Bridging Worlds: From MS-DOS Gaming to Cybersecurity Innovations

1 00:00:00
Speaker 1: How's it going, everyone?

00:00:01
and welcome to another security unfiltered podcast episode.

00:00:06
So today I got a really great episode for you.

00:00:09
It's with Orweiss from Permit IO.

00:00:11
They're doing some really revolutionary things in the

00:00:16
cloud and, you know, really helping revolutionize how we do

00:00:21
IAM in the cloud.

00:00:22
But I got a shout out.

00:00:25
This episode would not be possible without 10kmedia.

00:00:29
They did not sponsor the podcast or anything like that,

00:00:34
but it definitely wouldn't be possible without them.

00:00:36
They made this whole thing happen.

00:00:37
So you know, if you guys want to go ahead and follow their

00:00:43
page, hit up, you know, whatever their, their social media is

00:00:48
and give them a shout out.

00:00:49
So thanks, guys.

00:00:51
Hope you enjoy the episode.

00:00:52
How's it going, orweiss, it's great to finally have you on the

00:00:56
podcast here.

00:00:57
I think this thing has been in the works for a little bit now,

00:01:00
but I'm very excited to talk to you.

00:01:03
Speaker 2: And likewise the feeling is mutual.

00:01:04
Very excited to talk with you, joe, and I'm sure it's going to

00:01:08
be an awesome episode.

00:01:10
Speaker 1: Yeah, yeah, definitely, i surely hope so.

00:01:13
So you know why don't we start off with telling everyone how

00:01:18
you got into IT, what made you want to go down this security

00:01:23
path?

00:01:24
right, and you know, i start everyone off with this primarily

00:01:29
because you know it's helpful for my audience to hear

00:01:33
everyone's background right, because maybe there's someone

00:01:35
out there that's listening that is trying to make this jump in

00:01:40
IT.

00:01:40
They don't know if they can do this, right, they don't.

00:01:43
They don't know, if you know, they have what it takes, and so

00:01:47
it's always helpful, i believe, to hear someone else's story and

00:01:52
maybe it clicks with someone.

00:01:53
Maybe they say, oh wait, you know, maybe I do have a shot

00:01:56
with this.

00:01:56
So what's your story?

00:01:59
Speaker 2: Happy to share it.

00:02:00
I'm not sure if it's the best story for that particular

00:02:03
dilemma, but still happy to share it.

00:02:06
So I got into tech, i'd say at the age of five, basically when

00:02:13
people ask me there what I want to be, i for some reason already

00:02:16
told them that I want to be a software engineer.

00:02:18
And I got exposed to tech really thanks to my sister's

00:02:22
awesome and convinced my parents to buy a PC very early on,

00:02:26
talking like when PCs just started and like it was like a

00:02:31
286 I think, and like mostly through like playing games and

00:02:37
having to run them on MS-DOS, having to type in the commands.

00:02:41
I both learned English, which is not my first language, and

00:02:45
working with the command prompt and basically writing code, and

00:02:49
from there it's kind of escalated quickly.

00:02:53
The most significant jump in my career was going into my

00:02:57
military service in the IDF, was drafted into the intelligence

00:03:02
core, into a unit called AD 200, which is the kind of the

00:03:05
equivalent of the NSA, and there I went from like a silly script

00:03:09
kitty that has been like building websites and games and

00:03:12
stuff like that and maybe learning a little prologue and

00:03:16
stuff like that in high school and went into like becoming an

00:03:19
actual software engineer and that also really led me very

00:03:23
quickly into cybersecurity.

00:03:25
It's kind of in the job requirements when you're working

00:03:28
for the intelligence core security cybersecurity both in

00:03:34
how you write your own software and also in how you understand

00:03:38
the enemy's software was mandatory very early on, but

00:03:43
also very exciting and inviting very early on, so that gave me

00:03:49
both the motivation, tools and perspective on how to do secure

00:03:54
software development and that really led me very quickly to

00:03:59
where I am today.

00:04:02
Speaker 1: So I mean that that's maybe the most interesting way

00:04:06
that I've heard of someone learning English right is

00:04:09
learning learning it via MS-DOS.

00:04:12
I mean, how does that even?

00:04:13
how does that even work?

00:04:15
Can you talk to me about like that learning process, because

00:04:18
that's, that's very fascinating.

00:04:21
Speaker 2: Yeah.

00:04:21
So I'll say it's not the only input that I got for English.

00:04:25
Also, like TVs and movies and books were there as well.

00:04:28
But I think the most incentive was like, oh, i want to play

00:04:32
this game, so I have to type English on the keyboard to make

00:04:36
that happen.

00:04:37
So initially it's just copying off, like my sister would write

00:04:41
it on a piece of paper and I'd like copy the characters, not

00:04:46
even knowing what they mean, from the paper to the keyboard,

00:04:50
like to the screen, and with iteration, with the motivation

00:04:54
of wanting to run things and wanting to play these games, i

00:04:58
picked up the language.

00:04:59
I think the game like that's.

00:05:01
A little later down the road, like not at the age of five, but

00:05:04
like 10, 11, i think, i started to play civilization.

00:05:08
I think it was civilization two from Sid Meyers, and there,

00:05:14
like you have like full conversations with like the

00:05:16
different.

00:05:17
So it's a simulation of like running a country from like the

00:05:21
Stone Age up to modern times and you're you have to negotiate

00:05:25
with the AIs and it's like full on conversations.

00:05:29
And I remember like sitting down with initially with a

00:05:34
dictionary, a physical book, and later on with like a type in

00:05:38
dictionary that you can like a small separate keyboard that you

00:05:41
can type in.

00:05:41
Does the translation for you, and I picked a significant part

00:05:46
of my vocabulary from there and I think my vocabulary is still

00:05:49
pretty odd, like I sometimes use higher than needed language

00:05:54
because of that.

00:05:56
Speaker 1: Huh, that is.

00:05:58
I mean, that's really fascinating.

00:06:00
You know, like you kind of immersed yourself into the

00:06:05
language or that world of English just because you wanted

00:06:09
to play video games.

00:06:10
You know, i wonder how much of my own like language and

00:06:16
experience came from, just straight up, playing video games

00:06:20
, right, like, how much did I learn from playing video games?

00:06:24
because I mean, i was addicted when I was a kid.

00:06:26
I mean, you know, i still play video games today, i just don't

00:06:30
have enough time, right.

00:06:31
It's like that like meme, right , where you know all you want to

00:06:37
do when you're a kid is play video games, but you don't have

00:06:41
the money to pay for all the games that you want to play, and

00:06:44
then you get a job and you have all the money, but you don't

00:06:47
have the time.

00:06:49
Speaker 2: Yeah, it's one of the ironies of life.

00:06:51
I think, in general, there's a lot of things that we need to

00:06:54
learn about this around western civilization, especially as

00:06:58
we're coming into things that will really shake up the job

00:07:02
market, like machine learning agents affecting our jobs and

00:07:08
changes in the balances between the different echelons of

00:07:11
society, like there's the entire wage gap.

00:07:15
That is still, i think, a significant thing that we

00:07:18
haven't solved.

00:07:19
And also retirement, like if you take your story a step

00:07:25
further, by the time you get to retirement, where you can focus

00:07:28
on having fun, for example, it's not only that you don't have

00:07:32
the time, you don't have the physical capability, and that's

00:07:35
the thing, one of the saddest things and but I'm kind of

00:07:39
delighted, the end of the tunnel that I'm kind of looking at is

00:07:42
uploading ourselves to the cloud .

00:07:44
Hopefully that will solve everything or make everything

00:07:47
worse.

00:07:47
Will have to wait and see dilemmas or conversations on

00:07:52
futuristic dystopias.

00:07:54
I'm also running, in addition to permit them, running, a

00:07:58
podcast called command shift left and which is just for

00:08:03
engineers coming in talking about random facts for

00:08:05
developers, and we often find ourselves talking about

00:08:09
dystopian futures and and if we're in a simulation or not, so

00:08:14
for people that like that the check out command shift left.

00:08:19
Speaker 1: Oh, yeah, that's.

00:08:20
It's really interesting.

00:08:23
You know what you brought up with.

00:08:26
You know you, a lot of people wait for retirement to kind of

00:08:30
live their life that they wanted to live.

00:08:32
And I always stress it to people that you know you should

00:08:37
be, you know, enjoying your life , right, like while you can, i

00:08:41
mean it's.

00:08:44
I grew up with a lot of people that would say like, oh,

00:08:47
everything's gonna change when you're 20.

00:08:48
You know, everything's gonna change when you're 30 and 40 and

00:08:51
50, right, and you know, i got told by people that, like you

00:08:57
know, i wouldn't do certain like physical activities when I'm in

00:09:00
my 30s because everything is gonna change.

00:09:02
And like, to me, how my brain works is, you know, when I, when

00:09:06
someone says I can't do something or I won't be able to

00:09:08
do something, it's like all right, well, time to go do it.

00:09:10
Then, you know.

00:09:11
But it reminds me of when I was working for a large company and

00:09:18
one of my colleagues was I think he was at that company for

00:09:24
30 years just same company you know at for 30 years and he was

00:09:32
talking about, oh, i want to retire in five years.

00:09:35
And you know I was asking him like, oh, what are you gonna do

00:09:37
when you retire and whatnot.

00:09:38
And his face kind of lit up and he was talking about how he

00:09:42
wanted to travel the world and he had a list, and you know, of

00:09:45
all the places that he was going to go, all the food that he was

00:09:48
going to try, and I was like you didn't, like you know,

00:09:51
explore any of these locations, like while you were here.

00:09:54
I mean we give vacation time, like you have more vacation time

00:09:58
than probably anyone at the company, because it's all saved

00:10:01
up, like you never used it really, and you know he didn't

00:10:06
right and I'm like, well, what?

00:10:08
like?

00:10:08
what happens if you retire and something happens?

00:10:13
you can't go on your trip, you know, and his, his, he had no

00:10:17
response.

00:10:18
It's like man, this guy spent his whole life working for this

00:10:23
whole trip and I mean legitimately, he may not be able

00:10:26
to go on it.

00:10:27
Right, like you never know what's gonna happen, he may not

00:10:30
be able to go on.

00:10:31
It is disappointing, right.

00:10:35
Speaker 2: It's disappointing and it's scary, and I think the

00:10:38
scariest thing is how accepted and mundane these kind of

00:10:43
patterns have become.

00:10:44
It's like you're gonna do this one job, you're gonna do it for

00:10:51
this significant part of your life, and then you'll wake up at

00:10:54
the other end of the tunnel and most people don't even stop to

00:10:57
think about it, and And, and.

00:10:59
I think that creates a lot of frictions for society.

00:11:02
I also think, by the way, that creates a lot of friction for

00:11:06
security.

00:11:06
People are just going by the lines that are defined to them,

00:11:11
even if those lines don't actually meet the requirements

00:11:14
of their work or The security profile that they need from the

00:11:17
work, so that it fails twice.

00:11:19
One says You're limited in how you perform your job because of

00:11:25
silly security requirements that are like from ten years ago.

00:11:28
For, except the, my pet peeve is Requiring people to constantly

00:11:32
change their password.

00:11:33
Research has already proven that that's a bad idea.

00:11:36
It causes people to pick bad passwords and It causes them to

00:11:41
forget their passwords more often, and that just creates

00:11:44
more chaos.

00:11:44
So patterns like that create us , create situations where we're

00:11:49
both Have less performance in doing our jobs and we're less

00:11:54
secure, and in general, it creates Scenarios in our life

00:11:58
that are just as we just touch on now.

00:11:59
They're just sad.

00:12:01
It's such a shame Because we don't need to live in a box.

00:12:05
We can open our eyes, we can Investigate what we're working

00:12:09
on, we can find the Vulnerabilities and points and

00:12:12
change the existence.

00:12:13
That and we can make things better if, again, if we just

00:12:17
give it a chance.

00:12:20
Speaker 1: Yeah, you know, you brought up the passwords and I'm

00:12:24
still kind of blown away that in 2023, companies still don't

00:12:30
offer their employees a password manager.

00:12:32
You know, like, right off the bat, day one Hey, create your

00:12:35
password.

00:12:36
This is a secure solution.

00:12:37
Everything is going to be stored into here and then it

00:12:40
automatically just stores, you know, whatever passwords you

00:12:43
enter in and it'll automatically , automatically generate,

00:12:46
potentially even rotate, these passwords.

00:12:48
You know, so you're not worried about learning.

00:12:51
You know 30 different passwords .

00:12:53
You're concerned with learning one password and the way that

00:12:57
they salted and hash it and store it and all that sort of

00:13:00
stuff Secures that password, even if it's, you know, password

00:13:03
one, two, three, like one pass.

00:13:06
You know, like, i use that for my personal self and it's it's a

00:13:10
fantastic solution, but I I think that it's just it's Really

00:13:16
disappointing that companies are like not getting on board

00:13:19
with this basic, this, this basic thing.

00:13:23
Speaker 2: Software is evolving quickly, but the software that

00:13:26
we're running in our societies, our cultural software, doesn't

00:13:31
say doesn't get service pack updates as quickly as it needs.

00:13:34
You can also look at like if you continue that line, because

00:13:39
let's look at like the software that is running our bodies, it's

00:13:42
also very hard to update And that also causes a lot of

00:13:45
problems, including that a pet peeve that I have there is

00:13:48
backache.

00:13:49
Evolution hasn't really tweaked us Fully on to walk on to, so

00:13:57
our entire skeleton is kind of Head-ock patched for walking on

00:14:02
to.

00:14:02
So we get back pains very early in life and they stick with us,

00:14:06
which is very annoying.

00:14:07
And that's again all about the paces of updates of the

00:14:11
different layers that we work with.

00:14:12
And I don't know, i'm not sure, if there's a solution for that

00:14:18
again, except maybe uploading yourself to the cloud.

00:14:21
Then you have a new layer of software as a clean slate that

00:14:25
you can maybe Upgrade and update more quickly.

00:14:29
But I guess we'll have to wait and see.

00:14:33
Speaker 1: Yeah, i couldn't imagine trying to secure

00:14:36
something like the metaverse or Trying to put guardrails in line

00:14:41
, you know with with a service like that.

00:14:44
I feel like I feel like that's just an impossible task.

00:14:49
Speaker 2: It is a daunting one.

00:14:50
First of all, you you can rest assured that there are people

00:14:53
that are working on it, so we haven't really touched on permit

00:14:57
itself yet.

00:14:58
But my co-founder, or soft He worked at Facebook it's meta at

00:15:02
the time and he saw, for example , that they've invested a team

00:15:06
of 30 people for half a decade to build a level of access

00:15:10
control that they have.

00:15:11
Combining that with our own experience, that really taught

00:15:14
us that this is a huge problem.

00:15:16
That is that exists now.

00:15:18
I, for example, had rebuilt our access control to the product

00:15:22
in my previous company.

00:15:23
They work out five times Before .

00:15:26
The company was even three years old, and so in combining

00:15:29
those two, we realized it's a huge problem now But it's only

00:15:32
gonna get far worse, and so the bigger companies are working on

00:15:36
these problems, but they're coming for all of us, all over

00:15:39
all the software engineers.

00:15:41
Complexity is really is At the gates and I think it's becoming

00:15:45
very apparent.

00:15:45
I just come back.

00:15:47
I just came back from a A kube con in Amsterdam and I think,

00:15:52
without exception, not even a single company presented there

00:15:55
Didn't talk about, in a large language, model that they're

00:15:58
embedding into their software.

00:16:00
So and that, and thinking of that are you it's.

00:16:03
I think it becomes really easy to see where the complexity is

00:16:06
gonna really slap us In the face .

00:16:08
So if up till now, the users that we were getting access to

00:16:12
where human users working in their pace, it's becoming more

00:16:16
and more machine learning agents on behalf of machine learning

00:16:19
agents, on behalf of a long cascade of those on behalf of

00:16:22
humans interacting for software.

00:16:24
So now it's an AI agent that is interacting with the AI agent

00:16:30
embedding in our app and That's a lot of fuzzy logic for access

00:16:34
control and it's and it's right around the corner.

00:16:37
Right, we're already seeing these being embedded and the

00:16:40
problems and security vulnerabilities that will be

00:16:42
creating our Are are also becoming apparent.

00:16:45
So I think we're up for exciting times and even if we

00:16:50
can't wrap our hands around it No one's asking us it's gonna

00:16:55
happen and, and from my perspective, what we're trying

00:16:59
to do is provide the tools so people can Remove the cognitive

00:17:04
load, that they'll be able to focus on building the software

00:17:07
and they'll have something that they can pull off the shelf that

00:17:09
will, at least I help them carry this load as they're

00:17:13
meeting the complexity.

00:17:15
Speaker 1: Hmm, well, let's talk about permit IO.

00:17:18
You know, you guys, it sounded like you saw this issue in the

00:17:25
industry of managing, you know, roles and permissions and

00:17:29
whatnot, which I've done that myself And it's extremely

00:17:34
difficult to do on-prem.

00:17:35
It's pretty close to impossible in the cloud, especially if you

00:17:40
allowed your developers to get into the cloud before your

00:17:42
security team can actually, you know, look at the cloud.

00:17:45
It creates some very unique challenges.

00:17:48
That it's just.

00:17:50
It turns into an impossible spider web to untangle.

00:17:54
So what are you guys doing differently than everyone else?

00:17:59
that is, separating permit IO apart from the rest of the crowd

00:18:03
.

00:18:03
Because, you know, i feel like I feel like everyone does it a

00:18:07
little bit differently.

00:18:08
The value in this area is identified and companies are

00:18:12
definitely paying attention to it, but I feel like the ones

00:18:18
that make it, that make the engineers life easier, are the

00:18:22
ones that will stand apart.

00:18:25
Speaker 2: I definitely agree with that, and I think that's

00:18:27
the one of the key things that also puts us apart from all the

00:18:31
other players in the space.

00:18:32
So most companies you'll interact with in this space

00:18:35
they'll tell you something like you're an engineer, you like to

00:18:39
build amazing things right.

00:18:40
Here's building blocks, here's a policy engine like open policy

00:18:44
agent or Cedar from AWS or there's a bunch of other

00:18:48
languages.

00:18:49
Here's a policy engine and here's a bunch of APIs.

00:18:52
Go ahead and build your access control And, first of all, let's

00:18:56
realize what is access control.

00:18:58
So there's the decision making, there's the enforcement that

00:19:02
you need to embed as part of the software, and there's all the

00:19:05
interfaces and experiences around that.

00:19:07
In the end of the day, access control is how you connect

00:19:10
systems and people to what you've built.

00:19:12
So it's a lot of interfaces that you've used a billion times

00:19:15
and every time you use them, some poor schlep of a developer

00:19:19
had to create them from scratch.

00:19:20
So classic things like user management with the ability to

00:19:23
assign roles, api, key management, secrets, management,

00:19:27
audit logs So you can see what your customers did within the

00:19:30
system.

00:19:31
So your customers can see themselves what they did within

00:19:33
the system for their own compliance and regulations,

00:19:37
invites, approval flows, one user starts an action, another

00:19:40
user approves it, permission requests, emergency access, and

00:19:44
this list just goes on and on and on.

00:19:46
So instead of telling people oh here's some building blocks, go

00:19:51
ahead and build all of this.

00:19:52
We're saying something very simple Don't.

00:19:55
You don't have to.

00:19:56
If you want, you can, but you don't have to.

00:19:58
Here are all of these experiences ready off the bat.

00:20:01
Just plug them in focus on building your core software.

00:20:05
So it's really about empathy.

00:20:06
It's really about understanding what developers care about and

00:20:08
what they don't.

00:20:09
They care about building amazing technology, but their

00:20:12
core amazing technology, not just run on the mill stuff that

00:20:16
is not unique to any product, and I think that's maybe the

00:20:21
most important thing in what we do.

00:20:22
A key part of that is also embracing and connecting other

00:20:27
people.

00:20:27
So developers want to have this available, but they don't want

00:20:31
to be fine tuning it all day long, especially when other

00:20:34
people need to be able to participate.

00:20:37
So you want product managers to be able to work on policies.

00:20:40
You want security and compliance, obviously, to work

00:20:43
on it.

00:20:43
You want sales to and support to be able to affect this as

00:20:46
part of a product, and the list again here continues.

00:20:49
So it's not just about empowering the developers, it's

00:20:53
about enabling the developers to empower everyone else and be

00:20:57
the heroes of the story.

00:20:59
So, for that, one of the experiences that we've created

00:21:01
and maybe one of our call to fame experiences, is our policy

00:21:04
editor, which I like to say is an interface that a monkey can

00:21:08
use, or even a product manager, if they're smart enough By the

00:21:12
way, product managers are the ones that love the joke the most

00:21:14
, ironically And so you get an interface that you can delegate

00:21:19
to other people.

00:21:19
Everyone can chime in on the conversation, but it still works

00:21:22
with the best practices.

00:21:23
It still generates policy as code that gets loaded into your

00:21:27
Git repository, so you never lose control and you never lose

00:21:31
the best practices as a developer.

00:21:32
But you still don't have to do everything on your own and be

00:21:35
the bottleneck for the organization Every time someone

00:21:38
wants to add a role or make roles dynamic, or have an audit

00:21:42
log for a certain behavior or enable people to invite other

00:21:47
people on their own.

00:21:48
So we get those off the shelf.

00:21:52
And lastly, another differentiator that we have and

00:21:56
I think is also about developer empathy is being a policy engine

00:22:00
agnostic.

00:22:01
So most companies, when you go to them, they'll tell you you

00:22:05
got to use this policy engine.

00:22:06
It's the best because we built it, so it's the best right.

00:22:10
And I think that's really weird , because when I think about

00:22:15
developers, i think about a full arsenal of different ideas and

00:22:21
languages and tools that people want to use, and like saying, oh

00:22:24
, there's only one tool that you can use And that's the only one

00:22:27
that you can, is very weird.

00:22:29
Like different developers want different languages, different

00:22:31
tools aligned with different tasks.

00:22:34
So in permits, instead of saying, oh, here's another

00:22:37
policy engine and you have to work with that one, we're saying

00:22:40
let's just work with whichever policy engine you want, let's

00:22:43
have interfaces that generate it in different languages, let's

00:22:47
have generic adapters that allow you to and that's our open

00:22:51
source project, opal that allow you to connect to different

00:22:54
agents on the fly.

00:22:54
So understanding what developers want and giving it to

00:23:00
them in a way that meets the way they work, that's what

00:23:03
differentiates us from everyone else in the space, and I think

00:23:08
it's something that I'm very proud of and seems to be proving

00:23:11
itself.

00:23:19
Speaker 1: So is it a solution that already kind of builds out

00:23:23
these permissions and the roles, potentially even like

00:23:26
authentication methods for developers, of how their

00:23:32
application will work with storing secrets securely?

00:23:36
Is it building out these workflows automatically?

00:23:40
you kind of go into your solution and point out like I

00:23:44
want something that stores a secret, i want something that

00:23:48
rotates a password or creates this authentication mechanism.

00:23:51
Is that how it's interacting or integrating into the workflow?

00:23:57
Speaker 2: So there are three key components that you mix and

00:23:59
match.

00:24:00
There's a microservice for authorization, what we call the

00:24:05
policy decision point.

00:24:06
So that's a microservice ready to be embedded.

00:24:09
You can also consume it from our cloud, but for performance,

00:24:12
latency, availability and security, it's best to have it

00:24:16
as part of your app And it's based on your policy engine of

00:24:22
choice, like Cedar or Opa.

00:24:23
So we get that ready made for you.

00:24:25
You just plug that in.

00:24:26
And the other part is SDKs and plugins that create enforcement

00:24:31
points themselves.

00:24:33
The main flow is a function called permitcheck.

00:24:35
You're basically saying this is what's happening now.

00:24:38
This identity is trying to perform this action on this

00:24:41
resource.

00:24:42
So your application code can just describe what it's doing,

00:24:46
without going into the policy, without going into the decision

00:24:50
making.

00:24:50
So you can pepper your code with those very simple code.

00:24:54
You can do that for decorators, for the middleware, for

00:24:57
whatever suits your flavor of development, obviously, and that

00:25:00
would connect to that microservice for authorization.

00:25:02
And, lastly, you have the control plane and the interfaces

00:25:05
.

00:25:05
So you have the policy editor, so that on the fly you can say,

00:25:11
oh, i want this role and I want these resources, and I want to

00:25:15
say that these roles can perform these actions on these

00:25:18
resources and I want these conditions for attribute-based

00:25:22
access control, or I want these relationships for

00:25:24
relationship-based access control.

00:25:26
And you just create it quickly, either in code or on the UI for

00:25:32
less technical people or for just technical people that don't

00:25:35
want to dive into this because it's boring And it generates the

00:25:39
code for you and loads it on the fly to the decision points

00:25:44
in the application So it immediately updates.

00:25:46
So you have the ability it's many moments in time to work

00:25:49
through GitOps.

00:25:50
You're creating code, pushing it to Git And from there it's

00:25:53
automatically deployed via Opal to the live agents within the

00:25:57
software And that's basically it .

00:26:00
And maybe the last thing is the experiences on top, because

00:26:03
there's this foundation, event-driven foundation of

00:26:07
decoupling policy and code and creating clear structures,

00:26:11
resources and actions On top of it.

00:26:13
You can now apply interfaces on top, so you can apply the user

00:26:16
management.

00:26:17
So, oh, i have the concept of a role, so I can just assign it

00:26:20
to users.

00:26:20
I have the concept of a tenant.

00:26:22
I can put resources in that box and some users in that box, and

00:26:26
now I can say, oh, only you can , only these users and resources

00:26:29
can interact together.

00:26:30
So, yeah, and these will just work with the user management,

00:26:36
and with the tenant management, and with the approval flows and

00:26:39
with the audit logs.

00:26:40
Everything just emerges from the baseline that you embedded

00:26:44
into your software.

00:26:45
So, and you don't have to think about that, because the

00:26:47
abstraction just builds it out for you.

00:26:49
So that's the way it works.

00:26:52
You have an SDK, you have a microservice and you have a

00:26:55
control plane that gives you the experiences to embed into your

00:26:58
software.

00:26:59
Speaker 1: Hmm, that's interesting.

00:27:04
You know it kind of, in a way, it seems like it's working with

00:27:11
the developers rather than the developers working with the

00:27:14
solution, in terms of you know it's there to really you know,

00:27:20
immediately provide answers and solutions.

00:27:23
You know automatically within the application and really

00:27:26
limits you know the interaction right that the developers have

00:27:31
to go and create.

00:27:32
You know this authentication mechanism and we need to point

00:27:35
it to this IDP and things like that right, like that doesn't,

00:27:39
that doesn't exist with the solution.

00:27:40
So that's very interesting and it and it works across all

00:27:45
languages.

00:27:46
I assume, like it doesn't matter what the developer is

00:27:49
trying to work with it, it'll just work with whatever.

00:27:53
Speaker 2: So we have, first of all, it's Swagger and OpenAPI

00:27:57
base so you can always work with the API directly.

00:27:59
We have SDKs for basically every language, from Python to

00:28:03
Go, net, rust, java, elixir, even the esoteric ones.

00:28:08
We have SDKs ready.

00:28:10
It's easy to create more.

00:28:11
Yeah, you can then bake this into your software in the way

00:28:16
that's suitable for you.

00:28:17
In general, the balance that I love to adhere to when building

00:28:21
developer tools, there's this balance between how simple the

00:28:25
tool is and how powerful it is.

00:28:26
Obviously, the more opinionated and more simplified it is, it's

00:28:32
easier to use, but it takes away the power.

00:28:35
The balance that I like to strike is to have the power

00:28:39
always accessible.

00:28:40
You can choose, you can always dive into code.

00:28:43
You can always use the API directly.

00:28:45
You can always create interfaces, ui interfaces on

00:28:48
your own, but there's an opinionated layer that would

00:28:51
simplify it for you in 80 percent of the cases.

00:28:54
In 80 percent of the cases, you just throw it in and it works.

00:28:57
But for the other cases that you want, you're never limited.

00:29:00
You can always dive deeper and use the direct raw power as a

00:29:05
developer.

00:29:05
I think that's very important.

00:29:08
I think that's maybe what you were hinted at that this works

00:29:12
with the developers.

00:29:14
The developers are the ones that are going to decide what this

00:29:16
application is going to look like, how it's going to behave,

00:29:19
what are the policies and however people are going to

00:29:22
connect it.

00:29:22
That shouldn't change.

00:29:24
That's how software should be built by people that understand

00:29:28
it, but it doesn't mean that they have to build every new

00:29:31
concranny for every little thing in the software, or at least

00:29:35
not at once.

00:29:36
They should always have the option, but they should also

00:29:39
have the option to focus on the things that are actually

00:29:41
important at that point in time.

00:29:42
Let's face it when you're building an application, there's

00:29:46
a mountain of stuff to do and there's always the buy versus

00:29:50
build dilemma.

00:29:50
So you should be able to choose the right balance point for you

00:29:54
at each point in time.

00:29:56
That's why we also provide the solution, first of all, with a

00:29:59
very extensive free tier, but with usage-based pricing on top.

00:30:02
You decide how much you use as part of this.

00:30:05
This would grow with you and we're not like forcing you to

00:30:08
make all of the decisions that they want, because we understand

00:30:12
that as you build out software, requirements come in gradually

00:30:17
and the requirements change.

00:30:18
Your policy is going to change.

00:30:21
You're going to start with R back, and then you want to have

00:30:23
A back and you want to have Reback and you want to have ACLs

00:30:26
and you want to have a bunch of stuff.

00:30:27
But at the current moment in time you want something specific

00:30:31
and you should be able to tap into that specifically without

00:30:35
having to wreck your brain or wreck your budget just to get

00:30:40
started.

00:30:43
Speaker 1: Yeah, it's interesting.

00:30:44
Where do you see this solution going and growing into over the

00:30:50
next couple of years?

00:30:51
Obviously, you have the authentication mechanisms and

00:30:58
whatnot taken care of with the developers, But I feel like

00:31:04
there's a whole other side where it could potentially be used to

00:31:10
even audit current permissions within the environment and say,

00:31:14
hey, you don't use this for the last I don't know two years, or

00:31:18
something like that.

00:31:18
Speaker 2: Let's clean it up.

00:31:23
Speaker 1: Yeah, being able to maintain a healthy environment

00:31:27
in IAM as much as you can Do.

00:31:30
you also see where it's going, or is this something that you're

00:31:35
exploring and whatnot?

00:31:37
Speaker 2: So for sure.

00:31:38
First of all, i'd like to think that I know where this is going

00:31:41
.

00:31:41
I'm no profit, so take everything as saying with a

00:31:44
grain of salt, but I can tell you what I'm seeing and how I'm

00:31:47
perceiving it at least.

00:31:49
So, first of all, we're seeing that the complexity for software

00:31:53
is constantly rising and with it the complexity for the

00:31:59
authorization for that software.

00:32:00
So the software itself is becoming the most critical thing

00:32:03
that's already happened is the breakdown into the cloud and

00:32:06
into microservices.

00:32:07
Everything has become distributed.

00:32:09
So instead of having one big, huge chunk of software now, we

00:32:12
have a lot of small bits of software that we need to get

00:32:15
specific access to separately.

00:32:17
So that's one of the key things that we had to solve off the

00:32:20
bat.

00:32:20
So that's where those decision points come in, and the

00:32:23
granularity of both embedding it and enforcing it is very, very

00:32:28
important early on.

00:32:28
So that's something that's happening, already happened, and

00:32:31
we're in the midst of.

00:32:32
Next.

00:32:34
What's coming is complexity in the policy itself and how

00:32:40
dynamic it is.

00:32:41
So, as we're building more complex solutions of software,

00:32:45
what they do is becoming more dynamic.

00:32:47
So if in the past you had policies like just simple roles

00:32:52
like this user can do that, that user can do that and that's it.

00:32:55
Now a lot of applications have dynamic things like only users

00:32:59
that have paid for a feature can use it, only users that are

00:33:02
currently now in Europe can you do this action or work against

00:33:06
this server, only users that have this quota left can do this

00:33:10
action.

00:33:11
And these kind of dynamic behaviors that are to some

00:33:15
degree stateful, or at least have a stateful component that

00:33:18
is changing at the authorization layer.

00:33:20
That's becoming more and more commonplace because of the

00:33:25
requirements for compliance, because of the features that

00:33:28
we're building into the software and just because of the speed

00:33:32
of software that we're creating.

00:33:33
So that's really immediate next step and that's why we've

00:33:36
created OPL Open Policy Administration Layer as an

00:33:39
event-driven channel, because that's the only way you can meet

00:33:42
those challenges if your authorization layer by itself is

00:33:47
event-driven.

00:33:49
Next, what's coming and I've kind of already touched on it is

00:33:52
the complexity and speed of the components using the software.

00:33:57
So machine learning agents, automated agents, people using

00:34:02
the software with APIs themselves, like more and more

00:34:06
people, are becoming code savvy.

00:34:09
Even if they're not using code directly, they're using low code

00:34:12
interfaces.

00:34:13
If they're using generative AI to drive things automated for

00:34:17
them, they're using things like Zapier, that's becoming very,

00:34:20
very commonplace as well.

00:34:21
It's really around the corner, especially with the machine

00:34:23
learning agents themselves, and so the speed in which your

00:34:27
software is being used and the speed in which you need to check

00:34:29
permissions for is going to explode in the next year and a

00:34:33
half.

00:34:33
So that's something that's happening and with it is also

00:34:38
how you just reason around software.

00:34:41
So if before you had policies that were thinking about how

00:34:44
humans behave, now we need policies that are thinking about

00:34:48
how machine learning agents are behaving, and then you get into

00:34:52
that.

00:34:52
Okay.

00:34:54
So I've basically a policy that to some degree, especially if

00:34:57
I'm gating another machine learning agent component that

00:35:00
can be basically almost undeterministic or with having

00:35:06
significant random, pseudo random factors built into it.

00:35:09
So now I need my policy to also not be to be as flexible, to be

00:35:16
as undeterministic or as able to take in the randomness or

00:35:21
chaos on the other side.

00:35:23
So we'll be seeing machine learning agents becoming part of

00:35:28
the authorization layer.

00:35:30
By the way, in Facebook and Meta , which we have some visibility

00:35:35
into through my co-founder, they have this already today.

00:35:39
So, a lot of times, because of the complexity of the different

00:35:42
elements of software and the different people interacting

00:35:45
with it.

00:35:45
There's an AI agent making decisions on who can do what.

00:35:48
So, for example, it might this and they're in it's applying

00:35:53
complex conditions and complex organizational flows to make the

00:35:58
decisions.

00:35:58
So, for example, it will look at behavior and analytics.

00:36:01
Oh, you've been consuming more data than you usually do, or

00:36:05
you've been accessing data that usually don't.

00:36:07
This raises a flag And now, instead of just blocking you, it

00:36:12
can decide to throttle you, or it can decide to ask your team

00:36:16
lead if what you're doing makes sense, or to get another

00:36:21
approval by another element of software that exists.

00:36:24
So these are things that will also They're coming for everyone

00:36:29
, also sooner than what we perceive as later.

00:36:33
Lastly, is well, i think what do you touch down with the

00:36:36
behavioral analytics?

00:36:37
As this picture becomes more and more complex, as the audit logs

00:36:41
are becoming more vague, as the vulnerabilities, the surface of

00:36:46
attack the attack surface, sorry is growing, it will also

00:36:51
need more intelligent, more automated solutions to recognize

00:36:59
where things are going off beat , recognizing when users go

00:37:03
rogue, when machine learning agents go rogue, when machine

00:37:07
learning agents are being defrauded or being malused, all

00:37:14
of these things are very imminent As I see it.

00:37:20
I think they're a clear part of the upcoming future, and that's

00:37:26
basically just the tip of the iceberg.

00:37:28
By the way, what I think the very classic question is okay,

00:37:34
what are we going to do about this?

00:37:35
I think what we need to do about this is, first of all,

00:37:38
just cover our basics, because we haven't done that yet.

00:37:41
That's what we're trying to do with Parinaio, and to provide

00:37:45
interfaces that would make it approachable for everyone to

00:37:49
work on this problem.

00:37:50
By doing that, we can start to ramp up the conversation, but we

00:37:54
should start with crawling or walking before we're running,

00:37:57
and we need to get through to crawling and walking soon,

00:38:00
because we'll need to be in running pace very soon.

00:38:04
That's how I'm thinking about the future.

00:38:13
Speaker 1: Yeah, the AI agent or the machine learning component

00:38:19
of it, i find to be very fascinating.

00:38:21
I remember working with someone and I got on the call with them

00:38:27
for the very first time.

00:38:28
While we were troubleshooting an issue with some random server

00:38:32
in the environment, some calendar alert came up and said

00:38:39
log into whatever servers.

00:38:42
I'm on the security team, this guy's on the infrastructure team

00:38:45
.

00:38:45
I'm like what was that?

00:38:48
Because that looked really weird.

00:38:49
He said oh, we have this software in the environment

00:38:54
where if you do something out of your norm, it locks you out of

00:38:59
the system and it won't allow you to access it.

00:39:01
And I want to prevent that from stopping me to resolve issues

00:39:06
on these servers if something were to go down on the weekend

00:39:10
or whatever.

00:39:10
I don't want to wait for someone else's permission.

00:39:16
I was very in the middle on this , because what he's doing is it

00:39:23
wrong?

00:39:24
Sure, it's going against the security tools, security policy,

00:39:28
probably even.

00:39:29
But is he wrong for doing it?

00:39:33
He has good intentions behind it, but that also opens the

00:39:38
organization up to a greater insider threat situation where

00:39:44
this AI, this ML, whatever it might be, is learning like hey,

00:39:48
he logs into this critical server in the environment often.

00:39:52
Well, if he gets laid off or fired or whatever it might be,

00:39:59
and he just decides to go in there, that agent that was meant

00:40:02
to protect that sort of login is now allowing it when it

00:40:07
normally wouldn't.

00:40:08
It creates a difficult situation, i think, for everyone

00:40:15
in the organization, because security just wants what's best.

00:40:18
These other guys, they just want to do their job and they

00:40:21
want to be able to do it when they need to do it.

00:40:23
Yeah, it's like what do you do?

00:40:26
Where do you go from here?

00:40:28
Speaker 2: I think you've basically brought us full circle

00:40:31
, back to the mini conversation we had about passwords.

00:40:34
If you're creating security culture that people can't work

00:40:41
with or can't relate with or can't understand, that's bad

00:40:44
security culture.

00:40:45
Even if you're covering all of your bases, you'd fail in your

00:40:49
job, because people will always adhere to norms and not laws.

00:40:54
People will always find a way to make things work for them.

00:40:58
By making it harder and missing the point, which is enabling

00:41:02
the organization to work, you basically shoot yourself in the

00:41:05
foot.

00:41:05
I don't think anyone should be blamed here.

00:41:10
I'm not blaming that engineer and I'm not blaming the app sec

00:41:13
people that created that situation But we need to

00:41:17
recognize such, basically vulnerability points in our

00:41:21
security culture and build the tools the right way that provide

00:41:26
both the security and the enablement to work that the

00:41:30
organization needs.

00:41:31
There's actually another classic story that I have from

00:41:36
my Ministry of Defense days.

00:41:38
Without going into the raw details, there was an air gap

00:41:43
network, a very highly secure air gap network that was created

00:41:47
for a very important project.

00:41:50
In order for that network to work with other solutions, they

00:41:55
created a data loading solution.

00:41:58
There was basically stations where you can bring in whatever

00:42:04
you need from external sources and it will go through protocols

00:42:07
and scans and all the right things that you need to load the

00:42:12
data in a secure fashion.

00:42:13
On the surface, this looks great.

00:42:17
We have a fully air gap network .

00:42:18
We have specific nodes where we control data entry and we can

00:42:22
limit things with our policies and with our scanning and our

00:42:26
security tools.

00:42:28
Problem was that those work nodes, those stations to upload

00:42:33
the data they were great, they were top of the line, but they

00:42:36
were slow.

00:42:37
They covered all of the bases for security, but they were

00:42:41
super annoying to work with because you load in the data and

00:42:44
you'd have to wait hours to get the result.

00:42:47
On the other side, people being people, some of them said this

00:42:52
is just like a small thing that I need here.

00:42:54
It's like a small text file.

00:42:56
There's no reason to wait hours now to go forward.

00:43:02
They found a loophole and they plug it in in a separate way.

00:43:05
I can tell you there was a matter of time until really

00:43:13
dangerous malware was exposed to the network itself and

00:43:18
infecting critical spots of it.

00:43:19
Again, people doing it, they didn't have bad intentions and

00:43:26
they weren't aware of the risk of what they're doing, and so I

00:43:31
really think the problem there is not just people circumventing

00:43:35
things, it's around creating situations where people don't

00:43:39
need to circumnavigate things.

00:43:41
And, yeah, i think it's like the cultural aspect, or the

00:43:46
human aspect, is probably the most challenging part of doing

00:43:50
security.

00:43:53
Speaker 1: Yeah, that is, that's for sure.

00:43:55
You know, and I feel like one of the things that can separate

00:43:59
you and your career is actually your soft skills of how how you

00:44:04
handle those difficult situations.

00:44:05
How you handle, you know, interacting with people,

00:44:08
regardless of their team, their status within the organization,

00:44:13
and you know all those things matter.

00:44:15
It reminds me of a time when I was working for a company that

00:44:20
you know did a very similar thing.

00:44:22
They tried to air gap, basically, their critical

00:44:26
servers and their security, you know, servers like the control

00:44:31
consoles, right from everything else.

00:44:33
The only issue was that they did it in such a way that made

00:44:41
it extremely arduous, very difficult for even authorized

00:44:45
users to log into that environment, to even just deploy

00:44:48
patches.

00:44:48
It was a very difficult task, and so when I took it on, we

00:44:54
were two years behind on patches and people were still telling

00:44:59
me that it was secure because no one can access it.

00:45:01
I'm like, yeah, well, you think one.

00:45:04
You think that no one can access it from the outside

00:45:06
because people have trouble accessing it from internally,

00:45:11
but that's not a reason not to patch, you know, and doing some

00:45:16
deeper digging, of course, the teams that were tasked with

00:45:20
actually patching it, you know they didn't want to work with it

00:45:23
.

00:45:23
They literally told me they're like.

00:45:25
You know, we have a change window and within that change

00:45:28
window we have to be logged in, patched and done and the server

00:45:31
needs to be rebooted.

00:45:32
Well, we don't even have enough time to literally deploy the

00:45:37
patches before we have to re-log in and do this whole process

00:45:40
again.

00:45:41
It took them 20, 30 minutes sometimes to log in to the right

00:45:46
place and just start the work And then at times out after a

00:45:50
certain amount of time, and they didn't want to deal with that.

00:45:53
And I don't blame them, i don't want to deal with that either.

00:45:55
So, you know, it kind of became like my personal mission at

00:46:00
that company to kind of dismantle this thing.

00:46:03
But it was an interesting challenge because the person

00:46:09
that created it was retiring and I don't know what it was like

00:46:13
90 days or something like that And so it was like, okay, i kind

00:46:17
of have to maybe design this for 90 days because I don't want

00:46:21
to, you know, completely destroy like his life's work at

00:46:24
this company, at least not in front of him, right, like?

00:46:30
Speaker 2: by the way, my general opinion is that air gap

00:46:34
is a pointless effort, especially as the speed of

00:46:41
technology accelerates, like the speed in which we're

00:46:44
discovering vulnerabilities is constantly increasing, and so

00:46:48
your ability to catch up when you're disconnected is gradually

00:46:54
becoming irrelevant.

00:46:55
And by becoming so, by air gaping, you're basically making

00:47:00
yourself more vulnerable as opposed to being more, as

00:47:04
opposed to being less, vulnerable.

00:47:05
So I really think that air gap networks are pointless, aside

00:47:11
from like very specific situations or very like when you

00:47:16
can completely connect it, like seal it in concrete, lock it

00:47:21
out from the outside world, like it's like a bunker that needs

00:47:24
to run on its own for a while.

00:47:26
Those are maybe the exception, and even there I'm not that sure

00:47:29
.

00:47:29
Other than that, you're using air gap solutions.

00:47:33
You're mostly doing your security at this service.

00:47:35
That's my opinion, and I think what really makes it apparent is

00:47:40
when you think about the cost effectiveness of your defense

00:47:44
versus the attackers or offenders.

00:47:48
For most, not that significant attackers like your just, let's

00:47:57
say, corporate espionage or just run in the mill, rent somewhere

00:48:02
, stuff like that they're not gonna waste their energy anyways

00:48:06
on targets that have high security profiles, that have the

00:48:11
ability to build significant modes and protect their networks

00:48:13
.

00:48:13
It's a waste of time And for them they have easier targets.

00:48:20
So you already have the capabilities and budget.

00:48:25
If you're building an air gap network, you already have the

00:48:27
capabilities to fend these off rather easily, or at least

00:48:30
contain them if the things go all right.

00:48:34
The folks that you are trying to protect yourself are basically

00:48:38
the nation state attackers.

00:48:39
Those are the ones that usually you're trying to use an air gap

00:48:43
network to protect yourself And for them it's meaningless.

00:48:47
Like we can look at the things like they're in our public, like

00:48:51
Stuxnet and Olympic Games, It's really easy for an actor like

00:48:56
that to.

00:48:57
It's super simple.

00:49:00
It's literally getting something across the smaller gap

00:49:04
.

00:49:04
It's literally how they think about it, and so it's basically

00:49:10
pointless against the only kind of attacker that this might be

00:49:14
relevant for.

00:49:15
So there doesn't exist a cost-effectiveness point, an

00:49:20
equilibrium point, where it would make sense.

00:49:22
I think that's the best argument that I can put on the

00:49:27
table against dismantling air gaps.

00:49:33
Speaker 1: Yeah, with all of the different developments that

00:49:36
have been happening, air gaps are kind of they're laughable,

00:49:41
right.

00:49:41
They're kind of more for show than anything else at this point

00:49:44
, because when you say that you're airgapping a system, you

00:49:50
make it sound like nothing else can access it, like it's just

00:49:54
gonna run forever right, there's gonna be no issues that ever

00:49:58
occur, because software runs perfectly every time, right.

00:50:00
But as soon as you start diving into the architecture of the

00:50:07
air gap, they're like it would always come back to oh well,

00:50:11
windows updates, it has to have access to Windows updates, it

00:50:14
has to have access to Rapid7 or whatever it is right, and all of

00:50:19
those things are in the cloud And it only communicates one way

00:50:22
, allegedly right.

00:50:23
But that's not how it works.

00:50:24
It communicates two ways, right , and you start diving into it.

00:50:31
And even if you manage to put all that behind an air gap and

00:50:35
it was actually secure, there's always the insider threat.

00:50:38
There's always the guy that is making minimum wage, that has

00:50:44
access to this room that he probably shouldn't have access

00:50:47
to, and all they want him to do is plug in a USB into a random

00:50:52
server for $10 million, like now .

00:50:58
We're talking Well, or I really appreciate you coming on.

00:51:01
I think that we are just about out of time here and I'm trying

00:51:04
to be very cognizant of your time.

00:51:06
So before I let you go, how about you tell my audience where

00:51:10
they could find you if they wanted to reach out and where

00:51:12
they could find permit?

00:51:14
Speaker 2: IO.

00:51:14
Yeah so, for starters, finding permit IO is as easy as typing

00:51:20
permit IO into your address bar And when you get there, on the

00:51:24
top right there's a Slack icon.

00:51:25
So if you go there, that brings you into our large open source

00:51:30
and SaaS community and you can DM me there directly.

00:51:33
My name is Orwais O-R-W-E-I-S And with those characters you'll

00:51:38
also find me on LinkedIn and Twitter and GitHub, And I

00:51:41
encourage you to reach out.

00:51:42
I always love talking to fellow engineers and security

00:51:46
practitioners.

00:51:47
Come talk to me about what you're building, about your

00:51:49
security challenges, about your startup.

00:51:52
I always enjoy that And I don't think I've ever not enjoyed or

00:52:00
not welcomed someone reaching out.

00:52:01
So please do that.

00:52:03
And, yeah, I'd love to talk to all you folks.

00:52:06
Awesome.

00:52:08
Speaker 1: Well, thanks for coming out, or?

00:52:10
I really enjoyed our conversation.

00:52:11
I wish it could have gone longer, but you know, all good

00:52:16
things must come to an end, or something like that, right?

00:52:18
Well, thanks everyone.

00:52:19
I hope you enjoyed this episode .