New Identity Blueprint for a Future with Cloud & AI


Identity is the root cause of over 70% of all security incidents, yet many organizations still rely on fundamentally flawed authentication methods. In this episode, Jasson Casey, CEO and co-founder of Beyond Identity, explains why even common forms of MFA are insufficient and why any system that relies on a "secret moving" is vulnerable to attack. The conversation dives deep into the architectural shift needed to truly secure identity: moving from probabilistic tools to deterministic proof. Jasson breaks down how to leverage the hardware-backed secure enclaves (like TPMs and the Secure Enclave) that already exist in our devices to create un-phishable, device-bound credentials that can't be stolen or copied. We also explore how this approach provides a necessary defense against the next wave of AI-enabled threats, including deepfakes and hyper-realistic social engineering attacks that will make it nearly impossible for humans to spot the difference.

Questions asked

00:00 Introduction
02:10 Who is Jasson Casey?
04:00 What is the 2025 Version of IAM?
07:15 Why Hasn't The Identity Problem Been Solved?
08:00 The Fundamental Flaw: Relying on Secrets That Move
10:00 The Solution: Un-phishable, Hardware-Backed Identity
12:15 Why Your Current MFA is Insufficient and Easily Exploited
14:42 The Apple Pay Analogy: How Secure Identity Already Works in Your Pocket
18:58 The "Aha!" Moment: Reducing Help Desk & SOC Workload
25:25 The AI Adversary: How Deepfakes Will Break Authentication
30:00 The Answer to AI Threats: Cryptographically Attested, Device-Bound Proof
32:15 Challenges of Adopting a New World of Identity
34:30 Beyond Human Identity: Securing Workloads, Drones & IoT
36:20 Deterministic vs. Probabilistic: A New Blueprint for Security
45:20 Final Questions: Drones, Cooking, and Tex-Me


Jasson Casey: [00:00:00] Why is identity still broken? Why haven't we figured this out? Identity products, by and large, aren't really treated as security products. They're treated as productivity products.

Ashish Rajan: 'Cause a lot of people would say that we have MFA, Jasson.

Jasson Casey: So the controversial version is all of those, except for one you mentioned, are completely insufficient.

Any system that relies on a secret moving is fundamentally flawed, and a system exists or could be built very quickly to exploit it.

Ashish Rajan: How do you envision people who are trying to work through this new challenge of AI with deepfakes?

Jasson Casey: Adversaries are using these tools to basically be almost the perfect mimics.

It's hard to imagine anyone standing up to social engineering attacks that are AI enabled. The biggest advice I would give to CISOs is for your problems, where do you actually have the ability to bring determinism to bear versus a probabilistic solution?

Ashish Rajan: Identity is in cloud and other applications, and perhaps the top three reasons for why most applications get compromised.

And for a long time we have tried MFA, we have tried federated access. We never spoke about it from a [00:01:00] device perspective. How do you bind identity to hardware? The same way your Apple Pay works when you go in. It doesn't know it's Ashish trying to make a transaction, but somehow it's a secure transaction between your bank and the vendor you're trying to buy the coffee from in a matter of a few seconds, and it understands, yes, it's Ashish and this is the card for Ashish.

Similarly, how can you apply that onto the world of identity? I had a great conversation with Jasson, who's the CEO and co-founder of Beyond Identity, and we were talking about how identity has come a long way, where things like the example that I gave earlier about Apple Pay, there is hardware capability today that's available for people to use for their cloud environments, for their applications, for their workforce.

Identity in general can be disrupted. So if you're trying to understand the identity problem, whether it's in the cloud space or in general for applications, this is the episode for you. Let me share it with someone who's working on the same problem as well. As always, if you have been watching or listening to an episode of Cloud Security Podcast for a while, for a second time or a third time, and you've been finding 'em valuable, I would really appreciate if you take a quick second to hit the subscribe or follow button on iTunes or Spotify, if that's where you're listening to this, or on [00:02:00] YouTube or LinkedIn.

If that's where you're watching this episode. I hope you enjoy this episode with Jasson. I'll talk to you soon. Hello and welcome to another episode of Cloud Security Podcast. I have Jasson with me today. Hey, man, thanks for coming to the show.

Jasson Casey: Yeah, thanks for having me.

Ashish Rajan: Maybe to kick things off, if you could tell a bit about yourself, your professional background, what are you up to today?

Jasson Casey: Sure. So my name is Jasson Casey. I'm a co-founder and CEO of a company called Beyond Identity. And let's see, a little bit about myself. I have a technical background. I went to school in Texas at both of the universities. Oh, this is my joke. And I built a career building infrastructure.

So my first decade of work was telco infrastructure. Think like firewalls, routers, load balancers, that sort of thing.

Ashish Rajan: Yeah.

Jasson Casey: But with a specialized flair, they were kind of application layer. They focused on figuring out what was going on higher up in the stack in real time and doing interesting things with it.

And I'd say the last decade I've leaned more into, for a while it was big data intelligence at scale. And at the end of 2019 I was the CTO at a company called SecurityScorecard. And I [00:03:00] had these thoughts around some of the findings that we had made at Scorecard around, like, what are the highest correlation security signals for breach?

And luckily we had some interesting partnerships with some cybersecurity companies, where we could figure out, like, who are they having to pay out to, and what do they look like before and after? And the three loudest signals were how are passwords handled?

How is patch management handled? And how strong is the authentication infrastructure itself? And I happened to meet a gentleman by the name of Jim Clark at that time, and Jim was really interested in starting this authentication company. And his motivation was ease of use. I wanna make it easy, I wanna make it easy, I wanna make it easy.

And he convinced me that we could mash these ideas together. And there was a couple other folks involved as well who had already built out early prototypes of the product. And yeah, that was how Beyond Identity got started back in 2019.

Ashish Rajan: Maybe you're a good person to ask the question about how do you define IAM or identity access management in [00:04:00] 2025, what's the 2025 version of it?

Jasson Casey: Ah, that's really interesting. So who do we want to ask, right? If we want to ask, like, a Gartner or an analyst, they're gonna give us a lot of boxes, right? I've got identity threat detection. I've got identity posture management. I've got MFA, phish-resistant MFA, PAM, IGA.

When we look at it, we have a slightly different take. I would say we're a security company with, like, identity fur that we've draped on our back. And what we mean by that is when we look at the root cause of security incidents, like, where do security incidents actually come from?

And the reason we focus on security incidents is not everybody has breaches, right? But everybody has security incidents, and if you treat the incident right, it won't grow up into a breach. Yeah. And no matter where you look, about 70 to 80% of the root cause of security incidents is a failure in the identity stack.

And so Verizon DBIR confirms that, Mandiant's threat report kind of talks through that, CrowdStrike's threat report talks through that, but you can also see it if you [00:05:00] actually tease out the reports. And so we started pulling that thread: why is that? Why is that? Ask the five whys.

Like, keep asking, like, what's really the root cause? And what we came away with was identity products, by and large, aren't really treated as security products. They're treated as productivity products. How do we get people to work fast? How do we get outta their way? And that's not necessarily a bad objective.

But on the flip side, no matter what your organization looks like, whether it has a lot of legacy infrastructure, premise infrastructure, cloud infrastructure, employees, contractors, business partners, BYOD, managed devices. What system sees all access to services and data? Yeah, it's the identity system.

Yeah, like the identity system is literally high ground. So if you think of it from like a security or a defense perspective, identity is really the only part of your architecture that's gonna see all service and data access, regardless of whether it comes from a managed device or not, regardless of whether it [00:06:00] comes from an employee, a customer or not.

So why aren't identity products also security products? And so we built identity around this concept of we wanna have a cross layer across the entire identity stack, and we want to try and address root cause issues of security incidents while also being easy to use to get people to work. And is it possible to do that in a way where you can shift the security discussion from detection and response to prevention?

We think we have some pretty good answers there, but but that's our take on it.

Ashish Rajan: Interesting. And funny enough, when I first started my career, I was talking about this earlier, identity access management was where I started and my naive brain back then used to think that it's just username, passwords, and single sign on.

End of story. Why do I have to talk to five different industries about the same thing five single times? But I also feel today the number of identities and the number of things that are connected into identity is, to what you said, quite complex. I think I'll probably include [00:07:00] the example of MITRE ATT&CK, which uses the TTP thing.

I think always the top three ones, always one of them is identity related: identity compromise, credential compromise, phishing, they're all related to identity. So why is it broken? Because I almost feel like, and I'm giving you an example from 15 years ago. Yeah. I was in identity 15 years ago and I always thought, hey, clearly people have solved this problem by today.

Right? Why is identity still broken, in terms of why haven't we figured this out yet? Yeah.

Jasson Casey: The why haven't we figured it out? So I think there's a couple things there. Number one, identity's roots are in trying to simplify it for the workforce, right? I think that's really where it started.

Or on the consumer side, trying to get people to be able to purchase things easily. Yeah. Be really low friction.

Ashish Rajan: Yeah.

Jasson Casey: So I think it started from a different location, but when you look at pauses, right? Whether it's MITRE ATT&CK or something simpler like the Lockheed kill chain, some interesting things happen.

So let's talk about lateral movement for a minute, right? Not [00:08:00] initial access, but lateral movement. What are all these lateral movement techniques that are being used, and why exactly are they identity related? Pass-the-hash.

Ashish Rajan: Yeah.

Jasson Casey: If I can copy a thing over here and paste it over here, then turns out, boom, I'm that person.

Yeah. Or I'm that machine, or I'm that transaction. So when we look at something like that, we see a couple of phenomena. The possession of a secret, a symmetric secret, is really the technical answer that the industry has given for identity. So for instance, think about it like a session cookie.

Yeah. Access token, Kerberos ticket, primary refresh token, or a password. And there's many other things as well, but merely the possession and the presentation of these sorts of things is, oh, I guess you're John. Yeah. Here's the shopping cart. So now let's think a little bit about computer architecture.

If I have a secret that I'm sharing, that means that secret's in my memory, that means I copy it off across a web request to some other service. It's in their memory. We think a little bit about how the modern web stack is built. Your [00:09:00] engineers will pull in Kubernetes, the latest service mesh, the latest message broker.

They'll add a message broker, they'll add a load balancer, they'll use a CDN. Another way of looking at what I just said is they've just involved three to four third parties that are opening the TLS connections.

Ashish Rajan: Yeah.

Jasson Casey: And now they all have in their memory those secrets resident. So whether it's an attack against the third party or an insider threat of those third party or your infrastructure, these secrets have now basically been put in a shotgun and blasted on the wall and you're not even sure where all the residue has fallen.

So we look at that and the obvious question is, how could you solve that? What could you do about that?

And it's a first principles thing, right? It's kinda let me take you back to the classroom. What if we were in school and we were learning about this, is there a way to where the secrets don't have to move?

And classically the answer is yeah. You could think of it as asymmetric cryptography or some of these things like empirics, privacy-preserving proofs or protocols. But there's ways of doing a thing where you don't have to reveal the secret. So that's interesting, [00:10:00] but then there's a second question.

Rather than doing that, because then I have to trust that you wrote your software correctly. Is there a way to do it with proof? And turns out the answer is there is.

Because of mobile banking.

Ashish Rajan: Okay.

Jasson Casey: All modern electronics now have some form of trusted execution environment. Whether it's a Secure Enclave on that Apple device, whether it's TrustZone in an Arm processor, or an actual TPM in a laptop or a server.

By the way, you can get TPMs in Amazon instances now, right? It's possible to create an asymmetric key pair where you can prove you have a thing by just a signature. And as part of enrolling this process, you can get a proof. Like a little receipt, a little log entry that helps tie that, hey, this key is bound to this device.

It's never allowed to come out of this co-processor. It's never in memory. If it's never in memory, it can't be dumped. It can't be stolen. It can't be copied. Yeah. So from a root cause perspective, if you start trying to take advantage of some of this hardware for the [00:11:00] authentication portion, whether it's a user, a workload, or even a transaction.

Now you have this credential that can't move, it can't really be stolen. So that's really interesting. That chops off a ton of security incidents. Interesting. There's another thing. So if I'm the adversary, if I can't steal the secret, I'm gonna, the next best thing I'm gonna do is I'm gonna sit, I'm gonna try and do something called a signing fool attack.

I'm gonna jump in the middle and I'm gonna say. Hey, I'm your boss. I need you to log in and approve this thing, and then you're gonna sign my challenge and I'm gonna turn around and present it to Salesforce and get logged in as you, and then go do whatever it is I wanna do. Yeah. So there's a second part of this.

The second part of this is how do I take the burden off the human from having to understand, are they even logging into the right thing? And a ton of our industry right now is invested in, like, training and training process and how do we not click the bad link? Yeah. And I find this a little bit ridiculous because, number one, [00:12:00] the visual metaphor I always see is like I'm sending in a family member to go fight a robot, right?

This isn't gonna end well. And just layer in what we're seeing now with gen AI. The ability to look like you, sound like you, write like you, or impersonate a brand or a service is almost flawless, or certainly will be very soon. So why are we still accepting solutions that require a human to kind of always be perfect?

Ashish Rajan: Interesting. Would you say, 'cause a lot of people would say that we have MFA, Jasson. We have SMS two factor. We have YubiKey, we have all these other things that we have been building towards. I think there used to be an RSA token a long time ago as well. I don't know. There still is

Jasson Casey: one.

Oh, sorry. Yeah.

Ashish Rajan: I'm like, I haven't used it for a while, so I don't know if it's still there, but there's obviously two factor that people have relied on for a long time, and there's a standardization for authentication and authorization. But I think what you're trying to say, in [00:13:00] terms of a device bound identity concept, as you call it, so would these fail?

Is that why we should go towards that direction with AI? Is that correct?

Jasson Casey: So I'll give you the tame version and then I'll give you the controversial version. Okay. So the controversial version is all of those, except for one you mentioned, are completely insufficient. And can be exploited in minutes by, there's at least three or four open source toolkits that you can download that will happily help you hijack the session token through some sort of victim trying to get their job done, right?

From a technical perspective, I would go back to those fundamentals. Any system that relies on a secret moving is fundamentally flawed, and a system exists or could be built very quickly to exploit it. So for instance, let's talk about those tokens, right? The TOTP tokens. It's a secret that moves.

Now, technically, I have this thing, it's been seeded, it's unique to me. It's randomly changing. Yeah. But as I type that number in, that number is basically being carried across, right?

Ashish Rajan: Yeah.

Jasson Casey: As I [00:14:00] type in a password, technically there are techniques where you can enroll in the clear and then use something called an hpac.

But 90% of websites don't do that. The password is actually in the clear over the TLS connection in some kind of JSON payload on a web POST. Yeah, when you present an access token, actually, here's a great challenge. So for all you CISOs out there, go talk to your engineers and basically say, hey.

The access tokens that we issue to our client apps, to the browser for the web-based apps. Could I copy it into a new browser and would it actually just work? You're gonna get some interesting responses to that. So I would argue technically authentication that's not device bound and hardware backed is fundamentally flawed and can easily be exploited.

The natural response someone's gonna say is, I can't buy specialized hardware. And so it turns out there's an easy answer to that. You already have. Mobile payments. Let's come back to that mobile payments point. Okay? Yeah. We all have cards now where we can tap and pay.

We all have phones that we can tap and pay. What's actually going on in that? It turns out there's a [00:15:00] little security co-processor in your credit card and in your phone. And in there is a tiny little signing key that's been enrolled against your identity, and you can think of it as like a jail.

The key can't come out of that jail. If you were issuing assembly instructions, there is no "read key". There is only "sign this data". And that co-processor is then gonna challenge the local user. And you see this with your phone, it's like, smile, right?

Ashish Rajan: Yeah. Yeah.

Jasson Casey: And if you're, if you had a hard night that's not gonna work.

And then it falls back and says, put your PIN in.

Ashish Rajan: Yeah.

Jasson Casey: So you put your PIN in. That security processor will then say, oh, they have possession. They just provided either a knowledge or an inherence factor. So I'm gonna go ahead and sign this little payload. And then over the wireless interface, it's gonna hand that to the merchant's computer.

So that little security co-processor pretty much exists in all chips now. And the reason why is, you're a chip manufacturer. How many specialized chips do you wanna build? How many dies do you really wanna lay down? And the answer is as [00:16:00] few as possible. Yeah. So this stuff just gets rolled into infrastructure now.

And so I guess I went a little deep, but the high level point is I challenge you to buy a computer, whether it's a mobile computer or a laptop, or even a server that does not already have this hardware baked into it. If you use Windows today Yeah. And you use Secure Boot, you use this hardware already.

Ashish Rajan: Oh, okay. Yeah. But then it's more, it's never highlighted as a feature you can use, which is kinda what Apple and Google have done with the phones, where it's an obvious, oh, use your Face ID to do the Apple Pay, or Google Pay or whatever. But in a regular laptop or a work laptop. Actually, MacBooks had the fingerprint thing as well on it.

So

Jasson Casey: Apple has their version of it.

Ashish Rajan: Yeah. But then I don't know about Windows. You are gonna gimme hate for not using Windows, but I'm a technical Apple user, so I'm like, yeah, they have fingerprint on their keyboards. I guess the point still remains to what you said about the mobile payment piece.

It just that it hasn't been exposed. So are we saying that identity, it actually

Jasson Casey: has been exposed, but it's a little bit low. So if you're a developer. Yeah. It's a little bit lower level. Okay. And most developers are, [00:17:00] we're building apps up here. Yeah. We're not that concerned with, wait a minute, what hardware exists?

I don't know how to write a device driver, or I don't really want to interface with that lower level. So this capability exists. But what we saw, and this was what we thought was our opportunity. Most people don't take advantage of it. Most companies don't take advantage of it. So it's sitting there, and if you know how to write the software, you can.

Ashish Rajan: Obviously there are two sides to the user profile as well. There is the end user, who is, to your point, the application user. The customers and everyone else who's using the application. And then there's your workforce identity as well. I think when I was thinking about service, I'm thinking of workforce identity, but I think you called out.

It can be on both sides. It is on both sides. Yeah. As in the application can still also utilize the same capability.

Jasson Casey: Every time you buy a cup of coffee or tea at Starbucks. And if you pay for it with your Apple phone or your Google phone.

Ashish Rajan: Yeah.

Jasson Casey: Or your Android. You're using this technology.

Ashish Rajan: Yeah. I think they've done a great job of it. I always go back to how Apple made security a thing that people want. Whereas [00:18:00] I feel enterprise has totally failed on this, but right. At a point you almost feel it's like we still haven't solved least privilege, so I'm not gonna open that can of worms.

But just talking about authentication and being okay for people to use MFA or having that two factor, simplifying that process I felt has been probably the hardest thing for every identity person out there. How open are people to the idea of having a device bound identity, to what you said, where the credentials don't move, they just remain there.

To your point, they're in the jail. And I wonder, because when I'm going with this, after I'll come back. I'm curious how open are people about this and what's the aha moment they have that makes them go, oh my God, I should have done this ages ago.

Jasson Casey: So this, yeah, this is a tricky one. There's no one tool that works.

Yeah. So it really depends on the audience and the person. The approach that we've taken is basically been, we tried a lot of stuff and most of it didn't work and a handful of it does. I would say a security minded organization is generally open to a technical argument, like what I've been making.

Most organizations aren't. Most [00:19:00] organizations, it's like, hey, I gotta go home. I gotta go home at five. What you're saying sounds like work, it sounds like help desk tickets. And so what we've realized is the argument and the demonstration for that audience is a little bit different.

So for that audience it's a series of questions like, hey, let's talk about your help desk. What is the workload on your help desk for resets or lockouts? Yeah. Let's talk about your SOC. What is the workload of incidents in your SOC? For session hijacking. For credential theft, for really all of these identity related issues.

And what if 70 to 80% of those, on both the IT help desk and the SOC, could just go away? What if you could actually go home at five? What if you could actually focus on some of the more advanced detections and responses that you've been wanting to get to? But this bread and butter just keeps getting in the way.

We've also realized [00:20:00] that resistance to change is just kind of common, and the idea that something could be easier, something that you've literally done pretty much every day of your life that you've used a computer could change, is a hard concept for people to grasp.

Ashish Rajan: Yeah.

Jasson Casey: And so just putting it front and center, just experience it.

If you log into a service using a technology like what I just described. I guarantee you're gonna be upset when it gets turned off. And it's a psychological thing. It's maybe more of a user design statement, but we got a lot of feedback. So some of our customers are like county governments like large organizations that you wouldn't necessarily think of as like technology leaders, so to speak.

Ashish Rajan: Yeah. Yeah.

Jasson Casey: I was having a conversation with a CTO of one of these large counties just a month ago, and his response is, what you could have done that would've made my job easier. And he's like, what? He's like, you could have just given me a packaged video to put in front of our county CIO up front, just so they could say, oh.[00:21:00]

Because apparently they were having a series of, they had a high load of security incidents. It was all basically people clicking on the wrong link, session hijacking then occurring afterwards. Yeah. And so their incident response was just bogged down on, they were just doing that all the time.

So we found them, they evaluated the solution. They ended up becoming a customer and deploying. But there was a lot of initial resistance from the general manager and executive in this organization. And it was really a resistance to change, right? And the funny thing that happened is the CTO walked over.

To one of these executives and said, hey, I'm gonna install this for you. We're gonna sit, I'm just gonna take you through it, and then I'm gonna listen to your feedback and then, if there's something we need to change, we'll go change it. It's the proper help desk mentality.

Yeah. Yeah. And apparently, I think it was the CIO, after he saw it, he's like, why didn't you tell me it was gonna be this much easier? We wouldn't have had to go through any of this. Oh. So there's different ways of explaining the value. Depending on who you are, the value lands differently.[00:22:00]

Usability is a value. Reduction of workload on the SOC and the help desk is a value. Compliance is a value. So some of our customers basically are using things like CIS compliance or NYDFS or the new rev of PCI DSS as a way of budgeting this particular activity with their CIO or their CFO.

A new one that we've recently discovered is FedRAMP.

We just went through our FedRAMP process. It took us about five to six months to get our authorization.

It's pretty fast. Yeah. Historically. And between us and our partner is this company called SMX. We realized there's a pretty interesting angle to help other companies get on FedRAMP quickly, like a FedRAMP easy button, if you will.

Ashish Rajan: Yeah,

Jasson Casey: because it turns out if you have device bound identity, a ton of controls come for free, right? Because, let's think about it. Device bound identity basically means you have a credential locked to a device. So whenever that credential's being used, you actually [00:23:00] know exactly what device you're talking about.

Yeah. So if you think about incident response blast radius, like, I know exactly what device I'm dealing with.

Ashish Rajan: Yeah.

Jasson Casey: We're on the device you're working from. Most people think of oh, pull your phone out, use your phone to log into a service. That's not what we're talking about. Our authenticator and our credential is on the device you're working from.

If we're on the device you're working from, back to this theme of identity sees everything. We can also answer questions like, hey, is your device secure enough for the thing that you're actually asking for? When we come back to compliance, easy button for compliance. If identity can always answer, who are you, on what device are you, in what geography are you, what are you asking for, and what are the security controls?

Not that we expect to be on your device, but are actually present and active right in this moment. That sort of answer is what's really powerful and helps with things like compliance, easy buttons.

Ashish Rajan: I love that. I almost feel the way you describe it, because what the person said about having a packaged video, it's the same kind of thing that happened when Apple introduced Apple Pay. I remember [00:24:00] those ads that were floating around where it was a cool thing to use that, 'cause you almost, to what you said, there's already a standard process of how people are doing it. Yeah. Whether it's a frustrated MFA piece or whatever the piece may be, or just username, password.

Yeah. They already have a path. Which either they're frustrated by or probably not frustrated by. All the, all you need is like a Google ad in between. They may not even

Jasson Casey: realize it anymore. Because they literally do it every day of their life.

Ashish Rajan: Yeah. And that's just the norm for them. If you can make that the shift easy.

And that's where it reminded me of that Apple Pay ad, and oh, if the person's telling you that you're just gonna add a video in between, like a product package, like an Apple Pay package video that kind of goes up and shows it to your CTO/CIO, and huh.

It's that crazy. Yep. And interesting point about the value being shown from incidents as well as help desk, because I think I remember every company, at least most of the enterprise, I think they pay per call. The cost of it. If you have a lot of people coming back from holidays, which happens quite often when people are in a large enterprise, hundreds of [00:25:00] employees.

If say 20% of people call, that's a ton of money and time being spent on just resetting passwords. Because people just can't remember after a great holiday.

Jasson Casey: We've had one customer justify budget purely based on exactly what you just described.

Ashish Rajan: Yeah.

Jasson Casey: Because they pay per call. Yeah. They have an outsource provider for it.

Ashish Rajan: Yeah.

Jasson Casey: And it's easy to quantify.

Ashish Rajan: A hundred percent. And the, because I think to your point, using values like incident, the cost being saved, those are things that many people probably are not using, which is why we go back onto the what's tested. Hey, yes. Let's use a standard OAuth or a SAML or whatever.

Maybe. Is AI impacting this anyway? Like how is that? Oh, yes. Yeah. So how's that changing the landscape for this?

Jasson Casey: So there's a couple things there. So first let's talk about the adversary using AI.

Ashish Rajan: Yeah.

Jasson Casey: So if I call your phone number and if you've left a custom outbound voice greeting

That's about all I need to sound like you, right? Have you ever put stuff on YouTube? Have you ever put stuff on any social media? It's, it doesn't [00:26:00] require much footage for me to be able to look like you.

Do you write, do you post those writings? It doesn't take much for me to sound like you in the written form.

Adversaries are using these tools to basically be almost the perfect mimics.

And when you think about progress, right? Don't focus on what's available today, use that as a data point, but also realize this is gonna continue to improve. It's hard to imagine anyone standing up to social engineering attacks that are AI enabled.

And so AI defense is a real concern that you actually have to worry about. So the second part of this observation is there's a ton of companies now all trying to offer and sell AI detection. I can spot the AI.

Ashish Rajan: Yeah.

Jasson Casey: And it, there was something that really didn't sit right with me when I started reading this and it took me a while to articulate it, but there's two reasons here.

So first, from a technical perspective, when you look at how you, how AI works, right? How you actually build models. Detectors are great labelers, [00:27:00] right? Yeah. And you can use it to train the next generator.

Ashish Rajan: Yeah.

Jasson Casey: There is a bit of an arms race there, right? If I, let's assume I have a detector that works and I, by the way I don't.

I don't really like this field that much, but let's assume I have a detector that works for a moment. Yeah. I can use it to train a generator to defeat it. So there is its arms race concept around AI defense that I just don't see it as being a sustainable thing for detection.

But let's put that argument aside. And now let's think about acceptable use if AI is really taking over the world. Then everyone is gonna start incorporating realtime AI as soon as it's possible in their communications.

Ashish Rajan: Yeah.

Jasson Casey: Hey, right now you can't tell that I was kicked in the face by a horse this weekend.

Because your realtime AI is making me look great. Yeah. Yeah. Also, did you know I don't actually speak English, right? This is this realtime AI language. It's great. Yeah. So the list go whether make, and you think of simpler things, right? Like makeup filters, blemish filters.

Ashish Rajan: Yeah.

Jasson Casey: There's a company called Deep Voodoo that's doing this in the movie space. [00:28:00]

Ashish Rajan: Oh okay.

Jasson Casey: And it's basically realtime AI, it's realtime deepfakes. But it's licensed. And so they're doing it to save actors time on makeup, to save production budgets money on insuring the most expensive person to do the dangerous thing.

Interesting. Number one, it's a detection is a bit of an arms race. Yeah. But number two, what is the point of detection when people are actually gonna be wanting to use it very soon? Yeah. So the better question is, where is this coming from? Who actually authorized the production of this content? And so we think device bound identity can answer that seamlessly.

When I'm on a Zoom, when I'm on a teams, when I'm reading an email, an outlook. I can actually see, hey this is coming from Jasson's computer. Yeah. Managed by Beyond Identity with these security controls. And by the way, Jasson used two factor at the very start of the session to authorize the production of this content.

So that's one angle on AI. The other angle on AI is more of kind of the [00:29:00] use cases, right? So let's talk about agentic AI for a minute. Everybody wants to build agentic workflows, right? Everybody wants to build these things that I guess on one end of the spectrum lets them do things faster, on the other end of the spectrum not have to hire as much, but when you drill down and say how does this actually work?

You have these agents that are authorized on behalf of some user. They're gonna go do something, they're gonna gather some data, they're gonna process it through a couple of phases. They're gonna produce an answer, and then they're gonna die. They're like fireflies. Yeah. Yeah. They're gonna be born, they're gonna do a thing and they're gonna die.

Yeah. So from a security perspective, how do I, number one, make sure that the right person is always doing the right thing and nothing else. How do I do investigation and incident response after the fact? Yeah, like, how do I know what actually happened? And by the way, the speed of all of this is gonna be an amplifier on credential sprawl.

Because the agent needs to be authorized on behalf of the user to go do things as the user. And so again, we think the answer is device bound, hardware backed identity. [00:30:00] What if in the moment and after the fact, I can always say. This person authorized this agent with this exact workload and this exact model on this exact machine with these permissions for this limited period of time.

The agent does its thing and then the agent pieces out. I still have a log after the fact. That's cryptographically attested. All those statements I just made and the only assumption I have to make to know that all of that is true. Is the foundry that produced the silicon hasn't been compromised, which is a fairly strong assumption.

Still an assumption. Yeah. So we see opportunity on both sides of how do I defend against an AI enabled adversary, but also how do we enable our customers to go fast with AI but not fail compliance. And not recreate, and not just blow out the SOC with credential sprawl related security incidents.

Ashish Rajan: Yeah. And I guess you, [00:31:00] to your point, the bigger play also here is that it's gonna constantly evolve as well. And assuming you can keep detecting new AI probably is not the ideal solution, because you're just trying to chase your own tail at that point. It doesn't, it's like an endless, would you say?

'cause I think to your point, if we have figured out after all these years. All the TBS point towards the fact that identity is still at the crux of where things usually start. They need to have the credential from Ashish to pretend to be Ashish. AI agent or non-AI agent, and being able to bind that to something which is a bit more, levels of trust is higher, for lack of a better word, to what you said.

It's the hardware that you have issued as an organization. You probably have it already. I'm curious if CISOs are trying to, everyone obviously has an identity program. Develop it, it's already built in. Is there, I feel like people are probably looking at how to uplift it for the world of ai.

And you gave some examples there as well. If you are coming from a lens of, Hey, I want to go down [00:32:00] the path of doing a identity bound to the hardware I'm imagining there'll be some challenges depending on the organization. What have you heard are some of the challenges that people have to face and we obviously spoke about the value part before that they can use to show the value for it.

What are challenges people feel when they've already been on a, let's just say, traditional path of identity for a long time when they're trying to go up to this new world.

Jasson Casey: So I would say the challenges are very similar to some of the challenges that I mentioned earlier. Like the first thing is wait, I'm not gonna go buy specialized hardware.

And I guess there's two responses to that. One, technically you have, if you're running a model, but two, you don't have to go buy specialized hardware. It exists. Yep. Amazon has Amazon Nitro. There's something called NitroTPM. There's something called Nitro Enclaves. These are ways to actually bind and use hardware backing to be able to say, this workload is on this machine in Amazon and no other machine for this moment.

And obviously you use it for a lot more than that, but like my point is the technology already exists even in your cloud [00:33:00] workloads. So that would be number one. Number two, I would say a lot of the companies we deal with are still figuring it out. They, no, no one really has the answer, but they're exploring.

And the value argument there is, number one, if the adversary is using AI and the good guys are using AI, what is the point of detecting the use of AI? You need to find a better question. By the way, you're gonna fail compliance audits if you don't actually get that better question of who authorized what agent running what model on what device, at what time, with what permissions, and that record needs to survive the destruction of the agent.

It and because this hardware exists, it's provable. Like you can actually do the math offline. It's, and by the way, blockchain pioneered a lot of these like mechanical techniques a long time ago. So it's not like we're inventing new things. Yeah. Yeah. It's there.

Ashish Rajan: Would you say the blocker [00:34:00] probably, even though people have done MFA for a long time people have done you mentioned cloud workload there for a second as well, because we are not just talking about identity that are, say Ashish and Jasson. It's not just the customer stakeholder, but also the workload as well that people are hosting in cloud. We mentioned Kubernetes earlier as well in terms of, hey, my application has a non-human identity, if you wanna use that word.

I'm sure Gartner would throw a few more in there. Is, can we go into that direction? 'cause you mentioned AWS Nitro,

Jasson Casey: so here's a, here's an interesting use case. The war in Ukraine.

Ashish Rajan: Yeah.

Jasson Casey: Turns out the Russians and the Ukrainians are buying Chinese drones off Amazon.

Ashish Rajan: What?

Jasson Casey: It is a war of consumer electronics fueled surveillance and munition delivery, right?

So you're over there. One of the problems you're gonna have is that my drone. If it's a DJI drone, they bought it and we buy it. So is that mine? You are gonna be conservative, you're gonna shoot it down, or you're gonna disable it, or you're gonna run EW against it or [00:35:00] something. In legacy warfare there's this thing called IFF, identify friend or foe, and let's not shoot our own team.

Ashish Rajan: Yeah.

Jasson Casey: So this is a machine workload identity problem, right? Like, how do I know what this is?

And guess what? It's running an Arm processor. Guess what, Arm has TrustZone. That's what TrustZone does. TrustZone will let you run an attestation. So you, i.e., you can do device backed, device bound, hardware backed identity on this drone.

You can also do it on a soda machine, right? But it's a more interesting use case. And there's several ways of using this to figure out, like essentially is this the device that I think it is, was it authorized by the soldier? I expected it to be authorized by.

Ashish Rajan: How would you uplift this trust workflow?

I imagine CISOs saw this thing as well. Traditionally, they have sold the idea to the board that, hey, MFA makes me certain that it's potentially Ashish logging in with this username, password and MFA. If for whatever reason Ashish started in [00:36:00] Vegas and landed in Ukraine two seconds later, something triggers in authentication: hey, the stakes are up, so I need to do another MFA, or whatever the thing may be. How do you envision people who are trying to work through this new challenge of AI with deepfakes, as you mentioned, and other things? How do you now build trust in the identity workflow?

Especially when all the executives are being targeted. They all have to, what you said, YouTube videos out there. 'Cause they all have to be on social media, on press file. We are here as well, like how does one build a trust in the identity flow workflow for their organization?

Jasson Casey: So a couple things, right? Like people are doing the best they can. The and, risk-based approaches are the best that they traditionally have had.

But let's back up a little bit. So there are probabilistic tools that you can use and there are deterministic tools that you can use.

Yeah. Probabilistic tool is, Hey, I think this is Jasson. A deterministic tool is, this is in fact Jasson, and so the biggest advice I would give to CISOs is for your problems, where do you actually have the [00:37:00] ability to bring determinism to bear versus a probabilistic solution? Because if all you're doing is bringing probabilistic detections, like that fast mover example that you just described, you're trying to run a really long race slightly faster than the other guy.

What if there was a shortcut? That's what determinism is. Determinism is I don't actually need to give you a set of likely outcomes and then let you make a choice. If I have the right initial starting conditions, I can tell you exactly what's gonna happen and that's actually what Device Bound is.

So when we look at device bound and Fast mover and you actually see fast movement. It, you actually know a lot more.

There's no session cookie being copied around. It's one or two devices, being used concurrently, either egressing, A VPN, right? Yeah. At somewhere across the globe or being used concurrently, under the same [00:38:00] identity, not physically in the same location.

You have, you don't have an ability to say that when you're dealing with a password, when you're dealing with push, when you're dealing with TOTP. Tell me, that six-digit TOTP code, what part of that code helps you understand what machine is using it, right? Yeah, that password.

What part of that password helps you understand? Which of Jasson's machine was this entered on? And someone might say, oh, but I have fingerprinting and I have this. And it's yeah, you have a tool bag of probabilistic things that you bring to bear that give you levels of confidence that may or may not be right.

Ashish Rajan: Yeah.

Jasson Casey: But if it's device backed, the only way to fool device backed is to compromise the foundry at the silicon itself, right?

Ashish Rajan: Yep. It's an interesting point because I was thinking about. The trust workflow has changed its definition as well. And to your point, hardware, at least for the current version of AI we are living in.

That's probably the only trust boundary where you can [00:39:00] start, and at least before it becomes a problem, the true shift left, as people may call it. If you picked it up in the beginning, rather than trying to wait for, oh, now Ashish moved, so now I need to validate, now I need to do this.

But if the initial conditions are already valid for the trusted device, it's within that zone of trust that you have already established as an organization, the trust level is already higher. So this is an interesting point

Jasson Casey: actually. So you said if you've already established Yeah. When you move to device bound identity there's a dis, there's a distinction between enrolling the device and the device asking for something, running a transaction. So where I'm going here is continuous. Okay. But when you enroll a user traditionally with a password or you enroll a, a workload Yeah. With a, with an API token.

Because that token largely is the bearer of that token must be, the winner of the Willy Wonka ticket, right? It must be Jasson. You don't really have a way to say, this is Jasson on this computer. This is this and this. When you use device bound. [00:40:00] When you enroll a device bound credential, there's a very specific ceremony that happens.

It helps you understand this person on this device with these constraints now has a credential. You think of a credential as like a certificate, but there's a couple extra signatures on it. Okay. That are useful for some technical reasons. And just because they have that secret or just because they have that credential does not authorize them for anything.

Anytime they want to go do something. They have to prove they can use that credential as part of doing the thing. So continuous reauthorization almost gets baked in. So when you were talking about, you initially established this trust, and then the thing that keyed me off is in a device bound world, there is an initial enrollment.

Yeah. But then there's also transactional usage. And because it's device bound and signature based. Every transaction is a new signal where you can say, oh, it's still this person, it's still on this device, and I, and here's [00:41:00]deterministic with these controls, and here's deterministic proof.

Interesting.

So let's talk about workload changing. Yeah. Let's say I have a let's say I have a very specific model. I've got this workflow and the model's now alive and it's doing a thing. And let's say the model's gonna be alive for hours doing things for maybe more than one person. Model integrity.

How do I know if the model changed? How do I know if someone went in and wiggled a weight to get the outcome that they wanted, not the outcome that I actually wanted. Yeah. With device bound identity, when you actually know who on what device with what posture, we dig into that posture, what that posture actually means is you can do something called measure.

The workload that's actually asking for the transaction. And if the workload changes, the authentication breaks. So go back to that. You're buying a cup of coffee, right? Yeah. Having your phone is not enough, right? You tap your phone and then your phone says [00:42:00] smile or give me your PIN, right? So you have to do that.

Second thing, what's happening under the hood is that crypto processor is basically asking for some additional proof. And the software is feeding in this thing called a feature vector from a biometric, or an HMAC of a PIN. But that crypto processor has an ability to create a very long logical sentence that includes those things, but can also append some other things.

So now imagine you said, hey, I'm gonna measure the checksum of the process. Yeah. Or I'm gonna measure the integrity of the model. And that's also going to be part of the unlock to allow the signature. Or put another way, I'm really paranoid. I wanna know the process. I wanna know all the parents of the process.

I wanna trace it to the loader, and then I want that to come back to the EXE. Then I wanna see how it was signed. Then I wanna see the OEM of that signer, and then all of that can be part of the unlock for the signing. So I'm getting into a lot of details. Our customers never have to see any of [00:43:00] this. They just turn policy controls, but.

You already have this capability.

Ashish Rajan: Yeah.

Jasson Casey: And my argument for anyone moving into the AI world, trying to enable their workforce to build out like custom workflows and these sorts of things, is whether it's us or someone else, any solution you move forward should leverage the hardware and should actually be able to give you an answer.

What user authorized, what workload with what model, on what machine, with what permissions, at what time for how long.

And you should also be able to destroy the machine. Let's be let's use a wild metaphor. Like you should be able to destroy the machine completely.

Ashish Rajan: Yeah.

Jasson Casey: And from the log in a tamper resistant way, you should still be able to reconstruct what happened.

If you expect to keep your FedRAMP compliance, if you expect to keep your government compliance, and I'm sure the commercial compliance regimes will update this over time and run these AI models. You're gonna have to do this, so do it now. Yeah. When things are just getting started and it's actually not hard.[00:44:00]

Ashish Rajan: Interesting. I think I agree, and I also had a second thought about the application workload as well. I guess a lot of the CISOs would think about this from a, if I were to make my application device bound authentication, what would that look like in my cloud workload? Where would my developers be complaining?

Because then there's a whole developer first world that we're trying to go for as well. It's one thing to convince Ashish the employee that hey, stop using MFA go for the device bound one. What about the other half, which is the application identity? Being dealt where we have server identity, we have the application identity itself on the other side.

So we spoke about that customer side. On the workload side of identity itself. How how would that work in this particular, is that still am I gonna be a developer or an infrastructure engineer who has to understand the device or No,

Jasson Casey: not at all. What you have to understand is authenticate transaction log out, right?

So there's an SDK.

Ashish Rajan: Yeah.

Jasson Casey: At a high level, those are really the functions. At a low level it does everything I just described.

Ashish Rajan: Ah, okay. Also, the adoption is the same as they would've done for a cloud [00:45:00] themselves, exactly. Oh,

Jasson Casey: interesting. So we try and design our things to, to look and feel like classic authentication libraries.

Ashish Rajan: Yeah.

Jasson Casey: But under the hood we take advantage of the hardware to the extreme. Interesting. So you don't have to understand it.

Ashish Rajan: Yeah. I think that's what, those are all the technical questions I had, but I think I definitely learned a lot more about this particular space and I think now I need to go back and watch the ad for Apple Pay again.

I was like, I'm like, oh, is that what's happening in the background? It was great for, to explain it. I've got three fun questions as well. Yeah. First one being, what do you spend most time on when you're not trying to solve the identity problems of the world?

Jasson Casey: So unfortunately this summer I feel like all I've done is travel for work.

But I like to cook, I like to read, and I'm really into, right now I'm really into drones and drone detection, drone tracking. So I have a little radar project that I'm building back home. Alright. It's doing something called phased array radar, where you can actually pick up and understand angle of intercept of drones flying around and whatnot.

Oh, I like to build things.

Ashish Rajan: Fair. Maybe have device bound identity, so it's to know [00:46:00] it's your DJI, not your enemy's DJI. Exactly. Oh, fair. The second question, what is something that you're proud of that is not on your social media? Ooh, something I'm proud of not on my social media.

Jasson Casey: So I'm not a big social media guy, but also it's the probably not great with questions. What are you proud of? There's obvious thing, like I'm very proud of Beyond Identity. We built a great product here. I'm proud of the work that I've done in the past. I'm actually a really good cook.

I'm really good in the kitchen.

Ashish Rajan: Oh. What's your favorite dish to make then?

Jasson Casey: You pick the cuisine, and I've got options. Oh, comfort food for me is like Northern Mexican and Tex-Mex.

Ashish Rajan: Oh, yeah.

Jasson Casey: But we, I I figured, so my wife is vegetarian.

Ashish Rajan: Oh yeah.

Jasson Casey: I love ramen.

And she likes the essence of ramen, but vegetarian. And so it took me a while, but I figured out actually how to make a killer shoyu ramen. It's vegetarian. Takes me about four days to make it. It's not four days of eight hours a day. Oh. But it's setup time and letting things set and [00:47:00] whatnot.

So you're doing something a little bit every day.

Ashish Rajan: Yeah.

Jasson Casey: But but yeah, we'll make make a dashi and a and from scratch and then we'll make the the the broth. And I'll do the, obviously we can't use animal fat for the the oil. Yeah. So I'll use, various types of oils flavored with ginger and shallots.

And then I still do a, I still do a meaty a meaty one on the side for me. But yeah, no, that, that was a pretty, pretty fun discovery over COVID to figure out how to do that.

Ashish Rajan: Interesting.

Jasson Casey: Yeah, we make pasta, we make bread from scratch. We've got a pretty big garden at home that she's mostly been running, not me.

I like to eat food. I like, I like to make food. There's a engineering element to food too, right? Like it's Yeah. Yeah. Composition. That's way, and I travel a lot, so I'm always in foreign countries meeting other cultures and the guaranteed thing you have in common because you both have to eat.

Yep. And you both probably have food you like.

Ashish Rajan: Yep. Which kinda is funny. My third question as well, what's your favorite cuisine or restaurant?

Jasson Casey: Ooh, for cuisine restaurant. So what's the situation? Am I on death row?

Ashish Rajan: You can take one cuisine to the island. You're gonna be stuck [00:48:00] for

Jasson Casey: the it's like the Anthony Bourdain question.

What's your death row? Meal? Yeah. It's actually not gonna sound very very refined. I love fresh salsa. And like chips and salsa and an iced tea like that, that just reminds me of childhood. Oh, in like South

Ashish Rajan: Texas? Yeah. Yeah.

Jasson Casey: But no. I like the flavors of kind of South Texas, North Mexico: smoky chilies, smoked chilies, moles. Like at Thanksgiving at our place, and obviously my wife doesn't eat this, but I smoke a turkey that I brined in.

Oh, nice. Like an ancho glaze, and we make mole. So Thanksgiving for our house is smoked turkey with mole.

Ashish Rajan: Oh, nice. Sounds like I should get an invite now. No, but it sounds really amazing, man. Thank you. Thank you for sharing that as well. Yeah, where can people find more about Beyond Identity and about yourself as well, the work you're doing?

Jasson Casey: Yeah. Hit us up, so BeyondIdentity.com, we're on LinkedIn, we're on pretty much all the socials.

Ashish Rajan: And where can people connect with you?

Jasson Casey: Same place. I'm on LinkedIn. I'm actually on X, although I don't, I'm more of a lurker on X. I don't really [00:49:00] say much on X, but yeah, I respond on LinkedIn.

Ashish Rajan: Awesome. All right. I'll put that in the show notes as well. Thank you so much for coming on the show. Absolutely. Thank you. Thanks everyone for tuning in as well. See you next time. Thank you so much for listening and watching this episode of Cloud Security Podcast. If you've been enjoying content like this, you can find more episodes like these on www.cloudsecuritypodcast.tv

We are also publishing these episodes on social media as well, so you can definitely find these episodes there. Oh, by the way, just in case there was interest in learning about AI cybersecurity, we also have a sister podcast called AI Cybersecurity Podcast, which may be of interest as well. I'll leave the links in the description for you to check them out, and also for our weekly newsletter where we do in-depth analysis of different topics within cloud security, ranging from identity, endpoint, all the way up to what is CNAPP or whatever new acronym comes out tomorrow.

Thank you so much for supporting, listening and watching. I'll see you next time.
