Fighting Crime With Technology: Safety First

When Jerrid Powell went on a shooting spree in Beverly Hills last year, he had no idea what he was up against. Law enforcement used Flock Safety's evidence-based crime-solving technology to help locate him. Powell was quickly apprehended and is now behind bars.

Flock Safety is a success story. In less than six years, the native-cloud company has become one of the country's largest public safety technology vendors. It plays a part in solving 10% of crimes in the United States, equating to about 2,000 cases per day, according to a report from the company and validated by independent criminology researchers. It does this by analyzing a vehicle's "fingerprint" using object detection and machine learning, focusing on everything from license plates to bumper stickers.

With so many law enforcement agencies relying on its technology, Flock Safety puts security first. That means securing the identity of its user accounts, along with 1,000 employees and a fleet of cameras, video cameras, and audio detection devices.

From the beginning, Flock Safety has been using Okta for human identity management against its corporate systems, like Salesforce, Google, and Amazon Web Services. Using Okta's customer and workforce identity cloud technology, employees, customers, and contractors authenticate themselves by entering their credentials. It also uses Okta subsidiary's Auth0 to authenticate Internet of Things devices, like cameras, to its FlockOS and devices.

"Imagine a network of cameras, drones, and gunshot detection devices across the United States," explains Eric Tan, the company's CIO and chief security officer. "Each one of those devices has a unique ID and secret associated [with] the device that's calling home to the mothership to authenticate and pass on images or videos."

Flock Safety's approach is comprehensive. Alfredo Ramirez, a senior director and analyst of security and emerging technology at Gartner, says that while most companies do use some type of modern technology for employee authentication, they are often less successful at handling nonemployee identities or correlating all of them across connected corporate applications.

Covering All Bases

While Tan is quite satisfied with the protection Okta and Auth0 are providing, he noticed that as Flock Safety's customer base and reach grew, it needed to expand past authentication into the realm of authorization. Essentially, authentication is the first step in identity management, but higher levels of security require authorization, which moves beyond identity verification to determining users' levels of access and granting access based on those levels.

"When an identity or user account authenticates onto our platform, we know we're covered, but what we don't know is where that identity is going once it's on the platform," Tan explains. "That's what we wanted to address."

With that goal in mind, Tan found Permiso Security, a cloud security company that had recently branched into identity management. With its ability to track both human and nonhuman identities across authentication boundaries, Permiso's Universal Identity Graph seemed like it could bridge the gap between authentication and authorization for Flock Safety.

Tan looks at it this way: "Auth0 and Okta are important preventative solutions, but Permiso is more like a motion detector system in a house. I want to know who or what is coming into all of the different rooms, and if anything looks off, I want it to let me know."

This is the first year where vendors are going to market claiming to be able to discover and secure all nonhuman identity types, but very few claim to be able to handle securing both human and nonhuman identities within the same solution, Gartner's Ramirez says. Most, like Permiso, are using some sort of graph database technology, unlike incumbent identity vendors.

Over the next three to five years, Ramirez expects incumbent identity security vendors to build, buy, or partner for nonhuman identity solutions to complement their human identity solutions. In addition, he expects startups to continue to advance in this area.

Looking Ahead

For Flock Safety, the time to get this up and running is now. Through an API, Permiso's solution can see the identities in Auth0 and Okta. Flock Safety also exposes the API to some of its more critical systems, like Google Workspace or GitHub, so it can monitor for suspicious activity.

"If one of our cameras were to call home and eventually grant themselves access to our GitHub source code library, that would be really odd. Permiso would pick that up," Tan explains. "Similarly, if you had an employee who was a field technician, and that person's user account was granted additional permissions or elevated access within our Google Active Directory or Workspace environment, it would alert us and automatically quarantine them."

Tan is considering adding Astrix Security's nonhuman identity security platform for real-time discovery and mitigation of breaches by nonhuman identities. He's currently evaluating the tool.

"For example, if there is a test API account connected to our GitHub instance with elevated privileges that the team isn't tracking, I would have the team either shut it down, reduce the privileges, or make it authenticate through Auth0," Tan says.

While it might seem like Flock Safety is adding a surprising number of identity-related security tools into its stack, it's always better to be as prepared as possible, Tan says.

"The concept of solving for nonhuman identity risks is still in the early innings, similar to LLM risks," he says. "The idea is to pick a handful of early innovators and compare the results. In my experience, they're usually always different, allowing us to think about the various threat vectors."