Strong Authentication is the Nexus of Zero Trust
Listen to Patrick McBride, Chief Marketing Officer at Beyond Identity, and Marcos Christodonte II, Global Chief Information Security Officer at Unqork, about how zero trust and strong authentication work together.
Hello, and welcome to yet another episode of "Cybersecurity Hot Takes." It's me, your host, Reece Guida. But today, I'm not gonna be on the episode. Instead, you'll get to hear from the bright mind of former Gartner CISO, Marcos Christodonte, who is now with Unqork, a no-code platform. He's in conversation with our CMO, Patrick McBride, about this hot take, "Strong authentication is the nexus of zero trust." Keep listening if you'd like to hear their conversation. And as always, don't forget to like and subscribe to the podcast. Thank you.
Hey, it's great to see a bunch of faces actually in person. So, welcome to day one. I'm Patrick McBride, and today we're going to be talking about the "Nexus of Strong Authentication and Zero Trust." And apparently, that's a good topic. They moved us up to a bigger room. So, thanks for joining Marcos and I. Just by way of quick introductions for both of us.
I'm the chief marketing officer at Beyond Identity. I'm probably best described as a reformed analyst. I sat in that seat for a while. I also sat in the seat of a CIO and a CISO, so I've kind of sat on your guys' side of the table, but I spent, you know, the last decade or so on the vendor side, or the dark side, as some of my former CISO friends like to call it.
I am delighted to have the draw here. I know you guys didn't come to see me, but we've got Marcos Christodonte who is the global CISO of Unqork. And I'll have him tell you a little bit about that in a second. But Marcos was the former CISO at Gartner too, so pretty familiar with this setup as well. And I'll have Marcos do a little bit of introduction of himself and Unqork in a second.
Just by way of introduction, I wanted to give you just, you know, five minutes intro to what Beyond Identity is and does, and actually hit a couple of announcements. So, we like to think of ourselves as the absolute strongest multi-factor authentication on the planet. So, in our case, it's passwordless and...
I guess, we'll get another slide there. Hit the arrow. Yeah, we're good. I'll come back to that in a second. So, yeah. The strongest multi-factor authentication on the planet. And we couple that with what we think is really the best user experience.
And those are two issues that we tried to solve, you know, really put the security in MFA and make it super usable. And we'll come to this slide in a second. You can kind of think of us maybe as a FIDO solution on steroids. We leveraged FIDO where we can, we filled in a lot of the gaps for use cases that FIDO doesn't yet address, and then we've extended authentication to be not just user authentication, but also to be device authentication and device trust.
So, we include kind of all those things when we're talking about that. We do that… Really, kind of our core technology, and we'd be happy to talk to you about this at the booth, is cryptographically tying the user identity to the device. And that single thing gives us a couple of really interesting properties. First of all, with cryptographic certainty, we can know who the user is.
And with cryptographic certainty, we can know that they're logging in with the device that we've authorized them to log in with. We don't stop there though. We also check the device, a bunch of security posture settings, and make sure that that device meets your security policy before you let the device in. And that's an interesting side case that people don't always think about.
Certainly, understanding the device security posture is an important thing. But even, you know, with traditional MFA, I can go to pretty much any workstation, say, the hotel lobby computer, and log in, get my push notification or get my SMS code, and I'm off and running. We all know in cyber security that that machine is likely malware infested.
So, you know, whether it's that or the coffee shop or any other thing. And then the same thing plays out, you know, when we're talking about not just our workers, but also consultants and contractors that need to get into our environment. And we can't necessarily install all of the security controls there, so can we also have some evidence that the device security posture for that device is appropriate?
So, we do all those things for a combination of your workforce, so, your employees, consultants, contractors, etc. We do that for the CIAM use case, the customer or consumer-oriented use case. And we actually do that for your DevOps teams as well. And there's some really interesting use cases in there that we'd love to talk to you about. I've got two kind of…before I jump in and sit down with Marcos, I've got a couple of, you know, cool announcements that we've actually came out with today.
First of all, we announced the general availability of our continuous authentication. So, the things that I told you, high trust in the user, high trust in the device and checking the device, we do that at every authentication. That's not continuous, not certainly in the way that Gartner defines it with CARTA and things that you might have read about. So, now our cloud can pull that device at 10-minute intervals, check all those same dozens of security policy and security posture settings and make sure that the device continues to meet the security controls throughout the day.
So, it's not a set it and forget it, you know, kind of thing. We just let you in and then, you know… Because anything can change. You can change... You can turn off your biometric, you can turn off your PIN code, you can turn off your firewall. Lots of things you can do on the device to take it to a posture that you really wouldn't want available. So, that's something we've just added...or actually, that's something we've just GA-ed. We've actually had it in kind of early release status for almost a quarter now because, listen, if you're selling front doors, you got to make sure that they open and work, and so it was worth a whole lot of extra testing for that feature.
So, super excited about that. I know Marcos is excited about that one as well. Secondarily, we also added an integration with CrowdStrike. We just dropped that, you know, from our engineering team today. It allows us to do a couple of really interesting things to really put some meat behind the zero trust. First of all, we can check for the presence of the CrowdStrike Falcon agent, make sure it's installed and running on the devices as part of our authentication check.
But we can also now check the zero trust score. Many of you may know that CrowdStrike agent is providing a zero trust score depending on the device. And we can pull that and leverage that in our policy engine so you guys can set thresholds in making sure that the device is above the zero trust threshold that you want. And then thirdly, if anything happens, whether during the authentication transaction, we find some issue, the device isn't meeting security posture, or in one of the continuous auth transactions, we can now quarantine the device.
We would do a call-out to CrowdStrike and have that device quarantined. So, a lot of you understand the idea that identity is the new perimeter, but it's really a bit of a misnomer. It's the identity and the device. Those are the two things that the bad guys go after, and so the things you protect. And that's what we're in the business of doing. This slide, I'm going to be a little bit controversial with. I'm a fan of MFA until I wasn't.
Traditional MFA was perfectly fine until it wasn't. And the issue is right now a lot of the MFA, the vast majority of MFA out there is insecure. I don't think a lot of your users jump up and down and say, "I love grabbing my extra device, grabbing PIN codes out, you know, hitting the push notification," all those kinds of things to log on.
And it's missing that device access control piece. It doesn't do that as part of the authentication transaction. It wasn't designed for that. I had a really nice argument with Ant Allan at one time, one of the Gartner analysts, and we finally figured out we were talking past each other and he told me, "But Patrick, you know, MFA wasn't designed to do that." And I said, "Yeah, you're right, but it should as part of a serious authentication regime." And you don't have to take my word, you know, for the MFA that's out there.
This is pulled directly from the January 26th zero trust document that OMB put out, you know, with obviously a lot of input from the CSA and a lot of input from the NIST folks. All the modern or all the traditional MFA that's out there they basically threw a lot of cold water on. And it's not...wasn't just in… This wasn't an issue with just, like, sophisticated nation-state actors.
This is, as they say, you know, in their words, the attacks can be fully automated and operate cheaply at scale. So, this is right in, you know, the wheelhouse of financially motivated attackers as well. So, bypassing the password, we all know is easy, but now a lot of the MFA out there is barely a speed bump.
So, that's where we come in. So, with that, let me sit down and…since, you know, we've had the chance to work with Marcos in the past, I know two things about him. He would never say. He's way too humble for it. But he's a badass CISO that's very forward-leaning. And as we've had a chance to work with him, I just wanted to get him on stage and, you know, it's much more important to hear from him exactly what's going on. So, first of all, why don't we start with a little bit about Unqork?
Sure. Thank you, Patrick. So, I'm Marcos Christodonte. I'm the CISO at Unqork. Unqork, we are a no-code enterprise-grade SaaS platform. So, essentially, we're allowing companies to build out enterprise-grade applications without writing code. I know there's a lot of talk and dialogue about that, happy to go into it.
But we serve customers in financial services, healthcare, federal government, and also insurance. A bit about my background. As Patrick mentioned, I was at Gartner for about four years as our global CISO. Prior to that, I spent some time in financial services. I was a consultant as well. I also spent some time in the military, all focused on cyber security.
Awesome. So, he also is, like I said, he is humble, he wouldn't tell you that Unqork is also a badass company with a unicorn valuation. They're really doing some things right and growing really fast. So, pretty interesting story, definitely worth looking into. Since the title of it is this idea of "Nexus of Strong Authentication and Zero Trust," kind of how do you think about that?
Sure. I think, first, I would say I've always shied away from buzzwords. It took me a while to even use zero trust in a presentation, but, you know, similar to cybersecurity years ago. But I think there's definitely a lot of sort of anchoring on it now across the industry. You look at what you just, you know, pulled up the executive order from the White House. So, I think when I look at zero trust, there's definitely a number of principles that are defined as to what that means, but I think, for me, I sort of unpack it as passwordless, you know, first and foremost.
And I think that both addresses the issue of bad password hygiene, users reusing passwords on their personal accounts, things of that nature. So, I think we've got to get away from passwords altogether. Another aspect is the architecture. How are we ensuring device trust through cryptography, kind of as you alluded to, ensuring that those private keys are stored in a location that's untouchable so that it cannot be compromised, for example, in a secure enclave, you know, the hardware of the Mac OS, the MacBook, or the Trusted Platform Module, TPM, from the Windows' perspective.
So, I think that's a key component. Device authentication, as you mentioned, ensuring that that private key is able to be cryptographically validated. And then I think two other pieces, the aspect of ensuring that we're able to validate the posture, the security posture of that particular application as part of that entire sort of chain of trust.
And that could be things such as, are the appropriate security controls in place? You mentioned file vault as an example. Is the hard drive encrypted? Do we have our expected security settings in place, whether it's a certain OS patching level or whether it's a certain EDR solution? And then finally that continuous verification. And so to your point around the new announcement, which I just learned about today as well, which is great, we've been talking about that.
We shouldn't have surprised him, by the way.
But ensuring that we're not just validating or checking those different controls at that time of authentication of an application, but we're also doing that continuously. So, being able to pull and make certain that that posture is not out of line with our policy is important. So, I think the amalgamation of those things together and anchoring on those zero trust principles is what I think about in terms of that nexus.
What do you think some of the keys to getting that, you know, pulled together and implemented are?
Sure. I think understanding the architecture is important. What are you trying to achieve? I think when I originally looked at Beyond Identity, it was really just trying to understand my requirements. Am I focused on user experience more so than security, or am I heavily weighting security over user experience?
Because there's definitely a user experience aspect to it. The cryptography piece, how does that actually work practically? There are some… I'll just be frank. There's some vendors that are out there that they don't rotate the keys at that time of authentication. And so, you know, some were asking me, you know, "How's Beyond Identity doing that?" So, not to make it a Beyond Identity commercial, but I think that's a key element as well.
So, really just understanding those requirements. And what I'm looking for, for me, I was weighing more on the security side understanding how I can use it to upscale the authentications and validate my device posture, and not so much heavily weighing on the user experience or the user interface side.
It was interesting when the zero trust article came out, and like a lot of folks I was reading through it, and I was kind of surprised, to be perfectly honest. I go back to the early NIST documents and I've read kind of most of the 800 series that many of you have probably gone through. I was surprised in two ways. First of all, that was a pretty well-written document. If you haven't pulled it, it's, I think, really… It's not just sleepy time reading, which most of those documents are.
It's quite good. And I was really surprised, and I'll get your take on this, that they actually called out, you know, some of the MFA thing, you know, that they actually went all the way there and said that, "You can't use this." I assume that the CISA must have had, you know, an impact on that. I know they're watching, defending, you know, all the systems there, but I was surprised of two things, A, that they called those things out, but they also told the federal agencies that they had to make that change in two years.
Heck, the Feds, you know, pardon for any… A lot of great people at the federal agencies. But getting an agency to roll over in bed in two years is hard enough. And so that was pretty interesting. But I'd be interested in, you know, you've been a fan of MFA for a long time. You've used it before. What do you…
So, the way I think about it is, you know, MFA is table stakes today, in that, you know, you've… I think about it like health. You've got to eat your vegetables, but you can't just eat your vegetables and be healthy, you've got to also exercise and have, you know, other factors.
Wait a minute. I got to exercise?
You do. You do. But, again, it's table stakes. And so I've actually been burned by MFA and that, you know, you rely on it almost as a silver bullet, but, you know, users sometimes get an unprompted MFA push and they accept it. I'm sure that may have happened to others, but it's definitely happened to me. So, you get that over-reliance on it.
And I think, again, it's good, but it's no longer enough. So, for me, it's about ensuring that you're able to have that passwordless experience. You want to remove the need to use a password at all, but then, again, validating that device from a device trust perspective, constantly authenticating that device and the security posture of it as well so that way we're not relying on what I think is kind of almost old school, it's not been that old, but almost old school, traditional MFA at this point in time.
Right. So, you know, when you started looking around, you know, what problem were you… You've mentioned a couple of those problems. You were trying to solve anything else, and you had also mentioned the kind of the edging towards higher security or user experience. How did those requirements look, you know, for you when you were looking at that?
Sure. Sure. I think, for me, it's… So, Unqork, we're cloud native. We're remote first. And so all of our employees are, you know, wherever they live. I moved actually when I went to work at Unqork. And so understanding that and the fact that, you know, as we use an IDP that's also in the cloud, while they also have an MFA, I wanted to make sure that I can couple it with all those other requirements.
And so that was what I did. I sort of unpacked. What are the things that I need, whether it's the passwordless, the device authentication aspect that I mentioned, the device posture checks? And then there's also a level of just understanding the roadmap as well. What's the future looking like for that particular company?
Are they thinking about things like continuous, you know, verification? Are they… We talked about the cryptography piece as well, so another key component. So, I think, you know, just understanding those requirements is really what I looked at when I was weighing the two. The one thing I would say that's probably interesting and I'm sure everyone's experienced this in the past where, you know, you have a POC, I think that's very indicative as well of kind of the rollout.
And for me, the POC process was very smooth. We went through it really well and it was not bumpy, whereas some of the other POCs that I experienced similar solutions that are out there, it was quite bumpy. And, you know, maybe it was the engineer and so forth, but, for me it's all about putting your best foot forward within those POCs. And so that's, I think, what really tipped the scales for me as well.
Yeah. Hopefully, it's a combination of our engineers and our tech, which we spent a lot of time kind of… That was one of our design principles. I mean, just to make it easy to implement and working with the IDPs and things like that, that had to be, like, you know, job one, two, and three, it had to integrate with the rest of the tech stack. So, I'm glad you actually found it to be true.
What kind of caught your eye? When you looked at a bunch of stuff, you know, what really caught your eye about what we were doing, you know, that, you know, made us unique?
I would say two things, one, the cryptography. I know I kind of mentioned that already, but that was a key piece. Again, there are other solutions they use static keys as opposed to rotating those keys. Using that asymmetric encryption, cryptography was a big factor. So, the security strength was a big component.
The second component was integrations with security tools that I used from an EDR perspective. And so being able to make certain that that particular solution was in place in that the settings that I've set from a security perspective, from an OS perspective, from a patching level perspective was also there as well. So, a lot of flexibility from a policy standpoint.
That was one of the biggest tipping points for me as well.
How did the implementation go? I asked him this question before because my dad's a lawyer, he says, "Don't ask any questions you don't already know the answer to." So, this is a…
Yeah. From an implementation perspective, my goal was about 90 days, so rolled it out in about a quarter.
We did run into some bumps from a reporting perspective, so ended up getting to about 90% in about four months. But overall, I was pleased with the rollout.
And you had… There was… Every time you, you know, work with customers kind of in the wild, they tend to use your tool a little bit differently than you kind of rolled it out. They always find some unique things. You were mentioning the other day that you were using it to find some…to actually monitor some things that, you know, we didn't really kind of think about it from an engineering perspective.
Sure. Yeah. I think that speaks to the policy and the flexibility of the policy. One of the things that I wanted to do was kind of turn everything on right away, meaning is my EDR present? Do we have file vault enabled because, you know, we're a Mac shop, so is that hard drive encryption in place?
Etc., etc. And so as part of that, I just said, "Hey, you know, my technology team is telling me that all these controls are in place and we've got, you know, metrics and so forth that are telling us that that's the case. So, I'm just going to turn on all these policies day one and see how it works." And so we absolutely had some authentications that were not successful, let's just put it that way. But it was good.
So, that then informed me that, okay, well, something is not right with reporting. Some of the metrics that we had, for example, some endpoints that did not have firewall enabled but we thought it was enabled. So, it was a good kind of check.
For the CISOs in the audience, they've never had that problem, by the way. All the other guys, their environment is perfect and when they plug stuff in, it works exactly as predicted, right?
For sure. Absolutely.
Yeah. It's almost...you know, there's obviously a lot of tools as we thought about, it's almost like years ago at another vendor, the team and I would actually bartend at the party that we threw and it was kind of because everybody would come to the bar. You're going to get a chance to talk to everybody if you do that. It's a little bit like authentication. Everybody is going to come through the front door at some point. If you can check them when they're going through the front door, it's probably a pretty good…and check their device, it's a pretty good idea.
We wanted to save…we've got a couple of minutes to save for the audience. We definitely wanted to get… So, I can do raise of hands. I don't know if we've got a Rover mic, but if you do it, I'll go ahead and repeat the question. Definitely wanted to get some, you know, whether it's zero trust writ large, or authentication, or any of those, we'd be happy to take some from the audience.
What is the feedback?
Yeah. Great question. So, users love the fact that it's passwordless. That was first and foremost. But from a… Because we're remote first and cloud-first they're now asking for more, so they're saying, "Hey, this local laptop password, you know, can we get passwordless for that as well?" So, it's been a positive sentiment.
And actually, that's one of the things I'm also waiting on is that desktop login, which is you probably can speak to kind of timing from a roadmap perspective. But, absolutely, users have been very positive on it. I think the upside is the fact that you can allow authentication and enforce all of those different policies that I mentioned, but without the user knowing is important and effective from a user experience standpoint because they don't know that, you know, I'm checking for file vault and EDR and things of that nature.
We had one in the back.
I think the way we thought about it when we were going into… There's a couple of comments on that.
First of all, if you think about zero trust and the nexus, it's check every time. And we've always had this as security professionals, you know, and not unique to MFA, not unique to identity, but we've always had this issue where it seems like every control we put in a place, it made the user experience go to crap. And in the last couple of years, you know, I've monitored a lot of CISO events and discussions, and I've been shocked at how often user experience comes up, like, you know, off the bat, I don't even ask about it anymore.
So, being able to have security and the user experience is important. And in this way, thinking about it with zero trust, you know, if people turn it off or your execs don't want to use the MFA that you've given them because it's just kind of a pain, they'll find other ways to get around stuff.
And we know that. Our customers and our users are quite creative, and they'll either go around it or if they're customers and it's not a workforce scenario, they just won't turn it on. I mean, think the traditional MFA, you know, token things are in the low 10%, 15% implementation. The only place where you've got relatively high implementation of MFA is in financial services, banks where they're requiring it, require you to turn it on, but, you know, for most of the other applications, you know, user community just, you know, avoids it because it's… So, if you can solve that trade-off piece, you can do some really interesting things.
I think that's generic to security if we engineer user experience into all those things. And that's where we started. So, you know, checking multiple factors, in our case, it's a biometric or a PIN code that's both stored in the TPM, as Marcos noted. And then that other factor, we actually do a cryptographic exchange to public-private key crypto, you know, kind of an exchange, so you don't actually have anything moving across the network that can be phished because that's the security part of it.
A lot of the stuff you can either socially engineer somebody to do, as Marcos noted, and as, you know, a lot of CISOs noted to me, they've… And actually, stories that I can't actually share, but, you know, the CIO or the head of operations, you know, getting a push during the dinner, you know, meal and just saying, "Yeah, whatever. Yes." And thinking one of his, you know, employees is trying to get into something and he is just helping him out and, you know, that didn't end well, obviously.
Or, you know, any other codes. A lot of the codes you can either socially engineer or just phish. You know, with a reverse proxy kind of thing, they're just easy to pull off the network. Any other questions in the audience? Yep.
Is your solution more geared towards the employees, internal employees versus external customers?
A great question. So, the question was, is ours geared more towards the internal employees or customers? We started with the workforce, you know, the way that Marcos is using us, you know, directly. But the platform is the same for the customer experience piece too. We launched, you know, perfect honesty, from the head of marketing, you know, by the way. We launched our CIAM, you know, consumer product, very early on purpose, we just wanted to get something out there and get a lot of feedback from people.
And we learned very quickly. One of the things, you know, that we have on our platform, you know, Marcos and the teams, they either send it out via, you know, your MDM or software distribution kinds of tools. We have an agent that runs on each of the platforms that you're authenticating in and that's how we can pull all those signals. And that became very clear that, you know, a retail outlet wasn't going to have a two-step.
You got to download the retail app and then you got to download some other authenticator. So, we really weren't ready for that market for a while until we actually had built that into an SDK and an API that they could incorporate into their app. So, there was some use cases that we didn't meet the mark for, user experience and security. The security piece was there, but the user experience was.
And we kind of early released it and then iterated, but now we're in full release and we support both of those. You got to… This is something that you're not using from us, but I'd be interested in, you know, if you guys are looking into the whole DevOps, and, you know, are you looking into…as a CISO, just in general, are you looking into those environments, and worried about that or not?
Potentially. I know there's a… I know we've talked about exploring that with the others that code signing aspect, so to validate code providence. Who actually, you know, checked in a particular line of code and making sure that it's tied to the user experience that they see today from Beyond on any perspective. So, I have not explored that one with you all yet, but I know that's another added use case that you cover.
Yeah. We did that for both the engineers and developers. It was actually one of our other customers that came at us and said, "Hey." Also a deep forward-thinking guy, really understood the architecture, says, "I got another problem. I got my engineers submitting code, you know, either pulling it down from the repo or submitting it from kind of any machine. And I don't want him to submit it from any machine. I only want him to be able to, you know, commit code into our repository from machine that, you know, I've issued and I know has all my controls on it."
So, all the same things that Marcos was saying, he wanted to bring to his engineer. And as Marcos said, he says, "Oh, by the way, you can also fix this code signing thing because we've got a bunch of different keys and, you know, we see in our repository Mickey Mouse and Goofy and Donald Duck submitted code. We don't know who the hell actually put it in there. And even if we find something like with one of our scanning tools, you know, post-facto, we can't really trace it back to who put it in there."
So, when you get kind of a core tech out there and, you know, roll with it, you end up…your customers are pretty ingenious people and they push you in different directions. A lot of that, by the way, I didn't mention in the beginning, so, in kind of the Beyond Identity intro, it's not surprising that we're using public-private key crypto.
Our founder is a guy named Jim Clark. You may remember, at least the gray-haired guys and gals like me, Jim founded a company called Silicon Graphics and then he went on to hire a couple of engineers out of the University of Illinois, and put them up in Silicon Valley and they invented…they created Netscape. People think about Netscape as a browser company, but they tend to forget the part that they invented SSL, Secure Socket Layer, which we all know now as TLS and the lock in our browser.
And so we're using a lot of those fundamental principles of that tech in the environment. We use FIDO where we can because, you know, they've done some really nice things there, but in many places that, you know, just they haven't solved all the use cases. Any other audience questions?
I love the idea of continuous authentication. My question is, are you authenticating the device at a different rate than the user? Because I can see where a device might change every 10 minutes, but a user, unless he actually goes away, which is bad on him, it probably shouldn't. And I can see where a user would get really annoyed if he has to punch his PIN every 10 minutest.
It's mostly… Yeah. They don't have to punch in their PIN. I mean, actually, let me say, that's by policy. If you want your users to punch in your PIN into a step-up authentication every 10 minutes, you can do it. Not our recommendation. You're probably going to have the users coming at you with pitchforks, but, yeah, we're taking mostly a look at the device security posture on a 10-minute basis and seeing if it still passes policy.
I'll give you one really interesting use case. And this is, you know, some of the reasons they want it. Somebody logs in today, you know, with their MacBook, you know, like in your environment. They put their biometric on. We do the key exchange on the backend, so we've got those two factors. Check the device and everything is hunky dory, and then they turn their PIN code off, you know, in the Apple console and leave the thing in a cab. Probably a bad idea, right, because now, you know, not only they're already logged in, they've got access to all the cloud-based applications.
So, in 10 minutes, we'll check that device again, find out that it's, hey, you know, somebody turned off their primary authentication device or the authentication method, and then we can quarantine it or do what we need. But yeah, the concept is not trying to bug the user every 10 minutes. There's behavioral things that we can look at under the cover. So, you know, travel and impossible travel, and things like that also are user elements or user behavioral things that you'd want to look at.
But yeah, a lot of that's… The continuous pieces authenticated is re-validating the device still meets policy.
They're waving at us saying we're out of time.
Oh, okay. Here we go. I'll take it up here. Thank you, everybody. Really appreciate it.