© 2026 Radiant Logic, Inc. All Rights Reserved.
In this episode of Radio Logic, host Anders Askasen interviews Simon Moffatt, longtime industry analyst and founder and CEO of The Cyber Hut, about the state of identity security. The two discuss how digital identity has become the number one attack vector, fueled by legacy IT, siloed systems, and an explosion in the number and types of identities enterprises manage today. Finally, they outline how CISOs and other security leaders can transform identity from a major risk into a major asset.
Anders Askasen: This is Radio Logic, the show about digital identities, the people behind them and the tech behind them. In each episode we'll cover what works, what doesn't, and what's next. Let's dig into it.
Hello, my name is Anders Askasen. I'm the Senior Vice President of Marketing for Radiant Logic, and with me today I've got Simon Moffatt from The Cyber Hut. Simon, tell us who you are.
Simon Moffatt: Simon Moffatt. I've been in the identity space about 25 years now, and I spend my time at The Cyber Hut, an industry analyst and advisory firm, tracking all of the exciting movements in the identity security space. So I'm thrilled to be chatting again with you.
Anders Askasen: That's going to be interesting, getting your input on some of the things that I'm working on daily.
Simon Moffatt: I think so. I love the fact that identity has grown into being such an important vessel in all of our lives, whether we are in tech or in the consumer space. Identity is just so important.
Anders Askasen: The thing is, Simon, if you look at identity, and we've both been in the industry about the same time, currently it is the number one attack vector; a lot of attackers exploit that, and it is a problem for organizations to deal with. From my perspective, we have all these different technologies tackling certain discrete parts of the identity problem, and there's really no coherency across them, nothing that ties them all together.
Simon Moffatt: It's true. But maybe you need to start a little bit earlier and say: you're absolutely correct, identity is the number one attack vector. So why is that? Why has it become the most lucrative way for the bad guys to steal data, steal credentials to then proliferate more attacks, steal PII, take intellectual property? Why has identity become this main point? I think it's been a gradual occurrence, but equally it's a sort of perfect storm of legacy technology, isolated and siloed security components, plus we just have more identities to manage. We have more staff, we have more contractors, we have zero-hours contractors, we have supply chain, we have federation, we have business partners, and then you have this consumer identity B2C space as well, which is proliferating. And we're a few minutes in, so we've got to mention AI.
Anders Askasen: I was about to say AI. You've mentioned all these different categories, but then you have these ephemeral AI agents that need access, and, at least from the pattern I'm seeing currently, they are more often being run as Simon, or run as an individual, and they kind of assume that type of privilege and that identity and go about making autonomous decisions based on some prompt. It's scary, right?
Simon Moffatt: You do. Hopefully we'll cover this later on in a bit of detail, but we've gone from service accounts in Active Directory, where the account was used to run the DNS or the DHCP service and it was like, right, well, we'll give that a strong password and we'll just forget about it, we'll just leave it in the corner to do its thing. Whereas now we have non-human identities, we have workload identities for APIs and other things. We haven't solved the human problem, we've not solved this NHI problem, and then suddenly we've got agentic AI, which has really only matured in the last 12 months and is still maturing. The analogy I heard was giving permissions and control to a toddler in its infancy. In 12 to 18 months it will evolve again. I mean, we need to solve it.
Anders Askasen: Obviously we at Radiant Logic have an opinion on what's the best practice for this, and we believe firmly that you need that identity layer under control. You need to make sure that you have all these different legacy silos, because there are a lot of them, right? If you look at a large enterprise, they have so many different legacy technologies and they've introduced SaaS applications, and it's about just bringing that under one roof. We have a holy trinity that we typically go to market with, and that's unify, observe, and act. Unify is really it; it follows that maturity cycle that we see with customers: let's bring everything under one roof, let's clean it up, let's correlate everything, let's make sure that we have everything under control. Is that a pattern that also resonates with you?
Simon Moffatt: It does resonate. From an inquiry perspective, we get asked a lot: where do we start? As a large or medium-sized enterprise, we know our identity world is under attack in various places, and it may not necessarily be under attack by the external adversary. It could be under attack by regulators, in compliance and audit, simply because you haven't, as you say, unified your systems. You have no visibility, you have no discovery, so you're getting attacked from multiple areas there. So organizations want to know: okay, I understand my identity world needs to be modernized. It needs to be fit for purpose. It has to deal with security, it has to deal with compliance. It has to be operationally efficient, cost effective. Where do I start? To me, the immediate ground zero is discovering what you have. What does your identity world look like? Which identities do you have? What's under management? What is not under management? Where are the identity systems located? So identity providers, sources of truth, if they exist, maybe they don't. What authentication factors are being used? Are they strong? Are they usable? Authorization. So you go through all of your pillars of identity components and discover that.
Anders Askasen: Yeah, what do you have? But that follows the pattern of many of the security frameworks, where you need to really get an understanding of what you have in-house, right? Whether it's devices, computers, servers, identities, whatever it is, you need to have a full understanding. I mean, the saying goes, if you can't see it, you can't manage it. That might sound cliché, but there's a point to it. But what's interesting, since you mentioned regulators, and obviously both you and I are Europeans: the Europeans love to regulate things, and we can see it from some of the initiatives that come out of the European Union, and obviously the UK government is looking at replicating them in one way or another. You have NIS2 and DORA, which all take the stance of let's get a grip on the resiliency and the cyber posture of critical infrastructure, the most important services in society. And you see there's actually demand in these regulations to get a grip on identity. So identity is on the table of the regulators as well.
Simon Moffatt: No, I think that's absolutely correct. Again, that's been a gradual shift, but equally it's part of a much bigger movement. If you go back a decade, when we were looking at things like Zero Trust: Zero Trust comes along as the brand new way of managing your networks, and there's this movement from physically secure private networks to "oh, we need to keep the bad internet at bay." That movement involves not just technology but funding and training, and where does your network security effort and budget go? I think as that has taken hold, the regulators and others suddenly look and say, okay, well, if the network isn't the problem, we need to look at what the most static anchor points are in this exchange of information. Identity is one, and a piece of data at the end of a transaction is the other. You have those two anchor points, and then you can start to build out security, control, audit, understanding and other things. I think that's been quite a mind shift. It isn't just about technology, it's about understanding: ah, okay, where is the risk in my organization? It will center around identity, of people and non-human.
Anders Askasen: And I guess if you go back, we both started our careers maybe 25 years ago in the identity space, and it was so much about just getting identities into a directory of some sort. I mean, I started back when it was, let's get the password file into NIS. And then it got upgraded to NIS+, and then LDAP came around, and it was a huge step, right? But now we see all these different LDAP directories are still around, and it caused that kind of static environment, but they all need to come together. And since you're mentioning Zero Trust, I'm interested to get a pulse on how that is actually being rolled out. Because the way that we see it is that we're a great provider of context. Since we have that identity layer, we can provide all the necessary information in real time for policy decision points, based on the fact that we have it all right there in the identity layer. And if you haven't started there, you have that identity sprawl with legacy directories all over the place. What's the current status, if you will, on Zero Trust?
Simon Moffatt: It's...
Anders Askasen: Because there's a lot of talk about it, right?
Simon Moffatt: It is. It's definitely been this buzz, and the migration to it, for a long, long time. I think my worry actually is that it's not sexy anymore. You go to RSA or the conferences and you walk around the exhibition halls and nobody talks about those sorts of things anymore. It's AI or agentic AI or LLMs or whatever. And the Zero Trust aspect, we all know this: it's a concept, it's not a product. It's about changing understanding about risk in general. And you hit on some really important aspects. Context is one. Zero Trust is all about context, and the more information you have, the better decision making you can achieve. And you're right, you talk about 15, 20 years ago: LDAP, your identity provider, your multifactor authentication provider, your policy decision points, they were all probably from different vendors. They probably didn't interoperate very well, and if they did, it was with so-called standards, SAML, SCIM, whatever, all implemented differently. There isn't a level of data flow and consistent data across those types of systems. So you typically have these mid to large enterprises: right, well, we've done strong MFA, we've got an identity provider, or probably several in some sort of federated model, we've got an IG product that's been there 10 years, we bought a privileged access management product which covers 8% or 10% of our key systems. Oh, and surprise, surprise, there's been a data breach, and it's like, well, how did that happen? So you have these pillars which are not connected, they're not joined. And it's about trying to move away from these isolated islands and trying to have something more conjoined.
Anders Askasen: But it's funny, because you brought it up, right? All the agentic AI stuff. Ultimately you kind of need Zero Trust in the agentic AI era. But if you're doing that with all these disparate components from different vendors, and there's nothing wrong with different vendors, don't get me wrong, it's just that there's a lot of legacy stuff and they don't necessarily talk together, and there is a lot of cleanup to be done if you're going to do this properly. How are you going to go down the agentic AI route and secure AI agents when you have that kind of landscape? I mean, what is the solution to that?
Simon Moffatt: There are some really good infographics and images online of the open source stack, which is becoming this huge software pile of things, and the thing which is holding up this complex middleware is some tiny open source library written by some guy who hasn't updated it in the last six years. And I worry hugely that many of the agentic and AI systems in general are sitting on top of legacy, but also just very, very risky, poor systems. That's a concern, because we haven't really sorted the human identity problems out, we then have NHI and workloads, and then we've got this stuff. Again, it's back to the toddler analogy: it's like giving the keys to the Ferrari to a four-year-old who hasn't quite figured out how not to bump into the table. So legacy's not going to disappear. There's definitely this easy aspect of kicking either legacy vendors or legacy projects or old stuff, and you can't get rid of that. Those technologies and projects were designed and purchased for the right reasons at the right time. You can't rip and replace that easily. So you have to think, okay, how can I augment this stuff? How can I improve it? How can I remove the risk? Maybe by having layers on top around data and context and being able to integrate. So you keep the foundations there as these big boulders, if you like, and you put concrete and cement in the gaps to allow the foundation to take something heavy like agentic AI, so you can start to adopt future-based systems. But it isn't an easy thing. It is about understanding your landscape, understanding where to start, discovering where your risk is, but then overlaying. And look, there are some really good data points. Many organizations have a clearly good, strong identity provider and authentication system. That's going to give you a good level of coarse-grained information. But you then need to augment that with, as you say, context, decision making, device information, threat intelligence. Once you start to join those together and create a fabric of data sources, it's much easier to identify risk and apply the right controls and respond to things. That's definitely a journey. It's not "download some software and make it happen," but I think it's understanding what you have, where's your risk, what is the strategy, what do you want to try and use identity for for the next whatever, two, three, four years, and then make those incremental steps to get there.
Anders Askasen: I think when the whole digital transformation started with cloud and SaaS services, the industry was kind of euphoric, thinking that everything would move into the cloud and all the problems would be solved. But the reality that I'm seeing when I speak to clients and customers is that, yes, they've been adopting certain services in the cloud, but at the same time they still have these legacy systems that both of us were playing around with 20 years ago. They're still around, right? And they're still serving as a very critical component inside the architecture at these companies or enterprises. But it's funny you say it; it seems like we all come back to the whole "you need to unify all the identities and create that identity fabric." And then I want to lift that maturity cycle, because once you've done that, you kind of need to track accountability. You kind of need to see what's going on. And given the fact that on top of a lot of CISOs' minds you have that threat surface reduction, mitigate risk: how do you actually do that? Because you need to look at what's going on with the identities. Are there anomalies, and how do you deal with that? And obviously there's a lot of buzz in the industry around ISPM, I... Walk me through these acronyms a little bit.
Simon Moffatt: Well, we definitely need more acronyms. That's definitely what the industry is lacking, I think, acronyms. Obviously not; we have too many acronyms. And it's complex. It's complex as an analyst, it's complex for the buy side, it's complex for everybody to understand what this really means. So I think with ISPM, identity security policy management, the good thing there is "security". If you look at identity in general, and again you go back 15, 20 years, identity was about productivity and compliance: single sign-on systems, governance, access requests, role-based access control. It was about giving staff efficient access to those systems in a compliant way. It wasn't really built for security. The joiner-mover-leaver process wasn't designed for it; retrospectively, security has become a conversation there, but it was never designed for this. So having security even in the identity conversation is brilliant, because again, 25, 30 years ago you had networks and then you got network security, you had data and then you had data security. So there's this evolution to saying, right, well, this identity stuff, oh yeah, actually this is quite important, because without it my business fails to function, fails to sell, can't go into partnerships, can't work with these products. So the security element is vitally important. So the posture aspect is saying, okay, well, you discover what you have. Is it safe? Is it secure? What does the hygiene of these identities look like? Should these identities exist? Do they tie back to a real individual? Do they have the correct permissions? Ghost accounts, stale accounts, excess policy. So it's all about doing that good hygiene washing.
Anders Askasen: But that also changes the original intent. When you and I started, it was much more about the operational side of things, making sure that you have access. The day you join a company you have access to A, B, and C, and the day you get promoted you get some additional access, and then at some point you retire, you leave voluntarily or involuntarily, right? The joiner, mover, leaver process. But now we're moving from that operational side to a more strategic side. We're looking at reducing the attack surface, we want to mitigate risk, we want to have control. And it's not only about dashboards. Dashboards are important, but ultimately you want to get results, right? That's what the CISOs are looking for. They're not looking for another dashboard. They want to make improvements to the security posture. And I think that's the real paradigm shift, going from the operational side of identity to the more strategic side.
Simon Moffatt: It absolutely is. As identity has moved from being tactical to strategic, it empowers the business to do a lot more things: absolutely improve security and reduce risk, absolutely improve productivity, but also help the business do more, sell more, share more. And it's not necessarily about getting online and selling something to a customer, but if your identity layer is operating effectively, it means your staff can work effectively.
Anders Askasen: So there is an operational efficiency.
Simon Moffatt: It's an agility aspect, right? It's an agility thing, but it's more tangible because it impacts the business. Say you make shoes, you sell shoes, and you think, oh, what's identity got to do with this? Well, yes, you've got the B2C external selling thing, but if your staff can share things with the correct people at the right time, you have supply chains to deal with, business boundaries to deal with, making sure the right people at the right time have the right access. It's a real business benefit. It allows the business to move faster, get products to market faster, work in partnerships, make acquisitions, respond to competitive threats. These are all business strategic things. They're not technical things. They allow the business to be successful. I think that is really where identity has suddenly become this central pillar, because it does interact with the data security world, it does interact with networks and endpoints, and it has become much more of an enabling technology. But back to your point, there are metrics of success there which have changed. It isn't just about, okay, how quickly can you gain access to a system or do single sign-on. It's about saying, okay, what's the coverage, performance and effectiveness of my identity world? That will include change: adding systems to my identity world, how long will that take? Do I understand the risk? Do I understand my coverage? What exposure do I have here? What number of stale accounts, excess permissions, et cetera? So you need to have discovery of what you've got, but then get into almost a secure running state of your identity world, which you essentially want to govern. You're not wanting to change that running state, but if you are going to change it, back to the hygiene point, you want to be doing that dynamically, cleaning and removing and processing based on the risk of the business. That, I think, is a real change. The metrics of identity are different. And the final thing I'd add: if the metrics are different, the stakeholders are different. There are different people involved now in the identity world, for sure. Not just the LDAP guy, which I was a long time ago, but many more people are interested now.
Anders Askasen: We all like LDAP and directories and all the rest. But to wrap things up, Simon, I'm sure there are a lot of CISOs tuning into this, and on top of their minds they're thinking, what can I do, concretely, to achieve these more strategic goals? What would you say as a final...
Simon Moffatt: A final...
Anders Askasen: Final...
Simon Moffatt: Wrap. Final half-an-hour wrap-up.
I think there are a couple of things. First of all, you need to understand identity is that key enabling technology. There's no cyber technology, data tech, endpoint tech that doesn't rely on identity. It just doesn't. It's a fundamental assumption that your identity layers are working effectively. So that is all about communication and effectiveness, understanding that identity is strategic. And then the second part, as I said earlier: understand what you have. Do that discovery exercise. What does identity look like in my organization? Where does it reside? What identities are we managing? What's manual? What's automatic? What's under compliance? What does it look like? And then from there, rapidly identify where that risk possibly is: manual processes, disconnected systems, systems which don't have MFA, all of the basic controls. And then from there you can look at visibility, looking at posture, ultimately looking at observability, and then looking at that runtime change. But identify identity as being strategic, work out what you've got, and then build a strategic roadmap.
Anders Askasen: I think you're spot on, Simon. And I think the regulators, with all these different initiatives that we mentioned, NIS2 and DORA and all the rest, are going to make sure that the budget is there for them to succeed. So, Simon, with that, I thank you very much for coming, and it was a real pleasure speaking with you.
Simon Moffatt: Not at all. Thank you.
Anders Askasen: Thank you very much, and we're looking forward to the next session. Thanks for listening to Radio Logic. Subscribe now wherever you get your podcasts.