The Stack Overflow Podcast

Zero trust with zero problems

Episode Summary

The home team chats with Alex Bovee, cofounder and CEO of identity access management company ConductorOne, about balancing security and productivity in developer workflows, why tech companies have shifted everything left, and the logic behind zero trust.

Episode Notes

Alex and cofounder/CTO Paul Querna started ConductorOne because they saw that traditional identity governance and administration (IGA) and privileged access management (PAM) needed to be rethought for cloud-forward companies.

Before he cofounded ConductorOne, Alex Bovee was a senior director of product management for zero trust and security at Okta.

Read Ben’s article about how computers are learning to decode the language of our minds.

Would you trade an iris scan for some crypto? Sure, what could go wrong?

Connect with Alex on LinkedIn.

Stack Overflow user Matthew Watson earned a Lifeboat badge for helping more than 32,000 people by answering Checking if an array is null or empty.

Episode Transcription

[intro music plays]

Ben Popper With DoIT, optimizing your cloud spend while controlling your costs is easy. By combining intelligent software with expert consultancy and unlimited support, DoIT delivers the true promise of the cloud with ease, not cost. Learn more at doit.com. That’s doit.com.

BP Hello, everybody. Welcome back to Stack Overflow: The Podcast. I am Ben Popper, your Director of Content here at Stack Overflow, joined as I often am by the two members of my Content Team: Eira May and Ryan Donovan. What's going on, y'all? 

Ryan Donovan Oh, not much. How are you doing today? 

BP Pretty good. So today we have Alex Bovee, who is the founder and CEO over at ConductorOne, and we're going to be chatting a bit about security and authentication, when those things can get in the way of developer productivity, and what ideas are for building better versions that are safer and more private, but also can be a little easier to fit into a great developer experience. So Alex, welcome to the podcast.

Alex Bovee Hey, thanks a lot for having me, I appreciate it. Looking forward to chatting with you guys. 

BP So you've started your own company. I know you used to work at Okta which is a service we use here at Stack Overflow. For folks who are listening, just give them a quick flyover. How'd you get into the world of software and technology, and how'd you end up focusing on this specific segment of the industry?

AB I've always considered myself to be a technology enthusiast. I’ve pretty much been in technology in some way, shape or form throughout my entire career, whether that was building software early in my career to technology consulting to working at various startups including Okta. And then most recently how I got into this space was from my journey actually at Okta, which as you mentioned, is an identity and authentication company. I was leading security products there and really saw this challenge around the need to manage authorization and access control for companies. Companies were solving a lot of the authentication problems of who you are as a user and being able to verify that, and then once you figure that out, the next question is obviously, “Well, what are you allowed to do within this application? What are you allowed to do within these different resources that you access?” And companies just struggle with that, and so we started ConductorOne really to help solve that permission management challenge and there's a lot of different aspects to that problem. 

RD I think security has been on everybody's mind lately. Everybody's shifting left the security into the software development lifecycle. But I absolutely run into issues where I can't get in and do my work because of some security issue. I’ve got to get a two factor authentication, maybe my phone broke or something. How does security get in the way?

AB So I think in general there's always been this trade off and tension between security and productivity, and I think that harkens back to the idea that that had to be a trade off. If you wanted to make things more secure, the best way to do that was to obstruct and to challenge and kind of get in the way. And I think what we've realized over the last really 10 years is that employees and users will just work around technology if it doesn't work for them and they'll work around the security solutions that you put in place. And I think there's been actually a pretty big reckoning industry-wide at this level of if we're going to put security products in place that just make everyone's lives harder, people just aren't going to use them or are going to find ways to avoid them. So in the context of what you're saying, Ryan, I think there's different patterns and approaches that companies are taking now to make sure that security doesn't get in the way of productivity. One is making sure that you're just buying products, first of all, that actually delight users and have better experiences and solve the problem without actually getting in the way. The other is this idea of shifting left, which is actually, instead of solving the problem at the detection and response point, shifting that more towards how we prevent this from becoming an issue in the first place, which then obviates the impact of a security response in the first place and makes it so you don't even have to experience some sort of disruption to your workflow. I think there's a lot of dimensions to that problem, but I do think in general, companies are waking up to the idea that you can't deploy security products that make people's lives harder. You kind of have to figure out ways necessarily to balance that. 

BP Right. I've heard the old aphorism that you can have it two out of three: better, faster, cheaper. What do you want? Pick two and I'll do it but you can't have all three. And you're sort of saying that people used to say the same thing about security, but it doesn't have to be that way. You can have your cake and eat it too when it comes to security. 

AB I think absolutely that's the case. And actually we see the walls breaking down even organizationally. So one of the things that we observe sometimes that I think hints at this change is that we see a lot of organizations where the IT team reports into the security team. And I think in some ways that's almost this nod to, “Hey, we need to be productive, but we also need to be secure. We need to make sure that we're automating as much as possible from a technology engineering-first perspective.” So I think there is a recognition of that being an issue and I think that increasingly what you're finding is people are addressing maybe some of those traditional friction points with automation, they're really balancing and thinking about the user experience impact of what it is that they're doing, and then they're making sure that they are judicious about how they balance the rollout of those technologies and solutions.

Eira May Another aphorism is the best security solution is the one that people will use, which I remember being something that I kept in mind. I worked at Auth0 before they were acquired by Okta. That was actually the role that I had before I moved over to Stack Overflow, so I wrote about a lot of these concepts of identity and access management from the perspective of solving business problems. And I think one thing you were saying a minute ago that I wanted to come back to was this idea of having IT teams actually roll up to security teams and how that's sort of a reflection of this shift left attitude. Could you talk a bit more about that? 

AB Yeah, definitely. I mean, I see it definitely in a lot more tech-forward companies– that is, a lot of the companies in the 7x7 is what they call it in the San Francisco area, obviously in the Valley as well. But I think what you see is that strategically IT is becoming more than just help desk. It's actually becoming sometimes the place where maybe attackers are targeting, because when you look at things like credential enrollment or credential recovery, those are places where you can actually attack the authentication cycle and get access to someone's account. So I view that organizational change as a recognition that the productivity and security concerns are inextricably linked, and the idea that IT is just help desk is obviously incorrect, and it's really that IT is an enabler of the business, and how you enable the business means you also have to do that in a secure way. And so I think that organizational shift, I don't see it everywhere, but in the places that I do, I think it's a recognition that IT is about enablement, security is about keeping things secure, and you really have to combine those two things together to get the best outcomes for your business. And other times you see IT rolling up to finance and what you end up seeing is a little bit of a different focus. You see the focus on help desk, on automation, on SaaS license recovery, more of the financial aspects of how IT can enable the business and the cost of it. And every business makes their own choice in terms of their priorities, but I think it's very interesting when I see IT roll up into security because you see that focus on the balance between productivity and security versus just IT being a cost center.

RD So I heard a lot about zero trust security. Everybody's trying to get their zero trust, zero trust. What exactly is it, and do you think this is a good way to solve some of these security problems? 

AB Yeah, definitely. So I think the simplest explanation of zero trust is that you should not take trust signals from a network. So what does that mean? That means, in the old world you used to log into your corporate network maybe via VPN, or when you showed up to work you would plug into the secure WiFi, and that automatically granted you some amount of trust within your corporate network. It meant you could access different resources, you could access different systems, machines, and so forth. And the fundamental shift is that when all those resources moved outside of the corporate network into the cloud, you kind of lost this ability to provide a security signal based on being on the trusted network, because now the network is effectively the WiFi, it's the internet, it's the Starbucks WiFi. 

BP You're saying the physical proximity, getting through security, getting to my desk, being in that building meant that I had passed some sort of security check and then logging into that network is maybe a second there and so that was good. 

AB Yeah, exactly. Or even remotely logging into it via VPN, the idea was that you had some authentication scheme associated with the VPN access and a VPN client and the certificate on it. And so those are all things that you could control the enrollment around and so you could kind of attest to the fact that this user was trusted based on the fact that they were able to access that network. Whether that was good or not I think you could debate a lot, because someone could steal a machine and then log into your VPN. There's lots of things that make VPNs not entirely secure, but that was the idea with the old security primitives of network-based security. And then the idea of zero trust is, “Well, that network security layer is kind of out of the door entirely, so how do we actually secure that world? We have to authenticate all traffic. We should look at devices and user identity to make sure that we understand the device and the user who's logging in. We should manage authorization granularly and make sure that users just have the access they need to perform the job that they need for as long as they need it and then remove it.” And so that's conceptually the idea of zero trust. 

BP A few things have changed for me recently. I went from a lot of 2FA where I was using my phone and occasionally a token to a number of things now offering me biometric. Does that help in a zero trust environment? Again, like you said, it kind of throws it back on the user so now my Chrome password autofill requires my fingerprint, and they added something called passkey or something yesterday, and same for my iPhone. Everything that's stored in the passcode there can use my FaceID, and so that feels like a pretty strong approach. I don't know if there's a stronger approach in your mind than biometric.

AB So a lot of what that touches on at the end of the day is user identity and device identity, so it is that identification part of the zero trust pattern, if you will. And to your point, when you look at things like passkeys and YubiKeys and external hardware tokens that use U2F and FIDO based authentication, those are the strongest, best authenticators. They are non-phishable, they're non-social engineering-able. They are truly the best authenticators you can possibly get. The challenges really kind of evolve once you have those rolled out. It's about enrollment, recovery. You have a piece of hardware now that you have to manage the lifecycle around. Not everyone has laptops that have passkeys enabled on them. Or if you're going to deploy YubiKeys, you have to physically get these tokens out to your end users. So it kind of creates a new set of challenges, but at the security level, to your point, it is the best authenticator you can use. 

RD I remember hearing a while back that there was some sort of AI face app going around that would make you look old or young or swap genders or something. But the rumor was that this was just people stealing face data. Is something like that possible to sort of steal and spoof some of the biometric data? 

AB It's a little bit terrifying. I'm not saying anything confidential here, but I think there was an attack recently on a Silicon Valley company. It was basically done via their help desk and they spoofed the voice I think of the person or something like that. So it was effectively using AI and your ability to rapidly assume identity aspects of someone approximately that feels and looks like them to be able to, in this particular case, I think credential recovery or something like that was the attack vector. I'm kind of murdering the scenario here because I don't have it off the top of my head, but the idea was that they did use AI to actually spoof the voice in this particular context. 

BP I've started turning down voice ID for financial institutions which offer it because that one seems particularly susceptible. I myself, having done a lot of podcasting, know that voice cloning is quite easy. 

EM And your voice is out there, Ben. 

BP My voice is out there. And a fingerprint feels like it has to be done in person. I guess it needs to look at a face in the real world, whereas your voice ID could be coming from a microphone and it won't know the difference. It doesn't matter. 

AB That's right. It is a little scary, though, how prolific these attacks are. I remember when we were just a five-person company, we would get spam text messages “from Alex Bovee” to the employees saying, “Contact me quickly. I have an urgent issue,” that kind of thing. I think it just highlights how easy these attacks are at scale to just target pretty much everybody, and I think AI is going to make that worse in some ways because it's going to be even easier to do more sophisticated attacks where you can clone someone's voice. You can use context from their LinkedIn to make the message more interesting. There's all sorts of scenarios you can use it for. 

BP All right, so get this. This is my book pitch. I'm just going to give it to you since I promised Ryan I would find a way to work in my book pitch. So did you read that New York Times article about this wonderful medical advancement where this woman had a stroke and then she had a deep brain implant, and now they taught this deep neural net to look at her brain activity and then she could speak to them. She was actually thinking A for alpha, B for beta, and then she would spell out the words and she was able to communicate. Are you familiar with this, Alex, or familiar with this concept?

AB This sounds really fascinating, but I have not read this article. 

BP So they created a brain-computer interface, but it required her to have this intense surgery, which she needed because she'd had a stroke and was paralyzed. Her mind worked fine, she just couldn't move her body to articulate sounds, so they'd say, “Think about an A,” and they'd look at the brain activity. “Think about an A,” they'd look at the brain activity. And over time, the deep neural net figured out, “Okay, when I see this brain activity, it's an A.” And then she could build up from there to letters, and then build up from there to words, and build up from there to sentences. So in that scenario you're starting to get to a place where the machine can read your mind a little bit, but you do need to have surgery and you need to train the machine. But there was a paper that came out in Nature this month in October where they had a cohort of a thousand people and they were inside an ECG/MCG, a magnetic and an electric thing that looked at the signals from their brains, so they didn't have to have any invasive surgery– this technically could be a wearable. And they would have them listen to a short story and then the machine would guess what sentence they were listening to and get it somewhere from 50 to 80 percent of the time. So the next security factor, just so you're thinking ahead here, is when the computer can actually read your mind. At that point, I don't know what the next best step is.

AB That'd be pretty game over. The craziest attack I've ever heard of was– oh man, again, I'm going to get this totally wrong, but they patched into the microphone on the device, and based on the sounds the network was making or something like that, you could figure out keystrokes, and it’s just insane stuff, the kind of things that you can do, to your point, once you have machine algorithms going over these kinds of inputs. And effectively what that is is the brain is just making different electronic pulses and you're kind of interpreting that at the machine level to process it into some set of outputs. 

BP Amazing. All right, well maybe blockchain solves this? Does that thing have any utility? Ryan told me they’re using it at the DMV in California. Does that have any place in zero trust? 

RD Some headline somewhere. 

AB I don't think so. I'm very skeptical. There was a minute there where everything was blockchain, everyone was creating blockchain technologies and putting it in their products and things like that. And I think when you just took a step back and thought about, “Well, what is the blockchain? What is the unique value that it provides you?” It provides you the ability to have an unalterable ledger of historical transactions. You just have to look at what is your technology, what are you trying to solve for, and is there value in an unalterable ledger for what it is that you're solving for? And 99 percent of the time when you hear people pitching blockchain, those two things have nothing to do with each other. There's no value in an unalterable ledger associated with the use case that they're telling you about. So that's kind of my litmus test. 

BP I think the pitch was something like that it creates a system where it's easy to generate a token that's completely unique and is something only the person on one side needs to be able to know and remember, and then the unalterable ledger on the other side can use it to ID and let them in.

RD We already have PGP keys, let's just use that. 

AB I was going to say, all that to me sounds like generating a token and cryptography, which we have a lot of technology around. 

BP It's just cryptography all the way down, okay? 

RD It’s all math.

BP Satoshi was just sending an interesting idea to a cryptography mailing list. He wasn't trying to create all this trouble. He was like, “Does anybody think this idea is cool?”

AB I mean, the big question is, are any of you guys in on Bitcoins? Do you have a stash? 

BP Yeah, right. You think we'd be on this podcast if we had a stash of Bitcoins? 

AB Well, I don't know what the most recent Bitcoin price is. 

EM I would say, of all of us, Ben is the most bullish on crypto.

BP I also had the most missed opportunities to be filthy rich, but I missed them all. What about that company that wants to scan my eyeballs so that AI will know who I am in the future? Do you have an opinion on that from a security perspective?

AB Is this the Clear company? Don't they do that at the airport?

BP It's Sam Altman's orb company. 

AB Oh boy, I don't know. I think I know what you're talking about. It's biometrics tied to crypto or something like that. 

BP Yeah, you have to submit to an iris scan which is then put on their blockchain, and that way in the future when you're communicating with people, you'll be able to authenticate that it's you, a human, not an AI version of you.

AB Interesting. I mean, that sounds really interesting. I'm a little bit out though. I'm kind of not in on the idea of my biometrics floating around somewhere in some easily inspectable blockchain that is controlled by a private company. I don't know. 

BP I just feel like that's one of those things where you'd have to be really diligent. The cat's out of the barn for me. I've given my iris over to Clear once and to something else for my fingerprint. I just assume that stuff is on the dark web. What am I going to do? 

AB Yeah, probably. I mean, your social security number too, for sure. Credit card data, it's all there. 

BP It's all there.

RD So if biometrics and all these zero trust things are sort of the answer, what are the best practices to maintain really good security here? 

AB It's tricky to answer that question because I think the reality is that it always changes, and it's always changing based on what the lowest hanging fruit is for attackers. I think Ben's point earlier of moving to strong phishing-proof, social engineering-resistant, cryptography-based authenticators is the next step in the journey. I think there's a lot of companies out there that just started on their multi-factor authentication journey. They just rolled out push notifications or something like that and so they're like, “Wait a second. We have to do more than that, we have to be better than that?” So they're figuring that part of it out, but once you solve the authentication piece, you have to solve permission management, you have to solve credential enrollment and recovery. So it really just depends on, I hate to say it, but the attacks du jour– where are the attacks coming from, where are they going to be coming from in the next year or two, I think that's really where you have to focus from a security perspective. And it's always a little bit of a game of cat and mouse. I don't think there's a single “roll out this solution and you're going to be totally fine.” It's a never ending journey, for better or worse. 

RD It's still going to be coming from botnets on smart fridges.

AB Yeah, or hacked HVAC systems. 

RD So Baton is an open source identity security protocol. Do you think being open source makes security protocols safer or less safe? 

AB I think it definitely makes them more safe. Take, for example, SAML and OIDC as authentication protocols. Without a doubt, those protocols have made authentication and federation extremely secure. And there have been fundamental vulnerabilities found in SAML implementations and things like that, but the reason you're able to find those and address them so quickly is because of the openness of the protocol. And so I think the fact that we don't have 20 different federation mechanisms floating around out on the internet means there isn't a huge attack surface area to attack these different applications from a federation perspective. There's really one or two ways to do it. And so I think without a doubt that makes the world more secure.

BP Cool.

[music plays]

BP All right, everybody. It is that time of the show. Let's shout out someone who came on Stack Overflow and helped to spread a little knowledge. A Lifeboat Badge, awarded two days ago to Matthew Watson for coming on and saving a question from the dustbin of history with a great answer. “How do I check if an array is null or empty?” Appreciate it, Matthew. You've helped over 32,000 people figure that out. As always, I am Ben Popper, Director of Content here at Stack Overflow. Find me on X @BenPopper. Email us with questions or suggestions for the program: podcast@stackoverflow.com. And if you like it, leave us a rating and a review.

RD I'm Ryan Donovan. I edit the blog here at Stack Overflow. You can find me on X @RThorDonovan, and you can find the blog at stackoverflow.blog. 

EM And I'm Eira May. You can also find me on stackoverflow.blog and on social media @EiraMaybe. 

AB I'm Alex Bovee, CEO and co-founder of ConductorOne. You can find me on LinkedIn at Alex Bovee or at conductorone.com. 

BP Wonderful. Thank you for listening, and we will talk to you soon.

[outro music plays]