Wednesday Dec 13, 2023
Identity as the Perimeter with Adam Bateman
Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest is Adam Bateman, CEO and Co-Founder at Push Security, based in the UK. Another of our cyber friends from across the pond! He is a former director at the security consultancy MWR, who were renowned in the industry for their specialist research and red team capability. Adam started off as a red teamer himself, and then went on to build and lead the detection and response division of MWR, where they specialized in defending organizations against state-sponsored attacks. Adam came up in the world of offensive security, and it shows in his thinking. He co-founded Push to protect SaaS-native companies, whose data resides in a bazillion places, protected by a bazillion identities. Or maybe just by SSO. But probably a mix. ½ a bazillion known SaaS apps using SSO and another ½ a bazillion using who knows what identity methods?
After our first chat with Adam, Allan really got to thinking about this idea we bandy about that “identity is the new perimeter!” Is that the right model? Is it a complete model? Are there better models to describe our SaaS sprawl security problem? Allan posted his ideas on LinkedIn and LinkedIn got very vigorously into the conversation. We thought Adam and Allan could record a show and hash some of these concepts out, and Adam agreed, so here we are!
- In one sense, vulnerable Internet-facing credentials have ALWAYS been a problem. In other words, Identity is not the new perimeter, but is a rather old one. What are your thoughts?
- What is happening in the wild? What do the attacks actually look like?
- Allan Alford Consulting subscribes to over twenty SaaS applications, and Allan is literally a one-man company. How many SaaS apps are used by the average enterprise? What percentage of those are in the SSO fold? This is truly scary.
- How do we get everything behind SSO? How do we get SSO locked down and secure?
- What’s our best possible world? Everything behind SSO with a Yubikey? Next best is everything behind SSO with Smartphone MFA app?
- Back to this perimeter thing: J. David Christensen agrees with the idea that identity is not a new perimeter. He says it has always been THE perimeter! Jamir Fisher agreed. Robert Mitchell points out that if an identity provider can be compromised, then identity is the M&M defense after all (hard shell, soft center). Our friend Abhishek Singh says authZ and authN combine to form Zero Trust. Once you have zero trust, he says, like it or lump it, identity becomes the attack surface. What are your thoughts on that formula? We found it to be a rather tidy summation, as did our other friend Dan Holden. Thoughts?
- Lastly, when we talk identity, we always feel the need to point out that humans are just some of the identities crawling our digital world. Are the solutions we’re crafting for humans using SaaS also good for machine accounts? Application accounts? API-to-API connections?
Sponsored by our good friends at Push Security.
Check them out at:
https://pushsecurity.com/ranch