The Analyst Brief

This week Simon and David take a deep dive look at a recent cyber security advisory that was released by the NSA and CISA recently. This top 10 list covers a range of issues from default credentials, excessive permissions, a lack of networking monitoring and segmentation as well a lack of MFA and poor credential management. Simon and David apply their identity lens to the top 10 and what it may mean for your organisation.

This week Simon and David return to discuss a recent cyber attack against the hospitality chain MGM resorts - that leveraged social engineering, credential theft and more. Are attacks against complex digital entities now standard practice? They also return for part II of the ForgeRock and Ping Identity integration and discuss a recent article by David and a market choice poll by The Cyber Hut.

After the summer recess, Simon and David return for another Week in Identity catch-up. This week...heavily influenced by some recent acquisition activity...they discuss Tenable buying CNAPP/CIEM provider Ermetic, a rewind to Cisco buying ITDR vendor Oort and a detailed discussion on the uncertainties surrounding Thoma Bravo adding ForgeRock to their stable. They also discuss the further rise of Identity Security and a recent release by Okta's Defensive Cyber Operations team on a recent attack.

This week the US Security and Exchanges Commission announced rules requiring organisations to handle cyber breach notifications, risk management and expert cyber personnel in a different way. Simon and David delve into the implications of this. Why have organisations been reluctant to notify on breaches historically? A lack of detection? A lack of incident response playbooks? A lack of expert personnel? What is the end goal of such regulation? What will success look like in the short and long terms? Clearly a move towards a more risk based approach is the ideal outcome but why has the market failed for cyber security? What are the three V's of threats?

This week Simon and David discuss the recent acquisition of Oort by Cisco, which finds them discussing the entire ITDR space - who is the buying persona and what problems will it solve? As always technology isn't always the answer and we mustn't forget the human element. They answer an audience question focused on Microsoft - and will they start to dominate the IAM space? They also remember the passing of hacking pioneer Kevin Mitnick.

This week there is a special guest on the podcast. Eric Olden CEO at Strata joins Simon for a discussion. They cover a broad and meandering set of topics focused on Eric's journey to being a multi-company founder (his first startup was at age 23..), contributing to the SAML specification and how he is now focused on identity orchestration at Strata. What is orchestration? Why is it needed and how the rise of the hybrid cloud landscape is here to stay. They deep dive into IDQL, identity integration recipes and how the rise of the AI co-pilot may save us all.

This week Simon and David took a meandering look at the last weeks most eye catching events in the world of identity. They had a quick recap of Infosec 2023 held at the eXcel in London, where the topic of data level encryption, data origin authentication and integrity caught Simon's eye. They discussed a recent vulnerability found in deployments on OIDC in the Microsoft world as uncovered by Descope called NOAuth - which essentially was caused by poor verificaiton of OIDC id token claims. They finished off by discussing the world of generative AI and how that is impacting the world of fraud, content, biometrics, misinformation and more...

This episode, sees The Week in Identity have another specialist guest: Bojan Simic, Co founder and CEO of passwordless specialists HYPR. Simon and Bojan delve into Bojan's story from being a computer science graduate to entering the security world pen-testing in New York and working with some of the world's largest financial services institutions. From there the inspiration to rid the world of passwords started to take hold...and ten years later, seeing HYPR as a leading passwordless authentication provider. The topic covers a range of fascinating subjects, from the perfect storm of FIDO, mobile biometrics and secure hardware storage, through to how to create strategies for mass passwordless adoption based on nudge-theory, gamification and stakeholder buy-in. They also cover success criteria, AI and what the future may hold for IAM...

This week Simon and David discuss the recent Identiverse conference as well the Gartner Security Risk Management summit that happened shortly afterwards. They delve into the world of passkeys (again), verifiable credentials and modern architectures and how we're moving to an industry education maturity model, where organisations are going beyond knowing what a technology is, to how to get started and derive value. They also discuss the concept of "minimum effectiveness" as it pertains to technology, expertise, friction and insights and that essentially having too much identity and access management "stuff" is often a precursor to complexity and failure.

This week Simon and David review the recent Heliview IAM Conference that took place in the Netherlands. The main topic for the day was the rise of the identity fabric (or mesh) and how this can enable the modern organisation with a range of agile IAM components that supports both business and security use cases. Simon presented a keynote on the future of IAM - using some research from The Cyber Hut focusing on where IAM may look like in 2028 and beyond... They also discussed the need for people, process and technology integration, in order to map the existing IAM landscape to future investment and metrics. They finish off by discussing the rise in cyber threat reports that have emerged in the past month that all have a very strong reliance on IAM - and why ITDR is a process not a product. Cyber Threat Reports: Joint Cyber Advisory: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection CISA Advisory: Hunting Russian Intelligence “Snake” Malware Permiso Security: Unmasking GUI-Vil - Financially Motivated Cloud Threat Actor