Identity in Organizations is Too Entrenched to Warrant a Rethink
Join our host Joshua Gonzales, Beyond Identity's CTO Jasson Casey, Product Evangelist Nelson Melo, VP of Product Strategy Husnain Bajwa (HB), and special guest Eric Olden, CEO of Strata as they discuss identity in organizations and how that affects cybersecurity.
Hello, and welcome to the "Cybersecurity Hot Takes" podcast. I am Joshua Gonzales, your host for today's episode, normally the podcast producer. However, our esteemed host, Reece Guida, is off traveling the country, conquering the world. But don't worry, she will be back.
But today it is me. And we have a very, very exciting episode for you today, featuring Eric Olden, CEO of Strata. And also with us today we have...
And Nelson Melo. Who are you, Nelson?
I'm a founding engineer.
Nice. And we also have over here on this side of me...
Should I continue the broken introductions?
Jasson. And, Jasson, what is your role here?
I'm the CTO here at Beyond Identity.
Nice. And then lastly, but definitely not least, we have, joining us all the way from Austin...
I'm HB responsible for product strategy here at Beyond Identity, and, hopefully, getting Jasson to speak closer into his mic.
Awesome. Perfect note. Yes, let's get that mic closer. All right. The little production heart in me is so happy. Thank you, HB. So, actually, HB is going to kick off the conversation today with the hot take.
HB, why don't you lay that hot take on us?
Yeah. So with Eric here and everything, it just seemed like a good moment to talk about identity in organizations and, sort of, prevailing opinions that might exist within a lot of folks who work in this space that especially in large organizations or more mature organizations.
The technologies and solutions that they have in place are too mature and entrenched to be reconsidered from scratch or transformed significantly, regardless of what's going on in the industry right now. And, yeah, that was the topic that think we'd like to start off on.
Yeah, well, I think it's a great topic. I live it every day, and I'd imagine the rest of the crew here sees it as well. You know, I think there's a, the couple things I'd mention on that. One is that the way that you describe that sounds like kind of a nice positioning of lock-in, and the way that vendors that have, for years, have kind of held their customers captive with legacy technology.
And, you know, this coming from someone who formerly ran the Identity and Security Division for Oracle, I know a lot about enterprise software, know a lot about legacy, and I also know a lot about the software life cycle. And as products initially come out, they've got all the great features and functionality that's cutting edge at the time.
But in identity, this has been going on for over 25 years. I started in identity in 1995 with my first company, Securant, and there are still shops that run ClearTrust today which is shocking. And, you know, I think a lot of what we see customers asking for is a way out of that lock-in as a way to say, "Look, we can't abide any longer with the status quo."
And so they're looking for ways to break out of that. Now, the challenge is that most of the time, that meant you have to rewrite your applications. And if you are a big enterprise, and you've got hundreds or thousands of applications, that's a nonstarter.
Typical cost just to refactor your identity interface can go anywhere from $50,000 to $150,000 per application. So if you're trying to look at a digital transformation and move to the cloud, you have to. You have no choice but to find a way to move from the legacy to the modern, and fortunately, there's new technology that is out called identity orchestration.
And one of the things that I think is kind of funny is my company, at Strata, we build that software. And one of the first use cases we have is for getting people off of CA SiteMinder. Has anyone here ever had the luxury or joy of working with that?
I say that in jest because it's very difficult to work with. And my company, Strata, was probably the first company that's written software for SiteMinder in 20 years so...
Including CA, yeah. It's exactly, HB. So just because it's hard doesn't mean it's impossible, and just because it's hard doesn't mean you shouldn't try. And, you know, we've really found a lot of success getting people out of that lock-in, so now they can run on Azure. They can run on Amazon. They can run on Google.
Whatever they want to do, they can use great new technologies, too, like Beyond Identity and they can use passwordless without having to change the application. So that's what we're seeing a lot of right now.
Yeah, I think my quick reaction to what you said, HB, to start with is I'm too entrenched, therefore, I don't want to move off almost kind of belays the fact that we're not actually getting security results out of our existing identity stacks, right?
If we were, 70% to 80% of the security incidents we're responding to would not be valid credentials misuse, would not be MFA bypass, would not be essentially exploiting the fact that most existing identity systems provide almost zero security benefit.
And, in a lot of ways, like, that makes a lot of sense, right? Twenty-five-year-old technology still in use is not reflective of modern cloud transformation, or moving to the cloud, much less cloud-first and cloud-native architectures.
And I think that that's an important thing, that this entire world of lock-in and enterprise software has to sort of be revisited. And the tools are really having a renaissance right now, where we're finally getting the kinds of visual guides and low code tools to be able to do cool stuff.
What do you guys think are sort of the key drivers that really unlock that ability to make changes, and what are the security drivers that we need to be thinking about, particularly on, like, endpoints and sort of the minimum level of security that's available for a cloud-centric world?
Should I take the first pass, or Nelson, or Jasson? Okay. Well, you know, I think Jasson brought up a good point about the security impact. And, you know, what I would underscore is that, if you're still thinking about the cloud with an on-premises mindset, that's the first place to start, right?
Think about the problem that you're trying to solve in a new frame of reference. I don't know who said it, but to paraphrase someone else, you can't think of the solution with the thinking of the problem, right? You got to take a fresh perspective. And a lot of what I'm seeing in organizations today is that, you know, the things that they need are really...they're the same things that they've always needed, but the threats have evolved, namely, authentication, huge, huge area of vulnerability and risk, passwords are the root of it, and we've known that for a long time.
And I sold two of my companies to RSA, so I'm very, kind of, close to the whole, kind of, security, behind authentication and so forth. But the problem that I think the old technologies of multi-factor, they were good for their time, but things have gotten more sophisticated.
So if you could take a fresh look, you'd probably be looking at multi-factor capabilities, like biometrics that are in the phones and so forth and saying, "Look, now we've solved a lot of the complexity because everyone has their second factor in the sense of their phone."
So why don't we reevaluate how and where we can use strong authentication because it used to be such a hassle, and you would only use it for certain things. And that left a lot of attack surface where you weren't protecting it with MFA. So now, if can you say, "Look, we'll get rid of passwords for the entire organization," imagine a world where you don't have passwords in any way, shape, or form, then you would have the security so much more effective.
And that's going to come from identity because it's the identity layer that links the authentication to the applications. At least that's our thinking about it. So I think if we take a fresh look at how to solve security side of identity, I would start with passwords and getting rid of those.
But I'd love to hear what Nelson, and Jasson, and you think about that, HB, you guys live this, I would imagine.
So, yes, this is definitely near and dear to our heart. So, yeah, passwords are certainly a problem, right? And when you peel them back, fundamentally, the reason they're a problem, they're a shared secret. Actually, all shared secrets are a problem. Your JWTs that you pass around like a Willy Wonka magic ticket, that's a problem, too. But we'll come back to that a little point later.
The reason it's a problem, when I pass things between devices, they have to go over connections. They never go to the machine I actually want immediately. They always go through load balancers, reverse proxies, forward proxies, other devices. Every time I go through a piece of software on a machine, I end up with a memory residue. Every time I'm in memory, there's a possibility to swap the disk. There's a possibility of crashing and ended up crashing the disk.
So the surface area of anything that I share, I have no ability to control. It spreads everywhere. So the ability to steal symmetric secrets is fundamental in the concept that they are shared, right? So can I move to something that's not shared, right? Public private key. I can use private key to prove I have the private key, right, digital signatures, but that's not a guarantee that the private key is not moving around, right?
So private keys aren't enough. You have to introduce enclaves. Enclaves, if I create a key pair in an enclave, I can get a receipt. I can get a receipt from that enclave and then I can make a choice. Do I trust Infineon as a TPM 2.0 manufacturer? If I trust Infineon, then there's a protocol that's been reviewed, and I can actually go through it and I can have proof, I can have evidence of a key pair created in an enclave with a guarantee that it can't move, right?
So that takes credential theft off the table. What it doesn't take off the table is signing full attacks, which we're seeing a big rise of right now, right? Anyone who has this much proficiency can download Evilginx2, but there's a bunch of other toolkits, point it at a victim and man in the middle of their connection.
TOTP is vulnerable to this. Magic Link is vulnerable to this. Microsoft number match is vulnerable to this, right? If you are not using modern authentication that actually realizes you can't divorce the identity of a person from the identity of a machine, if you're not using modern authentication that actually joins these two things in a cryptographically sound way, and is actually leveraging this modern trust stack that we have in almost any piece of hardware that you buy after 2016, you're not paying attention.
Anyway, I have some thoughts on that area.
You can tell.
Yeah, it's kind of interesting, when I joined Beyond Identity, I came from a very large tech company that had acquired a company that I had been working for prior that wasn't small to begin with either. And the first thing that I noticed, you know, early days talking to Nelson, was it dawned on me that Y Combinator sometimes says that the difference between a small company and a big company is that in a big company, one no shuts you down, and in a small company, one yes gets you going.
And that's possibly never been more true than Nelson getting one yes from Jim Clark to go off and work on it, and then Jasson getting to sort of run with building it out into a security program. And when I look at a lot of these like lock-in situations with big vendors, I still hear a lot of like, sort of, lamenting and insisting that these are big programs.
But to my mind, like, all of these changes that are happening, the need to integrate a bunch of platforms that need to migrate off of old stuff, it feels like this is a moment where it's hard for me to even imagine what the future for big companies looks like in this space. Like, in a world where one no sets you back and you need to plan one to three years in advance, how is anyone ever going to return to, like, the old model of having these giants sort of controlling identity for, you know, decades at a time with complete lock-in?
I just have a hard time even imagining it.
Well, one thing we see is that in a lot of the merger and acquisition in divestiture world, that is a huge forcing function. Because you have a lot of the politics that you're referring to where, you know, there's a handful of people that, you know, say, "Thou shalt do the following."
And then you've got the pragmatic reality of, "We're going to spin off this division with 20,000 employees and 500,000 customers, and we're going to do that, and we're going to do that by September 30 of this year." So nothing gets in the way of those kinds of things.
And so we've seen that kind of milestone-driven... We have to change. There's no option to not do it because, if we can't pull the systems apart, and break the apps and the users, and be able to move, some go some stay, if we can't do that, we can't do the merger.
We can't do the divestiture. And so that's when you get to the highest level, the CEO says, "Well, we're doing that. So figure out what you need to do and come back to me with a plan on how you're going to do it." And so we've seen those kinds of actions really flip the script in terms of getting the priority. And then people say, "Okay, now let's actually think through how we're going to do what previously would have been easier to kick down the road."
That's when people start to panic, because they realize, "Oh, we've got a lot more applications that we've got to refactor." And there's one company we're working with now, they're big enterprise divestiture use case. And the number of applications that they need to move and modernize is in the thousands.
It's over 2,000. And what they have been doing up until now was taking... They took a year, and they couldn't even get through 100 of the applications. And so now they're looking at a countdown that has, you know, just a couple years.
And they did the math, and they said, "There's no way we can do this the way that we were trying before, you got to take a different approach." And so that kind of opened the door for the innovation that Strata brings to use orchestration to decouple the legacy and allow you to deploy to the modern without rewriting your app. And it, all a sudden, it gets a whole lot of momentum because we can prove it very quickly and get people realizing, "Ah, this isn't smoke and mirrors. We've got production scenarios, and it works, so now let's focus on the divestiture or the acquisition in that case."
So a lot of times you need a big forcing function to change that political inertia.
So put it another way, your driver right now is really kind of like this organizational dynamics change, companies split, companies buy other companies?
Well, that's one very, very significant use case where that happens. Others are like digital transformations where they're trying to move, you know, offline processes online. We do a lot of work with grocery chains, for instance, Kroger, the U.S.'s largest chain, has been one of our earliest customers.
And I would have never thought that we'd sell so much into the retail vertical, but they went through a huge amount of change because of COVID and how people get their groceries. And so I think Andreessen said at some point, to paraphrase, "Every company is a software company."
And when you get to the ones that, you know, 15 years ago, they would have said, "No, we're a grocery chain," or, "We build tractors. We're not a software company," I don't think you can say that anymore. And I think that's the digital transformation where people are realizing how do they go online. And so as they start to do those transformations, they come into, "Well, how do we deal with our customers on a digital basis? How do we ensure those transactions are reliable, and secure, and trusted? How do we manage compliance in a remote zero-trust world, where we can't use VPNs for one reason or the other?"
So, we need to rethink how our workforce does what they do. So, yeah, I'd say digital transformation writ large. But then, in particular, the M&A use cases within that are both very fertile ground for change.
The drivers that we see a lot of, you just hit on one of them, it's probably the same thing. I would have described it differently for us, the the way we got there is some companies going through an audit, maybe they're going public, maybe there's some sort of compelling event where they're kind of reevaluating their existing understanding of worker trust or customer trust. Why do I believe, in fact, I think this software came from Nelson as opposed to someone who just wrote Nelson on the git commit, right?
And when they peel back the onion, they realize they don't necessarily have any sort of audit log that they can stand behind on who really is coming into this machine or the service. And even more importantly than that, what security controls are actually present on the device they're operating from that they're going to pull the data back to? So that's kind of one thing that we've seen.
The other thing that we've seen that kind of, and this doesn't surprise us, but we didn't necessarily plan on it is kind of incident-driven opportunity. We've seen fairly active campaigns by adversaries in the last 12 months focused on some of the big SSO providers. I'm sure you've probably heard about, like, Octopus, and Octopus roasting, and whatnot.
We've also seen various flavors of MFA bypass where essentially, the TOTP or push was actually in place with strong password policies, and a series of important accounts were still compromised and whatnot. And, again, it's actually pretty easy to do the big change now versus before is, "I don't have to build the toolkit, I can just do git clone and get the toolkit," right?
So the barrier to entry is a lot lower. And then, of course, passwordless. I personally try to steer clear of passwordless because passwordless is very much a, it's kind of an end-user experience thing. It's not really a security thing, and many companies define passwordless in their own way, right?
So a password manager that's hiding the password from the end user might describe themselves as passwordless. And it's not really anything like what we do, but, you know, there's a certain segment of the enterprise population that have active initiatives where they want to improve the life of their workers, they want to remove the password from the experience, and it's more kind of that experiential thing.
And maybe they're also trying to cut down on things like account lockouts and password resets. But interesting, the similarities and differences.
I have a question for Eric. I got really curious when you said in your world, what is old and what is new? You're helping customers migrate from applications that are legacy, been there for 25 years, maybe they're using LDAP as an authentication protocol.
Is that the majority of the use cases, or what else is migrating over?
Yeah, I think, you know, the old stuff, if we, you know, unpack that a little bit, then what we see most of the time are identity technologies. And you have to, again, put it into context, early 2000s, where people were getting web access management and WAM systems like SiteMinder and Obelix, now Oracle, ClearTrust, now RSA.
A lot of those things are, you know, really entrenched and are tied into LDAP directories and some SQL databases and things like that. But all of those things are writ large, they're all on-premises.
And if I were to say that the single biggest shift is where this stuff runs, and in the cloud, delivered as a service, that is really kind of the simplified bucket of modern. And so you can parse that a bit more specifically and say, "Well, you know, what are people getting rid of?"
And most of the things, their on-prem or Active Directory. Nobody wants that anymore, but it's so entrenched in Windows environments. They want to get rid of ADFS. And, you know, it's a bit more modern, but still not nearly as capable of what you can get today. So you have technologies like that, the Oracles, the SiteMinders, and so on.
In terms of the protocols, that hasn't really been the problem, right? So if you think about LDAP as a built-for-purpose thing, that was a great protocol. So people still use that. SAML, another one, you know, I was one of the early co-authors of that, and, you know, we built it for a lot of the issues that you mentioned earlier, Jasson, right?
The underlying piece that I'm most proud of with SAML is that it's cryptographically based, right? Your use certificates, don't use, you know, passwords and, and so forth. And we did that in, like 1999, 2000, and that means that we can still use SAML today, right? You can implement anything in the wrong way.
So, I'm not saying just because it's SAML, it's secure. But I'm saying it's got the capability to do that in a secure way. So people are still using these older protocols and standards because that helps them in their agility, their ability to swap out one SAML IDP with another. So that's cool.
But then there's more modern ones. So, for instance, if I were implementing something today, and I wanted federation, I'm going to start with OIDC rather than SAML. Why? It's easier, right? It's just worked out a lot of the kinks and faster. The toolkits are simple. And so we're still doing federation, and we're still can do it in a secure way, but I may use a more modern implementation of federation and switch the protocol.
But it's not a one-size-fits-all thing. That's the other piece that I've noticed. There's a big kind of push around, open source is a given, standards are prioritized. But, you know, there's just a lot of interest in saying, "Well, how do we get off the treadmill?" Right?
Because there's this treadmill, like once you get on it, and you're like working your apps initially to work with SAML, oh, you want to use something else. Or before SAML, there were cookies and all the problems that come with that. So you've replaced that with SAML. And then someone says, "Well, there's a more lightweight way to do it with OIDC." Or, "We want to use pass keys or something like that," right? And so there's this treadmill that people feel like they're stuck on, and I think abstraction layers allow you to get off the treadmill.
And that's really, kind of the innovation that we see, is how to build a layer to decouple infrastructure and applications. And once you have that layer, you can do all sorts of really cool innovation. And that's really where I think our customers are pushing us is, "Let us do what we want. Don't limit our choices to one standard or protocol. Just get us so that we can do what we want, when we want and not have to do anything that we don't want."
Interesting. It seems like some similarities between things that we all see in the industry is everyone wants kind of like an Easy button. How do we make it easy for us to do what we want, make our users happy, make us happy, make us secure, make us...?
You know, I think the solutions that will, you know, implement all of those things and make it easier will win. And I guess we will see how that works out, right?
And I also think that the timing seems to be right, right? Like when we hear about all of these technologies, the confluence of the technologies, and the maturity of cloud, it's time for people to right-size their existing, like, legacy on-premise kind of solutions and think about the whole thing from scratch. And if they need an inventory of all the new technologies that are available to help them out, I think there's a rich startup ecosystem that would love to help them there.
Well, thank you so much, Eric, for being on the episode of the podcast. Thank you so much for everyone listening. Reece will be back, no worries. But in the meantime, be sure to like, share, subscribe. We'll put all of Eric's links in the show notes. And thank you so much for listening.