1 00:00:05,280 --> 00:00:10,440 This is identity at the center. If it has anything to do with 2 00:00:10,560 --> 00:00:17,960 IAM, this is the go to podcast now your hosts Jim McDonald and 3 00:00:17,960 --> 00:00:23,000 Jeff Stedman. Welcome to the Identity at the 4 00:00:23,000 --> 00:00:25,000 Center podcast. I'm Jeff and that's Jim. 5 00:00:25,000 --> 00:00:26,120 Hey, Jim. Hey. 6 00:00:26,120 --> 00:00:28,320 Jeff, how are you? Oh, not so bad yourself. 7 00:00:28,880 --> 00:00:30,920 Fantastic. I'm excited about this new 8 00:00:31,120 --> 00:00:33,440 adventure or venture however you want to call it. 9 00:00:34,040 --> 00:00:36,520 Maybe it's a little bit of both. I feel like the shackles are off 10 00:00:36,520 --> 00:00:38,520 today, You know, what does that mean? 11 00:00:38,880 --> 00:00:40,880 Do we want to talk about that? Absolutely. 12 00:00:41,120 --> 00:00:42,680 Yeah. So this is sort of a new series 13 00:00:42,680 --> 00:00:44,680 that we're starting. It's called Sponsor Spotlight. 14 00:00:44,960 --> 00:00:46,120 Like I said, the shackles are off. 15 00:00:46,120 --> 00:00:48,720 Our typical normal show is we try to be vendor neutral as much 16 00:00:48,720 --> 00:00:51,360 as possible. This is not that we are 17 00:00:51,360 --> 00:00:53,800 definitely going to have discussions around specific 18 00:00:54,080 --> 00:00:56,840 topics, viewpoints, This is something that we've done in 19 00:00:56,840 --> 00:00:58,640 collaboration with our sponsor today. 20 00:00:58,640 --> 00:01:02,960 So to make it very and hopefully crystal clear, this is a fully 21 00:01:02,960 --> 00:01:05,400 sponsored episode. This is what's giving us access 22 00:01:05,400 --> 00:01:09,120 to have these in depth insights experts on the podcast and the 23 00:01:09,120 --> 00:01:12,600 show and ask kind of direct questions directly to our 24 00:01:12,600 --> 00:01:14,480 sponsor. Anything you want to add before 25 00:01:14,480 --> 00:01:16,440 I introduce them? Yeah, yeah. 26 00:01:16,440 --> 00:01:21,560 I think the shackles off is a good way to look at it because I 27 00:01:21,560 --> 00:01:26,400 mean being vendor neutral is not always easy and there are some 28 00:01:26,400 --> 00:01:30,720 areas where I wish we could kind of dive into how does your 29 00:01:30,720 --> 00:01:34,160 product work. But staying true to, you know, 30 00:01:34,160 --> 00:01:39,120 this is not a sponsored episode. It's not about the company that 31 00:01:39,120 --> 00:01:43,080 we're talking to and you know our normal episodes, which we're 32 00:01:43,080 --> 00:01:45,840 going to continue, right, just because we're doing the sponsor 33 00:01:45,840 --> 00:01:48,440 spotlight. It's in addition to the normal 34 00:01:48,440 --> 00:01:50,680 content we do. But I felt like that's been a 35 00:01:50,680 --> 00:01:54,160 limiting factor in some ways. So I'm kind of excited that you 36 00:01:54,160 --> 00:01:56,640 know what we're going to do today is we're still going to 37 00:01:56,640 --> 00:02:00,480 talk about problems and solutions, but we'll also ask 38 00:02:00,480 --> 00:02:03,680 our guests to talk about, you know, how does their product 39 00:02:03,840 --> 00:02:06,000 solve this problem for the industry. 40 00:02:06,560 --> 00:02:07,880 Yeah, that's all the stuff that I like to hear. 41 00:02:07,880 --> 00:02:09,880 It's like, OK, that's cool, cool, cool. 42 00:02:09,880 --> 00:02:13,000 Let's stop talking and let's start doing And they're doing is 43 00:02:13,000 --> 00:02:15,040 the hard part. So why don't we go ahead and get 44 00:02:15,040 --> 00:02:17,320 this thing started. Joining us today, we've got 45 00:02:17,320 --> 00:02:20,200 Sandy Byrd. He's the Co founder and CTO of 46 00:02:20,200 --> 00:02:22,480 Sunri Security. We're gonna talk about Clyde 47 00:02:22,480 --> 00:02:24,400 Denning Security. Welcome to the show, Sandy. 48 00:02:24,960 --> 00:02:27,040 Hey, thanks. It's great to be here. 49 00:02:27,600 --> 00:02:28,560 Yeah. Thanks so much for taking the 50 00:02:28,560 --> 00:02:30,200 time with us. One of the things we like to do 51 00:02:30,200 --> 00:02:32,680 is we always like to find out sort of the origin stories. 52 00:02:32,680 --> 00:02:34,880 The folks that we have on the show, you've got a background in 53 00:02:34,880 --> 00:02:37,000 this for sure, so why don't we start there? 54 00:02:37,000 --> 00:02:38,600 Tell us a little about Sandy Byrd. 55 00:02:38,960 --> 00:02:42,000 You know, how did you get into the digital identity field and 56 00:02:42,080 --> 00:02:44,400 is it something that you chose or did it choose you? 57 00:02:45,720 --> 00:02:49,040 It's funny, I think security is general, you know, chose me. 58 00:02:49,040 --> 00:02:52,880 I ended up ending up in security many, many years ago. 59 00:02:53,720 --> 00:02:56,520 I started a company called Q1 Labs with a couple other people. 60 00:02:56,520 --> 00:02:59,280 I was one of the Co founders and we did a lot of, we'll call it 61 00:02:59,280 --> 00:03:01,560 threat based security right. We found a lot of security 62 00:03:01,560 --> 00:03:04,040 intelligence stuff, did a lot of looking at log data, those types 63 00:03:04,040 --> 00:03:06,200 of things. The company was great, it was 64 00:03:06,200 --> 00:03:08,680 very successful. It was acquired by IBM though 65 00:03:08,680 --> 00:03:13,240 and when I went to IBMI ended up in the role of the CTO of their 66 00:03:13,320 --> 00:03:15,800 security division. And as that I had all the 67 00:03:15,800 --> 00:03:19,480 security products and if you know IBM and it's history, lots 68 00:03:19,480 --> 00:03:22,600 of identity products, right. So I had a lot of identity 69 00:03:22,600 --> 00:03:25,120 products and learned a ton about, you know, everything from 70 00:03:25,120 --> 00:03:27,960 access management to directories and all the crazy things that 71 00:03:27,960 --> 00:03:31,200 happen in identity. And that was really interesting 72 00:03:31,200 --> 00:03:33,640 to me because it was a space I hadn't spent as much time on. 73 00:03:33,800 --> 00:03:37,760 At the same time that I was at IBM though they were also, you 74 00:03:37,760 --> 00:03:39,960 know, transitioning tons of stuff to the cloud. 75 00:03:40,240 --> 00:03:42,760 And in some ways at that time IBM was even trying to build a 76 00:03:42,760 --> 00:03:44,000 cloud. I think you know they do a lot 77 00:03:44,000 --> 00:03:46,720 more partnership with the the major cloud preventers now. 78 00:03:47,320 --> 00:03:49,680 But because of that I kind of had both sides of this going on 79 00:03:49,680 --> 00:03:51,560 at the same time. I was learning about identity 80 00:03:51,560 --> 00:03:53,760 and all these things and at the same time I was learning about 81 00:03:53,760 --> 00:03:57,160 you know cloud solutions. You know how you scale stuff do 82 00:03:57,160 --> 00:04:00,040 this thing in the cloud. And the the common thread in 83 00:04:00,040 --> 00:04:04,480 that was that in cloud the identities were the controls for 84 00:04:04,480 --> 00:04:06,080 everything. They were in some ways like the 85 00:04:06,080 --> 00:04:09,240 firewall of the old on Prem you controlled who could do what, 86 00:04:09,240 --> 00:04:11,640 what workloads could do what. All of these things by 87 00:04:11,640 --> 00:04:16,000 identities, including how you deny things from happening using 88 00:04:16,000 --> 00:04:17,920 identities. And so it was this kind of 89 00:04:17,920 --> 00:04:21,800 interesting kind of mesh coming together for me. 90 00:04:22,079 --> 00:04:23,640 I really wanted to get into this. 91 00:04:23,640 --> 00:04:26,720 You know how do we secure cloud platforms? 92 00:04:26,760 --> 00:04:29,760 And so we founded Summary Security to do just that 93 00:04:29,760 --> 00:04:32,640 actually. And the the premise behind most 94 00:04:32,640 --> 00:04:35,800 of the primary controls in summary are identity based. 95 00:04:35,800 --> 00:04:38,480 And so you know, security found me. 96 00:04:38,600 --> 00:04:41,000 I found Identity a little bit coming out of the other side of 97 00:04:41,000 --> 00:04:44,480 it and it's an exciting topic and super happy to be here. 98 00:04:44,480 --> 00:04:47,480 I think this is your inaugural vendor spotlight now. 99 00:04:47,480 --> 00:04:50,360 So it's the first one, so super happy to be here with you guys. 100 00:04:50,760 --> 00:04:52,480 Yeah, thanks for that. I think you know we're figuring 101 00:04:52,480 --> 00:04:55,520 out so kind of joke like we'll do it live, kind of figure this 102 00:04:55,520 --> 00:04:58,000 out as we go. You mentioned Sundry Security 103 00:04:58,000 --> 00:05:01,520 and I guess this cloud Identity security. 104 00:05:01,880 --> 00:05:04,160 Well, obviously we feel like Identity is at the center, why 105 00:05:04,160 --> 00:05:06,640 the podcast is named what it is? Tell us something about more 106 00:05:06,640 --> 00:05:09,880 about the organization. What is the sweet spot, where 107 00:05:09,880 --> 00:05:12,200 are you kind of focusing on your efforts? 108 00:05:12,200 --> 00:05:15,520 Is it cloud specifically? Are there different clouds or 109 00:05:15,520 --> 00:05:17,640 are there multi clouds like how do you look at it? 110 00:05:18,240 --> 00:05:22,400 Yeah, we again, as you do a start up, you have to focus 111 00:05:22,400 --> 00:05:24,600 somewheres, right? You know, identity and clouds 112 00:05:24,600 --> 00:05:26,480 are both very big things and very big topics. 113 00:05:27,000 --> 00:05:30,120 We took the primary cloud providers where people are 114 00:05:30,120 --> 00:05:33,680 building applications, so AWS, Azure and GCP. 115 00:05:33,720 --> 00:05:36,120 We support a few of the other ones to Oracle and things, but 116 00:05:36,120 --> 00:05:39,160 the primary ones are definitely AWS, Azure and GCP. 117 00:05:39,280 --> 00:05:41,240 As you look at that and you say you know how is the 118 00:05:41,240 --> 00:05:43,680 organization's agent set up, like where would you focus your 119 00:05:43,680 --> 00:05:45,400 time? I would split those, you know, 120 00:05:45,400 --> 00:05:49,880 one third, one third, one third. They have completely different 121 00:05:49,880 --> 00:05:52,240 identity models. Every one of them is so 122 00:05:52,240 --> 00:05:53,680 different compared to the other one. 123 00:05:53,680 --> 00:05:58,400 And they all have their their quirks for sure and they all 124 00:05:58,400 --> 00:06:00,200 have their features, which is which is interesting. 125 00:06:00,200 --> 00:06:02,800 And when you dive into each one in depth, you can, you can 126 00:06:02,800 --> 00:06:05,640 really uncover some interesting things that maybe you did or 127 00:06:05,640 --> 00:06:08,080 didn't know about those those cloud providers and the way that 128 00:06:08,080 --> 00:06:10,840 they deal with identities, the way they deal with audit, the 129 00:06:10,840 --> 00:06:11,920 way they deal with all these things. 130 00:06:11,920 --> 00:06:15,480 And so from Sunri as a company, we focus a lot on that, 131 00:06:15,480 --> 00:06:18,960 specializing in what makes up identity in these clouds, how 132 00:06:18,960 --> 00:06:21,640 you control it, how you get it to least privilege all of those 133 00:06:21,640 --> 00:06:25,520 types of things. So the name Sunri, Where is this 134 00:06:25,520 --> 00:06:28,560 coming from? So another great thing, if you 135 00:06:28,880 --> 00:06:32,360 create a startup now, you have to have a domain name that's 136 00:06:32,360 --> 00:06:35,440 important, 100% you got to have a domain name. 137 00:06:35,640 --> 00:06:38,960 However, if you wanted to create a domain name with identity or 138 00:06:38,960 --> 00:06:40,720 data in it, well, they're all gone. 139 00:06:40,760 --> 00:06:44,560 And they were gone long ago. So we had to figure out, OK, 140 00:06:44,560 --> 00:06:47,640 well you know what's another way that we can, we can talk about 141 00:06:47,640 --> 00:06:49,760 this. And at the time, we had a lot of 142 00:06:49,760 --> 00:06:52,320 focus on how does an identity get access to data. 143 00:06:52,320 --> 00:06:55,080 Because the premises is if you had your most sensitive data and 144 00:06:55,080 --> 00:06:57,520 you knew everything that can access it, every identity that 145 00:06:57,520 --> 00:07:00,520 can get access to this data, you had a hope of securing that 146 00:07:00,520 --> 00:07:04,800 data. Well data in Gaelic Irish is 147 00:07:04,800 --> 00:07:06,920 Sunri, so it actually means data. 148 00:07:06,920 --> 00:07:08,880 It's a kind of a nice domain name. 149 00:07:09,200 --> 00:07:12,920 Now the what we would say the I on the end is not actually an I 150 00:07:12,920 --> 00:07:15,000 in Irish Gaelic. It has a fidal on the end and a 151 00:07:15,000 --> 00:07:17,240 little a little accent. We own that domain too. 152 00:07:17,240 --> 00:07:18,520 I don't think anyone's ever gone to it. 153 00:07:18,520 --> 00:07:21,760 But anyway, we own the one with the the, the interesting Irish 154 00:07:21,760 --> 00:07:25,840 spelling of of Sunri as well. But it's a good story and it's 155 00:07:25,840 --> 00:07:27,160 kind of fun, actually. So. 156 00:07:27,160 --> 00:07:28,640 And no one can pronounce it, of course. 157 00:07:28,640 --> 00:07:30,000 That's the yeah, that. Was my next question. 158 00:07:30,000 --> 00:07:34,120 It's like how many people have called it San Ray or San Rhee or 159 00:07:34,120 --> 00:07:36,440 whatever variations are. We've gotten them all, 160 00:07:36,480 --> 00:07:38,440 definitely. Sun Ray is a favorite of many, 161 00:07:38,920 --> 00:07:41,600 for sure, So we we go with it. No matter what people say. 162 00:07:41,600 --> 00:07:43,480 It's like, Yep, we know that they're talking about us, so 163 00:07:43,480 --> 00:07:45,000 it's fine. Well, that's the hard thing. 164 00:07:45,000 --> 00:07:46,200 I think about text on the web, right? 165 00:07:46,200 --> 00:07:48,920 It's kind of like you see it. And then at least for me, I 166 00:07:48,920 --> 00:07:51,800 start hearing it in my head, my inner voice, and I start 167 00:07:51,800 --> 00:07:53,720 pronouncing it that way. And the next thing you know, 168 00:07:53,720 --> 00:07:56,200 that's just the way it is. Well, I'm glad you got the, I'm 169 00:07:56,200 --> 00:07:58,400 glad you got the domain names because whether you're starting 170 00:07:58,440 --> 00:08:01,040 a company or a podcast, you need to have the domain name, you 171 00:08:01,040 --> 00:08:03,480 know, set up for that. Let's talk about this field of 172 00:08:03,480 --> 00:08:06,800 cybersecurity because Sun REI guess I'd like to understand 173 00:08:06,800 --> 00:08:10,360 where does it fit because there are so many tools in this space. 174 00:08:10,840 --> 00:08:12,720 There are a lot of tools just in the cloud space, right? 175 00:08:12,720 --> 00:08:16,080 If you think about this as like a Galaxy, there are probably 176 00:08:16,080 --> 00:08:19,040 solar systems full of things that are, you know, related to 177 00:08:19,040 --> 00:08:21,040 cloud. I guess where do you guys 178 00:08:21,040 --> 00:08:23,800 position yourself from a market perspective? 179 00:08:24,160 --> 00:08:27,200 And then if there are any like unique gaps or challenges or 180 00:08:27,200 --> 00:08:30,600 things like that where you know this is our sweet spot. 181 00:08:30,600 --> 00:08:32,919 You know, if I if it was a fastball down the middle, what 182 00:08:32,919 --> 00:08:35,480 would you crank and turn around, to use a baseball analogy, which 183 00:08:35,480 --> 00:08:36,760 I know Jim will will be happy with. 184 00:08:38,400 --> 00:08:42,000 Look, and again, sometimes we get to define these things and 185 00:08:42,000 --> 00:08:43,360 sometimes the market defines them. 186 00:08:43,360 --> 00:08:47,720 And so what's happened in the security space is there are 187 00:08:47,720 --> 00:08:50,800 definitely a flavor of solutions that are cloud based, right. 188 00:08:50,800 --> 00:08:53,920 And you can see that happening through lots of the different 189 00:08:53,920 --> 00:08:55,440 analysts. They have many acronyms for 190 00:08:55,440 --> 00:08:58,440 these things. And so I always split this 191 00:08:58,440 --> 00:09:02,160 between what the world is currently causing. 192 00:09:02,160 --> 00:09:04,760 They're going to call it CNAP, Cloud native application 193 00:09:04,760 --> 00:09:08,360 protection, which involves everything and literally 194 00:09:08,360 --> 00:09:11,440 everything here from like developer infrastructures, code 195 00:09:11,440 --> 00:09:15,920 scanning, Kubernetes, security, all of what they call CIAM which 196 00:09:15,920 --> 00:09:18,120 we specialize in the cloud infrastructure entitlements 197 00:09:18,120 --> 00:09:20,400 management as vulnerability scanning. 198 00:09:20,400 --> 00:09:22,920 And it has everything, It's like a whole gamut, it's its own 199 00:09:22,920 --> 00:09:27,240 solar system but only for cloud. And then on the other side of 200 00:09:27,240 --> 00:09:31,400 it, you have Pam vendors, so Privileged Access Management, 201 00:09:31,400 --> 00:09:34,920 you have the Just in Time access solutions. 202 00:09:35,920 --> 00:09:38,320 We have a bridge into that. So we kind of sit in between 203 00:09:38,320 --> 00:09:40,800 these two sides and we really you know if you had to throw a 204 00:09:40,800 --> 00:09:43,280 baseball down the middle, we literally land in between this 205 00:09:43,280 --> 00:09:47,040 kind of cloud native application protection and this world of you 206 00:09:47,040 --> 00:09:48,880 know Pam. And and the other side of this, 207 00:09:49,600 --> 00:09:53,320 we really do specialize in the the identity entitlements 208 00:09:53,320 --> 00:09:56,360 infrastructure side of the side. That's where we focus at Gartner 209 00:09:56,360 --> 00:10:00,600 would call it Kim C i.e. M However, you know, we believe 210 00:10:00,600 --> 00:10:03,600 in the future that probably lives somewhere else in one of 211 00:10:03,600 --> 00:10:06,200 these other families. It's not just a singular thing. 212 00:10:06,400 --> 00:10:08,320 So yeah. I've heard it marked it as like 213 00:10:08,320 --> 00:10:10,640 Kim Keem. I feel. 214 00:10:10,640 --> 00:10:13,000 Kind of feel like is this Pam 2.0? 215 00:10:13,000 --> 00:10:14,440 I don't know. You know, I kind of asked this 216 00:10:14,440 --> 00:10:15,640 question. Of course, like, OK, well, if 217 00:10:15,920 --> 00:10:18,520 everybody's moving to the cloud, infrastructure's moving to the 218 00:10:18,520 --> 00:10:20,240 cloud, that's where your privileges are. 219 00:10:20,640 --> 00:10:24,080 Are we just evolving into another iteration of privilege 220 00:10:24,080 --> 00:10:27,840 access management or is it truly a separate space like cloud 221 00:10:27,840 --> 00:10:31,840 infrastructure entitlement? Management again the the future 222 00:10:31,840 --> 00:10:33,520 will tell us the complete answer to that. 223 00:10:33,840 --> 00:10:36,240 But there's a couple of interesting things when we think 224 00:10:36,240 --> 00:10:39,600 about Pam vendors traditionally you know we could lot of talk 225 00:10:39,600 --> 00:10:41,640 about lots of vendors cyber arc, whichever that have been in the 226 00:10:41,640 --> 00:10:44,560 space forever. They classically would look at 227 00:10:44,560 --> 00:10:47,680 workload identities as a vaulting problem. 228 00:10:47,760 --> 00:10:49,480 You got to take the secret, I got to put it in the vault. 229 00:10:49,480 --> 00:10:51,720 The workload has to grab the secret out of the vault, use it. 230 00:10:51,720 --> 00:10:53,160 We rotate that from time to time. 231 00:10:53,160 --> 00:10:57,760 Life is good and then Pam is more of an human thing, right. 232 00:10:57,760 --> 00:10:59,360 Is it the privilege that the human gets? 233 00:11:00,040 --> 00:11:03,200 When you move into these cloud vendors though, the blur of 234 00:11:03,200 --> 00:11:05,920 these two things comes together really, really quickly. 235 00:11:06,120 --> 00:11:09,240 Because even in something simple like AWS, if you're using like 236 00:11:09,240 --> 00:11:13,120 SSO for single sign on, once you've signed on with SSO, 237 00:11:13,120 --> 00:11:16,720 you're now a role inside of AWS, which is not really a human 238 00:11:16,720 --> 00:11:18,720 identity anymore. It's a thing that goes and does 239 00:11:18,720 --> 00:11:21,040 stuff. And then all of the workloads 240 00:11:21,040 --> 00:11:25,320 also use roles so that they Lambda function that's there 241 00:11:25,680 --> 00:11:27,880 becomes a role and then that role does work. 242 00:11:28,360 --> 00:11:30,480 And then what really complicates things, the roles can become 243 00:11:30,480 --> 00:11:33,160 other roles through a role assumption and the pattern goes 244 00:11:33,160 --> 00:11:34,920 on. And so now when you're 245 00:11:34,920 --> 00:11:37,880 controlling identity in these cloud platforms for privileged 246 00:11:37,880 --> 00:11:41,760 access, the problems of humans and workloads start to come 247 00:11:41,760 --> 00:11:44,160 together in some ways. And you have to have a way to 248 00:11:44,160 --> 00:11:47,120 look at all of that in totality because the humans can assume 249 00:11:47,120 --> 00:11:48,720 the workload roles and vice versa. 250 00:11:48,720 --> 00:11:50,880 And so you got to secure that whole thing. 251 00:11:51,400 --> 00:11:55,080 So again to your your question, you know, does this become Pam 2 252 00:11:55,080 --> 00:11:58,240 dot O? There's definitely parts of Pam 253 00:11:58,240 --> 00:12:00,880 that end up in the solution for sure, right? 254 00:12:01,160 --> 00:12:05,240 However, the clouds have done a pretty good job of dealing with 255 00:12:05,240 --> 00:12:07,320 these. What we would have called, you 256 00:12:07,320 --> 00:12:10,440 know, workload identities which you know had these keys and 257 00:12:10,440 --> 00:12:13,880 tokens and things that we had to rotate all the time in cloud. 258 00:12:13,880 --> 00:12:16,480 When you're using the cloud native stuff like an Amazon 259 00:12:16,480 --> 00:12:18,760 role, as you're already using a short lived token, you don't 260 00:12:18,760 --> 00:12:20,520 have to rotate that, it's doing it for you. 261 00:12:20,520 --> 00:12:23,560 It's actually a better process than what we had on Prem. 262 00:12:24,280 --> 00:12:27,520 However, you have to control what net canal can use the role 263 00:12:27,520 --> 00:12:29,800 in all these things. So it's just it is different. 264 00:12:30,080 --> 00:12:33,000 You know, I think the future will tell us exactly where this 265 00:12:33,000 --> 00:12:35,000 thing lands. Is it Pam 2 dot O that now 266 00:12:35,000 --> 00:12:37,680 includes a lot of different ways of managing workload identities. 267 00:12:38,040 --> 00:12:39,520 We'll see as things move forward. 268 00:12:40,240 --> 00:12:42,320 Yeah, I think this is a fascinating conversation. 269 00:12:42,320 --> 00:12:46,720 It got me thinking about, OK, I I think when we think of the 270 00:12:46,720 --> 00:12:50,640 cloud, we try to think of how we did it on Prem and how we're 271 00:12:50,640 --> 00:12:54,080 going to do it in the cloud. I actually think with what 272 00:12:54,080 --> 00:12:59,360 Sundry does and you know the idea of identifying over 273 00:12:59,360 --> 00:13:02,840 provisioned accounts is something that I say, well, how 274 00:13:02,840 --> 00:13:07,800 do we do that on Prem because the problem and we've always had 275 00:13:07,800 --> 00:13:10,520 that problem on Prem, but we haven't had a solution. 276 00:13:10,720 --> 00:13:13,320 So I think it's fantastic that it's being done in the cloud. 277 00:13:13,960 --> 00:13:17,520 There, there is interesting, Jim, like in cloud, so many 278 00:13:17,520 --> 00:13:20,800 things have happened that enable us to do things we've never been 279 00:13:20,800 --> 00:13:22,560 able to do before. You know, you see that just in 280 00:13:22,560 --> 00:13:25,880 the massive scale that comes out of cloud, you can scale yourself 281 00:13:25,880 --> 00:13:27,800 into an insecure network pretty quickly too. 282 00:13:27,800 --> 00:13:29,760 But the reality is there are things you can do. 283 00:13:29,760 --> 00:13:32,640 And so when we try to do least privilege, what's interesting 284 00:13:32,640 --> 00:13:36,600 about the clouds are because there's a bill for everything 285 00:13:36,600 --> 00:13:38,800 you create, you create a new VM, there's a bill for it, you got 286 00:13:38,800 --> 00:13:40,200 to pay. If you create a Lambda function 287 00:13:40,200 --> 00:13:42,280 and it it runs, you got to pay the bill for that. 288 00:13:42,960 --> 00:13:45,160 Because of that they have to audit this stuff and because 289 00:13:45,160 --> 00:13:47,480 they can audit it, we can now build lease privilege roles 290 00:13:47,480 --> 00:13:49,880 because everything becomes audited in a central way. 291 00:13:50,280 --> 00:13:53,440 Now I will say there's a little, whatever you want to call it, 292 00:13:53,440 --> 00:13:55,760 gotchas and all these clouds, they don't audit everything. 293 00:13:55,760 --> 00:13:58,160 Actually there's some permissions that are audited and 294 00:13:58,160 --> 00:14:01,280 some permissions that are not. There are some permissions that 295 00:14:01,320 --> 00:14:04,600 when you run them, you know they they come out in the log data. 296 00:14:04,600 --> 00:14:07,680 So we want to get into details. You know when you create a new 297 00:14:07,680 --> 00:14:10,640 VM, there would be a log message that says new VM was created. 298 00:14:11,200 --> 00:14:14,840 However, if you pass that a role at the same time, so that that 299 00:14:15,080 --> 00:14:17,840 VM that's being created is now going to use an identity in the 300 00:14:17,840 --> 00:14:21,080 cloud that uses a permission called pass role. 301 00:14:21,520 --> 00:14:25,120 Pass role is not audited in the cloud data, it's actually part 302 00:14:25,120 --> 00:14:29,840 of the create instance message. And so there's some some things 303 00:14:29,840 --> 00:14:32,320 we have to do to understand exactly how all of the 304 00:14:32,320 --> 00:14:35,040 permissions and the API calls and all the things link into the 305 00:14:35,040 --> 00:14:38,480 audit, that the audit is there for the first time where I'm on 306 00:14:38,480 --> 00:14:40,680 Prem, we'd have to go to 50 different places to get this 307 00:14:40,680 --> 00:14:43,360 data and and try to do what is is least privileged. 308 00:14:43,360 --> 00:14:45,960 So it really does allow us to do things that we haven't done 309 00:14:45,960 --> 00:14:49,040 before. The other thing is, is that when 310 00:14:49,040 --> 00:14:53,000 you're dealing with custom built on Prem applications, the 311 00:14:53,000 --> 00:14:55,080 permission space is almost infinite. 312 00:14:55,080 --> 00:14:56,960 You don't know what everybody did, so you don't know what 313 00:14:56,960 --> 00:14:59,280 permissions are there. When we deal with the cloud 314 00:14:59,280 --> 00:15:02,120 providers because these are services and they have public AP 315 00:15:02,120 --> 00:15:04,960 is we know every single permission that's there and so 316 00:15:04,960 --> 00:15:07,440 we can inventory those. We can actually say, you know 317 00:15:07,440 --> 00:15:10,600 this permission, you know create Internet Gateway is super 318 00:15:10,600 --> 00:15:12,760 sensitive because it's going to poke holes in your network. 319 00:15:13,160 --> 00:15:16,080 This permission list bucket, OK, well, you can see a list of the 320 00:15:16,080 --> 00:15:18,400 S3 buckets, but it's not that sensitive. 321 00:15:18,720 --> 00:15:22,400 And so you can risk rank all of these permissions in a way so 322 00:15:22,400 --> 00:15:24,400 that when you're going to least privilege, you know we always 323 00:15:24,720 --> 00:15:27,480 say sometimes you know least privilege is really complicated 324 00:15:27,480 --> 00:15:29,960 like the truest sense of it, you know, use it or lose it. 325 00:15:30,160 --> 00:15:31,560 I don't think anyone ever gets there. 326 00:15:32,320 --> 00:15:34,920 My marketing team may say so, but I'm not sure that it's real. 327 00:15:35,400 --> 00:15:38,920 However, for the really sensitive permissions, you can't 328 00:15:38,920 --> 00:15:41,120 leave those things hanging out there for things that don't use 329 00:15:41,120 --> 00:15:42,760 them. And so because we can risk rank 330 00:15:42,760 --> 00:15:45,840 all that, we can build least privileged policies that work 331 00:15:45,840 --> 00:15:48,840 really well but aren't super restrictive to the general user 332 00:15:48,840 --> 00:15:51,080 when they log in. The console doesn't break those 333 00:15:51,080 --> 00:15:54,080 types of things, so yeah. Yeah, I I feel like a large part 334 00:15:54,080 --> 00:15:58,440 of my day job now is, you know, looking at Identity in the 335 00:15:58,440 --> 00:16:01,920 cloud. I mean really doing an identity 336 00:16:01,920 --> 00:16:05,720 strategy assessment of recommendations without pulling 337 00:16:05,720 --> 00:16:10,200 in kind of a cloud focuses, you know, that's so yesteryear at 338 00:16:10,200 --> 00:16:13,680 this point. But what I feel like is the big 339 00:16:13,680 --> 00:16:17,280 driver, maybe this is the killer use case that you know you and 340 00:16:17,280 --> 00:16:22,560 Jeff were talking about earlier is I haven't seen a situation 341 00:16:22,560 --> 00:16:28,560 where a company said, hey, we're thinking about using AWS or GCP, 342 00:16:28,760 --> 00:16:33,440 let's stop and pull in the information security department 343 00:16:33,440 --> 00:16:36,360 and do in the most secure fashion possible. 344 00:16:36,680 --> 00:16:40,520 No, what I've seen the most is the developers go out there and 345 00:16:40,520 --> 00:16:43,840 they build this thing and then they move on and build the next 346 00:16:43,840 --> 00:16:47,640 thing and the next thing and then information security says, 347 00:16:47,640 --> 00:16:49,840 well, we really need to get our arms around this. 348 00:16:49,960 --> 00:16:54,440 We need to secure this thing as well as our on Prem. 349 00:16:55,080 --> 00:16:56,840 It's got to follow the same policies. 350 00:16:56,840 --> 00:17:00,520 We need to have visibility into this environment. 351 00:17:00,760 --> 00:17:04,599 And then how do we do that without becoming the progress 352 00:17:04,599 --> 00:17:07,960 prevention department? To me, that feels like one of 353 00:17:07,960 --> 00:17:13,640 the biggest security threats any organization faces when it comes 354 00:17:13,640 --> 00:17:16,319 to the cloud, and I'm wondering if you see it the same way or 355 00:17:16,319 --> 00:17:20,319 there's something I'm missing. Now you've you've you've hit it 356 00:17:20,319 --> 00:17:22,800 exactly. The whatever we can use the 357 00:17:22,800 --> 00:17:25,359 technical debt term here for sure, right? 358 00:17:25,359 --> 00:17:28,200 The the developers built and it worked. 359 00:17:28,520 --> 00:17:30,320 They were able to scale stuff. They were able to do stuff they 360 00:17:30,320 --> 00:17:32,080 weren't able to do before. So then they put another 361 00:17:32,080 --> 00:17:34,000 workload in the cloud and another workload in the cloud. 362 00:17:34,000 --> 00:17:35,800 And so this is frigging great. It's amazing. 363 00:17:35,920 --> 00:17:38,160 Then they turn the security features on and it got a little 364 00:17:38,160 --> 00:17:39,720 more expensive, but it was still fast. 365 00:17:39,720 --> 00:17:43,200 So we continued down that path and then the infosec guy showed 366 00:17:43,200 --> 00:17:44,520 up and said whoa, what are we doing here? 367 00:17:44,520 --> 00:17:46,560 We've got public S3 buckets. We got to close those down. 368 00:17:46,560 --> 00:17:48,800 So we started to actually do some, you know, whatever, cloud, 369 00:17:48,800 --> 00:17:52,040 security, posture management, CSPM, we started to do that. 370 00:17:52,960 --> 00:17:55,320 It's just now really the identity teams are starting to 371 00:17:55,320 --> 00:17:56,320 get involved. You know what I mean? 372 00:17:56,320 --> 00:17:58,120 For the first time, they're taking a look under the covers 373 00:17:58,120 --> 00:18:00,800 and said so. So where did happen to all those 374 00:18:00,800 --> 00:18:03,080 vaulted identities we used to have in cyber? 375 00:18:03,080 --> 00:18:04,160 Where did they go? Anywhere. 376 00:18:04,160 --> 00:18:06,240 So, oh, well, they're we use, we use rolls. 377 00:18:06,240 --> 00:18:07,400 Now you there's just lots of them. 378 00:18:07,400 --> 00:18:08,360 You don't have to do that anymore. 379 00:18:08,360 --> 00:18:10,200 It's like, well, who inventoried the rolls? 380 00:18:10,200 --> 00:18:12,120 Are they supposed to be there? What permissions do they have, 381 00:18:12,120 --> 00:18:15,760 all these things, you know, it's definitely I've I've seen maybe 382 00:18:15,760 --> 00:18:18,400 one customer that tried to plan up front for what they were 383 00:18:18,400 --> 00:18:20,000 going to do. Everybody else is just, you 384 00:18:20,000 --> 00:18:22,160 know, it's the Wild West to the point that they try to gain 385 00:18:22,160 --> 00:18:24,160 controls in it and that's what you get in some really 386 00:18:24,160 --> 00:18:25,880 interesting differences in the cloud. 387 00:18:26,400 --> 00:18:32,160 In AWS and GCP you have a a model where a deny wins and it 388 00:18:32,160 --> 00:18:35,640 allows you some semblance of centralized control if you want 389 00:18:35,640 --> 00:18:37,440 it. It's pretty easy to break stuff, 390 00:18:37,440 --> 00:18:40,400 but the reality is you can actually say don't allow X to 391 00:18:40,400 --> 00:18:42,600 happen and it will be denied across that whole 392 00:18:42,600 --> 00:18:45,840 infrastructure. In Azure, it's an allow model. 393 00:18:45,840 --> 00:18:48,360 If any one thing gives you permission, you've got 394 00:18:48,360 --> 00:18:49,720 permission. Doesn't matter what all the 395 00:18:49,720 --> 00:18:52,480 other rules say. And so it's to look at the two 396 00:18:52,480 --> 00:18:53,880 different clouds. When you're doing these 397 00:18:53,880 --> 00:18:56,880 assessments, you have to think about that stuff because again, 398 00:18:56,880 --> 00:18:58,800 the way the permissions are laid out and the controls are 399 00:18:58,800 --> 00:19:01,360 different in each one of them. And so again, rather than using 400 00:19:01,360 --> 00:19:03,920 sundry, you know, we have great ways to analyze all that, 401 00:19:03,920 --> 00:19:07,600 understand how the complex rules get, you know, put together. 402 00:19:07,600 --> 00:19:09,520 And then do you actually have permission or do you know? 403 00:19:09,560 --> 00:19:12,840 And then can we build you a better role, better policy, or 404 00:19:12,840 --> 00:19:15,600 even just you trying to do a manual assessment of it. 405 00:19:15,640 --> 00:19:18,120 You have to understand how each cloud works and how the identity 406 00:19:18,120 --> 00:19:19,480 models work in it to do it right. 407 00:19:20,200 --> 00:19:24,400 Yeah, Speaking of sundry. So is this the time where you 408 00:19:24,480 --> 00:19:28,360 know and information security steps in and says we need to 409 00:19:28,360 --> 00:19:30,240 have visibility into what's going on? 410 00:19:30,600 --> 00:19:34,200 Do they at that point look at Sunream and say, oh, this 411 00:19:34,200 --> 00:19:37,960 provides us that that window into what's going on? 412 00:19:37,960 --> 00:19:41,720 Or is it that development team as they're building things, they 413 00:19:41,720 --> 00:19:44,800 say, oh this, that's all we need to get things set up? 414 00:19:46,080 --> 00:19:49,240 It and this is an interesting history of this company in 415 00:19:49,240 --> 00:19:51,200 general. I think when we started the 416 00:19:51,200 --> 00:19:54,960 company you know we thought that the developers would want to get 417 00:19:54,960 --> 00:19:57,000 to least privilege. I don't know why we thought that 418 00:19:57,000 --> 00:19:59,280 who would ever want to get to least privilege but but you know 419 00:19:59,280 --> 00:20:03,000 you thought that the that the the goal of these teams was to 420 00:20:03,000 --> 00:20:06,720 build a beautiful kind of secure platform and least privilege and 421 00:20:06,720 --> 00:20:09,680 then you Fast forward and what you realize is is that every 422 00:20:09,680 --> 00:20:12,520 time we tell somebody you know this workload is over 423 00:20:12,520 --> 00:20:14,600 provisioned you have to fix this role. 424 00:20:14,960 --> 00:20:18,080 We can automate that using bots and all these things, but it's 425 00:20:18,080 --> 00:20:20,360 work for somebody because anybody with a really mature 426 00:20:20,360 --> 00:20:22,680 development process needs to do that in development. 427 00:20:22,880 --> 00:20:25,440 They need to promote it to UAT, they need to run all their 428 00:20:25,440 --> 00:20:27,760 automated tasks, They needed to promote it to prod. 429 00:20:28,120 --> 00:20:30,480 And there's a we would love to say it's completely automated. 430 00:20:30,480 --> 00:20:32,480 There's a human involved somewheres in that process if 431 00:20:32,480 --> 00:20:34,640 you have a good software development process. 432 00:20:35,280 --> 00:20:39,280 Whereas you know you look at it now and I actually think it is 433 00:20:39,280 --> 00:20:41,920 more the backwards tonight. It's the info sex guys coming in 434 00:20:41,920 --> 00:20:43,440 saying we need to get visibility. 435 00:20:43,440 --> 00:20:46,080 What's going on here? We need to see how bad of a 436 00:20:46,080 --> 00:20:49,920 situation we're in and then build plans to figure out how to 437 00:20:50,120 --> 00:20:53,760 take some of this risk back out in big swatches. 438 00:20:53,760 --> 00:20:56,080 Not just like, OK, we're going to fix one roll. 439 00:20:56,240 --> 00:20:58,400 Where are the big things? What are the big swings we can 440 00:20:58,400 --> 00:21:01,480 take with the bat to fix this? So again, when you look at it 441 00:21:01,480 --> 00:21:04,240 that way, that's more the, the common pattern and we've split 442 00:21:04,240 --> 00:21:07,320 our our product into two ways of doing that. 443 00:21:07,760 --> 00:21:11,480 If it's a, we'll call it a a company that's still looking for 444 00:21:11,480 --> 00:21:14,440 that initial hit of visibility. They just don't know be like we 445 00:21:14,440 --> 00:21:15,600 don't know how bad it is we want to see. 446 00:21:15,880 --> 00:21:18,280 We have something called a cloud identity diagnostic. 447 00:21:18,320 --> 00:21:20,960 It's kind of a once and done, we run the thing, we analyze the 448 00:21:20,960 --> 00:21:22,600 whole thing. We find all the lateral movement 449 00:21:22,600 --> 00:21:24,360 paths, all the least privileged policies, whatever. 450 00:21:24,360 --> 00:21:27,080 And we presented as a report. We say, you know this is how 451 00:21:27,080 --> 00:21:29,880 many administrators you have. Some of them are people, some of 452 00:21:29,880 --> 00:21:31,120 them aren't. Some of them are getting the 453 00:21:31,120 --> 00:21:32,920 permissions directly, some of them are getting them 454 00:21:32,920 --> 00:21:35,400 undirectly, whatever. And we give you this nice report 455 00:21:35,400 --> 00:21:37,640 that kind of shows everything and then you can figure out from 456 00:21:37,640 --> 00:21:40,720 there like, OK, systemically they have a really big problem 457 00:21:40,720 --> 00:21:42,640 with unused identities. Most of our identities are 458 00:21:42,640 --> 00:21:43,800 unused. I'm going to go fix that. 459 00:21:44,280 --> 00:21:46,920 The other company profile is they already know they have a 460 00:21:46,920 --> 00:21:51,480 problem and they're trying to get a system in place to 461 00:21:51,480 --> 00:21:54,640 actually start to drive. OK, what's the biggest risk we 462 00:21:54,640 --> 00:21:58,400 have from all of these over permission roles that are there? 463 00:21:59,000 --> 00:22:01,280 Again, I use the word role, that's an AWS thing. 464 00:22:01,280 --> 00:22:04,360 In Azure, the role is also a role, but it's it's done 465 00:22:04,360 --> 00:22:06,960 differently. But whichever way, we need to 466 00:22:06,960 --> 00:22:10,000 basically build some form of least privilege and what level 467 00:22:10,000 --> 00:22:13,080 of that is and have a way to basically measure that to make 468 00:22:13,080 --> 00:22:15,120 sure we're getting better over time, right. 469 00:22:15,120 --> 00:22:18,000 And so we have both patterns. We have the the people that run 470 00:22:18,000 --> 00:22:20,320 it 24/7. It's always looking at the cloud 471 00:22:20,320 --> 00:22:22,040 all the time. It's always generating new least 472 00:22:22,040 --> 00:22:24,320 privileged policies. It's always finding risk from 473 00:22:24,320 --> 00:22:26,000 lateral movement. And then we have the customers 474 00:22:26,000 --> 00:22:27,920 that are the well once and done right. 475 00:22:27,920 --> 00:22:31,120 I just need to see what's going on for one shot so I can build a 476 00:22:31,120 --> 00:22:33,800 plan a year from now on how I'm how I'm going to deal with this. 477 00:22:34,880 --> 00:22:39,240 Yeah, it seems to me those are are fantastic examples. 478 00:22:39,480 --> 00:22:45,280 Seems to me that one of the areas that the Kim space really 479 00:22:45,280 --> 00:22:51,440 excels at is for organizations where you've got multi cloud. 480 00:22:51,720 --> 00:22:54,680 So that's interesting. I work with a lot of 481 00:22:54,680 --> 00:22:58,560 organizations and they're always have a plan to get down to as 482 00:22:58,560 --> 00:23:01,760 few clouds as possible. But to me, it's like the clouds 483 00:23:01,760 --> 00:23:04,320 are like continents. It's like, yeah, we live in 484 00:23:04,320 --> 00:23:09,800 North America and Europe and Asia, but we're just going to 485 00:23:09,800 --> 00:23:13,000 have homes in Asia and North America going forward. 486 00:23:13,240 --> 00:23:16,240 Like, OK, well, that's still a lot of real estate. 487 00:23:16,240 --> 00:23:20,320 And you know, what's your plan to get from one to the next? 488 00:23:20,720 --> 00:23:24,240 Put that aside. I mean why is it that a Kim 489 00:23:24,240 --> 00:23:29,600 solution really helps with and Sundry for example? 490 00:23:30,840 --> 00:23:37,280 Specifically, how how does the platform help manage that multi 491 00:23:37,280 --> 00:23:40,680 cloud environment? Yeah and multi cloud is an 492 00:23:40,680 --> 00:23:43,240 interesting, you have a whole other conversation about you 493 00:23:43,240 --> 00:23:45,880 know multi cloud versus singular cloud and what people actually 494 00:23:45,880 --> 00:23:49,200 do and what we see in the field. When you have multi cloud though 495 00:23:49,760 --> 00:23:53,280 you need to have some form of governing rules right. 496 00:23:53,360 --> 00:23:56,760 We need to make sure that we don't over provision identities 497 00:23:56,760 --> 00:23:59,400 that can create network resources or whatever it is. 498 00:24:00,360 --> 00:24:03,400 The way that that's done in each of the three clouds will be will 499 00:24:03,400 --> 00:24:05,080 be different. You know we need to have key 500 00:24:05,080 --> 00:24:07,800 rotation that'll be done differently in in the different 501 00:24:07,800 --> 00:24:10,360 clouds. And so when you're trying to 502 00:24:10,360 --> 00:24:13,560 measure that at the top level, so you're somebody that has 503 00:24:13,560 --> 00:24:15,880 multiple different clouds, multiple different teams 504 00:24:15,880 --> 00:24:19,520 building and you need a common way to measure team A against 505 00:24:19,520 --> 00:24:21,960 team B to understand where you need to put your resources to 506 00:24:21,960 --> 00:24:24,280 fix things. We really help solve that 507 00:24:24,280 --> 00:24:26,400 problem. We have a maturity model where 508 00:24:26,400 --> 00:24:28,840 we can kind of grade the teams based on the maturity. 509 00:24:29,160 --> 00:24:30,960 And even though they're building in different clouds, we can tell 510 00:24:30,960 --> 00:24:33,840 you that this team needs more help than this team in terms of 511 00:24:34,040 --> 00:24:37,160 least privilege or in terms of access or wherever those those 512 00:24:37,160 --> 00:24:39,440 areas are. So it's a great way to measure 513 00:24:39,440 --> 00:24:42,680 and compare teams, gamify it a bit, right, try to get everybody 514 00:24:42,680 --> 00:24:45,760 to the the moderate level or the advanced level of maturity 515 00:24:45,920 --> 00:24:47,120 regardless of which cloud they're in. 516 00:24:47,440 --> 00:24:50,240 So that's great on the measurement side, it also allows 517 00:24:50,240 --> 00:24:53,680 you, let's say that you're primarily in one cloud, you're 518 00:24:53,680 --> 00:24:56,280 mainly in Azure, and you know Azure really, really well, but 519 00:24:56,280 --> 00:24:59,280 you have a a side project in GCP. 520 00:24:59,840 --> 00:25:03,120 Well, you may not know how all of your controls that you've 521 00:25:03,120 --> 00:25:07,560 done an amazing job implementing in Azure Translate to GCP. 522 00:25:08,240 --> 00:25:10,760 But when you use a platform like Sundry, we're going to be able 523 00:25:10,760 --> 00:25:13,240 to measure those Azure workloads and say, yeah, these look really 524 00:25:13,240 --> 00:25:16,360 clean actually you don't have problems in this area, this area 525 00:25:16,360 --> 00:25:19,080 and this area. But in GCP it doesn't look like 526 00:25:19,080 --> 00:25:21,360 you're doing a good job on service accounts because you're 527 00:25:21,360 --> 00:25:23,720 allowing the service accounts to do things that you would never 528 00:25:23,720 --> 00:25:25,840 have allowed them to do in, in Azure, right. 529 00:25:26,160 --> 00:25:28,720 And so you can see that delta between those two clouds and say 530 00:25:28,720 --> 00:25:30,680 look we, we got to make sure that we put these controls in 531 00:25:30,680 --> 00:25:32,760 place because we're obviously doing a good job in this cloud 532 00:25:32,760 --> 00:25:35,200 and and not in this cloud. And so it gives you a vendor 533 00:25:35,200 --> 00:25:37,360 that's kind of building out all that content for you in that 534 00:25:37,360 --> 00:25:39,680 common measuring of of those things. 535 00:25:39,680 --> 00:25:42,960 So again, most of our customers I would say are multi cloud, but 536 00:25:42,960 --> 00:25:46,280 it's classically that we're primarily in one and we've got a 537 00:25:46,280 --> 00:25:49,920 side secondary cloud. I think a lot of times you know 538 00:25:49,920 --> 00:25:53,400 companies have it for even disaster recovery or whatever 539 00:25:53,400 --> 00:25:55,360 you want to get your data out of that cloud just in case. 540 00:25:55,520 --> 00:25:58,040 I I can't imagine what the day would look like when Amazon went 541 00:25:58,040 --> 00:26:00,040 away, but it would. It would be a. 542 00:26:00,360 --> 00:26:02,720 A bad day for all of us, but if it did happen, you know if you 543 00:26:02,720 --> 00:26:05,040 write these plans up for a company, it says you've got to 544 00:26:05,040 --> 00:26:07,400 have your data in two places and that's the way to get it in two. 545 00:26:07,400 --> 00:26:10,240 Places. So is that what makes the cloud 546 00:26:10,240 --> 00:26:12,800 difficult? Is it the multi cloud aspect of 547 00:26:12,800 --> 00:26:15,480 it and the fact that each of the clouds has basically their own 548 00:26:15,480 --> 00:26:19,160 operating system and their own language to security controls? 549 00:26:19,160 --> 00:26:21,600 I guess I'd like to understand specifically like how do you 550 00:26:21,600 --> 00:26:25,000 guys make that translation to say hey I want to remediate this 551 00:26:25,000 --> 00:26:29,040 issue, we have this policy and we don't want that to work. 552 00:26:29,360 --> 00:26:32,000 Can I click a button and somehow it figures it out? 553 00:26:32,000 --> 00:26:33,040 Magic. Figures it out, yeah. 554 00:26:33,480 --> 00:26:36,120 And it's not even. There's this level of analytics 555 00:26:36,120 --> 00:26:39,240 even before the fix that says maybe it's already fixed. 556 00:26:39,240 --> 00:26:42,240 So if you were to look at any one of the clouds and you were 557 00:26:42,240 --> 00:26:45,920 to only look at Jeff's direct entitlements, right? 558 00:26:45,920 --> 00:26:47,560 And you looked at your entitlements and it said, you 559 00:26:47,560 --> 00:26:50,120 know, Jeff can do this very nefarious thing, whatever you 560 00:26:50,120 --> 00:26:52,320 can. GCP has these interesting things 561 00:26:52,320 --> 00:26:55,160 where you can act as something, so you can basically act as 562 00:26:55,160 --> 00:26:57,920 something else with the scope that you have, you would look at 563 00:26:57,920 --> 00:26:59,480 that and say, wow, that's that's bad. 564 00:26:59,480 --> 00:27:03,680 We should we should fix that. But the reality is GCP allows 565 00:27:03,680 --> 00:27:07,520 for deny statements that are above that point that inherit 566 00:27:07,520 --> 00:27:08,000 down. And. 567 00:27:08,000 --> 00:27:11,200 So if the deny statement says that Jeff can't do that, then 568 00:27:11,200 --> 00:27:13,520 Jeff can't do that right? And you may have a full deny. 569 00:27:13,840 --> 00:27:16,240 And so you have to do some analytics to understand what the 570 00:27:16,240 --> 00:27:20,600 real effective permission is for any given identity so that 571 00:27:20,600 --> 00:27:22,880 you're not, you know, sending off false alarms saying this 572 00:27:22,880 --> 00:27:25,680 permission is way too sensitive for this identity to have when 573 00:27:25,680 --> 00:27:30,360 in reality you as a great cloud architect have architected the 574 00:27:30,360 --> 00:27:32,840 identity system to not allow that to happen anyway. 575 00:27:33,360 --> 00:27:37,440 So in AWS is a similar thing. They have SCPS that actually 576 00:27:37,440 --> 00:27:39,240 block these things. So you have to understand this, 577 00:27:39,920 --> 00:27:42,040 every one of the clouds, those completely different in how they 578 00:27:42,040 --> 00:27:44,560 do that. You know IDEA AWS has about 11 579 00:27:44,560 --> 00:27:47,000 different ways that you can add or remove permissions through 580 00:27:47,000 --> 00:27:50,400 this tree and they support wild cards and other things that that 581 00:27:50,400 --> 00:27:53,760 caused a GCP has a much simpler model which is very much an 582 00:27:53,760 --> 00:27:56,600 inheritance model. But scopes are really important 583 00:27:56,600 --> 00:27:58,920 in GCP because you want to make sure that you get it's almost 584 00:27:58,920 --> 00:28:00,760 like least access instead of least privilege. 585 00:28:00,760 --> 00:28:02,880 You want to get the scopes of these permissions down to the 586 00:28:03,040 --> 00:28:04,320 most granular thing that you can get. 587 00:28:04,320 --> 00:28:08,000 Especially things that are sensitive like act as and so you 588 00:28:08,000 --> 00:28:10,720 have to, depending on the cloud, completely translate what 589 00:28:10,720 --> 00:28:12,800 they've done into something that's actionable. 590 00:28:13,000 --> 00:28:15,040 Then you get to the button. So now we're finally at the 591 00:28:15,040 --> 00:28:18,160 point that we have the the thing we have the least privileged 592 00:28:18,160 --> 00:28:20,720 policies not appropriate. We want to put it on there. 593 00:28:21,120 --> 00:28:23,560 Now you need to actually go and press that button. 594 00:28:24,160 --> 00:28:26,440 Some of the things are direct fixes, Jeff. 595 00:28:26,440 --> 00:28:28,400 It's so great. You know it's like OK, well this 596 00:28:28,400 --> 00:28:32,480 identity has the ability to act as it's never used it or it only 597 00:28:32,480 --> 00:28:34,840 uses it in one scope. Press the button, we fix it, 598 00:28:34,840 --> 00:28:39,320 it's done and over super easy. Some of them are not so easy. 599 00:28:39,320 --> 00:28:42,080 So in AWS you can assume a role and you can do that across 600 00:28:42,080 --> 00:28:43,560 accounts and so you may have one. 601 00:28:43,560 --> 00:28:45,880 We have these lateral movement change which could hop from 602 00:28:46,400 --> 00:28:48,600 literally one account to the next account to the next account 603 00:28:48,600 --> 00:28:51,240 to the next account. And they've parts of them have 604 00:28:51,240 --> 00:28:52,560 never been used. They were all put there 605 00:28:52,560 --> 00:28:55,560 intentionally for little parts of the path to work, but never 606 00:28:55,560 --> 00:28:56,920 for the whole thing to be combined. 607 00:28:57,280 --> 00:28:59,840 And so when you look at that, the fix for it is often not on 608 00:28:59,840 --> 00:29:02,040 the thing that starts it and not at the thing at the end. 609 00:29:02,040 --> 00:29:04,280 It's somewhere in the middle and we will find the thing in the 610 00:29:04,280 --> 00:29:06,680 middle that you can break that chain and and cut it off. 611 00:29:07,160 --> 00:29:09,200 So that's another kind of interesting thing when you look 612 00:29:09,200 --> 00:29:12,520 at fixing it. Now the development teams have 613 00:29:12,520 --> 00:29:14,480 really messed this up, though I shouldn't say messed it up. 614 00:29:14,480 --> 00:29:17,680 They've done an amazing job. They deploy infrastructure's 615 00:29:17,680 --> 00:29:21,080 codes, so they use Terraform or whatever they're using Those 616 00:29:21,440 --> 00:29:24,680 infrastructure's code platforms have state in them and they know 617 00:29:24,680 --> 00:29:27,720 when the state drifts. So now pretend you press the 618 00:29:27,720 --> 00:29:31,600 button, but the state now drifts and they redeploy it. 619 00:29:31,800 --> 00:29:34,440 It fixes it. So now there's a problem that we 620 00:29:34,440 --> 00:29:37,360 automate to fix, which then the Terraform puts back and you end 621 00:29:37,360 --> 00:29:39,640 up in this fighting world between them. 622 00:29:39,760 --> 00:29:43,600 Who wins, right? And so you have to be aware of 623 00:29:43,600 --> 00:29:47,640 the cloud architecture, how? What created this resource, how 624 00:29:47,640 --> 00:29:50,720 is it being maintained so that you can tell them how to fix it 625 00:29:50,720 --> 00:29:53,480 properly. Is it fixed by pressing the 626 00:29:53,480 --> 00:29:56,640 button and that's going to work? Is it fixed through some form of 627 00:29:56,640 --> 00:29:59,720 automation or do you actually have to create a ticket clear 628 00:29:59,720 --> 00:30:02,520 back to the development team and say this piece of Terraform 629 00:30:02,520 --> 00:30:04,840 needs to be adjusted because it doesn't have the right policy 630 00:30:04,840 --> 00:30:07,320 attached to it and so you have to be aware of that whole thing 631 00:30:07,320 --> 00:30:11,800 kind of end to end as you do it. I have a theory which is that 632 00:30:12,400 --> 00:30:16,200 all of the the senior information security folks like 633 00:30:16,200 --> 00:30:20,320 myself, we had a heyday. The heyday would be when you 634 00:30:20,320 --> 00:30:23,840 would sit there and read technical articles or books 635 00:30:24,000 --> 00:30:27,280 while you were eating your meals because you couldn't break away 636 00:30:27,280 --> 00:30:30,960 from it and you really understood all the technical 637 00:30:30,960 --> 00:30:35,160 aspects at that time. And over the years or decades 638 00:30:35,360 --> 00:30:37,840 things have changed. So I remember the days where you 639 00:30:37,840 --> 00:30:43,480 would put ACD or DVD in a drive and you would build the server 640 00:30:43,480 --> 00:30:47,280 from you maybe boot to a diskette, etcetera. 641 00:30:47,400 --> 00:30:50,800 And then there was VMS and hypervisors. 642 00:30:50,800 --> 00:30:54,280 And I remember trying to explain to my management what was going 643 00:30:54,280 --> 00:30:57,720 on with VMS and hypervisors and they looked at me like I had 644 00:30:57,720 --> 00:31:00,840 three heads. Later on you get to the forum 645 00:31:00,840 --> 00:31:04,760 where there's not even servers, you know. 646 00:31:04,960 --> 00:31:09,520 And so I I think that's where things and how they operate in 647 00:31:09,520 --> 00:31:13,720 the cloud become so abstract from what your basis of 648 00:31:13,720 --> 00:31:17,200 technology knowledge is. Anyway, this is a little bit of 649 00:31:17,200 --> 00:31:20,760 a rant for me, but I I actually don't think that the cloud is 650 00:31:20,760 --> 00:31:24,880 necessarily more complicated or complex than on Prem. 651 00:31:25,200 --> 00:31:29,440 I just think it's it's different and I actually think that the 652 00:31:29,440 --> 00:31:34,000 Kim tools and the ability to do over provisioned account 653 00:31:34,000 --> 00:31:39,880 analysis is a major breakthrough because I I think what it boils 654 00:31:39,880 --> 00:31:44,240 down to is that the the cloud platforms have the logs and 655 00:31:44,240 --> 00:31:48,440 you're on Prem generally doesn't have all the logs needed to say 656 00:31:48,640 --> 00:31:50,120 this account has too much access. 657 00:31:50,120 --> 00:31:52,280 You should start ripping off that access. 658 00:31:52,520 --> 00:31:55,160 You rip off that access and it might have unintended 659 00:31:55,160 --> 00:31:59,040 consequences. So again, that's just kind of my 660 00:31:59,040 --> 00:32:02,920 rant, but I did want to, I was also thinking of something that, 661 00:32:03,160 --> 00:32:06,840 you know, as you and Jeff were talking is I run into a lot of 662 00:32:06,840 --> 00:32:10,080 clients these days. And you know, Microsoft is kind 663 00:32:10,080 --> 00:32:14,680 of making a stance in every aspect of identity, including 664 00:32:15,200 --> 00:32:18,080 cloud identity, including Privileged Identity Management, 665 00:32:18,080 --> 00:32:23,120 especially when it has to do with the Azure data center 666 00:32:23,120 --> 00:32:25,960 environment. And it got me thinking, OK, 667 00:32:26,160 --> 00:32:30,040 well, is that all the solution that certain organization need, 668 00:32:30,080 --> 00:32:32,440 maybe like to hear your input on that? 669 00:32:32,680 --> 00:32:35,240 But then when is the switch flipped? 670 00:32:35,240 --> 00:32:40,880 Where it's like, OK, now, now I need Sunri because there's some 671 00:32:40,880 --> 00:32:45,600 kind of gap in what I've got and what I need and and how does how 672 00:32:45,600 --> 00:32:48,800 does the practitioner who's listening to this podcast know 673 00:32:48,800 --> 00:32:50,920 when that switch has been flipped? 674 00:32:51,800 --> 00:32:54,120 Yeah, that. So first of all the multi cloud 675 00:32:54,120 --> 00:32:56,200 thing always comes up, right? If you have more than one cloud, 676 00:32:56,200 --> 00:32:59,280 then the the Entra solutions which they've nicely renamed. 677 00:32:59,280 --> 00:33:01,400 The Entra used to be Azure Active Directory and a whole 678 00:33:01,400 --> 00:33:02,680 bunch of different tools. Now it's Entra. 679 00:33:02,880 --> 00:33:06,320 That solution you know probably starts to wear pretty thin if 680 00:33:06,320 --> 00:33:08,120 you're trying to use it to manage Amazon and stuff. 681 00:33:08,120 --> 00:33:10,480 It will do some things in Amazon, but it's it's pretty 682 00:33:10,480 --> 00:33:12,560 weak in what it does. However, let's pretend you're an 683 00:33:12,560 --> 00:33:14,840 Azure only customer and that's all you've done. 684 00:33:15,120 --> 00:33:17,400 Then Entra actually does some nice stuff there, right? 685 00:33:17,400 --> 00:33:20,280 You know, you can actually get it to do PIM as an example, 686 00:33:20,280 --> 00:33:22,600 Privileged Identity Management and you can build assignments. 687 00:33:22,920 --> 00:33:26,200 It's sometimes hard to get it to scale to the, you know, massive 688 00:33:26,200 --> 00:33:28,240 management group structure and all the subscriptions you have 689 00:33:28,240 --> 00:33:30,760 and figure out who the owners and everything are for these 690 00:33:30,760 --> 00:33:32,600 things. But it has the basics of it 691 00:33:32,600 --> 00:33:33,920 built into it, which is quite nice. 692 00:33:34,160 --> 00:33:36,760 It does have some semblance of least privilege for certain 693 00:33:36,760 --> 00:33:39,400 things, so it will generate some least privileged roles. 694 00:33:39,400 --> 00:33:40,840 We have to use the right words in Microsoft. 695 00:33:40,840 --> 00:33:43,360 Their roles, they least privileged roles for some 696 00:33:43,360 --> 00:33:46,720 things. What's interesting about Sunri 697 00:33:46,720 --> 00:33:51,680 is is that we tried to create this balance between perfection 698 00:33:52,200 --> 00:33:56,400 and usable and we can build you perfect, perfect roles. 699 00:33:56,640 --> 00:33:59,720 But the problem is, say you have 100,000 identities in Azure, 700 00:34:00,360 --> 00:34:03,040 that's 100,000 custom roles, and I don't think anyone wants to 701 00:34:03,040 --> 00:34:06,400 manage 100,000 custom roles. However, we can get you good 702 00:34:06,400 --> 00:34:07,960 enough. What if we take the people that 703 00:34:07,960 --> 00:34:10,840 were contributors, which have basically all of the permissions 704 00:34:10,840 --> 00:34:14,639 except being able to grant other permissions and move those to 705 00:34:14,639 --> 00:34:18,280 something that looked a lot more like a security auditor role for 706 00:34:18,280 --> 00:34:21,000 the stuff that they don't use. But for the two services they do 707 00:34:21,000 --> 00:34:24,159 use, we still give you the the the you know, the create, 708 00:34:24,159 --> 00:34:27,320 update, deletes that you need. That's a much easier to consume 709 00:34:27,320 --> 00:34:30,719 role that you can use across many identities and probably 710 00:34:30,719 --> 00:34:33,239 doesn't break the console if that happens to be a person that 711 00:34:33,239 --> 00:34:36,600 logs in later or when you add 1 new feature to that app that it 712 00:34:36,600 --> 00:34:38,960 was gonna use. And so we find that works quite 713 00:34:38,960 --> 00:34:40,440 well. Entra's not so great at that. 714 00:34:40,440 --> 00:34:42,800 They're good at sometimes the perfection and not so much the 715 00:34:43,239 --> 00:34:46,800 the usable on that side. Yeah, you've got your head in 716 00:34:46,800 --> 00:34:48,639 the clouds so often. And I mean that in a positive 717 00:34:48,639 --> 00:34:50,639 way. Yeah, You've got to have some 718 00:34:50,639 --> 00:34:52,920 horror stories. Like is there a particular, 719 00:34:52,920 --> 00:34:56,800 like, oh man, it's really bad, or something else kind of like 720 00:34:57,480 --> 00:34:58,800 you're willing to share. I don't want you to name and 721 00:34:58,800 --> 00:35:00,840 shame anybody, but maybe it's just the situation. 722 00:35:01,680 --> 00:35:04,880 We have had so many interesting things over the years, I can't 723 00:35:04,880 --> 00:35:09,400 even begin to describe them. One of my favorite ones was 724 00:35:09,400 --> 00:35:14,560 there was This Doesn't Matter organization and they had a lot 725 00:35:14,560 --> 00:35:16,960 of like automation and workloads that they had built and the 726 00:35:16,960 --> 00:35:21,040 workloads and the cloud services would assume these identities. 727 00:35:21,040 --> 00:35:23,720 In this case it happened to be in in AWS, but it doesn't really 728 00:35:23,720 --> 00:35:24,960 matter. They would assume these 729 00:35:24,960 --> 00:35:27,280 identities and then those identities would do the things 730 00:35:27,760 --> 00:35:30,200 for the developers. Found it amazingly hard to 731 00:35:30,200 --> 00:35:31,800 troubleshoot this when it wasn't working. 732 00:35:32,160 --> 00:35:35,960 And so in all of these cases across insane numbers of roles 733 00:35:36,480 --> 00:35:39,600 AWS, they added a trust relationship to trust the 734 00:35:39,600 --> 00:35:42,560 account that it was in. So and again, we'd have to get 735 00:35:42,560 --> 00:35:44,560 into super details here. But in AWS you have a role. 736 00:35:44,720 --> 00:35:47,200 It trusts something. It might be an SSO provider, it 737 00:35:47,200 --> 00:35:49,600 might be another entity, it might be a cloud service, or it 738 00:35:49,600 --> 00:35:52,000 can be an account. And by account it means 739 00:35:52,000 --> 00:35:55,760 basically any identity in that account can use that that thing 740 00:35:55,960 --> 00:35:58,680 with some conditions. This made it super easy for them 741 00:35:58,680 --> 00:36:01,200 to troubleshoot because now the developer in the account could 742 00:36:01,200 --> 00:36:02,880 just assume that role and do anything that he wants. 743 00:36:03,120 --> 00:36:06,680 However, what it also meant was every identity in that account 744 00:36:06,680 --> 00:36:08,960 could do the same thing. So if an attacker got even a 745 00:36:09,360 --> 00:36:12,000 semblance of a role anywhere in the, they could become anything 746 00:36:12,000 --> 00:36:14,680 they wanted across their like whole way that they built 747 00:36:14,680 --> 00:36:17,560 development. And you're like, but it seems so 748 00:36:17,560 --> 00:36:19,920 obvious to the developer, Oh, if I just add this one line, it's 749 00:36:19,920 --> 00:36:22,040 so easy to troubleshoot, it's amazing. 750 00:36:22,440 --> 00:36:24,640 But they didn't understand the impact that they were truly 751 00:36:24,640 --> 00:36:27,760 giving everything in those accounts access to to do this 752 00:36:27,760 --> 00:36:28,440 right? And it was. 753 00:36:28,600 --> 00:36:30,800 It was an unintended consequence they never meant for. 754 00:36:31,280 --> 00:36:34,240 They had another customer one time that had an issue where 755 00:36:35,000 --> 00:36:38,880 they were using Cloudfront and they had given Cloudfront needed 756 00:36:38,880 --> 00:36:43,080 to read data out of data stores and that was fine, but they gave 757 00:36:43,080 --> 00:36:45,000 it read and write because it was easy to. 758 00:36:45,000 --> 00:36:47,040 I'm not even exactly sure why they did, but the problem is 759 00:36:47,040 --> 00:36:51,240 Cloudfront's an Internet facing identity that now can write data 760 00:36:51,240 --> 00:36:53,480 to the thing that it's supposed to be reading data from. 761 00:36:53,880 --> 00:36:56,960 It's really easy to manipulate the website that it's facing on 762 00:36:56,960 --> 00:36:59,080 the other side. And so he's like no one ever 763 00:36:59,080 --> 00:37:00,800 thought I was like, oh, the cloud front can do that. 764 00:37:00,800 --> 00:37:02,440 It's like, yes, you gave it permission to do it. 765 00:37:02,440 --> 00:37:05,400 If the attacker can manipulate it in a way to get it to write 766 00:37:05,400 --> 00:37:08,560 the right thing, then you know you can you can change things. 767 00:37:08,560 --> 00:37:11,560 And so there's many horror stories over the years that we 768 00:37:11,720 --> 00:37:15,200 we run into in these ways. And again, we will, we will keep 769 00:37:15,200 --> 00:37:17,480 everybody nameless that those things happen to. 770 00:37:17,480 --> 00:37:21,720 But lots of fun stories. So I want to pivot to a blog 771 00:37:21,720 --> 00:37:24,760 article that's on your website. It's called 4 Steps to Secure 772 00:37:24,760 --> 00:37:27,120 Cloud Identities. If you're stuck, first of all, 773 00:37:27,360 --> 00:37:30,040 great SEO. So yeah, that's a great title, 774 00:37:30,080 --> 00:37:32,800 people pick that up and it's actually and I and I hate to say 775 00:37:32,800 --> 00:37:35,000 this because I'm, you know, dump on vendors all the time, but 776 00:37:35,160 --> 00:37:39,280 it's actually a good article and it's a good entry into things 777 00:37:39,280 --> 00:37:41,640 that people should be thinking about from a identity 778 00:37:41,640 --> 00:37:45,560 perspective in the cloud. I guess why write this like, who 779 00:37:45,560 --> 00:37:48,200 is this blog for? Is this for the admin? 780 00:37:48,600 --> 00:37:51,360 Is this for somebody who's doesn't know where to start? 781 00:37:51,480 --> 00:37:54,160 Help me kind of take me behind the mindset of of how this came 782 00:37:54,160 --> 00:37:57,240 about. I I we actually wrote this blog 783 00:37:57,240 --> 00:38:01,680 mainly because we had I'll call them customers sometimes 784 00:38:01,680 --> 00:38:04,160 prospects people we were talking to in the industry that were 785 00:38:04,160 --> 00:38:07,920 super frustrated with the state of identity in their clouds. 786 00:38:08,200 --> 00:38:11,120 So we run these cloud identity diagnostics and we would come in 787 00:38:11,120 --> 00:38:14,240 and we would say, you know, you have, let's say 20,000 788 00:38:14,240 --> 00:38:15,480 identities that aren't even used. 789 00:38:15,480 --> 00:38:18,080 If you want to break your lateral movement paths, you 790 00:38:18,080 --> 00:38:20,080 should delete those first. That's going to be the easiest 791 00:38:20,080 --> 00:38:22,000 solution. And people are like, wow, we 792 00:38:22,000 --> 00:38:25,960 didn't even know, right. And so we found that everyone 793 00:38:25,960 --> 00:38:29,200 would come talking to us with like these really complex 794 00:38:29,200 --> 00:38:30,920 identity problems. We want to get to least 795 00:38:30,920 --> 00:38:32,560 privilege. We want to put perfect policies 796 00:38:32,560 --> 00:38:34,880 on anything. We want to basically automate 797 00:38:34,880 --> 00:38:37,320 the developers getting the code right as they come in and all 798 00:38:37,320 --> 00:38:39,240 the stuff. And we would look at them and 799 00:38:39,240 --> 00:38:42,920 say, but that's not where you should actually start. 800 00:38:43,360 --> 00:38:45,960 You should start by saying you have a lot of administrative 801 00:38:45,960 --> 00:38:48,640 accounts in your cloud. Some of them are not used. 802 00:38:49,200 --> 00:38:51,440 You need to basically say which administrative accounts are 803 00:38:51,440 --> 00:38:53,520 break glass. They're not used, but they're 804 00:38:53,520 --> 00:38:56,600 supposed to be there and which ones are stale and need to be 805 00:38:56,600 --> 00:38:58,040 removed. And you need to do that first 806 00:38:58,040 --> 00:39:03,160 before you do anything else. If you do that, then we now know 807 00:39:03,280 --> 00:39:07,120 the unused identities that are supposed to be there. 808 00:39:07,640 --> 00:39:09,960 And what that means is now when you look at the 20,000 809 00:39:09,960 --> 00:39:13,560 identities that are completely unused, you can delete them with 810 00:39:13,560 --> 00:39:16,640 automation because you know that they're not supposed to be there 811 00:39:16,640 --> 00:39:18,520 and they're unused. Great. 812 00:39:19,200 --> 00:39:22,920 That actually will break huge numbers of lateral movement 813 00:39:22,920 --> 00:39:26,040 chains, and it will remove a whole bunch of work you were 814 00:39:26,040 --> 00:39:28,880 supposed to do for least privilege, because now those are 815 00:39:28,880 --> 00:39:30,520 at least privileged, they don't exist anymore. 816 00:39:31,480 --> 00:39:33,840 And what that leaves you with is when you then build your least 817 00:39:33,840 --> 00:39:37,160 privilege, the amount of work you have to do is far less. 818 00:39:38,000 --> 00:39:40,320 And when you fix the least privilege, most of the lateral 819 00:39:40,320 --> 00:39:42,680 movement chains will break and then you'll be at the point 820 00:39:42,680 --> 00:39:46,760 where you're actually in a huge improvement over where you were 821 00:39:47,400 --> 00:39:49,240 maybe as much as just a couple months ago. 822 00:39:49,240 --> 00:39:51,280 If you do this work right and get it done, you could probably 823 00:39:51,280 --> 00:39:53,680 automate it all in a day. But big enterprises take longer 824 00:39:53,680 --> 00:39:56,200 to do things than that. But you can do that. 825 00:39:56,480 --> 00:39:59,160 But we found a lot of customers coming to us that would want to 826 00:39:59,160 --> 00:40:01,400 do these very complex things and they would want to do all these 827 00:40:01,400 --> 00:40:03,760 crazy tasks and you're like, but you need to start with the 828 00:40:03,760 --> 00:40:06,480 basics. And it reminded me so much of 829 00:40:06,480 --> 00:40:09,280 my. Career earlier in you know the 830 00:40:09,280 --> 00:40:11,600 security and threat intelligence and we would go and people would 831 00:40:11,600 --> 00:40:14,160 want to do machine learning on log data and they would want to 832 00:40:14,160 --> 00:40:15,960 do all these anomaly detection whatever. 833 00:40:15,960 --> 00:40:18,800 And we would ask them simple questions like did you salt the 834 00:40:18,800 --> 00:40:23,120 password file They'd be like no. Like you need to go back there 835 00:40:23,120 --> 00:40:25,480 and do that first then we'll do anomaly detection. 836 00:40:25,720 --> 00:40:28,680 And this is a similar thing. People have to start at the easy 837 00:40:28,680 --> 00:40:31,720 stuff and automate it and get their their process in place. 838 00:40:31,720 --> 00:40:34,600 And if they do that, they will be in such a better place than 839 00:40:34,600 --> 00:40:37,440 where they are today. Other than being frozen in, I 840 00:40:37,440 --> 00:40:40,080 don't know what to do. It seems so complicated, right? 841 00:40:40,120 --> 00:40:42,040 And it's not. And there's other ways to do, 842 00:40:42,040 --> 00:40:44,640 like again, the blogs about us and how we solve things. 843 00:40:44,640 --> 00:40:47,320 But you know what? You can go to the AWS console 844 00:40:47,320 --> 00:40:49,720 and look for your unused roles. You don't need a fancy tool for 845 00:40:49,720 --> 00:40:51,360 that. You can go and get that data out 846 00:40:51,360 --> 00:40:53,480 of the AWS console and start removing those, right? 847 00:40:53,480 --> 00:40:55,920 You need a process to certify your administrators. 848 00:40:56,120 --> 00:40:57,800 You can do that with summary Security. 849 00:40:58,240 --> 00:40:59,840 There are other ways you could do it, right? 850 00:40:59,840 --> 00:41:03,320 So just doing that and getting the muscle memory on how to do 851 00:41:03,320 --> 00:41:05,960 it allows you to automate it and do it fast and great. 852 00:41:06,600 --> 00:41:10,120 It's amazing how much of security and identity security 853 00:41:10,400 --> 00:41:12,240 is building block based in my mind. 854 00:41:12,320 --> 00:41:17,200 Like if you don't tackle the basics, yeah everything that you 855 00:41:17,200 --> 00:41:19,000 do on top of that is just going to topple over. 856 00:41:19,000 --> 00:41:20,680 It's like a really bad game of Jenga. 857 00:41:21,400 --> 00:41:25,320 And so I kind of look at it. There was 1 statistic in here 858 00:41:25,320 --> 00:41:29,520 that I thought was interesting and it was basically up to 15% 859 00:41:29,520 --> 00:41:30,840 of identities. I'm reading it right now. 860 00:41:31,240 --> 00:41:33,520 Can self escalate their privileges? 861 00:41:33,960 --> 00:41:35,720 Can you talk about what that means? 862 00:41:36,440 --> 00:41:39,240 Yeah, it's it's different in every cloud and the way that 863 00:41:39,240 --> 00:41:42,920 they work in AWS, it often means you will have given this 864 00:41:42,920 --> 00:41:45,840 identity the ability. As an example, we see this a lot 865 00:41:45,840 --> 00:41:48,440 where it can modify a policy or something. 866 00:41:48,840 --> 00:41:51,560 Well, if it has a policy attached to it, it's identity, 867 00:41:51,600 --> 00:41:54,120 it can change the policy to give it more permissions and now it 868 00:41:54,120 --> 00:41:56,000 has escalated its own permissions. 869 00:41:56,720 --> 00:41:59,560 In AWS you have something called assume role which allows this 870 00:41:59,560 --> 00:42:01,720 role to become another role. Well if that role that it can 871 00:42:01,720 --> 00:42:04,320 assume has more permissions than itself, it can escalate its own 872 00:42:04,320 --> 00:42:07,080 permissions. In GCP you have similar 873 00:42:07,080 --> 00:42:10,800 scenarios where if you can, you know set IM policy on something, 874 00:42:10,800 --> 00:42:13,640 Well if you can set IM policy on something you can get to, you 875 00:42:13,640 --> 00:42:16,240 can give yourself more permissions and there by the 876 00:42:16,240 --> 00:42:17,720 way, there's hundreds of these examples. 877 00:42:17,720 --> 00:42:20,480 It's insane how many there are. And when we measure all of the 878 00:42:20,480 --> 00:42:24,680 identities across the cloud, we discover that basically 15% of 879 00:42:24,680 --> 00:42:27,400 them have this ability. That's really high. 880 00:42:27,400 --> 00:42:30,600 Like if you think about a good identity system, you would never 881 00:42:30,600 --> 00:42:34,160 have 15% of the identities can generate other identities and 882 00:42:34,160 --> 00:42:36,520 give them permission. That's a really big set of 883 00:42:36,520 --> 00:42:39,160 identities that could do that. But yet in cloud, we, a lot of 884 00:42:39,160 --> 00:42:41,520 them are workload identities, but we allow them to do that. 885 00:42:41,520 --> 00:42:44,520 And it's kind of unacceptable, but it's the reality of the 886 00:42:44,520 --> 00:42:46,800 statistics that come out when you measure across lots of 887 00:42:46,800 --> 00:42:49,840 customers. Is that something on the concept 888 00:42:49,840 --> 00:42:52,120 of like 0 standing privileges as sort of like the opposite of 889 00:42:52,120 --> 00:42:56,560 that where some of these maybe you know admin privileges are 890 00:42:56,760 --> 00:43:00,360 self escalating for the right reasons because there is there 891 00:43:00,360 --> 00:43:03,160 situations where yeah that actually is OK or is it? 892 00:43:03,160 --> 00:43:05,320 Always bad. It absolutely is. 893 00:43:05,320 --> 00:43:08,120 And we we have, it's interesting we do these cloud diagnostics. 894 00:43:08,120 --> 00:43:11,560 We have some kind of statistics that say you know generally on 895 00:43:11,560 --> 00:43:14,960 average people should be in these ranges and we like to see 896 00:43:14,960 --> 00:43:17,720 those the ones that are intentionally kind of self 897 00:43:17,720 --> 00:43:20,160 escalating and can add, maybe they're not even self escalated, 898 00:43:20,160 --> 00:43:22,560 they just have admins. We like to see those in those 899 00:43:22,880 --> 00:43:25,160 one 2% ranges. That's where we want to see 900 00:43:25,160 --> 00:43:27,520 those numbers, right. We don't want to see them at 901 00:43:27,520 --> 00:43:30,440 15%. And you know, the reality of 902 00:43:30,440 --> 00:43:34,480 clouds, when we look at it, it's often the machine identities 903 00:43:34,480 --> 00:43:36,560 that are actually over privileged, not always the human 904 00:43:36,560 --> 00:43:38,040 ones. Everybody wants to run their 905 00:43:38,040 --> 00:43:41,000 build role star, you say, but you only use 20 services out of 906 00:43:41,000 --> 00:43:42,640 the 200 available. Do you really think it needs 907 00:43:42,640 --> 00:43:44,640 them all? But we'll use them tomorrow. 908 00:43:44,880 --> 00:43:47,200 OK, so let's make an exception for the build process. 909 00:43:47,200 --> 00:43:49,280 Now let's go down the list of all of the things that came 910 00:43:49,280 --> 00:43:51,480 after the build on automation process that have the same 911 00:43:51,480 --> 00:43:54,280 problem, right. And so it is quite out of 912 00:43:54,280 --> 00:43:55,600 control. In a lot of cases in these 913 00:43:55,600 --> 00:43:59,440 clouds, it seems to me like this is a indicator of when Skynet is 914 00:43:59,440 --> 00:44:04,120 about to become self aware. It's a different, yeah, it's a 915 00:44:04,120 --> 00:44:06,800 different podcast. We'll go into the whole Skynet 916 00:44:06,800 --> 00:44:09,800 thing and that side. I want to ask some product 917 00:44:09,800 --> 00:44:11,600 specific questions. I kind of mentioned the shackles 918 00:44:11,600 --> 00:44:14,040 being, you know, off. In a conversation like this, 919 00:44:14,400 --> 00:44:16,800 what does it take to implement something like this? 920 00:44:17,200 --> 00:44:20,880 If I want to set this up, do I need I'm I'm assuming and feel 921 00:44:20,880 --> 00:44:22,920 free to correct me if I'm wrong, I need some sort of admin 922 00:44:22,920 --> 00:44:26,480 credentials to give to your product to say, hey, connect to 923 00:44:26,480 --> 00:44:28,880 this environment, this tenant, whatever it might be, right? 924 00:44:28,880 --> 00:44:31,120 Those sorts of things. Walk me through what it's like 925 00:44:31,120 --> 00:44:34,160 to set this up. Yeah, there's there's two sets 926 00:44:34,160 --> 00:44:35,680 of permissions you always have to talk about. 927 00:44:36,120 --> 00:44:38,280 There's a set of permissions needed to deploy it and then the 928 00:44:38,280 --> 00:44:41,880 set of permissions needed for it to run, and we separate those 929 00:44:41,880 --> 00:44:43,560 two. The person deploying it needs 930 00:44:43,560 --> 00:44:45,360 pretty sensitive permissions because they have to be able to 931 00:44:45,360 --> 00:44:48,640 put roles and accounts and and do things like that, and so 932 00:44:48,640 --> 00:44:50,840 they're creating permissions and entitlements and stuff like 933 00:44:50,840 --> 00:44:52,600 that. So it needs to be fairly 934 00:44:52,600 --> 00:44:54,960 administrative in that scenario. And every cloud's a little 935 00:44:54,960 --> 00:44:56,360 different. You know how it's done. 936 00:44:57,120 --> 00:45:00,040 The system itself, if you're looking for the visibility 937 00:45:00,040 --> 00:45:02,560 component of it, runs more like a security auditor. 938 00:45:02,640 --> 00:45:04,800 It really doesn't have any administrator permissions at 939 00:45:04,800 --> 00:45:06,040 all. It's really just gaining 940 00:45:06,040 --> 00:45:09,400 visibility as to what's there, and it's suggesting this is what 941 00:45:09,400 --> 00:45:12,800 the policies should look like in production or wherever you're 942 00:45:12,800 --> 00:45:15,000 running them. However, if you're going to run 943 00:45:15,000 --> 00:45:18,240 any of the automation, the bots to clean stuff up, the bots to 944 00:45:18,240 --> 00:45:22,320 delete identities, every one of those bots has a set of 945 00:45:22,320 --> 00:45:24,600 permissions that it needs, and we try to do this in this kind 946 00:45:24,600 --> 00:45:27,080 of least privileged way. If you're only going to run 5 947 00:45:27,080 --> 00:45:29,720 bots, then you just need to use the five permissions that those 948 00:45:29,720 --> 00:45:32,480 need and no more than that, and that allows them not to be one 949 00:45:32,480 --> 00:45:34,760 of those things that can escalate out of control as well 950 00:45:34,760 --> 00:45:36,960 in your cloud. So it works fairly well, but you 951 00:45:36,960 --> 00:45:39,760 will have to like we'll use the unused identity one, super 952 00:45:39,760 --> 00:45:43,920 simple to clean up. But actually to delete an IM 953 00:45:43,920 --> 00:45:46,240 user or roll out of AWS you don't need one permission. 954 00:45:46,240 --> 00:45:49,160 You need actually more like 9 or 10 because you have to remove 955 00:45:49,160 --> 00:45:51,320 the policies from it. You have to, you know, remove 956 00:45:51,320 --> 00:45:53,160 its access keys. You have to clean up after 957 00:45:53,160 --> 00:45:55,720 itself or the command to delete the identity will fail. 958 00:45:56,080 --> 00:45:58,960 And so again, each one of these has their own unique set of 959 00:45:58,960 --> 00:46:00,720 permissions to do it. But generally to get the 960 00:46:00,720 --> 00:46:03,520 visibility security auditors fine, you don't need anything 961 00:46:03,520 --> 00:46:05,480 too serious. It's only when you want to run 962 00:46:05,480 --> 00:46:07,320 the automation that you need a little more permission. 963 00:46:08,000 --> 00:46:10,600 How long does this take to run to collect all that information? 964 00:46:10,600 --> 00:46:12,560 Is it like I need to run it overnight? 965 00:46:12,560 --> 00:46:14,080 Is it days? Months. 966 00:46:14,080 --> 00:46:16,280 Seconds. It's easy to measure. 967 00:46:16,280 --> 00:46:18,800 The diagnostics are the easy ones to measure because that's 968 00:46:18,800 --> 00:46:21,520 kind of a once and done so like once to the point that you're at 969 00:46:21,520 --> 00:46:23,360 the state that you know everything that's going on. 970 00:46:24,040 --> 00:46:27,480 There is a always a a sizing question to how big is the cloud 971 00:46:27,480 --> 00:46:30,360 and there's another question as to how far back in time do you 972 00:46:30,360 --> 00:46:31,960 want to go to understand history. 973 00:46:32,200 --> 00:46:34,520 Generally 24 hours is what you're looking at. 974 00:46:35,320 --> 00:46:38,320 If you have a really big cloud, a lot of accounts and you want 975 00:46:38,320 --> 00:46:42,680 to go back 90 days in the past or 180 days in the past, it just 976 00:46:42,680 --> 00:46:44,280 takes time to read that log data. 977 00:46:44,280 --> 00:46:47,400 You can, you can scale it, you know, as you go, but at some 978 00:46:47,400 --> 00:46:49,920 point in time you run out of calls to grab the data across 979 00:46:49,920 --> 00:46:52,240 and transfer. So you know, maybe as much in a 980 00:46:52,240 --> 00:46:54,320 really big cloud, three or four days or something like that. 981 00:46:54,320 --> 00:46:56,680 But it's not. It's not forever by any means. 982 00:46:56,680 --> 00:46:58,920 It's it's measured in in hours and days. 983 00:46:59,720 --> 00:47:02,000 And what's it doing? It's capturing the data and then 984 00:47:02,000 --> 00:47:05,200 is it doing like a differential? Yeah, that's exactly what you 985 00:47:05,200 --> 00:47:07,240 can think of. So the, the, the discovery part 986 00:47:07,240 --> 00:47:09,040 of it is looking at all the current entitlements. 987 00:47:09,040 --> 00:47:10,440 You know, what does Jeff have for entitlements? 988 00:47:10,440 --> 00:47:12,120 What does the build role have for entitlements? 989 00:47:12,280 --> 00:47:15,120 You know, what has been deployed for resource policies on 990 00:47:15,120 --> 00:47:17,400 resources, things of that nature because they all control 991 00:47:17,400 --> 00:47:19,720 identities. Then it's looking at the audit 992 00:47:19,720 --> 00:47:23,360 data again cloud trail and AWS activity logs in Azure, whatever 993 00:47:23,360 --> 00:47:25,480 it happens to be. But it's going back those and 994 00:47:25,480 --> 00:47:27,960 it's comparing the delta between what you've been provisioned 995 00:47:27,960 --> 00:47:30,360 with versus what's actually been used to build those least 996 00:47:30,360 --> 00:47:33,040 privileged policies. And you do need that history. 997 00:47:33,040 --> 00:47:38,040 You know, people will often say, you know, I need, you know, two 998 00:47:38,040 --> 00:47:39,600 weeks of history and I believe I'll be fine. 999 00:47:39,600 --> 00:47:41,560 I think that's true in most workload identities. 1000 00:47:41,560 --> 00:47:43,400 If you can get a two week period, you probably know what's 1001 00:47:43,400 --> 00:47:46,120 going on. Humans are far less predictable. 1002 00:47:46,160 --> 00:47:49,920 You need much longer time frames to understand what humans do and 1003 00:47:49,920 --> 00:47:51,800 what types of least privileged policies you want to give them 1004 00:47:51,800 --> 00:47:53,120 and. Then I would assume there's 1005 00:47:53,120 --> 00:47:55,120 probably some sort of alerting or something like that to say, 1006 00:47:55,120 --> 00:47:56,960 hey, if I'm detected like an anomaly, right? 1007 00:47:56,960 --> 00:47:59,480 Or something's not the way I want it to be from a policy 1008 00:47:59,480 --> 00:48:01,560 perspective. How do I become aware of that? 1009 00:48:01,960 --> 00:48:04,760 Yep, there's there's, there's two. 1010 00:48:05,120 --> 00:48:06,680 I'll use it. You can use the word anomaly, 1011 00:48:06,680 --> 00:48:08,800 which is interesting. I will say there's two ways. 1012 00:48:08,800 --> 00:48:12,120 One is we have this insights view, we call it, which brings 1013 00:48:12,120 --> 00:48:15,240 to light all of the, you know, the misconfigurations and the 1014 00:48:15,240 --> 00:48:17,640 odd things that are going on. And it has some activity stuff 1015 00:48:17,640 --> 00:48:19,880 in it to say, hey, somebody just granted a new administrator 1016 00:48:19,880 --> 00:48:21,000 permission or something like that. 1017 00:48:21,000 --> 00:48:23,560 So that's more of an explore interface. 1018 00:48:23,560 --> 00:48:25,160 You can go in and explore what's going on. 1019 00:48:25,160 --> 00:48:28,040 You can explore how bad things are, how good things are, gives 1020 00:48:28,040 --> 00:48:29,760 you a nice risk score, things like that. 1021 00:48:30,360 --> 00:48:33,360 Then there's the I want to operationalize something. 1022 00:48:33,360 --> 00:48:36,920 I want to know if an identity has too much permission, or I 1023 00:48:36,920 --> 00:48:39,400 want to know if an identity hasn't been used in 90 days or I 1024 00:48:39,400 --> 00:48:43,040 want to know whatever those are. Those are, we call them 1025 00:48:43,040 --> 00:48:45,480 operationalized policies. And basically in that scenario, 1026 00:48:45,480 --> 00:48:49,520 you you define A-Team, you say we want them to react to this, 1027 00:48:49,520 --> 00:48:51,520 and then you define an integration for how you want to 1028 00:48:51,520 --> 00:48:53,160 talk to them. Maybe it's through Slack, maybe 1029 00:48:53,160 --> 00:48:54,800 it's through JIRA, maybe it's through Harvard. 1030 00:48:55,320 --> 00:48:57,600 You actually go and do that. Those same triggers can be 1031 00:48:57,600 --> 00:49:00,320 automated, so they can also run a bot and and automate that 1032 00:49:00,320 --> 00:49:01,840 process. So there's there's kind of two 1033 00:49:01,840 --> 00:49:04,880 parts to it. Then you used anomaly part of 1034 00:49:04,960 --> 00:49:09,200 and this isn't, is it the CIM space or is it UEBA or whatever. 1035 00:49:09,200 --> 00:49:11,840 You can talk about all these different spaces, but we 1036 00:49:11,840 --> 00:49:14,640 actually do a lot of profiling on the identities and when they 1037 00:49:14,640 --> 00:49:17,640 do odd behaviors and stuff, we generate alarms for those as 1038 00:49:17,640 --> 00:49:19,640 well. That's a whole another space. 1039 00:49:19,640 --> 00:49:21,560 I don't even know if it belongs in the CIM space, but it's 1040 00:49:21,560 --> 00:49:25,080 another thing that we do so. And as far as integration with 1041 00:49:25,160 --> 00:49:29,080 sort of other IT tools, I'm thinking of things like ITSM or 1042 00:49:29,320 --> 00:49:31,720 you know other SIM type tools. How does that work from like a 1043 00:49:31,720 --> 00:49:35,440 log perspective and working with other platforms that might be 1044 00:49:35,440 --> 00:49:38,320 the environment? Yeah, we're so we're obviously a 1045 00:49:38,320 --> 00:49:43,520 a SAS which sometimes is amazing and then sometimes terrible 1046 00:49:43,520 --> 00:49:45,680 depending on if you're dealing with an enterprise that has all 1047 00:49:45,680 --> 00:49:47,640 their tooling on Prem versus wherever. 1048 00:49:47,880 --> 00:49:51,840 So if it's the integrations with other SAS platforms, super easy, 1049 00:49:51,840 --> 00:49:53,080 right? You want to send stuff to Splunk 1050 00:49:53,080 --> 00:49:56,280 Cloud, you want to send stuff to, you know, the Jira Cloud, 1051 00:49:56,280 --> 00:49:57,840 the Elastin platform. That's all fine. 1052 00:49:58,280 --> 00:50:00,920 But say somebody has Jira on premise, right? 1053 00:50:01,160 --> 00:50:04,840 OK, well, that Jira, we can't talk to it. 1054 00:50:04,840 --> 00:50:06,800 It's no way to get in there. So it has to call out. 1055 00:50:06,800 --> 00:50:10,400 So we have things like apps that you put on Jira that call our 1056 00:50:10,400 --> 00:50:13,200 APIs to do that work and that works fairly well. 1057 00:50:13,200 --> 00:50:16,160 So we it's again, we have integrations with all of those 1058 00:50:16,160 --> 00:50:19,320 types of tools, The Sims or tools, all of the, you know, the 1059 00:50:19,320 --> 00:50:21,800 ticketing management system tools, all of the communication 1060 00:50:21,800 --> 00:50:23,720 tools for that. But the way you integrate with 1061 00:50:23,720 --> 00:50:27,200 them all depends a lot if that tool is a SAS platform or if 1062 00:50:27,200 --> 00:50:29,800 that tool is something deployed on Prem, there's a different way 1063 00:50:29,800 --> 00:50:32,280 of integrating with them. Any closing thoughts before 1064 00:50:32,280 --> 00:50:33,240 this? Because I want to talk to you a 1065 00:50:33,240 --> 00:50:35,280 little bit about EVs and electric vehicles. 1066 00:50:35,280 --> 00:50:37,720 I think you and I seem to be both be fans, but is there 1067 00:50:37,720 --> 00:50:40,920 anything that you'd like to kind of share as far as like anything 1068 00:50:40,920 --> 00:50:43,480 about sundry or what should people take away from this 1069 00:50:43,480 --> 00:50:45,520 conversation around cloud security? 1070 00:50:46,320 --> 00:50:48,120 Look, I think there's there's two profiles. 1071 00:50:48,520 --> 00:50:53,160 If you're the type of company enterprise and you really just 1072 00:50:53,160 --> 00:50:55,720 want to get that initial hit of visibility to see where you are, 1073 00:50:55,720 --> 00:50:57,400 you don't know and you're sitting there saying, I really 1074 00:50:57,400 --> 00:51:00,880 don't know where we sit in this, this gamut that cloud identity 1075 00:51:00,880 --> 00:51:03,080 diagnostic works well. You could reach identity of our 1076 00:51:03,080 --> 00:51:04,520 sales team. They would love to do one of 1077 00:51:04,520 --> 00:51:06,960 those with you. It's a super simple process, low 1078 00:51:06,960 --> 00:51:09,080 friction. In two weeks, you're done. 1079 00:51:09,080 --> 00:51:10,600 You have the report, it's yours to keep. 1080 00:51:10,840 --> 00:51:13,080 If you want to run one again in six more months, you can do 1081 00:51:13,080 --> 00:51:15,160 that. If you're the type of customer 1082 00:51:15,160 --> 00:51:16,840 that actually feels like you've got a handle on it. 1083 00:51:16,840 --> 00:51:20,400 You've written all of the deny policies and SCPS and Amazon, 1084 00:51:20,400 --> 00:51:23,120 you've built a beautiful identity model and you're really 1085 00:51:23,120 --> 00:51:25,440 worried that you missed something, that lateral 1086 00:51:25,440 --> 00:51:27,880 movement. Then Sunroof Security is your 1087 00:51:27,880 --> 00:51:30,120 company to basically figure out the stuff that you've 1088 00:51:30,120 --> 00:51:32,480 architected wrong in that in that platform. 1089 00:51:32,880 --> 00:51:34,840 And that's a different personality. 1090 00:51:34,840 --> 00:51:37,160 It's it's somebody that really cares a lot about their identity 1091 00:51:37,160 --> 00:51:38,560 models. We see it a lot in, you know, 1092 00:51:38,560 --> 00:51:42,800 large finance and places like that where they have put teams 1093 00:51:42,840 --> 00:51:45,320 of people actually building just phenomenal identity models in 1094 00:51:45,320 --> 00:51:48,200 their cloud. It it's almost kind of like the 1095 00:51:48,200 --> 00:51:50,920 best scenario is that you don't find anything, right? 1096 00:51:50,920 --> 00:51:52,800 It's like, hey, we were on a scan and hey, nothing came. 1097 00:51:52,880 --> 00:51:54,880 Up, nothing came up great. That's what you want, right? 1098 00:51:54,880 --> 00:51:56,800 That's what you want? I don't know if it ever happens, 1099 00:51:56,800 --> 00:51:58,600 but if it ever does, it's gonna be great. 1100 00:51:58,960 --> 00:51:59,960 Right. All right. 1101 00:51:59,960 --> 00:52:02,000 I wanna talk to you a little bit about EVs. 1102 00:52:02,000 --> 00:52:04,440 You and I are both EV fans. We were kind of talking before, 1103 00:52:04,600 --> 00:52:07,160 you know, the show started. And one of the things we do, and 1104 00:52:07,160 --> 00:52:09,840 this is still an identity at the Center episode, is we end on a 1105 00:52:09,840 --> 00:52:12,560 lighter note. And we're kind of talking about, 1106 00:52:12,760 --> 00:52:14,600 I wanted to come up with something EV related. 1107 00:52:14,600 --> 00:52:16,320 And so I'm gonna start with this one. 1108 00:52:17,080 --> 00:52:21,720 Imagine you could take any historical figure on a drive in 1109 00:52:21,720 --> 00:52:24,440 a modern electric vehicle. Your choice. 1110 00:52:24,440 --> 00:52:27,320 Whatever electric vehicle you want to use, who would you pick 1111 00:52:27,640 --> 00:52:30,000 and where are you gonna take them for a spin? 1112 00:52:30,960 --> 00:52:33,480 That's It's so interesting. And so I'm a car guy. 1113 00:52:33,480 --> 00:52:35,760 It doesn't even have to be an EV 'cause I just love cars in 1114 00:52:35,760 --> 00:52:38,320 general. And you know, if you had to take 1115 00:52:38,320 --> 00:52:40,840 some historical figure, I don't even need to go back for a fire 1116 00:52:40,840 --> 00:52:42,960 and pass, you know, like, take Carroll Shelby somewhere, that 1117 00:52:42,960 --> 00:52:45,200 would be kind of fun, right? Maybe I want him to drive. 1118 00:52:45,200 --> 00:52:46,400 I don't know. It's be interesting. 1119 00:52:46,880 --> 00:52:50,680 But I think, you know, people that ever built the original 1120 00:52:50,680 --> 00:52:55,200 race cars in like the, you know, 50s and 60s in that era and you 1121 00:52:55,200 --> 00:52:59,360 put them in a modern EV, it would be interesting to see 1122 00:52:59,360 --> 00:53:02,640 their face in some of the the rate and pace of these cars 1123 00:53:02,640 --> 00:53:05,640 accelerate for Rd. cars, right. You know, it's stuff my my 1124 00:53:05,640 --> 00:53:07,480 family often builds drag cars, right? 1125 00:53:07,480 --> 00:53:11,680 And they do crazy fast quarter mile times and then you take 1126 00:53:11,680 --> 00:53:14,200 them for a drive and a Tesla plot or something and you're 1127 00:53:14,200 --> 00:53:16,920 like holy, this is a road car. It's like, yes, it is a road 1128 00:53:16,920 --> 00:53:17,880 car. It's kind of amazing. 1129 00:53:18,240 --> 00:53:21,560 Now I will admit the handling of some of these E VS is not so 1130 00:53:21,560 --> 00:53:23,840 great. I'd rather have a very light car 1131 00:53:23,840 --> 00:53:26,680 versus an EV in many cases. But you say where to go. 1132 00:53:27,040 --> 00:53:30,240 You know, man, the Salt Flats would be a pretty cool spot to 1133 00:53:30,240 --> 00:53:31,440 go for a drive. One of these, because of the 1134 00:53:31,440 --> 00:53:32,800 acceleration and those types of things. 1135 00:53:32,800 --> 00:53:35,560 Somewhere where you can really, you know, unlock these cars over 1136 00:53:35,560 --> 00:53:38,320 a distance at speed and at pace would be would be fun. 1137 00:53:38,640 --> 00:53:41,840 You probably wouldn't pick, you know, the twisty turny back 1138 00:53:41,840 --> 00:53:44,160 roads of Isle of Man or something, which would be more 1139 00:53:44,160 --> 00:53:46,760 fun in a lighter car. So anyway, that's what I would 1140 00:53:46,760 --> 00:53:49,080 do. I would take care of Shelby to 1141 00:53:49,080 --> 00:53:52,560 the Salt Flats and we would jump in something crazy fast, like a 1142 00:53:52,840 --> 00:53:55,600 Tesla Model Plaid or some crazy lucid and we would just open the 1143 00:53:55,600 --> 00:53:56,720 thing up. It would be awesome. 1144 00:53:57,720 --> 00:53:59,520 Jim, what about yourself? I know you're not so much on the 1145 00:53:59,560 --> 00:54:01,440 EV side, but you got this giant truck. 1146 00:54:01,560 --> 00:54:04,160 Let's pretend you've got an EV. Who are you going to take on a 1147 00:54:04,160 --> 00:54:06,640 ride with that? Well, actually, you know, one of 1148 00:54:06,640 --> 00:54:09,400 the great things about identity at the center is I can turn my 1149 00:54:09,400 --> 00:54:12,920 question into whatever I want and I don't care at all about 1150 00:54:12,920 --> 00:54:14,680 EVs. So I'm going to twist the 1151 00:54:14,680 --> 00:54:17,560 question of I could take somebody from the future where 1152 00:54:17,560 --> 00:54:21,680 everybody's driving EVs and I could pull them into the past 1153 00:54:21,880 --> 00:54:27,040 and drive them around in a fossil fuel burning truck and 1154 00:54:27,040 --> 00:54:29,160 show them what that was like. That's what I would do. 1155 00:54:29,520 --> 00:54:31,600 With a respirator and something else, right? 1156 00:54:31,600 --> 00:54:35,800 So they don't, they don't die. Hey, I don't know. 1157 00:54:36,200 --> 00:54:39,720 You know, maybe the the error's worse in the future. 1158 00:54:40,320 --> 00:54:43,200 Never know, you know you. Leave it to me to bring things 1159 00:54:43,200 --> 00:54:44,360 down there, yeah? Way to go Jim. 1160 00:54:44,440 --> 00:54:47,000 As always, Sandy, you mentioned the Salt Flats and I was kind of 1161 00:54:47,000 --> 00:54:50,840 thinking the same thing as like someplace where I can floor it 1162 00:54:50,840 --> 00:54:54,800 and keep it forward for a while. I would be, I would be afraid 1163 00:54:54,800 --> 00:54:58,680 of, you know, hitting like a Pebble at like 160 miles an hour 1164 00:54:58,680 --> 00:55:01,480 and like flipping. I'd like to bring somebody like 1165 00:55:01,480 --> 00:55:04,760 Nikola Tesla or somebody like that to say like, you know, 1166 00:55:04,800 --> 00:55:08,880 someone who was ahead of their time bringing them forward and 1167 00:55:09,880 --> 00:55:13,000 you know, hey, look, this car is named after you, right? 1168 00:55:13,000 --> 00:55:15,640 That kind of thing. And just to kind of see kind of 1169 00:55:15,640 --> 00:55:20,040 the expression of you know the the building blocks that came 1170 00:55:20,040 --> 00:55:22,360 before us to build that. But yeah, I'd love to get it 1171 00:55:22,360 --> 00:55:24,760 like a a lucid. Those are crazy fast. 1172 00:55:24,760 --> 00:55:27,840 I mean definitely the plaids on the Tesla, I have a performance 1173 00:55:27,840 --> 00:55:31,480 wise, so no slouch I'm I'm doing pretty well with that one and my 1174 00:55:31,480 --> 00:55:35,680 favorite thing to do in it is to surprise my wife and goose it 1175 00:55:35,960 --> 00:55:39,720 when she's least expecting it. So that's just a little thing 1176 00:55:39,720 --> 00:55:41,200 that I like to do to show that I love her. 1177 00:55:42,160 --> 00:55:44,760 Exactly. Her neck slams back against the 1178 00:55:44,880 --> 00:55:47,240 headdress. And it's usually followed by 1179 00:55:47,240 --> 00:55:49,800 some sort of cry or or something like that. 1180 00:55:50,080 --> 00:55:51,720 So that's how I that's the way I like to roll. 1181 00:55:52,040 --> 00:55:54,480 OK well, I think this has been a great conversation and thank you 1182 00:55:54,480 --> 00:55:56,000 so much Sandy. We're going to have a whole 1183 00:55:56,000 --> 00:55:58,360 bunch of links in our show notes for people to check out more 1184 00:55:58,360 --> 00:56:02,440 about Sun Reece Security SONRAI security.com. 1185 00:56:02,640 --> 00:56:05,360 I'm going to try to use the other eye, the Irish version of 1186 00:56:05,360 --> 00:56:06,360 it. We'll just go with that. 1187 00:56:06,640 --> 00:56:09,120 We'll have a link in our show notes to the four steps to 1188 00:56:09,120 --> 00:56:10,960 secure cloud and easy. You're stuck again. 1189 00:56:10,960 --> 00:56:13,640 Great SEO name. So kudos to whoever's put coming 1190 00:56:13,640 --> 00:56:15,920 up with those blog titles. And then of course Sandy, if 1191 00:56:15,920 --> 00:56:18,080 you're open to it, we'll have a a link in our show notes for 1192 00:56:18,080 --> 00:56:19,320 people to connect with you on LinkedIn. 1193 00:56:19,320 --> 00:56:21,400 If they've got questions or wanna get more information, 1194 00:56:21,640 --> 00:56:24,400 hopefully you're good with that. I did do a demo of your product 1195 00:56:24,400 --> 00:56:26,720 in the real world outside the product, I was really impressed. 1196 00:56:26,720 --> 00:56:29,880 So I would definitely encourage people to take a look at it and 1197 00:56:29,880 --> 00:56:31,080 see what you guys are kicking around over there. 1198 00:56:31,080 --> 00:56:33,040 It's it's pretty good. Anything else you wanna add 1199 00:56:33,040 --> 00:56:35,880 before you wrap things up? No, look, thanks for having me 1200 00:56:35,880 --> 00:56:39,200 today on the inaugural, whatever you're calling this particular 1201 00:56:39,200 --> 00:56:41,960 series, but I'm glad to be the first and hopefully all the 1202 00:56:41,960 --> 00:56:45,200 other ones are just as exciting. Yeah, we appreciate that. 1203 00:56:45,200 --> 00:56:47,280 And yeah, well, we, we did it live. 1204 00:56:47,280 --> 00:56:49,080 I feel pretty good about the way the conversation turned out. 1205 00:56:49,080 --> 00:56:51,880 It was very educational. I learned a lot and we'll go 1206 00:56:51,880 --> 00:56:54,440 ahead and leave it there. So you can find us on the web, 1207 00:56:54,440 --> 00:56:57,560 IDC, podcast.com. And thanks everybody for 1208 00:56:57,560 --> 00:56:59,280 listening and we'll talk with everyone in the next one. 1209 00:57:00,920 --> 00:57:03,840 You've been listening to Identity at the Center. 1210 00:57:04,160 --> 00:57:08,240 We hope you've enjoyed the show. Make sure to like, rate and 1211 00:57:08,240 --> 00:57:11,880 review and we'll be back soon. But in the meantime, hit the 1212 00:57:11,880 --> 00:57:16,040 website at identity@thecenter.com and find 1213 00:57:16,040 --> 00:57:23,440 us on Twitter at IDAC Podcast. See you next time on Identity at 1214 00:57:23,440 --> 00:57:24,400 the Center.