This Week in Enterprise Tech 544 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Louis Maresca (00:00:00):
On this weekend, rise Tech, we have Mr. Brian Chi. Mr. Curtis Franklin back on the show. Cybersecurity testing is essential for identifying remediation vulnerabilities. We'll talk about five ways security testing can aid incident response. Now has your organization thought about self sovereign identities? Maybe you should. Well, today we have Heather Doll, CEO of inicio to talk about how you can gain control over your own identity data. You definitely shouldn't miss it. Quiet on the set
Speaker 2 (00:00:29):
Podcasts you love from people you trust.
Louis Maresca (00:00:43):
This is twt. This week in Enterprise Tech episode 544 recorded May 19th, 2023. Poll one's self-sovereign identity.
(00:00:54):
This episode of this weekend, enterprise Tech has brought to you by Miro. Miro is your team's online workspace to connect, elaborate, and create together. Tap into a way to map processes, systems, and plans with the whole team. Get your first three boards for free to start creating your best work yet. Miro.Com/Podcast. And by Melissa, more than 10,000 clients worldwide. Rely on Melissa for full spectrum data quality and ID verification software. Make sure your customer contact data is up to date. Get started today with 1000 records, clean for free at melissa.com/twi. And by Cisco, orchestrated by the experts at C dw. When you need to get more outta your technology, Cisco makes hybrid work possible. CDW makes it powerful. Learn more at cdw.com/cisco. Welcome to Wyatt this week in enterprise tech, the show that is dedicated to you, the enterprise professional, the IT pro, and that geek who just wants to know how this rules is connected. I'm your host, Lewis Maki, your guide through the big world of the enterprise, but I can't guide you by myself. I need to bring in the professionals and the experts of the radio. Mr. K Franklin, principal analyst at I'm and the guy who lives and sleeps the enterprise. Curtis, how's it going this weekend? The enterprise for you.
Curtis Franklin (00:02:18):
Oh, the enterprise is treating me well this week. Got a lot done. It's nice to have some things published on the AMIA site. Have a nice report on cybersecurity awareness training. Got one coming up on risk quantification. Got some data coming out that's gonna be exciting about the size and state of the market. And in addition, I've got some follow up from rsa. Got a number of companies that I met with there that I'm gonna be writing up. It's interesting we're seeing a number of trends. One of 'em, of course, the whole AI thing where we're gonna be talking about that four, oh, let's call it forever. But the other is the way that a lot of the awareness training companies are moving from defining themselves by training to defining themselves by behavior modification. And that has a lot of interesting ramifications. So plenty to write about, plenty to talk about. But can't think of doing anything until we get deeply into the world of quiet.
Louis Maresca (00:03:25):
I agree, agree. Can I always look forward to these Fridays? So thank you Curtis for being here. Well, you'll also have to welcome back our favorite network geek, Mr. Brian Chi Sheer. How's the how's the fiber going?
Brian Chee (00:03:37):
I'm getting fiber in my diet <laugh>. Sadly, I wanted to go and complete that run that I just ran at the central Florida fairgrounds, but there was someone using the main hall and I couldn't go and splice the fiber, but that's all right. Oh, this coming Wednesday the, actually the chairman of the board and the IT person both wanna learn how to splice fibers. So I ought to be interesting that and I'm having fun with the salespeople and the art graphic artists for the fairgrounds. Teaching them all about digital signage and seeing what we could do. It's kind of cool. Bright Sign and a lot of the other digital signage companies have really stepped up their game on what they can do. And eventually I want to go and create a giant touchscreen, say maybe a 55 or a 60 inch TV vertical and simulate a giant cell phone so that people can go and browse through the fairground schedule. Ought to be fun.
Louis Maresca (00:04:43):
Well, thanks. Cheaper for being here. We should definitely get started cuz it's been a busy week in the enterprise. And cybersecurity testing is essential for identifying and remediating vulnerabilities. Today we're gonna talk about five ways security testing can really aid an incident response. Now has your organization thought about self-sovereign identities? Well, maybe you should because today we have Heather Doll, CEO of inicio to talk about how you can gain control over your own identity data. So definitely don't miss it because we're gonna talk about that in just a bit. But before we do, we do have to get into this week's news blips. Now we're all fans of password managers because it removes the need to type passwords physically. But this article by dark reading reminds us of the need to use managers that have secure coding practices. Now, key Pass is an open source password manager.
(00:05:30):
Most open source security based products are statistically more secure, but that's because they're constantly scrutinized by the community and people who use them. Thank goodness. Well, security researchers are also heavy on open source projects like these according to researchers. Key Pass is vulnerable to exposing people to leaking their master password. Now you may be wondering how that's the case. Well, in this particular case, researchers used old school methods of analyzing memory dumps of the process, right? They paid attention to how the code captures the master password in memory and how it doesn't follow secure coding practices. And if you want a good security code product practice book, this book from 2007 or something like that is, is still a viable thing cuz it actually talks about this. It's, it's a Microsoft Press book. Now, it doesn't matter where the dump comes from, whether it's process dump or swap file or hibernation file or ram dump of the entire process.
(00:06:22):
They can still get to it. A user opens key pass goes to enter their master password and the masked text box that shows up and there and lies the problem. The secure text box ex method is called Under the covers, where it captures the text data and the input and leaves leftover fingerprints and fragments of that text, text string in memory that actually can be concatenated back to the original value. Now the reality is passwords themselves are potentially the real problem here. But the reality is password keys and other methods of identity are more secure and shouldn't be shrugged off when thinking about security. Now, the this vulnerability is one of many vulnerabilities found in password managers in recent years. Some crafty hackers have found ways to trick password managers into auto-filling passwords from their sites instead of the real sites so that they capture 'em that way. If you decide to use a password manager, use one that actually security audits as well as ones that use safety of your inputs and outputs and how you, how they actually store your data. Plus, make sure you turn off convenience features even though they're convenient like autofill that saves milliseconds of time, but can open you up to more attack vectors.
Curtis Franklin (00:07:32):
Well, one of the things that you learned early in cybersecurity is that not all vulnerabilities, not all attacks are created equal. The truth of that lesson is made clear in a new report from Kaspersky, which shows that three attack vectors are the starting point for nearly 80% of all ransomware attacks. According to a dark reading article on the report, exploitation of public facing applications accounts for 30 43% of all breaches. Next comes use of compromised accounts at 24%, and then malicious email, which brings 12% of the total. The report titled The Nature of Cyber Incidents is very pointed in saying that paying attention to this handful of attack vectors could make a huge difference in the number of successful ransomware attacks. And it should be noted that Kaspersky isn't alone in identifying these as the top attack vectors. Google Mandiant found that the same common vectors made up the top three techniques in their studies, but their ransomware actors tended to focus on vulnerability, exploitation and stolen credentials, which together accounted for nearly half or 48% in mandiant's research of all ransomware cases. The real problem for the security industry is that these attack vectors and percentages haven't changed over the last three years because they haven't had to change. Jeremy Canelli of Manion says actors engaging in ransomware operations haven't needed to evolve their tactics, techniques, and procedures. Those are called TTPs in the industry significantly in recent years as well understood strategies have continued to prove effective. End quote. The lesson here is that paying attention to these high probability events will have the highest payoff for the enterprise just as they've had the highest payoff for criminals.
Brian Chee (00:09:31):
So thank you to my hometown newspaper, the Honolulu Star advertiser. They actually threw up this story about Montana has become the first state to ban TikTok. Well, I'm not even gonna bother reading the news, the news story there. It's worth reading on its own, and I'm sure every news outlet on Earth is gonna be picking up this story. Well, this isolationist move isn't unexpected as American legislatures test the waters in legislative actions that are being justified as protecting the private data of their citizens. Considering how Chinese state-sponsored hacking has harvested huge amounts of data from organizations such as the US Office of Personnel Management, yielding millions of government employee records, and all too many other organizations. Well, when I was originally briefed by dis when I was learning how to set up secure machines for use in classified processing, the efforts of mainland China was described as collecting grains of sand.
(00:10:40):
While China's collection efforts are looking more and more like beaches stretching into the distance with records on a very large portion of the US population, TikTok could be the effort to collect the data on the next generation of information workers in the US and collect that information when they're ignorant enough to expose actions that could potentially be held against them if ever in a sensitive position. My comment to those in the TikTok generation is that the fun and games of that maximum of 10 minutes of video should be viewed as being similar, just screaming at the busiest street corner in your hometown, all your private moments, social media should be viewed through the lens of introspection. Is what you're saying today going to come back and bite you tomorrow? The advice I've tried to give to my students is to shut the heck up and only post a fluff to social media. You're potentially exposing the answers to your future security questions about your first car, the name of your dog, your school, where are you honeymoon. And the list goes on and on. It is hoped that someday the general population will have a much better cybersecurity awareness and have dramatically better it's than simple passwords. But that day isn't here yet. And you definitely need to be more aware, aware of what you're posting to social media. So it's to legislators of Montana, good move, but you've only slowed the mainland Chinese collection of grains of sand.
Louis Maresca (00:12:14):
Whether you are a hobbyist, a startup, or an organization trying to develop new products, rapid prototyping is a method of experimenting and improving out your ideas. Now this Text Explorer article actually visits innovation into the area of rapid prototyping. Now, if you've tested out a circuit design before, you most likely have used a breadboard, right? This, these plastic rigid boards that interconnect your chips and discrete components together to help provide a VULs source. Now, surprisingly, they don't necessarily represent what circuits will do once it's in its final form factor. Now, what if the form factor is round or curved or requires a flexible plane to build the circus into it? Well, to try to get things closer to the real deal, m i t researchers have developed flexport that's sort of flexible breadboard. Now that means if you're trying to rapid prototype wearables or smaller iot t circuits with odd form factors like inter interactive sensors, actuators, and displays on curved and deformable surfaces, such as a ball or clothes, you can do it now with these flexible boards, really cool stuff.
(00:13:13):
The red boards design consists of a thin plastic that connects two pieces of the same material to enhance the flexibility. And if you've ever done woodworking before, you know this as curing. This live or living hinge pattern can be found in the caps of condom in bottles and the spines of plastic disc cases holding together flex box or flex boards electronic components. And if you like me, this has opened up a number of possible prototyping ideas or capabilities. Flex board can also enhance virtual reality gaming through controllers and gloves. In fact, the team installed a collision warning system on the controllers and alerting players where a VR headset is when there is a risk of bumping into surroundings. Now what it makes even more useful is the fact that you can cut the long breadboard, or actually the, the flexboard strips in the smaller segments for tinier items or several can be attached to prototype on larger objects. Flexport could make workout equipment, kitten kitchen tools, furniture, and other household items more interactive in the near future. Simple innovations like these may seem like they may not have an impact on things, but you might be actually surprised here, it might just kickstart an influx of invention in the market of micro electronics.
Brian Chee (00:14:26):
So this story comes from my lovely wife. It's a librarian, and this came from the American Library's magazine. So it's called Sit and Surf. It wa I want just want to highlight, it's a cool concept. Solar powered charging and surfing benches have been popping up all over the place. And I'd like to encourage organizations around the world to consider something similar. Even though it's only a solar charging station, it does encourage people to enjoy the great outdoors. Well, maybe not while it's snowing, but while this does provide an outdoor and outdoor sitting area and internet connection what about hackers? It does provide an easy way to extend services for your employees and patrons. Well, you know, hackers need sun too, right? Anyway, who knows? It might be where children do their homework during the next pandemic and you know, maybe the hackers will get some sun so they're not so pasty white next time.
Louis Maresca (00:15:28):
Well, folks, that doesn't for the blips. Next up we have the bites, but before we get to the bites, we do have to think a really great sponsor of this weekend enterprise tech. And that's Miro. Quick question. Are you and your team still going from tab to tab, tool to tool? And you're losing brilliant ideas and important information along the way? I know I have sometimes now with Miro, that doesn't need to happen. MIRO is the collaborative visual platform that brings all of your great work together. No matter where you are, whether you're working from home or in a hybrid workspace, everything comes together in one workspace online, no matter first glance, it might seem like just a simple digital whiteboard, but miros capabilities run way far beyond that. It's a visual collaboration tool packed with features for the whole team to build on each other's ideas and build a future shorten time to launch so your customers get what they need faster.
(00:16:21):
Now with Miro, you need only one tool. See your vision come to life planning, researching, brainstorming, designing and feedback cycles that can all happen and all live on a Miro board across teams. And faster input means faster outcomes. In fact, mural users report that the tool increasing project delivery speeds by 29% view and share the big picture overview in a sense. And when everyone has a voice and everyone can tap into a single source of truth, your team remains engaged, invested, and most importantly, happy cut out any confusion on who needs to do what. By mapping out processes, roles, and timelines, you can do that with several templates, including miros Swim Lane Diagram. Strategic planning becomes easier when it's visual and accessible. Tap into a way to map processes, systems, and plans with the whole team so they not only view, but have chance to give feedback as well.
(00:17:20):
If you're feeling meaning fatigue, I know I am Miro users report saving up to 80 hours per user per year just from streamlining conversations and feedback. Are you ready to be part of more than a million users who join Miro every month? Get your first three boards for free to start working better together at miro.com/podcast. That's miro.com/podcast. That's M I R o.com/and we thank Miro for their support of this week in enterprise tech. Well folks, it is time for the bites. Now we talk about a lot of security on this show, but what we don't talk about is some ways for you to manage things if things happen. For instance, if you have good incident response when your organization runs into an issue. Now there's, you know, cybersecurity testing is really essential for identifying and remediating vulnerabilities, whether it's continuously challenging detection or response capabilities, whether it's refining threat intelligence, gathering priorities, or enhancing overall incident preparedness.
(00:18:26):
Now, this particular article goes through five key considerations that organizations can focus on when developing an overarching strategy to build and maintain cybersecurity testing programs. Let's just talk about the five right up front here. It's collaboration across teams that make sense following an intelligence-led and risk-based approach to scope definition, performing continuous stress testing of cyber defense controls and setting up metrics for shared understanding and improving tracking. And of course, establishing feedback channels to drive process improvement. Now I do wanna bring my co-host in in just a moment, but before we do, I wanna go over another list of potential things that your organization can do that actually helps with this as well. You can use manage or managed vulnerability management tools, which actually could help organizations quickly identify any, or track even any vulnerabilities in there. You can actually implement a security awareness training program.
(00:19:20):
In fact, previous couple previous shows ago we had a professional on the show to talk about security awareness. There's really important programs at your, at your organization. You can implement zero trust as well as a, as a security model. And in fact, one of the big things that we talk about on this show every week is making sure that you keep your software up in services up to date. And of course using strong passwords as well as multifactor can also help. And of course making sure that you plan for being able to respond to cyber attacks. But let's go back to that previous list. I wanna bring my co-host back in and start with you guys and talk about just how effective these types of things are. Now Curtis, let's start with you because you talk about and think about security all the time. Is this a good start for a testing program for an organization?
Curtis Franklin (00:20:07):
I think it is a good start and one of the reasons is that it reinforces the notion that responding to an emergency, responding to an event is an organizational issue. You know, many times we start to take a very narrow view of incident response. That incident response is the responsibility of this piece of kit or this person or this department. And in the case of a very limited event, that may be true, but when you have a large event, you need to have a response across the organization. And in order to make sure that can happen, you have to have an emergency test. You know, public agencies run through things called sets, simulated emergency tests on a regular basis. And sets are critical for a lot of reasons that you mentioned in your list, including making sure that different groups that may or may not normally have a lot of dealing with one another know how to communicate, know how traffic is passed, and know who is responsible in each group for interacting with the other groups. I mean, this is a human issue and as humans, we need to practice these things. So I could not agree more with the idea that this is something that every organization needs to be doing on a number of different levels. Yeah, it takes time. Yeah, it's a pain. But yeah, when something really goes wrong, you'll be very glad you did it.
Louis Maresca (00:21:58):
Cooper, what about you? Any, any, any thoughts on this particular list or obviously I do agree with Curtis. It's obviously definitely a an organizational thing, but I think it also depends on what kind of organization you are too.
Brian Chee (00:22:12):
Yeah, well y'all, y'all know, I, I have quite a bit of background in government, you know, activities. In fact I actually coordinated a information based or cyber warfare game across the entire Pacific for US forces. One of the things that I threw out just to make people sit up and take notice is I nuked Okinawa. So when Okinawa dropped off the map, what do you do? I had dead silence from entire command center for, I don't know, a good minute. It's like they didn't know what to do. So the US mil, well, military in general, we all know war games, sand table games and things like that have been around for a very, very long time. The si the cyber security industry isn't really doing anything new. We've, they've taken a lot of techniques from military. Heck, we all saw the Tom Cruise MO movie Top Gun, right?
(00:23:20):
Well that is a sand table exercise writ large. It is not that difficult to do. Find the curmudgeon in your organization. You know, the person that's always complaining, that's always looking, you know, for the cloud, hovering over the world storm clouds there are usually the best ones to go and find things that you haven't thought of. It doesn't have to be really, really complex, but you do have to think, what can we do if this happens? Get the people that are, you know, the sourpuss, get 'em to go and think the worst case scenario and then at least talk about it. So I think this is one of those things that every organization, no matter what the size, well maybe a mom and pop store can just talk about it before they go to bed, but everybody else really ought to go and do something, write it down.
(00:24:25):
There's nothing quite like y'all say, someone crypto jacking your point of sale system to make you panic. If you write it down and ghe a throwing binder with tabs on what to do there's a lot less chance you're going to forget it in the panic. We do that all the time with the military. That's why we have these giant binders. Heck, I was, I was participating in pandemic exercises with the C D C and Usam. We actually practiced a super influenza or a smallpox, a weaponized smallpox outbreak. And we knew what to do because some really devious people came up with all kinds of things and we put it into binders, you know, people didn't have to think in the middle of a panic. That I think is one of the things you need to tell your people if you need to gamify it, you know, this is not rocket science.
(00:25:33):
There's lots of things you can do. Lots of very simple things that you need to do. At the very least, you are opening doors between your employees, you're trying to go for buy-in make them part of it, make them part of the defense of the company and make them feel more like part of the family. You know, there are many, many approaches to this and take some pages from how the world of the military, the military world does this. We do exercises all the time and it's paid off because we don't get surprised as often as people think or portray us in fiction, fictional books. Right.
Louis Maresca (00:26:20):
Well, I think it's interesting because obviously I, I talk with a lot of organizations and they try the whole red team blue team scenario, but you have to have some, some worthy adversaries within the company to go and figure these things out. In fact, sometimes they have special teams that go through and try to attack different services or services within the organization where there's internal external services, that kind of thing. And then they produce a report. But obviously not all organizations have expertise in that area. So Curtis, I wanna, I wanna talk to you about this because a lot of organizations out there, they need mechanisms in order to have better security response. And the idea is some of 'em have a security awareness program, but some of them, like cheaper said, is going through mock sessions are almost war game sessions to, to determine whether they can like hopefully respond well enough. Is this something that you're seeing more and more and more of as, as they as teams don't have experts like red teams and blue teams?
Curtis Franklin (00:27:15):
Absolutely and there are, there are three broad mechanisms that people use for this. One of them is the red team, the, the attackers that will, will come in. Now, you're right, most companies do not have the expertise in-house or at the very least don't have enough people in their security team to take half of them and make them a red team. So you can rent a red team, you can hire someone to come in and red team against your blue team. And that can work very well. There are a number of companies that are very good at doing that. So that's one thing. Another is the pen test, the penetration test. This is where you have someone who is not at all going through and trying a red team blue team. They're just attacking. They're looking for your vulnerabilities, they're looking for ways they can exploit the holes in your particular infrastructure and take advantage of them.
(00:28:26):
And the third is something called the cyber range. Now the cyber range is where you either physically or virtually go to a setup that looks a great deal like your organization set up and run an exercise. The advantage of doing this on a cyber range, rather than red teaming or getting a PIN test is that the attackers can go full bore when someone is red teaming you. When someone is pin testing, they have to pull up short of actually causing damage to your production equipment, to your production application infrastructure. And with a cyber range, they can, as Brian and I occasionally did when we were testing products, test to destruction so they can go ahead and take you down completely. That can be a real eyeopener for a lot of teams. So these are three basic techniques that can be used. All of them highly valuable and all of them being used more and more by companies that want to know that all of their training, all of their preparation is making a difference.
Louis Maresca (00:29:46):
Love that. I love that. Well, thank you for gaining some more awareness to organizations. Hopefully that's helpful to you as audience members. Well I, it definitely should. We, we should definitely move on because we have a guest to drop some knowledge on the TWI ride. But before we do, we do have to thank another great sponsor of this weekend enterprise tech and that's Melissa and Melissa's a leading global data quality identity verification and address management solutions provider. Now we are pleased to announce that Melissa's clean suite and data quality suite have again been named leader by g2, the leading peer-to-peer software platform in the 2023 data quality and address verification spring report. Melissa has also been named momentum leader and high Performer in the same reports across the small business mid-market and her enterprise segments. Melissa received various recognitions including good partner and easiest to do business with, easiest setup and highest user adoption and easiest admin along with leader status.
(00:30:47):
Melissa's ranked highly in the price category for clean suite and data quality suite across many segments. The Melissa's team believes that data quality should never cost more than it saves and continues to offer affordable high quality solutions for data quality and address verification. Poor data quality can cost organizations an average of 15 million annually. The longer it stays in your system, the more losses your business could accumulate. Melissa eliminates waste and lost opportunities from incorrect mailings and improves customer satisfaction. With seamless real-time identity verification tools, Melissa's matching and de-duplication tools help establish a single high quality customer record linking all customer touchpoints for an ideal 360 degree view of each customer. Melissa complies with USPS's Move update requirements and assures the most current address data through IT processing in the USPS's national change of address database. Since 1985, Melissa's specialized in global intelligence solutions to help organizations unlock accurate data from a more compelling customer view.
(00:32:00):
Melissa continually undergoes independent security audits to reinforce his commitment to data security, privacy and compliance requirements. They are SOC two, HIPAA and GDPR compliance. So you know your data is in the best hands. Make sure your customer contact data is up to date. Get started today with 1000 records cleaned for free. I'm melissa.com/twit. That's melissa.com/twit and we thank Melissa for their support of this week in enterprise tech. Well folks, it's my favorite part of the show. We actually get to bringing to guests to drop some knowledge on the TWI Rio. Today we have Heather Dossey's, CEO O of Inia. Welcome to the show, Heather.
Heather Dahl (00:32:43):
Hi. Thank you for having me.
Louis Maresca (00:32:45):
Absolutely. Now our audiences across the complete spectrum of experiences, whether it's IT pro or enterprise and whether they're beginning in IT or they're CISOs or CEOs or whatnot. So they love, some of them actually love to hear people's origin stories. Can you take us through a journey through tech and what brought you to IND c
Heather Dahl (00:33:03):
I was born into tech. Both of my parents met working at the Jet Propulsion Lab. And whether I liked it or not, I guess I rebelled for a number of years and that led me into technology. Really when I look at my career in tech, I think it began when I was four years old and I was building AI in the form of robots made out of my grandfather's beer boxes and Alpo cans and some Lego robotics. But that also started my career in identity because when I built the significant number of robots in that early stage of my career, I named them all Jaime. And for those who are get smart fans, shout out to you. But what that did was I had an identity problem on my hands. And when you name everything the exact same thing, right <laugh>, you don't know what anything is.
(00:34:00):
And that took me down the path of coding some to, with some TI computers that took me down the path of figuring out scripts on prying emails to do some early spamming for student body president. And then that took me into broadcast journalism, right? Where so many tech careers start. But I worked as a broadcast journalist for almost 20 years covering the nation's capital. And what I learned there is how to take very complex ideas and concepts and processes like how something becomes a law, how it works its way through Congress, how the agencies work and how do you explain that in 90 seconds or less in a way that makes an impact for the viewer. Also with broadcast journalism, there is a tremendous amount of technology involved getting the people into the little box. And so you not only have to have the analytical skill, the ability to write and communicate, but you have to have the technical ability to get your story on air and through by going, actually, to be quite honest, I went to the Smithsonian one day and talked with a volunteer about my interest in learning more about technology and that led me down the road of doing research on what became threat intelligence solutions.
(00:35:24):
Through that I moved into the world of decentralized or self-sovereign identity and here we are talking today.
Louis Maresca (00:35:34):
Love that. I love that. Now obviously digital identity is a big topic, obviously verifiable credentials is a compelling story for a lot of organizations. Can you maybe talk a little bit more about that and what's the, maybe the interesting thing about that for organizations?
Heather Dahl (00:35:50):
Interesting is that we've been actually talking about this for almost 15 years. So while it seems new, and even at RSA two weeks ago, I've never had so many meetings in my life at RSA about verifiable credentials really. Some of the projects we've been working on goes back 13, 15 years. And so while it's a new technology, I guess that's your definition of new, for me, it seems like it's been around for a long time. I think what has happened is, you know, there's no such thing as an overnight success and it takes a tremendous amount of work that 10,000 hours that, you know, Malcolm Gladwell writes about. And so we've been working on this and proving it out and building and creating the open source communities like that you have at Hyperledger or the Decentralized Identity Foundation, we have been building standing up learning and moving forward.
(00:36:43):
And now I believe this concept of a verifiable credential is starting to reach more mainstream. Where a year ago at the European Identity and Cloud Conference by Cooping or Cole, there was one afternoon, one track session a week ago, four days, two track sessions for, you know. And so we're seeing that momentum. What it goes back to, why all of a sudden this interest in a verifiable credential after all these years, really I think the interest became the remote world that the pandemic threw us into and we needed to share and exchange data in a verifiable way without necessarily having to call back to the source of that data because we all of a sudden overnight went into a world where we needed to obtain and verify data from all kinds of industries that had never communicated together. For instance, healthcare and travel, great example.
(00:37:44):
There were very few direct integrations already stood up and we couldn't move fast enough because we all have been in that world and not only is it technically complex, let's add the lawyers to it to make it even more complex. And so we couldn't wait on that. And so a verifiable credential was an immediate way that we could start exchanging authoritative, verified data without having to go through the traditional ways that we've been using to share information either through direct integrations or through a federated identity approach. And we can move very rapidly. I think that is what ultimately accelerated the adoption of verifiable credentials cuz one, we saw it works and two, we saw it solved a problem that we hadn't been able to solve elegantly. And three, you know, what it saved or it opened up entirely new revenue streams we could have never imagined.
Louis Maresca (00:38:41):
Yeah, I think the interesting thing here is obviously I hear a lot, I listen to a ton of security talks, identity, identity talks at some of the latest conferences. And I can tell you that a you know, a lot of them talk about the con the current conventional way of authenticating or exchanging information. And I can tell you that they say, Hey, it's expensive or ends up being expensive, it's not very secure. You know, obviously we know that from experience, but from, you know, these, this concept of a of of like a, a centralized or decentralized system and the concept of verifiable credentials, it sounds more expensive to me. Can you convince me otherwise? <Laugh>,
Heather Dahl (00:39:15):
Oh, so much cheaper. <Laugh> the the systems, you're basically taking an agent or a software agent and you're layering that onto your existing systems or you don't even need to have existing systems and that allows you to immediately issue that credential to a holder. A holder can be a person, it can be a thing, it can be a company, it could be a tree, it could be an animal. A holder has what can be called, I like to call it an agent because it's more than a digital wallet, but we'll call it digital wallet cause that's more common. And they actually have the credential themselves. And I can hold all of my credentials in my own device. And so when I go to another party to verify it all they need to verify it can be as simple as a mobile application to be on an iPad. And they can request with my consent to obtain whether it's using selective disclosure in the entire credential and take that data, verify the authenticity of that data using a ledger, and then ingest that data right into their own existing systems. So actually the deployment of these systems are very lightweight and in some of them it's a matter of hours, not a matter of week stays and months for the configuration and installation of these systems. They're very lightweight.
Louis Maresca (00:40:45):
So it's interesting that you mentioned the, the concept of organizations moving to these being lightweight. So I guess I do have a question about that. I'm a, I'm a normal organization and let's say I have 4,000 users and I want to move to a more decentralized way of doing things. What's what's the process I need to follow, whether, let's say I have CRM services that I use and maybe I have some digital data services that I use or, or I have you know, a a data repository or a documented repository. I wanna move all of these to a more centralized, I'm sorry, a, a more sovereign way of doing things. How do I do that? Like what, is it a, is it a hard process? What's the process I would take to get there?
Heather Dahl (00:41:23):
The the first process is what is the data that you're trying to transmit? What is the problem? What is the data that another entity needs to verify, consume? It's important to remember that other entity may be in your org own organizations perhaps to have siloed databases that don't communicate with each other for whatever reason. And it's too expensive to make them communicate with each other. And so maybe you just wanna exchange information from point A to point B in your own organization. What is that? Is it a K y C piece of K Y C on your customer? Know your customer information that you need to get from maybe account opening over into the product for approval for an auto loan. Or is it that you have an outside partner that really needs to confirm that someone is a card holder at your company and therefore they can receive the benefit this partner offers.
(00:42:21):
But they don't want, they want privacy preservation. You don't want your customer order to feel like you're creeping on 'em through their entire life, but you wanna make sure that your partner is really benefiting and providing the value that maybe you're paying that partner to do. And so you're, the first step is identifying what is the information that needs to be exchanged and then going through and saying, okay, I need to add an issue or agent to the database that this information sits, that agent issues the credential, and who is the party that needs to hold that information? Is it myself as a human? Is it a device, a sensor? Is it a business that needs to hold their information and then identifying who needs to receive it. And with that it is adding a verification agent into their system or their mobile devices. And so it's basically deciding what is the flow of information that needs to occur and then picking up the components and basically building on that. You may be in a situation where you have 500,000 verifiers because you determine that every single bricks and mortar shop needs to be able to consume a loyalty card, right? Or you may say no, the auto loan department, they're the ones that need the credentials. I only when verifier, it really depends on, on what the use case is that you're trying to, to solve.
Louis Maresca (00:43:58):
Well, when we come back, I do wanna bring my co-host back in because they have a lot of interesting questions that's happening here in the back channel. So I wanna bring them in. But before we do, we do have think another great sponsor of this week in enterprise tech, and that's Cisco orchestrated by the experts at C D W. Now the helpful people at C D W understand that hybrid work continues to evolve and that your organization must evolve with it to succeed. And with so many options to collaborate remotely, you need a strong and consistent network to empower your workforce and keep them together. Consider a Cisco hybrid work solution designed and managed by the experts at C DW to deliver the same quality network experience to all of your offices, even your satellite ones, connecting your team from pretty much anywhere. Because Cisco networking keeps things flowing smoothly and securely with embedded security compliance and multi-factor authentication that protects collaboration among your spread out team.
(00:44:54):
And with real-time visibility in the distributed applications security user and service performance, you get a better line of sight into how your network is operating and how better to grow your organization. And Cisco networking levels, the playing field, providing access to flexible high-end collaborative experiences to create an inclusive work environment when you need to get more out of your technology, Cisco makes hybrid work possible. CDW makes it powerful. Learn more at cdw.com/cisco and we thank w for their support of this week in enterprise tech. Well folks, we've been talking with Heather doll, c e o of Ndic, c o and we've talked about the sovereign identity scenario, but I do wanna bring my co-hosting because there's obviously a lot of experience from the industry from them. Let's start with Curtis. Curtis.
Curtis Franklin (00:45:45):
Oh, hi. Well, I'm, I, I have to say, looking at your website, listening to you talk, it looks like Ndco is using the same technology that's behind, that's normally called blockchain, a distributed ledger for a purpose that does, has nothing to do with cryptocurrency. Yes. yep. I've been saying for a long time that the best uses for blockchain for distributed ledgers don't involve currencies. I've got to ask, what led you to to think of using a blockchain for identity?
Heather Dahl (00:46:29):
It goes back to the early days of zero trust. I was working on doing research and that led me to talk with John Kinder, who was at Forest to research at the time before he published the first papers that even led to zero Trust. And it was really digging into this idea of you never trust and you always verify what are you verifying against a compromised centralized database. And so that led down the road of how do you decentralize not only data, but how can you decentralize this identity that we're verifying against at the time this concept of blockchain was starting to emerge. It was not a common word that we know today. This was something that we really had to dig into and understand and we realized perhaps that blockchain could actually help decentralize the identities that you verify against.
(00:47:29):
And through twists and turns over the last decade, we were able to say there's a tremendous amount of power and a blockchain and ledger. Basically replacing almost like a phone book is a lookup. Instead of saying, I need to hash everything, data, everything to a chain, or that this is only meant for cryptocurrency, we were saying we're gonna squint the other way. And how can we use this to build and solve problems that enterprises have now that have nothing to do with crypto? And there is a tremendous amount of issues around identity. What's interesting is most companies don't call me looking for an identity solution, nor do they say they have an identity problem. What they do say is, we would like to share an exchange authoritative, verified data because when you bring all the components of the data together, think about it like a quilt. It's the quilt that's the identity. And without the ability to verify the data, you can't create an identity for the end user inside your organization.
Curtis Franklin (00:48:42):
Well, I'm glad you explained it that way because it seems to me that there's nothing in your system that says that this information has to be wrapped up in an IT identity. And it seems to me that, that it could very easily be used in things like food safety in going into various supply chain attestations for how many hands something has passed through. Is that the sort of problem that you're also involved in solving?
Heather Dahl (00:49:18):
Absolutely. Identity is in the eye of the beholder and what information you need to make a decision is based upon the receiver of that information. I could provide you all kinds of things that I would call an identity. Are you going to accept that? It's up to you. And if you notice, that's very much how we operate in the analog world in our daily lives, human to human, it's all based upon relationships and what the digital world has started off as is a transactional place. I exchange this for that. And then this happens without that overlay of relationship and context. And that is what a ledger and a verifiable credential starts bringing is the foundation to not only exchange information, but to build a trusted relationship on top of it. When I started thinking, you could even said to me a few years ago, could you ever cross the border legally using blockchain?
(00:50:24):
And I think that was kind of like the moonshot, right? Like, will I ever see the day that I went across the border using blockchain? And Inic C has worked with C A S I T A who provides technology to the commercial aviation industry. They tie airports and airlines and governments together. And c a has been for over five years, some of the pioneers in this, definitely not for crypto purposes, it's for purposes of helping solve the friction along the travel ribbon. They had a strong view of how do you create a seamless journey using digital technology, but in a way that protects the privacy of the traveler because you're dealing with multiple governments, you're dealing with the freedom of movement and you're dealing with human rights. So how do you do that in a way that preserves the privacy and offers consent of the traveler when their information is being shared?
(00:51:30):
And so in March that dream came true, I legally crossed a border using blockchain for my passport. And that was in the form of a verifiable credential to be really specific. It was in a KO specification, digital travel credential, DTC type one. And we, I was one of the first space monkeys. I was able to take my paper passport in my kitchen the night before I left for Aruba. Don't feel bad for me. And I was able to take that and use my phone and open my passport and take a photo of the page where my picture is. You're really going for that M R Z code at the bottom. I was then able to u take my phone and place it on my passport and with that, open the chip that contains all the data in your passport and ingest that into my phone and then provide consent to make sure that that data was actually from an authoritative US passport.
(00:52:35):
And this doesn't apply to just us passports, any passport with a chip. And then I was able to use in my device with a mobile agent to connect directly with the government of Aruba. And I transmitted with consent, my digital travel credential directly to the government of Aruba. They ingested it and compared to make sure that I was actually allowed to cross the border against their existing list and systems, fortunately they decided I could. And they sent me back a form of a verifiable credential called a trusted Traveler credential. And that was receipt that I'd crossed the border standing there in my kitchen. And so when I go to check in at the airline or I go and I land in Aruba, I have already been approved by the government for that crossing. And I'm not having to pull out my passport 14 different times or three or four or five different times.
(00:53:31):
My passport can stay in my pocket or my case, my purse, and I can continue to move through my seamless journey. There'll be a point in time that as we make this transition to digital and travel, where you'll still need your paper passport with you. But are we moving to a world of passport in a pocket or a tap and go world? Absolutely. It's that seamless travel. But here's what's key is I crossed that border, I went out those e gates in a split amount of time. So from the time I was at my gate and I landed in Aruba at the beach in 30 minutes. Now that is what I call the future of travel right there. And you can also see a world where when you think about all the things you use your passport for beyond travel, you start creating those seamless, trusted relationships through a verifiable credential. And the encrypted peer-to-peer communications channel that's called did come that sets at the Decentralized Identity Foundation.
Brian Chee (00:54:33):
I tell you what, well I'm, I'm going to let it go. We're, I know that we're having a great time, but we're, we've got finite time. So I think I'm gonna pass things over to my co-host Brian to, to take the questions from here. Well first off your 15 year mark on this technology I think is absolutely spot on. So I'm gonna ask Victor to go and pull up an article that I was involved with. It was myself, Oliver Wrist, which the show Curmudgeon and Paul Veia back in 2005. We did it an identity management challenge between Curry and ibm, Microsoft novel's, sun and Thor Technologies. We got a lot of traction but not a lot of adoption. We're not sure, but I just wanted to go and put that out. But did come. Big, big issue. I'm super into iot. And so Victor, let's go to move to the dicom.org webpage and have Heather talk about what is dicom, especially when applied to the IOT world,
Heather Dahl (00:55:48):
Right? DICOM is an encrypted communications protocol. This is an open source project, so anyone listening, you can go become a part, join, participate in the meetings. It is an open community. It is actively growing and I encourage you to join us cuz we need as many brains and thought leaders as we continue to evolve this protocol. But what did come does is it creates that channel in which we can exchange and verify credentials, but we can also exchange and verify relationships. So it's not just the credential, it's the communications, it's the chat, it's the relationship building. So you could see a world where through did come, not only was I able to send my credential and the encryption and the encryption around the credentials also a part of that, but there's a part where maybe I didn't meet the requirements Aruba wanted and I was standing in my home and maybe when it happened, the last time I visited Aruba is maybe I overstayed three days.
(00:56:56):
And they would have the ability to talk with me as government of Aruba to individual private citizen heather doll and say, last time you were on the island, you overstay three days. Can you tell us more about it? And because I know I'm in this encrypted channel and I'm talking to the government and my data's not going through a third party or who knows where, who's going to sit and date mine and watch how many times I overstay on my vacations, I'm able to say, you know what? I got sick. It wasn't good, but I left as soon as I could leave. And they'd say, okay, that falls within our criteria to let you go through. All of this is going on and did come, but it means that my relationship is directly with the government. It brings more trust. I know that what I'm sharing with them falls under their regulation and policy and therefore we have an open channel. Now let's say I leave Aruba and I decide I'm not coming back anytime soon. And I don't have a reason to have an open communication with them. I as private citizen Heather Dahl can then terminate that channel with them. And so they're not necessarily, they're not datamining me tracking me, following me, being creepy on me. Channel is is terminated, but I could reopen it. I wanna go back again and we can reopen it. So that's what the DICOM communication channels do.
Brian Chee (00:58:22):
Yeah, and I'm, I'm gonna point out to our viewers, this isn't federation, right Heather? No,
Heather Dahl (00:58:28):
No, no, no, no, no. Yeah. Cause this federation.
Brian Chee (00:58:31):
Yeah cuz when I was talking to the f d A about a food safety grant they really had a problem with federation cuz they did not want to go through what the State Department did on having to set up huge infrastructure to support in the, in the state department's case. It was a giant PKI I facility. Federation has an awful lot of baggage with it.
Heather Dahl (00:58:55):
Well, the thing is, is what we're seeing in federation is performance scale, but but also the ability to integrate and share information across a variety of parties and use cases. And really what this does is it extends the reach of the vision we had with Federation, but allows it to finally perform its scale. And I should take that, that not investor in Federation, but finally allows you to and verify data and build relationships at scale. That federation, you know, was, was, was good for the time that we were in mm-hmm. <Affirmative>. But there's a whole new world that extends beyond federation and it's pretty powerful with the cost savings and the ability to create new revenue streams because of authoritative verified data that you can make immediate decisions on. And right now we are just, you know, we've had so many years of hoping the data you got was good or was it old or dated or garbage? Who knew? But you did the best you could. This is bringing authoritative fresh data right to the point of decision making. Well
Brian Chee (00:59:58):
Then how about for my last question, do we have hopes of doctors and hospitals ever using this technology?
Heather Dahl (01:00:06):
We absolutely do. In fact if you go to Hyperledger in their lab projects, there's a project called cardia, C A R D E A, open source. Come join us. We meet every other Thursday and it's specifically around the verification of medical information records. And I should say it's not just medical records and health data, it's physician licensing. It's employee workplace. Does someone, is someone allowed to make that decision in a hospital is specifically on healthcare. And in fact C'S first deployment of this technology was for the exchange and with consent of covid test and vaccination records for the purposes of travel without needing a direct integration in, involved in that was the Bronx Rio, who was at such, you know, such a crucial time for them and the pressure put on the h i e system in the us but they stepped up and they saw the future of innovation that this can only help address the pressure they were under at the time. But really open up the future of health exchange and information as well. So come join us at cardea as well.
Louis Maresca (01:01:21):
Well folks, unfortunately time flies when you're having fun. Heather, thank you so much for being here. We're, since we're running low on time though, I do wanna give you a chance to do the pitch, give our audience some information more about Inicio, where they can go, maybe they hit get started.
Heather Dahl (01:01:33):
Yes, absolutely. Inicio is I N D I C io.tech, t e C h. Everything you need to go to get started with verifiable credentials right there. We also have a podcast you can follow us on LinkedIn updated every day with our progress. But join us in the communities, Hyperledger, indie Aries and a non-res are projects you can join up with our team there. Also with Decentralized Identity Foundation did come and DV come join the community cuz that's the best way is to learn together.
Louis Maresca (01:02:07):
Thanks again. Well folks, you have done it again. You set another hour with the Best Staying Enterprise and IT Pro podcast in the universe. Definitely tune your podcast to twi. I wanna make sure I thank everyone who makes this show possible, especially to my co-host. I got the very one, Mr. Curtis Franklin. Curtis, thank you so much for being here. Can you tell the folks at homework people can find you your work and maybe how they can get in touch with you?
Curtis Franklin (01:02:31):
I'm happy to do that, Lou. People can get in touch with me on various social networks on Twitter. I'm at KG four GWA on Mastodon KG four gwa@mastodon.sdf.org g I'm also on LinkedIn, Curtis Franklin. Please feel free to get in touch with me and direct message me on any of those as well be looking for a new piece from me on dark reading this coming week. Gonna be talking about several things. I've got a couple articles coming up about training, about risk and about the link between the two. So would love it if you check that out. I'll let you know on the social media as soon as they're up and available.
Louis Maresca (01:03:27):
Fantastic. Thank you Curtis again for being here. We also have to thank your Veryo and Mr. Brian Chi Sheer. Great seeing you as always. Thank you for being here. Can you tell the folks at home where they could find you in the coming weeks? Where could they get in touch with you?
Brian Chee (01:03:39):
I'm still stuck in Twitter. I'm a D V N E T L A B Advanced Net Lab. Mastodon and I have not really clicked yet. We'll see. But you're also welcome to drop me a line. I am scheiber, spelled C H E E B E R T TWIT tv and you're also welcome to use twit twit tv and that'll allow you to throw emails at all the host all at once. Now I do have one last question for Heather. What's the bird's name?
Heather Dahl (01:04:16):
Maggie.
Brian Chee (01:04:18):
Ah,
Heather Dahl (01:04:18):
Maggie. Yes. She is clearly a fan of your show. If you heard phone ringing or some knocking or maybe a few yas. That's an African gray parrot who's 28 years old and she clearly enjoyed your show. So
Brian Chee (01:04:35):
Yeah, I still remember going up to Amazon and seeing a salt lick and seeing thousands of Mcca take flight. That was really stunning.
Heather Dahl (01:04:46):
Yeah, she's some, she's very sassy <laugh>.
Brian Chee (01:04:50):
Anyway, thanks so much for being on the show.
Heather Dahl (01:04:53):
Thank you so much for having me and Maggie <laugh>.
Louis Maresca (01:04:58):
Well folks, we have to thank you as well. You're the person who drops in each and every week to watch it, to listen to our show, to get your enterprise goodness. And we wanna make it easy for you to watch and to listen to catch up on your enterprise on IT news. So go to our show page right now, tweet that tv slash twi. There you will find all the amazing back episodes that we have, the show notes, the cos information, the guest information, of course the links that we do during the show, but more importantly right there next to those videos. Or you'll actually get those helpful. Subscribe and download links. Get your audio version or your video version of your choice or listen on any one of your devices or any one of your podcast applications cuz we're on all of 'em. So definitely support the show by getting your or subscribing to the show.
(01:05:43):
So please do that and support us there. Plus you could also support the show by getting club TWI as well. It's a members-only ad free podcast service with a bonna TWIT plus feed the really can't get anywhere else and it's only $7 a month. That's right. There's a lot of great things about Club Twit. One of them is actually access to the members only Discord server. Really great server. You can chat with host, you can chat with producers, you can have a ton of separate discussions and all the amazing channels that are on there. Plus they also have special events that that only happened there. So definitely check that out. Definitely support our shows and join Club Twit and be part of the movement. Go to TWIT tv slash club twit. Now, club Twit also offers corporate group plans as well. That's right. You can share it with your entire team where you can share all of our ad free tech with them and the plans start with five members at a discounted rate of $6 each per month.
(01:06:36):
You can add as many seats as you like there. It's really a great way for all of your teams, whether it's IT departments or sales teams or whatnot, to get in touch and, and, and view and listen to all of our podcasts. Plus just like regular memberships out there, they can join the TWIT discord server as well as the TWIT plus bonus feed as well. So definitely have them join and be part of that. Plus also get this, your family and your friends can be part of the FAM family plan. That's right, it's a $12 a month plan. You get two seats with that and then just $6 for each additional seat and they get all the advantages of the single plan as well. So you have a ton of options here. Please join Club twit, be part of that movement, be part of the fun, and of course get access to all of our podcasts, TWIT tv slash club twit.
(01:07:16):
Now after you subscribe, I want you to impress your friends, your family members, and your coworkers with the gift of Twit. Cuz we, we have a lot of fun on this show. We talk about a lot of fun tech topics on it and I guarantee they will find it fun and interesting as well. So definitely show share twit with them. Now, if, if you've already subscribed and you're available right now, Friday's 1:30 PM Pacific Time. That's right, we do the show live. Go to live twit tv there. You'll find all the stream options you can choose from. Come see how the pizza's made, all the banter, all the behind the scenes, all the fun stuff before and after the show. Watch the show live and be part of that fun as well. Now, if you were gonna watch the show live, you gotta also maybe check out our IRC channel as well.
(01:07:55):
We have a famous or infamous IRC channel channel. You can check out it's go to irc dot twit, do TV that you'll jump in the TWIT live channel right away and see all the amazing characters in there. And in fact, they gave give us each and every week they, they send us on a ride of all the fun show titles that we have each week. A lot of fun funds. I giggle a lot in there. So thank you guys for being there and supporting the show and being part of that. Well, I definitely want you to hit me up. I want to contact me, go to twitter.com/lu. I'm there, I post, post all my enterprise tidbits plus I, I'm, I accept direct messages there. So please hit me up there. Of course, I'm on Ma on Lu, I'm at twitch.social, so you could hit me up there as well.
(01:08:32):
I'm starting to get more volume on there, so please hit me up there. Of course, I'm Louis maka on linkedin.com as well, so I have a lot of great conversations with with IT professionals and people in the field there. And of course I get show ideas and show show concepts there. So please hit me up there where wherever you can because I love to hear your show ideas. And if you want to hear what I do during my nor normal work week at Microsoft, please go to developers microsoft.com/office. There we post all the amazing great ways you can customize your office suite to be more productive for you. But also, if you have M 65, go open Excel right now. Go to the automate tab, see that Automate it's new. I've had seen it before. Go check that out because that's where I live.
(01:09:15):
That's my wheelhouse. It allows you to record macros of things that you do on your sheets and run them in power, automate whether it's unintended or live right there on the sheet. And you can also edit the scripts and JavaScript and, and make them more customizable for you. So definitely check that out at developers.microsoft.com/office. I want to thank everyone who makes this show possible, especially to Leo and Lisa. They continue to support this week in enterprise tech each and every week and we couldn't do the show without them. So thank you for their support all each and every week. Of course, I also thank all the engineers and staff at TWIT as well. And of course I also wanna thank Mr. Brian Chi one more time because he is not only our co-host here, but he's also our tireless producer. That's right. He does all the show bookings and the plannings before the show and we really couldn't do the show without hims.
(01:10:00):
Thank you Chiefer again for all your support. And of course, before we sign out, we have thank an editor for today because they make us look good after the fact. They cut out all of my mistakes. Thank you so much for doing that, <laugh>, and of course our TD for today. Mr. Victor. Victor, thank you all so much for your support and of course the smooth transitions that you've done during the show. So I appreciate all your support and until next time, I'm Lewis Mareka. Just reminding you, if you want to know what's going on in the enterprise, just keep quiet.
Ant Pruitt (01:10:30):
Hey, what's going on everybody? I am Aunt Pruitt and I am the host of Hands-On Photography here on TWI tv. I know you got yourself a fancy smartphone, you got yourself a fancy camera, but your pictures are still lacking. Can't quite figure out what the heck shutter speed means. Watch my show. I got you covered. Wanna know more about just the I I S O and exposure triangle in general. Yeah, I got you covered. Or if you got all of that down, you want to get into lighting, you know, making things look better by changing the lights around you. I got you covered on that too. So check us out each and every Thursday here on the network with a twit tv slash hop and subscribe today
