Threat Vector 8.22.24
Ep 31 | 8.22.24

Identity Under Siege: Insights with Okta

Transcript

Jamie Fitz-Gerald: I used to be a fitness instructor, where I taught spinning classes for many, many, many years.

David Moulton: So, you're one of those guys that turns people's legs into jelly.

Jamie Fitz-Gerald: Yes. It was something that I definitely took pride in, which was that people who were extremely into cycling would take my class and feel the pain, even though I'm not really a cyclist [chuckling]. [ Music ]

David Moulton: Welcome to "Threat Vector," the Palo Alto Networks podcast. I'm your host, David Moulton, Director of Thought Leadership. Today, I'm excited to be joined by Jamie Fitz-Gerald, from Okta. At Okta, Jamie focuses on access management, devices, and security and risk. [ Music ] In today's episode, we're going to talk about the evolution of identity security and its role as the new perimeter in today's hybrid work environment; the importance of strong identity controls, including multi-factor authentication, passwordless authentication, and other advanced security measures; how identity is the foundation of a zero-trust security strategy; and the emerging trends and technologies that will shape the future of identity security. Here's our conversation. Jamie, thanks for coming on "Threat Vector" today. I know we're going to get into the conversation around identity, but I wanted to start by asking you about your career. Take us through that journey.

Jamie Fitz-Gerald: Yeah, it's a pretty lucky journey, I guess, I'll call it, that started off with software engineering, and I kind of worked my way into that world, and I was working at a defense contractor, I had kind of grown my career there, and had a team, and all that good stuff, but this is really a story of network, not networking, which is going to come later, but it was about my network, and I had a good friend whom I had gone to undergrad with, and had gone off to business school, and he ended up at some tiny, little cybersecurity startup that he had asked me to check out with him. It was this thing called Palo Alto Networks, ironically. And I quickly said absolutely not, I'm doing so great in my defense contractor software engineering career, and then I kind of got word that he was in the Silicon Valley, and he was doing this thing, and we stayed in touch, and it was about that time that I gave him a call and said hey, are you still at that startup? How is it doing? And he said "I am at that startup, it's going really well, and you should come." And the next thing you know, I moved to the Bay, and started this new crazy career in cybersecurity. And really, I started off by kind of owning the way that you manage intel's networks next-generation firewalls, and then my career really kind of just-it was the incredible growth of Palo Alto Networks that allowed me to have multiple careers within Palo Alto Networks, in which I owned the, you know, threat prevention, IPS subscription, App-ID, Device-ID, decryption, you know, many different aspects of the Palo Alto Networks next-gen firewall platform, and then I owned Identity at Palo Alto Networks, and it became really interesting to me. I started to see, you know, different threat vectors that I had not seen.
I had been at Palo for almost 11 years, and it was time for me to see something else, and see what's out there, and therefore, I got an opportunity to go to Okta, and take on Okta Verify, the way you actually authenticate and promote people, and I always loved it. I thought it was a really easy, smooth, user-friendly experience, even though we were like, purposely adding footing to an auth story and as we're going to probably talk about later, identity is going to become more and more important in the security landscape.

David Moulton: Yeah, so Jamie, you said something and I think it's an under-appreciated opportunity, when you can move around your career within the same company. I want you to talk about that a little bit, and how cross-pollination can reinvigorate your passion and your interest.

Jamie Fitz-Gerald: Totally. You look backwards, and you kind of see this path, but when you're in the moment, you don't necessarily know where it's going. And I think that my, like, TL;DR is this: you know, be great at what you do, and be curious to learn about other areas, and let people kind of see that, you know, you can execute, you can learn, you can talk about the product, you can try to find ways to integrate, because then people will say hey, there is a new opportunity here. There is a new opportunity there, and next thing you know, I was able to kind of expand from, like I said, management into centralized management, and then we really wanted to get into this concept of analytics. It was kind of like the next major step. And we had introduced and created this new data lake thing, and-but the concept was really taking a bit of a chance, but it's the lowest risk chance you can take, being inside the same company with a great reputation ideally, for you to kind of say what's new.

David Moulton: Right.

Jamie Fitz-Gerald: How can I add value, and how can I, you know, kind of drive the next step of where this company can go. I highly encourage it to anybody that is, you know, thinking of career moves.

David Moulton: I remember years ago I called it my year of yes, probably six or seven years ago. And the idea was that no matter the opportunity that came up, I had a bias toward saying yes. It was exhausting at the time, but it was also an incredible payoff. My network grew. My skills grew. I found myself doing things I had no business doing, but with people who are willing to pitch in, to teach me, to help me out. And that led to a lot of new opportunities, that led to a reputation as someone who was willing to try, and once you have tried a bunch of different things, you can make connections that others don't readily see. And I think that leads to innovation, to fresh perspectives. I think you and I are both able to look back and see the path or the patterns, but when you're doing it, it isn't always clear. What is clear is going in with a mindset. A mindset that says yes, I'm going to try something new, I'm going to invent the future, and especially at a place like Palo Alto, or a technology company where a lot of the answers are unclear. A willingness to ignore the ambiguous and to try is-it's the right attitude. It's the right approach.

Jamie Fitz-Gerald: Totally.

David Moulton: In today's cybersecurity landscape, why is it that identity is considered the new perimeter?

Jamie Fitz-Gerald: Yeah, I think that it's, again, in my mind, having to do with the world that we live in today, the modern workforce, the hybrid reality of life, which is, you know, historical brick and mortar, the traditional perimeter has been evolving. I think as, I'll kind of say this, that identity is the one door [chuckling]. It is the one place where you can ensure you have some security control no matter what. Now, it becomes tricky, in a modern environment, where you have BYOD, so what security controls do you have there? Well, you might have contractors and business partners, and in that world, you may or may not have security controls. You might have to trust someone else to have security controls. I think that when you just look at that, and you look at that landscape, you start to ask what controls do I have all the time? Well, ideally, you have identity as part of your core strategy to protect your most important resources all the time in every deployment, no matter how you run your organization, or how you have to run your organization frankly, if you're a security practitioner-sometimes you would love to do something more, but you feel like you can't. Or there is business need to do something else, and so I find it really important to think about the identity as the perimeter because it is unanimously and ubiquitously deployed. There is no other way in, ideally, to access resources than through your identity deployment, whereas you may not have your endpoint, or your network, or all the other things that you'd like to have in place, in every one of those aspects. So I think that it becomes the new perimeter. Now, I'm not suggesting you should not have a defense-in-depth strategy. You should absolutely have a defense-in-depth strategy. I'm just saying that identity should be at the core of it.
Because there should be no use case where you don't at least enforce the cure-alls, the best practices you can lay there, and putting your best foot forward when it comes to accessing resources, even in an environment where you don't have the rest of your security stack in place. For whatever. [ Music ]

David Moulton: I've got to figure that there were some real pivotal moments or influences that shaped your perspective on cybersecurity. Could you talk about one or two of those?

Jamie Fitz-Gerald: Where do I start? I'll give you one example of one that I thought was fun. I had a friend who, we used to work together at this defense contractor. And you know, he was always interested in cybersecurity. And he was like one of the sharpest guys. Again, part of your network, the guy that you kind of look at and go wow! That guy is going to do great things. And [chuckling] he was the guy who also would do things that you're like, I'm not going to do. Like, he downloaded the U.S. Department of Defense's report on China's cyber usage. This was back in like 2009, or '10. And somehow, I'm guessing, there was some type of malicious software that was embedded into this link that he clicked, and next thing you know, he went off to some vacation, came back home, and again, we worked at a defense contractor, so he walked up to his desk, and his computer was gone. And he was like, what is going on here? Because both of us happened to be in grad school at the same time, and he was working on his Master's thesis, and the only copy of it was on that machine, because we weren't like cloud, and the world has evolved a lot since that time. And so it turned out that lo and behold, there was some type of backdoor that was installed, probably when he downloaded this thing to read, and they discovered it and took his laptop away, and he had to get Senior Vice President approval to just get his thesis off of this machine. And that was the day that like I was like, oh! This is real. Like, this is not just something that people talk about, it's not just on the news, like, this is the new frontier, as we're sitting in a defense contractor, realizing that actual espionage is taking place.

David Moulton: This isn't an academic exercise-

Jamie Fitz-Gerald: It's not academic. Exactly. And I think, you know, not everyone gets to have that hands-on, literally right next to you, you're like feeling it, and this man like, you know, panicking, his life-his whole education career is sitting on this thing. The good news is, he ended up getting his thesis back, and he got his Master's and he actually is in cybersecurity as a superstar, a VP, and all that, but it turned out that that was one of those pivotal moments that I kind of started-it actually got my eye on this. And it wasn't the moment that I decided to move and change my career, but it was one of the key moments for me to realize that this is something that the world is going to know a lot about here, if you didn't really know it yet.

David Moulton: I think that experience, that willingness to observe what's going on around you, maybe you didn't feel it personally, but you certainly saw it up close and personal, is absolutely influential, and a lot of us have had that moment. I go back to our GM at my previous career at IBM, and he made a comment that really resonated with me. He told a story about the first piece of mail that your baby gets and that it's this letter that says that their identity has been compromised due to a breach at a healthcare provider, or an insurer. And you have this cute little baby child, and you've got this form letter, and you're looking at the two, and you see that you need to protect their identity, and you realize, these two things should never have to go together. And that really resonated with me at that point in my life as a dad, and I've never forgotten it. It's been one of those things that says how do I push back against these things being a reality? And I think as we get into this conversation around identity, I look at it, and I'd ask you to school me on this, but to me, identity is a proxy for trust. If I don't know who you are, I can't let you in. If you don't know who I am, why would you give me access? Why would you give me information? Why would you let me into your systems? That is the new perimeter, and maybe that's the thing we should talk about. What are some of the concerning threat vectors that you've been observing recently, and how are those evolving?

Jamie Fitz-Gerald: So, I guess, first I want to comment on, I think it's an amazing story and terrifying in one way, and I just-about the hospital and the child, because I know that feeling, and it's real. So I just wanted to kind of comment, and add that, I think, you know, we see all these attacks that are taking place, and you know, the role that we have in this industry is actually helping to make sure that those emails aren't coming. And so I take that really seriously. So I just, I wanted to connect to that, because I think it's a really important role in the world. So I hope that everyone who is listening to this can kind of take some pride and to know that you're doing really important work. So! There's that. I think as we talk about identity and the threats that we have, I do think that when you talk about, it is about trust. It is all about trust. And I think that it's interesting how there's a lot of good analogies between the physical world, and identity on the internet, and in corporate networks. And really what it comes down to is, you know, I don't know who you are, David, until we got a chance to meet. Until I got introduced. Until I either trusted someone else to introduce me to you, or you provided an identification of some sort to prove you are who you are. You know, a lot of those kind of systems that we've had in place in our everyday lives, we've tried to make, you know, analogies, or you know, similar systems in the corporate world. And so I think that we've done good jobs in certain cases, and not so good jobs in other cases. We'll probably cover some of that, as we walk through. But I think if you talk about the threats that are taking place, and like the evolution of it, I would say a couple of different things. Number one, I think that the world changed. And when the world changes, adversaries adjust. And what I mean by that is, we work from home more than ever. COVID fast-forwarded that more than ever.
Like people have workforces that are not within a brick and mortar, you know, HQ, or the normal perimeter sect, I mean, these things have been happening. But then like the firestorm of COVID and everybody working from everywhere, again, because of this cataclysmic change in our lifestyles, in every single organization, from you know, state and local governments having to suddenly support remote work, which they never even thought of before. It became a really interesting challenge, because adversaries knew that they had the weakest link, isolated. Like, a predator seeing the thing that they want in isolation. Which means, they're at home, and what is their security staff? What does it look like? And it became that, identity became the most attacked vector because it became easier, theoretically, to do a credential attack and log in from anywhere, because anywhere was acceptable all of a sudden. Working from anywhere made it such that I can't just shut down access to a particular resource or app to say you must come from HQ or an office building. And so if I can simply steal credentials, or act as if I am David or Jamie, then I suddenly had access to whatever I wanted with the least amount of friction, and it's very difficult to trace, historically. And so that is the landscape that led to the rise in phishing attacks that we have seen, like unbelievable amounts of growth. With the rise of social engineering-please.

David Moulton: No, I was going to ask if there is a particular case study or an industry event that is really an exemplar of what you are talking about?

Jamie Fitz-Gerald: I think there are many. I think-we saw an anecdote I've shown to a couple of different executives, and I think it's just explanatory of what's happening. It was about, and we're going to talk about this more later I think as well, which is phishing and MFA, and just thinking that like historically we thought we were fine. In the beginning, with just a strong password, that was okay. And then, in about 2019, there was a study that came out that said getting the MFA would stop like 99% of phishing. Full stop. Like, done. And we fast-forward to today, and like, my entire talk track is passwords are dead, and traditional MFA, which is push, or SMS, are completely insufficient, because adversaries know how to bypass all of those. So it's funny that literally this is in less than five years, what we used to say was 99.9% acceptable is no longer even thought of as a plausible answer to what is happening in our world, and I can-I find that quote, at some point, if we have a chance, I'll find it.

David Moulton: Yeah, if you've got access, we'll include it in the show notes, as an artifact of a different era. I mean, it's only a few years ago, but in tech and in security, like you mentioned multi-factor authentication, it was often touted as the critical defense, but you've also said that it's no longer seen as something that is going to give us that 99.9% of ability to stop phishing dead in its tracks. How effective is the practice now? What challenges do organizations face in implementing it? Talk a little bit more about MFA for me.

Jamie Fitz-Gerald: Yeah, no doubt. So MFA, as in multi-factor auth, is still in the critical line of defense. And so I don't want to suggest that doing MFA is not important. It is important. I think what my ask is, is for folks to look at the quality, or call it the trust level or assurance level, based on what type of MFA you use. So what this comes down to is historically, rolling out MFA into an organization alone was seen as a high task, because you have to go roll out some type of factor, or you have to have a phone, or you have to have a push mechanism, which means you have to have an app on a phone. Some folks have gone with these, you know, hardware tokens, where you're having to carry around these, like, you know, a key of some sort, or even the rotating number historically. We've seen all of these. And I think the friction of rolling out any of those things, dealing with lost devices, how do I manage a large fleet? How do I actually deploy it in front of all of my apps, including legacy applications, where it-modern auth may not be baked in-have all been real challenges for folks to get there. So, I think, again, it's still a worthy cause to get there, because not everyone even uses MFA today. But the message I want folks to understand is that there are new opportunities that have been brought to us by modern technology that you can really lean into, and it's how you use your phone, it's how you use your laptop today, which is the Face ID, the Touch ID, the biometrics that we're used to every day, we use in our banking, we use to unlock our devices, and that consumer experience that folks have gotten used to, what you don't realize is actually really interesting. Just doing the Face ID or Touch ID is actually multi-factor auth. And we're like, what do you mean? I'm just doing this one thing.
Well, the way that it works is that the only way to leverage the biometrics that you registered on these devices, or even a PIN code, means that you know, I know that it is your device that you are in possession of. That is called a possession factor. That is, we know what you have. We trust it. It has been registered with us in some way, shape, or form. Also, when you go to authenticate with your biometrics, you now can assure that it is you in a passwordless way. Which means that, in this case, there is no way to remotely convince you to biometrically log into this particular device, which means now we have high trust of who you are. We know what you have. And who you are. Just that alone is a multi-factor auth. Now what is cool is that we can now do even more things behind the scenes. We can gather more information about that device. We can ensure the device is in a good, you know, state, when you go to authenticate. There are so many more things that we've done, but if you just take it from a pure MFA perspective, I think the exciting part that we have in the industry, for my first time in my career, I can say I can make my end user's experience better, and significantly raise the security bar in an organization. And so that's why I get really excited about kind of the state of MFA, and where I see it going in the very near future. [ Music ]

David Moulton: So, Jamie, in a previous life, I was a software designer, I built UI, UX, I now find myself sitting at the intersection between a career that is informed by delight and frictionless experiences, and if you are a designer, you've probably said some of those statements, and then, on the security side, where often extra security means extra steps, extra friction, it means slowing down what the user wants to do, and it is exciting to me, to think about how you bring together a great UX, a great user experience, while also increasing the amount of security, the amount of safety and trust that the end user would experience, and therefore, when you multiply it by everyone that is in your organization, that's a huge gain for security, and for good experience. I want you to talk about how critical it is for identity solutions to integrate that seamless experience. What's the value to the organization? Whether that is security, whether that is IT, whether that is the organization as a whole. Talk to me a little bit about the value of a seamless experience.

Jamie Fitz-Gerald: I would say there is so much value in the seamless experience, from a perception, from an end-user kind of experience. It actually can be-there has been some study, and I'm not going to quote any of them directly, but there have been some studies that having a modern auth experience, or a low-friction experience, attracts better talent. Because people feel like they are working in a modern organization that cares about making sure that they are able to be effective and quick to get their job done. So I think it really does span the spectrum, but if I'm going to be very clear, and very crisp on this, I think having the ability to have secure auth, leveraging the device that you're accessing your resources from, without having to leave the device, without having to go get a second device in any way, shape, or form, that alone is a productivity increase that is obvious. You can feel it. Every day, you don't even say, even if you have to auth to get into another application because it's a more risky auth, or you haven't authenticated for some time, if you simply have to touch a finger or look at a camera, you don't even think, you just do it. The speed bump that the security team put in place for security outcomes doesn't feel like a bump. It's almost like a carriage return, we just do it. And I think when that happens, your end users feel like security is not bothering them. And they feel like they're able to do their best work. So I think that's a really exciting kind of feeling part of it. Now, when it comes to security, again, I want to make sure that it's very clear that when you have a passwordless experience, where I cannot phish you into giving me credentials, because credentials don't exist.
You literally have a secret key, written into a trusted hardware module, a TPM, and the only way to get access to that is to unlock it with biometrics, which means that like I can go down the crypto route, and go down the security outcomes that I can offer, and I can't convince you to do a phishing website when you click on this link if you can go do all of this and put this in place, which is pretty amazing. Again, the concept of a remote phishing attack can be essentially squished, as long as you enforce this everywhere, is an amazing outcome that only a few years ago I would ask a security, like a CISO, what's this thing that keeps you up at night? And they used to tell me all the time, phishing. And I would say why? Like, why? I mean, we have all these great security controls, he goes, because if I get phished, all my security controls are gone, nothing matters. That is, if-once I have that key, I walk in the front door, and I don't even have any network or endpoint controls at that point.

David Moulton: So, Jamie, when you're talking about moving away from a password world to one that's using multi-factor, and we're not quite there yet, to what I think you're talking about is like a passkey. There is a public portion of the key, there is a private portion of the key, there is the auth server that sits in the middle, that's the third part of the handshake. It means that if I go to fake bank dot com, that looks like real bank dot com, and they don't have the public portion, I never had a password to steal, the authentication never occurs, it doesn't matter if I click the link, and I can't believe I'm actually saying this on a security podcast, but here we are.

Jamie Fitz-Gerald: Right [laughing]?

David Moulton: This is an incredible idea. And when I think about what end users have to agree to when they adopt something like this, this heavily relies on computer science to protect them, rather than this password that I think is very random and hard to guess. What does it take to get an organization to implement it?

Jamie Fitz-Gerald: So, it's important to do this, so I'm going to do it, that there are two worlds that we need to talk about here. Because in one world, it is the consumer world, then the websites and the things that you reference, you know, if you were using Gmail, even in our personal life, you might have seen that they're starting to introduce passkeys as an option. And in the consumer world, there is an evolution that's taking place on folks getting towards passkeys. Generally, passkeys offer you the ability to have phishing-resistant auth. Phishing-resistant auth is a term that is essentially coined by NIST, in terms of what they mean by phishing-resistant auth, and that means that you get all those properties that you just described. This is great for the world. This is great for our industry, for you and I, my parents logging into things. And we have been leaning into that, and really driving at, you know, where Okta is part of the FIDO Alliance, and we actually offer a different part of our product line. There's two major parts of Okta's product line. One is selling to the next SaaS company who is starting their new product, and they want to have an identity journey, and we support passkeys natively as part of that platform. So if somebody wants to try on passkeys for their app, they could just do it. The second part is workforce. And I just want to separate this out because both of these things matter. Now what's really interesting is, in the workforce land, when Okta is your IdP, and your access management solution, essentially what you're doing is you're integrating Okta into all of the apps that are out there that you're using. This is your work, this is your service, now-whatever your corporate apps are, you integrate Okta. And we can do whatever credentials you want. We can also offer you phishing-resistant MFA, out of the box natively.
Now, what's great is, because we are the one way that you log into all of your corporate apps, you get SSO, we had to build this one experience of seamless passwordless auth to Okta, and then an organization gets that across all apps like that. And so because of that, it allowed us to drive the industry forward by saying, like, in reality, passkeys is great, and it is evolving, but in an enterprise environment it doesn't give you everything you want. It gives you phishing-resistant auth, which is a huge step forward. But there's other things you want. I want to know more about that device. Is it a managed device? Is it a trusted device? Does it have a good posture? Is it integrated with my EDR solution or XDR solution? Does it have the right version that it's running? Can I get all of that in that same single auth? And the answer was yes, if you build towards that. And so Okta leaned in to build a purpose-built enterprise authenticator that gives you all of that with that same user experience of the one touch, and you know, passwordless auth. But it does more than just secure auth. So I am only just kind of laying that out because having passkeys is huge for our world, and getting away from knowledge factors, but leaning in towards biometrics as a way to give phishing-resistant auth, plus all the other things we did, we could do, is something we actually call FastPass, at Okta. But it's something that has been an amazing growth for all of our customers, because it allows us to actually do more.

David Moulton: Jamie, I may have just had a small epiphany or a realization in real time. Is what you're talking about with passkeys consumer, and what you're talking about with FastPass, or what the Okta solution does, more along the lines of zero trust?

Jamie Fitz-Gerald: The answer, my short answer is, yes. But there's nuance, and the world is evolving, so I'll tell you this, like the concept of passkeys when it originally launched was very clearly specifically for consumer use cases. In fact, Apple brought it to market first. It allowed you to switch over from a password to a passkey. It was backed up into your iCloud. All of that happened like overnight with Apple [inaudible 00:32:58] which was phenomenal for the industry from a consumer perspective. On the enterprise side, we started to actually say well that's great, but actually may not be perfect for some of the use cases we had in enterprise, like I don't actually want my passkey backed up to your personal iCloud. I don't actually want that. I want to be able to control that. And so people have really kind of given more constraints. That has led the industry to start to evolve even further, so that now passkeys and hardware tokens and all of that is actually evolving as we speak, so that there are more controls baked into the usage of this more secure offload. [ Music ]

David Moulton: Jamie, let's shift gears a little bit. What are the key strategies that organizations can use to unify and simplify their identity management systems?

Jamie Fitz-Gerald: It's really important for folks if they're looking at their overarching strategy, and I'll just break it down to your zero trust average, I mean, most organizations have gone through some type of zero trust journey or they have a strategy, or they have a plan in place, and I think when you really look at that plan, I'll make some kind of bold statements, like I don't think you can get security right if you don't have identity right. It shouldn't be controversial to say that, but it is so important. I think that when you look at the opportunities that are put in front of an organization to kind of think about an identity strategy, you really start to look at identity as not one thing. It's not just IdP anymore. Now you start to look at governance. We start to look at privileged access. You start to look at your security aspects, your ITDR, which is Identity Threat Detection and Response. These are all different components of the zero trust strategy that, again, I think is underpinned by and really should kind of start from an identity perspective out. And so it's actually kind of fun, since I've been at Okta, and even if you just look at Okta in the last five years, we've evolved a lot to really lean in toward this concept of platform. And platform from an identity perspective. And I think if you look at some of the other players that are out there, you are going to hear platform from lots of different folks. And what we mean is that there are some natural synergies for an organization to really think about. If I have an access management solution that can be uniformly deployed, and offer me that seamless user experience, it can work across all my modern SaaS apps, as well as like reaching back and keeping my legacy apps secure, and you know, hybrid worlds as well, I can start to look at how I can leverage that in an access governance world. Where I might need to have auth policies before I can give you access to a given app.
Or, tying those into a privileged access story. And so I think that's where we start to look at it in more of a platform type approach, for a lot of folks looking at how identity can be a key component to their overarching strategy, and I counter that concept by saying like just because you hear the word platform, don't shut down, because a lot of people will say the word platform, and I think it's important for folks to say think about platforms that have natural synergies. I think that is something where we wanted to lean in. We wanted to be your identity solution provider of choice, and I think that we're trying to stay within that lane, and just excel within that world. And so that's something we've been thinking a lot about, and not trying to just chase everything that is out there.

David Moulton: Jamie, what are the emerging trends or technologies you believe will have the biggest impact on the future of identity security?

Jamie Fitz-Gerald: I love this question, because I think about this every day [chuckling] and I'll give you some high-level things that I think are really interesting. You mentioned passkeys every year. We talked about that a bit. I do think it's really exciting. I think it's exciting to think about a world where, I mean, even on the consumer side, where my wife and I share credentials to log into our PG account, like, what if that didn't have to happen anymore? Like, the technology is here for that. So I'm really excited about seeing this shift. If we look back at this podcast in five years, we're going to be laughing about the fact, I hope, that there were a hundred websites that you called out. I think that is a great trend. And I think that there are going to be a lot of things going on there that are good. I think the other thing that is happening more and more, and there's a ton of companies that have kind of entered this space called identity proofing. Many people do not even know that they've actually interacted with one of these tools already, but I'll give you an example of what this looks like in our everyday life. If you go to the airport and you see this thing called Clear, a lot of those solutions are actually trying to identify you as you. You provide your credentials. Well, what is that? It's my ID, it's my passport, and they're trying to give you, like, a digital version of that in some way, shape, or form. And I think there is going to be a lot more of that. Other folks might have seen it when you did your taxes: ID.me is another one of those players out there that are starting to drive this concept of identity proofing. Now, why is that so important from a security perspective? Adversaries are going to continue to evolve. Let's say, for argument's sake, we got this phishing-resistant auth everywhere, now there's secure auth, well, what do you do? Well, you claim I lost my phone. You claim I lost my biometrics. They're gone. Whoa, well, what do I do?
Well, I call the Help Desk. And I say no, no, trust me, I'm David. He's not David, I'm David. And so the Help Desk teams are now the next thing under attack. And so how you can raise the bar in a social engineering attack is another thing that folks are really spending some time on, and I think there is going to be a lot of evolution there. I think there are going to be some other things that are happening with that, so once I do that, and I've proved that I'm me, well, this concept of wallets comes into play, and so now we have these concepts of wallets, the digital wallet world, where I have a physical driver's license, why can't I have a digital driver's license? Well, I do in California, which is cool, right? We have nowhere to test it yet, but these are some of the cool things that I see the industry kind of, like, leaning into. The big players, the Apples, the Googles, the Microsofts, they're starting to lean in toward that as well. And I think that's going to help, you know, raise the security bar. Make things a bit more safe in the industry as well as even in the business world. We want to make sure that Help Desk call, you know, becomes, you know, no big deal. No one is losing sleep over it, whereas right now, that is a major concern for a lot of organizations.

David Moulton: We've talked about social engineering. We've talked about deep fakes. We've talked about the use of AI to drive social engineering, phishing, vishing, smishing on the pod in the past. I think all of those things are going to be driving where identity goes, forcing innovation, forcing adoption into this really important area of security around identity. What are some of the most important things that you want a listener of today's conversation to take away and remember?

Jamie Fitz-Gerald: That there are opportunities to raise the security bar with secure auth, and you can do it in a way where your end users actually like you. In a security podcast, if you don't hear that and go, what? I can make things more secure, and make my users like me more, that should be, ideally, a takeaway [laughing] that everyone walks out of here and goes, wow, really? How does that work? And to hear that we've got some purpose-built, baked solutions with Okta, where you can have this passwordless experience. We've got integrations with some of the top security players out there as well. The Palo Alto Networks of the world. A lot of the endpoint security vendors that are out there, making sure that you can have the most secure experience as well as the best user experience, is my number-one takeaway.

David Moulton: Jamie Fitz-Gerald, willing to cause you pain on the Peloton, but not on your login, thanks for coming on "Threat Vector" today to talk about identity, identity security, and some of the innovations Okta is working on and generally educating me in a space through a fascinating conversation. I really appreciate it.

Jamie Fitz-Gerald: Thanks for having me, and keep in touch. [ Music ]

David Moulton: That's it for "Threat Vector" this week. I hope you found my conversation with Jamie as fascinating as I did. I've learned a lot about the evolving landscape of identity security, and the critical role it plays in protecting organizations from today's threats. There are two key takeaways from our conversation. First, identity is the new perimeter. In today's hybrid work environment, where employees are accessing resources from anywhere, anytime, it's essential to have strong identity controls in place. This means moving beyond traditional passwords, and implementing multi-factor authentication, passwordless authentication, and other advanced security measures. Second, identity is the foundation of a zero trust security strategy. By verifying every user, device, and application before granting access to resources, organizations can significantly reduce their risk of cyberattacks. A big thanks to Jamie Fitz-Gerald from Okta, again, for joining me on "Threat Vector." If you like what you've heard, please subscribe wherever you listen, and leave us a review on Apple Podcasts or Spotify. Your reviews and feedback really do help us understand what you want to hear. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenny Miller, Joe Bettencourt, and Virginia Tran. Ayad at "Threat Vector," and Elliot Pelzman mixes our audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]