Cybersecurity Today Weekend with Carey Frey, VP and Chief Security Officer at TELUS
Digest
This podcast episode delves into the complexities of identity management, tracing its evolution from early internet practices to the current era of Artificial Intelligence. Host David Shipley interviews Carey Frey, CSO at TELUS, who shares his extensive cybersecurity career journey. They discuss TELUS's role as both a telecom and a cybersecurity provider, the persistent weaknesses of username/password systems, and the shortcomings of past solutions such as Public Key Infrastructure (PKI). The conversation highlights the rise of FIDO and passkeys as phishing-resistant authentication methods, contrasting them with the convenience-driven adoption of less secure practices. A significant portion of the discussion focuses on the emerging threats posed by agentic AI, including credential stuffing, session token theft, and the "lethal trifecta" of LLM vulnerabilities, pervasive lateral access, and AI agent risks. The "Sign-At" handbook is introduced as a resource for improving identity maturity, with recommendations to move away from bearer tokens and to implement robust audit trails. The episode concludes by emphasizing proactive security measures and the ongoing quest for a balance between security and usability in identity management.
Outlines

Introduction and Cybersecurity Landscape
The podcast opens with a sponsor message from Meter and an introduction to the weekend edition of Cybersecurity Today. Host David Shipley introduces guest Carey Frey, Chief Security Officer at TELUS, highlighting his extensive experience in cybersecurity. Frey then shares his career journey, starting at 19 with Canada's Communications Security Establishment and progressing through telecommunications companies to his current role at TELUS, which is both a major telecommunications provider and a significant cybersecurity service provider in Canada.

Identity Management: Past, Present, and AI Challenges
The discussion shifts to the persistent challenges in identity management, from early internet practices to the current AI era. Frey analyzes why Public Key Infrastructure (PKI) didn't achieve widespread adoption due to complexity and centralization, contrasting it with the decentralized success of SSL. The conversation then moves to modern authentication methods like FIDO and passkeys, noting that convenience often still trumps security, especially with AI platforms.

Agentic AI: Emerging Threats and Vulnerabilities
The potential threats posed by agentic AI are explored, focusing on how these autonomous agents could exploit existing identity vulnerabilities. Risks include credential stuffing, session token theft, and the potential for AI agents to cause significant damage if compromised. The concept of the "lethal trifecta" is introduced, describing the convergence of LLM vulnerabilities, pervasive lateral access, and the potential for AI agents to cause widespread damage, exacerbated by a lack of robust identity and audit trails for AI agents.

Addressing Agentic AI Security for Businesses
The conversation addresses how small and medium-sized businesses can navigate the complexities of agentic AI security, given that large enterprises struggle with these issues. The importance of proper management and understanding of security implications is stressed.

The "Sign-At" Handbook and Improving Authentication
Frey discusses the creation of the "Sign-At" handbook by a CISO working group, which aims to provide a roadmap for identity management maturity. Key recommendations include moving away from bearer tokens toward proof-based (sender-constrained) tokens, enforcing re-authentication when trust domains change, and implementing fine-grained permissions and robust audit trails for AI agents.
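As an added illustration, not material from the episode or from the handbook, the following Python sketch contrasts a bearer token with a sender-constrained token of the kind the "proof-based tokens" recommendation points at. The issuer, the client key and the resource server are constructed for the demo; the client key is symmetric and pre-registered with the resource server, a simplification of DPoP (RFC 9449), which binds the token to an asymmetric key carried in each proof. The scenarios show what an attacker who captures only the token, or only one signed proof, can do with it.

```python
"""Bearer token vs sender-constrained (proof-of-possession) token: a toy model.
Simplification: the client key is symmetric and pre-registered with the resource server.
DPoP (RFC 9449) binds the token to an asymmetric key carried in each proof; the checks are the same."""
from __future__ import annotations
import base64, hashlib, hmac, json, secrets, time

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _canon(fields: dict) -> bytes:  # deterministic serialization for signing
    return json.dumps(fields, sort_keys=True).encode()

def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

class Issuer:
    """Toy authorization server: mints HMAC-signed tokens (stand-in for signed JWTs)."""
    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def issue(self, subject: str, cnf_kid: str | None = None, ttl: int = 300) -> str:
        claims = {"sub": subject, "exp": int(time.time()) + ttl}
        if cnf_kid is not None:
            claims["cnf"] = {"kid": cnf_kid}  # sender-constrained: usable only with this key
        body = _b64(_canon(claims))
        return f"{body}.{_b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())}"

    def verify(self, token: str) -> dict | None:
        body, _, sig = token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not sig or not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        return claims if claims["exp"] > time.time() else None

class ClientKey:
    """Key that never leaves the legitimate client; the token is bound to its id."""
    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)
        self.kid = hashlib.sha256(self.secret).hexdigest()[:16]

    def proof(self, method: str, url: str, token: str) -> dict:
        """Per-request proof over method, URL, token hash, a fresh nonce and a timestamp."""
        p = {"kid": self.kid, "htm": method, "htu": url, "ath": _token_hash(token),
             "jti": secrets.token_hex(8), "iat": int(time.time())}
        p["sig"] = _b64(hmac.new(self.secret, _canon(p), hashlib.sha256).digest())
        return p

class ResourceServer:
    def __init__(self, issuer: Issuer, keys: dict[str, bytes], skew: int = 60) -> None:
        self.issuer, self.keys, self.skew, self.seen_jti = issuer, keys, skew, set()

    def authorize(self, method: str, url: str, token: str, proof: dict | None = None) -> str:
        claims = self.issuer.verify(token)
        if claims is None:
            return "deny: bad token"
        cnf = claims.get("cnf")
        if cnf is None:
            return "allow (bearer)"  # whoever holds the token is in: the weakness under discussion
        if proof is None:
            return "deny: proof required"
        if proof.get("kid") != cnf["kid"] or proof["kid"] not in self.keys:
            return "deny: token bound to a different key"
        unsigned = {k: v for k, v in proof.items() if k != "sig"}
        expected = hmac.new(self.keys[proof["kid"]], _canon(unsigned), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(proof["sig"])):
            return "deny: bad proof signature"
        if (proof["htm"], proof["htu"], proof["ath"]) != (method, url, _token_hash(token)):
            return "deny: proof is for another request or token"
        if abs(time.time() - proof["iat"]) > self.skew:
            return "deny: stale proof"
        if proof["jti"] in self.seen_jti:
            return "deny: replayed proof"
        self.seen_jti.add(proof["jti"])
        return "allow (proof-of-possession)"

def demo() -> dict[str, str]:
    """Constructed scenarios: what an attacker holding only a captured token (or proof) gets."""
    issuer, client, attacker = Issuer(), ClientKey(), ClientKey()
    rs = ResourceServer(issuer, {client.kid: client.secret})
    url = "https://api.example.test/mail"  # hypothetical resource
    bearer, bound = issuer.issue("alice"), issuer.issue("alice", cnf_kid=client.kid)
    legit_proof = client.proof("GET", url, bound)
    return {
        "stolen bearer token": rs.authorize("GET", url, bearer),
        "bound token, legit client": rs.authorize("GET", url, bound, legit_proof),
        "stolen bound token, no key": rs.authorize("GET", url, bound),
        "stolen bound token, attacker key": rs.authorize("GET", url, bound, attacker.proof("GET", url, bound)),
        "captured proof on other URL": rs.authorize("GET", url + "/admin", bound, legit_proof),
        "captured proof replayed": rs.authorize("GET", url, bound, legit_proof),
    }

if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:34} -> {outcome}")
```

The point of the scenarios is the asymmetry: a stolen bearer token is accepted outright, while a stolen bound token is useless without the key, a proof signed with a different key is rejected, and even a captured valid proof fails on another URL or on replay because the nonce has already been seen. In a real deployment the nonce cache and clock-skew window are the operational knobs; too generous a window reopens replay.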

Market Dynamics, Future of Identity, and Proactive Security
The discussion touches upon the potential role of government regulation versus market dynamics in addressing AI security challenges. A recap of the evolution of identity management is provided, contrasting robust security measures with the drive for convenience. The potential dangers of auto-browse use cases are illustrated, and practical solutions for securing agentic AI are discussed, emphasizing the need for proactive security measures and known best practices.

Conclusion and Further Resources
The podcast concludes with practical advice for listeners, encouraging them to explore resources like the "Sign-At" handbook and emphasizing the importance of aligning with security principles and the ongoing evolution of AI security.
Keywords
Cybersecurity
The practice of protecting systems, networks, and programs from digital attacks.
Identity Management
The administrative process of assigning and managing user identities and their associated access privileges within an organization's IT environment.
Artificial Intelligence (AI)
A field of computer science dedicated to creating systems capable of performing tasks that typically require human intelligence.
Agentic AI
AI systems that can operate autonomously, make decisions, and take actions to achieve specific goals without constant human intervention.
Public Key Infrastructure (PKI)
A system for creating, managing, and distributing digital certificates and managing public-key encryption.
FIDO Alliance
A global consortium developing open standards for authentication to reduce reliance on passwords.
Passkeys
A passwordless authentication method using cryptographic key pairs, offering a more secure and convenient alternative to passwords.
Single Sign-On (SSO)
An authentication scheme in which a user authenticates once and is then granted access to multiple related software systems, typically by passing a token or assertion from the identity provider to each system.
Bearer Tokens
Security tokens that grant access to whoever presents them, with no proof that the presenter is the party they were issued to; a bearer token stolen from a browser, a log, or a network capture is therefore as good as the credential that minted it.
Session Tokens
Identifiers, usually carried in cookies or headers, that a server issues after login to recognize a user across subsequent requests; they are normally bearer tokens, so stealing one takes over the session without the password or second factor.
Q&A
What are the main challenges in identity management in the age of AI?
Challenges include vulnerable username/password systems, complex account management, and limitations of past solutions like PKI. AI introduces risks of agents exploiting these weaknesses, leading to credential stuffing, session token theft, and potential for widespread damage due to inadequate authentication and audit trails.
Why did Public Key Infrastructure (PKI) not succeed as widely as anticipated?
PKI faced challenges due to its centralized control model and complexity for users, making simpler password-based authentication more appealing for widespread adoption.
What are the risks associated with agentic AI and bearer tokens?
Agentic AI combined with bearer tokens poses significant risks, allowing compromised or malicious AI agents to gain unauthorized access to multiple systems and data, leading to data exfiltration, fraud, and impersonation.
What are the key recommendations from the "Sign-At" handbook for improving identity security?
The handbook recommends moving away from bearer tokens, enforcing re-authentication when trust domains change, and implementing fine-grained permissions and robust audit trails for AI agents.
How can organizations and individuals mitigate the risks of agentic AI?
Organizations can implement known best practices such as hardware-backed, phishing-resistant authentication (for example FIDO2 tokens), sender-constrained tokens in place of bearer tokens, and fine-grained access controls with audit trails for agents. Individuals should be cautious with new AI-driven conveniences and use strong authentication on the accounts those tools can reach.
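As an added example, not from the episode or from the handbook, the following Python sketch shows what the fine-grained delegation guardrails and audit trail recommended for AI agents can look like in code: an agent grant may only narrow the human's scopes, it expires no later than its parent, it carries the delegation chain for forensics, and a gateway in a different trust domain, or one that sees a stale authentication, refuses it and asks for re-authentication. The principals, scopes and the "corp-saas" and "partner-bank" trust domains are constructed for the demo.

```python
"""Delegation guardrails for AI agents: attenuated scopes, trust-domain re-auth, audit trail."""
from __future__ import annotations
import time
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Grant:
    subject: str                  # human principal the authority originates from
    actor: str                    # who presents it: the user, or an agent acting for them
    audience: str                 # trust domain the grant is valid for
    scopes: frozenset[str]
    auth_time: int                # when the human last authenticated
    exp: int
    chain: tuple[str, ...] = ()   # delegation history, kept for the audit trail

class DelegationError(Exception):
    pass

def delegate(parent: Grant, agent: str, scopes: set[str], ttl: int = 300) -> Grant:
    """An agent grant can only narrow its parent: subset of scopes, same audience, shorter life."""
    if not scopes <= parent.scopes:
        raise DelegationError(f"scope escalation: {sorted(scopes - parent.scopes)}")
    exp = min(parent.exp, int(time.time()) + ttl)
    return Grant(parent.subject, agent, parent.audience, frozenset(scopes),
                 parent.auth_time, exp, parent.chain + (parent.actor,))

@dataclass
class Gateway:
    """Policy enforcement point for one trust domain; every decision is logged."""
    audience: str
    max_auth_age: int = 900
    audit: list[dict] = field(default_factory=list)

    def authorize(self, grant: Grant, action: str) -> bool:
        now = int(time.time())
        reasons = []
        if grant.audience != self.audience:
            reasons.append("trust domain changed: re-authenticate")
        if now - grant.auth_time > self.max_auth_age:
            reasons.append("authentication too old: re-authenticate")
        if now >= grant.exp:
            reasons.append("grant expired")
        if action not in grant.scopes:
            reasons.append(f"scope {action} not granted")
        self.audit.append({"ts": now, "subject": grant.subject, "actor": grant.actor,
                           "chain": list(grant.chain), "action": action,
                           "decision": "deny" if reasons else "allow", "reasons": reasons})
        return not reasons

def demo() -> dict:
    """Constructed scenario: a user delegates read-only mail access to an assistant agent."""
    now = int(time.time())
    alice = Grant("alice", "alice", "corp-saas",
                  frozenset({"mail:read", "mail:send", "files:read"}), auth_time=now, exp=now + 3600)
    agent = delegate(alice, "assistant-agent", {"mail:read"})
    corp, partner = Gateway("corp-saas"), Gateway("partner-bank")
    out = {"agent reads mail": corp.authorize(agent, "mail:read"),
           "agent sends mail": corp.authorize(agent, "mail:send"),
           "agent crosses trust domain": partner.authorize(agent, "mail:read")}
    try:  # a compromised agent tries to hand a sub-agent more than it has
        delegate(agent, "sub-agent", {"mail:send"})
        out["sub-agent escalation"] = "allowed"
    except DelegationError as e:
        out["sub-agent escalation"] = str(e)
    out["audit"] = corp.audit + partner.audit
    return out

if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

Two design choices matter here. Scope attenuation is enforced at delegation time, so an agent cannot mint a broader grant for a helper even if it is compromised; and the audit record carries the whole chain (subject, every intermediate actor, and the final actor), which is what an investigator needs when an ephemeral agent has already been torn down.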
Show Notes
Identity, AI Agents, and the Session Token Time Bomb | Carey Frey (CSO, TELUS) on Cybersecurity Today
In this Cybersecurity Today weekend edition, David Shipley interviews Carey Frey, Chief Security Officer at TELUS, about the evolution of identity security and why it's a growing risk in the age of generative and agentic AI. Frey recounts his career from Canada's Communications Security Establishment to leading TELUS's internal security and managed cybersecurity services, then explains how convenience-driven identity decisions led from PKI's unrealized promise to passwords, bearer/session tokens, and today's widespread session cookie theft. He describes lessons from TELUS's deployment of FIDO2 phishing-resistant tokens, the dangers of long-lived SSO tokens across SaaS ecosystems, and how agentic "auto-browse" could amplify harm via the "lethal trifecta" and ephemeral agents with poor auditability. Frey highlights the Syne/SignNet CISO Identity Handbook and calls for stronger cryptographic roots of trust, proof-based tokens, re-authentication across trust domains, and fine-grained delegation guardrails.
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at Meter.com/cst
00:00 Sponsor Message
00:24 Weekend Edition Intro
00:32 Meet Carey Frey
02:07 Carey's Cyber Origin Story
03:47 TELUS Security Two Hats
06:22 Identity's Broken Legacy
08:43 Why PKI Didn't Win
11:25 Passkeys Missed Moment
14:10 SSO Tokens Surprise
19:50 Session Theft Reality
23:18 Agentic AI Stakes
24:17 Building Identity Playbook
25:24 Identity Maturity Model
25:49 Fixing OAuth and SAML
27:00 Industry Call to Action
27:37 Where to Find the Handbook
28:06 Not a Vendor Pitch
30:13 Agentic AI Identity Gaps
31:30 Auto Browse Threat Scenario
33:12 Lethal Trifecta Explained
34:31 Ephemeral Agents and Forensics
37:08 Supply Chain Agent Malware
38:20 Crypto Roots of Trust
39:35 Proof Tokens and Reauth
40:17 Delegation Guardrails
42:34 Regulation or Market Forces
44:25 Practical Risk Decisions
46:20 Wrap Up and Next Resources
48:00 Sponsor and Closing Credits