Ever wondered how a NASDAQ-listed company navigates the murky waters of cybersecurity? Join us on Identity Radicals with the CISO at Axon Enterprise, Jenner Holden, who pulls back the curtain on their operations and innovative security programs. One such program, which awards physical swords to employees, has successfully gamified the process of security awareness. Jenner also opens up about his involvement in the AZ Cyber Initiative, a program empowering high school students to kickstart their careers in cybersecurity.
Holden enlightens us on the importance of security reviews and access control processes – the unsung heroes in the fight against security threats. We unravel the complexities of automating provisioning and de-provisioning processes and shine a light on the hidden risks that linger even after an employee departs. Tune in as we delve into the art and science of detecting unusual activities and bolstering resilience to contain potential threats.
We also venture into the labyrinth of compliance frameworks such as Sarbanes-Oxley, SOC 2, GDPR, and FedRAMP. We discuss the challenges of data sovereignty for international clients and the intricacies of securing service accounts. Jenner shares intriguing tales of unusual security threats, including police impersonators trying to buy Axon gear. We conclude by emphasizing the crucial role that resilience plays in cybersecurity and the importance of promoting careers in this field.
Identity Radicals is sponsored by Veza, the Identity Security Company. Learn more about Veza by checking out:
Or, schedule a demo with our identity security experts to learn how Veza's Access Control Platform can lead your organization to least privilege.
Jenner: [00:00:00] If you have a lot of people with a lot of privileged access, that's actually an indicator of just general broken IT operations. It's showing me that there's other things in the business that aren't right. Therefore, we have to band aid it by having people with deep access that can go manually fix things.
Announcer: Welcome to Identity Radicals, conversations with cybersecurity experts. The podcast that gives you exclusive access to the latest insights and strategies in the world of ever-evolving identity threats. Brought to you by Veza. And now, here's your host, Jason Garut.
Jason: Welcome to Identity Radicals. The show where I have candid conversations with today's leaders on the front lines of cybersecurity.
My name is Jason Garut. I am the CMO of Veza, the identity security company, headquartered right here in Silicon Valley. With me today is a special guest. This is Jenner Holden. Jenner has been the CISO at Axon Enterprise for almost six [00:01:00] years. You may know his company, Axon, as the company that sells the Taser, but they have a broader portfolio of technologies as well, including things for military, law enforcement, and civilian use, including body cameras and Evidence.com, a cloud-based digital platform for uploading evidence. Welcome to the show. We're glad you're here. Appreciate it. Thanks for having me. I wanted to also bring up that you are not just a CISO, but you're a board member of a nonprofit called the AZ Cyber Initiative, which is a program that encourages high school students to pursue careers in cybersecurity.
It sounds like a really good cause, and I want to make sure that we reserve some time to talk about that on our, in our time together today.
Jenner: Absolutely. Yeah, that's been a, it's been a really good experience for me. I'd love to talk more about that at the end, for sure.
Jason: For people that don't know your company, Axon, uh, which is a NASDAQ listed company.
So this is a sizable enterprise. Give us a sense for the scale of operations.
Jenner: Yeah. [00:02:00] So as you mentioned, I've been, I've been at Axon quite a while, uh, building the security program and then the CISO since I started here. Um, Axon's now 3,500 people strong. It's been a public company for many, many years. Uh, a lot of the products that we make, people would recognize, uh, if you go look at any body cam videos out there on YouTube or on the news, uh, the Axon logo will be in the corner.
Uh, chances are that body cam video came from Axon, so we're the, the global leader in body-worn camera video, uh, for law enforcement. Also the, our flagship products, the Taser, right? So everyone is familiar with the, the, uh, electrical non-lethal weapon, the Taser. Law enforcement's been using that again for many, many years.
So those are the two flagship products, but along with it, there's a pretty wide ecosystem that comes with it. Everything from mobile applications, desktop, server, uh, other camera systems like in car cameras or fixed cameras. Um, as well as global scale cloud computing. So all that, all that video and data has to go somewhere.
[00:03:00] Managing it on prem doesn't make any sense anymore. So we have a massively large cloud footprint to help our customers manage all that data.
Jason: Any counts for like how many applications you're talking about? I know you have a lot of Azure services too.
Jenner: Yeah, I mean, I don't have the specific numbers, but like the amount of video under management is in the, in the petabytes per month.
Right, so there's multiple petabytes per month being uploaded. So it's a lot of video globally, uh, hundreds of thousands of cameras. You know, uh, there's hundreds of thousands of officers around the world using, using our equipment. Um, from a security standpoint, the security team is over 50 people at this point, right?
So we've got all the functions you might expect from, you know, enterprise security, IAM, which we're going to talk a lot about today, uh, products, product security engineering. General security engineering, security operations, full 24/7 SOC, all the good stuff going on.
Jason: Do you have a governance and regulatory compliance kind of stuff too in that team?
We do.
Jenner: I have a pretty large GRC function, which we call the [00:04:00] trust team, uh, as our, as we talked about, our customers are government, so they have lots of checklists, certifications, audits, authorizations, a lot of regulatory oversight, uh, that we get to navigate globally, so it's also different in every country and every jurisdiction, so we have quite a, quite a team to deal with that complexity.
Jason: So a big footprint. Over 3,000 employees, lots of apps, lots of cloud usage, and that's going to give us a lot to talk about today. I suspect that we'll spend some time on identity threats. I think we should talk about provisioning and deprovisioning because I know you and Axon have done some innovative things building there.
And then I'd like to make sure we talk about access reviews too because in the past I've heard you say that access reviews are so often old school and I think you prefer to be new school and I want to hear exactly what that means. So I think we'll cover that. But I want to always lead with this question because this show is called Identity Radicals.
So across this gamut of identity security. What's the [00:05:00] most radical thing that you've done for security at Axon?
Jenner: Yeah, that's a good question. Um, I, I guess you could consider this radical, but we built our security awareness program, uh, on the foundation of giving people swords. So the winners get a sword.
That's pretty radical, right? And so what we do is, is, uh, uh, actual sword, physical sword, actual, actual physical sword. We call it the information security quest for immortal honor. And as you do, as you do brave deeds of security greatness, you earn experience points on the quest because that's the only reason we do things anymore, right?
It's to earn experience points on our various quests. And then, uh, we tally all those things up and the brave deeds are, are related to identity. Some of them are for sure, like reporting phishing emails, either are simulated phishing emails or real phishing emails that come in. Finding security flaws and bugs, finding access that's inappropriate.
As somebody finds some access that's inappropriate, reports it, and we go fix it, all those types of things earn experience [00:06:00] points on the quest. Over the year, that all adds up, and at the end, the three final lucky winners get inducted into the Hall of Immortal Honor, and they get a sword. They win a physical sword with their name engraved on it.
With Axon engraved on it, and we do a different sword style every year. So we've done broadswords and katanas, uh, lightsaber even last year. This year is, uh, very nerdy. It's a, a bat'leth sword from Star Trek, Klingon sword from Star Trek. Turns out people are very excited about that, like who knew? Uh, so it's a pretty radical way to gamify security education, but it's a lot of fun.
Jason: And so obviously, I'm pretty sure you mean this is across the entire company, not just your, your team, right?
Jenner: Absolutely. Oh yeah, this is the entire company. Absolutely. That's amazing. No, in fact, in fact, my team is not allowed to win. We're the, we're the, we're the referees, so we can't even win.
Jason: That's amazing.
Experience points. It's very, very much a gamification exercise. I have not heard of anyone doing that before, and I can imagine it taking something that People might view it as a chore and making it a little bit more [00:07:00] fun and even competitive.
Jenner: Absolutely. And I'm, I'm, I'm grateful we're still able to do it because the first year the sword that we gave out was sharp.
We didn't. Take care to dull it. And, uh, president of the company cut himself, uh, handling the sword the first time. So. Wow. But, but didn't shut down the program. So we were able, we were able to continue. Now the swords are all dull.
Jason: Comes with a free box of band aids. That's right, that's right. Fantastic.
Let's talk about a different kind of threat. Which is identity threats. No sharp edges, but perhaps even more dangerous. Uh, at Veza, we say that identity is the new perimeter, and we're not the only ones that say that. Most attacks these days seem to come through an identity vector, and all of those 3,500 employees you have are, of course, vulnerable to increasingly clever social engineering attacks.
You've talked before about phishing, and so I guess my question is, do you think identity attacks are inevitable, and what do you do to prepare?
Jenner: [00:08:00] Yeah, so I, I mean, certainly... Attacks of all types, and especially identity based attacks, are inevitable. Like, the attacks are going to happen. It's a, we're large enough now where it's a daily occurrence that there's some type of, some type of identity based attack, even if it's a simple phishing email, those are coming in all of the time.
Uh, I don't think, as a CISO, like, I don't think I could ever promise that we will be 100 percent perfect at defeating every single one of those attacks that come in all the time every day. So that's never a promise that we make. But I think what we can do is build a program that's resilient enough to ensure that when we do have the, what I call them, security whoopsies, right, these are, these are the incidents that happen that are painful, but not, not like, uh, mortal.
It's not a mortal wound. It's a cut. It's a scrape. We got punched in the face. We got kicked in the shin. But we didn't get stabbed through the heart. We are resilient enough that we can handle the bumps and [00:09:00] bruises of trying to run a security program and come out the other side stronger, more successful than before without leaving ourselves open to those mortal wounds, right?
For, you know, taking the, the, you know, the full, the full blast, uh, that takes us out completely. That I think we can accomplish. And certainly strong identity is a big piece of that because that's a, that's a way we talk more about it as we go down, go down the podcast here. But one of the most important ways to Ensure that incidents stay small, that the blast radius of those incidents...
Don't become that, that terrible breach, uh, is by having strong access management practices, strong identity management practices. Uh, like that is one of the key ways to keep the security whoopsies that are going to happen to keep them small and manageable, as opposed to, you know, massive company impacting issues.
Jason: So first and foremost, maybe. Uh, having strong authentication, I assume, I'm sure you have safeguards in place like multi factor authentication, but then it's also perhaps about [00:10:00] least privilege and monitoring who has access to what. Because if somebody gets phished, you don't really want them having access to services that aren't necessary to do their job.
Um, what about investigating after a breach is detected? Like, what kind of metrics do you use to track your success in containing things after the attack?
Jenner: Yeah, so we certainly, you know, measure some of the traditional things like mean time to detect and how quickly we can respond. Um, I tend to not over focus on how quickly it takes the security operations center or the incident responders to, to correct the incident, to fix the incident.
I measure how quickly it takes them to detect and start working on it. But I don't want us to rush through the process of identifying what happened to who, when, just to get it closed and quote, fixed. I mean, [00:11:00] it's, it's not that infrequent that you hear about a breach that occurred where the company noticed something.
They, they responded, but they didn't quite understand the, the breadth of the issue. And so what they fixed didn't actually patch the whole problem. And there was a residual gap. Left. Residual access, left residual issue left that then the, the, the attackers were able to keep a foothold and keep, keep growing their access.
So I'd rather, even if it takes a little bit longer on an investigation to really, really be thorough, I think that generally has better outcomes than if you try and move too fast. After you detect it, absolutely need to detect and start, start responding quickly. And then in the response process itself, completeness and accuracy is sometimes overlooked in the, in the rush for immediacy.
Jason: To have a quick response, what are the secrets or what tools do you need to have at the ready?
Jenner: Yeah, that's a great question. Um, certainly all of your, your [00:12:00] normal detection technologies for when something seems out of place, right? Something's not right, anomalous activity occurred. Lots of tools can do that, right?
And that includes everything from, you know, uh, uh, inbuilt tools in the Microsoft suite, if you use Microsoft, Google if you use Google, your own log and SIEM solutions, like, uh, Splunk or whatever it might be, to tools like Veza to help expand that, that visibility into what are the users doing in what parts of the application or with what data elements, uh, to more quickly identify when something doesn't look right, something's out of the norm.
Um, generally. I have also found that the most impactful security whoopsies are not the ones where your tool said, a bad thing happened, alert, a bad thing happened. Usually it's, it's where a tool has said, something looks weird here. You should [00:13:00] investigate further. Then in the investigation, and that's where we use Veza quite a bit, right, is to go in and look a little bit more closely.
What exactly did this user do, or what exactly do they have access to? What's the series of events that occurred here? That's where you discover the more impactful, you know, potential security issues that you can nip in the bud early. Then if you kind of glossed over that, six months later, you may have a really big issue.
Jason: So resilience is the key. They're going to happen, but you want to contain them. And if they get through, you want to react quickly. And, uh, shut it down as fast as possible. Absolutely. Let's move on to the next topic, which is provisioning. And I'm sure that people listening to this have some sense that provisioning is about bringing new identities into the company.
Somebody joins the company, somebody gets a new job, and you get them access to the apps and other services that they need to do that job. But it's kind of a headache for most companies. And you've done [00:14:00] some innovative things to automate. Here with your provisioning and deprovisioning. So what is it that you're proud of?
Jenner: Yeah, we're, I don't know if it's innovative, but it is hard to do. The concept of, of, you know, birthright provisioning. So somebody starts at the company, the HR system says they are approved to start working, and here's their job location, their job role, here's who their manager is, etc. Like, oh, that's known in the HR system.
The ability to provision the appropriate access automatically downstream from that basic information from the address system, what we refer to as birthright provisioning. Uh, it's not an innovative concept, it's just hard to pull off. It's hard to actually get done. Uh, so I am proud of our team, our Identity Access Management team, to actually get to that point.
Where we have pretty good automation about onboarding, automated provisioning, automated deprovisioning. Right? It doesn't, a lot of the access can be deprovisioned automatically. The minute HR says, this person no longer works here, and they click that button, the automated deprovisioning [00:15:00] starts to occur.
Um, that's even more important than, than birthright provisioning. Uh, certainly not completely done. Certainly not perfect. There's always pockets of, of applications and access that need to be a little bit more manually done with eyes on the ball. But the bulk of it can be automated and then we've done a good job getting to that point.
Jason: Deprovisioning is interesting and it's been in the news more in the last year and a half because of layoffs across the tech industry and I don't know if that's affected Axon, but the more companies you have doing terminations, the more deprovisioning becomes important because what we see is that at Veza is that companies rarely deprovision completely.
And, uh, even though you think that maybe you turn off access in Okta, uh, that, uh, that, that would be complete, but people still have local accounts that maybe the governance system didn't know about, and these folks are still out there with access. You have situations where people [00:16:00] that have been fired...
Maybe not so happy with their former employer, can still get access to sensitive data. I just wonder if there's things that, any tricks that you've learned to check for dangerous risks that persist after departure.
Jenner: Yeah, this is a, I think an, uh, it's a difficult thing to get right. I'm not going to. I'm not going to say that we get it 100 percent right because there's always surprises, right?
You always find some corner case where some access was provisioned outside of the central IAM program's knowledge. Um, but one way you can find those, or a couple ways you can find those. One is we use Veza pretty extensively in that area to try and triple check our automated deprovisioning. Hey, somebody's been offboarded, the automated process has flowed.
Hey, this one is... Sensitive enough or high profile enough or had enough access that let's do it. Extra set of checks in Veza to go see what [00:17:00] else this person may have had access to that wasn't captured in our automated process, right? Oh, look there. They ended up over here. They ended up over here. Let's go double check with that team, that group, that that person was offboarded from that application properly.
That's, that's one thing you can do is use a separate, a separate tool. That's kind of outside of your normal. IDN system or your normal IAM system, uh, that still has visibility into all of the areas of access that you need to look at to do a little bit of an extra audit and an extra, um, triple check. And Veza has been certainly helpful, helpful for us in that vein.
Another thing that you could do that we have done some of that I, that I've, I think is probably overlooked is your traditional security monitoring that your SOC may already be doing has clues in there where access may have been retained by somebody. If they end up using that access in a way that they shouldn't.
So if you have a sensitive off board, [00:18:00] you've done all of your due diligence, the automated process has flowed, you've done your extra checks, you feel pretty comfortable, we've off boarded that employee from all the right applications. But, for whatever reason you want a little extra monitoring on that one, you can use your SIEM to look for logs, just logs that contain that username, or variations of that username.
Because they shouldn't be popping up anymore. That account shouldn't be doing anything anymore. So you just, like, alert me if there's any logs that show up with actions happening with that username. And that may sometimes flag an application you missed over here, an application you missed over there, that's in your SIEM, you're getting logs from that application, but it's not in your identity management workflow, somehow.
And certainly you'll find, through that process, like, this is what we usually find, is Automated applications that have been set up with that user's username to run. Service account type things. Uh, so they're operating properly, but that, that, that script or that little [00:19:00] workflow is still trying to run every day at noon.
Uh, and that username keeps popping up every day at noon. Because it's still trying to use their account. So, those are also good to find too because those will, um, uh, you know, break things when that offboard happens. You can maybe catch those a little faster.
Announcer: This podcast is brought to you by Veza, the identity security company.
75 percent of breaches can be traced back to identities that were either compromised or abused. That's why companies use Veza to find and remove the risky access permissions that legacy tools just can't see. Secure your data wherever it lives with Veza. Learn more at veza.com.
Jason: I, I've seen it here at Veza myself with, uh, departed employees and, uh, I'm still getting notifications from things that were set up in their name.
I got to move those accounts to someone else. They're like, Hmm, we just missed that one on the, uh, on their way out the door. So. I could totally see that happening. Let's talk about access reviews, which maybe can kind of catch some of these things on an ongoing [00:20:00] basis. And, uh, for most companies, access reviews is a periodic process.
Maybe that's part of one of the things that you're calling old school, but what, well, how do you think about access reviews for Axon?
Jenner: Yeah, I mean, we, we currently still do it the quote, old school way, quarterly access reviews, right? We've got it, we've got it automated. We're using our, our IDN solution, SailPoint solution, and every quarter.
Right, the emails go out where the manager has to go read through the list of the employees and what, what access they have and click, yes, they should keep it or no, they shouldn't. And if they shouldn't, why not? And then we can change those permissions as they go. Um, as you can imagine, and as everybody knows, I'm not so comfortable that that mechanism is terribly effective at, uh, weeding out access, access that's actually dangerous to the company that actually represents risk.
Uh, what that process does do is get us through our audits. Right, you can, you can show [00:21:00] the auditor, we're doing access reviews every quarter, here's the reports, you can see everybody did them, uh, etc, etc. So you get your certifications, you get your audits, and that's, that's why everybody does it that way.
Uh, cause that's, unfortunately the target is maybe to just pass an audit, not to actually reduce risk to the company. Uh, actually reducing risk probably takes a different approach that we're not yet doing, uh, that we were, we were working towards, which I would describe as a little bit more real time.
Right? So if you could, if you imagine you could classify applications and or more privileged groups and access levels, uh, you know, from highest risk to lowest risk and use systems like Veza could definitely have a role in here. And we hope to use it this way, uh, to identify through some of the workflow features, right?
To identify when a change happens that involves these higher risk areas, the access review must happen right now. Meaning. Not just the normal, they requested access and the [00:22:00] access was approved. Okay, somebody requests access, it got approved, the change happens, boom, flag pops up and says, hey, by the way, somebody just got this extra privileged access and it was approved, but I want one more set of eyes on it.
There's another access review that happens at that moment in real time. That's the kind of thing that we would be doing if we were really focused on reducing risk and not just passing audits. Uh, not easy to build by any stretch, we're certainly not there yet, but that's the, that's kind of the vision that I have for, for getting access reviews where they, I think they should be.
Jason: So two things I heard in there. Number one is really moving from a periodic frequency to a just in time or as needed basis. Something just changed, this is the right time to ask, is this safe? That's number one. Number two is you want to have some quantitative way of prioritizing. Which types of access are riskier than others?
And then making sure that those are the ones that get reviewed first. What would be an example of something [00:23:00] that would be extra risky that you'd want to check right away?
Jenner: I mean, certainly any level of privileged admin access to your applications, right? Whether that's IT, IT domain admin type access, or if your other custom applications have some concept of the most privileged users, like those would be super important.
You could probably mix in there. Important concepts of separation of duties, especially in like a financials control standpoint. And so the moment that somebody ends up in a role that could have a separations of duty conflict with another role they already have. Even though that got requested and got approved, that should flag a real time review eyes on from somebody, some other group, third party there, uh, things like that.
Jason: I know we've had other guests on the show in the past and they've talked about their efforts to create dashboards of metrics about their risk for their board or for at least their CEO. And they talk about how difficult it is to create those dashboards. [00:24:00] Because you're basically pulling queries from hundreds of different apps and systems and you can't really do that manually.
With any practicality, but I envision a future where people have dashboards with little dials on them that show us the number of privileged users in the company and maybe the number of privileged users who have been certified and those that are still waiting to be checked. Do you think that that's a pie in the sky vision or is that something people are going to have in a few years?
Jenner: We should be doing that, but I think I would. I would go one step further and not be measuring the number of privileged users that have been validated or not validated. I would actually set a metric that our number of privileged users should actually be going down over time. Because we don't need people with deep individual access because we have built systems and automated things to the point where the [00:25:00] deepest level operations can occur without anyone actually really needing access.
If you have a lot of people with a lot of privileged access, that's actually an indicator of just general broken IT operations, probably, or, or, or process issues, or things, it's showing me that there's other things in the business that aren't right, therefore we have to band aid it by having people with deep access that can go manually fix things.
So a better, I think a metric would be important is like the number of privileged users shouldn't go down over time as your IT systems and your applications get more robust. in, in their implementation and their management.
Jason: Sure. So it's kind of like Japanese manufacturing, where the goal is to get to zero defects.
And, you know, nobody really believes that you'll ever completely get there, but it's an aspiration that we're all striving towards every day. That makes good sense. Personally, I like having my edit all data access to Salesforce. That's right. I hope they never take that away. But, uh, [00:26:00] I can understand why it might make some people nervous and, you know, God forbid I fall for a phishing attack someday.
I think, you know, the company would regret not having enforced least privilege with Jason.
Jenner: I was going to say, like you mentioned, you mentioned that one of the key reasons to do access reviews and try to apply some concept of least privilege to your users is actually to reduce the blast radius of an attack or of a breach.
Yeah, we're reducing risk, we're passing audits, the risk you're actually reducing is is insider risk to some extent. We want people, you know, it's usually not because people are doing bad things with the access they have. They may make mistakes, but they're generally not abusing their access. But what does happen is that access gets abused immediately when their account is compromised, right?
So the blast radius of an external compromise can be much, much worse when you have over provisioned access. And you're not, you're not tightening down to least privilege as much as possible.
Jason: I think we've seen this a lot in the news [00:27:00] reports, the headlines of the last year, there's been breaches at Okta because they were using GitHub and the GitHub credentials got stolen.
You are giving some serious access to crown jewels when that happens. So this makes a lot of sense. Least privilege is kind of a subjective thing. Uh, and you know, we'll pursue zero privileged users. That makes sense to me. What about policies, many of which are imposed upon a company like Axon by external regulatory bodies?
There might be Sarbanes-Oxley because you're a public company. There might be SOC 2, Type 2 if you've chosen to comply. There could be privacy regulations like GDPR. Uh, you, I think you've, you've mentioned to me in the past something about sovereignty obligations, like what, what are, across all these compliance frameworks, which are the ones that vex you and, you know, give you the most headache?
Jenner: Yeah, absolutely. Um, uh, add to the list of compliance and regulatory things you just [00:28:00] listed, like we also deal with, with some heavy government money, FedRAMP, FedRAMP High, actually for the U.S. federal government. Even the DoD specifically, IL4, IL5, right? We just recently received IL4 authorization and IL5 is coming.
Uh, those things globally as well, right? So we also do the same kinds of things in Canada, in the UK, in Australia. We're working in other countries in, across Europe and the EU. And one concept that's important to our international customers is the idea of data sovereignty. So their government data, which is the data that we, that we process on their behalf, the services that we're providing, uh, Must stay within the boundaries that they define.
The physical, the physical country boundaries that they define. And then on top of that, the core identity characteristics of the people that are supporting them and working on that system and operating that system is also important to them from a sovereignty standpoint. So they care about where those people physically reside.
Are they in my country? Are they in my continent? Are they on the other side of the [00:29:00] world? Where are they when they're supporting the system that holds my government data? And what is their citizenship? Where might their loyalties lie, right? Are, are, is an EU citizen okay, or do they have to be a citizen of Italy?
Can they be a US citizen or not? Uh, these are interesting and complex issues that we, that we navigate with our international customers as a US based company. Uh, because of course, like as any country, it's natural, would want to have some measure of control and sovereignty over their systems and their data and their government operations.
So we have to take the, probably a step further than most companies as far as identity goes. And care very much about the location of where somebody is and what their, what their, uh, citizenship is and certainly what their clearance status is. Have they gone through the government clearance process for ABCXYZ?
And that matrix together will then determine what access they're allowed to have with the different operational, uh, cloud services that we have around the world.
Jason: Yeah, I'm reminded of one of our [00:30:00] customers, not you, uh, who came to us and said that they had an issue with employees in China and employees in the U.S. And there were sovereignty rules that, you know, one should not be able to see the data in the other country and vice versa. And it was hard for them to enforce that because, um, it was, you know, a problem that spread out across many different systems. And it requires you to stitch together with the identity systems.
Maybe with the HR system that has data about where that person resides. A really difficult problem to solve. And that's, you know, one of the areas where VESA aims to help. I wanted to ask you about another kind of identity that, uh, not everyone associates. They don't use the word identity to describe. Uh, maybe you do.
And that's service accounts. Um, service accounts are beginning to outnumber the number of employees that companies have. There's all these different apps. Need credentials to talk to one another. How do you think about the challenge of securing [00:31:00] service accounts at Axon?
Jenner: Yeah, I think you bring up a good point that that folks don't, we probably traditionally haven't thought about service accounts as identities in their own right, uh, because we tend to, as we build and manage and architect and tweak our identity management system, its source of truth is the HR system, right?
So we're like, we're kind of starting from that as the base truth. Well, guess what's not in the HR system? Service accounts, right? Those aren't people, right? And so just the concept of tying service accounts to people automatically kind of throws it out of our associations as an identity. But from an access standpoint, from a blast radius of a breach standpoint, those actually are the most important accounts sometimes.
Those are probably the most important identities to get right as far as least privilege goes, and also the hardest to do. Yeah, so we use tools like VESA to keep visibility on those. And then struggle like everybody does on trying to pare down their access to what is, what is really least [00:32:00] privileged for this service account.
Maybe we shouldn't use this one service account for seven different applications. Maybe they should have individual service accounts where we can pare down the permissions and mitigate risk of a breach, reduce the blast radius, like help identify those kinds of areas of opportunity to improve.
Jason: I think they are an area that gets less scrutiny than human identities, and yet they're so powerful and, um, they open you up to privilege escalation once somebody finds a way in, and you may not be watching them as closely.
So I think that's an important trend that.
Um, generally, I want to make sure we talk about education too, because I think it's really interesting that you're devoting some of your time, you're giving back to the community, and you're working for the AZ Cyber Initiative, and, you know, certainly I can tell you that our customers struggle with, you know, talent and the shortage of talent to fill [00:33:00] cybersecurity positions.
So it just seems like the industry could be doing more to promote cybersecurity careers and get younger people on that path. Seems like you're already doing that. How'd you get involved?
Jenner: Yeah, I don't remember how I first connected, uh, with the executive director of AZ Cyber Initiative just as it was getting started, but I was invited to join the board.
I leapt at the opportunity. I was super excited. Uh, to help facilitate getting the younger crowd interested in potential, in security as a potential career, right, down into the high school levels where they can start to craft their interests and what they spend their evenings and weekends doing and what they think about for college at an early enough level to really influence, you know, kind of where they end up at a career wise.
Uh, and we've had a lot of success. It's been a ton of fun, uh, with the AZ Cyber Initiative. The way that, the way that this nonprofit in Arizona works. Uh, generally the, the biggest focus is putting on boot camps, we call them cyber boot camps in the summer. So [00:34:00] free, week long boot camps for high school aged kids to come do, learn cyber security things and do fun stuff, uh, for that week at various locations all over the state, right?
They're held at community colleges or universities or, or at high schools. Uh, we have instructors come in, right? Talented security professionals to come in and, and instruct in those. I usually come speak, you know, once or twice, a couple of those bootcamps, I'll come give an hour long talk on what it's like to be a CISO and what I look for in people that we hire and that kind of fun stuff.
Um, we've grown quite a bit. The first year was only two bootcamps, right? Two teachers, two bootcamps, you know, 40 kids, maybe something like that. Uh, and this last summer was over 10 bootcamps. It might've been like 12 bootcamps, hundreds of kids. Uh, very successful and a lot of fun.
Jason: These are high school students, and when you come to do your talks, you're not giving them swords, right?
Jenner: No, no, I'm not passing out swords. I tell them about, I tell them about the quest, and then if you come work for Axon, you could win a sword at some point in the future. But no, no, I'm [00:35:00] not giving out swords.
Jason: Jenner, you have a really interesting company, and uh, you, you were telling me that you have some interesting folks who, um, maybe try to do business with your company.
So here's my question. Yeah, yeah. What is the most unusual security threat that you've seen in your time working at Axon?
Jenner: Yeah, we have plenty of interesting and weird things happen, for sure. Uh, some of the most interesting has happened a couple of times, I anticipate it will keep happening, where somebody who decides they want to be in public safety, they want to be a police officer, they want to be a fireman, they're not.
They're not hired and working for an authorized police department. They're just pretending to be one. So we do come across police impersonators that are trying to get access to our gear, right, because what better way, Jason, to, to look and look like a cop and be a cop than actually have a taser strapped to your side, to actually be wearing a body [00:36:00] cam around with your fake uniform.
Uh, so they actually come, we'll have, every so often we'll have a fake, you know, law enforcement impersonator try and buy Axon gear because that's going to make their, their play story more realistic. Uh, it's pretty, certainly we try not to do that, we, we catch it when it happens, uh, but it's an interesting, uh, interesting identity kind of related threat that we deal with on a pretty regular basis now as we get bigger.
Jason: Wow, your, your identity challenges are not limited to your internal folks and your service accounts, but, but your would-be customers as well, and maybe almost like a bank, you want to know your customer, because on one hand, it's kind of, it's kind of funny that the people are going to these lengths to, uh, pretend, but on the other hand, it's actually quite scary and dangerous that these people might be roaming the streets with, with, uh, with weapons.
Jenner: Yeah, and we do, we certainly do, um, uh, we sell, we have a line of tasers. And even some of our, uh, camera lines as well, for civilian use, [00:37:00] for consumers. Like, they're a great, they're a great tool for, for self defense without carrying a gun around. Um, but not the law enforcement versions and certainly not with the intent of pretending to be a cop.
Jason: Right. I think we can agree on that. Okay, Jenner, this has been fantastic. Uh, we covered a lot of ground. And, uh, we learned that, uh, everyone's going to have whoopsies, but we've got to make sure that we contain them. Resilience is key. Fast response is key. We should all be striving towards least privilege.
If there was a magic dashboard that tracked our number of privileged users, we should aspire to bring that level down towards zero over time. And we learned that if you want your employees to take security seriously, maybe you should try coming up with a gamification program and give out points and give out rewards.
That is something I haven't heard before. I think that's really innovative. So thanks for sharing these things with us today, Jenner. Really good conversation. You're [00:38:00] welcome back on this show, as you know, anytime.
Jenner: Appreciate it, Jason. I really love my time here.
Jason: Thank you. Until next time, everybody, you've been listening to Identity Radicals, brought to you by VESA, the identity security company.
Be sure to subscribe to this wherever you get your podcasts. Until next time, let's be careful out there.
Announcer: Thanks for listening to Identity Radicals, brought to you by VESA, the identity security company. To learn how to secure your organization's identity access, visit VESA.com. Please leave us a rating and review and subscribe to the podcast to get each new episode as they're released.
See you again next time.