Ever wondered how someone develops a passion for IT and cybersecurity? Join us for a captivating conversation with Or Weiss from Permit IO, as he takes us through his incredible journey into the world of technology and security. You'll be amazed at how he learned English by playing games on MS-DOS and how his experiences have shaped his vocabulary.
As we explore the challenges of software engineering security, we discuss the limitations imposed by mundane security requirements, such as constant password changes, as well as the difficulties of securing complex systems like the metaverse. Or Weiss also shares valuable insights into AI agents interacting with humans and each other, a complexity that will continue to grow in the future.
Discover how Permit IO is revolutionizing access control and empowering developers to streamline the process of connecting systems and people to their projects. Learn about the importance of user management, API key management, secrets management, and more. We also delve into the future of software authorization and the complexities of software security, providing a comprehensive understanding that will leave you well-equipped to tackle these challenges head-on. Don't miss this insightful episode!
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: How's it going, everyone?
00:00:01
and welcome to another security unfiltered podcast episode.
00:00:06
So today I got a really great episode for you.
00:00:09
It's with Or Weiss from Permit IO.
00:00:11
They're doing some really revolutionary things in the
00:00:16
cloud and, you know, really helping revolutionize how we do
00:00:21
IAM in the cloud.
00:00:22
But I got a shout out.
00:00:25
This episode would not be possible without 10kmedia.
00:00:29
They did not sponsor the podcast or anything like that,
00:00:34
but it definitely wouldn't be possible without them.
00:00:36
They made this whole thing happen.
00:00:37
So you know, if you guys want to go ahead and follow their
00:00:43
page, hit up, you know, whatever their, their social media is
00:00:48
and give them a shout out.
00:00:49
So thanks, guys.
00:00:51
Hope you enjoy the episode.
00:00:52
How's it going, Or Weiss? It's great to finally have you on the
00:00:56
podcast here.
00:00:57
I think this thing has been in the works for a little bit now,
00:01:00
but I'm very excited to talk to you.
00:01:03
Speaker 2: And likewise the feeling is mutual.
00:01:04
Very excited to talk with you, Joe, and I'm sure it's going to
00:01:08
be an awesome episode.
00:01:10
Speaker 1: Yeah, yeah, definitely, I surely hope so.
00:01:13
So you know why don't we start off with telling everyone how
00:01:18
you got into IT, what made you want to go down this security
00:01:23
path?
00:01:24
Right, and you know, I start everyone off with this primarily
00:01:29
because you know it's helpful for my audience to hear
00:01:33
everyone's background right, because maybe there's someone
00:01:35
out there that's listening that is trying to make this jump in
00:01:40
IT.
00:01:40
They don't know if they can do this, right, they don't.
00:01:43
They don't know, if you know, they have what it takes, and so
00:01:47
it's always helpful, I believe, to hear someone else's story and
00:01:52
maybe it clicks with someone.
00:01:53
Maybe they say, oh wait, you know, maybe I do have a shot
00:01:56
with this.
00:01:56
So what's your story?
00:01:59
Speaker 2: Happy to share it.
00:02:00
I'm not sure if it's the best story for that particular
00:02:03
dilemma, but still happy to share it.
00:02:06
So I got into tech, I'd say at the age of five, basically when
00:02:13
people asked me then what I wanted to be, I for some reason already
00:02:16
told them that I want to be a software engineer.
00:02:18
And I got exposed to tech really thanks to my sister, who was
00:02:22
awesome and convinced my parents to buy a PC very early on,
00:02:26
talking like when PCs just started and like it was like a
00:02:31
286 I think, and like mostly through like playing games and
00:02:37
having to run them on MS-DOS, having to type in the commands.
00:02:41
I both learned English, which is not my first language, and
00:02:45
working with the command prompt and basically writing code, and
00:02:49
from there it's kind of escalated quickly.
00:02:53
The most significant jump in my career was going into my
00:02:57
military service in the IDF. I was drafted into the intelligence
00:03:02
corps, into a unit called 8200, which is kind of the
00:03:05
equivalent of the NSA, and there I went from like a silly script
00:03:09
kiddie that has been like building websites and games and
00:03:12
stuff like that and maybe learning a little Prolog and
00:03:16
stuff like that in high school and went into like becoming an
00:03:19
actual software engineer and that also really led me very
00:03:23
quickly into cybersecurity.
00:03:25
It's kind of in the job requirements when you're working
00:03:28
for the intelligence corps. Security, cybersecurity, both in
00:03:34
how you write your own software and also in how you understand
00:03:38
the enemy's software, was mandatory very early on, but
00:03:43
also very exciting and inviting very early on, so that gave me
00:03:49
both the motivation, tools and perspective on how to do secure
00:03:54
software development and that really led me very quickly to
00:03:59
where I am today.
00:04:02
Speaker 1: So I mean that that's maybe the most interesting way
00:04:06
that I've heard of someone learning English right is
00:04:09
learning it via MS-DOS.
00:04:12
I mean, how does that even?
00:04:13
how does that even work?
00:04:15
Can you talk to me about like that learning process, because
00:04:18
that's, that's very fascinating.
00:04:21
Speaker 2: Yeah.
00:04:21
So I'll say it's not the only input that I got for English.
00:04:25
Also, like TVs and movies and books were there as well.
00:04:28
But I think the biggest incentive was like, oh, I want to play
00:04:32
this game, so I have to type English on the keyboard to make
00:04:36
that happen.
00:04:37
So initially it's just copying off, like my sister would write
00:04:41
it on a piece of paper and I'd like copy the characters, not
00:04:46
even knowing what they mean, from the paper to the keyboard,
00:04:50
like to the screen, and with iteration, with the motivation
00:04:54
of wanting to run things and wanting to play these games, I
00:04:58
picked up the language.
00:04:59
I think the game like that's.
00:05:01
A little later down the road, like not at the age of five, but
00:05:04
like 10, 11, I think, I started to play Civilization.
00:05:08
I think it was Civilization II from Sid Meier, and there,
00:05:14
like you have like full conversations with like the
00:05:16
different.
00:05:17
So it's a simulation of like running a country from like the
00:05:21
Stone Age up to modern times and you're you have to negotiate
00:05:25
with the AIs and it's like full on conversations.
00:05:29
And I remember like sitting down with initially with a
00:05:34
dictionary, a physical book, and later on with like a type in
00:05:38
dictionary that you can like a small separate keyboard that you
00:05:41
can type in.
00:05:41
Does the translation for you, and I picked a significant part
00:05:46
of my vocabulary from there and I think my vocabulary is still
00:05:49
pretty odd, like I sometimes use higher than needed language
00:05:54
because of that.
00:05:56
Speaker 1: Huh, that is.
00:05:58
I mean, that's really fascinating.
00:06:00
You know, like you kind of immersed yourself into the
00:06:05
language or that world of English just because you wanted
00:06:09
to play video games.
00:06:10
You know, I wonder how much of my own like language and
00:06:16
experience came from, just straight up, playing video games,
00:06:20
right, like, how much did I learn from playing video games?
00:06:24
because I mean, I was addicted when I was a kid.
00:06:26
I mean, you know, I still play video games today, I just don't
00:06:30
have enough time, right.
00:06:31
It's like that like meme, right, where you know all you want to
00:06:37
do when you're a kid is play video games, but you don't have
00:06:41
the money to pay for all the games that you want to play, and
00:06:44
then you get a job and you have all the money, but you don't
00:06:47
have the time.
00:06:49
Speaker 2: Yeah, it's one of the ironies of life.
00:06:51
I think, in general, there's a lot of things that we need to
00:06:54
learn about this around western civilization, especially as
00:06:58
we're coming into things that will really shake up the job
00:07:02
market, like machine learning agents affecting our jobs and
00:07:08
changes in the balances between the different echelons of
00:07:11
society, like there's the entire wage gap.
00:07:15
That is still, I think, a significant thing that we
00:07:18
haven't solved.
00:07:19
And also retirement, like if you take your story a step
00:07:25
further, by the time you get to retirement, where you can focus
00:07:28
on having fun, for example, it's not only that you don't have
00:07:32
the time, you don't have the physical capability, and that's
00:07:35
the thing, one of the saddest things. But I'm kind of
00:07:39
delighted, the end of the tunnel that I'm kind of looking at is
00:07:42
uploading ourselves to the cloud.
00:07:44
Hopefully that will solve everything or make everything
00:07:47
worse.
00:07:47
We'll have to wait and see. Dilemmas or conversations on
00:07:52
futuristic dystopias.
00:07:54
I'm also running, in addition to Permit, a
00:07:58
podcast called Command Shift Left, which is just for
00:08:03
engineers coming in talking about random facts for
00:08:05
developers, and we often find ourselves talking about
00:08:09
dystopian futures and if we're in a simulation or not, so
00:08:14
for people that like that, check out Command Shift Left.
00:08:19
Speaker 1: Oh, yeah, that's.
00:08:20
It's really interesting.
00:08:23
You know what you brought up with.
00:08:26
You know you, a lot of people wait for retirement to kind of
00:08:30
live their life that they wanted to live.
00:08:32
And I always stress it to people that you know you should
00:08:37
be, you know, enjoying your life, right, like while you can, I
00:08:41
mean it's.
00:08:44
I grew up with a lot of people that would say like, oh,
00:08:47
everything's gonna change when you're 20.
00:08:48
You know, everything's gonna change when you're 30 and 40 and
00:08:51
50, right, and you know, I got told by people that, like you
00:08:57
know, I wouldn't do certain like physical activities when I'm in
00:09:00
my 30s because everything is gonna change.
00:09:02
And like, to me, how my brain works is, you know, when I, when
00:09:06
someone says I can't do something or I won't be able to
00:09:08
do something, it's like all right, well, time to go do it.
00:09:10
Then, you know.
00:09:11
But it reminds me of when I was working for a large company and
00:09:18
one of my colleagues was I think he was at that company for
00:09:24
30 years just same company you know at for 30 years and he was
00:09:32
talking about, oh, i want to retire in five years.
00:09:35
And you know I was asking him like, oh, what are you gonna do
00:09:37
when you retire and whatnot.
00:09:38
And his face kind of lit up and he was talking about how he
00:09:42
wanted to travel the world and he had a list, and you know, of
00:09:45
all the places that he was going to go, all the food that he was
00:09:48
going to try, and I was like you didn't, like you know,
00:09:51
explore any of these locations, like while you were here.
00:09:54
I mean we give vacation time, like you have more vacation time
00:09:58
than probably anyone at the company, because it's all saved
00:10:01
up, like you never used it really, and you know he didn't
00:10:06
right and I'm like, well, what,
00:10:08
like,
00:10:08
what happens if you retire and something happens?
00:10:13
you can't go on your trip, you know, and his, his, he had no
00:10:17
response.
00:10:18
It's like man, this guy spent his whole life working for this
00:10:23
whole trip and I mean legitimately, he may not be able
00:10:26
to go on it.
00:10:27
Right, like you never know what's gonna happen, he may not
00:10:30
be able to go on.
00:10:31
It is disappointing, right.
00:10:35
Speaker 2: It's disappointing and it's scary, and I think the
00:10:38
scariest thing is how accepted and mundane these kind of
00:10:43
patterns have become.
00:10:44
It's like you're gonna do this one job, you're gonna do it for
00:10:51
this significant part of your life, and then you'll wake up at
00:10:54
the other end of the tunnel and most people don't even stop to
00:10:57
think about it.
00:10:59
I think that creates a lot of frictions for society.
00:11:02
I also think, by the way, that creates a lot of friction for
00:11:06
security.
00:11:06
People are just going by the lines that are defined to them,
00:11:11
even if those lines don't actually meet the requirements
00:11:14
of their work or the security profile that they need from the
00:11:17
work, so that it fails twice.
00:11:19
One is you're limited in how you perform your job because of
00:11:25
silly security requirements that are like from ten years ago.
00:11:28
For example, my pet peeve is requiring people to constantly
00:11:32
change their password.
00:11:33
Research has already proven that that's a bad idea.
00:11:36
It causes people to pick bad passwords and it causes them to
00:11:41
forget their passwords more often, and that just creates
00:11:44
more chaos.
00:11:44
So patterns like that create situations where we
00:11:49
both have less performance in doing our jobs and we're less
00:11:54
secure, and in general, it creates scenarios in our life
00:11:58
that are just, as we just touched on now,
00:11:59
They're just sad.
00:12:01
It's such a shame because we don't need to live in a box.
00:12:05
We can open our eyes, we can investigate what we're working
00:12:09
on, we can find the vulnerabilities and points and
00:12:12
change the existence.
00:12:13
That and we can make things better if, again, if we just
00:12:17
give it a chance.
00:12:20
Speaker 1: Yeah, you know, you brought up the passwords and I'm
00:12:24
still kind of blown away that in 2023, companies still don't
00:12:30
offer their employees a password manager.
00:12:32
You know, like, right off the bat, day one: Hey, create your
00:12:35
password.
00:12:36
This is a secure solution.
00:12:37
Everything is going to be stored into here and then it
00:12:40
automatically just stores, you know, whatever passwords you
00:12:43
enter in and it'll automatically generate,
00:12:46
potentially even rotate, these passwords.
00:12:48
You know, so you're not worried about learning.
00:12:51
You know 30 different passwords.
00:12:53
You're concerned with learning one password and the way that
00:12:57
they salt and hash it and store it and all that sort of
00:13:00
stuff secures that password, even if it's, you know, password
00:13:03
one, two, three. Like 1Password.
00:13:06
You know, like, I use that for my personal self and it's a
00:13:10
fantastic solution, but I think that it's just really
00:13:16
disappointing that companies are like not getting on board
00:13:19
with this basic thing.
00:13:23
Speaker 2: Software is evolving quickly, but the software that
00:13:26
we're running in our societies, our cultural software, doesn't
00:13:31
doesn't get service pack updates as quickly as it needs.
00:13:34
You can also look at like if you continue that line, because
00:13:39
let's look at like the software that is running our bodies, it's
00:13:42
also very hard to update, and that also causes a lot of
00:13:45
problems, including that a pet peeve that I have there is
00:13:48
backache.
00:13:49
Evolution hasn't really tweaked us fully to walk on two, so
00:13:57
our entire skeleton is kind of ad-hoc patched for walking on
00:14:02
two.
00:14:02
So we get back pains very early in life and they stick with us,
00:14:06
which is very annoying.
00:14:07
And that's again all about the paces of updates of the
00:14:11
different layers that we work with.
00:14:12
And I don't know, I'm not sure, if there's a solution for that
00:14:18
again, except maybe uploading yourself to the cloud.
00:14:21
Then you have a new layer of software as a clean slate that
00:14:25
you can maybe upgrade and update more quickly.
00:14:29
But I guess we'll have to wait and see.
00:14:33
Speaker 1: Yeah, I couldn't imagine trying to secure
00:14:36
something like the metaverse or trying to put guardrails in line,
00:14:41
you know, with a service like that.
00:14:44
I feel like I feel like that's just an impossible task.
00:14:49
Speaker 2: It is a daunting one.
00:14:50
First of all, you can rest assured that there are people
00:14:53
that are working on it, so we haven't really touched on Permit
00:14:57
itself yet.
00:14:58
But my co-founder, Asaf, he worked at Facebook, it's Meta
00:15:02
now, and he saw, for example, that they've invested a team
00:15:06
of 30 people for half a decade to build a level of access
00:15:10
control that they have.
00:15:11
Combining that with our own experience, that really taught
00:15:14
us that this is a huge problem.
00:15:16
That exists now.
00:15:18
I, for example, had rebuilt our access control for the product
00:15:22
in my previous company, Rookout,
00:15:23
five times before
00:15:26
the company was even three years old, and so in combining
00:15:29
those two, we realized it's a huge problem now, but it's only
00:15:32
gonna get far worse, and so the bigger companies are working on
00:15:36
these problems, but they're coming for all of us, all over
00:15:39
all the software engineers.
00:15:41
Complexity is really at the gates and I think it's becoming
00:15:45
very apparent.
00:15:45
I just came back
00:15:47
from KubeCon in Amsterdam and I think,
00:15:52
without exception, not even a single company that presented there
00:15:55
didn't talk about a large language model that they're
00:15:58
embedding into their software.
00:16:00
And thinking of that,
00:16:03
I think it becomes really easy to see where the complexity is
00:16:06
gonna really slap us in the face.
00:16:08
So if up till now, the users that we were giving access to
00:16:12
were human users working at their pace, it's becoming more
00:16:16
and more machine learning agents on behalf of machine learning
00:16:19
agents, on behalf of a long cascade of those on behalf of
00:16:22
humans interacting for software.
00:16:24
So now it's an AI agent that is interacting with the AI agent
00:16:30
embedded in our app, and that's a lot of fuzzy logic for access
00:16:34
control and it's right around the corner.
00:16:37
Right, we're already seeing these being embedded and the
00:16:40
problems and security vulnerabilities that will be
00:16:42
creating are also becoming apparent.
00:16:45
So I think we're up for exciting times and even if we
00:16:50
can't wrap our hands around it, no one's asking us, it's gonna
00:16:55
happen, and from my perspective, what we're trying
00:16:59
to do is provide the tools so people can remove the cognitive
00:17:04
load, that they'll be able to focus on building the software
00:17:07
and they'll have something that they can pull off the shelf that
00:17:09
will at least help them carry this load as they're
00:17:13
meeting the complexity.
00:17:15
Speaker 1: Hmm, well, let's talk about Permit IO.
00:17:18
You know, you guys, it sounded like you saw this issue in the
00:17:25
industry of managing, you know, roles and permissions and
00:17:29
whatnot, which I've done that myself, and it's extremely
00:17:34
difficult to do on-prem.
00:17:35
It's pretty close to impossible in the cloud, especially if you
00:17:40
allowed your developers to get into the cloud before your
00:17:42
security team can actually, you know, look at the cloud.
00:17:45
It creates some very unique challenges.
00:17:48
That it's just.
00:17:50
It turns into an impossible spider web to untangle.
00:17:54
So what are you guys doing differently than everyone else?
00:17:59
that is separating Permit IO apart from the rest of the crowd.
00:18:03
Because, you know, I feel like everyone does it a
00:18:07
little bit differently.
00:18:08
The value in this area is identified and companies are
00:18:12
definitely paying attention to it, but I feel like the ones
00:18:18
that make it, that make the engineers life easier, are the
00:18:22
ones that will stand apart.
00:18:25
Speaker 2: I definitely agree with that, and I think that's
00:18:27
one of the key things that also puts us apart from all the
00:18:31
other players in the space.
00:18:32
So most companies you'll interact with in this space
00:18:35
they'll tell you something like you're an engineer, you like to
00:18:39
build amazing things right.
00:18:40
Here's building blocks, here's a policy engine like Open Policy
00:19:44
Agent or Cedar from AWS or there's a bunch of other
00:18:48
languages.
00:18:49
Here's a policy engine and here's a bunch of APIs.
00:18:52
Go ahead and build your access control. And, first of all, let's
00:18:56
realize what is access control.
00:18:58
So there's the decision making, there's the enforcement that
00:19:02
you need to embed as part of the software, and there's all the
00:19:05
interfaces and experiences around that.
00:19:07
In the end of the day, access control is how you connect
00:19:10
systems and people to what you've built.
00:19:12
So it's a lot of interfaces that you've used a billion times
00:19:15
and every time you use them, some poor schlep of a developer
00:19:19
had to create them from scratch.
00:19:20
So classic things like user management with the ability to
00:19:23
assign roles, API key management, secrets management,
00:19:27
audit logs, so you can see what your customers did within the
00:19:30
system.
00:19:31
So your customers can see themselves what they did within
00:19:33
the system for their own compliance and regulations,
00:19:37
invites, approval flows, one user starts an action, another
00:19:40
user approves it, permission requests, emergency access, and
00:19:44
this list just goes on and on and on.
00:19:46
So instead of telling people oh here's some building blocks, go
00:19:51
ahead and build all of this.
00:19:52
We're saying something very simple: Don't.
00:19:55
You don't have to.
00:19:56
If you want, you can, but you don't have to.
00:19:58
Here are all of these experiences ready off the bat.
00:20:01
Just plug them in, focus on building your core software.
00:20:05
So it's really about empathy.
00:20:06
It's really about understanding what developers care about and
00:20:08
what they don't.
00:20:09
They care about building amazing technology, but their
00:20:12
core amazing technology, not just run-of-the-mill stuff that
00:20:16
is not unique to any product, and I think that's maybe the
00:20:21
most important thing in what we do.
00:20:22
A key part of that is also embracing and connecting other
00:20:27
people.
00:20:27
So developers want to have this available, but they don't want
00:20:31
to be fine tuning it all day long, especially when other
00:20:34
people need to be able to participate.
00:20:37
So you want product managers to be able to work on policies.
00:20:40
You want security and compliance, obviously, to work
00:20:43
on it.
00:20:43
You want sales and support to be able to affect this as
00:20:46
part of a product, and the list again here continues.
00:20:49
So it's not just about empowering the developers, it's
00:20:53
about enabling the developers to empower everyone else and be
00:20:57
the heroes of the story.
00:20:59
So, for that, one of the experiences that we've created
00:21:01
and maybe one of our claim to fame experiences, is our policy
00:21:04
editor, which I like to say is an interface that a monkey can
00:21:08
use, or even a product manager, if they're smart enough. By the
00:21:12
way, product managers are the ones that love the joke the most,
00:21:14
ironically. And so you get an interface that you can delegate
00:21:19
to other people.
00:21:19
Everyone can chime in on the conversation, but it still works
00:21:22
with the best practices.
00:21:23
It still generates policy as code that gets loaded into your
00:21:27
Git repository, so you never lose control and you never lose
00:21:31
the best practices as a developer.
00:21:32
But you still don't have to do everything on your own and be
00:21:35
the bottleneck for the organization every time someone
00:21:38
wants to add a role or make roles dynamic, or have an audit
00:21:42
log for a certain behavior or enable people to invite other
00:21:47
people on their own.
00:21:48
So we get those off the shelf.
00:21:52
And lastly, another differentiator that we have and
00:21:56
I think is also about developer empathy is being a policy engine
00:22:00
agnostic.
00:22:01
So most companies, when you go to them, they'll tell you you
00:22:05
got to use this policy engine.
00:22:06
It's the best because we built it, so it's the best right.
00:22:10
And I think that's really weird , because when I think about
00:22:15
developers, i think about a full arsenal of different ideas and
00:22:21
languages and tools that people want to use, and like saying, oh,
00:08:24
there's only one tool that you can use and that's the only one
00:08:27
that you can, is very weird.
00:22:29
Like different developers want different languages, different
00:22:31
tools aligned with different tasks.
00:22:34
So in Permit, instead of saying, oh, here's another
00:22:37
policy engine and you have to work with that one, we're saying
00:22:40
let's just work with whichever policy engine you want, let's
00:22:43
have interfaces that generate it in different languages, let's
00:22:47
have generic adapters that allow you to, and that's our open
00:22:51
source project, OPAL, that allow you to connect to different
00:22:54
agents on the fly.
00:22:54
So understanding what developers want and giving it to
00:23:00
them in a way that meets the way they work, that's what
00:23:03
differentiates us from everyone else in the space, and I think
00:23:08
it's something that I'm very proud of and seems to be proving
00:23:11
itself.
00:23:19
Speaker 1: So is it a solution that already kind of builds out
00:23:23
these permissions and the roles, potentially even like
00:23:26
authentication methods for developers, of how their
00:23:32
application will work with storing secrets securely?
00:23:36
Is it building out these workflows automatically?
00:23:40
You kind of go into your solution and point out like I
00:23:44
want something that stores a secret, I want something that
00:23:48
rotates a password or creates this authentication mechanism.
00:23:51
Is that how it's interacting or integrating into the workflow?
00:23:57
Speaker 2: So there are three key components that you mix and
00:23:59
match.
00:24:00
There's a microservice for authorization, what we call the
00:24:05
policy decision point.
00:24:06
So that's a microservice ready to be embedded.
00:24:09
You can also consume it from our cloud, but for performance,
00:24:12
latency, availability and security, it's best to have it
00:24:16
as part of your app, and it's based on your policy engine of
00:24:22
choice, like Cedar or OPA.
00:24:23
So we get that ready made for you.
00:24:25
You just plug that in.
00:24:26
And the other part is SDKs and plugins that create enforcement
00:24:31
points themselves.
00:24:33
The main flow is a function called permit.check.
00:24:35
You're basically saying this is what's happening now.
00:24:38
This identity is trying to perform this action on this
00:24:41
resource.
00:24:42
So your application code can just describe what it's doing,
00:24:46
without going into the policy, without going into the decision
00:24:50
making.
00:24:50
So you can pepper your code with those very simple calls.
00:24:54
You can do that for decorators, for the middleware, for
00:24:57
whatever suits your flavor of development, obviously, and that
00:25:00
would connect to that microservice for authorization.
00:25:02
And, lastly, you have the control plane and the interfaces.
00:25:05
So you have the policy editor, so that on the fly you can say,
00:25:11
oh, I want this role and I want these resources, and I want to
00:25:15
say that these roles can perform these actions on these
00:25:18
resources and I want these conditions for attribute-based
00:25:22
access control, or I want these relationships for
00:25:24
relationship-based access control.
00:25:26
And you just create it quickly, either in code or on the UI for
00:25:32
less technical people or for just technical people that don't
00:25:35
want to dive into this because it's boring, and it generates the
00:25:39
code for you and loads it on the fly to the decision points
00:25:44
in the application, so it immediately updates.
00:25:46
So you have the ability at many moments in time to work
00:25:49
through GitOps.
00:25:50
You're creating code, pushing it to Git, and from there it's
00:25:53
automatically deployed via OPAL to the live agents within the
00:25:57
software, and that's basically it.
00:26:00
And maybe the last thing is the experiences on top, because
00:26:03
there's this foundation, event-driven foundation of
00:26:07
decoupling policy and code and creating clear structures,
00:26:11
resources and actions. On top of it,
00:26:13
you can now apply interfaces on top, so you can apply the user
00:26:16
management.
00:26:17
So, oh, I have the concept of a role, so I can just assign it
00:26:20
to users.
00:26:20
I have the concept of a tenant.
00:26:22
I can put resources in that box and some users in that box, and
00:26:26
now I can say, oh, only you can, only these users and resources
00:26:29
can interact together.
00:26:30
So, yeah, and these will just work with the user management,
00:26:36
and with the tenant management, and with the approval flows and
00:26:39
with the audit logs.
00:26:40
Everything just emerges from the baseline that you embedded
00:26:44
into your software.
00:26:45
So, and you don't have to think about that, because the
00:26:47
abstraction just builds it out for you.
00:26:49
So that's the way it works.
00:26:52
You have an SDK, you have a microservice and you have a
00:26:55
control plane that gives you the experiences to embed into your
00:26:58
software.
00:26:59
Speaker 1: Hmm, that's interesting.
00:27:04
You know it kind of, in a way, it seems like it's working with
00:27:11
the developers rather than the developers working with the
00:27:14
solution, in terms of you know it's there to really you know,
00:27:20
immediately provide answers and solutions.
00:27:23
You know automatically within the application and really
00:27:26
limits you know the interaction right that the developers have
00:27:31
to go and create.
00:27:32
You know this authentication mechanism and we need to point
00:27:35
it to this IDP and things like that right, like that doesn't,
00:27:39
that doesn't exist with the solution.
00:27:40
So that's very interesting and it works across all
00:27:45
languages.
00:27:46
I assume, like it doesn't matter what the developer is
00:27:49
trying to work with, it'll just work with whatever.
00:27:53
Speaker 2: So we have, first of all, it's Swagger and OpenAPI
00:27:57
base so you can always work with the API directly.
00:27:59
We have SDKs for basically every language, from Python to
00:28:03
Go, .NET, Rust, Java, Elixir, even the esoteric ones.
00:28:08
We have SDKs ready.
00:28:10
It's easy to create more.
00:28:11
Yeah, you can then bake this into your software in the way
00:28:16
that's suitable for you.
00:28:17
In general, the balance that I love to adhere to when building
00:28:21
developer tools, there's this balance between how simple the
00:28:25
tool is and how powerful it is.
00:28:26
Obviously, the more opinionated and more simplified it is, it's
00:28:32
easier to use, but it takes away the power.
00:28:35
The balance that I like to strike is to have the power
00:28:39
always accessible.
00:28:40
You can choose, you can always dive into code.
00:28:43
You can always use the API directly.
00:28:45
You can always create interfaces, UI interfaces on
00:28:48
your own, but there's an opinionated layer that would
00:28:51
simplify it for you in 80 percent of the cases.
00:28:54
In 80 percent of the cases, you just throw it in and it works.
00:28:57
But for the other cases that you want, you're never limited.
00:29:00
You can always dive deeper and use the direct raw power as a
00:29:05
developer.
00:29:05
I think that's very important.
00:29:08
I think that's maybe what you were hinting at, that this works
00:29:12
with the developers.
00:29:14
The developers are the ones that are going to decide what this
00:29:16
application is going to look like, how it's going to behave,
00:29:19
what are the policies and however people are going to
00:29:22
connect it.
00:29:22
That shouldn't change.
00:29:24
That's how software should be built by people that understand
00:29:28
it, but it doesn't mean that they have to build every new
00:29:31
nook and cranny for every little thing in the software, or at least
00:29:35
not at once.
00:29:36
They should always have the option, but they should also
00:29:39
have the option to focus on the things that are actually
00:29:41
important at that point in time.
00:29:42
Let's face it when you're building an application, there's
00:29:46
a mountain of stuff to do and there's always the buy versus
00:29:50
build dilemma.
00:29:50
So you should be able to choose the right balance point for you
00:29:54
at each point in time.
00:29:56
That's why we also provide the solution, first of all, with a
00:29:59
very extensive free tier, but with usage-based pricing on top.
00:30:02
You decide how much you use as part of this.
00:30:05
This would grow with you and we're not like forcing you to
00:30:08
make all of the decisions that they want, because we understand
00:30:12
that as you build out software, requirements come in gradually
00:30:17
and the requirements change.
00:30:18
Your policy is going to change.
00:30:21
You're going to start with RBAC, and then you want to have
00:30:23
ABAC and you want to have ReBAC and you want to have ACLs
00:30:26
and you want to have a bunch of stuff.
00:30:27
But at the current moment in time you want something specific
00:30:31
and you should be able to tap into that specifically without
00:30:35
having to wreck your brain or wreck your budget just to get
00:30:40
started.
00:30:43
Speaker 1: Yeah, it's interesting.
00:30:44
Where do you see this solution going and growing into over the
00:30:50
next couple of years?
00:30:51
Obviously, you have the authentication mechanisms and
00:30:58
whatnot taken care of with the developers, But I feel like
00:31:04
there's a whole other side where it could potentially be used to
00:31:10
even audit current permissions within the environment and say,
00:31:14
hey, you don't use this for the last I don't know two years, or
00:31:18
something like that.
00:31:18
Speaker 2: Let's clean it up.
00:31:23
Speaker 1: Yeah, being able to maintain a healthy environment
00:31:27
in IAM as much as you can. Do
00:31:30
you also see where it's going, or is this something that you're
00:31:35
exploring and whatnot?
00:31:37
Speaker 2: So for sure.
00:31:38
First of all, I'd like to think that I know where this is going.
00:31:41
I'm no prophet, so take everything I'm saying with a
00:31:44
grain of salt, but I can tell you what I'm seeing and how I'm
00:31:47
perceiving it at least.
00:31:49
So, first of all, we're seeing that the complexity for software
00:31:53
is constantly rising and with it the complexity for the
00:31:59
authorization for that software.
00:32:00
So the software itself is becoming the most critical thing
00:32:03
that's already happened is the breakdown into the cloud and
00:32:06
into microservices.
00:32:07
Everything has become distributed.
00:32:09
So instead of having one big, huge chunk of software now, we
00:32:12
have a lot of small bits of software that we need to get
00:32:15
specific access to separately.
00:32:17
So that's one of the key things that we had to solve off the
00:32:20
bat.
00:32:20
So that's where those decision points come in, and the
00:32:23
granularity of both embedding it and enforcing it is very, very
00:32:28
important early on.
00:32:28
So that's something that's happening, already happened, and
00:32:31
we're in the midst of.
00:32:32
Next.
00:32:34
What's coming is complexity in the policy itself and how
00:32:40
dynamic it is.
00:32:41
So, as we're building more complex solutions of software,
00:32:45
what they do is becoming more dynamic.
00:32:47
So if in the past you had policies like just simple roles
00:32:52
like this user can do that, that user can do that and that's it.
00:32:55
Now a lot of applications have dynamic things like only users
00:32:59
that have paid for a feature can use it, only users that are
00:33:02
currently now in Europe can you do this action or work against
00:33:06
this server, only users that have this quota left can do this
00:33:10
action.
00:33:11
And these kind of dynamic behaviors that are to some
00:33:15
degree stateful, or at least have a stateful component that
00:33:18
is changing at the authorization layer.
00:33:20
That's becoming more and more commonplace because of the
00:33:25
requirements for compliance, because of the features that
00:33:28
we're building into the software and just because of the speed
00:33:32
of software that we're creating.
00:33:33
So that's really immediate next step and that's why we've
00:33:36
created OPAL, Open Policy Administration Layer, as an
00:33:39
event-driven channel, because that's the only way you can meet
00:33:42
those challenges if your authorization layer by itself is
00:33:47
event-driven.
00:33:49
Next, what's coming and I've kind of already touched on it is
00:33:52
the complexity and speed of the components using the software.
00:33:57
So machine learning agents, automated agents, people using
00:34:02
the software with APIs themselves, like more and more
00:34:06
people, are becoming code savvy.
00:34:09
Even if they're not using code directly, they're using low code
00:34:12
interfaces.
00:34:13
If they're using generative AI to drive things automated for
00:34:17
them, they're using things like Zapier, that's becoming very,
00:34:20
very commonplace as well.
00:34:21
It's really around the corner, especially with the machine
00:34:23
learning agents themselves, and so the speed in which your
00:34:27
software is being used and the speed in which you need to check
00:34:29
permissions for is going to explode in the next year and a
00:34:33
half.
00:34:33
So that's something that's happening and with it is also
00:34:38
how you just reason around software.
00:34:41
So if before you had policies that were thinking about how
00:34:44
humans behave, now we need policies that are thinking about
00:34:48
how machine learning agents are behaving, and then you get into
00:34:52
that.
00:34:52
Okay.
00:34:54
So I've basically a policy that to some degree, especially if
00:34:57
I'm gating another machine learning agent component that
00:35:00
can be basically almost nondeterministic or with having
00:35:06
significant random, pseudo random factors built into it.
00:35:09
So now I need my policy to also not be to be as flexible, to be
00:35:16
as nondeterministic or as able to take in the randomness or
00:35:21
chaos on the other side.
00:35:23
So we'll be seeing machine learning agents becoming part of
00:35:28
the authorization layer.
00:35:30
By the way, in Facebook and Meta, which we have some visibility
00:35:35
into through my co-founder, they have this already today.
00:35:39
So, a lot of times, because of the complexity of the different
00:35:42
elements of software and the different people interacting
00:35:45
with it.
00:35:45
There's an AI agent making decisions on who can do what.
00:35:48
So, for example, it might this and they're in it's applying
00:35:53
complex conditions and complex organizational flows to make the
00:35:58
decisions.
00:35:58
So, for example, it will look at behavior and analytics.
00:36:01
Oh, you've been consuming more data than you usually do, or
00:36:05
you've been accessing data that usually don't.
00:36:07
This raises a flag, and now, instead of just blocking you, it
00:36:12
can decide to throttle you, or it can decide to ask your team
00:36:16
lead if what you're doing makes sense, or to get another
00:36:21
approval by another element of software that exists.
00:36:24
So these are things that will also... They're coming for everyone,
00:36:29
also sooner than what we perceive as later.
00:36:33
Lastly, is, well, I think what you touched on with the
00:36:36
behavioral analytics?
00:36:37
As this picture becomes more and more complex, as the audit logs
00:36:41
are becoming more vague, as the vulnerabilities, the surface of
00:36:46
attack, the attack surface, sorry, is growing, it will also
00:36:51
need more intelligent, more automated solutions to recognize
00:36:59
where things are going off beat, recognizing when users go
00:37:03
rogue, when machine learning agents go rogue, when machine
00:37:07
learning agents are being defrauded or being misused, all
00:37:14
of these things are very imminent, as I see it.
00:37:20
I think they're a clear part of the upcoming future, and that's
00:37:26
basically just the tip of the iceberg.
00:37:28
By the way, what I think the very classic question is okay,
00:37:34
what are we going to do about this?
00:37:35
I think what we need to do about this is, first of all,
00:37:38
just cover our basics, because we haven't done that yet.
00:37:41
That's what we're trying to do with Permit.io, and to provide
00:37:45
interfaces that would make it approachable for everyone to
00:37:49
work on this problem.
00:37:50
By doing that, we can start to ramp up the conversation, but we
00:37:54
should start with crawling or walking before we're running,
00:37:57
and we need to get through to crawling and walking soon,
00:38:00
because we'll need to be in running pace very soon.
00:38:04
That's how I'm thinking about the future.
00:38:13
Speaker 1: Yeah, the AI agent or the machine learning component
00:38:19
of it, I find to be very fascinating.
00:38:21
I remember working with someone and I got on the call with them
00:38:27
for the very first time.
00:38:28
While we were troubleshooting an issue with some random server
00:38:32
in the environment, some calendar alert came up and said
00:38:39
log into whatever servers.
00:38:42
I'm on the security team, this guy's on the infrastructure team.
00:38:45
I'm like what was that?
00:38:48
Because that looked really weird.
00:38:49
He said oh, we have this software in the environment
00:38:54
where if you do something out of your norm, it locks you out of
00:38:59
the system and it won't allow you to access it.
00:39:01
And I want to prevent that from stopping me to resolve issues
00:39:06
on these servers if something were to go down on the weekend
00:39:10
or whatever.
00:39:10
I don't want to wait for someone else's permission.
00:39:16
I was very in the middle on this, because what he's doing, is it
00:39:23
wrong?
00:39:24
Sure, it's going against the security tools, security policy,
00:39:28
probably even.
00:39:29
But is he wrong for doing it?
00:39:33
He has good intentions behind it, but that also opens the
00:39:38
organization up to a greater insider threat situation where
00:39:44
this AI, this ML, whatever it might be, is learning like hey,
00:39:48
he logs into this critical server in the environment often.
00:39:52
Well, if he gets laid off or fired or whatever it might be,
00:39:59
and he just decides to go in there, that agent that was meant
00:40:02
to protect that sort of login is now allowing it when it
00:40:07
normally wouldn't.
00:40:08
It creates a difficult situation, I think, for everyone
00:40:15
in the organization, because security just wants what's best.
00:40:18
These other guys, they just want to do their job and they
00:40:21
want to be able to do it when they need to do it.
00:40:23
Yeah, it's like what do you do?
00:40:26
Where do you go from here?
00:40:28
Speaker 2: I think you've basically brought us full circle,
00:40:31
back to the mini conversation we had about passwords.
00:40:34
If you're creating security culture that people can't work
00:40:41
with or can't relate with or can't understand, that's bad
00:40:44
security culture.
00:40:45
Even if you're covering all of your bases, you'd fail in your
00:40:49
job, because people will always adhere to norms and not laws.
00:40:54
People will always find a way to make things work for them.
00:40:58
By making it harder and missing the point, which is enabling
00:41:02
the organization to work, you basically shoot yourself in the
00:41:05
foot.
00:41:05
I don't think anyone should be blamed here.
00:41:10
I'm not blaming that engineer and I'm not blaming the app sec
00:41:13
people that created that situation. But we need to
00:41:17
recognize such, basically vulnerability points in our
00:41:21
security culture and build the tools the right way that provide
00:41:26
both the security and the enablement to work that the
00:41:30
organization needs.
00:41:31
There's actually another classic story that I have from
00:41:36
my Ministry of Defense days.
00:41:38
Without going into the raw details, there was an air gap
00:41:43
network, a very highly secure air gap network that was created
00:41:47
for a very important project.
00:41:50
In order for that network to work with other solutions, they
00:41:55
created a data loading solution.
00:41:58
There was basically stations where you can bring in whatever
00:42:04
you need from external sources and it will go through protocols
00:42:07
and scans and all the right things that you need to load the
00:42:12
data in a secure fashion.
00:42:13
On the surface, this looks great.
00:42:17
We have a fully air gap network.
00:42:18
We have specific nodes where we control data entry and we can
00:42:22
limit things with our policies and with our scanning and our
00:42:26
security tools.
00:42:28
Problem was that those work nodes, those stations to upload
00:42:33
the data they were great, they were top of the line, but they
00:42:36
were slow.
00:42:37
They covered all of the bases for security, but they were
00:42:41
super annoying to work with because you load in the data and
00:42:44
you'd have to wait hours to get the result.
00:42:47
On the other side, people being people, some of them said this
00:42:52
is just like a small thing that I need here.
00:42:54
It's like a small text file.
00:42:56
There's no reason to wait hours now to go forward.
00:43:02
They found a loophole and they plug it in in a separate way.
00:43:05
I can tell you there was a matter of time until really
00:43:13
dangerous malware was exposed to the network itself and
00:43:18
infecting critical spots of it.
00:43:19
Again, people doing it, they didn't have bad intentions and
00:43:26
they weren't aware of the risk of what they're doing, and so I
00:43:31
really think the problem there is not just people circumventing
00:43:35
things, it's around creating situations where people don't
00:43:39
need to circumnavigate things.
00:43:41
And, yeah, I think it's like the cultural aspect, or the
00:43:46
human aspect, is probably the most challenging part of doing
00:43:50
security.
00:43:53
Speaker 1: Yeah, that is, that's for sure.
00:43:55
You know, and I feel like one of the things that can separate
00:43:59
you and your career is actually your soft skills of how how you
00:44:04
handle those difficult situations.
00:44:05
How you handle, you know, interacting with people,
00:44:08
regardless of their team, their status within the organization,
00:44:13
and you know all those things matter.
00:44:15
It reminds me of a time when I was working for a company that
00:44:20
you know did a very similar thing.
00:44:22
They tried to air gap, basically, their critical
00:44:26
servers and their security, you know, servers like the control
00:44:31
consoles, right from everything else.
00:44:33
The only issue was that they did it in such a way that made
00:44:41
it extremely arduous, very difficult for even authorized
00:44:45
users to log into that environment, to even just deploy
00:44:48
patches.
00:44:48
It was a very difficult task, and so when I took it on, we
00:44:54
were two years behind on patches and people were still telling
00:44:59
me that it was secure because no one can access it.
00:45:01
I'm like, yeah, well, you think one.
00:45:04
You think that no one can access it from the outside
00:45:06
because people have trouble accessing it from internally,
00:45:11
but that's not a reason not to patch, you know, and doing some
00:45:16
deeper digging, of course, the teams that were tasked with
00:45:20
actually patching it, you know they didn't want to work with it.
00:45:23
They literally told me they're like.
00:45:25
You know, we have a change window and within that change
00:45:28
window we have to be logged in, patched and done and the server
00:45:31
needs to be rebooted.
00:45:32
Well, we don't even have enough time to literally deploy the
00:45:37
patches before we have to re-log in and do this whole process
00:45:40
again.
00:45:41
It took them 20, 30 minutes sometimes to log in to the right
00:45:46
place and just start the work. And then it times out after a
00:45:50
certain amount of time, and they didn't want to deal with that.
00:45:53
And I don't blame them, I don't want to deal with that either.
00:45:55
So, you know, it kind of became like my personal mission at
00:46:00
that company to kind of dismantle this thing.
00:46:03
But it was an interesting challenge because the person
00:46:09
that created it was retiring and I don't know what it was like
00:46:13
90 days or something like that. And so it was like, okay, I kind
00:46:17
of have to maybe design this for 90 days because I don't want
00:46:21
to, you know, completely destroy like his life's work at
00:46:24
this company, at least not in front of him, right, like?
00:46:30
Speaker 2: By the way, my general opinion is that air gap
00:46:34
is a pointless effort, especially as the speed of
00:46:41
technology accelerates, like the speed in which we're
00:46:44
discovering vulnerabilities is constantly increasing, and so
00:46:48
your ability to catch up when you're disconnected is gradually
00:46:54
becoming irrelevant.
00:46:55
And by becoming so, by air gapping, you're basically making
00:47:00
yourself more vulnerable as opposed to being more, as
00:47:04
opposed to being less, vulnerable.
00:47:05
So I really think that air gap networks are pointless, aside
00:47:11
from like very specific situations or very like when you
00:47:16
can completely connect it, like seal it in concrete, lock it
00:47:21
out from the outside world, like it's like a bunker that needs
00:47:24
to run on its own for a while.
00:47:26
Those are maybe the exception, and even there I'm not that sure.
00:47:29
Other than that, you're using air gap solutions.
00:47:33
You're mostly doing your security a disservice.
00:47:35
That's my opinion, and I think what really makes it apparent is
00:47:40
when you think about the cost effectiveness of your defense
00:47:44
versus the attackers or offenders.
00:47:48
For most, not that significant attackers like your just, let's
00:47:57
say, corporate espionage or just run of the mill, ransomware,
00:48:02
stuff like that, they're not gonna waste their energy anyways
00:48:06
on targets that have high security profiles, that have the
00:48:11
ability to build significant moats and protect their networks.
00:48:13
It's a waste of time, and for them they have easier targets.
00:48:20
So you already have the capabilities and budget.
00:48:25
If you're building an air gap network, you already have the
00:48:27
capabilities to fend these off rather easily, or at least
00:48:30
contain them if the things go all right.
00:48:34
The folks that you are trying to protect yourself are basically
00:48:38
the nation state attackers.
00:48:39
Those are the ones that usually you're trying to use an air gap
00:48:43
network to protect yourself, and for them it's meaningless.
00:48:47
Like we can look at the things like they're in our public, like
00:48:51
Stuxnet and Olympic Games. It's really easy for an actor like
00:48:56
that to.
00:48:57
It's super simple.
00:49:00
It's literally getting something across the smaller gap.
00:49:04
It's literally how they think about it, and so it's basically
00:49:10
pointless against the only kind of attacker that this might be
00:49:14
relevant for.
00:49:15
So there doesn't exist a cost-effectiveness point, an
00:49:20
equilibrium point, where it would make sense.
00:49:22
I think that's the best argument that I can put on the
00:49:27
table against dismantling air gaps.
00:49:33
Speaker 1: Yeah, with all of the different developments that
00:49:36
have been happening, air gaps are kind of they're laughable,
00:49:41
right.
00:49:41
They're kind of more for show than anything else at this point,
00:49:44
because when you say that you're airgapping a system, you
00:49:50
make it sound like nothing else can access it, like it's just
00:49:54
gonna run forever right, there's gonna be no issues that ever
00:49:58
occur, because software runs perfectly every time, right.
00:50:00
But as soon as you start diving into the architecture of the
00:50:07
air gap, they're like it would always come back to oh well,
00:50:11
Windows updates, it has to have access to Windows updates, it
00:50:14
has to have access to Rapid7 or whatever it is right, and all of
00:50:19
those things are in the cloud, and it only communicates one way,
00:50:22
allegedly, right.
00:50:23
But that's not how it works.
00:50:24
It communicates two ways, right, and you start diving into it.
00:50:31
And even if you manage to put all that behind an air gap and
00:50:35
it was actually secure, there's always the insider threat.
00:50:38
There's always the guy that is making minimum wage, that has
00:50:44
access to this room that he probably shouldn't have access
00:50:47
to, and all they want him to do is plug in a USB into a random
00:50:52
server for $10 million, like now.
00:50:58
We're talking. Well, Or, I really appreciate you coming on.
00:51:01
I think that we are just about out of time here and I'm trying
00:51:04
to be very cognizant of your time.
00:51:06
So before I let you go, how about you tell my audience where
00:51:10
they could find you if they wanted to reach out and where
00:51:12
they could find Permit IO?
00:51:14
Speaker 2: Yeah so, for starters, finding Permit IO is as easy as typing
00:51:20
permit IO into your address bar. And when you get there, on the
00:51:24
top right there's a Slack icon.
00:51:25
So if you go there, that brings you into our large open source
00:51:30
and SaaS community and you can DM me there directly.
00:51:33
My name is Or Weis, O-R-W-E-I-S, and with those characters you'll
00:51:38
also find me on LinkedIn and Twitter and GitHub, and I
00:51:41
encourage you to reach out.
00:51:42
I always love talking to fellow engineers and security
00:51:46
practitioners.
00:51:47
Come talk to me about what you're building, about your
00:51:49
security challenges, about your startup.
00:51:52
I always enjoy that, and I don't think I've ever not enjoyed or
00:52:00
not welcomed someone reaching out.
00:52:01
So please do that.
00:52:03
And, yeah, I'd love to talk to all you folks.
00:52:06
Awesome.
00:52:08
Speaker 1: Well, thanks for coming out, Or.
00:52:10
I really enjoyed our conversation.
00:52:11
I wish it could have gone longer, but you know, all good
00:52:16
things must come to an end, or something like that, right?
00:52:18
Well, thanks everyone.
00:52:19
I hope you enjoyed this episode.