November 8, 2024
EP 65 – Machine Identities, AI and the Future of Security with the ‘Identity Jedi’
In this episode of the Trust Issues podcast, host David Puner and David Lee, aka “The Identity Jedi,” delve into the evolving landscape of identity security. They discuss the critical challenges and advancements in securing both human and machine identities. Lee shares insights on the fear and misconceptions surrounding AI, drawing parallels to pop culture references like Marvel’s Jarvis. They explore the potential of autonomous AI in monitoring and managing security tasks, emphasizing the need for real time data analysis and context understanding. The conversation highlights the importance of providing context on both human and machine sides to enhance security measures. They also touch on the role of investors in the identity security space and the need for better storytelling in the industry.
We don’t know what we don’t know. I’ve heard that quite a bit recently, including a couple of times in today’s episode. It seems almost like a Yogi-ism, as in Yogi Berra, the late Hall of Fame New York Yankees catcher, and coiner of sayings like, “Nobody goes there anymore; it’s too crowded.” It contradicts, and it’s also somehow true.
Yogi was sort of an inadvertent Jedi wordsmith of sorts. Today’s guest is a self-proclaimed Jedi, David Lee, aka the Identity Jedi.
[00:01:00] In our conversation, we get to the bottom of what we do know and what we don’t know about the complexities of AI in identity security and many other points related to the past, present, and future of identity management.
Thanks to David, who’s been in the identity space for a long time and has worn several hats. Now, among other things, he’s the host of the Identity Jedi podcast and a sought-after speaker.
So, why am I talking about Yogi Berra and Yogi-isms? Well, we recorded this episode right before the start of this year’s fall classic—baseball, that is. And at the end of this episode, David and I, a Los Angeles Dodgers fan and a Yankees fan, make serious predictions. And let’s just say mine was very incorrect. The cyber lesson? Just like basic cyber hygiene, you can’t win if you don’t execute on the fundamentals. And you can’t know what you don’t know.
[00:02:00] Congrats to David Lee and all you Dodgers fans in B2B land. As Yogi Berra once said, “The future ain’t what it used to be.” Here’s my conversation with David Lee.
[00:02:30] David Puner: David Lee, the identity Jedi. Welcome to Trust Issues. Thanks for coming on the podcast.
[00:02:36] David Lee: Oh, thanks for having me, man. This is, uh, it’s, it’s, it’s an honor to be here. I, um, when you sent out the message, I looked it up and was like, “Oh, man, they’ve had some good interviews on here.” So I’m honored to join the list of interviewees who’ve been on Trust Issues.
[00:02:51] David Puner: We are super excited to have you. And I guess maybe to start things off, because the name, the moniker kind of calls for this, when did you start thinking about identity, and how did you become the Identity Jedi?
[00:03:00] David Lee: I started thinking about identity 20 years ago. I mean, it was by accident. I got assigned to a project that called for J2EE developers.
My background’s in computer science. I’m a software engineer by trade. So I came into this project thinking, “Hey, I’m going to build this cool system. I get to flex my development skills.” And instead, what I got was Sun IDM, right? The architect walks in, places these books on my desk, and goes, “Hey, I need you to read this, understand what this program is. I’m going on vacation for two weeks. Have something ready by the time I get back,” and walked out the door. “Oh, by the way, welcome to the project.” Like, okay.
[00:03:34] David Puner: All right.
[00:03:35] David Lee: And so that’s kind of when I started thinking about identity. The way my mind works, when I’m looking at something, I want to understand everything about it so I can understand exactly what I’m working on.
An analogy I like to use is if I’m going to grab a screwdriver, I like to understand everything else that’s in the toolbox, right? What’s the toolbox? What it’s for? What are these other tools? What are these things? Okay, now that I know that, let me go use this screwdriver because it helps me understand, “Hey, I’m using this tool for the right purpose.” Right? You can cut [00:04:00] a tree down with a hammer if you want to, but it’s probably a lot easier if you use a saw, right? So if you know which tools to use, it kind of makes things easier. And that’s kind of how I approached identity. I started learning all these things about Sun IDM and access management, LDAP.
And then look up 20 years later, I’m still doing it. The identity Jedi moniker came around five years ago. There was an Identiverse call for papers. At the time, I was working for SailPoint, and, you know, when you start submitting for these call-for-papers, right, you’re just submitting and submitting. So I just got a little cheeky and thought, “Oh, let me put together a title like ‘How to Become an Identity Jedi.’ That sounds pretty cool,” right? At the time, everybody was doing this thing, like, “Oh, I’m your customer support ninja” or this, that, or whatever. And I’m a huge Star Wars nerd.
So I said, “How to Become an Identity Jedi.” And it got accepted. I gave the talk. People loved it. Everybody that showed up came after me to talk to me afterward. And after that, at Identiverse, people would be like, “Hey, you’re the Jedi guy, right?” Like, “Oh my God, I make everybody watch that video when they come to my team.” It kind of stuck, and I just kept rolling with it. And then five years later, it’s turned into [00:05:00] a podcast and a newsletter. So I just kind of rolled with it.
[00:05:02] David Puner: Well, that’s a great story. So, the podcast and the newsletter, we should point out, is, uh, and perhaps obviously, you can find it at theidentityjedi.com. It’s the Identity Jedi Newsletter and the Identity Jedi Podcast. So was there, like, a Yoda-type of figure in your life, or is that kind of where the actual Jedi parallel comes in?
[00:05:20] David Lee: There were a couple; there wasn’t just one. There were a couple over the years, and it wasn’t so much about identity but more about mentors that I was lucky enough to have early on in life. So yeah, the analogy starts to get a little thin the more you play it out, but yeah, I’ve had a couple of really, really good mentors in my life, and I’ve been lucky to call my mentors and friends. So, it’s been great.
[00:05:48] David Puner: So when considering identity and identity security right now, in this day and age, what are some significant trends and challenges that come to mind?
[00:05:57] David Lee: Yeah. The biggest trend that first comes to mind is consolidation, right? We’re in this wave in identity where we’re swinging on the pendulum from best of breed back to platform. And I say back to platform because some of us who’ve been around a little bit—seasoned, got a little gray in the beard—remember a time when we tried to do this platform approach.
You had big companies like Oracle roll out these huge, big stacks, IBM, right? And it fell flat, right? It just absolutely fell flat. They were monolithic. They were slow, required huge amounts of customization, and just didn’t work. So we went best of breed. And now we’re starting to see with SaaS and IDaaS, right? We’re starting to understand that hey, we can kind of do this better together with more standards. This should be a platform, right? It got too expensive to do best of breed with integration. So, that’s one big trend we’re seeing. And we’re seeing it in the marketplace from competitors and vendors who became competitors who used to be strategic allies. And now they’re just kind of like, hey, we’re all going to do the same things. But you’re also seeing it from the investment side, like investors investing into this, right? We’ve seen Thoma Bravo the last, you know, a couple of years as a PE firm, just kind of bought up all these little companies. We all think they’re going to put something together and push them out, and they’ve done a little bit of that.
[00:07:00] So that’s the one big trend, right? It’s this consolidation, giving the customer everything in one, making it easier for them. The second one is just the term “identity security,” right? That’s fairly new within the last couple of years as we’ve been marketing this pitch like “identity is the new perimeter” and “identity is at the center of security” and yada yada yada. But what we’re actually starting to see is, like, what does it mean to make identity more security-like? For most of its existence, identity has been more administrative-focused, right? “Let me help you with access reviews. Let me help you provision more access. Let me help you reduce tickets,” things like that. It hasn’t really been focused on, “Let me actually help you secure your identity and how this fits into your security framework.” And so, we’re starting to see more of that. So we get things like identity security posture management tools, we get identity threat detection tools, right? We’re starting to see these things where, as we’re looking at identities and access, we’re able to take these things such as risk and contextualize them and say, “Here’s what this means within your organization from a security perspective.” That is another big trend we’re seeing. And even customers and CISOs are starting to ask these questions of vendors: “How does this actually play into my security standpoint?” which is excellent, right? It’s something I think we’ve needed for a long time.
[00:08:10] David Puner: So an identity security approach is built on a foundation of privileged access management, which secures all identities, human or machine, throughout the cycle of accessing critical assets. You had mentioned something to me earlier about how you had seen a similar pattern with privilege and identity like 10 or 15 years ago. I thought that was really interesting. Can you maybe rehash that a bit for the audience?
[00:08:31] David Lee: So right now, like, the hot thing in the streets is non-human identity. Everybody’s like, “Oh yeah, non-human, non-human.” And, like, VCs are throwing cash like it’s the first of the month and they just got their checks, right? I mean, there’s a new non-human identity organization popping up just about every other month, and there’s all this investment into it, which is good because it’s an area that needs to be established. But, like, non-human identity has this very similar pattern to privileged access management about 10 or 15 years ago. You look at it, and you say, “Yes, customers will tell you, ‘I absolutely understand that I need to get a handle on this. There are all these things I don’t know. I don’t have good visibility. I’ve got to better discover these things and the governance around it.’ Yeah, yeah, yeah, I got it. But, like, just these normal identities are still kicking my butt. I still can’t figure this part out, and now you’re telling me you want me to go handle this stuff? I’ll get to it. I’ll get to it. I’ll get to it.’”
Let’s jump in our time machine and go back 15 years ago. This is the exact same conversation with privileged access management, right? We were talking to companies saying, “Hey, like, hey, these accounts over here, like, we know you need to manage all these accounts, but these, like, 10, 15, 20, 100 accounts depending on the size of your organization, right? Like, these control the keys to the kingdom. We should really be focused on those.” It’s like, “Got it. Totally. No, it’s important. I’m trying to figure out these things. I’ll get to that. I’ll get to that. I’ll get to that,” right?
And so, that same type of thing where it’s like, it’s so weird where we realize the importance of it. Like, “Hey, this is more than likely going to be where the breach happens. If we have any kind of incident, it’s going to deal with these types of accounts. Here’s where it’s happening.” But our focus is elsewhere. It is so very weird that the customers do that, but most of it—and again, the pattern that I recognize—is that back then, you couldn’t really explain privileged access management to the business side of the customers. The admins got it. Think about it: you were talking about Linux accounts, mainframe admin accounts, all these different admin accounts. It’s just a small group of people who really understand that world, and trying to explain to your executives why this is important—it’s the same thing with non-human, right?
[00:10:37] The same thing with non-human, which makes it kind of even worse, is that the scale of non-human is bigger. With privileged access management, it was like, okay, if I’ve got 10,000 identities, I’ll probably get, like, 500 privileged identities, hopefully, right? It’s usually a smaller percentage of privileged access management to identities. With non-human, it’s the exact opposite. You have 10,000, and you probably have 30,000, upwards of maybe 40,000 to 50,000 when you get to non-human because it’s just the world we live in, where we connect with APIs and API secrets and keys—all these things that we do. It creates all these credentials and this access in a non-human way that just outnumbers the sheer amount of human identities. So now you’re saying, “Hey, there’s this thing to really understand. Oh, by the way, it’s so much bigger. There’s a whole bunch of data with it. So we’re just gonna throw it at you,” and customers do what they normally do and go, “Yeah, I’m not going to deal with that.”
[00:11:30] David Puner: Right. So I want to stay on the machine identities track, but first, just to sort of give the audience an understanding of where you are with organizations and customers, who are you talking to on a regular basis? How are you keeping a finger on the pulse of what’s going on out there?
[00:11:46] David Lee: I have this very interesting kind of network, which is super cool. So I get a chance to talk to both product companies and, more focused on, like, identity leaders who are doing this day in and day out and trying to put together strategies. So I’m usually talking to them about their strategies, what they’re approaching, what they’re struggling with, and how to go about this as they deal with things like, “Hey, we’re seeing this consolidation or trying to consolidate. We’re at this phase with an identity where it’s the next evolution for software.”
[00:12:16] I’ll give you an example. We’ve got organizations. I had one gentleman, um, who is a CISO of an organization. They have three different PAM vendors that they’ve bought over the course of six years. And he’s like, “So we’ve got three PAM tools. We’ve got one IGA tool that we hate. We want to bring in a new one, and then we’ve got Azure.” And so they’re looking at all this and going, like, “How do we refactor this? I want to get this down, you know, simplified as much as possible. What should I be looking at, and what’s my strategy on top of that?”
On the other side, I get to talk to vendors, a lot of startup vendors that are coming in, just kind of helping them on either product strategy or just really messaging, right? I think one of the things that’s interesting right now—this might be a little harsh—but we, as an industry, kind of suck at telling stories about identity.
[00:13:02] David Puner: And when you say “we,” who do you mean by “we”?
[00:13:05] David Lee: “We” as in the vendor industry. We who develop products and put those out to customers and say, “Hey, we have your solutions.” We don’t tell stories very well about what the solution does and how it helps. I have a lot of conversations with product leaders or marketing leaders about what their product is, how they tell their story, how to connect to the customer as far as what the customer is really going through, and how they can point to, “Here’s what the actual solution is, and here’s what we do. We differ here. We’re the same here. We’re this here.”
And I tell people, just lean into that. Don’t do this thing where it’s like, “It’s not the same market; we can do this whole, like, ‘we kind of do everything’ thing.” Be really vague. We do this here. And it’s like, that’s not going to work. You’ve got to be very to the point: “We solve this.”
[00:14:00] David Puner: Right.
[00:14:01] David Lee: To go back to answer your question, those are kind of the two conversations that I have the most. Mostly with security identity leaders and then with the leaders on the smaller vendors, right? The bigger vendors, they’ve got their own direction, right, wrong, or indifferent. I just write about them and judge them from afar because it’s fun. So, you know.
[00:14:22] David Puner: Going back to machine identities, with the increasing complexity of environments, including cloud and hybrid environments, how do you see the role of machine identities evolving, and what are the critical challenges organizations face in managing these identities?
[00:14:36] David Lee: I want to start with the challenge. The challenge is the scale, because machine identities are much more automated than the human identity, right? Like, the lifecycle is automated and quicker with machine identities. To give a concrete example, with a simple API call, you could stand up an identity that needs to go access something, and it does it maybe for a couple of hours. It shuts itself down again, and then it’s gone. Right. And that’s kind of getting, like, a little bit of a longer workload.
But the point is, you can do that with bots or even now AI agents, or, like, something that needs to go out and connect. So, you have the actual identity that connects in real-time, and it’s not quite always there. So its lifecycle could be very short. And then you also have, like, the credential side of it, where we usually give it long-standing credentials. And so just the scale and the mass of what’s going on there and the ability to get the connectivity to understand what this identity is connecting to, what access it has, and what it means, that’s one of the biggest challenges, right?
[00:15:32] And it’s a big challenge because we struggle—we’re just now getting to the point where we can provide that context on the human side. And now we’ve got to turn around and provide that context on the machine side. And you have to, because at least with humans, I’m looking at something like, “Oh, I know David. I know his manager. I can go talk to her and figure something out.” Like, you have a path to go figure things out. With machine identity, it’s like, “Uh, there’s this thing here, and it accesses something, right? Whose machine is this? What is this thing?” Right?
And so that context is super important. That’s the biggest challenge there to get over. And then the trend is more so, like, I hate to say it, but it’s really governance. It’s the same aspects we took on the human identity side, and now we’ve got to govern all these things. So, it’s about taking those same playbooks, those same workflows, and I’m using those words very generically, but those same things that we did for humans like, “Hey, was it assigned? How to review it? When do we get access to it? Let’s make sure this access is good. Do we have any policies that this thing shouldn’t have?” And we should apply the same thing over there on a machine.
[00:16:31] In some ways, part of this we should solve easier. We’ve been doing governance for 20 years now. Like, we know how to do that. So, we just apply those same techniques over here.
[00:16:41] David Puner: So then it comes down to magnitude, really?
[00:16:44] David Lee: Yeah, it’s really the magnitude and, honestly, the relationships. Looking at how we model those relationships and understanding that when we focused on identities, human identities, we did a very, very, like, okay, human-manager-application-entitlement type of—it was a very set structure of relationships, right? And we didn’t really look past that. We’re just now starting to see, like, okay, well, let’s look at everything. Let’s look at how an application to an entitlement to a human to a user to a role—let’s look at the spread of what that really means.
[00:17:15] I’m a big fan of graphs and trees when you look at this because you need to see the responsibility of this access, right? If I have access to this entitlement, it gives me access to this machine. What does that mean? What can I do with this access? So, as we’re starting to understand that, that is critically important on the machine side, because you have to understand what all these things mean.
At the end of the day, back to identity security, we’re trying to actually be more secure with this stuff now. So what’s the blast radius of this? If this machine identity wakes up every Thursday and connects to move data over and is using this role in this AWS account for access, what does it actually give it access to? If this gets compromised, what can somebody do? What’s the blast radius of this access? That context is so important because that’s going to drive your policies and how you govern those machine identities.
[00:18:02] Because you say, “No, this thing needs to run every Thursday morning. No problem.” So we have no problem with it having the access. We just need to understand it and know the patterns. So then, if we ever see something that’s off about that, it’s like, “Wait, but it’s Friday, and somebody’s logging in with David’s account, using that thing and trying to do that.” Hey, that’s not right. Right? But right now, it’s all just noise because we don’t have any context there.
[00:18:26] David Puner: So then, getting back to the organizational level, how do you think organizations can align their identity security strategies with their overall business objectives? And have you seen any kind of examples or best practices that you can share?
[00:18:38] David Lee: How they do it—you’ve got to talk to the business.
[00:18:41] David Puner: Okay.
[00:18:42] David Lee: It really is that simple. As an identity security leader, you’ve got to look at an initiative and then—I’ll kind of walk you through an example recently of somebody we talked to on the pod—but you’ve got to talk to your level of business unit and say, “What are you trying to accomplish?”
To get very, very concrete, let’s say you’re the identity leader, and you sit under the CIO’s office. The CIO says, “Okay, you now own identity, and we need to roll out passwordless.” Okay, great. Cool. We’re gonna roll out passwordless. So now it’s your job to either ask your CIO, “Hey, so why are we rolling out passwordless? Like, who wants this, and what benefit is it going to give to the business?”
[00:19:20] And your CIO says, “Well, legal asked for it because whatever.” Cool. Let’s go talk to legal. “Hey, legal, what are you looking for when you look at passwordless? How is this going to affect you day in, day out? What’s going to make it easier for you? What’s going to make it harder for you?” Great. Now let’s go talk to the applications that we’re going to put into passwordless and roll in. Let’s talk to the application owners. Let’s talk to, like, how they administer this. “What’s this going to look like?”
You need to have these conversations with your business and align them and say, “Okay, legal, you said this was really important to you. When do you want to have it rolled out? CIO, when do you want to have this done?” Okay. These are our dates. This is what we need to do. Now we know why we’re doing something, and we know that we have a goal to go hit, not just from a technical standpoint, because we can say, “Hey, we rolled out passwordless to 30 percent of our applications.” Great. Nobody cares. But in this case, we know that the business cares. So let’s find out why they care, why it’s important to them. And now you have your objectives.
[00:20:10] And now that you have those objectives, you then work backward from there and say, “Okay, well, this is what we’re going to meet for our goals,” right? So based on these objectives, you want all of your—let’s say legal said, “We want all of our SOC compliance or our most heavily regulated applications that access personal data within our organization. We want those using passwordless because we feel like that’s the strongest, right? CISO proved this, that that’s the strongest.” Cool. All right. Well, then now we know the business objective. We’re going to work back from there and make our goals.
The reason why this is so important, and I walk through that specific example, is because as you start hitting your milestones, your milestones match up to what the business wants to do. Identity projects go to die when you mark off a milestone, and it’s, like, the total opposite direction of what the business wants to do, or, more than likely, what happens, the business just doesn’t care. “Hey, we deprovisioned a hundred accounts today,” and the business is like, “And?”
[00:21:00] David Puner: Is it fair to say that this is in part a communication issue?
[00:21:03] David Lee: It is very fair to say, and it is absolutely a communication issue. We have not figured out the right language to communicate the value of what we’re doing in identity to match the value of what happens in business.
[00:21:14] David Lee: And to give an example of that recently, we had a gentleman on the pod who just rolled out a new IGA deployment. He’s got an interesting responsibility set. He’s the first identity leader I’ve met in a while who’s had such a wide range of responsibilities. Not only did he own infrastructure, but he also owned identity. He had a little bit of ops operation. So, he had a very wide range of where he could exert some control, which was good.
But he could also bring those organizations in together, right? When you’re trying to get something done, it’s easier when you have somebody that says, “Hey, I’m your boss, so do it.” Right? Like, that wasn’t a request; that was an order. Right? “Okay, I guess I’m showing up to this meeting.”
[00:21:48] David Puner: Yeah.
[00:21:49] David Lee: So that was one very unique thing. But what he did was, as he was getting ready to roll it out, he went and talked to the different business users of IGA and said, “Hey, this is what we want to roll out. What apps should be important when you’re doing access reviews? What’s your biggest pain point? So if we did these and automated these access reviews for these applications, would this work for you?” Yes. Like, he made sure that his team was working with the business. And then, when they had something ready, they said, “Okay, we’re going to go do this. Let’s go show it to the business. Hey, let’s get in front of you. Is this what you…” “Yes, absolutely. This looks great.” “Okay, now let’s keep rolling.” So, he was able to get his kind of first rollout in about four months. They loved it. Now they’re rolling on to the next one.
[00:22:29] And so that’s what I mean about engaging and communicating with the business. This isn’t something that we can just go off into the corner and develop and then go, “Business, you’re going to like it because we’re security.” Well, that’s a way to not get them to like it. You’ve got to make sure they have an active voice and that they’re walking with you side by side in deploying that. And when you do that, that’s when you see really, really successful identity programs.
[00:22:54] David Puner: Is the CISO the person and the role that should carry that weight, or are you talking about another role, like the Chief Identity Officer? Or does it not really matter what the title is?
[00:23:06] David Lee: It doesn’t really matter what the title is, to be honest. It just needs to get done. I think, though, that we will see the Chief Identity Officer role kind of step up because I think what needs to happen is that CISOs right now are completely overwhelmed as it is. They’ve got so much to answer for, and CISOs are learning how to develop the skills needed to be the security person but also to handle the “C” that’s in their title. They’re a Chief Security Officer, right? So they’ve got to care about revenue, business costs—all these things that we don’t really talk about on the technical security side. They’ve got to care about those things. They’ve got to turn the security conversations into those business conversations.
Add to that, they’ve got to understand identity. That’s a lot to ask. And I think having a—and I don’t know if it’ll eventually be a C-level position—but having somebody that basically owns identity within your organization, that’s at that higher level, so like right under the CISO or a peer to the CIO, that’s going out and saying, “Hey, look, we’re going to own this. We’re going to have these conversations. We’re going to help the CIO or CISO, whoever they’re reporting to, map those values back into business values.” I think that’s going to be critical over this next evolution that we see of identity. Right? Especially as we start making this more of a security play. It’s going to have to be there because, right now, I just think it’s too much to ask the CISO to take on that as well. I don’t think it’s going to turn out very well.
[00:24:34] David Puner: Right. CISOs are definitely overburdened, to say the least. Going back, then, to machine identity management, and I know you’re a futurist of sorts, so looking ahead, what future trends do you expect we’ll see with machine identity management, particularly in the context of hybrid and multi-cloud environments?
[00:24:52] David Lee: I really think that’s where automation and AI will have the biggest play. I don’t see a successful path with machine identity management taking the same evolutionary path we took with human identity management—those same steps. And here’s what I mean by that. What we did historically in the identity industry is when we deliver product, the first thing we do is visibility, right? Okay, cool. So, we’ll make a product that makes sure you can see everything that’s out there, and that’s the only feature you get—visibility. “You can’t secure what you can’t see,” right? So, we start with visibility. Then, after visibility, we go, “Let’s do some governance,” right? Now that we see it, let’s group it together, let’s apply some policies. Cool, that’s awesome. And then we can give them back to you and show them to you in these nice reports. Awesome. Do you do anything? No, not yet. Then we go to take action, right? And now we can provision by sending a ticket. Oh my God, it’s just this painful walkthrough process.
[00:25:51] The scale is just way too much. So, I think looking ahead with machine identity management, we’re going to see this roll into that kind of DevOps shift-left, where it’s like, okay, a lot of this stuff is very fluid, happening very quickly, very automated. I think the tools need to be the same way, and it’s going to be more so, “Hey, we’re going to roll out these policies. We’ve got discovery. We see these things,” and then it’s like, “Hey, based on the policies that we have within access and the entitlements and things you’re accessing, yes, you’re approved, no, you’re not approved.” We’re tracking the lifecycle, and it’s more of when these things are being provisioned or deprovisioned or happening. Those are more of the reports, and we’re seeing those actions, but, like, the policy enforcement and what they’re getting is more real-time.
[00:26:37] So, I see machine identity turning into this access management kind of enforcement play, with the lifecycle being the after-action report. Like, “Hey, I’ll just pull up a report that says, ‘We had 10 machine identities spin up this morning. This one had access here, this one had access here. This was approved by this policy, this was denied by this policy. A request was sent to so-and-so to go investigate.’” We can see the lifecycle, but we’re not necessarily trying to control the lifecycle to where it’s like, “David needs to go log into the production server, so he put in a request to go get it.” We don’t have time for that. David needed to go get his work done, or he’s pushing out a new build or whatever’s happening. So, he needed the access at that time. We’re tracking and seeing the lifecycle, and we’re authorizing and enforcing least privilege at that time and managing it that way.
[00:27:31] And anything that goes out of policy is when we’ll step up and go, “Hey, okay, David, I know you wanted this, or this machine is doing this. Hey, this is really risky, really out of policy. Now we’re going to put in some friction. Now we’ll do the approval thing and figure that out.” Why? Because we want to pause and stop something from happening. Everything else we can just kind of report on after. I think it’s going to have to go in that way because I just can’t see the rigorous process of what we do now, dropping that in on your business and going, “This is now how you access these machine identities. Here’s how you get an API secret, here’s where you save it.” There’s no way; it’s just going to bring things almost to a halt.
[00:28:10] David Puner: So, AI and ML being baked into the solution, obviously, is one side of the equation. On the other side of the equation, you’ve got the new AI-driven attack techniques and threats that are rolling out and evolving, and who knows where they’re going. How are you thinking about that? How do you anticipate for what we don’t know and what’s coming?
[00:28:30] David Lee: I’m a big fan of AI. I see the dangers, I absolutely do, but again, my background—I’m a computer scientist. I studied this stuff, and I was always fascinated by it. So we don’t know what we don’t know. Like, I’m a big fan of looking at how we actually start to evolve and create autonomous AI that is looking at these things. And it becomes kind of like that helper mechanism. I say this a lot, but I have a huge Marvel fan base, right? Like, when I saw Iron Man for the first time back in 2008, and I saw Jarvis, I was like, “That’s it.”
[00:28:58] David Puner: Okay.
[00:28:59] David Lee: That is every engineer’s dream—to have an autonomous intelligence that can help you with the administrative work. Like, “Hey, do this, do this, grab this, okay, we’re going to put this together, okay, run this calculation for me, okay, great, that’s how we do this, okay, go do that.” And so, I look at going forward with what we’re going to have to do with AI, and it’s like, a lot of the things that we do with these products really don’t require humans, right? It’s very heavily administrative tasks, however advanced they may be.
So now, it’s going and looking at this and having something I could monitor and look at things in real-time. Not quite Skynet to where it’s completely taking all actions and doing all these things or whatever, but it’s looking at data that’s coming in, looking at context, looking at configurations. And it’s something that a security practitioner or identity practitioner can interact with and go, “Okay, hey, tell me what’s going on in my network today.”
“Here are the patterns that we’re seeing. Here are things that are happening. We’re seeing a lot of heavy activity going against, you know, these servers using possible known threats. Here’s this information. This is probably what we should do, and here’s how we apply this.” Like, it’s a conversation.
What I would tell somebody to do is, like, ChatGPT—what they’re doing over there at OpenAI is amazing. Go check out ChatGPT’s latest 4.0 reasoning model and do the voice interaction with it. And just kind of go back and forth and ask it questions. It’s like me and you talking, dude. It’s like I ask you a question, and it responds, and it’s super quick for what it’s been used to. I see that type of thing coming to be able to help us understand and work through what’s going on against threats against our networks and security vectors, because I just don’t think the average practitioner is going to be able to consume enough data and look at enough things to catch everything at the rate and speed at which these attacks are going to start happening.
[00:30:19] David Puner: Are there any particular trends that you think organizations should be aware of when it comes to the identity security landscape and how it’s going to evolve over the next few years?
[00:30:30] David Lee: I think it’s not a big trend now. Here’s what I would say to look at: what all this stuff means at the end of the day is you really need to understand your data models underneath. Not just permissions and entitlements or accounts, but all of the metadata information that connects with that. What does an identity relationship mean within my organization, and what is that in relation to risk?
Where is all this data at, and can I see most of this data? How am I collecting most of this data? Where is this data being stored? Because it is there, whether you can see it or not, and it’s probably in different places. I would really start focusing on understanding, “Do I have a clear picture and understanding of my identity data?” Because all these things that we’ve been talking about and all these new features these vendors are talking about and what they’re going to do with, quote-unquote, “AI,” it all depends on data.
This goes back to, like, a 10-year-old statement where “data is the new oil,” right? Absolutely. So, like, if you don’t have a clear understanding of where your data is or access to your data, that is going to be kind of like your crown jewel. It is going to kind of help you going forward. And so, that’s the trend I would start to see. Because you’re not going to be able to take advantage of a lot of these features without understanding some kind of data quality issues or what you have going there.
And these vendors are going to struggle to deliver the things they’re telling you because they’re dependent on that data, right? So, how that shapes up is going to be interesting. Not saying that every company needs to go off and go do data cleanup. Nobody ever wants to do that, and nobody ever will, but it’s going to become an issue. Now, whether the vendors end up solving it or something else comes up that makes it easier—great. But that’s what I would tell people: put that in the back of your head. Don’t go out and spend your budget today, or I’m not saying you’ve got to abandon other stuff, but be thinking about that, right? If you’ve got the bandwidth, assign one or two people who are like, “Hey, go track this trend and see what’s going on there.”
[00:32:15] David Puner: On that Marvel thread, you made an interesting point. And I’m wondering, is the fear that you’re hearing or that you’re receiving on the receiving end of when it comes to AI and AI consciousness potentially one day—that we’re hearing a lot about—is this fear irrational or rational? And what about it and why, I guess?
[00:32:32] David Lee: It’s only special—it’s a rational fear. And the fear is speed and the unknown, and I’ll break those two things down. We are seeing, publicly, the AI movement moving so fast and being able to do so many things, I think that’s really where the fear comes from. It’s like, “Whoa, whoa, whoa!” And then also you just got to look at, like, pop culture. We’ve been trained over the last 30, 40 years to think of all this scary super stuff that could happen with AI and all these things, right?
[00:33:02] And then we’re starting to see things mimic that. I mean, look at Tesla a week ago or two weeks ago, right? They did a little event, and it was literally right out of I, Robot. Like, everything they designed looked like it was out of I, Robot. So, it’s like, “Oh my God, it’s these things come to life!” And so, I think the fears of the speed are like, “Oh, this is kind of happening too fast.”
There is some rationale to it in that the ability to be able to do a lot of these things so quickly can be a little overwhelming. The feasibility of it is more likely than unlikely. We’ve done a ton of research—when I say “we,” like, the computing industry has done a ton of research. AI has been a topic for half a century, right, and researched and things like that. And over the last 10 years, we’ve gotten a lot of developments for us to see the things that we see now. But we’re starting to see, like, autonomous movements, autonomous actions where you can give this thing just general instructions, and it learns what to go do, and it moves and goes from there.
And so, the ability for this to then say, “Okay, well, we can always give it guardrails,” it’s like, well, eventually, that’s what we’re training models not to have—guardrails. It’s like, “Hey, just go do this and figure it out,” right? And that’s the part where that’s a rational fear, like, “Hey, no, this thing is actually figuring stuff out. I didn’t tell it anything, and it just went and did more things,” right?
[00:34:30] And so, that’s where the fear comes from. A perfect phrase always is in Malcolm. We look and say, “Can we do something?” We never stop and say, “Well, should we do it?” We keep pushing because that’s what scientists do.
[00:34:44] David Puner: Yeah.
[00:34:45] David Lee: And so, that part is a little rational because we don’t know what we don’t know there. I think we’re a couple—maybe two, three decades—from seeing that. There’s a lot on the computation side, the resource side that would have to happen. Quantum computing is a wild card in there, right? If that becomes a real and viable thing in the next decade or so, then that changes things, right? And the ability to harness even more computing and quantum computing’s ability to do certain things could give it kind of more power to do this computation.
[00:35:15] So, all of that to say, right, it’s complicated. I’ll ease it like this: There’s a lot of irrational fear out there, right? On the feasibility of something taking over and, “Oh my gosh, we’re all going to have machine overlords in the next five years.” That’s irrational. The more rational side is caution versus fear. It’s like, some of these things are actually really, really possible now.
[00:35:42] David Puner: Yeah. There’s a lot to think about, and that’s actually humans thinking about it—not necessarily AIs thinking about it. Going back to your futurist take on things, what do you see as the biggest challenges around identity over the next few years, and how can organizations prepare for these challenges?
[00:35:58] David Lee: I think the biggest challenge for organizations is just scale, right? I think we are seeing identity challenges at a scale we’ve never quite seen before at the regular business level. And kind of here’s what I mean by that:
[00:36:11] David Puner: And when you mean, like, the number of identities?
[00:36:13] David Lee: Yes, the number of identities, permissions, and things that you have to manage. This cloud and hybrid kind of environments, right? There’s just a lot more. Things were simpler and easier 20 years ago. Everything was in my network. I see everything. I control it. That’s it. Or even 10 years ago, where it’s like, I’m in the cloud and on-prem, right?
And now you’ve got this hybrid thing, right? And hybrid was really for the old folks who couldn’t move out their mainframes. But now people are just going hybrid. “Hey, I want access here. I want this thing.” And so, the speed at which we’re creating applications, creating access, and proliferating data means more and more access and more and more identities, and it is a problem.
[00:36:48] And so, I think as we are looking at, “Okay, we want to centralize this thing, and we want to centralize around a platform and be better about this,” the challenge they have is, how do I get a hold of this? How do I structure it within my organization to make sure they have the— and I’ll use this term “political power” within the organization—to knock the changes?
And then how do I ramp up the practitioners that I need for this? Because with identity security, typically identity practitioners have been IT kind of based, right? And most organizations, it’s administrators, and they’re used to provisioning tickets, handling certain things. It’s more of a “care and feeding.” We’re just coming in, like, everything did its thing, close the tickets, or re-provision. Great.
[00:37:34] Security practitioners, you’re active. You’re in it every day. You’re looking for—you’re hunting down threats, trying to see what’s going on, looking at different vulnerabilities. Identity hasn’t had those muscles to flex, and so now they’ve got to start learning how to flex those. So scalability, and then just your resources in building that team, I think, are the biggest challenges in the short term for organizations to figure out how to do that and what this looks like.
And then, the scary thing that I would say, “Okay, sure, everybody gets this platform, and everything’s all in one,” but what happens when that goes down? Right? We’ve done a lot, and I think we’ve gotten really lazy with SaaS in that we forget about disaster recovery and backup. Like, all of a sudden, if everything that’s managing your access and your sign-on is in the cloud, and that goes down, what do you do now?
And so, those kinds of discussions and this shared responsibility model that became popular with SaaS, I think we need to start rethinking that and making sure we’re clearly drawing those lines and knowing where that is. Those are kind of the two of the things as I look into the future that I think are going to be important in how you look at that and structure this. It’s going to cause a change. I’m so excited to see what organizations look like 10 years from now and how they’re structured. I think it’s going to be completely different than how they are right now.
[00:39:01] David Puner: Really interesting stuff, David. I’m going to ask you to look into the short-term future one last time because we’re coming to the end of this podcast. We’re recording this toward the end of October. The World Series is going to be starting tomorrow. You’re an LA Dodgers fan. You grew up in LA. I’m a New York Yankees fan, live in Boston, grew up in New York. Exciting stuff. Who’s going to win? How many games? This is coming out after the World Series is over. So, what are we looking at?
[00:39:30] David Lee: Dodgers in six, man.
[00:39:32] David Puner: All right. We’re starting in LA, so you think you’re going to come up with a couple of quick wins there?
[00:39:35] David Lee: Nope. I think they’re going to come out of the gates pretty fast and kind of catch the Yankees off guard, but that Yankees lineup, man, that’s nothing to— they will not be silenced.
[00:39:45] David Puner: Nothing to trifle with. Yes.
[00:39:46] David Lee: Yeah. I think it’s going to be a hard-fought match, but I mean, I got to go Dodgers in six. I can’t—I can’t.
[00:39:51] David Puner: Yeah.
[00:39:52] David Lee: Dodgers in six. I think, either way, this is going to be a great World Series, though.
[00:39:57] David Puner: I’m super excited for it. And I guess I’ve got to make my pick now too. I haven’t really thought about it, but I know I want the Yankees to win. I think the Yankees are going to win. Hopefully, the long layoff isn’t going to mean that they’re going to be rusty, but I’m thinking Yankees in seven.
[00:40:12] David Lee: Okay.
[00:40:13] David Puner: I think MLB would like that too.
[00:40:15] David Lee: Yeah, I bet they would.
[00:40:16] David Puner: Yeah. David Lee, the identity Jedi. Check out his newsletter and subscribe over there at theidentityjedi.com. You got a newsletter, you got a podcast, you got a lot of things going on. It’s been really fabulous having you on the podcast, and we hope to talk to you sometime down the road again.
[00:40:30] David Lee: Hey man, appreciate you having me on. I’m happy to come back anytime.
[00:40:34] David Puner: Thanks for listening to Trust Issues. If you liked this episode, please check out our back catalog for more conversations with cyber defenders and protectors. And don’t miss new episodes. Make sure you’re following us wherever you get your podcasts and, oh yeah, drop us a line if you feel so inclined. Questions, comments, suggestions, which come to think of it are kind of like comments. Our email address is trustissues, all one word, at cyberark.com. See you next time.