Joseph Carson:
Hello, everyone. Welcome back to another episode of 401 Access Denied. Joe Carson, your host of the episode today, and I am the Chief Security Scientist & Advisory CISO here at ThycoticCentrify, and I'm really excited about today's episode. I've got a very special guest, a long-time friend who I used to work for many years ago, so, Art, it's a pleasure to have you on the show. Can you tell us a little bit about yourself and what you do, and then we'll get kind of into the show from there?
Art Gilliland:
Absolutely, Joe, it's great to see you again. So hello everyone, my name is Art Gilliland, I am the CEO now of ThycoticCentrify. Quick background is I've been in the industry now for almost 25 years or so, worked across probably almost every domain except for physical security, unless you count my time as a bouncer in college. But I'm looking forward to having a conversation, Joe, it's really good to see you again.
Joseph Carson:
Likewise, it's been a few years, I think the last time we saw each other, maybe probably during a Black Hat or RSA event I think it was.
Art Gilliland:
I think it might have been a decade ago or something like that.
Joseph Carson:
It probably was. I think actually it was around 2013 or 2014, around that time.
Art Gilliland:
Yeah, I think so.
Joseph Carson:
It's been quite some time, but today's episode, I'm really excited because a lot's happened this year. And one of the things I like to do is just to kind of do a review of what we've been seeing in the industry, what's been happening in the threat landscape, what types of things are happening around in cybersecurity. And then we can, towards the end, move into a little bit more about predictions, because I really like to think about what's happening in the future. What do we need to think about? What threats are increasing? What are the challenges for organizations?
Joseph Carson:
So towards kind of the second half we'll look more around the prediction side of things for 2022. So welcome again to the show. So one of the things for me this year, of course, it's been a continuation of the pandemic. It's been that extension. And we're really seeing the hybrid workforce, we're seeing organizations still having many employees working remotely, some are trying to get the employees to come back into the office and struggling to get them, to at least persuade them. What things have you seen from the hybrid workforce, what areas of organizations have been at risk, and what's changed the environment, basically the working environment?
Art Gilliland:
Yeah, I mean, I'll speak as a CEO of a company that's going through a lot of change. Obviously, we experienced not only the COVID and all the challenges that you have to do there, but also we created a merger essentially of two like-sized companies and brought them together in sort of the April timeframe this last year during all of this pandemic. And I think one of the interesting or really complicated things as you go through that transition is, and we hear a lot about it in the news, is this sort of great resignation of October that we're supposed to be experiencing.
Art Gilliland:
And I think part of the challenge for a lot of companies is you're seeing a lot of movement, a lot of labor movements, you're seeing a lot of people move and the challenge that we have is that you can't... it's hard to rebuild the culture that was there before, because even if, let's say, you lose 10 people and you hire 20, there's a bunch of new energy and a bunch of new excitement that's joining the company but the only thing that the team remembers is those 10 that left because they knew them already.
Art Gilliland:
And so that cultural transition, I think, is making it very difficult because we don't see each other, we don't hang out by the lunch station. We don't get to interact. And so even though there's a lot of new excitement, a lot of new people joining the companies, the memory is only of the people that left. And so it's hard to sort of rebuild in this remote world. And I think the reality is that we are going to be remote for a long time. I'm in the office today, I like being in the office, but I only want to be in the office two, three days a week. I'm not going to be here every day. And I think that's just going to be the norm as we go forward and we're just going to have to figure out how to manage through that.
Joseph Carson:
Absolutely. And one of the things I've seen is even where people are investing in their personal side of things, they're actually investing in home offices, they're investing in making their home a much more enjoyable place to work, because I mean, I've been working remotely for 15 years now, it's been a long time.
Art Gilliland:
You're an early adopter.
Joseph Carson:
It was already adopted. And one thing that I found was that for me to switch during that time where I was not being in the office, because I was rarely in the office in the first place, I was always on the road, so for me the biggest impact was not seeing my colleagues face-to-face, not traveling to events, not doing speaking engagements. For me, that was a big change.
Joseph Carson:
But one thing definitely is, working from home in a pandemic, it's not just you working from home, it's everybody, it's your family, the kids are stuck at home and that becomes... it's more that you're finding that place in your home to work that is quiet, even for myself, even doing things like the podcasts and webinars and even moving to speaking at digital events, which has interestingly meant that where I used to maybe do about 40 in-person events per year, now I'm doing about 70 to 80 digital events per year because there's none of that travel time. So for you, I mean, how has it impacted you having to work from home also with kids and family and everyone around? How has that changed?
Art Gilliland:
Yeah. I think there's positives and negatives, right? So I think definitely the positive is I'm available and around and so my dog is super happy and I think there's some goodness there. I think a lot of us deal with the fact that working from home, a lot of people just hear home, they don't hear the working part of it. And so there's a lot of interrupts that happen but that's true at the office too. And so you deal with that.
Art Gilliland:
I mean, I think it's good now that my kids are back in school and things are sort of returning to somewhat normal in sort of the day-to-day, but to be fair, I enjoy the remote work also. I think the ability to be efficient and see customers all over the world in one day, because if I was going to see customers in Singapore, I'd have to fly to Singapore to see them, to interact with them just because there wasn't a global comfort with being on video.
Art Gilliland:
And look, if there's an upside and I'm sure we'll be able to highlight quite a few upsides from the terribleness of the pandemic, it's that this transition has enabled us to just be way more effective at building relationships and interacting and conducting business remotely, which again, made the world a little smaller and a little closer for people like myself that used to have to fly all over. And so now I can have a meeting in Singapore, I can have a meeting in London and I can have a meeting in New York and I can be home for dinner. And I think that's just good and healthy.
Joseph Carson:
Absolutely. And even for me who traveled a lot, and like yourself, it's trying to stay healthy while traveling was also challenging.
Art Gilliland:
Yeah. I'm not sure COVID has made me healthier. I think I've been drinking and eating more...
Joseph Carson:
It depends. For some it's been good.
Art Gilliland:
Yeah, exactly.
Joseph Carson:
But the one thing I did find challenging as well, doing these digital events though, is that when you were traveling, you would be in the same timezone as the person you're meeting and you would get over the struggle, basically, of the time difference and jet lag. But now, I would be attending for example Black Hat recently, and I would have to be spending 10:00 PM until three in the morning to attend those events, if you're attending live sessions yourself, so there are some pros and cons there.
Art Gilliland:
Yeah, that's not awesome. That's definitely not awesome. And look, I think there's also just not being able to shake people's hand. I mean, we are a social being as well. And so even if you're an introvert, it's nice to actually interact with people every now and then. And so I think there's some level of excitement about being able to start and meet in person. Over the last couple months, I've started traveling more to see customers, and customers are more comfortable inviting you in to their offices and that's been amazing. I mean, it's been great in like the level of excitement to have a business meeting has really gone through the roof.
Joseph Carson:
What's been interesting though, is some of the events I've attended recently, so absolutely, even in the EU we've been having much more freedom of movement, and going to events has been interesting because you've now got different people at events who are, "Don't touch me, stay two meters apart." You've got those who are like, "We'll do fist bumps," or, "Oh, we'll just..." was it kick each other in the foot?
Art Gilliland:
There's definitely an awkwardness in the introduction. It's like, "Okay, are we shaking hands? Are we fist bumping?" You're doing a lot of this kind of, "I don't know what to do." You don't really know what to do.
Joseph Carson:
I've had situations where you're grabbing someone's fist for a fist bump... Awkward moments. But absolutely, I think one thing though, is that we've seen this... I think working remotely and being more flexible is something we've been doing for a long time. And I really, it was a great book that I read years ago, by a guy called Ed McCormick, who'd really seen that we're kind of moving in this direction anyway. And we've seen, from the times of mobility to greater connectivity, to BYOD, and I even call it bring your own office now, as that employee... I mean, most employees who have just changed positions in the past year or a little bit longer have probably never been to the office, they've never been to the... they probably haven't even seen their colleagues.
Art Gilliland:
We did this whole deal and I never met the opposing team face-to-face. I mean, we were on video the entire time and we did the $1.3 billion acquisition of Thycotic. But the reality is Jim Legg, who was the CEO of that company, and I never met. We didn't actually meet until like almost three months ago, two months ago.
Joseph Carson:
That's impressive, how we can do business today.
Art Gilliland:
It is kind of interesting. I mean, look, that's part of the transition that we're working through.
Joseph Carson:
Yeah. And also a lot of this introduces new threat landscape, a lot of organizations in the past, even the past 12 months have seen the challenges of supply chains and the risks where we're seeing even until today, there's major supply chain challenges in either shortages of electronics and chips. We've also seen challenges of logistics and moving things around. We've seen attackers take advantage of supply chains as well, even bringing some countries into basically some type of chaos, whether it being shortage of fuel or shortage of goods in the shop. What challenges do you see? What risks are organization facing as a result of the change in the environment?
Art Gilliland:
Yeah. I mean, I think the biggest challenge we've had is just the lack of real ability to understand if the people that are logging in and accessing the things you need to are the right people. And also the security of the location where they're working. I mean, it's not like it was perfect before, but at least it was somewhat understood and controlled. When you're in the office connecting, there's a way to sort of correlate, should this person have access to these sensitive systems, and literally overnight, over almost like a couple of weeks' time, companies were having to figure out how to open their environments to the outside world and let people log in.
Art Gilliland:
And so I think that is just, it's opened up the aperture for avenues for the adversary to attack us. And so we've had to become a lot smarter at authentication of the people and, as they come in, what authorization should they have? What access should they have? I think companies have had to figure out how to control sort of the blast radii internally. And so, "Okay, this person might have gotten in, they might want to do bad stuff, but how do I at least contain the damage into certain areas?"
Art Gilliland:
And some companies have accelerated that investment and that skillset significantly, and some of them have not. And I think that complexity that's been added to the environments, just makes it harder. And I think that would probably be the biggest thing that I've seen is just the added complexity, the increase of the number of connections from the outside world, the fact that workers are literally exploding into other locations. And so even trying to figure out where your workers are coming from has become more complicated, especially for the super large global enterprises now, because people are all working from home.
Art Gilliland:
And then you have these home environments, now of course some of us have the luxury of having a much more secure home environment and high bandwidth and all of those other things, but that's not true globally, and so in a network, there's a bunch of stuff going on in your house that corporations just would not allow.
Joseph Carson:
Yeah, we did some research late last year, so every year we do some basic research, and last year it was about looking at it from an employee perspective, and it was always the balance between productivity and security. It was really interesting that their fear, employees working remotely, was actually the connectivity and bandwidth problems, because as you say, not everyone has the same internet speeds. If you're in, especially in a rural location, you might have really... How many times has somebody had to, during a video call, turn off the video because it was disrupting the actual audio feed?
Joseph Carson:
So we're starting to see some of the challenges. And also employees, they're at more risk as well because they want to get their job done. They're measured on how well they do their job, not how secure they are, but how well they do their job. And during that research, we found that employees were willing to take risks, to get the job done. And if that meant sharing a password over a basically unsecured channel, like social media or even email or some type of messaging tool, they were willing to do that in order to make sure that somebody could access the application to get the job done.
Joseph Carson:
And organizations no longer have that solid visibility. If employees were doing that in the office, they could see that happening, but they're not. We talk about this, that really now, organizations' corporate network is the public internet. It's basically, that's the means of communication. That's where all the internet communications are happening. That's where employees are working, and now you have to change the way you do security. You can't rely on that perimeter firewall managed network anymore. We have to move to a way that... what can we do?
Joseph Carson:
And this is where I really think that organizations who in the past year, they've accelerated their move to cloud to kind of manage this hybrid workforce and working remotely, but at the same time, this has opened up a major challenge because now they've got all these different types of complexities and less visibility of those complexities...
Art Gilliland:
The complexity that you're talking about. And then there's just the connection and the connectivity and the fact that their systems are being accessed from everywhere.
Joseph Carson:
Absolutely.
Art Gilliland:
And I think two years in now, I think companies have bought and built and tried to create more of that infrastructure. But over the last year and a half, they were all scrambling to try to do it. So I think that's been, that's definitely been disruptive and you see more of that challenge. I think the upside for it is just the level of security awareness that has gone into the ... At the highest end of the most sophisticated enterprises, they've been paying attention to this for a long time because they have the resources to be, to have the luxury to do that.
Art Gilliland:
I think what we've seen more in the more recent past is that sort of that mid-market, that upper mid-market of the company sizes, have just invested a lot more of their energy and their IQ into, "Okay, how do I operate in this new world where digitally or otherwise I might be more vulnerable?" And I think that's been a big, obviously a big uplift to the security vendor industry, but also just, I think it's better for society if the companies are taking it more seriously.
Joseph Carson:
Absolutely. That kind of takes me to one of the areas I've seen and it's that I always look at what do you, as you are doing that digital transformation, you're accelerating to cloud, and I've seen a lot of organizations as well where they've simply opened up to keep their employees productive, they've opened up RDP to the public internet and still only being protected with a simple password, to allow accountants and other employees to do work.
Art Gilliland:
Yeah. Not awesome.
Joseph Carson:
It's not. And I've seen from a ... I've seen companies become victims of ransomware, and we've seen in the past couple of years, cyber criminals, they're really specializing. They're not trying to be the Jack of all trades, they're not trying to do everything. What they're saying is, "I'm going to specialize. And if I'm a specializing encryptor, I'm not going to use it, I'm going to make it an affiliate program, just like a channel, and I'm going to give it to people." And that's what we saw recently with the REvil criminal gang, basically we're seeing some of their affiliates being arrested through coordinated police efforts. So how much of the specialization are we going to continue seeing?
Art Gilliland:
Yeah. I mean, look, there's so much money being made now in that part of the world. As our lives went digital, all of our sort of financial also elements went digital and so crime just followed it. And I think what we're seeing is that it's a marketplace. And so as an entity, as a company, we're kind of fighting against market forces here. And so, yeah, let's say we hire 5 to 10 people, in a company our size, we're about a thousand employees, we probably have about that many working on our security infrastructure, the reality is my 10 folks cannot compete against a marketplace where every single step of the attack chain is being specialized.
Art Gilliland:
And so literally my person who's trying to protect us is competing against someone who's the best in the world at that one thing. And they're monetizing that skillset, as they should. And you see some vertically integrated adversaries, typically government agencies, entities or the true cyber criminal gangs, but in general, it's a marketplace. And you see it even show up in some of the nation-state sponsored attacks, they're using just off-the-shelf tools to gain access or do research or whatever step they want to augment in their own attack chain.
Joseph Carson:
Absolutely. Even they're starting... they use mercenaries.
Art Gilliland:
Of course they do.
Joseph Carson:
Cyber mercenaries and ...
Art Gilliland:
That was true in like the spy world, and now it's true in the cyber-spy world.
Joseph Carson:
Yep.
Art Gilliland:
Right. They're just going to...
Joseph Carson:
We'll let you carry out your criminal activity and profit from it, as long as you do some work for us, as long as you give us some favors back. And it also keeps that attribution side of things more difficult. How can you attribute?
Art Gilliland:
Yeah. It makes it really hard.
Joseph Carson:
And one of the things as well, just in addition to that, I read a fantastic article recently, as we were talking about the supply chain, you've got those who specialize in creating encryptor, those who specialize in gaining the access and selling the access, you've got those who... Even help desk. We will give you the help desk to help communicate with the victims, because you may not be in the same language, you may not be in the same timezone, so we'll facilitate that for you.
Joseph Carson:
So there's this whole production line of criminal activities and expertise such as... It's a criminal marketplace. The one I recently read, which was really interesting, which was an article from Joseph Cox, on VICE and Motherboard, and he introduced basically a new element where basically, because not all criminals may be native English speakers and one of the best ways to gain access to organizations is through social engineering. And what you're now starting to see is basically social engineering through basically voice bots. So where we've had DDoS bots, we've had different types of bots, whether it being denial-of-service, whether it being access bots or deployment, we're now seeing voice bots, which are providing basically automated voice...
Art Gilliland:
Automated translation or being able to... Yeah, so they can access more of the world.
Joseph Carson:
Absolutely. And there is a service you can go and buy online. You can enter your own text in. And the challenge is that in the industry, organizations have gone that way to do their basic automation. So for people to receive a social engineering voice bot, it's not uncommon for them to get something like that from a traditional kind of organization. And it's so authentic sounding, these things are really putting in the fear that your account has been compromised, make sure to verify, "To stop this financial transaction from happening, please basically enter one, put in your two-factor authentication PIN and we'll prevent that transaction from happening." But in the background, what they're really doing is stealing your 2FA code.
Art Gilliland:
Yeah. I mean, look, social engineering has just become more extreme as it's professionalized, right, they're just better and better at it. I mean, I think one of the things that I find interesting about this is obviously there's a lot of discussion around what are the major economies going to do about it? How do we create a treaty with Russia and China and others? And that may be possible. I'm somewhat skeptical because we've been spying on each other for centuries and I think that's going to continue.
Art Gilliland:
But I think the thing that cyber has done is it kind of levels the geopolitical landscape a little more because it used to be that only wealthy companies had the ability to invest in the sort of makings of war. But now you don't have that. You don't have that same hurdle. You don't have to spend billions and billions of dollars to become effective cyber, a cyber force. And so I think it's going to change sort of the geopolitical landscape and give I would say poorer countries that may or may not have the same heft in negotiating in the other way, just a lot more, a lot larger seat at the table.
Art Gilliland:
And so it's going to be an interesting... it just changes the dynamics, right? So even if we can agree with China and Russia and others around sort of what the rules of cyber are going to be, it doesn't mean we're going to be able to convince North Korea or convince Iran or convince Turkey or African countries that may invest further in this capability, what they should or shouldn't do in the cyber scape as they try to fight for resources. And so I think it's going to make the world that we engage in just a lot more diverse in how we think about trying to do treaties and trying to do cyber crime fighting and managing cyber criminals.
Joseph Carson:
Absolutely. And that's kind of one of the things I'm always worried about is that we've seen so much uptake in those cyber mercenaries and cyber organized crime who are attacking from countries where there's no, let's say, legal boundaries. There's no basically collaboration or transparency. And what we started seeing is for countries to try and defend themselves, they're now investing in cyber offensive capabilities. And this is where you start getting into, "Well, who is it okay to attack back? When is it okay to do offensive attacking?"
Joseph Carson:
And for me, it's always a concern, and we've seen a lot of countries, and it's clear that one is, no country can do this alone. It must be a collaborative, working-together, transparent effort to hold countries who are providing safe havens for cyber criminals accountable, to make sure that there are fewer places for them to operate from. So what we're seeing around regulations are new compliances that are really trying to move in this direction. We've seen a lot of things like EU GDPR, we've seen Cyber Essentials, we've seen NIST, we've seen the recent executive order from the administration of the US really starting to take a kind of hard line against cyber attacks.
Art Gilliland:
Yeah. I mean, look, I think there's kind of stages that they're going through. One is they're pushing that responsibility on us as enterprises to take it seriously and invest. And the risk trade-off that we would've taken before, they're just essentially making it cost more if we don't follow through on our duty. And so there's some element of increasing the bar. I've never been a huge fan of regulation, primarily because it's just a bar and people think once they're there they're safe, like, "I had PCI," or, "I had GDPR." And the reality is it essentially is the low bar in security and so you've reached that, and if you think you're done at that point, I think it's a fallacy.
Joseph Carson:
It's a check point, a measurement, of time.
Art Gilliland:
It's just a point of measurement. And it definitely brings the whole industry up a bit, but it's still a low bar.
Joseph Carson:
Yeah. It's like taking one measurement of the temperature per year and then trying to predict what the weather's going to be like all year round. What clothing should you wear in winter if you're taking the temperature reading in the summer? It's going to be different.
Art Gilliland:
But I think it's positive and we need to do that. But I also think there does need to be more government-specific action to protect our environments, protect the infrastructure. I mean, if a foreign country blew up an oil refinery, like physically blew up an oil refinery, planes would be flying and bombs would be dropping, but when you blow up global transit, like the cyber crime that took down Merck, or Maersk, sorry, Maersk. What happened? And so there's...
Joseph Carson:
Nothing for months.
Art Gilliland:
Nothing, and candidly, did the countries that were dependent on that sort of react in an aggressive manner back? I think it's hard to tell. And I think that that lack of consequence makes it very difficult to deter the behavior, which is why I think cyber crime is so rampant also: if you can sit in your basement in your PJs and make $500,000 in 10 minutes, and the risk of having somebody bust down the door is minimal, I think that it just creates incentive, in particular in some of the countries that don't have the economic opportunities that others might have. I mean, it's almost unavoidable.
Joseph Carson:
Yeah. I mean, I want to move into a little bit more of the prediction side of things. So one of the things we talked a bit about was identity, and organizations struggling with the whole BYOD side of things. And one thing that I've seen is I always try to look at what things do you still have control of? What are the artifacts or the assets and resources? As more employees are using their home networks, using their BYOD devices, they might get an allowance to buy a device, but you may struggle to manage it, or you might be partially managing it. So for me when I really look at this, it kind of brings me back to even Estonia, because in Estonia, basically from the ground up, we built a society around a digital identity.
Joseph Carson:
Digital identity is the common piece that basically brings all of society here together. It's how we basically do voting. It's how we pay taxes. It's how we use public transportation. It's all tied to that. So for me, identity is what organizations still have control of, whether it's on premise, cloud, BYOD, SaaS, developers, third-party contractors, full-time employees. And then the security control is the access to that. So for me, I really see identity as being the new perimeter, the perimeter we still can control, and access is where you apply the security controls to. What's your thoughts around identity being that perimeter and security being ... ?
Art Gilliland:
Yeah. I mean, we're hearkening back to the Jericho Forum, obviously, and, "The firewall is dead, long live the firewall." Look, I am a believer. When I started looking at what spaces in security I wanted to work in next, I think there are two that I think are super interesting for me personally. One of them is identity security and the other is information security, so almost like DLP v2, if you will.
Art Gilliland:
And I think the reason that I think those are the most interesting personally is, as more and more of our companies' and our customers' infrastructure goes into cloud and/or SaaS, we are essentially operating our entire business in someone else's infrastructure. And so if you look at ThycoticCentrify, for example, our front-end CRM system is Salesforce, our financial ERP system is NetSuite, our HR system is Workday.
Art Gilliland:
And so almost all of my core business processes are operating in someone else's infrastructure, in someone else's application. And the only things that are mine, quote unquote, in that are my users, whether those users are people or machines, and my information that's there. And so the place where I am going to be able to enforce policy, my own policy, I have to accept their policies, but where I'm going to be able to enforce my own policies are on who my users are and what they have access and authorization to see and do, and then the information and what is allowed to happen to it.
Art Gilliland:
And so I am a strong buyer of that. Whether that's going to be the tipping point next year or over the next sort of five years, I think that horizon is coming to all companies over time. And look, we're going to be in a hybrid world where there'll be some infrastructure on premise and some in the cloud, and we're going to find some equilibrium behind that just because of efficiencies and cost and other things. But the likelihood that more and more of our policy enforcement is moving towards your users and what they should have rights to do is inevitable. And so I am a huge believer in that. It doesn't mean that firewalls will completely disappear, but their functionality...
Joseph Carson:
The value that they provide will change.
Art Gilliland:
And the value that they provide, even the value they provide now is de minimis because of how many connections need to come in.
Joseph Carson:
It's the same with VPNs. We've had this big discussion, people have been saying, "VPNs are dead." And I'm like, "No, the use case is different." It's no longer about giving you access to a specific network. It's about providing privacy to the communications that you have as well. It's about providing some type of control over basically the flow of data. So I think we have to change and look at that the values might be slightly different and the use cases becoming different as well to what they were originally.
Art Gilliland:
Yeah, I think that's right. And you have to be able to watch that data. You still need a place to enforce it, but that place has to be separate from the location that you sit at, right, and so is it a new kind of gateway or policy enforcement location? Because you used to have to enforce it on the endpoint. You still have to have those physical locations, that sometimes that physical location is just sitting in Amazon with somebody else's application.
Joseph Carson:
Someone else's hardware, you're just renting the computer.
Art Gilliland:
It's totally that. And someone else's application, whether it's a CASB or a proxy, I think it's unlikely to be a firewall, but architecturally it'll probably be one of ...
Joseph Carson:
That was an interesting one here at Estonia, because we had that challenge post-2007, where becoming the... it was the data embassy became the new concept because Estonia didn't want their sovereign data of the citizens being in someone else's geographical location and that way became the data embassy. You talked about the Jericho Forum and I've had tons of decentralized identity and all of those things. And in the past, from the Jericho Forum, we've had a lot of discussion around things like you bring your own identity, the organization will provide you entitlement to the identity you're bringing in. It's a bit like what we're seeing today, where application identities and passwords, it'll have single sign-on and then that will be basically entitled and then all the organization provides basically is authorization and access to specific data ... kind of bring your own identity or ...
Art Gilliland:
Yeah, look, I love the concept of it. I love the idea of it. I think the challenge is who's going to own it, right? And I think you see a battle for it today in the enterprise. And actually, Microsoft, a long time ago, if you remember almost a decade ago, they came out with Passport and what that really was, in my opinion, was an attempt to create individual identities that then you could federate, you could use them, you could bring your own and you could have a passport.
Art Gilliland:
And you see Facebook and Google and others that have sort of this user idea or Art Gilliland's identity and then allows me to log in to other places. And so I think there is an attempt to sort of build out that and I think Passport was a failed attempt at it. But I think Azure AD is probably a more mature, better option for companies. And so whether it's Azure AD or Okta or the new Auth, a kind of open source model that allows you to have your own identity, I think at some point it becomes necessary. I think we're at least a decade, at least away from it.
Joseph Carson:
Yeah. I think the challenge is always going to be who maintains the root of trust?
Art Gilliland:
Yeah. Who has the root? Is it Microsoft? Is it Okta? Is it Google? Is it Facebook? And then how trusted is that identity if you're Goldman Sachs or you're Santander Bank?
Joseph Carson:
Yeah. Do you come in at the same level?
Art Gilliland:
Yeah.
Joseph Carson:
Do you come in at the same level or do you need to level up, providing more security controls depending on the type of data you're accessing?
Art Gilliland:
Yeah. And maybe, Joe, what happens is you bring sort of your base Art Gilliland identity, and then you get re-verified at your place of work, and then you add on privileges that you have to do a second factor for to get there.
Joseph Carson:
Which is what happens here in Estonia, that's exactly it. If you log into the bank and you want to, let's say, move across to the tax authority system using that same login, you might have to level up, depending on what you're accessing. If it's just view, it might be okay but if you want to change something, you'll have to provide more security controls.
Art Gilliland:
Yeah, and look, I think what we're going to need is just stronger levels of escalation and open source around that. Maybe it's SAML2, maybe it's OAuth, whatever standards that we can do because otherwise you can't do single sign-on across entities because there has to be some credential pass.
Joseph Carson:
There has to be some type of authentication exchange.
Art Gilliland:
Otherwise you're doing it again. And look, I think OAuth is probably a good one. I think SAML2 maybe because it lets you see levels of authorization, so it's not just on, off. Again, we'll see.
Joseph Carson:
Absolutely. So I want to move to my next prediction. My next prediction is around hacking eSports. So I find it really interesting. We've seen a lot of the gamification of hacking turning into... there's a lot of gamification platforms where you can actually go and you can do capture the flag events, you can do educational learning. I think it's a great way for people who want to get into the industry to ramp up their skills and to learn new techniques.
Joseph Carson:
But what's really happening, I think it was around the past year I attended a couple of events and one I attended earlier this year was ...Con, which for me was amazing, because what they really did was they really launched the idea of hacking eSports, that you will spend... I sat for probably a day watching the likes of John Hammond and Joe Grand and others and friends basically just hacking and watching them hack. And of course it was in a gamification style. What are your thoughts on this becoming an eSports world? Just like you have UFC, Ultra Fighting Champion, and other boxing, do you think that in the near future, this will become, just like gaming has with streaming, will become a new sport?
Art Gilliland:
I mean, look, I have 15-year-old twins and it's amazing to me how long they'll sit on YouTube and watch someone else play video games. And it's changed a little bit now, but when my son was like 10, holy cow, I think he could spend hours watching somebody else play a video game. It's possible. Look, I can't think of anything more boring. They're going to have to find a way to sex it a bit to make it really interesting to watch, but I have hosted and participated in capture flag kinds of events and sort of war gamey kinds of things or hackathons, and it's inevitable that people that are excellent at that, aren't going to be sort of glorified, right? And so there are some sort of big names out there of people that they would just love to watch them work and watch them go.
Art Gilliland:
I think there's the technical aspect of it. But as you know, a lot of like really high-quality hackers are just great social engineers and they just are good at managing human nature. And so if you can find a way to sort of create a game around that and create some sort of excitement, tension, that people will want to watch, I think it's such a big part of society now, I think it's inevitable that they'll find a way to sort of turn it into... We watch The Bachelor, we watch Survivor, we're going to watch some sort of live hacking where the geeks inherit the earth and we're starting to make multimillionaires out of television personalities that are hacking for a living.
Joseph Carson:
Absolutely. Even myself, I follow quite a few of them just to kind of keep my skills fresh and I'm watching and learning, and I find it fascinating. I think the one, watching Joe Grand's, who we know for years, that just watching him doing hardware hacking and just kind of his thought process and seeing what he was doing, was so fascinating.
Art Gilliland:
What I think is so amazing about these folks is they just understand how the system works so well, that they can identify the potential places for risk just because they're so deep in how the process works. And look, these folks are geniuses in general and their knowledge of a domain, a specific domain, even the 15 and 18-year-olds, just the depth of their knowledge of how networking works or how these hardware systems work or how just software works in general is truly extraordinary.
Art Gilliland:
And so I think from that perspective there'll be people like you and me that are geeks for the space and love it, that are just overly impressed with them because of just how extraordinary they are. But it's possible. I don't think I'm going to be watching it on ESPN but maybe.
Joseph Carson:
You might be surprised.
Art Gilliland:
Look, maybe. It's amazing to me that people will watch the Secret Singer or whatever that crazy show is, where you get famous singers that put these big, stupid costumes on. People watch it.
Joseph Carson:
Yeah. It's been popular here in Estonia and people are watching it. And I can relate, my son as well, he will watch hours of just watching others playing Minecraft or other games and it's just fascinating. One of the next predictions I've got as well is around Zero Trust. From the executive order, we've seen a lot of emphasis on it and I think everyone has different opinions of what Zero Trust is. And for me, one thing it kind of... It's not something somebody can just simply ... a piece of software that says Zero Trust on it and you're done. It's not something that you simply check off and you're finished with.
Joseph Carson:
And I was at EIC a few months ago and I listened to Brian from Yahoo. And he mentioned the best term. I was just sitting back, it was during a Q&A and he said, "Zero Trust, it's basically, it's a mindset in how you wish to operate your business. It's something you go on that journey, it's how you practice security. It's not that you put it in places of control, it's how you practice it." I think Zero Trust will become a more focused topic in 2022, but what are your thoughts around that area?
Art Gilliland:
Yeah. I mean, look, I think Zero Trust is going to become a security norm just like Defense in Depth became a security norm and it'll mean a bunch of different things for the companies. But I would agree with Brian that, look, what it is, is it's a way of having your environment work. It's a way of sort of believing and sort of philosophy of what you want to try to do. And it's an embracing of essentially least privilege, this idea that you want people to have access to what they deserve to have access to and nothing more.
Joseph Carson:
Yep. Based on ... starting point.
Art Gilliland:
Yeah. I think that the trick for all of this is how do you make that as seamless as possible? How do you make it a curated experience for your employee to say, "Okay, welcome in the front door, Mr. Employee," after you've said who you are, and then the hallways that you're allowed to go down and the rooms you're allowed to go in are just open for you. And it feels like you have freedom to move around, but your environment is curated. And then if somebody different comes in, their environment in the same sort of structure is just different, they have a different pathway and different rooms they can go in because of their rights, but you have to be able to make it that seamless over time. I think that's the directional vision.
Joseph Carson:
It's how you automate as much as you possibly can.
Art Gilliland:
Yeah. And how do you know what those pathways should be? I think the biggest challenge is we've had this sort of rules-based access, we've had a lot of these theories before, but wow, are they clunky. And so as an employee, you come in and okay, I'm a new employee, I'm the CEO, what should I have access to? Should I have access to everything? Probably not. There's a whole bunch of stuff I never need to see. Why would I ever have access to a data center? I don't do anything in the data center except for visit. And for that, I could actually be walked in by someone who ... and leads me out, otherwise my badge should just never open that door.
Joseph Carson:
It reminds me, years ago we talked about, from one of this kind of really the boom of virtualization side, and we went from persistent machines to non-persistent machines, which then you had... And the way I see it from a privileged perspective and Zero Trust, and I wrote the book Least Privilege Cybersecurity for Dummies, which has been a great book. For me, it was about moving from persistent privilege to non-persistent privilege.
Art Gilliland:
To Zero Standing, yeah.
Joseph Carson:
To Zero Standing Privilege, where you do just on time, on demand.
Art Gilliland:
Well, and that way, if you steal my account, for some reason you trick me into giving you my password, you don't get access to all the things that I have. You might get access to the basic stuff but the really important things, I only get access... I only get privilege for that, or I only get authorization for it at that time and in certain circumstances. And I think that kind of environmental, again, more deeper, deeper embracing of least privilege, I think that's going to be the maturity curve that people go down. You start with sort of, "Okay, let's do two-factor, which is kind of ... stage now."
Joseph Carson:
It's the whole point I think is that you implement security controls that have Zero Trust enablers. That's really what we're thinking about. That's kind of, when you're thinking about putting in a process or policy in place is what things that help you put those controls that give you, enable a Zero Trust posture on that specific challenge.
Art Gilliland:
What's difficult about it though, Joe, is every vendor in the security space has named their product Zero Trust something. And it's because all of the surveys tell us that not 70 to 80% of companies have budget for it and the education about what it is so spotty that companies and executives that are focused on manufacturing or focused on building cars or focused on... they're not going to educate themselves on Zero Trust. And so they're looking for check boxes. They're looking for sort of hit... They just want to, "I want to make sure I do Zero Trust. Okay. Zero Trust is the law of the land. Zero Trust. Make sure I buy some of that."
Joseph Carson:
So for the audience listening to this, I definitely recommend if you go back a few episodes to episode 39 and listen to the Zero Trust Fundamentals with Dave Lewis, it was a really fun episode. I definitely recommend going back and listening to that one. One thing I've got, the last thing before we kind of finish up and do a summary, is what are your thoughts around the cryptocurrencies side of things? I have a prediction that we're going to see regulation in the near future because we're also seeing the EU coming up with the EU digital currency as well. I believe that cryptocurrencies will be the future, but you have to have some type of regulatory kind of controls of them. So what are your thoughts around that?
Art Gilliland:
I think governments are running scared from cryptocurrencies at the moment because you lose control of your monetary policy. And so it is inevitable that we are going to see regulatory pressure because governments are losing their, quote unquote, financial sovereignty based on the rise of this and the fact that you can transact a lot of it. And so I think we're in for a bit of a rocky road in that. I think they are inevitable. And what I personally love about them is that it's a great equalizer across and to not have to do translation when I'm in France or in Estonia or the US or Denmark or all these places that have different currencies, being able to standardize on that again makes the world more connected.
Art Gilliland:
And I think that's a very positive thing, but I know it scares the heck out of individual governments that are going to lose sovereignty over their own monetary policy. And so I think there's going to be a lot more regulatory pressure. I think it's inevitable that it will be regulated at some point. What I would hate to see is government-owned currencies like the EU digital currency, I think that will not be awesome. We already have that, it's called a euro and it's called a dollar.
Joseph Carson:
For me, when I travel, the currency, I don't have to handle cash anymore. I haven't had to handle cash in years. I rarely have it in my pocket. So what's the difference other than anonymous transactions?
Art Gilliland:
It's anonymous. I mean, I think that also has its downfall because it can be... there's a bunch of other challenges that come with that. But I think the reality is, I've been using digital currency, I would prefer to pay with my phone or my watch or my credit card. I do carry cash, but literally I take it out, I put a hundred dollars in my wallet and it sits there forever. And so it's especially now with COVID where all the restaurants and locations are going cashless, they don't even want to touch your money.
Joseph Carson:
It's a health risk these days.
Art Gilliland:
It's a health risk now apparently. And so digital currencies can save us from COVID apparently. So, look, I think it's inevitable. I think regulatory pressure is inevitable and so we just need to move to embrace it. And the digital currencies that back something meaningful like helium or they back something actually meaningful, I think that is...
Joseph Carson:
There's a tangible asset kind of value there.
Art Gilliland:
Yeah. There's a tangible good that it's creating. And I think that those kinds of... It's better than some of these bean coin kinds of things that are just silliness, speculative silliness. But I think...
Joseph Carson:
I guess we're going to leave NFTs to another conversation then. Art, it's been a pleasure having you on. Any final thoughts you would like to share with the audience before we kind of wrap it up today and any thoughts you would like to share?
Art Gilliland:
Yeah. I mean, I think, look, thank you, one, for having me on, Joe. It's been a pleasure talking to you. I always enjoy it. I think the conversations are smart and interesting so thank you for that.
Joseph Carson:
It's been a pleasure.
Art Gilliland:
And look, as we go off into this next sort of phase of work, I think it's going to be interesting to see what happens with not only the cyber crime part of it and the fact that we're sort of just digital and out there now and interacting across boundaries with really no perimeters around us, which I think drives more value for the kinds of technologies that focus on identity and information security. But I also think just the cultural aspect of not being together in offices and how we change the way that we build relationships at work, I think is going to be significant.
Art Gilliland:
I mean, forget the whole security part of it, that piece at the beginning, talking about how do you build culture when new people come in, how do you build that company connection, is going to be radically different. How do we change the way we recognize skill and delivery and provide promotions? Because it really goes counter to human nature where you kind of create a tribe, you know those people, you promote the people you know that execute well, and there's a level of trust. I think there's a whole bunch of new management skill sets that need to be learned because of COVID and because of the way we're working now, which I think is kind of a new horizon for us as well, so.
Joseph Carson:
Absolutely. I'm excited for the future ahead, so it's an exciting time for sure.
Art Gilliland:
It's an exciting time and there's lots of learning, so.
Joseph Carson:
Absolutely. So Art, it's been a pleasure. Hopefully this won't be the last time you'll be on the show. Hopefully.
Art Gilliland:
I would be happy to come back, Joe, thank you.
Joseph Carson:
In the future. So for the audience, again, many thanks for staying with us throughout this episode. We were really taking just a look back on the last year. What's changed? What's been happening? And just giving you a little bit of an outlook on some of the predictions and where we see some of the trends going. So Art, it's been fantastic. Thank you for joining me on the show. For the audience, tune in every two weeks. Subscribe, go back and listen to previous episodes. I definitely recommend the Zero Trust Fundamentals, that was definitely a fun one. Stay safe, and I will see you soon and speak to you soon. All the best.
Art Gilliland:
Cheers, everyone.
Joseph Carson:
Bye.