1
00:00:05,480 --> 00:00:10,440
This is Identity at the Center.
If it has anything to do with 

2
00:00:10,560 --> 00:00:17,960
IAM, this is the go to podcast 
now your hosts Jim McDonald and 

3
00:00:17,960 --> 00:00:23,160
Jeff Steadman.
Welcome to the Identity at the 

4
00:00:23,160 --> 00:00:24,920
Center podcast. 
I'm Jeff and that's Jim. 

5
00:00:24,920 --> 00:00:26,720
Hey, Jim. 
Hey, Jeff, how are you? 

6
00:00:27,440 --> 00:00:30,120
Not so bad. Yourself?
I'm doing well. 

7
00:00:30,120 --> 00:00:34,760
I mean, you know, I'm going on 
vacation next week, so yay for 

8
00:00:34,760 --> 00:00:38,280
vacation. 
But you know, and I think 

9
00:00:38,280 --> 00:00:41,680
everybody can probably relate to
this, the week before vacation 

10
00:00:41,920 --> 00:00:45,880
and the week after vacation is 
like hell on earth in terms of 

11
00:00:46,160 --> 00:00:48,640
your work life. 
You've got to get everything 

12
00:00:48,640 --> 00:00:51,240
done before vacation. 
Then you come back and it's like

13
00:00:51,800 --> 00:00:54,640
your inbox has 1000 emails or 
whatever. 

14
00:00:55,840 --> 00:00:58,840
But as you know, I live in 
Augusta, GA. 

15
00:00:59,040 --> 00:01:02,680
It's Masters week. 
We're the center of the world's 

16
00:01:02,680 --> 00:01:07,240
attention for one week out of 
the year, and that's next week. 

17
00:01:07,240 --> 00:01:13,360
So I'm looking forward to it. 
And damn the damn the stress. 

18
00:01:14,120 --> 00:01:16,520
Well, there's no such thing as 
vacation, I think, and kind of a

19
00:01:16,520 --> 00:01:19,760
job that you and I have. 
It's just periods of work you're

20
00:01:19,760 --> 00:01:21,360
hitting pause on. 
It doesn't mean the work 

21
00:01:21,360 --> 00:01:24,320
disappeared while you're gone 
and you'll spend some time 

22
00:01:24,320 --> 00:01:28,040
catching up. 
Yeah, and but I'm going to spend

23
00:01:28,040 --> 00:01:32,240
the week like doing all kinds of
yard work and things that I 

24
00:01:32,240 --> 00:01:36,560
don't have time to do the rest
of the year.

25
00:01:36,560 --> 00:01:42,480
The other weeks, I feel like
weekends you have to have at 

26
00:01:42,480 --> 00:01:47,000
least one day to do something 
fun where your life just goes by

27
00:01:47,000 --> 00:01:49,800
and you do nothing. 
Like, I just can't stand 

28
00:01:49,800 --> 00:01:54,400
spending my whole weekend going 
to the store and doing laundry 

29
00:01:54,400 --> 00:01:58,320
and XY and Z and spending your 
whole weekend and you've done 

30
00:01:58,320 --> 00:02:00,520
nothing fun. 
So I feel like you have to do 

31
00:02:00,520 --> 00:02:04,600
one thing fun, so I never get to
things like, you know, updating 

32
00:02:04,600 --> 00:02:06,520
the flower bed and stuff like 
that. 

33
00:02:06,840 --> 00:02:08,639
I can imagine updating the 
flower bed. 

34
00:02:08,840 --> 00:02:10,840
That's not something that I'd 
normally picture you doing. 

35
00:02:12,000 --> 00:02:15,280
It's not something I normally 
would do, but Denise and I are 

36
00:02:15,280 --> 00:02:19,520
going to go to the nursery and 
buy stuff because I've only been

37
00:02:19,520 --> 00:02:23,320
in this house for like 2 years 
and basically the entire flower 

38
00:02:23,320 --> 00:02:25,960
bed died, which I don't know how
that happened. 

39
00:02:25,960 --> 00:02:29,720
I think they bought all kind of 
like low end plants to get ready

40
00:02:29,720 --> 00:02:33,000
to sell and they probably didn't
put a lot of effort into 

41
00:02:33,000 --> 00:02:38,000
planting them and they probably 
just sat and you know, never 

42
00:02:38,000 --> 00:02:42,160
rooted etcetera. 
So anyway, my flower bed is just

43
00:02:42,160 --> 00:02:46,040
like, you know in the South you 
use pine straw rather than wood 

44
00:02:46,040 --> 00:02:49,480
chips because we have like 
termites. 

45
00:02:49,800 --> 00:02:51,440
Termites is a major issue in the
South. 

46
00:02:51,720 --> 00:02:54,840
So you use this pine straw and 
basically my flower beds are 

47
00:02:54,840 --> 00:02:56,400
pine straw with nothing coming
out of it.

48
00:02:56,400 --> 00:03:00,320
That sounds real attractive.
Well, good luck to you

49
00:03:00,400 --> 00:03:06,720
and your fun vacation, in quotes.
We're gonna have a couple 

50
00:03:06,720 --> 00:03:07,760
conferences. 
Gonna be at those. 

51
00:03:07,760 --> 00:03:09,760
Those aren't vacations, but 
those are fun, right? 

52
00:03:10,960 --> 00:03:13,080
They're fun. 
They're like work vacations. 

53
00:03:13,080 --> 00:03:14,400
Yeah, you want to tell us about 
Identiverse? 

54
00:03:15,080 --> 00:03:17,440
Yeah, I mean, I'm always excited
about Identiverse. 

55
00:03:17,440 --> 00:03:19,400
We're going to have a lot going 
on there. 

56
00:03:20,560 --> 00:03:23,960
We're going to have a couple of 
events which I'm not ready to 

57
00:03:23,960 --> 00:03:28,320
announce, but there'll be 
opportunities to interact with 

58
00:03:28,320 --> 00:03:32,360
us, maybe see us put on the 
podcast in kind of a a live 

59
00:03:32,360 --> 00:03:35,800
setting. 
And for those people who haven't

60
00:03:35,800 --> 00:03:40,320
registered yet, we're going to 
have a link in the show notes. 

61
00:03:40,520 --> 00:03:43,960
But essentially you can go to 
identiverse.com and use their

62
00:03:43,960 --> 00:03:52,120
discount code, which is
IDV24-IDAC25, so you can go and

63
00:03:52,400 --> 00:03:55,080
there's still like a version of 
early bird. 

64
00:03:55,320 --> 00:04:00,360
Price hasn't gone to the maximum
amount I think at the near the 

65
00:04:00,360 --> 00:04:02,680
end of April. 
So don't take my word for the 

66
00:04:02,680 --> 00:04:04,560
exact date. 
I thought it was like April 

67
00:04:04,560 --> 00:04:08,440
26th, but if you missed the date
for early bird pricing, don't 

68
00:04:08,440 --> 00:04:11,920
say Jim McDonald, you know, gave
us this misinformation. 

69
00:04:11,920 --> 00:04:14,120
So I want the discount. 
That ain't happening. 

70
00:04:14,600 --> 00:04:16,399
You need to go out there and 
check for yourself. 

71
00:04:16,720 --> 00:04:19,959
The conference is, I can get 
this part right for sure. 

72
00:04:19,959 --> 00:04:24,120
The conference is May 28th 
through the 31st. 

73
00:04:24,400 --> 00:04:29,560
Is that the Aria in Las Vegas, 
which I love Las Vegas, I mean, 

74
00:04:29,600 --> 00:04:33,080
I don't gamble. 
I do drink a little bit, but I'm

75
00:04:33,080 --> 00:04:37,520
not like, I don't go crazy. 
I know it's Sin City, but I don't

76
00:04:37,520 --> 00:04:40,280
go there and like sin 
extravagantly. 

77
00:04:40,480 --> 00:04:43,600
But I do have a good time. 
I mean, the food is great. 

78
00:04:44,000 --> 00:04:45,880
I know you're real into the 
people watching. 

79
00:04:45,880 --> 00:04:49,960
I like doing that as well and I 
just have a good time overall. 

80
00:04:50,240 --> 00:04:51,720
Yeah, the people and the food I 
like. 

81
00:04:51,720 --> 00:04:53,520
I think that should be like your
your tagline. 

82
00:04:53,520 --> 00:04:57,320
I don't sin extravagantly. 
That's the motto for that, for 

83
00:04:57,320 --> 00:05:01,000
the podcast. 
Yeah, I don't sin extravagantly,

84
00:05:01,000 --> 00:05:03,200
but that doesn't mean I don't
sin at all.

85
00:05:04,080 --> 00:05:05,040
Yeah. 
So we'll have that link in a 

86
00:05:05,040 --> 00:05:09,720
show note. IDV24-IDAC25
is 25% off.

87
00:05:09,720 --> 00:05:11,600
Then right after that, I know a 
lot of people are hopping on a 

88
00:05:11,600 --> 00:05:12,880
plane. 
Basically they're going straight

89
00:05:12,880 --> 00:05:17,000
from there over to Europe and 
Berlin, specifically for the 

90
00:05:17,000 --> 00:05:18,560
European Identity and Cloud 
conference. 

91
00:05:18,960 --> 00:05:22,240
So our friends over at
KuppingerCole have given us a discount as

92
00:05:22,240 --> 00:05:26,720
well. 
EIC24 IDAC25 gets you 25%

93
00:05:26,720 --> 00:05:28,920
off. 
Unfortunately, Jim and I won't 

94
00:05:28,920 --> 00:05:30,640
be there this year, but we hope to
make it next year.

95
00:05:30,640 --> 00:05:31,800
I think that's kind of on our 
bucket list. 

96
00:05:31,800 --> 00:05:33,480
We've been talking about that 
for a while, but it would be 

97
00:05:33,480 --> 00:05:37,400
cool to go to that finally after
the, I think, I feel like like 

98
00:05:37,400 --> 00:05:39,000
two or three years now of us 
talking about it. 

99
00:05:40,120 --> 00:05:42,600
You know, I think that one of 
the other cool things that we 

100
00:05:42,600 --> 00:05:46,440
should point out is that for the
years that we've been doing this

101
00:05:46,440 --> 00:05:50,040
podcast, we've always been. 
I think that the listeners of 

102
00:05:50,040 --> 00:05:54,280
podcasts have been weighted more
towards the United States and 

103
00:05:54,280 --> 00:05:58,360
now we are actually a majority 
of listeners outside of the 

104
00:05:58,360 --> 00:06:00,560
United States, which I think is 
super cool. 

105
00:06:01,440 --> 00:06:07,000
And I think we always try to 
remember that there's so many 

106
00:06:07,000 --> 00:06:09,440
people listening who are not in 
the United States and I don't 

107
00:06:09,440 --> 00:06:12,720
think we always nail it. 
Sometimes we forget and we have 

108
00:06:12,720 --> 00:06:18,240
our US centric statements. 
It's not anything intentional, 

109
00:06:18,240 --> 00:06:21,040
of course, it's just we're just 
it's just a matter of 

110
00:06:21,040 --> 00:06:24,600
convenience, if you will. 
But yeah, a lot of people, that 

111
00:06:25,000 --> 00:06:26,840
conference was probably right in
their backyard. 

112
00:06:27,320 --> 00:06:30,120
Yeah, easy to get to, but yeah, 
that's something we want to get 

113
00:06:30,120 --> 00:06:32,440
to next year. 
And then speaking of worldwide,

114
00:06:32,480 --> 00:06:34,760
we've got Identity Week coming 
up later this year. 

115
00:06:34,760 --> 00:06:37,560
There's Europe, which is June 
11th and 12th in Amsterdam, 

116
00:06:37,560 --> 00:06:40,960
America, September 11th and 12th
in Washington, DC. That's where

117
00:06:40,960 --> 00:06:44,680
you and I will be at. 
And then Asia is October 22nd, 

118
00:06:44,680 --> 00:06:49,360
23rd in Singapore. If you use
the code IDAC30, 30% off.

119
00:06:49,680 --> 00:06:52,040
And that code works for all of 
those conferences, which is 

120
00:06:52,040 --> 00:06:54,280
super cool. 
So I know you and I are looking 

121
00:06:54,280 --> 00:06:58,320
forward to the one in DC and 
we'll be doing podcasting things

122
00:06:58,320 --> 00:07:01,360
there. And I think I was
supposed to host like a panel. 

123
00:07:01,360 --> 00:07:03,680
Don't know what we're going to 
talk about or with who yet, but 

124
00:07:03,680 --> 00:07:05,200
we'll make it. 
We'll make it work. 

125
00:07:06,800 --> 00:07:07,840
I'd like to. 
I'd. 

126
00:07:08,200 --> 00:07:11,920
I'd be more excited actually to 
go to the one in Europe and in 

127
00:07:11,920 --> 00:07:13,800
Singapore. 
I've never been to Singapore, 

128
00:07:14,720 --> 00:07:18,080
but I really want to fly first 
class if we go, or at least 

129
00:07:18,080 --> 00:07:19,720
business class. 
We have to get a few more 

130
00:07:19,720 --> 00:07:21,920
sponsors, I think, for that. 
So if you want to sponsor an 

131
00:07:21,920 --> 00:07:24,080
episode of the podcast, hit our 
website. 

132
00:07:25,280 --> 00:07:28,640
All right, let's talk turkey,
or cloud in this case.

133
00:07:28,640 --> 00:07:31,720
I wanna welcome to the show,
her first time on it,

134
00:07:31,960 --> 00:07:34,320
Kat Traxler. 
She's a security researcher at 

135
00:07:34,320 --> 00:07:36,760
TrustOnCloud.
Welcome to the show, Kat. 

136
00:07:36,920 --> 00:07:38,920
Hey, guys and hey, everybody. 
Thanks for having me. 

137
00:07:39,080 --> 00:07:41,240
Yeah, thanks for making an 
appearance with us. 

138
00:07:41,520 --> 00:07:44,840
You're currently holding either 
Lump or Yawn, I'm not sure

139
00:07:44,840 --> 00:07:47,120
which. 
On your lap, one of your two 

140
00:07:47,320 --> 00:07:49,600
dachshunds. 
Yeah, I have Mr. Lump. 

141
00:07:49,600 --> 00:07:51,880
Here he is. 
He was whining to get out of my 

142
00:07:51,880 --> 00:07:54,640
lap, so if we don't want to hear
him whining through the entire 

143
00:07:54,640 --> 00:07:56,520
episode, I think it's best I 
just hold him.

144
00:07:56,920 --> 00:07:59,600
Well, I'm a dog fan and I think 
dogs are the best people, so I'm

145
00:07:59,600 --> 00:08:02,080
totally OK with that. 
We're not doing video for this 

146
00:08:02,080 --> 00:08:05,320
episode, so people just have to 
take my word for it that that is

147
00:08:05,320 --> 00:08:07,160
one adorable puppy on your on 
your lap. 

148
00:08:07,720 --> 00:08:10,400
Let's talk about though, your 
identity background, because one

149
00:08:10,400 --> 00:08:12,640
of the things we do when we have
someone on for the first time is

150
00:08:12,640 --> 00:08:15,800
really to kind of understand how
did they get into the identity 

151
00:08:15,800 --> 00:08:18,040
space. 
So tell us a little bit about 

152
00:08:18,120 --> 00:08:21,040
sort of how you got up into this
you know, area. 

153
00:08:21,080 --> 00:08:23,680
Is it something that you chose
or did it choose you?

154
00:08:24,800 --> 00:08:28,360
Very much the latter.
You know, I have a

155
00:08:28,360 --> 00:08:34,720
background in application 
development and then web app pen

156
00:08:34,720 --> 00:08:37,520
testing. 
That was my initial pivot into 

157
00:08:37,520 --> 00:08:42,520
security and a number of years 
ago and in that realm of 

158
00:08:43,159 --> 00:08:48,520
internal white box testing. 
One of the large testing 

159
00:08:48,520 --> 00:08:54,480
projects I was able to do was a 
white box test of a new IDP. 

160
00:08:56,000 --> 00:09:02,160
My employer was looking to 
switch IDPs and needed to have

161
00:09:02,160 --> 00:09:09,080
an independent look at the
on-prem systems, the connections,

162
00:09:09,080 --> 00:09:13,080
the configurations and
assertions that were going to

163
00:09:13,080 --> 00:09:16,800
be creating. 
And I mean my memory has it that

164
00:09:16,800 --> 00:09:19,400
I probably spent six months 
tearing this thing apart. 

165
00:09:19,400 --> 00:09:25,560
And you know, it was that
experience that really showed me

166
00:09:25,560 --> 00:09:31,080
the impact that Identity had 
across a major enterprise and 

167
00:09:31,080 --> 00:09:36,720
kind of got me into becoming
this, yeah, I mean, I guess you

168
00:09:36,720 --> 00:09:38,400
could say identity junkie, 
right. 

169
00:09:38,400 --> 00:09:40,480
But it was really more of like 
an impact junkie. 

170
00:09:40,480 --> 00:09:47,920
Like I wanted to work on systems
that had the most impact to my 

171
00:09:47,920 --> 00:09:50,920
customers and to my employers. 
And that was just like identity,

172
00:09:50,920 --> 00:09:54,400
clearly. 
And having been, you know, so 

173
00:09:54,400 --> 00:09:58,360
deep inside of an IDP and seeing
the guts and glory of it. 

174
00:09:59,080 --> 00:10:03,640
And from there I knew that if I 
wanted to be at like having 

175
00:10:03,640 --> 00:10:07,080
impactful work, it was going
to be centered in identity. 

176
00:10:07,720 --> 00:10:10,680
And you've got a lot of, you 
know, pans in the fires. 

177
00:10:10,680 --> 00:10:12,320
We like to say a lot of stuff 
that you work on. 

178
00:10:12,640 --> 00:10:15,800
You've got your own consulting 
firm, Nanuke Security. 

179
00:10:16,120 --> 00:10:18,000
You're working with
TrustOnCloud now as a security

180
00:10:18,000 --> 00:10:19,640
researcher.
You also do work with SANS

181
00:10:19,640 --> 00:10:23,760
Institute, IANS, DEF CON.
I mean, tell me about some of
I mean, tell me about some of 

182
00:10:23,760 --> 00:10:24,960
the other. 
I don't want to call them 

183
00:10:24,960 --> 00:10:27,560
extracurricular activities, but 
tell me the other things that 

184
00:10:27,560 --> 00:10:30,480
you kind of work on and help me 
kind of understand as second 

185
00:10:30,480 --> 00:10:33,720
part of that question, what does
a security researcher do? 

186
00:10:34,080 --> 00:10:35,920
It's like a really, really good 
question. 

187
00:10:35,920 --> 00:10:41,320
It's so broad, you know, what 
does the security researcher do?

188
00:10:41,320 --> 00:10:45,200
And that's that explanation is 
going to be different from 10 

189
00:10:45,200 --> 00:10:46,760
different researchers you talked
to. 

190
00:10:47,640 --> 00:10:53,320
But I like to think of it like I
take complex amorphous systems 

191
00:10:53,320 --> 00:10:57,400
and try to break them down to 
their essential parts and 

192
00:10:57,560 --> 00:11:03,120
through that process try to 
identify the the security 

193
00:11:03,120 --> 00:11:06,120
weaknesses typically at the 
joints where two trust 

194
00:11:06,120 --> 00:11:08,720
boundaries meet, where two 
systems interact. 

195
00:11:09,200 --> 00:11:17,520
And so it's that process of 
distilling and really like fully

196
00:11:17,520 --> 00:11:20,120
understanding that within the 
complex system there is no 

197
00:11:20,120 --> 00:11:22,920
magic. 
And if you can say there's no 

198
00:11:22,920 --> 00:11:25,400
magic in here, it all is 
understandable. 

199
00:11:25,400 --> 00:11:29,560
If you want to distill it to its
essential parts, that's 

200
00:11:29,560 --> 00:11:32,400
ultimately like what research 
is, is trying to distill it to 

201
00:11:32,400 --> 00:11:39,040
its essential parts and then 
understand where you have, you 

202
00:11:39,040 --> 00:11:43,360
know, security relevant issues. 
I might stumble across a lot of 

203
00:11:43,360 --> 00:11:46,360
bugs here and there, but 
determining whether or not it's 

204
00:11:46,360 --> 00:11:53,240
security relevant is kind of 
like the unique

205
00:11:53,560 --> 00:11:56,560
skill to have. 
You know, what ticketing system 

206
00:11:56,560 --> 00:11:59,800
do you submit this to? 
Do you submit this to a general 

207
00:11:59,800 --> 00:12:02,400
public issue tracker where 
everybody can see Because it's 

208
00:12:02,400 --> 00:12:06,840
like not security relevant and 
hey, I fixed this, or do you 

209
00:12:06,840 --> 00:12:09,720
submit to this, like, private bug
bounty where it should be kept

210
00:12:09,720 --> 00:12:14,080
confidential? 
So yeah, that's what I do in my 

211
00:12:14,080 --> 00:12:20,240
day job with TrustOnCloud.
The work product is threat 

212
00:12:20,240 --> 00:12:25,560
models, GCP services 
specifically, where ultimately 

213
00:12:25,560 --> 00:12:30,560
there is a diagram of all of the
flows and interactions of the 

214
00:12:30,560 --> 00:12:33,520
service, and then a list of all 
of the threats I've enumerated 

215
00:12:33,960 --> 00:12:38,800
and then all of the controls. 
I do similar work. 

216
00:12:40,000 --> 00:12:44,400
I had done similar work with 
past employers with SANS. 

217
00:12:44,400 --> 00:12:49,960
I wrote a course, the SEC549
Enterprise Cloud Security 

218
00:12:50,000 --> 00:12:54,040
Architecture course. 
Less threat focused, more just 

219
00:12:54,040 --> 00:12:55,880
like what are the overarching 
controls? 

220
00:12:55,880 --> 00:12:59,840
Lots of identity, surprise,
surprise, big identity

221
00:12:59,840 --> 00:13:02,840
course. 
What was the other thing? 

222
00:13:02,840 --> 00:13:07,280
Oh, DEF CON, right?
For years I've helped run the

223
00:13:07,280 --> 00:13:10,360
local DEF CON chapter here.
So everybody knows there's the 

224
00:13:10,360 --> 00:13:15,600
big DEF CON Vegas thing.
I personally hate Vegas. 

225
00:13:16,600 --> 00:13:18,800
I like it's torture for me being
there. 

226
00:13:20,080 --> 00:13:22,320
But there's also these, like, 
local chapters in every 

227
00:13:22,320 --> 00:13:25,560
community that meet, and I've 
helped run that for many years. 

228
00:13:26,360 --> 00:13:29,800
I think that covers some of the 
extracurricular stuff, yeah. 

229
00:13:31,040 --> 00:13:34,000
Now I feel like I need to
defend Vegas, but I'm not going

230
00:13:34,000 --> 00:13:36,360
to.
You form your opinion, I'll form

231
00:13:36,360 --> 00:13:39,600
my opinion. 
We can still be friends but I 

232
00:13:39,600 --> 00:13:43,320
did have a follow-up on the
security researcher thing which 

233
00:13:43,840 --> 00:13:51,000
is, like, what drives
people to become security 

234
00:13:51,000 --> 00:13:55,120
researchers or do the kind of 
research and get these you know 

235
00:13:55,120 --> 00:13:58,680
find these zero days and things 
like that. 

236
00:13:59,080 --> 00:14:04,360
My understanding is OK, there 
can be bounties that are paid 

237
00:14:05,240 --> 00:14:08,080
and then the other is like 
street cred. 

238
00:14:08,200 --> 00:14:12,920
Like I found this zero day and 
like I can become famous as a 

239
00:14:12,920 --> 00:14:16,800
security researcher, But since 
you brought it up, I mean what 

240
00:14:16,800 --> 00:14:19,360
is the motivation? 
I mean those are two of them 

241
00:14:19,360 --> 00:14:24,040
also, you know there's also the 
do good part, you know that just

242
00:14:24,040 --> 00:14:27,040
we want systems more secure.
That's definitely a factor. 

243
00:14:28,360 --> 00:14:31,840
I'm working on a project now 
that because of the kind of 

244
00:14:31,840 --> 00:14:36,800
research it is, I won't get any 
bounty, might not actually get 

245
00:14:36,800 --> 00:14:39,600
any street cred for it, but if it
works out, it's actually going 

246
00:14:39,600 --> 00:14:43,960
to be really impactful for 
people and secure a lot of 

247
00:14:43,960 --> 00:14:47,040
systems in the future. 
So you're always balancing those

248
00:14:47,040 --> 00:14:51,040
three and like you do it because
you're just like insatiably 

249
00:14:51,040 --> 00:14:55,000
curious and, you know, you
try to just balance that 

250
00:14:55,000 --> 00:14:59,840
between, you know, having a life
and you know, enjoying non tech 

251
00:14:59,840 --> 00:15:02,040
things and not have it take over
your life. 

252
00:15:02,800 --> 00:15:05,600
But I know when people first 
start out, it can really be 

253
00:15:05,600 --> 00:15:10,400
consuming just this insatiable 
curiosity of systems and trying 

254
00:15:10,400 --> 00:15:14,760
to break them and understand 
them and dissect them. 

255
00:15:16,080 --> 00:15:19,760
Yeah, yeah, definitely got the
sense that that's a big

256
00:15:19,760 --> 00:15:23,800
motivator for you from the 
different things that I've seen 

257
00:15:23,800 --> 00:15:26,320
you do on like YouTube and 
things like that. 

258
00:15:26,760 --> 00:15:32,160
And you know, one of the things 
that attracted us to ask you to 

259
00:15:32,160 --> 00:15:36,040
be on the show was that, you 
know you're in this IAM space, 

260
00:15:36,040 --> 00:15:38,600
but you're also focused on the 
cloud. 

261
00:15:39,320 --> 00:15:44,240
You kind of spend a lot of time 
on GCP, Google's cloud, a lot of

262
00:15:44,240 --> 00:15:48,640
time on AWS. 
And I'm just going to start with

263
00:15:48,640 --> 00:15:53,160
kind of like one of the 
questions I think every identity

264
00:15:53,160 --> 00:15:57,000
practitioner has either faced or
is facing now as they're 

265
00:15:57,000 --> 00:16:02,920
transitioning having to manage 
you know on premise environments

266
00:16:03,360 --> 00:16:07,560
and having to manage cloud 
environments from an IAM 

267
00:16:07,560 --> 00:16:12,000
perspective. 
And I'm wondering, you know, the

268
00:16:12,000 --> 00:16:17,920
investments that we've made over
time in IAM tools, can the same 

269
00:16:18,120 --> 00:16:22,080
tools that we bought for on-prem
be used for the cloud? 

270
00:16:22,160 --> 00:16:25,400
Is it black and white? 
You need different tools or is 

271
00:16:25,400 --> 00:16:27,400
it there's some kind of like 
Gray area? 

272
00:16:29,800 --> 00:16:33,160
I will have the most, you know,
probably frustrating answer in

273
00:16:33,160 --> 00:16:37,240
saying maybe you need new
tools.

274
00:16:37,320 --> 00:16:40,680
I think that's like the
Holy Grail right? 

275
00:16:40,680 --> 00:16:47,320
Like I have this, I have this 
permission catalog that stood up

276
00:16:47,320 --> 00:16:52,280
in my enterprise and like can't 
I just like put all of my AWS 

277
00:16:52,360 --> 00:16:56,960
roles in here and then have
those roles be auto assigned to 

278
00:16:56,960 --> 00:17:00,000
the people and then 
deprovisioned after a time? 

279
00:17:00,520 --> 00:17:05,319
And that's all I think possible 
and some of the big vendors are 

280
00:17:05,319 --> 00:17:09,040
incorporating it. 
But I think it's it's not a, 

281
00:17:09,280 --> 00:17:13,920
it's not a natural 
externalization of cloud 

282
00:17:13,920 --> 00:17:17,880
concepts. 
I think like what's natural to 

283
00:17:17,920 --> 00:17:21,680
externalize from the cloud is 
authentication. 

284
00:17:22,640 --> 00:17:30,400
So like you can naturally you 
know, externalize to your

285
00:17:30,400 --> 00:17:36,320
IDP and you can naturally 
externalize to say your group 

286
00:17:36,320 --> 00:17:40,440
memberships and have those 
carried through over, you know, 

287
00:17:40,440 --> 00:17:44,040
SAML authentication. 
But when it comes to your like 

288
00:17:44,240 --> 00:17:50,040
roles and your authorization, 
that's a harder nut to crack and

289
00:17:50,040 --> 00:17:55,920
I think there's just less
kind of all-in-one. When I say all-in-one,

290
00:17:55,920 --> 00:18:01,440
I mean like it'll handle
all of your, you know, on-prem

291
00:18:01,440 --> 00:18:08,080
privileged assignments and your 
in the cloud, you know, 

292
00:18:08,080 --> 00:18:11,290
developer roles. 
There's just less all in 

293
00:18:22,800 --> 00:18:27,680
Is there authorization concepts?
See, I think This is why I 

294
00:18:27,680 --> 00:18:31,920
wanted to get you onto the show 
because I didn't even feel like 

295
00:18:31,920 --> 00:18:35,400
I asked the question well, but 
your answer was perfect and 

296
00:18:35,400 --> 00:18:39,720
exactly what I was looking for. 
You you've really focused in on 

297
00:18:39,720 --> 00:18:44,480
kind of the core technologies of
Identity, you know, from the

298
00:18:44,480 --> 00:18:47,720
on-prem world.
There are a couple of other
There are a couple of other 

299
00:18:47,720 --> 00:18:51,440
technologies that you didn't 
touch on that I'd like to throw 

300
00:18:51,440 --> 00:18:54,600
them out there and just kind of 
get your take and whether or not

301
00:18:54,760 --> 00:18:56,320
like how much value you see in 
them. 

302
00:18:56,520 --> 00:18:59,560
And the first one I'm going to 
touch on is, you know, kind of 

303
00:18:59,560 --> 00:19:03,960
built for the cloud, the space 
called CIEM,

304
00:19:03,960 --> 00:19:06,480
cloud infrastructure
entitlement management.

305
00:19:07,240 --> 00:19:11,800
What's your take on that? 
I mean, those folks are

306
00:19:11,800 --> 00:19:16,320
trying to solve, like, the
huge problem of both least

307
00:19:16,320 --> 00:19:20,960
privilege and trying to time box
privilege assignments around, 

308
00:19:22,360 --> 00:19:24,000
you know, doing that just in 
time. 

309
00:19:25,720 --> 00:19:29,560
I mean my take is that it's a 
massively hard problem to solve.

310
00:19:29,960 --> 00:19:33,000
At some point when you're large 
enough and you have a large 

311
00:19:33,000 --> 00:19:36,320
enough enterprise, bringing some
of that tooling in makes sense. 

312
00:19:37,040 --> 00:19:40,120
And is it? 
It's probably not going to be 

313
00:19:40,120 --> 00:19:45,600
the same tooling though as your 
on-prem permission catalogue.

314
00:19:46,160 --> 00:19:52,720
That's why they have that whole 
CIEM space and, yeah.

315
00:19:53,800 --> 00:19:55,880
It's like I said built for the 
cloud. 

316
00:19:55,880 --> 00:20:00,160
And I think a lot of people are 
determining whether and whether 

317
00:20:00,160 --> 00:20:02,320
or not they need to be spending 
money on that. 

318
00:20:03,680 --> 00:20:08,720
The next one is kind of more 
traditional on-prem tool,

319
00:20:08,720 --> 00:20:11,040
Privileged Access Management or 
PAM.

320
00:20:11,440 --> 00:20:15,640
And kind of it's a, it's always 
been to me like a bunch of 

321
00:20:15,640 --> 00:20:18,680
capabilities kind of put 
together in terms of what they 

322
00:20:18,680 --> 00:20:21,440
call PAM.
But I'm just wondering like. 

323
00:20:22,040 --> 00:20:26,160
You talk about, like, traditional
PAM technologies, say, like a

324
00:20:26,160 --> 00:20:32,240
CyberArk or BeyondTrust or the
Delinea suite, like is that the

325
00:20:32,240 --> 00:20:35,600
place to start? 
Is that the place to build your 

326
00:20:35,840 --> 00:20:38,280
privileged Access management for
the cloud? 

327
00:20:38,640 --> 00:20:40,320
Likely not. 
No. 

328
00:20:40,320 --> 00:20:44,520
I mean, the CyberArk
people will probably you know 

329
00:20:44,680 --> 00:20:49,560
shake their fists at me, but I
don't see that it's, I haven't 

330
00:20:49,560 --> 00:20:53,600
seen that it's moving at the 
speed that folks need. 

331
00:20:54,200 --> 00:20:58,800
And I'm thinking about like the 
usages of CyberArk being this

332
00:20:59,320 --> 00:21:08,040
I'm going to everyday then do 
you this privileged user and 

333
00:21:08,040 --> 00:21:13,280
it's going to be bended out to a
small handful of your, you

334
00:21:13,280 --> 00:21:18,720
know, your sys admins, your your
DBAs.

335
00:21:19,200 --> 00:21:24,000
But now in the cloud, who has,
I'll use air quotes, privilege? Like

336
00:21:24,000 --> 00:21:26,920
all your developers like so many
people. 

337
00:21:28,160 --> 00:21:33,160
So maybe the first thing to do 
is to figure out how to have 

338
00:21:33,640 --> 00:21:40,200
instead of having 500 developers
needing privilege, maybe the 

339
00:21:40,200 --> 00:21:43,960
first thing to do is to try to 
figure out how to have zero 

340
00:21:43,960 --> 00:21:48,240
touch production where nobody 
actually is logging into that 

341
00:21:48,240 --> 00:21:52,800
system. 
And like the the ways that the 

342
00:21:52,800 --> 00:22:00,320
cloud and privilege identity has
evolved has been different than 

343
00:22:00,320 --> 00:22:04,640
it evolved 20 years ago in like 
the on-prem systems to where I

344
00:22:04,640 --> 00:22:10,240
don't know that your traditional
PAM vendors shoehorn in great.

345
00:22:11,160 --> 00:22:15,960
Yeah, I mean I think, I think my
answer to this or my feeling on 

346
00:22:15,960 --> 00:22:18,880
this has to do with how you went
to the cloud. 

347
00:22:19,280 --> 00:22:22,840
If if your approach was like 
let's lift and shift our 

348
00:22:23,360 --> 00:22:27,880
internal environment and you're 
doing little virtualization 

349
00:22:27,880 --> 00:22:34,720
or little infrastructure as
code, then maybe it's just a 

350
00:22:34,720 --> 00:22:39,320
bunch of servers that you are 
renting from someone else and 

351
00:22:39,720 --> 00:22:42,640
that model would work. 
I don't think it's going to 

352
00:22:42,960 --> 00:22:45,040
really help you too much for 
your console. 

353
00:22:45,480 --> 00:22:49,120
But in terms of like, hey, we're
not doing any kind of automated 

354
00:22:49,360 --> 00:22:54,280
management of these server 
instances and that's what our 

355
00:22:54,280 --> 00:22:58,520
cloud happens to be, then I 
think yes, traditional PAM

356
00:22:58,880 --> 00:23:00,600
probably would work in that 
model. 

357
00:23:00,880 --> 00:23:03,520
If you're doing a lot of 
automation, you're using a lot 

358
00:23:03,520 --> 00:23:08,640
of, you know, service accounts 
and you're using Docker and 

359
00:23:08,640 --> 00:23:12,800
things like that, I mean, it 
starts to chip away at what 

360
00:23:13,320 --> 00:23:17,160
value kind of extending that 
privilege access management 

361
00:23:17,960 --> 00:23:21,280
would bring to you securing your
cloud. 

362
00:23:21,320 --> 00:23:26,760
I think how much, how much 
effort might go into deploying a

363
00:23:26,760 --> 00:23:32,160
Pam solution, say for like your 
server instances, right? 

364
00:23:33,000 --> 00:23:35,840
I worry that somebody might end 
up missing the forest for the 

365
00:23:35,840 --> 00:23:41,720
trees, because even if you have,
you know say a a lift and shift 

366
00:23:41,720 --> 00:23:48,680
style fleet of IaaS and that's 
really all you're using, you're 

367
00:23:48,680 --> 00:23:54,400
missing the entire control plane
which is through your most juicy

368
00:23:54,400 --> 00:23:57,560
target. 
You might spend a ton of effort 

369
00:23:57,560 --> 00:24:04,000
securing these SSH credentials 
or just securing this like 1 

370
00:24:04,000 --> 00:24:08,760
jump post ingress, but you've 
completely missed your entire 

371
00:24:08,760 --> 00:24:11,080
control plane. 
That's right. 

372
00:24:11,080 --> 00:24:14,520
That's what I was calling it, 
the the console, but it's really

373
00:24:14,520 --> 00:24:17,000
more the control plane. 
Yeah, yeah. 

374
00:24:17,000 --> 00:24:19,760
Which just comes along for the 
ride, really, no matter what. 

375
00:24:21,360 --> 00:24:24,360
What do you think that those 
privilege access management 

376
00:24:24,360 --> 00:24:26,240
tools are kind of missing the 
mark there? 

377
00:24:26,240 --> 00:24:31,040
Is it just it's very hard for a 
third party product to, you 

378
00:24:31,040 --> 00:24:34,520
know, manage that in a more 
secure way than kind of comes 

379
00:24:34,520 --> 00:24:37,600
out-of-the-box or? 
I just think it comes down to 

380
00:24:37,600 --> 00:24:40,120
like when you have a hammer, 
everything looks like a nail. 

381
00:24:41,200 --> 00:24:44,080
You know, that's they've had a 
very successful business doing 

382
00:24:44,080 --> 00:24:47,080
this thing. 
And how do they appear to have 

383
00:24:47,080 --> 00:24:50,320
coverage for this new thing? 
They have a hammer. 

384
00:24:50,680 --> 00:24:53,080
Let's try to make the hammer 
work in some way. 

385
00:24:55,680 --> 00:25:00,720
So the last group of technology 
that I really wanted to bounce 

386
00:25:00,720 --> 00:25:08,240
off you was monitoring 
technology, SIEM, and the new, the

387
00:25:08,240 --> 00:25:15,400
new cousin ITDR. 
Do you need to enhance the 

388
00:25:15,480 --> 00:25:21,680
monitoring of the cloud with 
external products or use what is

389
00:25:21,680 --> 00:25:25,040
kind of built into the cloud? 
All right, you got to help me 

390
00:25:25,080 --> 00:25:28,360
out here. 
ITDR, what was? 

391
00:25:28,360 --> 00:25:31,000
Identity, threat detection and 
response. 

392
00:25:31,040 --> 00:25:33,400
Oh, OK. 
Interesting. 

393
00:25:33,840 --> 00:25:36,640
So my previous employer, I 
probably did that. 

394
00:25:36,800 --> 00:25:40,040
We called it CDR, Cloud 
Detection response. 

395
00:25:40,520 --> 00:25:43,320
And maybe this is just an 
evolving girl, right. 

396
00:25:45,440 --> 00:25:47,840
So yes. 
Do we need new things? 

397
00:25:47,840 --> 00:25:53,120
Yeah. 
So you're going to need, you're 

398
00:25:53,120 --> 00:25:56,720
going to have the same problems 
with monitoring that you know 

399
00:25:56,760 --> 00:26:00,120
folks in the SOC always had, 
which is this data normalization

400
00:26:00,120 --> 00:26:03,600
issue. 
But you're going to have it 

401
00:26:04,120 --> 00:26:10,640
times 10 because you're going to
have audit logs from likely 

402
00:26:10,640 --> 00:26:15,560
three different clouds and 
you're going to have additional 

403
00:26:15,560 --> 00:26:21,600
system logs from a number of 
different IaaS and SaaS services. 

404
00:26:22,240 --> 00:26:27,160
So with all of these logs comes 
a ton for data normalization. 

405
00:26:27,760 --> 00:26:29,280
And then what do you do with 
them? 

406
00:26:29,280 --> 00:26:34,080
Do you dump them in your your 
Splunk and start adding extra 

407
00:26:34,080 --> 00:26:39,440
zeros to your checks and that's 
an option that people do and 

408
00:26:39,440 --> 00:26:42,360
they start cross correlating 
just in one big central 

409
00:26:42,360 --> 00:26:45,920
location? 
Or do you do the thing that says

410
00:26:46,520 --> 00:26:49,960
I want to gain insights? 
I will use air quotes against 

411
00:26:50,000 --> 00:26:55,880
insights at the edge, which 
means which means that you you 

412
00:26:55,880 --> 00:27:00,960
find the uniqueness and you find
the vadnais you monitor in those

413
00:27:00,960 --> 00:27:05,760
clouds using cloud native 
monitoring technologies, likely 

414
00:27:05,760 --> 00:27:10,840
from the CSPs because they have 
the insights as to what uniquely

415
00:27:10,840 --> 00:27:13,320
you need to look for in that 
specific cloud. 

416
00:27:13,440 --> 00:27:17,640
And then you pull pull not the 
logs, but you pull the insights 

417
00:27:18,320 --> 00:27:21,720
to a central location where you 
can do correlation. 

418
00:27:22,520 --> 00:27:24,960
Personally for larger 
organizations, it really more 

419
00:27:24,960 --> 00:27:29,360
looks like the latter. 
And so you in both cases you do 

420
00:27:29,360 --> 00:27:33,960
end up using new technologies, 
but in the latter solution you 

421
00:27:34,000 --> 00:27:39,160
end up using quite a bit more 
cloud native detection 

422
00:27:39,160 --> 00:27:42,720
technologies because you're 
doing that insights at the edge 

423
00:27:42,720 --> 00:27:46,920
thing and and centralizing only 
the insights. 

424
00:27:48,240 --> 00:27:50,440
We kind of jumped right into a 
bunch of different technologies 

425
00:27:50,440 --> 00:27:52,720
and I want to take a step back a
moment because I think one of 

426
00:27:52,720 --> 00:27:54,680
the things that at least that 
I've discovered myself 

427
00:27:54,680 --> 00:27:58,920
personally is GCP for example, 
maybe is not as well known as 

428
00:27:58,920 --> 00:28:02,320
some of the other ones like AWS 
and Azure and sort of things 

429
00:28:02,320 --> 00:28:04,000
like that. 
And I think this is the thing 

430
00:28:04,000 --> 00:28:07,160
that a lot of people struggle 
with is every cloud provider 

431
00:28:07,240 --> 00:28:10,520
kind of does identity or 
or security a little bit 

432
00:28:10,520 --> 00:28:13,400
differently from each other. 
Totally, yeah. 

433
00:28:14,160 --> 00:28:15,800
I mean, it's it's like a totally
different language and we're 

434
00:28:15,800 --> 00:28:17,880
seeing some of these tools pop 
up where they're like trying to 

435
00:28:17,880 --> 00:28:19,880
be the Rosetta Stone between all
three. 

436
00:28:20,280 --> 00:28:22,920
And so I can certainly see, you 
know, some of the cloud posture,

437
00:28:22,920 --> 00:28:25,200
management, cloud detection, 
response, right, all that, all 

438
00:28:25,200 --> 00:28:29,360
those things, they're meant to 
help, but they don't replace 

439
00:28:29,760 --> 00:28:32,040
true knowledge of how things 
work, right? 

440
00:28:32,040 --> 00:28:34,600
I mean, you need to know how 
this stuff works. What's the 

441
00:28:34,600 --> 00:28:38,760
best way to pick up and start to
learn things like like GCP 

442
00:28:38,760 --> 00:28:41,040
'cause I think you wrote a blog 
about this, didn't you? 

443
00:28:42,640 --> 00:28:48,800
Yeah, I mean I put out you know,
a basic like one-on-one series 

444
00:28:48,800 --> 00:28:53,080
on my website several years ago 
and I just, I just refreshed it 

445
00:28:53,080 --> 00:28:56,120
recently. 
Have you ever had, have you ever

446
00:28:56,120 --> 00:28:59,760
had the thing where you go back 
to things you've written a few 

447
00:28:59,760 --> 00:29:01,840
years later and you said, oh, 
this is garbage? 

448
00:29:02,360 --> 00:29:02,920
Recorded. 
Yeah. 

449
00:29:03,120 --> 00:29:04,680
Yeah. 
Yeah. 

450
00:29:05,280 --> 00:29:06,920
So that's that happened 
recently. 

451
00:29:07,640 --> 00:29:10,800
I put out the 101 series, I 
think in 2020 and I went back to

452
00:29:10,800 --> 00:29:12,800
it. 
I was like, oh oh, this is 

453
00:29:12,800 --> 00:29:15,120
garbage. 
And so I I I rewrote it well. 

454
00:29:15,280 --> 00:29:16,840
It might not have been garbage 
at the time though, right? 

455
00:29:16,840 --> 00:29:19,240
Isn't this the challenge with 
any technology as things change 

456
00:29:19,240 --> 00:29:20,560
over time and? 
Your. 

457
00:29:20,720 --> 00:29:24,200
Standings and yeah, it's like, 
OK, well, this is the way it 

458
00:29:24,200 --> 00:29:25,960
used to be. 
It's time to update it. 

459
00:29:25,960 --> 00:29:27,440
I think that's just a natural 
refresh, right? 

460
00:29:28,080 --> 00:29:31,320
That's yeah, thank you for thank
you for bolstering my 

461
00:29:31,320 --> 00:29:35,320
confidence. 
I remember just you know kind of

462
00:29:35,320 --> 00:29:38,320
rage updating it. 
But yeah I know that's correct. 

463
00:29:38,520 --> 00:29:41,200
It needed to be refreshed 
because so many, so much 

464
00:29:41,200 --> 00:29:45,600
terminology had changed. 
And then I think the longer you 

465
00:29:45,600 --> 00:29:49,880
work in a system, the more 
crispy your understanding 

466
00:29:49,880 --> 00:29:53,920
becomes. 
And that's, that's what I really

467
00:29:53,920 --> 00:29:57,160
wanted the 101 series to be, was
crisp. 

468
00:29:58,840 --> 00:30:03,240
There's documentation from the 
cloud providers, you can go to 

469
00:30:03,240 --> 00:30:06,720
their websites, you can read all
about their IAM models. 

470
00:30:07,320 --> 00:30:12,800
But I didn't see anywhere where 
it was just like the TLDR, you 

471
00:30:12,800 --> 00:30:17,280
know, prioritizing brevity, 
prioritizing you know the 

472
00:30:17,280 --> 00:30:21,440
crispest way you could get your 
point across and then breaking 

473
00:30:21,440 --> 00:30:25,600
them down into these like 
minimum bite size pieces. 

474
00:30:26,360 --> 00:30:31,080
And part of it for me was just 
this like exercise of like how 

475
00:30:31,600 --> 00:30:37,360
few words could I use to give 
somebody 99% of the picture. 

476
00:30:37,880 --> 00:30:42,360
You know how how little could I 
write as opposed to how much 

477
00:30:42,360 --> 00:30:44,520
could I write and how much could
I tell somebody. 

478
00:30:44,840 --> 00:30:47,280
I wanted to see how little could
I write and still give him a 

479
00:30:47,320 --> 00:30:52,880
huge part piece of the pie. 
There's still a 201 series that

480
00:30:52,880 --> 00:30:56,840
I owe people, but 101 in GCP
gets you really far. 

481
00:30:57,560 --> 00:31:00,360
So we'll have a link in our show
notes to that cattracksor.cloud.

482
00:31:00,480 --> 00:31:02,880
I think it's as of right now 
it's like the top thing on the 

483
00:31:02,880 --> 00:31:05,920
list that I remember seeing. 
But it is good. 

484
00:31:05,920 --> 00:31:09,520
And I think there's a real skill
and an art form into. 

485
00:31:09,520 --> 00:31:11,560
You took the word that I was 
immediately thinking it was 

486
00:31:11,560 --> 00:31:14,360
brevity is how do you get to the
point quickly, right. 

487
00:31:14,840 --> 00:31:17,560
Everybody's watched a cooking 
video where they spend the first

488
00:31:17,560 --> 00:31:20,440
half hour talking about the 
history behind the parchment 

489
00:31:20,440 --> 00:31:22,560
that they use to write this 
recipe. 

490
00:31:22,560 --> 00:31:24,640
And it's like not just get to 
the facts like I don't care. 

491
00:31:25,240 --> 00:31:28,960
Right. 
So I appreciate short bits of 

492
00:31:28,960 --> 00:31:30,560
content that are direct to the 
point. 

493
00:31:30,560 --> 00:31:32,760
Tell me what I need to know. 
Guess what. 

494
00:31:32,760 --> 00:31:35,560
I'm gonna come back. 
I'm gonna keep reading and I 

495
00:31:35,560 --> 00:31:37,720
feel like if I want to learn 
more, sure, right? 

496
00:31:37,720 --> 00:31:40,120
There's other things like that, 
but sometimes I I just love 

497
00:31:40,120 --> 00:31:43,960
those little bite sized things. 
So I'm I'm excited to scan it 

498
00:31:43,960 --> 00:31:46,560
over and start to get into it 
because I think GCP is one of 

499
00:31:46,560 --> 00:31:49,200
the areas I personally just I 
don't have really any experience

500
00:31:49,200 --> 00:31:51,560
with. 
It's been all AWS and Azure to

501
00:31:51,560 --> 00:31:55,400
date. 
Do you see GCP growing? 

502
00:31:56,240 --> 00:31:58,600
Shrinking? 
Is it better suited for maybe 

503
00:31:58,600 --> 00:32:01,520
certain businesses and certain 
applications than others? 

504
00:32:01,720 --> 00:32:05,520
Because I've kind of heard like 
GCP is great for some things and

505
00:32:05,520 --> 00:32:08,560
not as great for other things, 
but like where if I'm out there 

506
00:32:08,560 --> 00:32:11,480
as an IAM person, like where 
should I expect to see? 

507
00:32:11,480 --> 00:32:14,240
Oh yeah, we're probably going to
be using GCP in that type of 

508
00:32:14,240 --> 00:32:18,600
context. 
Yeah, I mean, whenever I hear of

509
00:32:18,600 --> 00:32:24,320
somebody using GCP I think, are 
you using it for data science? 

510
00:32:24,320 --> 00:32:26,080
That's really popular in that 
respect. 

511
00:32:27,520 --> 00:32:34,080
It's really popular for its 
offerings around like Kubernetes

512
00:32:34,120 --> 00:32:36,240
and like serverless 
containerization. 

513
00:32:36,840 --> 00:32:42,880
And it's not as popular for say 
just like workhorse workloads 

514
00:32:42,880 --> 00:32:48,360
like, you know you need like you
know some some VMs, start up a 

515
00:32:48,360 --> 00:32:50,320
load balancer and get a database
up. 

516
00:32:50,320 --> 00:32:53,920
Like that's really just like 
your bread and butter AWS stuff.

517
00:32:55,280 --> 00:33:00,520
I can't tell you if you know GCP
would be competitive, would not 

518
00:33:00,520 --> 00:33:04,080
be competitive. 
It's just I typically don't see 

519
00:33:04,080 --> 00:33:07,080
them playing in that space as 
much. 

520
00:33:07,480 --> 00:33:13,600
It's more of the big data data 
science area that you know if 

521
00:33:13,600 --> 00:33:17,880
you're if you have GCP it's it's
in that scenario which again is 

522
00:33:17,880 --> 00:33:21,480
very cool because for me that's 
impact you know that's that's 

523
00:33:21,480 --> 00:33:24,880
high impact data that needs to 
be protected. 

524
00:33:26,000 --> 00:33:27,760
So let's give people a kick 
start here. 

525
00:33:28,200 --> 00:33:32,760
If I guess what is the most 
important thing that people 

526
00:33:32,760 --> 00:33:35,720
should know when they start to 
look at GCP from an Identity 

527
00:33:35,720 --> 00:33:42,240
perspective? 
The one thing that GCP has that 

528
00:33:42,880 --> 00:33:47,280
is not prevalent in AWS is this 
resource hierarchy. 

529
00:33:47,840 --> 00:33:55,440
This concept of a hierarchical 
model starts at the organization

530
00:33:55,560 --> 00:33:58,680
flows down to folders and 
projects and then underneath 

531
00:33:58,680 --> 00:34:04,840
resources where each of those 
points on the hierarchy. 

532
00:34:04,840 --> 00:34:11,440
Those positions are attachment 
points for policy, and then 

533
00:34:11,440 --> 00:34:14,440
policy can then be inherited 
down the hierarchy. 

534
00:34:15,080 --> 00:34:21,960
That whole hierarchy inheritance
model, you know, characteristic 

535
00:34:23,239 --> 00:34:28,320
is the most powerful thing in 
Google Cloud, and it's the thing

536
00:34:28,320 --> 00:34:31,280
that people just completely 
forget. 

537
00:34:32,000 --> 00:34:35,440
It's the thing that's just not 
in the forefront of people's 

538
00:34:35,440 --> 00:34:38,400
minds, especially coming from an
AWS background. 

539
00:34:40,400 --> 00:34:43,400
Is that something that from, you
know, your day job as security 

540
00:34:43,400 --> 00:34:45,560
researcher, you're starting to 
look at maybe those policies, 

541
00:34:45,560 --> 00:34:48,840
attachments and say, hey, 
something misconfigured, is that

542
00:34:49,360 --> 00:34:52,360
a valid way or a viable way or a
most common way? Like what are 

543
00:34:52,360 --> 00:34:53,679
you looking for in those kinds 
of areas? 

544
00:34:54,600 --> 00:34:58,120
Yeah, yeah. 
I mean, that's this is the this 

545
00:34:58,120 --> 00:35:07,440
is the best way to provide scope
right? To to attach grants to 

546
00:35:07,440 --> 00:35:12,400
attach permissions at a resource
level. 

547
00:35:12,760 --> 00:35:17,800
Provides the scope, tells you 
how far those permissions can 

548
00:35:17,800 --> 00:35:21,720
roam. 
And because it's not in the 

549
00:35:21,720 --> 00:35:25,880
forefront of people's minds, I 
think a lot of times things are 

550
00:35:25,880 --> 00:35:29,360
attached, say, at the project 
level, which is the equivalent 

551
00:35:29,360 --> 00:35:34,480
of an AWS account. 
And that's conflated with the 

552
00:35:34,600 --> 00:35:40,280
idea of an identity based policy
in AWS where you're assigning a 

553
00:35:40,520 --> 00:35:45,240
person a policy and that user 
lives in an account. 

554
00:35:45,360 --> 00:35:49,840
So these two contradictory 
models that actually aren't the 

555
00:35:49,840 --> 00:35:51,840
same are conflated with each 
other. 

556
00:35:52,000 --> 00:35:57,680
And what that results in in GCP 
is over permission, where 

557
00:35:57,840 --> 00:36:02,200
somebody is provided the ability
to, say, administer all compute 

558
00:36:02,200 --> 00:36:06,320
instances because they have 
their permission attached at the

559
00:36:06,320 --> 00:36:10,280
project level when it really 
should be attached at say a 

560
00:36:10,280 --> 00:36:12,600
compute instance. 
That's actually not a valid 

561
00:36:12,600 --> 00:36:14,640
example because I don't think 
you can attach that at the compute 

562
00:36:14,640 --> 00:36:18,200
instance, but the lowest 
resource level possible. 

563
00:36:18,280 --> 00:36:23,680
I'll say you know, somebody has 
the ability to administer all 

564
00:36:23,680 --> 00:36:30,600
buckets because that permission 
is assigned at the project level

565
00:36:31,000 --> 00:36:34,360
as opposed to really at the very
specific bucket that it matters 

566
00:36:34,360 --> 00:36:38,120
at. 
Is there something similar for 

567
00:36:38,760 --> 00:36:39,880
AWS? 
Is that on the road map? 

568
00:36:39,880 --> 00:36:41,560
Would you think you would ever 
tackle it like that or something

569
00:36:41,560 --> 00:36:42,760
already exists that you feel 
like? 

570
00:36:44,680 --> 00:36:48,440
No, it's. 
It's this lack of a hierarchy 

571
00:36:48,440 --> 00:36:53,040
and this lack of policy 
inheritance was sort of like the

572
00:36:53,520 --> 00:36:58,200
part of the AWS original sin. 
It was, it was the, you know, 

573
00:36:58,200 --> 00:37:01,440
the founding of the founding and
creation of their resource model

574
00:37:01,440 --> 00:37:05,480
just never included that. 
And and So what they've had to 

575
00:37:05,480 --> 00:37:10,520
do over the years is create 
these mechanisms to kind of 

576
00:37:11,240 --> 00:37:14,320
create scope. 
So there's things like 

577
00:37:14,680 --> 00:37:20,320
permission boundaries, 
conditionals, and then a handful

578
00:37:20,320 --> 00:37:23,440
of resources. 
A handful have the ability to 

579
00:37:24,360 --> 00:37:28,720
create attach policies at the 
resource level as opposed to the

580
00:37:28,720 --> 00:37:30,880
identity. 
But now you have a problem. 

581
00:37:31,680 --> 00:37:35,040
The problem you have is now you 
have two different competing 

582
00:37:35,520 --> 00:37:37,640
models. 
You have the identity based 

583
00:37:37,640 --> 00:37:40,400
model and then you have the 
resource based model competing 

584
00:37:40,400 --> 00:37:43,960
against each other in AWS for 
supremacy and so now you have 

585
00:37:43,960 --> 00:37:46,520
have to have all these complex 
rules about like which one takes

586
00:37:46,520 --> 00:37:51,400
precedence in which situation 
depending on which resource and 

587
00:37:51,400 --> 00:37:55,040
things become complicated. 
Is that the main difference 

588
00:37:55,040 --> 00:37:56,960
between GCP and anybody else or 
are there? 

589
00:37:56,960 --> 00:38:02,920
Other things you know there are 
There are 1,000,000 scenarios in

590
00:38:02,920 --> 00:38:05,960
which they are different. 
However, it all rolls up to the 

591
00:38:05,960 --> 00:38:10,040
same issue. 
It all rolls up to the same 

592
00:38:10,040 --> 00:38:16,840
issue of AWS not having the 
resource hierarchy and AWS not 

593
00:38:16,880 --> 00:38:24,560
having the the policy 
inheritance model and all of 

594
00:38:24,560 --> 00:38:27,200
subsequently all of the changes 
that they've had to make to 

595
00:38:27,200 --> 00:38:30,800
their original resource model 
just sort of craft this idea of 

596
00:38:30,800 --> 00:38:35,760
scoped. 
You know, I know we've been 

597
00:38:35,760 --> 00:38:41,240
talking about IAM so much and I
think that securing the cloud 

598
00:38:41,240 --> 00:38:46,600
goes well beyond IAM, certainly 
other areas, certainly other 

599
00:38:46,600 --> 00:38:51,120
layers, but I even think it kind
of starts with having a good 

600
00:38:51,120 --> 00:38:53,840
asset inventory knowing what 
you're protecting. 

601
00:38:55,360 --> 00:38:59,760
Do you find that kind of that 
traditional approach to an asset

602
00:38:59,760 --> 00:39:05,400
inventory or CMDB that kind of 
like been popular in the IT 

603
00:39:05,400 --> 00:39:10,760
space for as long as we've been 
in the IT space makes sense 

604
00:39:11,000 --> 00:39:14,200
given the cloud or is it there's
some kind of shift where IT 

605
00:39:14,200 --> 00:39:16,200
actually has to be looked at 
differently? 

606
00:39:17,960 --> 00:39:22,240
I was thinking about this about 
like a cloud asset inventory 

607
00:39:22,240 --> 00:39:25,600
because that that actually is a 
very specific service from 

608
00:39:25,600 --> 00:39:29,080
Google, the cloud asset 
inventory knowing you know, the 

609
00:39:29,080 --> 00:39:32,800
ability to carry what's in your 
account, I apologize. 

610
00:39:32,800 --> 00:39:36,560
Now I think my dogs are it's. 
The best part of the show so 

611
00:39:36,560 --> 00:39:37,480
far? 
No offense to angry. 

612
00:39:38,520 --> 00:39:42,320
It's all good. 
I think the Mailman's more 

613
00:39:42,320 --> 00:39:46,880
around and so they're they're 
wrong with everybody, no like so

614
00:39:46,880 --> 00:39:49,000
like fundamentally. 
And I just love getting to like 

615
00:39:49,000 --> 00:39:51,720
the philosophical level, like 
philosophically like what's the 

616
00:39:51,720 --> 00:39:56,040
difference between these two 
things because it's really easy 

617
00:39:56,040 --> 00:39:59,520
to have an inventory of your 
assets in the cloud, the cloud 

618
00:39:59,520 --> 00:40:02,920
at home programmatic. 
You can make you know a series 

619
00:40:02,920 --> 00:40:08,280
of API calls and you can get a a
deadly accurate list of 

620
00:40:08,280 --> 00:40:12,040
everything that's in your cloud.
Now, what makes that different 

621
00:40:12,040 --> 00:40:18,440
than your traditional autocom 
enterprise asset inventory? 

622
00:40:18,440 --> 00:40:21,320
Like, I'm thinking like 
ServiceNow or something, right? 

623
00:40:21,320 --> 00:40:24,520
Like there's a ServiceNow that 
tells you what are all the 

624
00:40:24,520 --> 00:40:26,840
servers, what are their names, 
what are their first names, who 

625
00:40:26,920 --> 00:40:31,200
owns it. 
The big difference is, is that 

626
00:40:31,200 --> 00:40:37,360
we're assuming that that list 
that classic asset inventory 

627
00:40:37,360 --> 00:40:39,600
on-prem. 
We have every, every reason to 

628
00:40:39,600 --> 00:40:44,680
assume that that's correct. 
And then that's what the world 

629
00:40:44,680 --> 00:40:49,120
should look like. 
The world should look like these

630
00:40:49,400 --> 00:40:54,760
five servers with these five 
host names and Bob and Jane from

631
00:40:54,960 --> 00:40:57,400
them. 
When we pull from the cloud, and

632
00:40:57,400 --> 00:41:01,320
we pull directly from the APIs. 
We have no context on whether or

633
00:41:01,320 --> 00:41:06,960
not this is correct, this is 
malicious, this is misconfigured

634
00:41:06,960 --> 00:41:10,080
in some way. 
There's no context around 

635
00:41:10,640 --> 00:41:13,160
whether or not this is good, 
bad, or indifferent. 

636
00:41:15,480 --> 00:41:18,720
Yeah, I kind of feel like 
there's also, I mean this debate

637
00:41:18,720 --> 00:41:23,560
isn't new for the cloud, but I 
think is it, is it exacerbated 

638
00:41:23,560 --> 00:41:27,320
by the cloud or that might be 
not be the right word, but the 

639
00:41:27,320 --> 00:41:30,840
idea around there's logical 
groupings of things called 

640
00:41:30,840 --> 00:41:35,440
applications, but then behind 
the scenes it's all these either

641
00:41:36,320 --> 00:41:40,320
hardware or services and then 
there's different owners and 

642
00:41:40,320 --> 00:41:45,360
different groupings within. 
So I think that that's always 

643
00:41:45,360 --> 00:41:48,600
been the challenge though I 
think when everything's a 

644
00:41:48,600 --> 00:41:52,400
service and everything's 
logical, it just may be either 

645
00:41:52,400 --> 00:41:56,240
exacerbates or maybe to some 
extent simplifies it. 

646
00:41:56,320 --> 00:41:59,600
I'm not sure. 
But I think that's something 

647
00:41:59,600 --> 00:42:03,280
that that debate won't be solved
on this call. 

648
00:42:03,880 --> 00:42:07,520
But I saw you speak simplifies 
it and complicates it. 

649
00:42:10,440 --> 00:42:12,720
I saw you speaking on another 
podcast. 

650
00:42:13,040 --> 00:42:17,640
And this has been kind of a hot 
topic within this identity 

651
00:42:17,640 --> 00:42:23,400
community around least privilege
versus zero standing 

652
00:42:23,400 --> 00:42:28,960
privilege versus good old role 
management over provision roles,

653
00:42:28,960 --> 00:42:32,720
if you will. 
And to me, there's a time and 

654
00:42:32,720 --> 00:42:38,800
place for all of those. 
Do you agree with that? 

655
00:42:40,200 --> 00:42:43,800
Or do you agree with like 
throwing certain things of that 

656
00:42:43,800 --> 00:42:46,560
stack out the door? 
No I wouldn't throw any of it 

657
00:42:46,560 --> 00:42:53,960
out the door. 
It reminds me of Google's cloud 

658
00:42:53,960 --> 00:42:57,840
maturity road map. 
I think maybe we can include 

659
00:42:57,840 --> 00:43:03,280
that in the show notes. Then what
they have in that is this, you 

660
00:43:03,280 --> 00:43:05,840
know this kind of crawl, walk, 
run model. 

661
00:43:05,840 --> 00:43:10,760
And then they describe, I'm, 
I'm, it's not actually called 

662
00:43:10,760 --> 00:43:12,520
mark one. 
But say say somebody in the 

663
00:43:12,520 --> 00:43:15,520
cloud is crawling and they 
describe here's all the 

664
00:43:15,520 --> 00:43:19,280
behaviors that you might be 
doing if you are say crawling. 

665
00:43:19,760 --> 00:43:25,640
And in that maybe they are, you 
know, simply provisioning some 

666
00:43:25,640 --> 00:43:28,960
very coarse grained rules and 
they're walking, maybe they're 

667
00:43:28,960 --> 00:43:32,640
doing some efforts around these 
privileged around those rules. 

668
00:43:33,040 --> 00:43:36,080
And then when they're running 
maybe they're going and they're 

669
00:43:36,080 --> 00:43:40,440
doing that zero standing privilege 
to do it just in time stuff. 

670
00:43:40,520 --> 00:43:46,520
But it's like all of that's 
valid, but it's it's about where

671
00:43:46,520 --> 00:43:51,000
you are in your cloud maturity 
life cycle. 

672
00:43:51,320 --> 00:43:55,400
And there's a lot of people 
process technology to get to 

673
00:43:55,400 --> 00:44:01,360
that model of we're only going 
to provision you just amount of 

674
00:44:01,360 --> 00:44:06,120
access you need for the exact 
time you need it and then pull 

675
00:44:06,120 --> 00:44:08,680
it back. 
There's a lot you need to do to 

676
00:44:08,680 --> 00:44:13,400
get to that point. 
So having this privilege around 

677
00:44:13,400 --> 00:44:18,040
you, you know always on roles is
still a very valid place to be 

678
00:44:19,360 --> 00:44:21,160
as your Blues. 
Seems almost a little 

679
00:44:21,160 --> 00:44:24,160
unrealistic. 
Yeah, And well, it's it's 

680
00:44:24,160 --> 00:44:28,880
unrealistic if that's the only 
thing that you think is good. 

681
00:44:30,200 --> 00:44:34,200
I know that like I mean that can
be a, you know, like you said 

682
00:44:34,200 --> 00:44:38,840
like a crawl, crawl, walk, run, 
it can be a goal at some point. 

683
00:44:39,200 --> 00:44:43,120
But you have to balance that out
against everything you're doing 

684
00:44:43,120 --> 00:44:49,320
to secure your data and whether 
or not investments to move from 

685
00:44:50,320 --> 00:44:53,920
all these privileged model to a 
jet model, whether those 

686
00:44:53,920 --> 00:44:58,680
investments are valid as opposed
to say, getting a handle on, 

687
00:44:58,680 --> 00:45:02,040
say, detection or any other 
control. 

688
00:45:03,440 --> 00:45:06,560
Yeah, I said. 
My perspective was all of them 

689
00:45:06,560 --> 00:45:09,960
have their place. 
I don't think everybody has the 

690
00:45:09,960 --> 00:45:14,760
zero standing privilege 
infrastructure at hand, but 

691
00:45:14,760 --> 00:45:20,240
let's assume that someone does. 
I would say you still don't want

692
00:45:20,240 --> 00:45:23,840
to try to use it like a grenade,
right? 

693
00:45:23,840 --> 00:45:26,080
You want to use it like more 
like a scalpel. 

694
00:45:26,400 --> 00:45:29,840
You know, very specific use 
cases where zero standing 

695
00:45:29,840 --> 00:45:33,760
privileges make sense, least 
privileged. 

696
00:45:33,760 --> 00:45:37,520
I think it's just another step 
down from that where it's like, 

697
00:45:37,840 --> 00:45:40,600
hey, you're really trying to do 
your best. 

698
00:45:40,760 --> 00:45:43,000
I think it's a journey. 
I don't think it's black and 

699
00:45:43,000 --> 00:45:46,040
white. 
It's like, you know, if you're 

700
00:45:46,040 --> 00:45:48,520
trying to get to least 
privilege, the closer you can 

701
00:45:48,520 --> 00:45:52,600
get to that the better. 
But then there's certain levels 

702
00:45:52,600 --> 00:45:59,960
of privilege which the resources
are so low risk, it's like a a 

703
00:45:59,960 --> 00:46:04,040
role probably is good enough. 
Now the funny thing is when you 

704
00:46:04,040 --> 00:46:08,440
see most IT security policies, 
it's like we're least 

705
00:46:08,440 --> 00:46:10,200
privileged. 
All we allow is least 

706
00:46:10,200 --> 00:46:12,160
privileged. 
And it's like, yeah, it's nice 

707
00:46:12,160 --> 00:46:14,960
to say that, but it's it's not 
realistic. 

708
00:46:15,240 --> 00:46:19,640
So I I kind of feel like that's 
like the the hierarchy of needs 

709
00:46:19,640 --> 00:46:24,880
if you will is like zero standing 
where it's absolutely critical 

710
00:46:25,280 --> 00:46:28,800
based on risk, least privilege 
is kind of your in between where

711
00:46:28,800 --> 00:46:32,280
it's still high risk or medium 
risk, but it's not maybe the 

712
00:46:32,280 --> 00:46:34,680
highest and it's also not the 
lowest. 

713
00:46:34,920 --> 00:46:37,360
And I think when you're 
talking low risk, things like 

714
00:46:37,720 --> 00:46:41,560
throw it in a role, maybe not 
give it to everybody, but you 

715
00:46:41,560 --> 00:46:44,000
know, like don't lose sleep over
it. 

716
00:46:44,240 --> 00:46:46,880
I just want to go back to a zero 
standing privilege grenade. 

717
00:46:46,920 --> 00:46:49,840
I think we've stumbled upon a 
new product here that we can use

718
00:46:49,840 --> 00:46:52,960
to really clean up environments.
Just chuck that into the cloud. 

719
00:46:53,160 --> 00:46:56,800
I just really appreciated your 
like breakdown. 

720
00:46:56,800 --> 00:47:02,680
All the three approaches to IAM 
and I'm thinking about like you 

721
00:47:02,680 --> 00:47:08,320
know the like the owner role in 
Google and Google cloud say this

722
00:47:08,320 --> 00:47:12,360
is the owner role. 
Literally every permission if 

723
00:47:12,360 --> 00:47:17,320
5000 of unless I check probably 
maybe even 6000 assigned at the 

724
00:47:17,320 --> 00:47:21,240
project level. 
Your initial blush would be, oh 

725
00:47:21,240 --> 00:47:24,280
no, no one could possibly ever assign 
this, ever. 

726
00:47:24,360 --> 00:47:29,480
There are no scenarios. 
But then you know you have 

727
00:47:29,480 --> 00:47:35,240
sandbox projects where you 
say that it's you know it's 

728
00:47:35,240 --> 00:47:37,520
going to be turned off once it 
hits $50. 

729
00:47:38,080 --> 00:47:41,360
And this is a sandbox account 
for a developer to do certain 

730
00:47:41,360 --> 00:47:43,920
things. 
And you've limited the blast 

731
00:47:43,920 --> 00:47:47,600
radius of this so that yeah, 
giving them the owner role on 

732
00:47:47,600 --> 00:47:52,200
this sandbox account to have 
$50 worth of fun is perfectly

733
00:47:52,200 --> 00:47:55,640
acceptable. 
'Cause they can always go back 

734
00:47:55,640 --> 00:47:59,160
and ask for more money to 
stop that account. 

735
00:47:59,760 --> 00:48:03,520
Yeah. 
So other than reading your blog 

736
00:48:03,760 --> 00:48:08,120
and the GCP 101, what are some 
other ways that people can 

737
00:48:08,200 --> 00:48:09,960
really get up to speed on cloud 
security? 

738
00:48:09,960 --> 00:48:12,400
I know you and I were talking 
about some conferences that are 

739
00:48:12,400 --> 00:48:14,040
coming up. 
You wanna talk about that? 

740
00:48:14,600 --> 00:48:19,640
Yeah, yeah. 
I'm a huge fan of the fwd:cloudsec

741
00:48:19,640 --> 00:48:23,080
conference. 
It's been going on since 2020 

742
00:48:23,080 --> 00:48:27,720
and unfortunately that 
was its inaugural year, and so 

743
00:48:27,720 --> 00:48:31,440
it'll be its fifth year coming 
up here in June in DC. 

744
00:48:32,080 --> 00:48:34,880
So this conference, I think 
there'll be 40 some tracks. 

745
00:48:35,840 --> 00:48:38,640
Everything from, you know, 
classic builder talks of like 

746
00:48:38,640 --> 00:48:43,280
how do you secure this piece of 
infrastructure to open source 

747
00:48:43,280 --> 00:48:47,040
projects to we found this crazy 
hack and it's going to make the 

748
00:48:47,040 --> 00:48:49,240
news and it's going to make the 
news here. 

749
00:48:49,640 --> 00:48:53,880
So it's like it's really great 
breadth of the top research and 

750
00:48:53,880 --> 00:48:55,840
this will be the first year 
that there'll be an EU 

751
00:48:55,840 --> 00:48:59,080
version too. 
So folks that didn't want to 

752
00:48:59,080 --> 00:49:01,920
make the trip over to the States
can find it in Brussels in 

753
00:49:01,920 --> 00:49:05,080
September. 
I'll be at both and come by and 

754
00:49:05,080 --> 00:49:09,560
say hi and if you're looking for
like just some great practical 

755
00:49:09,600 --> 00:49:16,880
hands on cloud security, a 
friend of mine Rich put together

756
00:49:16,880 --> 00:49:24,080
the SLAW labs, like coleslaw,
SLAW, and those are like bite 

757
00:49:24,080 --> 00:49:28,480
sized pieces of content around 
AWS and then practical hands on 

758
00:49:28,480 --> 00:49:32,840
labs that you could do. 
Sounds pretty cool. 

759
00:49:33,320 --> 00:49:36,800
We focus a lot on identity 
conferences and I think this is 

760
00:49:36,800 --> 00:49:38,840
probably just the natural 
extension where you start 

761
00:49:38,840 --> 00:49:41,120
talking about cloud. Cloud's not 
a fad, right? 

762
00:49:41,120 --> 00:49:42,320
It's gonna stick around for a 
while. 

763
00:49:42,320 --> 00:49:45,720
I'm looking to get a ticket for 
the one in North America and it 

764
00:49:45,720 --> 00:49:49,560
says it's sold out. 
It's yeah, you know, it's sold 

765
00:49:49,560 --> 00:49:54,920
out in seconds, but I think 
there is a waiting list and in 

766
00:49:54,920 --> 00:49:57,720
the, you know, in the couple 
days before the conference, 

767
00:49:57,720 --> 00:50:02,120
people do return tickets. 
So get on the waiting list and 

768
00:50:03,200 --> 00:50:08,200
if you have the ability to 
travel relatively last minute, 

769
00:50:08,720 --> 00:50:11,560
you'll be able to get in. 
So this isn't something with 

770
00:50:11,560 --> 00:50:14,840
cloud security, but I'm on the 
Eventbrite website and it's, you

771
00:50:14,840 --> 00:50:18,280
know, it says sold out, other 
events you might like: Shrimp 

772
00:50:18,280 --> 00:50:23,240
Blast 2024. 
So obviously it knows me and 

773
00:50:23,240 --> 00:50:24,280
it's like, hey, this guy likes 
food. 

774
00:50:24,280 --> 00:50:27,160
Yeah, they know you. 
You must have some cookies on 

775
00:50:27,160 --> 00:50:30,560
on your computer. 
Other than shrimp, I guess. 

776
00:50:31,800 --> 00:50:33,480
Yeah. 
I just kind of imagine, Kat, 

777
00:50:33,480 --> 00:50:35,480
like, you know, you're at the 
conference and there's like it's

778
00:50:35,480 --> 00:50:37,640
like a sporting event, right? 
Hey, looking for two, looking 

779
00:50:37,640 --> 00:50:39,440
for two. 
Cloud security looking for two, 

780
00:50:39,440 --> 00:50:40,480
right? 
Yeah. 

781
00:50:41,240 --> 00:50:45,080
And I think people have also 
done some watch parties 

782
00:50:45,080 --> 00:50:46,280
too. 
So people who couldn't get 

783
00:50:46,280 --> 00:50:49,040
tickets, they've done some like 
off site watch parties where 

784
00:50:49,040 --> 00:50:52,480
they will stream the talks. 
And so you could have a sort of 

785
00:50:52,480 --> 00:50:58,440
a mini conference feel, or just
come to Brussels. Brussels would

786
00:50:58,440 --> 00:50:59,880
be great. 
Yeah, that's easy. 

787
00:51:00,280 --> 00:51:02,680
I love the idea of having like 
watch parties because one of the

788
00:51:02,680 --> 00:51:04,480
things that I run into, and Kat, 
I don't know if you're the same,

789
00:51:04,480 --> 00:51:06,920
but it's like there's too much 
content sometimes in a 

790
00:51:06,920 --> 00:51:07,920
conference. 
And it's like you have to 

791
00:51:07,920 --> 00:51:12,400
choose, Am I gonna go see this 
thing, watch this thing, or am I

792
00:51:12,400 --> 00:51:14,600
gonna get stuck in a hallway, 
you know, talking with somebody 

793
00:51:14,600 --> 00:51:15,600
or, 
because I want to, right. 

794
00:51:15,600 --> 00:51:18,280
Or something like that. 
So I love the idea of being able

795
00:51:18,280 --> 00:51:19,520
to watch it in kind of after the
fact. 

796
00:51:19,520 --> 00:51:21,520
So that's always my 
recommendation for anybody to 

797
00:51:21,520 --> 00:51:24,600
put in a conference is have some
way for people to, like, catch 

798
00:51:24,600 --> 00:51:26,280
up for things. 
I don't know if you struggle 

799
00:51:26,280 --> 00:51:28,840
with that same. 
Ah, yeah. 

800
00:51:28,840 --> 00:51:33,560
I'm all about the Hallway Con. 
I mean, I'm lucky if I watch two

801
00:51:33,560 --> 00:51:36,640
or three talks in the whole 
conference because I'm just 

802
00:51:36,640 --> 00:51:39,160
catching up with people I 
haven't seen since the 

803
00:51:40,480 --> 00:51:43,160
previous year. 
You know, I think we all end up 

804
00:51:43,160 --> 00:51:47,040
becoming fast friends. 
And yeah, so this is our 

805
00:51:47,040 --> 00:51:48,360
chance to kind of see each 
other. 

806
00:51:48,960 --> 00:51:50,480
And then we'd watch everything 
on YouTube. 

807
00:51:52,240 --> 00:51:54,880
All right, well, let's start to 
wrap up this conversation. 

808
00:51:54,920 --> 00:51:57,120
I'm gonna pose a scenario here 
for us. 

809
00:51:57,560 --> 00:52:02,800
Jim walked in with an IDAC 
branded zero standing privilege 

810
00:52:02,800 --> 00:52:05,320
grenade and chucked it into the 
cloud. 

811
00:52:05,600 --> 00:52:10,480
And identity security is done. 
Or it's so screwed up now that 

812
00:52:10,480 --> 00:52:12,560
you're like, I'm outta here. 
Like I'm done. 

813
00:52:13,440 --> 00:52:16,320
What is it that you're gonna do 
with your life? 

814
00:52:16,320 --> 00:52:20,040
What is your job? 
Whatever you wanna call it that 

815
00:52:20,080 --> 00:52:21,640
you quit and say I'm out of 
this. 

816
00:52:21,720 --> 00:52:24,760
I'm not working on technology. 
Oh that's a good one. 

817
00:52:24,760 --> 00:52:27,560
Yeah. 
The JIT grenade 

818
00:58:27,720 --> 00:58:30,960
came in. 
Yeah. 

819
00:52:30,960 --> 00:52:36,440
I think my long-standing, you
know, I've-quit-technology job 

820
00:52:36,440 --> 00:52:40,320
has always been to start a CSA, 
right, to just, you know, have sort

821
00:52:40,320 --> 00:52:44,840
of a, you know the intent would 
be to create a small hobby farm 

822
00:52:44,880 --> 00:52:49,040
and it would quickly get out of 
hand into chickens and goats and 

823
00:52:49,520 --> 00:52:52,400
quickly get out of hand that I'd
have to start a CSA because I'd 

824
00:52:52,400 --> 00:52:54,480
be growing way too many 
vegetables. 

825
00:52:55,040 --> 00:53:01,840
And yeah, I'm probably just, you
know, one small, you know, cloud

826
00:53:01,840 --> 00:53:04,680
security issue away from 
becoming a farmer, so. 

827
00:53:05,000 --> 00:53:08,480
So CSA is Community Supported 
Agriculture or something else? 

828
00:53:08,480 --> 00:53:12,480
Community Supported 
Agriculture, yes, and not 

829
00:53:12,480 --> 00:53:16,720
join the CSA as in receive 
vegetables, but grow so many 

830
00:53:16,720 --> 00:53:20,000
vegetables I have to then sell 
them to my neighbors. 

831
00:53:20,200 --> 00:53:21,640
Yeah, you go to the farmers 
market. 

832
00:53:21,640 --> 00:53:23,080
I mean, hey, come on down to 
Asheville. 

833
00:53:23,120 --> 00:53:25,400
We got tons of that down here, 
I'm sure. 

834
00:53:25,440 --> 00:53:27,920
What would be 
your crop? 

835
00:53:28,000 --> 00:53:29,200
What are you 
growing? 

836
00:53:29,880 --> 00:53:32,040
Oh, it's always too many 
tomatoes, yeah. 

837
00:53:32,400 --> 00:53:34,440
We call it Summer of Tomato 
whenever they start to bloom 

838
00:53:34,440 --> 00:53:36,680
here, and then, 'cause my wife is
into this as well. 

839
00:53:37,040 --> 00:53:41,280
I got her a hydroponic garden, 
so that has really accelerated 

840
00:53:41,280 --> 00:53:42,920
things. 
So I got her the fancy one 

841
00:53:42,920 --> 00:53:45,520
that's like the tall one that 
has like the different things. 

842
00:53:46,080 --> 00:53:48,600
And so what she does is she 
starts them there and then when 

843
00:53:48,600 --> 00:53:52,440
they're too big for that, she 
moves them out into the soil and

844
00:53:52,440 --> 00:53:54,320
just is continually growing 
stuff. 

845
00:53:54,440 --> 00:53:57,720
So things are starting to 
appear. 

846
00:53:58,480 --> 00:54:00,480
Well, you're lucky with your growing 

847
00:54:00,480 --> 00:54:03,760
season, where I still have a 
good six weeks until I can plant

848
00:54:03,760 --> 00:54:05,840
anything, but I make use 
of my time. 

849
00:54:06,560 --> 00:54:08,800
Well, the problem is the bears 
then come out and eat it. 

850
00:54:09,200 --> 00:54:11,760
So you have to be concerned 
about that, yeah. 

851
00:54:12,160 --> 00:54:15,920
Wow, I don't have that issue. 
I just have squirrels,

852
00:54:16,280 --> 00:54:19,280
no bears. 
But what about you? 

853
00:54:19,560 --> 00:54:20,800
Yeah. 
Yeah, I want to find out what 

854
00:54:20,800 --> 00:54:23,280
Jim wants to do if he's not 
doing technology. 

855
00:54:23,280 --> 00:54:26,360
Well, first of all, I want to 
make a farmers market comment. 

856
00:54:26,360 --> 00:54:28,280
I'm more of a buyer than a 
seller. 

857
00:54:29,200 --> 00:54:32,360
I like farmers markets. 
But when I go to one and I see 

858
00:54:32,360 --> 00:54:37,840
them selling like bananas or you
know, any kind of fruit that can

859
00:54:37,840 --> 00:54:41,440
be only grown in like South 
America, I'm like, no, that's 

860
00:54:41,440 --> 00:54:42,960
not the point of the farmers 
market. 

861
00:54:42,960 --> 00:54:45,560
That's what we have the grocery 
store for. 

862
00:54:45,960 --> 00:54:48,760
So I did want to make that 
comment because that happens a 

863
00:54:48,760 --> 00:54:56,040
lot, at least here in 
Georgia. OK, my rage quit job, or

864
00:54:56,120 --> 00:54:58,960
I shouldn't even call it a rage 
quit job because I'm taking the 

865
00:54:58,960 --> 00:55:00,160
question a little bit 
differently. 

866
00:55:00,160 --> 00:55:04,480
So I throw that grenade, and I'm
going to assume the grenade was 

867
00:55:04,480 --> 00:55:06,320
so successful. 
So you admit it that? 

868
00:55:06,320 --> 00:55:09,240
It actually turned into. 
This is Exhibit A fortune, and 

869
00:55:10,080 --> 00:55:11,880
this is Exhibit A in the 
defense. 

870
00:55:12,280 --> 00:55:18,080
You're admitting it right here. 
Yeah, well, I'm only going to do

871
00:55:18,080 --> 00:55:21,400
it if it's going to be a winner.
So grenade is thrown. 

872
00:55:21,800 --> 00:55:26,520
I make millions of dollars and 
now I can do what I want to do 

873
00:55:27,160 --> 00:55:32,120
and I think what I would do. 
So I took a class in college 

874
00:55:32,600 --> 00:55:38,120
called sculpting and it was 
basically how to create bronze 

875
00:55:38,120 --> 00:55:42,040
statues. 
OK, so most of the 

876
00:55:42,040 --> 00:55:46,920
projects were much smaller than 
statues, but I could literally 

877
00:55:46,920 --> 00:55:51,040
envision how you could build 
statues or make art, but 

878
00:55:51,040 --> 00:55:55,760
basically 3D art out of bronze. 
And I love that class. 

879
00:55:56,160 --> 00:56:01,680
I was not a Fine Arts major or 
anything, but I feel like I 

880
00:56:01,680 --> 00:56:04,600
would want to go back and take 
that to the next level. 

881
00:56:04,600 --> 00:56:08,720
And I would do it in college 
because they have all the 

882
00:56:08,720 --> 00:56:11,240
equipment there. 
So it costs the same as any 

883
00:56:11,240 --> 00:56:14,040
other course. 
But you have access to a 

884
00:56:14,920 --> 00:56:17,840
bronzing lab. 
And I mean, you're not just 

885
00:56:17,840 --> 00:56:19,880
going to buy that equipment for 
yourself. 

886
00:56:20,440 --> 00:56:22,840
And then the other thing I would
do is I'd probably create a 

887
00:56:22,840 --> 00:56:25,640
YouTube channel, 'cause I think 
people would be really 

888
00:56:25,640 --> 00:56:29,240
interested in learning about 
this and seeing it happen and 

889
00:56:29,240 --> 00:56:31,760
all that. 
So that's what I would do. 

890
00:56:32,080 --> 00:56:36,560
I'd become a sculptor and I 
would, you know, create a 

891
00:56:36,560 --> 00:56:38,800
YouTube channel. 
But that's technology, YouTube, 

892
00:56:38,840 --> 00:56:40,840
which is fine because hey, 
whatever. 

893
00:56:41,080 --> 00:56:46,000
So we got a bronze worker, we've
got a farmer, I guess for 

894
00:56:46,720 --> 00:56:49,600
keeping it simple. 
So you guys are looking at 

895
00:56:49,600 --> 00:56:55,000
skills that are like viable, 
needed by human beings and I 

896
00:56:55,000 --> 00:56:58,200
have none of that. 
I don't think I could ever get 

897
00:56:58,200 --> 00:57:01,040
out of technology. 
I just, this has been who

898
00:57:01,040 --> 00:57:04,560
I am forever man. 
If I had to do something that 

899
00:57:04,560 --> 00:57:06,960
was not technology, I honestly 
don't know what I would do 

900
00:57:07,280 --> 00:57:10,080
because I, Jim knows I'm 
constantly tinkering. 

901
00:57:10,080 --> 00:57:13,400
I mean, I spent the weekend 
video editing and trying 

902
00:57:13,400 --> 00:57:15,640
different tools and all kinds of
different software and stuff 

903
00:57:15,640 --> 00:57:18,120
like that, trying to,
you know, work on different 

904
00:57:18,120 --> 00:57:20,640
things. 
Like that's just who I am, is 

905
00:57:20,640 --> 00:57:22,400
like a technology person. 
I mean, it would be probably 

906
00:57:22,400 --> 00:57:24,800
something with the podcast, but 
podcast is technology. 

907
00:57:25,160 --> 00:57:28,440
I don't want to be outside, 
'cause I don't like hot weather,

908
00:57:28,480 --> 00:57:31,960
I don't like bugs, I like Wi-Fi,
I like air conditioning. 

909
00:57:32,680 --> 00:57:34,920
So I need to find something 
that's like inside. 

910
00:57:34,920 --> 00:57:38,160
And I'm not artistic, so I'm not
gonna be, you know, the next 

911
00:57:38,160 --> 00:57:41,840
great sculptor with Jim and his 
massive bronze structures as 

912
00:57:41,840 --> 00:57:44,120
testaments to identity at the 
center in the sky. 

913
00:57:44,680 --> 00:57:47,240
I'm not growing stuff, 'cause 
that's just not my thing. 

914
00:57:47,240 --> 00:57:49,240
I don't know what I would do. 
Do you guys have suggestions? 

915
00:57:49,240 --> 00:57:50,640
Like what? 
What should I do? 

916
00:57:52,880 --> 00:57:55,280
Stunned silence. 
Without technology, without 

917
00:57:55,800 --> 00:57:57,960
technology, I can't think of 
anything. 

918
00:57:58,600 --> 00:58:00,720
I mean, without. 
If it was outside of IAM, I 

919
00:58:00,720 --> 00:58:04,200
could probably come up with like
100 different things you could 

920
00:58:04,200 --> 00:58:05,640
do. 
I was actually thinking one 

921
00:58:05,640 --> 00:58:11,440
thing that you used to really be
into was collecting bags so that

922
00:58:11,440 --> 00:58:15,520
you could travel with one bag. 
So I kind of feel like that's 

923
00:58:15,520 --> 00:58:17,680
one of your areas of expertise, 
hey. 

924
00:58:17,960 --> 00:58:20,480
Now you're talking. 
But I think also you have to 

925
00:58:20,480 --> 00:58:23,840
sell the bag somehow. 
And who buys bags in person 

926
00:58:23,840 --> 00:58:25,760
anymore? 
You buy them on the Internet. 

927
00:58:25,760 --> 00:58:26,880
Yeah, but you got a YouTube 
channel. 

928
00:58:26,880 --> 00:58:28,280
Let's go with this because 
that's a good idea. 

929
00:58:28,280 --> 00:58:32,960
I didn't think about that. 
I have an affinity for bags, 

930
00:58:33,400 --> 00:58:35,280
travel bags, other variety 
things. 

931
00:58:35,280 --> 00:58:37,760
I'm constantly in a search for 
the one bag to rule them all. 

932
00:58:38,280 --> 00:58:40,680
So yeah, I don't know if it's a 
tailor or something like that, 

933
00:58:40,680 --> 00:58:46,440
but I feel like I can design 
the world's greatest, you know, 

934
00:58:46,440 --> 00:58:49,920
travel bag for me and my 
purposes. 

935
00:58:50,320 --> 00:58:52,480
So maybe some sort of? 
To get everything down to one 

936
00:58:52,480 --> 00:58:55,320
bag, but you're 
pretty much there. 

937
00:58:55,320 --> 00:58:58,040
I mean, that was your 
goal for so long and then you 

938
00:58:58,040 --> 00:59:01,760
finally achieved it. If 
you're traveling and you're on 

939
00:59:01,760 --> 00:59:04,480
flights and you can get away 
with just sticking something 

940
00:59:04,480 --> 00:59:06,360
under the seat in front of you 
and you've got everything you 

941
00:59:06,360 --> 00:59:08,000
need. 
I gotta tell you, it's so 

942
00:59:08,000 --> 00:59:09,520
freeing. 
You don't have to worry about 

943
00:59:09,520 --> 00:59:12,400
overhead space. 
You can board last. 

944
00:59:12,880 --> 00:59:16,120
Your stuff doesn't get lost. 
I mean, I never check a bag, but

945
00:59:16,240 --> 00:59:19,280
I do, you know, say 50/50, will 
have an overhead carry on or 

946
00:59:19,280 --> 00:59:20,840
something like that just because
of whatever. 

947
00:59:20,840 --> 00:59:23,800
But yeah, if you can get away 
with just that one bag fits 

948
00:59:23,800 --> 00:59:25,920
under the seat. 
Now we're talking, baby. 

949
00:59:27,280 --> 00:59:28,480
Yeah. 
All right. 

950
00:59:28,480 --> 00:59:31,360
Well, they can't lose that. 
No, yeah, the quest 

951
00:59:31,360 --> 00:59:33,760
continues. 
I do have a lot of bags. 

952
00:59:33,760 --> 00:59:35,560
It's kind of hard to see. 
But I have. 

953
00:59:35,560 --> 00:59:38,280
This is just a small sampling I 
was looking at here we've got 

954
00:59:38,280 --> 00:59:43,080
1, 2, 3, 4, 5, probably another closet 
full of another 30 and I'm 

955
00:59:43,080 --> 00:59:45,840
constantly rotating stuff out. 
The quest continues. 

956
00:59:46,280 --> 00:59:49,640
Kat is like shocked. 
She's like, who is this nerd and

957
00:59:49,640 --> 00:59:50,200
what 
did I get? 

958
00:59:50,200 --> 00:59:53,960
No, I can't wait to ask you 
for recs. 

959
00:59:54,080 --> 00:59:56,160
I need some advice. 
I've got a very important 

960
00:59:57,520 --> 01:00:01,880
gentleman birthday coming up 
soon who also is obsessed with 

961
01:00:01,880 --> 01:00:06,080
bags, but he's really into one 
very specific brand and I want 

962
01:00:06,080 --> 01:00:07,360
to kind of like float that by 
you. 

963
01:00:07,560 --> 01:00:09,560
OK. 
Yes, we will talk about that, I 

964
01:00:09,560 --> 01:00:11,760
am. 
But no unpaid sponsorships I'm 

965
01:00:11,760 --> 01:00:13,640
gonna keep. 
No, hey, I would love to be 

966
01:00:13,640 --> 01:00:15,520
sponsored by, and these 
bags are expensive. 

967
01:00:15,520 --> 01:00:18,760
I mean, they're anywhere. 
Like a good bag is anywhere 

968
01:00:18,760 --> 01:00:22,680
between $200 and $700. 
Now these are bags you buy 

969
01:00:22,680 --> 01:00:26,200
once and you should be good. 
And unless you're like me and 

970
01:00:26,200 --> 01:00:28,400
you find like the smallest tiny 
detail that nobody in their right 

971
01:00:28,400 --> 01:00:30,640
mind would care about. 
But I do, and the quest 

972
01:00:30,640 --> 01:00:32,600
continues. 
But anyway, let's talk about 

973
01:00:32,600 --> 01:00:35,040
that offline. 
Let's go ahead and wrap it up 

974
01:00:35,080 --> 01:00:37,240
for this week. 
Kat, thank you so much for being

975
01:00:37,240 --> 01:00:38,760
part of this. 
We talked. 

976
01:00:39,120 --> 01:00:41,360
We're gonna try and get dinner 
next time in the 

977
01:00:41,360 --> 01:00:43,040
Minneapolis area here in a 
couple weeks. 

978
01:00:43,040 --> 01:00:47,000
I'm looking forward to that. 
I will have links in our show 

979
01:00:47,000 --> 01:00:51,560
notes to your blog around GCP 
101 series. 

980
01:00:52,400 --> 01:00:55,280
Also have a link to TrustOnCloud, 
trustoncloud.com. 

981
01:00:55,520 --> 01:00:58,120
So be able to check out what you
do over there as well as links 

982
01:00:58,120 --> 01:01:01,560
to the fwd:cloudsec 
conference so that people can 

983
01:01:01,760 --> 01:01:04,400
either get on the waiting list 
or, you know, maybe just hang

984
01:01:04,400 --> 01:01:06,680
out on the street and you know, 
looking for two, looking for 

985
01:01:06,680 --> 01:01:09,120
two. 
And with that we'll go ahead and

986
01:01:09,120 --> 01:01:10,880
leave it. 
So thanks everyone for 

987
01:01:10,880 --> 01:01:12,440
listening. 
You can find us on the web, 

988
01:01:12,440 --> 01:01:17,400
idacpodcast.com, on Twitter, X, 
whatever you want to call it at 

989
01:01:17,400 --> 01:01:22,120
IDAC Podcast, and now Mastodon at
IDAC Podcast at infosec.exchange. 

990
01:01:22,120 --> 01:01:25,640
Send Gemini a note. 
And YouTube and YouTube. 

991
01:01:25,640 --> 01:01:28,840
Yeah, we're still working on the
YouTube channel, so more to come

992
01:01:28,880 --> 01:01:31,640
on that. 
And yeah, connect with us on 

993
01:01:31,640 --> 01:01:35,240
LinkedIn, like subscribe, do all
those fun, you know, social 

994
01:01:35,600 --> 01:01:39,160
things to help us grow the show.
And thanks for listening. 

995
01:01:39,160 --> 01:01:40,680
We'll talk to everybody in the 
next one. 

996
01:01:42,160 --> 01:01:44,600
Listening to Identity at the 
Center. 

997
01:01:44,920 --> 01:01:49,040
We hope you've enjoyed the show.
Make sure to like, rate and 

998
01:01:49,040 --> 01:01:52,680
review and we'll be back soon. 
But in the meantime, hit the 

999
01:01:52,680 --> 01:01:56,800
website at 
identityatthecenter.com and find 

1000
01:01:56,800 --> 01:02:04,240
us on Twitter at IDAC Podcast. 
See you next time on Identity at

1001
01:02:04,240 --> 01:02:05,200
the Center.
