing. Basically in one fiber, you can actually have more than one signal. You just shift the different signals by essentially the wavelength.

And what Level 3 realized was, hey, this technology is gonna evolve pretty much every two years, but it would be a mechanical engineering nightmare to try and trench new stuff every two years across the continental US. And so they came up with this system that is kind of like the revolver magazine, the magazine of a revolver. And so they laid this conduit across the US and they came up with a couple of interesting things, right? One was this train car that basically had this big arm that would lay the conduit on the side of the rails.

So that's kind of how they did it in a mechanical fast way. But the second part that I found more ingenious was the conduit had this revolver magazine like structure, right? Like imagine like five or six hollow tubes. And what they could do is they had these flanges that they would mount to fiber and they would be able to just blow with air pressure the new, whatever the new fiber technology is, down the latest chute.

And so like two chutes were always active, two chutes were being decommissioned and two chutes were always being developed. And they didn't have to retrench. They didn't have to rerun rail. It was literally just like, they figured out that ninety percent of their architecture could be fixed and ten percent could be modular.

So like, that was one of the things that stuck with me. But the thing that was related to your story was the receptionist made like almost two million dollars at the IPO there. And I thought if the receptionist can become successful, everyone at the company can be successful. And they were like, I don't know, five, eight hundred people at this point.

It wasn't even like a ten person job. So, yeah, if, you know, not all startups get these sorts of outcomes, but if you do it right, it can work for everybody.

Yeah. Yeah. It's a really good point. But, you know, what's the problem that Beyond Identity is solving? What was the problem in the marketplace that you guys identified, you know, as an issue?

Because I've worked with identity, that's kind of where I cut my teeth for, you know, security. And it's very easy for it to become a mess.

A lot of the times it's a mess regardless, you know?

Yeah. So we looked at it in a couple different ways, but so my previous company, or my previous role, I was a CTO at a company called SecurityScorecard. And we had a ton of data and research through collaborations with our partners on breached companies. And we had all the data analysis of what correlates, so not cause, but what correlates generally, right?

What data signals and behavioral signals correlate to breach. And what was striking was three or four signals were incredibly strong in their correlation. And then everything else was kinda close to zero. Right?

And those signals were all about the identity system. How are passwords managed? How is the endpoint? How are passwords managed?

Is 2FA present? And then the third one, which I'll argue is related, but may seem a little bit different is do they have an endpoint patching program in place? Endpoint hardening and patching. And, you know, so that's kind of an interesting thing.

Right? Like, I take a step back and then I just think about it. Right? No matter the organization, no matter if you're an employee or contractor or even a customer, and no matter if you're working on a managed device or an unmanaged device, you're gonna cross the identity bridge to get to any service or data.

So number one, identity is like the structural high ground. It sees everything by definition. Right. So that's kind of one observation.

Number two, the mishandling of it is the strongest corollary to breach. And, you know, since we got started, this has been proven out as well by like Mandiant and CrowdStrike and Verizon, where they track security incidents. Eighty plus percent of all security incidents are identity failures. Right?

So this is kind of like the topical observation, but like, what about fifty thousand foot? Like what's going on a little deeper? Well, a little bit deeper. It's not hard to reason about that.

Identity historically is not a security function. It's a productivity function. It's IT. If I run identity, I'm judged by getting you to work fast.

I'm not necessarily judged for security outcomes. We hired some security folks for that. Right? Like blame them.

And, so the incentives aren't necessarily there, I would argue, for identity companies to be security companies historically. But then when we get into the technicalities of it, right, that's where things become really, really interesting. The most common technique that an adversary will use to compromise an identity system is a variation of credential theft. I can steal the credential from you.

I can steal the credential from somewhere that you've used it. I can steal the credential from a third party ecosystem that you don't realize kind of handles your credential in one way, shape or form. Right? There's probably twenty different enumerations of this.

Fundamentally, I steal your credential. I bypass the MFA or I push bomb MFA or a man in the middle MFA. And then I hijack the session at the end of it. Right.

I copy the cookie out. I copy the access token out. I copy the bearer token. So in all of those statements, there's a symmetric credential that can move.

So that's kind of interesting. Now let's think about computer science. Like, let's take ourselves back to like teenage years. What does that mean?

A credential that can move? Well, it means it's in memory. It means I copy it from my memory to someone else's memory. And now let's think about a traditional connection between your browser and some service, maybe ChatGPT.

Does TLS guarantee the protection of that credential that you're moving back and forth?

We all kind of assume yes, but it actually doesn't. There is no end to end TLS anymore. And there maybe never was. If you're in a big enterprise, Palo or F5 or Zscaler is terminating that TLS before it even leaves your enterprise.

Right? Then it goes to Akamai or Cloudflare, Amazon CloudFront, right? For content distribution. Then it probably goes through an application load balancer layer in how the service is distributing itself across regions and zones.

And then if your engineers are doing what's new and exciting, they've deployed a Kubernetes cluster, which means you go through a service mesh, which can re terminate your TLS connection. Right? So you're probably not managing any of these. They're probably all third party managed.

So now the footprint of where your credential lives is like three or four third parties that you have no ability to track, that represents credential theft, that they can basically represent insider threat as well as exploitation. So again, this is just one example of like, why are credentials so easy to steal? But our insight was, well, what if a credential didn't have to move? What if we could move from symmetric credentials to asymmetric credentials?

Right? And asymmetric cryptography for signatures is clearly an old technology. It's been around. People know how to do that.

But what if we could take it one step further? What if we could guarantee the signing key cannot move? And the observation one of our engineers made early on was like, hey, HSMs can do that. And HSMs exist in servers, but they're expensive.

But wait a minute. I think because of mobile payments, things have changed. And it turns out, yes, because of how the mobile payments industry drove a change in the chip manufacturing industry. You almost cannot buy modern electronics today that does not have a version of an HSM in it.

Your phone has an HSM. Your laptop has an HSM. That drone that you bought, that you're flying around your yard, it has an HSM. Right?

So if these HSMs exist everywhere, then what if we move primary authentication to be asymmetric where the private key can't move? If it can't move, that surface area that I described a minute ago shrinks to a single point and credential theft doesn't work. Stuffing doesn't work. Guessing doesn't work.

If I'm on the device you're working from, it's actually rather trivial to then start detecting things like man in the middle, man in the browser, attacker in the middle, that sort of thing. And then that third comment, remember, endpoint patching, endpoint hardening, that sort of thing. Well, when you get on an airplane, it's not enough for you to be the right person on the ticket. You also need to make sure you have no guns, no knives, no bombs. Right?

You have to be safe enough for the environment you're asking for. Again, if we're managing the credential on the device you're actually working from, then it's rather trivial for us as part of authentication to also comment on the safety of this device relative to the service it's asking for. We can basically check the posture and say, Hey, this device is hardened. This device does have the security controls you would expect relative to what it's asking for.

That can be attested and kind of sealed over. And that is kind of the essence of what we do, the foundations. We plug into your existing identity stack. We don't displace it.

And we transform how authentication works in your organization to where there is no movement of credentials. So there is nothing to steal. And you cannot man in the middle of the connection because we can detect it. And every authentication, whether it's the initial access attempt or reauthorization for continuous auth, always checks the full posture of the device.

And, you know, we started off doing that for workers, employees, contractors. The typical movement early for us was a customer would have a contractor audience, contract software developers, contract marketing, contract PR executives with exemptions for personal devices. But they had to maintain compliance. They had to be able to show that even though these folks were working on their data, that it was still secure, the controls they expect were still present.

And so we could do that simply. Where we've now moved into is because of how we built our authentication technology and how it's kind of universal. Our authenticator works on Linux and because it works on Linux, it's actually rather trivial to make it work on this drone. And if I have a bunch of drones flying around and I want to know what drone is mine versus someone else's, I can just zap it with an 802.1X challenge.

And I can get back a full attestation from our authenticator. You can run it on a humanoid robot and get, get identity. You can actually run it on a server based agent and start solving some of the agent identity problems that are coming up. So it's, it really foundationally it's about attacking the the primary security vulnerability, which is identity, which is credentials that move and and lack of understanding of the device the credentials are bound to.

But I I probably talked for too long.

No. It's, it's fascinating that, like, my PhD is actually like, I'm researching essentially the exact same thing with encryption keys Yeah. On satellites.

Okay. Cool. Cool. Cool. Yeah.

There there's a big issue, right, where there's just no real way to secure satellites for the future. Right? As soon as they leave the ground, you have, you know, a ten to fifteen minute window to connect with it, patch it, test it, make sure that it's still working, and then it, you know, rotates around. And, yeah, you can you can switch ground stations and whatnot, but it becomes very tedious and it's difficult.

It's really hard. And, you know, a lot of the satellite people that I was talking to, they said, oh, you know, what you're trying to do probably isn't gonna work. It's gonna be too delayed or whatnot. And, I mean, my my theory was, well, can we just throw it in an HSM, put the keys there, authenticate the keys on an interval, you know, when we need to communicate throughout the network and then call that zero trust?

Like, doesn't that meet the requirements for zero trust? And if it meets those requirements, can it use, you know, post quantum encryption to communicate off of? And all like, now everyone that I'm talking to, the people that are, like, actually in the post quantum encryption world and, you know, the satellites and everything else, they're saying like but, yeah, that's totally doable. That's, like, totally possible.

It's it's fascinating because, for two years yeah. For two years, I was literally thinking, man, is this thing even gonna work? You know? But it's fascinating to hear you explain it because that's literally what I'm gonna be doing with encryption keys, just utilizing the HSM module that's already on there.

Yeah. The so so funny thing there. So if you've got a TPM, the TPM is the is basically the gold standard. The downside with the TPM, and I'm gonna forget the precise numbers, but it's very limited in bit rate.

So I think you the max the max bit rate you're gonna get, you're gonna push through a TPM is, I remember it like eight meg or like forty meg or something like that, but it's pretty low. With that said, it's it's fast enough for you to use it to then generate short ephemeral session keys. And, and then like every now and then do like the stronger attestation. So like, there's a lot of things you can do with TPM, but then like, you know, TrustZone gives you a lot.

You're probably working on ARM, right? In that environment, ARM based Linux.

I I may know a little bit about this because of some of our newest customers.

Yeah. No. That that's that's fascinating. It's interesting.

I I wanna get your opinion on it. Right? Because I I remember in the first startup that I was a part of, I ran the the DOD, the the federal contracts that we had. And I was talking to the to my sales guy at the time.

You know, I asked him, I was like, well, how did we even, like, get into, you know, doing government contracts and whatnot? And he he literally said it took four years to get the first one. And once you got the first one, like, we got, like, twelve others in the same year. Right? Because it's like all about it's all about like the circle of trust. If you get into the circle of trust, everyone goes to you for that same thing. But if you can't get into one place, basically, no one trusts you.

Yeah. It very much is an all or nothing. And you know, it works it works like that with mission partners too. Right?

So, like, when you go over and you wanna talk to MOD over in the UK or whatnot, usually the first question they ask is who in the US DOD are you already working with? Right? So it's a but like, let's zoom out. Right?

Like at the end of the day, no one has truly enough time to do all the diligence that that that that that you would truly need to do to know everything on your own. Right? So like reputation via peers that you trust is it is how the world works and it is a major influence point in decision making. I know I I do that in some of the decisions that I make.

Right? If I don't really have time to think through everything, which is very often, it's like, well, who do I know that I actually trust for that area? So it makes sense.

Yep. Yeah. No. It's it's a great way to do it too. And that's why I always tell people to, like, really build up build out their network, you know, like, don't don't take it for granted, you know, actually engage with people and whatnot and and, you know, build it up, right?

Because you never know when an interesting opportunity is gonna come along and, you know, you need to reach out to someone and say like, hey, is this a real thing? Does it work like this? You know, all that sort of stuff. Kinda have a candid conversation with someone.

I've I've had that so many times, you know, even even with the podcast. Right?

I I had, like, one of my first sponsors, you know, they reached out to me and they were asking for some forms and I reached out to, like, my business slash podcast mentor. And I was like, hey. What what are they asking for? He goes, hey, man.

It means that, like, you're doing good. You need to provide them this. I, like, couldn't I just, like, couldn't figure it out. You know?

It's just it's fascinating how that works.

The yeah. No. Opportunity a lot of opportunity is serendipitous.

My, I ended up doing my PhD because of serendipity, right? Like at the right place, right time at the right person. I ended up working for the general Keith Alexander through serendipity, right. Former director of the NSA. I ended up actually ended up meeting Jim Clark through serendipity here at Beyond Identity. You know, you need to be good at what you do and hard work matters, but like luck does play a role.

Yeah.

That's that's fascinating. There was a couple times where, I mean, you might be the fifth person that I've talked to that knows Keith Alexander and, like, looking for ways to bring him on. I'd love to have a conversation with him, you know, and just, like, pick his pick his brain for an for an hour. The things that he that he has seen, you know, and has knowledge of, like, it's just so it's a different world. Totally different, it's so fascinating to me.

Think about it. Right? The director the dual headed director of NSA and Cyber Command from two thousand four to two thousand fourteen when the world literally transitioned from kinda pure cyber espionage to actual cyber physical attack. And then all of the world events that happened in that timeframe as well. Like it's yeah, it's a pretty interest. I mean, it's pretty interesting period in history.

I mean, yeah, as is today, but yeah, that timeframe really changed everything with cybersecurity, you know, forever.

It's for a long time. And I I read the book on on Stuxnet. It's Zero Day, right, by, like, Kim... Remember that? Kim Zetter.

And, you know, they mentioned in the book that, you know, cyber security and, you know, malware and, you know, worms, this whole world of malware never really crossed over into the physical realm until someone put together a piece of malware that made a generator operate at an RPM that it wasn't supposed to be operating at, and then it explodes over at Idaho National Laboratory. Right? And there was some general there that was watching it. And I I don't know if it was Keith Alexander.

It was someone someone important was watching it, and it was like a light bulb, you know, that that came on in their head. I was like, this is this has real world implications. That was like the first time that they ever really, you know, tested it out and whatnot. And then you fast forward, you know, probably ten years.

Right? And we we saw it again with like Ukraine's power grid when Russia first first invaded. Right? The very first thing that they did was take over those computers and, you know, they were they were operating the mouse and going through everything, shutting things down and they had no clue what was happening.

Luckily, because of how their power grid is, they're used to manually operating it but god forbid that happens in America. There's like no chance that we would be able to efficiently and effectively manually start operating the power grid because our digital systems were taken over.

You know, when you think about cyber physical, it's pretty interesting. Right? So like we've, we've lived with denial of service for a long time, right? Like denial of service attacks, product attacks.

But imagine denial of service that it's more of like a physical, a cyber physical denial of service, right? Like if I've got bots, but my bots were light bulbs or my bots were smart devices, right? Smart toilets. If I flushed all the smart toilets of New York in one moment in time, could I actually physically stress the sewer system?

I actually don't know the answer to that question. However, if I could turn on a current draw on a bunch of smart devices at the same amount of time, I do know that I could break fuses. Right. And junction points.

And then there's a question of how long does it take to replace those? What's the manufacturing pipeline even look like? So like they're they're, I mean, the good news is we are taking these sorts of things seriously now. Right.

But the, you know, the bad news, I guess it's just the asymmetry of cyber operations is, in a highly connected modern economy, everything is up for remote control. Right?

Yeah. Yeah. Everything is up for the taking. I feel like people don't people don't really understand that, you know? And even when you go to like, I I spent a long time in, you know, internal security teams for companies.

And it seems like the only industry that, like, fully understands it and doesn't care how much money they have to throw at the problem is the banking industry.

Yeah. I was about to say finance.

Yeah. Not even not even like the the private investment firms, you know, like, they're they're still trying to, you know, cut costs as much as they can and be as cost efficient. I was talking to some people at at Bank of America because they were they were looking to bring me on maybe a year ago. And I was asking what the budget was for for cloud security.

And they were like, you don't ever have to worry about what the budget is. And I said, well, why? And he said, the budget this year is one point five billion for cloud security. It's like, there's literally no cost that we, like, even blink at.

And it makes sense because they they understand like, oh, if, you know, if Bank of America, JP Morgan Chase get breached and I mean, they have everything. They have your mortgage. They have your social security number. They have your address, your phone numbers.

They have your entire identity history. Right? Because how often do you change banks? I mean, I changed banks once fifteen years ago and I haven't even considered changing one time since then, you know?

Well, they're they're also like beyond just like consumer banking. Right? They underwrite they underwrite the transactions that drives the entire economy.

Right.

So like with that, the, the, the thing that's really easy to forget is, you know, the size of the economy is not based on raw dollar value. It's based on like the velocity of money and transactions itself. So like slowing things down is actually harmful. Right?

No, it makes a lot of sense. I mean, there's a reason why people don't go and buy things with gold, you know, like you still have to convert that gold. Like it has value, but you still gotta go and convert it to dollars and you're probably not gonna pay for it with cash. Those dollars go into a bank account, you know?

Like, it it makes things a whole lot more streamlined. Like, I'm not gonna go to, you know, some online web store and try and give them a gold coin. Like, that thing doesn't it doesn't even exist in the real world, you know? Like, it's a digital store.

But that that that's a really good point that it's it's more about, you know, high speed frequency of the money that's actually changing hands rather than the physical dollar itself. I never thought about it like that. I think I've I've heard it before for sure. I just didn't think about it like that.

You've definitely heard it. If you've ever taken an economics class, they call it money velocity.

Yeah.

But it's easy to you you're not in that space.

It's easy to forget. Right?

Yeah. Yeah. I mean, you know, I actually I took economics, and I I was one class away from getting my minor in it when I was doing my bachelor's. I'm still kinda frustrated that I didn't get that I didn't get that that minor in it because I was literally one class away.

But it was really fascinating to me. I don't know. Something with numbers. Right? Like, I I feel like if I had to do my bachelor's over again, it would be in math, honestly.

It wasn't necessarily the easiest for me but, you know, there's something with math that's very elegant where you can go forwards and backwards with it. You could start in the middle and go to the end. You can start in the middle, go to the beginning.

Again, you know, like if you really understand how everything is working together, you can do that. When I grasped that, you know, in my mind, it was it just like opened the door completely in a new way to me that was like, this is like really interesting, you know? And if I had to go back and do it again, I I totally would get my degree in math and I'd probably be in in cryptography now.

Yeah. Well, I mean, math underwrites everything we do. It's useful and valuable to know.

Yeah. Absolutely. So where do you see the identity space going? I mean, it sounds like Beyond Identity is already operating in kind of that futuristic area of IAM overall. Where do you see it going from here?

So I really do think the future of security is identity. And I think it's borne out, at the fifty thousand foot level, it's borne out like the gross statistics. Like most security incidents are identity failures. I think they're actually preventable, right?

Most of the industry is focused on detection and response, but now that everybody's got an HSM in their pocket or on their device or on their drone, we can actually prevent some of these forest fires from ever happening in the first place. Right. Which means it's cheaper, it's faster, it's better. We get better outcomes.

We can shift and work on a new set of problems. This doesn't change just because the computing platform changes. So the way you solve it for a human is actually not unlike the way you solve it for a drone or for an agent. For instance, I want to know what agent is running on what machine with what posture, and I want to know what model it's running.

And traditionally we might think of a user as like what user on what machine with what posture. And for the user, we'd think about like what factor do they possess? What are they, right, like a biometric? Or what do they know, like a knowledge?

And how do we do that with an agent? Well, agents are programs and programs can, you can think of programs as being biometric. A program is a running process that's loaded from an actual file.

That file is traditionally signed by the OEM that gave it to you. You can actually run those comparisons. You can decide if you trust the loader.

You can trace the process through the loader back to the EXE. Like, all of this can become part of a quasi checksum for even unlocking the HSM key that proves the identity for that particular agent. There are ways of doing device bound hardware backed multifactor agent authentication that actually are almost the same way that you buy a cup of coffee with Apple Pay or Google Pay. So I, you know, think the, I think where we're going in security is identity is gonna play a deeper and bigger role.

Identity is the only thing that sees everything. And I think the, the, the explosion you're seeing in agents right now is gonna prove that out even more. The easiest way of understanding what your people are doing with identity, what services they're plugging into their agents, where they may even be exposing data leakage is actually the identity system, right? 'Cause the identity system can offer trusted MCP servers, trusted data servers, trusted vector DBs to the agents.

They can offer trusted models or vetted models to the workforce, right? To make sure that, you know, you're helping the workforce as opposed to impeding the workforce. So, I think the future of security really is identity. And I think these new platforms, whether it's drones, humanoid robots, or agents are really just carrying the same old problems forward.

Like, you can't, you've gotta, you've gotta like reassess how you solve them. And changing the equation, moving from these symmetric credentials to immovable asymmetric credentials is kind of the first step in that journey.

Yeah. Yeah. No. That's very true. I totally agree with with everything you just said. You know?

Like, the cloud kind of put it at the forefront, right? Where identity is now the perimeter of your security environment. It used to be able to think of it as like your firewall, but now everything's identity based. If I want to get into your environment, it's literally a login screen and hey, now I have access to your environment.

Right? I mean, was it the MGM hack or the Caesars hack? Was someone just calling up the help desk saying, hey, I'm locked out. Can you reset my MFA and my password?

Yeah. It was just a login. You know? It wasn't it wasn't, hey, I'm gonna go and probe their firewall to see what ports they have open, you know, get in and redirect some stuff and whatnot.

It was identity based.

You no longer have a network. Right? You have the Internet.

And the only way the only thing so if if you no longer have your network, if you only have the internet, then you've gotta start thinking in like control plane or like overlay sorts of things. Right? And the only natural overlay you have across your organization is identity. That's it.

That really is it. Everything else is almost artificial. Right? Like you could say, well, I'll I'll construct a network overlay.

I'll force everything to that network overlay. So I have visibility and you, you can do that. It won't work for everything. It'll be expensive and it'll give you network issues, but identity is already there.

And if you're using an identity system that actually uses device bound credentials from the device they're working from, right, not pull out a second device, but like from the device they're working from, you can also comment on the security of that device. You can comment on its control and data plane without actually having to to to carry the burden of its traffic.

Yeah. It's a really fascinating area. And, unfortunately, we're at the top of our time here, and I'm I'm trying to be very conscious of, you know, the time that I set. Right?

I know everyone's so busy, and I'm probably unfortunately gonna go jump into more meetings after this. But, Jasson, I I really do appreciate you taking the time to finally come on the podcast and talk about this. I I would love to have you back on for sure, you know, talking about new product evolutions and stuff that you see in the space. I think that'll be great.

Absolutely. Well, thanks for having me.

Yeah. Absolutely. Well, before I let you go, how about you tell my audience where they can connect with you if they wanted to connect with you and where they could find your company if they wanted to learn more?

Yeah. So I'm easy to reach. Hit me up on LinkedIn. Our website, Beyondidentity.com, hosts and talks about almost everything that I've mentioned. Also Claude and ChatGPT know a lot about us as well. So they can they can give you some context and and point you at some of our materials as well. But yeah, hit me up on LinkedIn or even X.

Awesome. Well, thanks everyone. I hope you enjoyed this episode.