The 52nd Edition of the Identity Jedi Newsletter


Wednesday 9/13/23 - Identity Jedi Newsletter

Hey Jedi welcome to the 52nd edition of the Identity Jedi Newsletter. ONE FULL YEAR of Identity news, updates, rants, reports, and everything! We did it!


And I seriously cannot thank you enough. Whether you’ve been here for all 52 or this is your first edition, you are a part of this community, and I appreciate you!

Sponsored By

Bullet-proof your cloud IAM and ensure rapid recovery with Acsense.

Let’s Get to the Good Stuff!

  • The Newsletter: The Full Story

  • The State of the Identity Attack Surface

  • Identity and APIs..we should talk

The Newsletter: The Full Story

Just over a year ago, I received a text from my friend Lance about starting a daily newsletter. When I first saw it, my immediate response was “no fucking way”. There was no way I would have the time to do a newsletter, let alone a daily newsletter, and about identity? No fucking way. There’s not even enough news to support that.

He says, ok fine..weekly. But the point is you should do one.

I said, I’d think about it.

I didn’t.

Well, not really. You see, what Lance didn’t know is that I was already thinking of doing a newsletter; however, I couldn’t quite find the right platform to do it on. Yeah, there was Substack, Medium, LinkedIn, etc..but they didn’t quite have the format I was looking for. So I told him, if I’m going to do a newsletter, I want it to be like Morning Brew. It was the best newsletter I had read, and I loved the format and the referral program. I had been researching like crazy to figure out how they did their referral program. (It turns out they built it from scratch, which I didn’t have the time or money to do myself.) So a couple of weeks go by and then Lance sends me a link to Beehiiv. It’s a newsletter platform built by one of the guys from Morning Brew.

It was perfect!

The referral program was built into the platform, and all I had to do was write content and schedule it. It was like the Force was guiding me in the right direction. (C’mon, you knew there had to be a reference in here, right!!)

So the platform was selected; I even got them to give me an extended trial of the pro version. Benefits of getting in early with a startup company. Now the question was..what the hell was I going to write!?

Second question: Who the hell was going to read this every week?

“Imposter syndrome enters the chat”

It’s a funny thing to question every level of success you’ve ever had in your life, but it happens, and it was happening to me. I didn’t think people would actually want to hear from me. I didn’t think there was enough of a “market” to market this newsletter to. And the biggest one,

I didn’t want to fail.

No one wants to throw a party and have no one show up.


Then I remembered it was all about perspective..or as some would say a “certain point of view”

So I said I’m just going to create it, and tell as many people as I can about it, and we’ll see what happens. I won’t try to make it perfect, I’m just going to make it. So I wrote the first one, sent out the link and waited…

30 people signed up…

and then 60…

and then 100….

(Holy shit..this thing is growing!)

and then 200…

At this point, it’s people I don’t directly know. Referrals are coming in, one subscriber alone has put in over 50 referrals.


This small thing that was an idea grew into a community. Grew into a place where people were getting value and were excited when it hit their inbox.

And now here we are today. 52 editions later. We’ve got sponsors, 650+ subscribers, and a growing community blog section, and I don’t plan on slowing down. I still want to hit 1,000 subs by the end of the year, and I’m confident we’ll do it.

So THANK YOU Jedi for subscribing, for reading, and for being a part of this. It’s only the beginning. We’ve got so much more to do!

The State of the Identity Attack Surface

Another report with some interesting stats to nerd out over! Those of you who’ve been here a while know I LOVE THESE.

Juicy Stats:

  • Over 80% of organizations have experienced an identity-related breach that involved the use of compromised credentials. Almost half of organizations experienced such a breach in the past 12 months.

  • Only 5.7% of organizations have full visibility into their service accounts. Very few organizations have full visibility into the activity and usage of their service accounts, while 62% only have partial visibility.

  • 73.4% of organizations struggle with getting their PAM solutions fully onboarded and working. Many organizations have encountered difficulties in their PAM implementation, causing progress to halt. Most know what to do but are too resource constrained to move ahead.

Ok..soooo a majority of organizations have been breached due to compromised credentials, a minuscule number of organizations understand how many service accounts they have, and most organizations are struggling to manage access to the most sensitive accounts they have.

That’s promising…

The article below sums it up rather nicely. Shit is broken. And we keep applying the same techniques and tools. Now, this is posted by Silverfort, and vendor blah, blah, blah. Looking past their bias and their need to talk about this information, the reality is we aren’t getting better at this.

Or we aren’t tracking the right metrics to show that we are getting better. Identity in the early days shied away from the typical security metrics and focused more on the administrative: “Provisioned X amount of accounts,” “Reduced time of access from weeks to minutes,” etc, etc. But if we are going to call ourselves “security,” then we’re going to have to own some of these metrics.

Food for thought.

Identity and APIs..we should talk

I came across a stat the other day.

80% of the internet traffic is APIs

Eighty percent. Eight-ZERO

No clue if this stat is real or not, but it got me thinking, even if it’s half of that. Nothing about APIs is tracked in identity systems. We have products galore that handle inventory of and access to APIs. But how are we tracking the fine-grained access that’s granted? If a large percentage of the traffic is done via this medium, shouldn’t we have some visibility into the entities that are using it?

Or am I just talking logic and sound thinking again?

And while I don’t want to be the guy that says hey here is yet another thing you need to keep track of…

It’s kind of another thing that you need to keep track of.


Like, let’s think about the anatomy of a data breach for a second.

Step 1) Corrupt an application to get me access to your network.

Well, if a large percentage of web traffic is APIs, which are a public interface into an application, then that’s where I’m going to target.

Step 2) Use that application to get credential access.

So, either through the service account that’s running the app (because it is using a service account, right…..right!?) (which, by the way, based on the study above, you don’t even know exists in your network, but I digress), I use the corruption of the API to get access to data or your network.

Step 3) Keep the door open.

It’s not enough just to have access to your network; I need to stay there for a long time so I can do my dirty work. So what I do is set up a backdoor into the application and keep it open. That way, whenever I want back in the network, all I have to do is reach out via that backdoor. And I’m back into your network again.

I feel like we should be seeing more integration between API products and identity systems.

Am I crazy?

It’s time to party!

Oktane 23, the Party Bus Returns!

Our friends from Acsense are back with another party bus, and this time, it’s in San Francisco during Oktane! Of course, I’m always looking out for you Jedi so click the button below to secure your seat on the bus!

Identity Jedi Show Podcast


Season Two of the Podcast ✅ 

Special Guest Host ✅ 

Book Signing ✅ 

If you are anywhere near the Austin, TX area YOU DO NOT WANT TO MISS this event. Come hang out with me and a slew..that’s right a slew of special guests for the first EVER live taping of the Identity Jedi Show Podcast. Hit the link below, get your tickets, in the words of Tom Brady


The Last Word

Once again, I want to thank you for reading, for subscribing, and all the support you’ve given me over this past year. It’s been an absolutely amazing journey in building this. Thank you to everyone who’s contributed to the Community Blogs, thank you to all the sponsors, and thank you to my premium subscribers!! I’ve got something special for you later this week. I feel like an awards show, I just know I’m going to forget

Anyway, I love this industry, I love making this newsletter and here’s to another year, more subscribers, and making an impact.

Thank You,

Love you all!


Be Good to each other, Be Kind to each other, Love each other

-Identity Jedi
