Cameron D'Ambrosi, Managing Director at Liminal
Peter Padd, Co-Founder & CEO at Fortifyedge
Cameron D’Ambrosi [00:00:03] Welcome everyone to State of Identity. I’m your host, Cameron D’Ambrosi. Join me in this conversation with Peter Padd, co-founder and CEO at Fortifyedge. Peter, welcome to the podcast.
Peter Padd [00:00:16] Hey, good morning from Australia. Everybody had a five year old doing really well today and look forward to sharing a bit about what we do at Fortifyedge with Cameron and all of you.
Cameron D’Ambrosi [00:00:26] Fantastic. Well, Peter, before we get into exactly where we are in this moment in time and digital identity in what Fortifyedge is building and why you’re so excited about the prospects for the future here. Love to hear just a little bit about your background, kind of how you came to co-found Fortifyedge and what those formative experiences in your professional career were that kind of shaped your view on the digital identity space and some of these opportunities?
Peter Padd [00:00:57] Yeah, I think so. So we formed up the company in 2019 and like a lot of startups, a few of us were doing that sort of customer exploration of what’s what’s sort of the next way that we can do identity authentication access. In around 2018, I attended a conference on machine learning and there’s some really interesting academic things looking at new and novel ways of doing very tiny machine learning. So I thought, Oh, that would be a great, great technology to apply to the identity challenge. So that was that was when we formed it. And then we got into a Techstars program with the US Air Force and got to do lots of our customer discovery. But before that, why why would I pick this? I mean, I started my career working on middleware programs with IBM in the late eighties, even though I’m 80. But I always worked on middleware and the infrastructure and and then moved to Silicon Valley in the US in the early nineties and got very fortunate, got through the, the whole birth of cloud computing. We school at ISP and we were doing web services and we had to secure these things and so on for a while. And a number of Fortune one hundreds as well. Building. Like the next generation of secure applications, we extended the enterprise systems. We then I then came back to Australia and I was like, What am I going to do? So then I spent about the next decade working on the digital core digital infrastructure for the Australian governments health system. So I worked on the two big programs was basically national provider identifier. So having a unique identifier for every patient healthcare organization and professional, and also the National Authentication Service for Health. So that’s really delving into picture. I’m building a very key CIA in Australia that’s highly trusted data center level stuff. So, so is doing all that and then, you know, once the kids grow up, it was time to do start up again. 
So building on all that and where we were, you know, we were just starting to do with some about how do we do with identifiers for devices because they’re going to start getting smart and how do we trust those and all that sort of stuff. And we started to see some of the problem statements coming out of government such as, you know, how do we trust I’d say, how do we trust wearables? We’re going to be using them in disaster scenarios. How do we work with them when they’re not connected and we still trust them when they reconnect? And that was the foundation of the problem. So what we formed the company on.
Cameron D’Ambrosi [00:03:34] Well, that’s as good of a segue as any into, you know, what Fortifyedge is, what you’re about and what your thesis for, how this is going to impact the digital identity space as.
Peter Padd [00:03:46] So I think that’s why, as I referred to, because when I did, all that work was like, I’m always you you always looking at the next right and all the standards and everything. It’s a foundation of a lot of this work. And in the public safety area, I have a group called the Public Safety Communications Research Group, and we got in their accelerator philosophy. It’s all focused on, you know, how do they make things better for first responders? And they actually put out a draft standards probably full now just middle of last year on how do we do it and how do we do a sanitation, biometric authentication for first responders because in their environments, friction and sort of traditional stuff can actually be a distraction to their mission because they’re wearing PPE. Right. We all know what PPE is now. Right. So so, you know, a lot of our stuff was good in an office and we live with a lot of the friction. But for these folks, it can be a distraction from their mission and can exacerbate the emergency. So you imagine, you know, they want to be connected operators, they want to be wearing wearables and use i.t and make decisions at the speed of relevance. But how do we trust all that? How do we work out if the bad guys got control of one of the i.t. Devices and are listening to see where the fire fighting team is and so they go somewhere else to start a fire and then, you know, they want to share devices. So how do we easily with that friction even transfer the identity of who are we going to bind this device to this set of wearables to the next shift of a firefighter, for instance. So that was that sort of, you know, give you one example. We use a lot of horizontals for. We do, but we started with the archetype of the extreme user to really push the innovation for someone. That not only is friction like really annoying, actually it exacerbates emergencies on their mission, which can be significant. 
And then the other side is we better be really good at detecting adversaries getting control of these devices that are out in the wild because, you know, the combination of the access to the information they have and potentially to ingest bad information that could lead to bad orders and bad decisions all the way down to catastrophic stuff. It needs some really good, you know, creative ways of solving that problem.
Cameron D’Ambrosi [00:06:12] I think creative ways of of solving the problem is a great way of thinking about kind of this current moment we’re in right in in identity. And I think you’ve hit on a lot of those challenges, namely, right. How do we get assurance levels up? How do we keep friction down? And thinking about these in use case specific ways in many regards I think is a really great, you know, finding screen, if you will, to kind of get at what actually is going to. Makes sense in terms of a successful solution. You know, like you alluded.
Peter Padd [00:06:48] Yeah. And I think it’s really important. And now I have that, you know, again, I’m very fortunate always in Silicon Valley and Silicon Valley, you know, through the nineties and through the crash, though. And, you know, we used to go and build stuff and, you know, raise tons of money. And, you know, I spent a lot and I six, 12 months, 18 months building it. And then we would go and talk to the customer and go, Oh, my God, I hope this actually has product solution. So so we’ve sort of gone, you know, you don’t need to do that. Get out of the office, go talk to the users, operators, whatever, you know, and just get feedback because you could over engineer and not actually solve the problem and your team might love it but actually doesn’t solve anything for that’s that’s what’s great. We’ve done a lot of that with, you know, the public safety and defense and more recently with some of the industrial customers like Siemens and stuff where where the systems are critical and information and commands that we can control, that we want to do to them all this heightened level of risk. And we all we’re all quite aware that going through some of the cyber activity we’re dealing with and watching across the globe at the moment. So how do you trust who’s really, you know, using that device when they’re out in the middle of the wild? That’s what we’re all about.
Cameron D’Ambrosi [00:08:12] Let’s dive a little bit deeper into the solution itself. Is it safe to say that you are doing you know, as I understood it from our previous conversations in your website, you know, it is. Behavioral biometrics are behavioral analytics combined with edge computing in the sense that many of these solutions are kind of relying on moving things off of the edge to kind of make some of these determinations as to is this an authentic transaction or behavior? And you guys are doing this all at the edge and all. And, you know, I hate the term real time. We’ll call it near real time and on a continual basis.
Peter Padd [00:08:54] Yes. So if I go back to the new standard on. Authentication for the first responders. They’ve got a section in there where they talk about biometrics and the challenges. And we talked about that taking off, take off. You pay to use certain biometrics. It could put you at risk. And in the light of sections of the specification, they talk about the future of biometrics and advanced biometrics. And I talk about the future is going to be doing sensor fusion with a bunch of sensors that are already in all these wearables. And I’d say things and we can get off that and we can sort of combine all of that to get a really good accuracy score using forms of machine learning. Because machine learning’s really good it like looking old and like you said it’s it’s else. So it’s something that you know, machine learning algorithms know deep neural network. Once we use that continuously analyzing the sensor data and that sensor data is able to be continuously monitored to look for, to re identify you and then also be used to identify an adversary putting signal to the IoT device, whether it’s a wearable or a vehicle or whatever, that isn’t signal of the human being that it normally is and it can do it very quickly. And that’s that’s the and it’s quite interesting as we you know, as I did so much work for the government and everything, you know, we really had to start to look at the use cases from adversary. The adversary attacking is the primary use case first and do all sorts of analysis of that versus sort of the ally. And then suddenly the odds of happy path becomes a lot easier. So our ability to to detect within seconds of bad guys are using like say a smartwatch or something is what we’ve been able to do. 
And because it’s the neural network is constantly looking at stream the data on the device, it’s quite efficient because we’re not using up network which sucks battery drawer and these things are on to send all send all the data some way to process it even on a on a sort of edge could even be an edge sort of mini server like one we use with Microsoft. Now we can do it on the device because it’s quite efficient. So, so that’s, that’s, that’s by sorted. So it comes with the benefit of it’s a silent passive thing that is running in the background on the device, watching the sensor data on the device and spitting out the neural networks which had a school that it says audience camera, 97% hold on Sunday, it’s 20% and it’s not him. What’s his policy on that? You know, step up this indication, you know, praise your finger on the watch or something. You know, you’re always going to be part of the you know, the MFI. We said that’s basically how what we do is working and it’s a piece of software. So you can sort of built it to put it on any of these things.
Cameron D’Ambrosi [00:11:50] So in terms of, you know, end applications and how you are looking to come to market with this technology, talk me through your go to market and where you’re looking to penetrate in, you know, where you think you guys have a leg up on some of the current solutions that are out there in the space.
Peter Padd [00:12:07] So I go to market. Given what given what we do, our go to market has really been with partners. So the first one that we partnered up was with Thales there’s two parts of the Thales business, so we partnered up with them a couple of years ago and they acquired Gemalto a few years ago, which is a big player in the whole identity space and security. So that’s been fortunate to work with those folks and on the defense side. So we’re looking at the sort of public safety defense side with them. And we built a solution which was a full edge solution with us, some Microsoft intelligence defense called the Nexium Defense Cloud Edge. So we’re basically the for like a defense personnel, a first responders, we basically became the sort of zero trust identity access solution for those personnel when they want to access what what what is this Microsoft Edge or SEC Edge mini box? It’s like a it’s a backpack size cassette deck edge server that runs or that they can carry around in a backpack or in a fire truck or something like that. So that’s so that’s one market we’re going to and is quite a lot of adjacent. The other the other one we’re looking to is an on the on the commercial side is we got some interest and we got picked up by Siemens a few weeks ago to go to the World Expo. They picked up five startups around the world to integrate into mine, and that’s one of the leading industrial I.T. platform middleware in the world that connects us to all those devices because they need added security and so that so we basically built integrated our stuff with that platform a couple of weeks ago that up there and showcase that. And what that means is now we can improve the security to all the IoT devices which have very legacy technology. But I need to get the data out to, you know, improve predictive maintenance, improve operations, but also who’s actually issuing commands to that how to device that’s running a power station or gas station. 
And we’ve there’s enough examples right now on the Internet of those things getting hacked and people turning off power stations and other things. So now if you think of the relying party, which is those devices via say I take place online nicely, it basically says, okay, well is is still is the operator whose Cameron authorized one is it him the prime party just needs to do that. I do that that challenge to the device, whether it’s a wearable or augmented reality and it can say, yeah, look, in the last 10 minutes, looking at the confidence falls out of the neural network. It’s been 90 plus percent of the time. I say I’ll give them access to that in my commands, but as I say, in in normalize in that data, they can do that just in time decision. So just in timeless indication to determine I’m going to stop access. And so now the reason why is very important on the frictionless side a lot of these sorts of uses in the to have frictional any host of high frictional syndication to kind of think of like air traffic controllers then allowed to be having passwords and windows popping up. It’s a safety issue. So we get it. We’re getting into space where it’s cyber, physical security. It’s not just cyber anymore. It is a physical so physical world and there’s safety issues and safety risk as it’s not just a cyber vector. So multi-domain sort of problem. So those are the use cases we’ve had. What we’ve found is it’s an archetype of a market where high levels of security are required. So we started there. But, you know, this honestly, there’s so much, so much opportunity for these use cases, so diverse. You could be busy just doing all of those for a long time and keep yourself very busy. So that’s what we focus on, highly mobile user that needs that sort of high level security and has those zero trust principles, which is it’s MFI. Right? That’s that’s not too bad. But you verify every access. 
So by having a continuous authenticate at a point in time, it’s time series data of these things we know exactly it’s an audit trail point in time who is doing it and by the neural network and the sensors that algorithm has bounds are use it to the device in the context of where they are at that point in time. So that’s why overall we see the trust goes up with what we do.
Cameron D’Ambrosi [00:16:46] Tell me a little bit about, I guess, what’s one of the. Fundamental challenges of, I think, using these hidden or low friction or zero friction factors for identity use cases, which is how do you establish that initial linkage to an identity, both in terms of the first time I’m present, how quickly can you kind of build a profile of me? And then then I think the trickier part, which is, okay, how do we establish that first link to, you know, okay, this is Cameron’s signal pattern. And how do we know that it’s not his wife who was the one who originally established it and therefore is now, you know, the next time she tries to come back in, we think, oh, it’s it’s Cameron. It’s really his wife, you know, similar to how right now I could set my wife’s face or finger, for example, as a second fingerprint or a second face from Apple’s perspective. So if they push a biometric challenge for me, you know, I could really have my wife be the one who is, you know, accepting that.
Peter Padd [00:17:46] Yep. So so we you know, again, back to my background, because when you build this sort of stuff for government, you have to be standards based because you know, we had hundreds and hundreds of companies use that stuff for the Australian government. So I was very happy to see FIDO came into existence, you know, a few years back. So we so standards like FIDO and so on. We used to, you know, we used to design how we did this and but in particular for that, this is a now that this is a second sector in that sort of fighter model. So we’re not trying to do everything we would be part of. So like for instance, if you added this is another authenticator into Active Directory into his or ID or whatever we would be part of part of your identity establishment lifecycle. So we’re not we’re not trying to replace those guys. We would just work with them. So so it would be another option there, but we would be relying on your traditional biometric, but the value here would be okay, you may use Face ID to start your session, let’s say, and then we reduce the number of times you need to use a Face ID because the so the you know, the policy the policy algorithm, the continuous access evaluation algorithm, he would basically give a score and determine whether you need to go back and use that as a factor. So we always assume we’re going to be working with that stuff. This isn’t a throw at you old stuff, and we’d be part of that establishment that you’re already using.
Cameron D’Ambrosi [00:19:23] And you know, how does it how quickly can you spin up that that profile?
Peter Padd [00:19:29] Yeah. So that was a really good question. So at the moment, because it is, you know, we, you know, the actual inference engine and machine learning run on the device and during inference. So when it’s like actually an authentication mode or anti smooth mode, it’s operating on a device. The sensor data is done on the ice, but with machine learning, you’ve got to have a training slice, right? So right now the training phase so is very interesting. You get a lot of data from sensors. So depending on the you know, how many hertz it’s that, you know, you’re talking line 50 to hundreds of samples of data to a second and then you’ve got dozens of sensor points off a device. You actually getting a large volume of data to write to quite quickly establish your identity and what we’ve and you know my core team a. Researchers at Ph.D. levels at Sydney University in machine learning and so on. So that’s everything sort of got science behind it and they’re able to at the moment where we’re training out within a matter of a couple of minutes to start to get to 90 plus percent confidence levels to identify you. So it’s quite quick and we’re in the process of generalizing the model to even reduce that. So so if you think of, you know, one of the principles of the company is that privacy principles use really good data to identify you, but leave it in control of the user. So, you know, don’t send it off off the device somewhere. And then the second part is reduce the friction. So it’s not just about decreasing the friction when you’re authenticating, but it’s also the whole establishment of that, you know, biomarker signal that where we’ve we’ve trained up the algorithm to do so. So we’re working on that now to generalize the model more and reduce that time. Yeah.
Cameron D’Ambrosi [00:21:16] That’s fantastic. So, you know what’s next? I do love to ask my guests, you know, to take out their crystal ball and and make some predictions for the future of the space. I think, you know, there’s been so much hype around Passwordless and I think many of the solutions that are coming to the fore now in many cases are. Password. Even if they’re not directly password related, they’re in many cases password reliant. And I think you’re pushing the paradigm in a slightly different direction here. You know, what do you see happening in in the next couple of years?
Peter Padd [00:21:51] So I think, you know, having been in this, you know, I remember going to like smartcard conferences in DC and everything. I’ve been watching this for years and it we always were like tradeoff of security versus usability and you know, we used to always joke, look, if you wanted to be really secure, go and get one of those US Air Force bankers and put it on the ground and die connected in Iran. And we used to say that to the security folks because what we found and working in health care, you know, as soon as you start putting too much friction into the use cases, they turn all the security off because it’s actually putting at risk patient care. So I think where we’re getting to is we truly can like have a combination of higher security without forgoing the usability. But we’re still not there. There’s still a lot of friction. So when people say Passwordless, it’s not frictionless. It’s still there’s still a lot of steps. And that’s the benefit of being away from Atlas and a whole bunch of folks know you can really see that scale, like what’s being used. So I think that’s one part like we’re going to the cybersecurity industry is going to get because we’re not like a leader in adoption of machine learning and AI. That’s other areas. So I got I say there’ll be a lot more of that and that’s going to help a lot because there is a need to respond to a weaker signal of industries basically stealing who you are and then accessing those systems and that adversaries are getting very sophisticated. So I think that’s one part. The other is another partner we have. We’re an ecosystem parties that build all the microcontrollers because our software is currently the place for them to. Build is down to the silicon level. So, so so the future here is I’m going to be doing authentication, identity, whatever at the silicon level. So even below the OEM, the manufacturers of the watches and the phones and have machine learning down there. 
So it just is getting more and more efficient as well. So that. And what that means is down the track, we’re going to start using devices without mobile phones. We’re going to have a great experience with them that we’re going to get personalized. It’s going to be working that quick off. The silicon that it’s in knows you and I get in the back of a fully autonomous vehicle and it knows it’s me, but I didn’t have to give anything away. It’s just like, you know, basic identifier and confidence score. And then how do you want to use my augmented reality environment to hold your next meeting? And we could be doing this podcast from an autonomous vehicle, for instance, and it’s fully trusted and secure. And, you know, it’s me because this actually could be not me. Right? So this is I think that’s the future for us all. And I think I listen to a talk by the CEOs of Opteron also when they did the merger. And it was a really good talk. And I basically said, you know what? I’ve learned and I learned this as an engineer that I like whatever technology you the foundation of your company was built on luck. That’s it. So we built this at the edge of the endpoint devices. And I know that with over all the years, from the first time I put in a PIX, you know, firewall and checkpoint and DMV and stuff in the nineties, you know, that was all built for the data center and stuff. And we have a decentralized capability and it’s going to get really powerful. And and with that comes, we need even more powerful cybersecurity to protect the ability of what we can do at the endpoints. So, you know, that’s the future coming and that’s why we’re sort of leapfrogging beyond the office and the really mobile work because that’s sort of the future. They’re the ones that going be highly connected, interacting with all sorts of IoT and wearables to to perform what they’re doing or in your life.
Cameron D’Ambrosi [00:25:58] I love it. I think look, I think you’re spot on in terms of the directionality of a lot of those predictions. And, you know, I think IoT and kind of the edge computing power that is about to be, you know, in the hands or on the wrist of people beyond just the cell phone, I think is going to unlock so many different applications for identity. And it’s also going to be a major pain point. And I think, you know, platforms like yours are hopefully going to pave the way to making all of these adoptions much more seamless and making sure that we’re covered that much more well by digital identity and the required security that these applications are going to need.
Peter Padd [00:26:41] Yeah, and it’s it’s look, if I give you an example, I yeah, we we actually I also I’m actually out here at the Spices for Spice Forum and because guess what? An astronaut is just somebody with a big giant PPE thing on run and I have to secure space as well. As you can hear, there’s you know, there’s assertions that the satellites are being hacked and everything. So whether it’s the ground station or the astronaut up there, they need identity. Right. That’s that’s a connected big giant fly and IoT device. So so that’s why edge computing becomes really important because, you know, it’s a 30 minute round trip to Mars. You’re not going to be able to call back home. So so the whole sort of edge world is, is, is coming. And it’s interesting because we went all the way to the cloud and now we’ve gone back to the right. We need a bit of back. And you need. That’s right. You need edge to cloud. And that’s that’s what that’s our thesis of what we’re working on. Yeah.
Cameron D’Ambrosi [00:27:43] Yeah, I like that a lot. I mean I think. So what’s the cliche I’m looking for here? Maybe, you know, throwback to true detective time is a flat circle. You know, I think people go chasing the latest fad in some regards and they immediately think, well, that’s going to replace all applications with this. You know, there’s going to be no such thing as on prem because of the existence of cloud, which is obviously not the case. Like there’s still, you know, applications where on prem or on the edge is going to be better than cloud. And just as I don’t think, you know, edge computing is going to completely eliminate cloud. We need potential paths forward for all of these different problem statements and solution sets. So to your point, you know, a mission to Mars versus what I need to, I don’t know, unlock the mailbox at my house, you know, two different two different things.
Peter Padd [00:28:39] Yeah. And and and if you think, you know, as we’re getting more and more power in the end devices, you know, I still remember building out, buying all those Sun Microsystems books because, you know, we’d sort of run in the first cloud and and the power of those supercomputers. You know, my latest iPhone has the same email suck. And I was running like enterprise supply chains on that. So. So if you think in the next five years, the sort of power we’re going to get with like all the wearable tech, that’s a great opportunity. And that’s where I say we you know, we’re focusing on really tiny, small cyber security solutions that can run even when they’re disconnected. So as adversaries, you know, the first thing I like to do is this. We less and less often in defenses disrupt the network, disrupt the RF over tight control of the device, you know, go malicious, right? So if we have like autonomous intelligent neural networks able to like protect itself on a little device like that, that’s, you know, that’s where we’re heading, right? We want to stop the attacks before they even get off the damn thing. So that’s so that’s our, you know, our design and what we do store in the year. And because you think about it, right, yeah, we’re going to add more primary use cases of machine learning and AI and all these devices and they’re going to be doing all sorts of stuff. So how do you you know, the AI moves at the speed of, you know, the silicon? So you need like security to keep up with that speed. And you don’t want to have a ton of friction with all of that because it’s going to basically negate the use of it. And as usual, you know, people will just turn it off, which can lead to pretty big catastrophes. So. Yeah.
Cameron D’Ambrosi [00:30:35] Fantastic. Well, Peter, thank you so, so much for your time. I really, really appreciate it. Most critically. Time for a shameless plug for our listeners who want to get in touch with you better understand the platform that you’re building or, you know, learn how to collaborate. What is the best place for them to go to do all those things?
Peter Padd [00:30:56] Best is to go to our website. So it’s Fortifyedge dot com. And if you want to get in touch, there’s a there’s an email link on there. And we’ve done in the past year we’ve done some podcasts like here but we also did some keynotes with aam and Sunset is some great links to videos. We can see it working and get a deeper rundown from some of our engineers on what we do. And we’re a partner based company. So you’re an OEM. We want to partner if you’re an enterprise and you need better security and if you working down at the silicon level, you know, we partner with companies like ARM to go into, you know, at that level so-called flexible and who we can work with. All right. Thank you. Thanks so much.
Cameron D’Ambrosi [00:31:41] Oh, it’s my pleasure. Thank you again. And please be well.
Peter Padd [00:31:45] Thanks so much. Thanks, everybody.