Transcript
Media Group. Delighted to be talking about secure browser and identity. Joining me in ISMG studio are Ofer Ben-Noon, he's a CTO SaaS here at Palo Alto Networks. Joined by Jamie Fitzgerald, VP Product Management, Access Management with Okta. Jamie, Ben, Ofer, thank you so much for being here today.
Thank you for hosting us.
I want to start by talking about the attack surface a little bit. What are the types of attacks on identity that give you the most concern today?
And they are growing. Unfortunately, that's probably the most concerning thing is that they are growing. And I think why? Because adversaries understand that if they're able to compromise identity, they have persistence, they are much harder to detect. So what types of things are we seeing? You hear them in the news every day, you hear phishing, you hear credential theft, you hear account takeovers, token hijacking. I think every step of the way, we continue to see adversaries respond and react to the different types of controls that we're putting in place, to where they start to shift to onboarding, recovery. They're starting to use AI agents, browser plugins, where there's a gamut of different types of attacks that we're seeing on a regular basis. But to your point, there's more and more against identity.
Okay, so Ofer, how are these attacks preying upon the inherent weaknesses in the consumer browsers many enterprises are using?
Look, I think the most interesting thing is that, in a sense, the browser is becoming now the gateway to identity, right? Because at the end of the authentication flow, you are getting a cookie, a token, which is becoming now your digital identity as a user, as an employee, right? So when the malicious actors are able then to have key logging, screen scraping, cookie theft, in a sense, they're able to take over your identity.
So when the browser itself is not secure, when the browser itself is vulnerable, it's fairly easy to just hijack your identity and then from everywhere in the world, access the organizational resources and to download. So even if we have the best identity security capabilities, the browser itself is not secured, then all of the identity theft process is becoming much easier and to surpass a lot of the protections that we have on the identity itself. And the other part of the story is how do we connect between the identity and the device controls, right? Because if we're thinking about the whole ZTNA concept, it's about connecting between the user, which is the identity, the device and application, so we can really add a lot of capabilities on the device side of the house.
So I'm thinking about the convergence of the unsecured browsers with the rise in machine identities, exponential. What are the biggest security gaps arising from this convergence?
So I'll take that. I think that what we're seeing is, again, you hear AI, you hear AI agents and all these things, and some of these concepts are new and some of them are not. Conceptually, for some time, we've had this challenge of a machine needing to communicate with another machine, and the easiest way to do that is normally what organizations and adversaries lean into. What does that mean? It means that they create a token or they auth as themselves to allow a machine to act on behalf of that individual user. Well, now that's just, again, the exponential phase of AI and folks seeing the value prop, the fact that I can move faster, I can do more, means that people are quickly leaning into how AI and agents to machine identities can help them. Well, the problem there, again, is that they're not following proper authentication methodologies. They're not using authorization correctly. They're just quickly, how quickly can I move faster? There's all this AI, look at all this awesomeness that's out there.
And therefore, we're starting to see more and more of those different types of attacks. Again, there are some great tools that are out there. There are right best practices, but again, the business need versus doing the right thing has continued to be a challenge that we hear again and again from our customers.
Great. Does that resonate with you, Ofer?
Super resonating.
So, I want to ask your advice for enterprises, and I guess, Jamie, this would be for you. What do you advise for improving identity management across all platforms and for all identities?
So many things I'd love to advise, but I think- Too summarized. Right, too summarized. Let me use my LLM in my brain. And I think a few things. I think first things first, moving towards more and more secure auth. I think remote phishing attacks continue to be a real live attack surface, and there are much lower bars to raise security when it comes to just pure auth than there ever were before. So, I'm excited about that, and I think people should really look at it. I think when you start to look at it, you talked about devices and where devices come into play. Again, what we're telling our customers to do is to, as much as possible, control the device. It's great. You can't always do that. There's BYO. There's contractors. There's all these partner stories. And so, when you can't do that, what can you do? Well, there's certain ways that you can understand basic posture, good hygiene, leveraging those capabilities in all of your authentication decisions. And then, you start looking at partnerships like the ones we have, and you start looking at things like Secure Browser and how they can really complement a very large, diverse, hybrid-deployed enterprise, which is almost all of them.
Ofer, your advice. What do you advise enterprises when it comes to moving to a secure browser?
I think that when we're thinking about this conjunction between identity and secure browser, the biggest advantage is to say, look, now that we control the identity, the user, we know who can access what, and we can really have a good sense on the identity side. If we secure the browser itself, we can really harmonize that security to have the trust to run also in an insecure environment, right? So, as Jamie has mentioned, when the trend of BYO is continuing and definitely not reducing, we have the ability to say, even in a hostile environment, when good chances that there is an infostealer, which is doing key logging, trying to look at the memory of the browser to extract the identity token, in situations where someone is trying to look at the screen and to see, okay, that is the username and password, and now I'll try to hijack the MFA code. We are allowing the security and allow that identity process to happen also in a hostile environment and blocking that infostealer from taking over the browser, taking over the non-encrypted databases and caches, and in a sense, allowing that to happen in an environment which is hostile.
The second area, I think, is now that we understand the identity, how do we apply the right DLP mechanisms around it? Because it's okay that you say, okay, we now understand that the user is the user, and we know that we are running from a BYO versus a managed environment. How do we now limit what the user can do on the endpoint itself, right? Because from the identity side, you can say where you can access, what you can do in terms of the SaaS applications, but what about, okay, when can you copy-paste the data out? When can you download a file which can be open or the file has to be encrypted on the operating system?
I think really bringing these two together of knowing, okay, we have the access part covered, we have the secure browser, but in conjunction, we're able to really give the organization the full freedom and granularity of who can do what with the data in terms of the SaaS applications and the service and in terms of the endpoint side. I think that's why I'm so excited about this partnership.
Totally. Funny you should mention that because I want to ask you about the partnership. It's no coincidence I've got the two of you here. What are Okta and Palo Alto Networks doing together to help your customers address these challenges?
Yeah, so I think if you think about, again, what Ofer described, how do we work together to ensure that the controls, all the goodness that Ofer just laid out, is able to be enforced, right? Control matters. In security, it's about how do I balance choice for my users and productivity and all those other things with controls. One of the key things that we've been working on very closely is to ensure that when you're an Okta customer and you're a Palo Alto Networks customer, we want to make sure that when we work together, it becomes basically trivial for us to say, okay, you have standardized on Prisma Access Browser. How can I ensure that you can't access anything unless you're leveraging this amazing toolset? Our partnership starts off with that and making it dynamic and simple and a more native integration that is not brittle and actually lasts over time. So we're excited about that as the first step. We've got a lot of other things that we're cooking in the oven, but that's something we're really excited to talk about as part of RSA.
Good. Ofer, anything you want to add to that?
It's already quite fun, exciting to see how the first early customers are benefiting from this partnership. So it's already in early availability.
Some of the largest organizations which are really seeing how the secure browser and identity can complement each other and really give them the next level of control, compliance. And excited about upcoming June where we are going to have general availability for all of our joint customers.
Okay. You're teasing it. I got to ask you, what news are you announcing at RSAC 2025?
For us, in terms of the secure browser, we are talking about our advanced anti-phishing capabilities, our VDI reduction support for Azure Virtual Desktop. We're talking about our additional capabilities for Gen AI security, Prisma Access Browser 2.0, which is the next level of secure browser. So we're quite excited about it and extremely excited about this partnership because at the end of the day, browser and identity has always been so important for our customers and very excited about this partnership.
Absolutely. Jamie, what do you want to add to that? What are you talking about here at RSAC?
A couple of things. I'll start with some of the things we've been working on, which are, again, the Prisma Access Browser integration. We actually also have an integration with something called Okta Identity Threat Protection, which is another way for us to have the single point where you connect Okta and Palo Alto Networks is expanded in its capabilities to go to the browser, to go to the endpoint and the security automation tools and making those things work together. So that's exciting. I think all up, when it comes to Okta, some of the other exciting things that we've been working on is, I mentioned AI, you can't have a conversation without talking about AI. But because of the fact that we're actually seeing a lot of organizations lean in towards AI agents and how they're building their own tool sets and how they're thinking about how you provide access and control to the data at the enterprise level, Okta is really a key component there.
We provide the layer of auth and authorization as well as authentication between these agents. And so we're working really hard to allow the next builder of an app or the next large customer that's trying to leverage AI and AI agents to do it in a secure way that's all grounded and rooted in proper, secure identity. So we're really excited about that. We've been ready to launch here at RSA.
Well, I'm excited to have the two of you here. So Jamie, Ofer, thank you so much for your time and your insight.
Absolutely. Thank you. Thank you.
Again, we've been talking with Jamie Fitzgerald with Okta, Ofer Ben-Noon with Palo Alto Networks. We've been talking about identity and secure browser. For Information Security Media Group, I'm Tom Field. Thanks so much for giving us your time and attention today.