The 53rd Edition of the Identity Jedi Newsletter

California Dreaming, when a breach isn't a breach, and a rant..because...yeah

Wednesday 9/20/23 - Identity Jedi Newsletter

Hey Jedi, welcome to the 53rd edition of the Identity Jedi Newsletter. As we embark on year two of the IDJ newsletter, let’s kick this off with a bang! This week, we talk about breaches that aren’t breaches and why we need to do a better job of defining what identity security is. Grab your glass of water; we are about to get spicy 🌶️

This newsletter is brought to you by the wonderful state of California. Tacos, sunset, and waves. I ❤️ it here. 

Sponsored By

Bullet-proof your cloud IAM and ensure rapid recovery with Acsense.

You share, I give! Don’t forget about our referral program. Share the newsletter, get free stuff!

Let’s do this differently.

No sales pitches, no talking AT you, but talking WITH you, and most importantly…listening TO you.

Join me and the folks for S3 in Austin next month as we get real about what’s failing with identity. And we’ll talk about the future of identity…today!

Space is limited and filling up fast, so hit the link and secure your spot.

Let’s Get to the Good Stuff!

  • When a breach isn’t a breach

  • Spicy Tuesday

  • The problem is the password

MGM “Breach”


Ok let’s talk about this. Just reading the headline below would lead you to believe that the “breach” that happened at MGM recently had something to do with Okta.

But in fact, it didn’t.

And I would say it wasn’t a “breach” at all.

reported a consistent pattern of social engineering attacks against their IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all MFA factors enrolled by highly privileged users.

If I convince you to give me access to your bank account, is that a breach? I didn’t break anything or take advantage of a gap in a product. I used the proper credentials to get access. What I do with that access may not be legal, but that’s a different story.

My point here is that no product can protect against everything. How often have we said security is about People, Process, and Technology? However, as soon as something goes wrong, what do we see:

“If customer X had Y product installed…”

“Here’s how we at Blah Blah, Inc would have..”

The truth: it doesn’t matter what the product is if the attack vector is the people or the process. In this case, that meant convincing the IT staff to reset MFA factors on a privileged account. So FOR THE LOVE OF GOD, why do we keep doing the same thing, knowing that it ends in the same result!?

Bottom line: This wasn’t an Okta problem, this wasn’t a breach. This was a hustle.

Spicy Tuesday

Ok so nobody told me that Tuesdays were Spicy post day. But I am absolutely here for it! I say we make it a thing. #spicyTuesday.

Here’s a post from Richard Bird yesterday telling some truths.

The problem is the password.

A pretty good article with quotes from some different execs from “security” companies. I agree with the premise, passwords aren’t enough, we need to move to something stronger, better, etc.

My only nitpick is how?

Let’s talk about how to get off passwords. What are the steps we need to take to reduce the reliance on passwords? I’m seriously asking. While this is a good read, let’s all of us together create a better one. So I want to hear from YOU, Jedi. Read this on the web and leave a comment (if that doesn’t work, just reply to this newsletter) and let me know your thoughts on how we can take real steps toward getting rid of passwords.

It’s time to party!

Oktane 23, the Party Bus Returns!

Our friends from Acsense are back with another party bus, and this time, it’s in San Francisco during Oktane! Of course, I’m always looking out for you Jedi so click the button below to secure your seat on the bus!

Identity Jedi Show Podcast


Don’t miss it, come hang out and have a good time and help us kick-off Season TWO! of the Identity Jedi Podcast! AAAND get a signed copy of the book as well. YOU DON’T WANT TO MISS THIS

Get your tickets!

The Last Word




Stop. Pushing lies.

Don’t believe half of the shit you read this week about products that would have “helped” with the MGM breach. Don’t fall for the clickbaity headlines, and think that this was a fault in a product. You wanna know what really happened?

Google Rachel Tobac.

We’ve GOT to get better around this stuff. The problem is how we think about all of this. We think security is a band-aid. That it’s a magic potion that makes everything better. We talk behind adjectives, and big words, and say absolutely nothing at all. So let me be clear:

1) Identity Security is a MARKETING TERM

2) Identity products are ADMINISTRATIVE TOOLS, and ADMINISTRATIVE TOOLS aren’t designed to STOP anything; they are designed to make tasks easier

3) The answer is to train your PEOPLE and develop your PROCESSES to utilize TECHNOLOGY. YOU HAVE TO INVEST IN ALL THREE.

I’m done ranting….for this week.

Be Good to each other, Be Kind to each other, Love each other

-Identity Jedi
