The Cybersecurity Bridge
theCUBEresearch principal Cybersecurity analyst Jon Oltsik hosts the newest SiliconANGLE podcast focusing on bridging the gap between Cybersecurity and all other parts of tech
The Cybersecurity Bridge
Karim Toubba, LastPass
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Karim Toubba, CEO of LastPass joins theCUBE Research analyst Jon Oltsik for the latest episode of The Cybersecurity Bridge
Hello everyone and welcome to another episode of my podcast, The Cybersecurity Bridge. I'm John Oltsic, analyst at large at theCUBE, cybersecurity industry activist and everything. If you haven't ever watched my podcast, I you're hiding under a rock. I don't know what you're doing. You're missing out. But I'll describe what I do here. Each episode we talk about a particular area of cybersecurity. Each episode starts with uh the first section where we talk about the present of that area of cybersecurity. The second section we talk about the future of that area of cybersecurity. And the third is the cybersecurity bridge. And I've got a great guest. Old friend, great guest, building forever, Kareem Tuba, CEO of LastPass. Welcome, Kareem. Introduce yourself to my audience.
SPEAKER_00Hey, hi, John. How are you? Good to see you again, as always. Um so yeah, uh Kareem Tuba. I am the, as John mentioned, uh CEO of LastPass. Uh, been on this journey for a little over four years now. Uh, been in cyber, John, as you know, more years than I care to admit, uh, probably going on a little just over three decades now. Uh started uh started way, way back uh in the networking uh space in the mid-90s and kind of came up like many of us did either through the networking or the sysadmin ranks into the cyberspace before cyber was was kind of a big thing. Um, and uh spanned a variety of uh public and private companies um focusing on network security, uh encryption. And most recently, prior to LastPass, uh I was CEO of Kenne Security, which helped really kind of usher in the risk-based vulnerability management world using uh kind of a precursor to AI, uh, which was kind of deep machine learning capabilities to help organization uh prioritize and drive prioritize remediation and reduce risk. So it's a little bit uh a little bit about me.
SPEAKER_01Great. And we're going to talk about LastPass, we're going to talk about identity and access management, we're going to talk about AI. But before we do, Kareem, are you ready to play cybersecurity trivia? I am ready. Let's go. All right. So I try to tailor the questions to my guests, and this one is who is known as the father of computer passwords? Was it A, Alan Turing, B, John McCarthy, three, Fernando Corbato, four, Maurice Wilkes, or five, Robert Fano. I'm gonna say four. Four, Maurice Wilkes. I like to do that sound, as you can check. No, I mean it was this is a really hard one, an esoteric one. Um, I'm I like the history of our industry, so I I didn't know who it was. I knew where it came from. The answer was Fernando Corbato. And he led the development of the CTSS, which stands for compatible time sharing system and MIT. And it happened in 1961. So live and learn, Korean. Live and learn. Now you now you can ask other people that question. But uh let's let's start. So identity and access management, I always start with a general question. What's the status of that? So answer that question, but also put a particular spin on the small to medium-sized enterprise, small to medium-sized business market where you tend to specialize.
SPEAKER_00Yeah, yeah. So look, I mean, identity and access management uh is something that's obviously been around uh for some time and it's got some core components to it, right? Uh it's uh usually starts with an identity platform or an IDP that gives you the capability to really kind of marry policy along with the attributes of all the users that are within that directory structure and then layer in all the authentication policies on top of that, uh, whether people are using single sign-on, whether people are using multi-factor authentication. Um, and it's a space that has been around for quite some time and candidly hasn't seen a lot of change uh up until probably a little while ago when we started to usher in new modes like pass keys uh to really help facilitate and uh uh uh reduce the friction um that uh organizations have relative to uh how they authenticate into uh into systems. So something that's kind of been tried true and tested for a while uh with a little bit of innovation, I would say, kind of around the fringes. Obviously, with the modern day uh uh AI coming upon us, with all the AI work that's been uh that that is being done, there's opportunities to drive kind of a renewed level of innovation, not just for users, but uh ultimately for authentication of agents, which is an area many people are kind of focused on. Uh, but it does serve as the core backbone to the various aspects of uh businesses uh because it really is uh tied to the policy construct that is just so fundamental to uh driving an overall security policy. It's also important to remember that if you look at any kind of retroactive reports on an annual basis, the Verizon DBIR, the data breach insert report, is kind of still kind of tends to be somewhat the gold standard that people look at. Uh identity and identity-related thefts and credentials continue to bubble up to one of the top issues. So it means that organizations still have a lot of work and hygiene to do in that particular um in that particular area. As it relates to SMB and mid-market and candidly, even enterprise, um, it is surprising sometimes uh the the amount of work that still needs to be done in and around identity access management. Um, we see this all the time at customers where we see areas where they're extremely buttoned up from an identity perspective. They've got strong authentication uh capabilities, uh including SSO and MSA. Uh they're leveraging pass keys for critical applications wherever they can. They've got strong policy enforcement and identity detection capabilities, but they typically do it for their more privileged users first. Um, and then, you know, if you think about concentric circles, if you will, at the core where the privileged users are, they're typically buttoned up. But as you go out from that radius, it tends to get more and more loose. And obviously today, so many people are accessing so many different applications and data sets that it becomes really paramount uh to really make much more meaningful investments in the area.
SPEAKER_01Well, let me go back to something you said about uh the lack of innovation or lack of change in in identity and access management. So when I was an analyst, we used to say it's the it's the area that everyone owns and no one owns. And there was a certain amount of intransigence in that it's just so hard to change because um you have different identity systems, different directories, things like that. Has that changed? Has security become more of a driver in uh securing or building a modern identity infrastructure?
SPEAKER_00Yeah, I mean, look, one thing that we we do see, and again, this is across the board from small to medium-sized businesses all the way up to enterprises, is that people, by and large, at this particular point in time, have really uh settled on a core set of infrastructure capabilities. And a lot of that is kind of rooted in the core identity providers, the sort of the, you know, what people will know and refer refer to as an IDP. Uh, so that will be something like um an Okta or um or a Microsoft uh uh intra ID. And that is great because it does give you kind of like a centralized sort of point of control uh where you have all of your users, you have your associated policies, and oftentimes you have authentication structures that are uh associated with that. Um and it also serves as the framework for the policy that you roll out within the organization. So, from foundational perspective, I think I would say over the last, you know, probably decade, um many organizations have have have really kind of uh settled, implemented a core set of infrastructure technologies. Uh for organizations uh that are a little bit larger, more mature, mid-sized markets, up to upwards of enterprises, uh, we have seen identity teams. So we do see teams within security, as you know, they're often segmented uh across uh kind of different domains that they own. You'll have an endpoint security team, a network security team, um, and uh a core identity infrastructure is certainly a part of that. But I think uh candidly, one of the things that has ushered that in are companies like Microsoft that have done a pretty good job packaging their software uh licenses in such a way that um entra ID becomes such a core part of their licensing model and the associated attributes. And I think that has helped organizations adopt a minimal baseline, if you will.
SPEAKER_01Yeah, I'm seeing that too. And so let me let me ask you this. Um I did speak to someone with uh from Microsoft at RSA, and they said, well, we don't have passwords anymore, we just log on using pass keys. And that seems like a uh attractive future for organizations, but it's not so easy. You know, Microsoft's a big company, they have things that they can do. So, where are we in that transition from passwords to pass keys? What are the holdups there and what's driving any change?
SPEAKER_00Yeah, okay. So if you backed up, you got to remember that implementation of pass keys is both a client and a server side or an application side implementation. So it is important to understand that because the way um implementation of pass keys work uh is that you have to have a server-side change um to enable the support of both the creation of the pass key itself, but also um uh the uh subsequent authentication piece. And so as a result, um there is a fair bit of work that has to be done, right? This is kind of not too dissimilar from various technologies that had to be implemented both on the server side and also on the client side. So when vendors like ourselves and others tout support for pass keys, it's not that simple. Um, it means that we actually support uh passkey storage, passkey creation, and passkey support within the client side for authentication. But then what we're using it to pass into has to support the pass key infrastructure as well. So oftentimes that's to hold up. And of course, not every application supports pass keys. Um, you know, by the way, this is not too dissimilar to what we saw with SAML, right? Uh for single sign-on. And here we are, I don't know, what is it, 12, 13, 14, maybe as close as 15 years from the original SAML 1.0 specification and rollout. And here we are, and we see applications all the time that don't fully support SAML, partly because of economic reasons, partly because of technical reasons, partly because of of reasons uh related to the application providers themselves. Um, and so, like every transition in technology, we believe this is a multi-year transition. I think the way we tend to view it is that we tend to look at it through the lens of we will have a period of time probably over the course of the next five plus years where users will actually be using both pass keys and passwords. And what you want to do is, uh especially in the world uh we're in uh today on the password management side, is you want to create vaults that can support both. And the user should be no worse for the where. Once they log into the vault, they really shouldn't care whether they're passing a username and a password or they're passing a pass key to authenticate to their favorite application.
SPEAKER_01Yeah, certainly. We want to make it frictionless for the users. And double shouldn't have we've been saying that for a long time. Um I so I'd be remiss if I didn't ask you uh specifically about LastPass, because I think there's an impression that you that LastPass is a password management tool, which it is, but uh as we put it in the context, broader context of identity and access management and cybersecurity, there's a lot more that you do. And we talked about this at RSA, but give me a little bit more of a flavor of of what you're doing for users and why they're looking for you to do that.
SPEAKER_00Yeah, yeah. So yeah, I mean, so look, I mean, the history and legacy of the company is clearly password management. Um, and the the, you know, by by way of background, so I've been with the company uh a little over four years now. Um, and uh, you know, the company originally started in the password management space. Um, and about two years ago, I think we kind of got to the point where we really wanted to take a look at what we could do to kind of broaden and more importantly leverage the privilege of the footprint that we have, which is originally deployed as an extension in the browser. And one of the became one of the things that became very clear to us that was super interesting is that we have a um a uh a footprint that allows us to effectively see all the web traffic within the browser. And we do something called parsing the DOM, which is the technology, the underlying implementation of our technology that allows us to do the autofill uh within the browser. And so that gives us the capability to see all the web traffic. And so we looked at that and we said, wow, there's some really interesting applications of what we could do with no additional deployment of a footprint. So the first thing we did is we we actually leveraged that extension uh to build full visibility into the applications that are being used within the browser, uh, most notably and initially about a year and a half ago, SaaS applications. So without deploying any additional capability, uh the product we launched uh just about a year ago now back then had given you full visibility into every single application that a user is using in the browser. But more importantly, because we parse that DOM, we can actually link the application and not just tell you what application we're using, but we can actually tie it to the authentication mode. We can tell you some really important pieces of information. Who's the user? What uh credentials are they using to log in, meaning what email, uh, what account? Um, are they using single sign-on? Are they using MFA? Are they using a username and password? Are they using pass case? And furthermore, we can tell you if they are using usernames and passwords, are they vaulted? And is that vaulted credential corresponding to the policy that you have? That policy being something like um, you know, randomness, strength, length of the characters within the password that conforms with your acceptable use policy of password creation. And so there's a lot of policy construct and visibility that you can get out of that without having to pipe all that data back to a sim and kind of tie the session of the connection to the actual credential and the actual user session to understand what credential they're actually applying. Now, of course, fast forward to today, and we've developed a couple of um really notable additional capabilities, because again, we live in the browser, we now have the full capability to warn and block users based on the policy. So now if John Olstick is working for an organization that uses um Monday.com uh as um as uh uh uh uh your program management application, um he can then log in. But then if you if John swipes his credit card and wants to start an account with Right, we can pop up a message in the browser that basically says, hey, wait a minute. Um you we're actually Monday.com users. Click here to access your Monday.com account and it'll redirect you to your single sign-on to keep you in line. We can just warn you, we can even block you entirely. And then, of course, with the advent of what we're doing today, we've extended that model to AI applications within the browser, which is really important because now we can give you visibility into what AI applications um uh you're actually using and shortly will be giving you give you the capability to understand what you're actually doing with the AI app. Are you simply prompting? Are you actually cut and pasting data in there? Are you using a personal account to log in or using a corporate account? All of which really kind of help you define the boundaries of the policy of AI access within an organization.
SPEAKER_01I'm glad you mentioned me because I've been known as a malicious insider. So uh let's move on to the future. And so we haven't talked about non-human identities, which are booming, booming. Crazy. Um, what are you seeing there? And um what are you doing about it?
SPEAKER_00Yeah, yeah. Well, look, I mean, um non-human identities are um are certainly uh what a lot of organizations are talking about. I think the I think the interesting piece um is to kind of it's it's good to kind of calibrate what we mean by agentic identities, um, uh because that's really kind of the the basis and the core of the discussion. And the reason that's important is because, you know, there are there are things, and I'll give you a couple of examples. There are things where people are using um agents where they're um they're effectively interpreting what the user wants to do, which is a very different agentic ID, uh, identity and authentication construct than if somebody's deploying their own agents, which are then deploying more agents, i.e. known as agentic swarm. So the use cases for each of those, the security risks for each of those, the policies for each of those are vastly, vastly different. But um, you know, what I prompt, we'll use anthropic, uh, which is which is what we use internally here at LastPass, but we'll use we'll use Claude as an example. So I can prompt Claude very simply. There's no agentic interface that that that is uh uh uh invoked in that. But when I start to um engage with prompt and let's say co-work and uh a Claude then has an agentic uh framework, if you will, or will do agentic work on my behalf per the definition of an agent, where they will reach out to everything from the web to various different data sources to get data on my end and give me an interpretation. So there's already kind of like agentic capabilities that are assuming the role of the user that are built into the uh LLM application models that we use today. Further to that, um, there is an entire identity construct related to uh agents that are um actually being built either by third parties. So, you know, the ServiceNow uh agent uh capabilities, uh agent force is another example. Um, and then of course, uh people that are developing agents within the organization themselves to automate some of the things that they may have initially done from a prompting or skills perspective that are moving aggressively into the agentic world. Each of those cases um, in many ways, requires that organizations are ultimately able to answer three fundamental questions. And here's the irony the the the questions that are to be answered are kind of identical to what we've talked about in the uh human identity world, with obviously some very, very different variations on how you implement, but it's basically who, what, and how, right? Who is the user that is accessing the data and what account are they using? Um uh what application and model are they accessing and what form, right? Is it through an MCP server or is it direct access to the data? And what are they doing with it, right? What are they, what, what data are they actually accessing? We have that model today for in the AI world uh for users. And what we're doing specifically is we're doing a lot of work now to uh extend our APIs and CLIs, which form the foundation of the uh agenda construct, so that we can use the vault that we already have from an interface and an API perspective to temporarily inject uh the appropriate credential on behalf of the user proxied by an agent so that they can get access to a particular uh piece of data when a user either spawns an agent or when an agent is launched on behalf of the user to do work. Now, furthermore, there will be more work done beyond that because if you look at uh agentic swarms, that's an entirely different structure because in that model, uh, you really don't have attribution that's typically tied back to an individual user because an agent is attempting to achieve a task and it makes it has the authority and makes the decision to actually uh enable additional agents to then go do work on behalf of the of the parent agent. And it's that structure that requires the same fundamental questions to be asked, which is what agent is accessing the data? How are they? Accessing it and what are they doing with the data themselves? And aggregating that to provide control and visibility is really kind of the core of what many of us are working on in the industry as a whole.
SPEAKER_01Yes. And it's uh it's dicey. It's dicey. Very quickly. It is. I'm I'm glad to hear that you have a handle on that.
SPEAKER_00So let me take you in a different direction though, because we're talking about the by the way, John, real quick, I don't think anybody has a hand. I'll be honest, I don't think anybody has a handle on it. I mean, I think it just yeah, it's just kind of a it's just a kind of a sign of the times. I mean, you you and I have known each other long enough to be good to to understand, you know, kind of the trials and tribulations and the changes within the security industry. But but the truth is, I have never seen this pace of implementation uh and change ever in 30 years. I mean, it's staggering to me how quickly uh we, ourselves included, are moving to adopt a set of capabilities and technologies. And it's kind of like you're speeding down the road of the car, and there's a crew ahead of you that's kind of building, laying the next brick so that you can continue on your journey. That's what it feels like almost on a daily basis. Um, there are things that are happening like uh uh open AI um and and uh anthropic uh joining a FIDO alliance from an uh from an authentic uh uh authentication perspective, I think is extremely important because in many ways they hold the underlying infrastructure that is going to enable some of the things. But then also all of us that are part of that will uh are having kind of like these deeper conversations about how to enable the capabilities with the right interfaces, how to make it uniform, how to make it scalable, how to make it secure, and most importantly, how to make it implementable. Because one of the biggest things that I see people struggling with is there's so much pent-up demand and there's so fear, so much fear about missing out about the productivity and the advancements of artificial intelligence. Uh so everybody's all in. Uh, but when when it comes to implementation of AI and also implementation of secure AI, that's where I think people are um people are really kind of struggling sometimes, right? And uh I don't think there's a single exception to that rule.
SPEAKER_01No, I tend to agree. I've I've never seen things move as fast as they are. Things are moving so fast that we're not sure what's coming next. And as security professionals, that's we have to know what's coming next so we can do threat modeling and put the right controls and and guardrails in place. So I totally agree with you. Um, we were having a great discussion, but we're we're the clock is burning. So I'm I'm gonna move right to uh the cybersecurity bridge, or so how we get from here to there. So one of the things is um how about insurance and and um and regulation. So are are are the regulators, are the insurance companies going to push changes in IAM that maybe have been a little bit we've been a little bit slow on um because they want to manage risk a little bit more tightly.
SPEAKER_00Yeah, I don't know. I've been holding I've been holding out for years, and it still hasn't happened. Um, you know, I mean, you know, go back to the PCI DSS days, if you remember those days, right? Uh oh my goodness, that was probably uh 20 years ago now, where there was a big push. And I I don't see it uh candidly. Um I think that there are some regulations um that are um that are worthwhile pursuing, but I don't see any meaningful regulations that are gonna pop up that are uniformly applicable. I think there's some regional ones um that uh governments are putting into place um that I think uh, or or vertical ones that have been in place for a while. Um but unless you're in a heavily, heavily regulated industry, as you know, uh like banking, uh I I don't I don't really see something uh that's going to be put in place that is uh that is mandatory. I think that there'll be some regular guidelines and uh and I continue to see variations of adoption of those guidelines, unless you're in an extremely regulated industry.
SPEAKER_01So pessimistic there, and I mainly understand. We've been around the block a few times. I I totally agree. Um there's this to me, there's this uh in these um competing initiatives or competing trends. So one is with AI, um, we're going to have much better knowledge. We can make real-time decisions for instance just-in-time authentication or make those changes. But those have to be guided by governance and policy. So, how do we balance those two? How do we make sure that just because we can do something that we use it to our advantage rather than, I mean, I've seen this for years, people just who needs access to this? Well, I'm not going to go through that check, check, check, check, check. How do we do that? How do we balance those two areas?
SPEAKER_00Yeah, it's a great question. Um, I was talking to somebody a couple of weeks ago, and uh one of the things I was kind of describing was I've never been in a situation where we're going through the same thing our customers are going through, which is adopting AI um at a rapid clip, um, but also doing so in such a way that um that actually makes um uh makes it secure, right? Um and so the the recommendation I always give customers was if you can start with policy first, great. But more often than not, we don't see that, right? We see so much bent-up demand for AI utilization in this particular case, uh, given what we talked about earlier, that um policies are typically structured afterwards, because it's hard. It's hard to understand what to implement unless you have a very clear AUP or an acceptable usage policy within the organization that then creates the appropriate guardrails for what people are implementing. Um, so the recommendation um we make um more often than not is if you can't start with policy first, take a minute, step back, um, define, quickly define a clear policy, and then that will give you the guardrails to really basically understand what you should be giving access to to whom from a data structure perspective. Look, there are there are things that um have a lot of structure around them, particularly within AI. Uh, when we implemented skills through an MCP uh server, uh it was our it was a first opportunity for us to really kind of step back and say, okay, how do we want to enable uh access to data when we're going through a proxy layer? Um, and how do we want to do it that aligns uh with the policy? And only when did we only when we implemented that did we get a better understanding of what the real security risks are.
SPEAKER_01And I'm sure you'll appreciate this too, uh, because of our law and just great experiences here. But um, what I typically see is the first thing people say is just give me visibility. I need I can't make decisions unless I have the data. And I can't have, I can't, if I don't have the data and the visibility, um, then I'm flying blind. Are your customers saying that to you? Are they saying, give me the visibility? And then do they see things that they're either unaware of or maybe even um alarmed by?
SPEAKER_00Yeah, that's actually the biggest use case of our deployment uh within Bizmax, which is our our offering on the um on the AI visibility and control side. Um, because you, I mean, look, what's what's one thing that's been true for every forever in security? You can't protect what you can't see, right? And you certainly can't model and understand the threat landscape with what you can't see. Um, and so with AI, even more than SaaS applications, um, there's so many different ways that people are leveraging AI now, right? There's uh you can leverage AI through an application in the browser, you can leverage AI as an extension uh because there are different modes of of deployment. You can now leverage AI as an application. It's amazing with all the push to SaaS that we're now seeing a kind of like a not a huge pendulum swing, but a swing nonetheless back to a tick client on the app on the desktop, uh, you know, both uh uh uh for you know things like cowork and other applications. Um, and so getting that visibility right up front is probably for us the biggest use case that people have, because only then can they begin to understand how big or little the problem is, and only then can they begin to understand how they apply a policy based on utilization.
SPEAKER_01Yes, and in this world, it's not visibility alone, it's continuous visibility and then continuous risk management or back to your old company, risk scoring, where something new is happening, a new agent is is spun up or a swarm presents itself. Uh, what's it doing? Where you know, where's my risk has to come into play? That's right. That's right. Well, Kareem, we've been talking for a while, but uh time is uh not on our side. But let me ask you, so I asked this question of all my guests, and it's my final question, and that is um, if you had to give a piece of advice to um companies out there in the identity space, in the AI or the non-human identity space, I I mean it's you have freedom to say whatever you want here, but what's what's that advice or those pieces of advice and and make it for CISOs for cybersecurity professionals, what have you?
SPEAKER_00Good question. Um I would say the advice is drawn from our implementation and deployment. Um and uh what I would say especially about the cross-section of the adoption of AI and security is be incredibly clear um about the goal of AI adoption and the associated uh security implications. I think um one of the biggest things that I see when I talk to customers is that there's so much demand and hype around artificial intelligence that people are rushing in and with without a clear understanding and view of what it is that they're trying to achieve. Are they attempting to build products faster and drive better outcomes for their customers if they're in the technology space? Are they trying to drive better customer experiences? Are they trying to drive growth? Are they attempting to reduce the bottom line? Um, because my biggest concern um that that I have, and which is why I give this advice, and this is kind of born from our experience of implementing AI over the last, I would say, nine months or so, is that um organizations are running in running into this so fast that um they're they're because they don't want to miss out, that would clearly define what they're attempting to achieve.
SPEAKER_01Yes, it's that's sound advice. I'm seeing the same thing. Um we're chasing opportunities. Uh and we're not, yeah, we we don't have a clear visibility there. The other thing I'd say, and and I'm I lied. This is if you could make your answer um kind of brief here, but there's this whole notion of uh identity as the new control plane. And I think that users really have to have a strong understanding of what that means or what that means in their environment. Um, because I think if you don't know, if you haven't answered those questions, then it's then it's rhetoric. It's really nothing, it doesn't, it's meaningless. Um, so how would you respond to that?
SPEAKER_00Yeah, I mean, look, I would agree for users, but the the the reality is we're stepping in a world where you're gonna have lots of users assisted by many agents, right? That's clear. And so um the the the interesting question that I think still needs to be answered collectively as an industry, um, is what does that mean in the what what is the corollary to that in the agentic world, right? And that's gonna be driven through APIs and policies um and and elements of infrastructure and across the ecosystem and not the sort of traditional um things that we would do with users, right? I mean, clearly we're gonna step into an era, whether it's a month away or you know, 20 months away, where you're gonna have many more agents within an organization that you have employees.
SPEAKER_01Very true. Yeah. And when that happens, I'll have you back on the podcast and we'll review what we said. And maybe we were right. Hopefully we're right, but maybe we can talk about what we're wrong. We'll see. But uh Kareem, old buddy old pal, thanks for participating and uh being a guest on my podcast.
SPEAKER_00All right, good to see you as always, John. Thank you.
SPEAKER_01Good to see you too. Will I see you at Black Hat if I go? Uh, I will not be there this year, no. Okay. Well, Las Vegas will certainly miss you. But uh, for my audience, thanks for watching the Cybersecurity Bridge podcast and see you again in a couple of weeks.