惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

P
Palo Alto Networks Blog
大猫的无限游戏
大猫的无限游戏
Martin Fowler
Martin Fowler
GbyAI
GbyAI
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
量子位
T
The Blog of Author Tim Ferriss
Y
Y Combinator Blog
Microsoft Azure Blog
Microsoft Azure Blog
C
CERT Recently Published Vulnerability Notes
Recent Announcements
Recent Announcements
A
About on SuperTechFans
aimingoo的专栏
aimingoo的专栏
P
Privacy International News Feed
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 叶小钗
L
Lohrmann on Cybersecurity
G
GRAHAM CLULEY
T
The Exploit Database - CXSecurity.com
Hugging Face - Blog
Hugging Face - Blog
P
Proofpoint News Feed
NISL@THU
NISL@THU
博客园 - Franky
C
Cybersecurity and Infrastructure Security Agency CISA
The Register - Security
The Register - Security
M
MIT News - Artificial intelligence
Know Your Adversary
Know Your Adversary
A
Arctic Wolf
F
Full Disclosure
T
Threat Research - Cisco Blogs
P
Privacy & Cybersecurity Law Blog
The Hacker News
The Hacker News
博客园 - 【当耐特】
D
Docker
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Jina AI
Jina AI
Help Net Security
Help Net Security
V
Visual Studio Blog
小众软件
小众软件
B
Blog
Vercel News
Vercel News
云风的 BLOG
云风的 BLOG
N
News and Events Feed by Topic
Forbes - Security
Forbes - Security
N
Netflix TechBlog - Medium
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
C
Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic

Help Net Security

ChatGPT advanced account security adds passkeys and hardware keys Week in review: High-severity LPE vulnerability in the Linux kernel, cPanel 0-day exploited for months Automating Pentest Delivery: A Step-by-Step Guide - PlexTrac Open-source privacy proxy masks PII before prompts reach external AI services Shadow AI risks deepen as 31% of users get no employer training Identity is the control plane for distributed infrastructure AI traffic is getting bigger, louder, and less predictable New infosec products of the month: April 2026 cPanel zero-day exploited for months before patch release (CVE-2026-41940) Cisco releases open-source toolkit for verifying AI model lineage Met Police face criticism for using AI to spy on their own officers Nine-year-old Linux kernel flaw enables reliable local privilege escalation (CVE-2026-31431) Hacker with a special interest in breaching sports institutions ends behind bars - Help Net Security IP Fabric MCP server adds governance and control to enterprise AIOps workflows - Help Net Security Aqua Compass MCP server enables real-time investigation and containment of runtime threats - Help Net Security Google brings instant email verification to Android, no OTP needed - Help Net Security If cyber espionage via HDMI worries you, NCSC built a device to stop it - Help Net Security Apple fixes iPhone bug that let FBI retrieve deleted Signal messages(CVE-2026-28950) - Help Net Security GopherWhisper APT group hides command and control traffic in Slack and Discord - Help Net Security OpenAI tackles a bad habit people have when interacting with AI - Help Net Security A year in, Zoom's CISO reflects on balancing security and business - Help Net Security Scenario: Open-source framework for automated AI app red-teaming - Help Net Security GDPR works, but only where someone enforces it - Help Net Security Ransomware, fraud, and lawsuits drive cyber insurance claims to new peaks - Help Net Security Google’s Workspace Intelligence promises privacy while running on your data - Help Net Security Cyberattack on French government agency triggers phishing alert - Help Net Security Claude Mythos finds 271 Firefox flaws, Mozilla believes zero-days are numbered - Help Net Security Prove Identity Platform connects verification, authentication, and fraud prevention - Help Net Security New Mirai variants target routers and DVRs in parallel campaigns - Help Net Security Acronis GenAI Protection gives MSPs control over AI usage and data risks - Help Net Security Elastic MCP Apps bring security and observability workflows into AI tools - Help Net Security Progress Software fixes sneaky WAF bypass vulnerability (CVE-2026-21876) - Help Net Security Tencent's QClaw AI agent app arrives on Windows and macOS - Help Net Security Phishing reclaims the top initial access spot, attackers experiment with AI tools - Help Net Security OneDrive updates focus on AI, access control, and compliance - Help Net Security PentAGI: Open-source autonomous AI penetration testing system - Help Net Security Apple Intelligence flaw kept stolen tokens reusable on another device - Help Net Security Shadow AI, deepfakes, and supply chain compromise are rewriting the financial sector threat playbook - Help Net Security Thunderbird 150 arrives with encrypted message search and OpenPGP improvements - Help Net Security VirtualBox 7.2.8 is out with Linux kernel 7.0 support and crash fixes - Help Net Security Ransomware negotiator admits role in attacks he was hired to resolve - Help Net Security Scattered Spider hacker pleads guilty to stealing $8 million in cryptocurrency Ivanti Neurons AI automates IT operations, reducing manual work and security risk Silobreaker Mimir adds agentic AI to intelligence workflows with governance and transparency - Help Net Security OpenAI’s Chronicle feature lets Codex read your screen, raising privacy concerns CISA flags another Cisco Catalyst SD-WAN Manager bug as exploited (CVE-2026-20133) A single platform powers SIM farm proxy networks across 17 countries - Help Net Security NGate NFC malware targets Android users through trojanized payment app - Help Net Security Meta and PortSwigger drive offensive security further to find what others miss - Help Net Security EU pushes for stronger cloud sovereignty, awards €180 million to four providers - Help Net Security SmokedMeat: Open-source tool shows what attackers do inside CI/CD pipelines - Help Net Security How to spot a North Korean fake in a job interview - Help Net Security Product showcase: Syncthing for secure, private file synchronization - Help Net Security Week in review: Acrobat Reader flaw exploited, Claude Mythos offensive capabilities and limits Google wipes out 602 million scam ads with Gemini on duty Researcher drops two more Microsoft Defender zero-days, all three now exploited in the wild GitLab 18.11 brings agentic AI to security fixes, CI pipelines, and delivery analytics Liongard upgrades LiongardIQ with AI access, live asset data, and deeper discovery Mozilla challenges enterprise AI providers with Thunderbolt, open-source AI client under your control Codex can now operate between apps. Where are the boundaries? Android 17 Beta 4 arrives with post-quantum cryptography and new memory limits Apple AirTag tracking can be misled by replayed Bluetooth signals Social media bans might steer kids into riskier corners of the internet Workplace stress in 2026 is still worse than before the pandemic New infosec products of the week: April 17, 2026 - Help Net Security ImmuniWeb brings AI upgrades, post-quantum detection and more in Q1 2026 NIST admits defeat on NVD backlog, will enrich only highest-risk CVEs going forward Anthropic releases Claude Opus 4.7 with automated cybersecurity safeguards - Help Net Security Fortinet fixes critical FortiSandbox vulnerabilities (CVE-2026-39813, CVE-2026-39808) - Help Net Security Google Play is changing how Android apps access your contacts and location Tails 7.6.2 patches vulnerability that could expose saved files Cargo theft malware actor spent a month inside a decoy network before researchers pulled the plug Two US nationals jailed over scheme that generated $5 million for the North Korean regime Product showcase: Ente Auth encrypts, backs up, and syncs 2FA Wi-Fi roaming security practices for access network providers and identity providers European AI spending set to hit $290 billion by 2029 Windows is getting stronger RDP file protections to fight phishing attacks Capsule Security debuts with $7 million funding to secure AI agent behavior Hackers hijacked CPUID downloads, served STX RAT to victims $12 million frozen, 20,000 victims identified in crypto scam crackdown Rockstar Games receives “pay or leak” warning after cyberattack Google makes it harder to exploit Pixel 10 modem firmware Siemens expands Industrial Automation DataCenter with edge AI and cybersecurity Adobe issues emergency fix for Acrobat Reader flaw exploited in the wild (CVE-2026-34621) Seized VerifTools servers expose 915,655 fake IDs, 8 arrested Fixing vulnerability data quality requires fixing the architecture first ZeroID: Open-source identity platform for autonomous AI agents MITRE releases a shared fraud-cyber framework built from real attack data The fully free Linux OS Trisquel gets a major update with version 12.0 Ecne Week in review: Windows zero-day exploit leaked, Patch Tuesday forecast ClickFix campaign delivers Mac malware via fake Apple page Poisoned “Office 365” search results lead to stolen paychecks Gmail’s end-to-end encryption comes to mobile, no extra apps required To counter cookie theft, Chrome ships device-bound session credentials Product showcase: Session, a messenger without phone numbers or metadata Little Snitch for Linux shows what your apps are connecting to - Help Net Security Apiiro CLI turns AI coding assistants into full-stack security engineers - Help Net Security April 2026 Patch Tuesday forecast: Spring-cleaning of a preview - Help Net Security What vibe hunting gets right about AI threat hunting, and where it breaks down - Help Net Security Health insurance lead sites sell personal data within seconds of form submission - Help Net Security
What happens when security teams inherit identity
Sinisa Markovic · 2026-05-26 · via Help Net Security

At the Span Cyber Security Arena conference, I sat down with Eric Woodruff, Chief Identity Architect at Semperis, to talk about how organizations perceive identity and the challenges those perceptions create for security.

He shared his perspective on where organizations struggle with identity, why identity platforms can become difficult to manage, how phishing-resistant authentication is viewed in practice, and what non-human identities and AI could mean for security.

identity security

Most boards still treat identity as an IT hygiene problem rather than a strategic risk category. What changes that conversation in your experience?

I think a lot of organizations still treat identity as an IT problem. Unfortunately, many times in organizations I’ve worked with, that conversation changes after there has been a security incident. Then identity starts being treated differently. Instead of something proactive, it becomes reactive.

At the same time, I think the culture is changing. I’ve seen some security teams say that the Active Directory or Entra team should be part of the security team. With that, the culture and perspective around identity start to change.

So it’s a mix. Unfortunately, it’s still mostly organizations that have experienced an incident, but there are also organizations where people attend talks, read articles, and start understanding the risks behind identity. Their perspective changes.

I think it is improving, although not as quickly as I’d like. Especially over the last five or six years, as COVID pushed more people into remote work, it shifted some security priorities around identity and made organizations more aware.

Where do identity platforms most often overpromise and underdeliver in real enterprise environments?

I think they’re really complex. Part of the issue a lot of organizations have is that the identity person isn’t just the identity person. It can easily be a full-time job.

You’ll see huge enterprises that can staff that, but in small and medium-sized businesses, it can be all over the place. People become a jack-of-all-trades. They’re managing server infrastructure and other things, or if they’re part of the security team, they may be doing other roles as well.

The platforms themselves are not easy. The standards aren’t easy to understand, and despite having portals and setup wizards to help walk you through the process, they still tend to lean more toward usability rather than security by default.

I think that’s the biggest problem. You need to know a lot to properly secure these environments, and a lot of organizations don’t have the time or money to invest in the people needed to do that.

I’ve also seen situations where a security team owns identity. Identity systems sit somewhere between IT and security, and a lot of security people are used to working behind the scenes without interacting with end users.

Identity is different because it’s one of the only areas where you usually have to deal with end users frequently, which makes it more similar to an IT role. I’ve also seen situations where security teams adjust things within the identity platform without realizing that identity works differently, and mistakes can happen.

What is one widely accepted identity practice you think the industry has wrong?

I would probably say it’s the idea that going phishing-resistant and using things like passkeys and similar technologies is difficult.

I notice that many enterprises of all sizes don’t necessarily want to move toward something phishing-resistant, either because they’re worried that it’s going to confuse end users or because, from a security perspective, they’ll say, “Unless it can solve 100% of our challenges, we’re not going to roll any of it out.”

I think there are two things wrong with that approach. Organizations need to look at it differently. If we can go phishing-resistant with passkeys and technologies like Windows Hello for Business for 90% of our users, then that’s 90% of our users who aren’t going to be phished.

I also think people underestimate users. If it takes an end user five to ten minutes to set something up and it’s a one-time process, I think end users are more willing to deal with it than we think.

You can see that with consumer applications like Amazon. When they ask users to enroll in MFA or set up a passkey, they don’t necessarily give users much of a choice, and people just deal with it.

I think the problem is not realizing that people are more flexible than we think. That’s the main problem.

Do you think that will improve? What are your thoughts on the future of that?

I don’t know. It’s funny because I remember six or seven years ago going into organizations and helping them roll out more traditional types of MFA, and you’d see the same problem. Organizations would worry that everyone was going to be upset, and then nothing would happen.

It’s almost like nobody learned because now, only about six years later, we’re trying to do something very similar again.

You got everyone to do this once already, and while there are always a few people who complain, people generally don’t like change, especially in the beginning when they don’t understand something or think it’s complicated. They naturally have some resistance.

I also think security teams could do a better job helping end users understand why these changes are important. A lot of times, security teams either don’t tell users why they need to do something at all, or they provide explanations that are too technical.

End users don’t necessarily need to understand everything threat actors are doing. They just need to understand the danger and what the worst-case outcome could be.

I think when people understand what could happen if protections aren’t put in place, they’re more likely to understand why these changes matter. Systems could be compromised, or losses could be significant for the company and for the individual.

You’ll often see employees thinking, “It won’t happen to me,” or “I’m nobody in the company.”

In those situations, it can help to look at examples in the news. Unfortunately, you can probably find stories about someone in finance or another employee being phished or compromised, and those examples help make the risk feel more real.

Agentic AI is moving faster than the rules meant to govern it. How do you give an autonomous agent an identity, control what it can do, and track its actions on behalf of a human?

That’s a good question. Unfortunately, I’d say most agentic systems right now are still designed to act on behalf of the person.

There has been a lot of work around systems like Agent ID to build these capabilities, but right now they’re still very vendor-specific. If your agentic system doesn’t integrate directly with them, you basically can’t use them.

I think the real problem is that those systems inherently want to get the job done. Out of the box, they naturally lean toward acting as you.

There also aren’t many guardrails in place that force the use of non-human identities. Even if you create non-human identities, the systems don’t necessarily use them.

I was making this point recently in a discussion around NHIs. The idea was, “If we issue NHIs, people can use them with cloud-based tools.” That sounds great, but I can still simply tell the system, “I don’t want to do it that way,” and it will often respond with, “Of course, I’ll just do whatever you want.”

People will try to create guardrails around these systems, but ultimately, if you tell the AI you want something done differently, it will often follow that instruction.

I think controlling agentic systems is definitely an identity problem, and the identity industry is trying to solve it.

In the short term, though, the answer is probably more around endpoint controls and other restrictions. You can limit what people can do on their work devices and also make sure they aren’t overly permissioned within the systems they’re accessing.

We’ve already seen examples in the news where someone used AI and accidentally deleted a database or caused other problems.

So I don’t think that completely answers the question, but for now, until we have better standards for non-human identities that work more seamlessly with agentic systems, the short-term fix is controlling what users can do on their work devices and making sure they don’t have overly broad permissions.

What is your opinion on all this AI? From a cybersecurity perspective, is it dangerous? Will cybercriminals benefit from it?

I’d say when models like Mythos came out, there were people who completely freaked out and people who said it wasn’t a big deal. I’d probably fall more into the “not a big deal” camp. I’m not saying people shouldn’t be concerned, but I think a lot of it is marketing because existing AI models can already be pushed into doing things they probably shouldn’t do.

Even in security research, I’ll use existing AI models and sometimes ask them to emulate a threat actor because I want to understand how to defend against something. Suddenly, the model will start walking through an attack and then basically say, “Please don’t use this for anything bad,” before continuing.

AI is also interesting because more things are moving toward consumption-based usage models, and I wonder what impact that will have on threat actors. I’ve seen people say, “I was paying $20 a month for Codex, and now it’s going to cost me $2,000 a month.” Obviously, costs could also affect threat actors if they have to spend significantly more money to use these systems.

Things are changing all the time, and I still think it’s difficult to measure how much of a negative impact AI will ultimately have. I think some of the stories about threat actors simply telling AI to attack people are exaggerated.

I’m not saying people shouldn’t be concerned, but I think it’s still too early to tell. It’s also very easy to market fear around these technologies.

What does the role of a Chief Identity Architect look like five years out, and what skills are you hiring for now that didn’t exist on the job description three years ago?

I’d say you don’t necessarily see a lot of Chief Identity Architects. At least for us, this role is somewhat unique within the company.

Ian Glazer, who is well known in identity, has talked about the Chief Identity Officer role. You could say I’m maybe aspiring toward that type of role.

Ultimately, the point of a Chief Identity Officer or Chief Identity Architect role goes back to what we discussed earlier about where identity belongs. Identity doesn’t necessarily fit completely within IT or security. It occupies a space somewhere between the two.

In general, if you’re an identity architect, you need to understand a lot from the SOC side of an organization. You also need to understand a lot of things on the IT side and even areas you probably wish you didn’t have to know, like device management and related technologies, because many of the signals from different systems ultimately feed into identity security systems.

I’d say it’s difficult right now, and looking toward the future, many identity professionals used to come from system administration backgrounds. Now, many people coming out of universities have cybersecurity degrees, but there’s often very little focus on identity within those programs, and sometimes that becomes noticeable.

Organizations need to take identity more seriously. I don’t think every organization necessarily needs a Chief Identity Architect, but most organizations should have some type of identity architect or identity engineer and try to find people who have an identity background.

Whether that’s someone who has managed Active Directory or someone who has been working with Entra or Okta long enough, the background matters.

I think the skill set itself will probably remain similar to what it is today, which means understanding a broad range of technologies and systems.

I would say identity professionals also need to learn AI, whether they want to or not. I was probably not very interested in interacting with AI initially, but eventually you start getting questions about non-human identities, agentic AI, and how to secure them.

At a minimum, you need to catch up with it. A lot of times, for me, it’s about using the systems directly because that kind of hands-on learning is usually the fastest way to understand it.

Whether you like it or not, you need to understand it.