
#101 - AWS Cognito & CIDPRO with Sarah Cecchetti

Jul 12, 2021 | 53 min | Ep. 101

Episode description

Jim and Jeff talk with Sarah Cecchetti, Principal Product Manager for AWS Identity and Co-founder, Board Member, and President of IDPro, about AWS Cognito and the new IDPRO Certified Identity Professional (CIDPRO) certification. Connect with Sarah on LinkedIn: https://www.linkedin.com/in/sarahcecchetti/ IDPro certification link: https://idpro.org/cidpro/ Learn more about AWS Cognito: https://aws.amazon.com/cognito/ Connect with Jim and Jeff on LinkedIn here: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show at www.IdentityAtTheCenter.com and follow @IDACPodcast on Twitter. Have a question for Jim and Jeff? Ask us here: https://anchor.fm/identity-at-the-center/message

Transcript

You're listening to the Identity at the Center podcast. This is a show that talks about identity and access management and making sure you know who has access to what. Let's get started. Welcome to the Identity at the Center podcast, I'm Jeff. And that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad, yourself? Good. Keep him dry. Like I said, I'm looking out my window at my pond; it will probably be a lake.

Tomorrow it might be oceanfront. We got the big hurricane that's going to go right over top of my house, Hurricane Elsa. Hurricane Elsa is going to let it rain. Let it rain, I guess, is the way it's going to go, huh? Yeah. I'm less worried about the rain in my particular situation, but we've got some trees that I'm, I guess I'm more concerned about the wind blowing

a tree over onto my, my roof. I have a roof over my head, so I don't have a whole lot to complain about, but the trees could change that. This is true, and I think, you know, from a timing perspective, it probably works out pretty well because I know you're going to be on vacation in a couple of weeks. I think you're going to somewhere in Florida, right? Yeah, actually. I'm going what I thought was the

original path of the, Tampa, and looks like the storm changed path, changed its path a little bit so that it went a bit north of that. But now it's going to be directed over my home in Augusta, Georgia, to make a path over to Columbia, South Carolina. Anyway, this is not the Weather Channel, so I'll stop it there. Into that, the late weather news, as you're listening to this, may be weeks or months after it took place. Yeah. For my, we are all the content. This is what we strive for on

the Identity at the Center podcast, absolutely. Well, I think the important thing is the timing, right? You're on vacation, you're going to Florida. I'm actually going to Key West in a couple of weeks myself. So I'm not looking forward to, you know, being part of a hurricane situation at that point either, but we'll see how it goes. Well, if folks are interested in how the sausage is made, we're recording with Sarah, you know, a couple days before this one will go live, but we've been

recording some backup episodes, so that while we're on vacation, we don't miss our publication schedule. We've been pretty anal about that in terms of getting our episodes out every Monday at 12 noon Eastern time. So planning to keep that, keep that going throughout the, throughout the year. Yeah, two years, 100 episodes, and 101 is going to be this one. You mentioned Sarah. So why don't we introduce her? Her name is Sarah Cecchetti. She is the principal product manager for AWS

identity. She's also the co-founder, board member, and president for IDPro, which is a lot of different things going on. Welcome to the show, Sarah. Thanks very much, Jeff. Yeah. So I'm excited to have you on here because for a while, for a couple reasons, right? So for IDPro, I've been a member, I think, since inception, which I know you founded that a couple years ago, 2017, I believe.

So I've been there since the beginning, little bit of find a wall, but I did have served on a couple of boards, one for the board selection committee, whatever it is, I am butchering the name on that one, but for that. And then most recently on the IDPro certification, or CIDPRO, which we'll talk about later. But before we get too far along, what I'd like to understand, though, is from your perspective, you know, how did you get into the identity space? Is it something that you chose

or did it choose you? I sort of fell into it sideways, which I think is more or less what happens to everyone. My undergraduate degree is in physics. I was really excited about being a rocket scientist when I was in my early 20s, and then got my undergraduate degree in physics and realized that one undergraduate degree is not quite enough to go be a rocket scientist, that you need a lot more school.

And I was not up for a lot more school at that point in my life and so I didn't really know what I wanted to do. I went and got, like, a secretary job at a non-profit and their website was god-awful and so I took it upon myself to make a website better and, like, they were using a content management

system based on Python. So I taught myself Python and then they moved their headquarters from where I'm based to New York and I said, well, moving to New York on a secretary salary just really doesn't seem like a good life plan, and so I'm going to stay in Seattle and I'll take the severance package, but while I'm doing that, can you change my title to, like, a technology services something something? And they said sure.

Like, that's the least we can do, we feel super bad for laying you off, and so they changed my title. I became a technology services something something, and then eventually I got recruited by an identity team who basically said, we know identity really well. This is at the University of Washington. They've actually built a lot of the identity tools that other universities use and open-sourced them. And they said, you don't need to

know identity. We can teach you and, like, you have a year to ask all the stupid questions, and that was awesome. And I had just gotten out of grad school at the time and so the first thing they said was, hey, you should go and read all of the new specifications and, like, summarize them and tell us about them. And so I went and read FIDO and I went and read UMA and read OAuth and everything that was going on at the time.

And then I started going to conferences and I met the people who had written the standards, which is really amazing. And so I got to ask them, like, why is it this way? Why did you put this in there? Why do tokens, like, why are there only bearer tokens? Why are there other kinds of tokens? And, like, got, like, long, involved. Like, normally, when you go to technology conferences, people do not have time. They do not want to answer your questions.

They will not, like, sit and explain things to you. They get very impatient with that. And identity people are not that way at all. Identity people are super nice, super generous with their time, and they're so happy that someone has read their standard and that anyone cares, and they will happily, like, sit in the bar for two hours and explain to you why bearer tokens are bearer tokens.

And so I got to learn the identity field really well and eventually people said, oh wow, you've like you've read all these standards and you understood them. Like can we hire you? Will you work evenings and weekends. Can we come like, will you come to our office and explain these to us? Because we don't have time to read all of them.

And so I said, sure, and I started kind of moonlighting in addition to my university job as a contractor, and eventually I was working 20 hours a week as a contractor in addition to my 40-hour-a-week job, but I was making twice as much money contracting. And so I was able to jump ship and I quit my full-time job and became a contractor, and my company was called Engage

Identity. And that's roughly when I founded IDPro. So Ian Glazer, who runs identity for Salesforce, and I, I think we were at a bar at RSA and we were bemoaning the fact that security gets so much attention and privacy gets so much attention, right? They have C-suite positions, and identity, like, is this third leg of the stool that's critical to both of them and it gets no respect, no attention. We don't even have a professional organization that identity nerds can join and, like,

learn about their own field. And isn't that a travesty? And then, like, we looked at each other and were like, shit, we're going to have to do all this work ourselves, aren't we? Like, we're going to have to found this thing. We're going to have to move forward. And so we did that and we founded IDPro; that was in 2017. And then after that, I spent a year at Ping and then I came to AWS and I have loved AWS. I'm like a fish in water

here. It is totally my culture and my jam and I'll probably be here for a long, long time. What makes it? So Sarah, that's, it's a fascinating story. I especially liked the part where you sat at a bar and were thinking, how are we going to solve this issue of awareness, right, around identity? Because I feel the same thing, right? It's, it's always been kind of tucked under, you know, infosec or, you know, maybe audit in some earlier stages and things like that.

But it really is foundational; any security component has to have identity in it. And if you don't have that addressed, you're going to have a bad time. You're probably going to be in the news for all the wrong reasons. So I'm glad that you started it. I'm glad that it started at a bar, that's even better. And we've had, we've had Ian on the show as well. I think he kicked off our first episode for 2021, so he's a good dude. Definitely will echo what you said too about the identity

industry being so welcoming. I think it's one of the industries, at least that I've been part of, where, you know, everyone really is, you know, willing to share their knowledge. It's not an arms race when it comes to trying to be better or worse. I mean, I understand there's probably some of that when it comes to product, you know, for sure. You know, people are trying to, you know, have the best product

out there. But at the end of the day, all the people who were in the industry are very willing to share information and we have, we had them on this show and we talk to them at conferences, you know, and we're going to all times different things. And, you know, people are very

gracious with their time. And I would certainly encourage folks who, you know, are looking to get into identity, or if they've only been in identity for a short time, or if they've been in identity for a long time, reach out and talk to somebody, right? I mean, I think you'll find most people are, you know, pretty open to that.

And they are certainly receptive to having their work read and commented on; otherwise, you know, it dies somewhere in a LinkedIn post somewhere where, you know, maybe not a lot of people might see it, so definitely echo that for sure. Yeah, and a lot of the work that we do in identity has to do with interoperability, right? So we are unlike other technologies in that we have to work together, and the way to make our customers have better experiences

is for us to talk to each other and make sure that all of the attributes that we have are coming across and that they're coming across correctly and in the way that customers expect.

And so identity is kind of an unusual field to work in, in that you have to work with your competitors, and we have these kind of teams of rivals all the time where we have to build standards together, and so we all know each other and we can all share knowledge, and that's really the only way to learn this field. Like, there is no accredited undergraduate degree for identity and access management. You can't get one. You have to learn it on the job. It's the only way. So I've got to imagine that

not everyone always agrees when you're sitting in these rooms and you're trying to come up with something that is interoperable between different products. What is something that people might argue about

when it comes to integration? I mean, I'm not looking for, you know, dirt or anything, but I'm curious, as someone who's not taking part in these conversations, you know, what are some of the things that you guys are trying to figure out, and maybe one organization or one person, you know, thinks it should be done this way and another person another way, how do you kind of come to consensus around that?

So one of the big contentious things: I was one of the co-authors of the NIST digital identity guidelines, which were rewritten in 2018. And one of the really contentious things was that we wanted to deprecate SMS MFA, because when you send a multi-factor authentication code as a text message, that text message can be intercepted with off-the-shelf hardware and software, we know that. And so it's not very secure. There's SIM jacking, right?

There's lots of ways for an attacker to get to that, to get to that message. SMS as an infrastructure was never intended to be secure. And so the telco companies obviously took issue with us publicly saying, this is insecure and we need to deprecate it, and said, look, we have ways to detect SIM jacking. We have ways to time-limit these codes so they can't be used for very long. Like, this is an okay way to do multi-factor authentication and it's better than just a

password. Like, there's no question about that, and it's really easy to deploy. It doesn't require anyone to install an app, and so there are a lot of benefits to it, there are a lot of drawbacks to it, and the same thing is happening. I'm like, the same sort of discussion is happening right now with using email for multi-factor authentication. For a long time

we said no, no, no, that doesn't even count as multi-factor authentication because it's supposed to be something you know, something you have, and something you are. And if you just have a password and email, then that's something that's protected by a password and something else that's protected by a password. And so you're not protecting against different kinds of attacks. But if you're in a corporate environment where you can put multi-factor on the email, then maybe that is a valid

form of MFA because you know that that person has had another factor checked via another channel, right? And so a lot of companies are having this struggle with, like, okay, what counts as MFA, what doesn't count as MFA, does it have to be just more secure than just a password or is there a higher bar for security that we want to talk about? So yes, identity nerds love to argue and we're very bad at agreeing on things, but we're good at moving forward. We do build new technologies

really quickly. Like, the identity field moves, moves forward really fast. Yeah, I think even phishable forms of MFA are better than no MFA at all. You know, it's funny, because listening to your how-you-got-into-IAM story, and you're talking about all these standards and people are like, you understand these, and you're like, yeah, they have to remember that you wanted to be a rocket scientist and you have a degree in physics, so it all adds up to me anyway.

But the other part, kind of the endpoint of your journey, or the last, where you currently are, AWS, putting together or being responsible for the AWS Cognito project, is fascinating. I mean, I work with clients all the time, and when we're, you know, working on customer IAM projects and strategies, the question asked is always, what about Amazon? What about Amazon's customer IAM capabilities? And so that's

AWS Cognito, right? Maybe you can tell us a little bit about what it is, who it's for, and all those great things. Yeah. So the way that AWS thinks about identity is we divide it between workforce and consumer, and it's, it's absolutely huge here. So between the two of those, we do over 500 million authentication, authorization calls per second. So it is just, like, the scale that you work at at AWS is just bonkers. Wait, you said 500 million per second?

Yeah. That's ridiculous. It is completely ridiculous. Only slightly less than what Bezos makes per hour, but anyway. Yeah, so, so the part that I am really excited about and that I am diving a lot of my energy into is the Amazon Cognito product, which is our consumer-facing product. And the reason I'm really excited about it is because I don't think that any company is really delivering a great consumer identity product

right now as a service, right? Consumer identity is a friction point at the beginning of every app, at the beginning of everything you want to do, right? And there's no great way to have an end user remember a password or have to enter an MFA code, right? That's always a pain. And so we're looking for more, researching new ways: how can we make this easier? How can we make it less

friction? How can we make it harder for attackers to get in and easier for good guys to get in? And that's a really interesting problem for me. And Amazon Cognito is just a lot of fun because it's, it's a Swiss army knife, or I like to say it's like identity Legos, like, you can build a whole bunch of stuff with it. It's got a native directory. It does OIDC, it does SAML. We just added token revocation.

Like, there's a whole bunch of stuff you can build just with Cognito, and so just talking to Cognito customers, our customers do all sorts of really neat things with the product that we never expected them to do, and so we can talk to them about, hey, what are you building? Oh, you're building a castle. Cool, that guy over there is

building a car. Like, if we built a wheel, like, would that help both of you somehow? And so we're building new stuff all the time and talking to people about how they're using the product, and it's a lot of fun. I won't claim to be an expert on Cognito. So for the folks who aren't as familiar with it, you mentioned workforce and customer IAM. Is it the same product for both? So Cognito is both, and then it's just a matter of configuration, or is there

something more to it that people should be thinking about when they're talking about either constituency? Nope, so Cognito is the consumer identity piece and then workforce is handled by a product called AWS SSO. Okay. So we have SSO and Cognito, and then on the Cognito side, I guess, who's taking advantage of Cognito? Is it app developers who are already building on AWS

services? Do you see uptick from maybe those who are using other platforms like Azure, Google Cloud, but then they come in and use Cognito for some reason? Can you help me understand, you know, what does it look like from a development perspective if I'm trying to layer on IAM on top of my product? We do. So we see multi-cloud use cases and we see AWS-native use cases.

And we see just, like, hey, I'm hosting an app on, like, Rackspace or whatever, DreamHost, whatever my web developer is, and I just want to add some identity on top of it. So yeah, we get customers from all over the place using Amazon Cognito, but it's mainly app developers. Yeah, it's people who are building something new and they just needed an easy way to log people in, and we call that undifferentiated heavy lifting, right? They don't want to do all of that heavy lifting.

It's not going to make their company a better company to build a whole login system from scratch and try to do it in a secure way. But they know that at Amazon, security is job zero, and if Amazon is holding all the passwords and no passwords ever go through my system, I feel way better about that than I do about trying to build this all myself to a standard that would be considered best of breed. So Sarah, what are the use cases that Cognito supports today?

Is it just the authentication? Do you have a directory? Do you, you know, have a registration widget? Or talk to us about what's there today, and maybe a little bit about what we can expect to see in the future. Yeah. So today it is,

it's a native directory. It's a federation service, it is authentication, and we have a service called a hosted UI where we will host your login page, your account recovery page, or MFA page, anything that has to do with user credentials or creating the account, recovering the account, those you can host on AWS servers. They'll still look like they're on your domain. So there won't be a change in the URL, but it will be hosted by AWS so that credentials

never go on your server. You never have to touch any of that. And so your liability of having to deal with passwords and usernames and, and all of that is taken away from you, which our customers really like, and we're going to continue building. As I said, we want to make this an easier experience with less friction and more security. And so those are the types of things you'll see us releasing on Cognito in the future. I believe I heard somewhere that

you've kind of taken a low-code, no-code approach. Is that correct? And whether it is or isn't, is there a certain developer skill set or language that people need to kind of be familiar with in order to have success with Cognito, or is it something where you guys support pretty much whatever, bring your own kind of language?

Yeah, so we kind of go both in the direction of, if you want to do a bunch of custom code, we have APIs so you can call and you can use Cognito for that, and that's totally fine. But we also recognize that a lot of people don't want to do that, like, they want a low-code, no-code option. And so we're building out more and more functionality in the AWS console that is just, like, do you want MFA? Yes or no, click a

radio button, click save and you're done, like, you don't have to write all that code. And we will even host the page for you. And so there is, like, you can have a Cognito instance up and running with zero code, which is

really cool. That's something that, you know, when I started in identity, that was not an option for many vendors, and so we're hoping to get more and more people into identity just as administrators who know the security implications of the decisions they're making but don't necessarily have coding skills. Yeah, I struggle with organizations that are looking to build something that already exists as a product somewhere else.

And I think what you hit earlier was something that I always agree with, is, you know, who's spending more on security? Is it going to be, you know, an organization that is doing 500 billion authentications per second, or is it going to be, you know, an organization that, you know, builds transmissions?

I'm gonna go with, you know, the company that's actually probably spending more money, you know, on the actual security part of it, because chances are, they'll probably be more successful with it. And it's not a core competency or really core to the product or the mission, right, for another organization. So it makes a lot of sense to be able to take advantage of those types of solutions, and I definitely see the low-code, no-code approach. I love the

Lego brick analogy. I think that's something that, you know, that, that I've seen elsewhere, you know, we see it a lot in, like, ITSM tools, so things like ServiceNow and Pega and other things like that, where it's becoming more business-friendly to configure identity services. But all that does is really masking the hard work that takes place behind the scenes, right, to make sure that that stuff works, and interoperability and things

like that. And I think that leads me to kind of the next conversation topic that I want to bring up, which is around IDPro itself. Because I do think it takes an army of really smart people to kind of come up with these types of standards and having the conversations, right, to allow, you know, companies to interact in a safe way through their identity mechanisms. So why don't we talk a little bit about IDPro? And I know that, you know, just

for a starting topic, let's say, you recently were at Identiverse and announced the new CIDPRO certification. I know it's something that has been near and dear to a lot of people's hearts within IDPro itself, and kind of figuring out, how do you prove that you can actually do IAM work, right? Are you qualified? So maybe why don't we start with that? And, you know, what is this CIDPRO, you know, who is it for?

Yeah, so this kind of goes back to the conversation that Ian and I had when we founded IDPro, right? Like, identity is critical to the success of security and privacy. But security has CISSP, right? And privacy has certifications as well, but there's nothing for identity. There's no vendor-neutral way to prove, yes, I know general identity skills, I can do critical thinking about security issues, until now, and so we decided, hey, we're going to build one.

We started building a body of knowledge last year where IDPro members, who are people who have been in the industry for decades, are writing scholarly-journal-level articles about identity and access management

topics. And we said, oh, we can certify against that, and so you, Jeff, and a lot of other identity professionals all got together and wrote questions that said, hey, someone with, like, our target candidate is someone who has two years of experience either as a developer or an administrator with an identity system. And so these are questions that are aimed at someone who's been in the field for two years, and hey, this is what you should know.

By the time, you've been in the field for two years, this is what you should be up to speed on and so someone with two years of experience should be able to take the test and pass it without studying, that's our goal. So, I think it's a good target audience if I like it because it's still, you know, relatively entry-level but does require some experience in the industry, right?

To be able to kind of come up with the stuff or at least be able to read the body of knowledge on the idpro.org website, which is a, which is a great read. I think if people are looking for good identity content, go there, and I don't say that just because we're on the list as a podcast but also because it is, you know, there's a wealth of information out there and I do like the fact that, you know, if you're looking to work the

certification process through ID Pro essentially, that's the page that you can go to to study, right? There's most of the questions, I think have sources that come from that area to make it, you know, I won't say easy, right?

Because you still need to have the knowledge and demonstrate it. But easy from the fact that you're not having to scour the web, eight different, you know, websites, a bunch of YouTube channels, you know, however people are studying for things like Security+ and CISSPs and, you know, things like that. I think it's a good place to start. You mentioned that the certification focuses more on, like, the technical or the administrator side of

identity. I think there's a large constituency of people who are maybe not as technical; they might be more on a business analyst or process-oriented side when it comes to identity. What are your thoughts around, how do we include those people as part of that? Is this test for them as well? Or do you see, like, a different path to kind of demonstrate maybe IAM as a process knowledge and maybe less so on the technical side of things? So a couple of things. One is

that it is intended for them. We intentionally crafted the questions so that they're not gotcha questions, right? There's nothing that requires, like, rote memorization of the FIDO standard where you must know exactly what string this API returns, right? Like, that,

it's not the kind of thing that we're testing against. The questions are things like, hey, a developer is making an identity system and he has a, he's getting a token from a federation situation and he decides not to check the signature on the token because his system works fine without checking that signature and he's got stuff to do. And so he just pushes to production and leaves the

office, right? If you are an identity person who doesn't know that, like, you should be checking signatures on tokens to make sure that they actually came from where they said they were coming from, you should fail this test. And so, if you don't know those sorts of things that require, like, critical thinking and understanding of this system and why we trust the system, those are the types of things that we're testing for, not specific gotcha questions.

However, people have expressed interest in future, certifications, and going deeper.

So we've had people say, hey, I want to do a whole certification about governance and how you govern an identity system and how the business processes work, how you make sure that all of these mechanisms are in place that keep the system healthy, and hey, I want to do a whole legal certification about what are the legal restrictions and requirements and enablement that surround identity, and, and can I prove that I know those things. And so for future certifications, like, we could go in that

direction where we're going deep into one specific role in identity, or we could go by industry and we can say, hey, Finn Identity has its own special requirements and healthcare identity has its own special requirements. And, like, hospitality identity has its own special requirements, right? And so we could go that direction, like, kind of a horizontal direction as well.

So there's a few different ways to slice it, and if all of you listening out there have opinions, please join IDPro, join the certification committee, because these decisions are decisions that are being made now and they're going to affect identity professionals in the future.

So I think this is such important work and it's really providing some credibility, or, you know, if somebody needs to have some kind of certification to kind of advance in their career or at least prove some base level, baseline level of knowledge, I think that's where certification can be really handy, and it's also kind of a way for folks who are kind of

early in their career. You know, it's interesting, Sarah, because I think in the beginning of the episode where you were kind of describing your background, of whether you chose IAM or IAM chose you, I think you said, kind of, of course IAM chose me, right? Because folks who have been in this industry for a long time,

that's how, you know, 99% of us got into IAM, was it chose us, you know, we kind of lucked our way into this very cool industry, but I think in the future that's actually going to change. You know, maybe somebody will have their entry into IAM via a project, but others might choose, like, hey, that's an industry that, I know somebody who's in the industry, I want to get into that industry, and they start by

getting certified. And what the certification really means to me, like what you're talking about with the, you know, the signing tokens, like, those are kind of like some baseline knowledge that if you have that, you kind of understand what's going on when it comes to IAM. So I think it's very important, what you're doing.

And I think it really helps that next generation of IAM practitioner get into the space, which I think is important for all of us to do, is kind of like handing, handing this industry down and making sure that the next round of qualified people don't have to kind of kill themselves to figure it out, that we're, you know, giving that, passing our knowledge on. But I wanted to get into kind of some of the tactical

components. Now if somebody wanted to take this exam you know, do they need to be my ID Pro member? Where would they go to sign up? And you know how much does it cost to take the certification exam? Sure you don't have to be a member it's open to the public you sign up at ID Pro dot org, slash CID Pro.

That's for a couple or calling certified identity professionals, CIDPROs, the credential you get. However, if you pass the exam you do get a year of IDPro membership for free so you can come hang out with all of the IDPros. We have a Slack that we all hang out on all day. And lots of people ask random questions of like identity professionals who have been around here, you've been around for 10 years. Like how did you handle this problem? How did you do this? Those sorts of things.

The exam is $750 and IDPro is a non-profit, nobody's making money off of this. This is what it costs us to develop and deliver the test. And we're hoping to make this a sustainable program where we can deliver more tests in the future of different subsets of identity. So I think it'd be interesting to see identity as a formal education path, right?

I think there's a lot of in information security but building out the curriculum for someone to show career progression specifically with my identity would be interesting to see and I think this is kind of one of those first steps towards that. I will tell you right now that the Slack channel for IDPro is, just alone, worth the price of admission for an IDPro membership, which I believe is $150 a year. Yes, if I remember. So just that Slack channel alone is well worth it and then you get everything else.

So I think we're burying the lead a little bit. It's like that's where we want people to be at because there are really smart people and really friendly people who are asking questions, answering questions. And yeah, if you're struggling with an IAM question, where, you know, there's forums like, you know, probably date myself, Stack Overflow, right? And things like that, right? Where people go to ask questions.

It's a great spot to be able to really pick the brains of, you know, I'd sell though. Identity nerds out there to, you know, answer things that chances are someone might have seen it or solve that already or can tell you what doesn't work. So you don't go down a rabbit hole of, you know, making mistakes that have a misstatement made before. So I think that's always really helpful. So I'm a big supporter of ID Pro for sure. And I love the fact that there's a certification for it.

I wish I had contributed more. I think I have one question on the test, and there's others who are out there, definitely double digits, you know, like yourself, and I know Ian has written about a lot of questions. I think people like Matthew Carter and Chris Phillips, I believe, have also, you know, contributed a lot. So it has taken a lot of work to get to this ditch, you know, to the state you're in right now in a launch release.

I guess from start to finish, how long did it take to actually get this into, okay, we've got something, let's announce it and let's laugh. Let people start registering. Was it six months, a year, longer than that? It took almost a year. Yeah, so I took three months of leave, I took maternity leave in early 2020 and I came back in July expecting that the board would have moved forward on this project, the IDPro board, and they had just been super busy and nothing happened.

And so I had cleared my calendar to take leave and I was like, all right, I'm going to take this on, like I'm going to do this. We're going to bring this in and like I'm going to launch it at Identiverse next year. So what happens when you show up at Identiverse and you have that presentation that you gave to kind of announce it, what was it like to kind of get out on that stage and say okay, this thing that we've been thinking about, here it is, have at it?

What was the reaction to it? It was so amazing, Jeff. Like I literally did a happy dance on stage. I was so so so happy we could finally open registration for the test and everyone was stopping me in the hallways and going, I'm so glad you did this.

I'm going to sign up. I'm going to have my whole company sign up. I'm going to have my whole consultancy sign up, like we're getting a huge amount of traction for it so it's just really great to see that the industry was clearly ready for this. Like, this was the right time. I'm kind of sad that I didn't get to Identiverse this year. You spoke at Identiverse. You just kind of alluded to it, doing the happy dance. Can you give us a recap of the conference?

I know I'm definitely going next year, you know, God willing, but can you give us kind of a recap and tell us a little bit about what you enjoyed? What was your favorite session? Sure, the conference this year was a lot smaller because of the pandemic. And so the people who came were really industry veterans and they really pulled out all the stops. I think they were so excited to be there that the sessions were like extra well-done and extra researched.

I think it also helped that they had to pre-record beforehand because it was a hybrid event where half of it was done online and so they couldn't just put in their slides the night before, they actually had to at least do one dry run to record it for the online audience. But it was really awesome. There's a great session by Tori Mayer, who's a first-time Identiverse speaker.

She's a product manager at Ping and she's about why you need product management in your IAM team in order to have strategy and listen to customers, and not just do project management of like Gantt charts and how you get things done, but really making sure you're doing the right things and making sure you're doing the right things for the long term.

That's a really great talk. David Lee of cloud entity gave a great talk on diversity in the identity industry and how we can do real work there and have real solutions, and not just do sort of thoughts and prayers, kind of, this is bad, I hope it gets better kind of thing. Brian Campbell gave a great talk on the new PAR standard. John Lennon did a talk that is actually going to be a book. I guess he wrote a whole book on actually identity at AWS.

So, there were a ton of good talks this year, and I think the online portal is still open so people can watch those. And then normally Identiverse puts them up online for free a few. Later. So they may be coming to the internet soon but I don't know for sure on that. Yeah, I'll have to keep an eye out for that cuz I, yeah, I think usually they do have them online somewhere to view and I'm sad too, I didn't make it. This is the first one I've missed since 2016, at least.

So, for whatever reason I was I'm looking forward to traveling and just didn't make it to this one. So, definitely. Next year, for sure it's a great conference. I think it's the best identity conference at least in the u.s. that I've been to.

Ooh, not that other ones are bad, but I think this one being so specifically focused on identity and the fact that while it's hosted by Ping, I think Ping does a good job of separating it out, that it's not all about Ping and it is separate, you know, enough where there are certainly competitors there and it really has turned into, you know, not just the Ping Identity conference. It's its own thing, right?

And I think they've done a really good job of having that level of abstraction, that layer of, second of separation, to make it a little more vendor neutral, which, that's what we try to do on our show too, is not do commercials or anything like that and really kind of more talk more substance. One thing I thought was really interesting as we were kind of prepping before the call is you mentioned your fondness for escape rooms.

So I think there's a couple things, you told us a story about one that you attended in Denver, but before we get to that, for folks who aren't familiar, what is an escape room? So, an escape room is a series of puzzles. They actually started in Seattle, where I live. So it's not like coincidental that I'm into this.

It's, in the first one, you were literally locked in a room and the key to get the door was like in a safe and you had to get the code to the safe, in order to get the code to the safe you had to find all the pieces of the puzzle, in order to find all the pieces of the puzzle you had to find all these keys and you had to do all these solutions to different puzzles around the room, and some of them involved like mirrors and lasers and some of them involved like literal jigsaw puzzles and some of them involved like getting a magnet through a maze. And so, it's a whole bunch of fun puzzles that you have an hour to solve, and then if you don't solve them, you are locked in that room forever and you starve and you die.

Hmm. Okay. So there's definitely some repercussions for not getting things done. And this is, so, I guess, the important thing, right? This is in the real world, right? We're not talking about a webpage, although maybe there's a computer with, you know, a web page open, but you're actually physically in a room and there are puzzles or things and a theme usually associated with it, right?

To kind of say, okay, you need to get to this objective, whatever that may be, open the safe or, you know, find the key to the exit, whatever it may be, which I think is fascinating. I have not done one yet myself, but I know people who have and they just keep talking about it and raving about it and it's a little bit irritating sometimes about how much they like it. But why don't we talk about the one that happened in Denver?

Because I think it was an interesting story on a couple different fronts and I don't want to spoil, that's a lot. You go ahead and tell it. Yeah. So I try to get some IDPro members together at every Identiverse to go to an escape room. So the last one we did was in Washington, DC in 2019. And for that one, we set an all-time record for the fastest team to get out of the room.

Because it turns out that like, identity people are really good, creative problem solvers, and so like the very transferable skill set. And so this one, we like, we had really high expectations. We're like, oh yeah, like what's the record for the room, we're going to beat that record.

And we did one in Denver this year at Identiverse and the record for the room was 27 minutes and we got out in 33. So we were pretty darn close, but we had to haul ourselves all the way from the conference center, which is more by the airport, to downtown Denver and we were going to Uber, but apparently Ubers are really expensive and unreliable now because like post IPO, they want to make money or something.

But as it turns out, like at 6 p.m. on a Tuesday, like limos are super cheap and so we actually rented a limo and a tidy Pro members, drink, champagne, and were ferried to an escape room in downtown Denver and then came back. And so it was an extra fancy escape. So if you need any more motivation to join IDPro, that's right, Sarah will pick you up in a limo and take you to an escape room. Is that what I'm hearing? And you will get out in record time.

There's a 50% chance. I just imagine this this image of like this limo pulling up to identify verse and then a whole bunch of identity, nerds kind of like hopping into it and people sticking out of the top of the sunroof, whatever drinking champagne as they're like, you know, onwards my toe off companions are unique, he's back to downtown and then they're

like jokes the whole way. I mean, this is Now really getting into like probably true identity, nor tears nor identity and heard territory for sure, but it sounds like a lot of fun. So, you know, I think what want to do is probably end up here on a lighter note, what is your ideal escape room like describe it for us and the listeners. So, let me tell you about a few of the Escape rooms that I have really been impressed by, and like, some combination of those would probably be my ideal.

So the first one is in LA. It's on Hollywood Boulevard. There is an escape hotel that has, like, eight different Escape rooms. And I did not even know this was there, but I was there with my family and we walked in and we were like, do you have any open it like, and they're like, yes, we have lots. Which one do you want? And we were like, which one is the hardest?

And I forget what the name of the room was but they were like, it's this room and but you start off blindfolded and chained to the floor and we were like cool. We're in like let's do it right? And it's in Hollywood, right? So it's Hollywood production level. So that one was super fun and then, hey, Sarah. Are you sure though that was an escape room? Right? You have to wonder when they do that.

Yeah, no kidding. Sorry, then there's a great one in Austin that we did where we were supposed to. There was this whole cabin that they had built indoors. And so you started outside the cabin, you had to break in. And then you solve a bunch of puzzles in the cabin, and the fireplace swings open.

And you're like, okay, what's behind the fireplace, and you crawl in and there's an adult-sized slide to the next level of the building where there are more puzzles and so you have to go down the slide, that was awesome. And then, my absolute favorite escape room is here in Seattle. The company that founded escape rooms is called Puzzle Break.

And they started with two and they found that they had groups that were trying to compete to see which one could get out faster, but they were two different rooms and so it wasn't really a fair contest. And so they built two identical escape rooms. And so not only can you bring two groups and see who gets out faster,

but there is a, it's all say on steamed and there's like this plastic candelabra on the wall that lights up when the other group hits a milestone. So you can sort of tell like who's ahead.

So like we went in and then like we're looking for things and like there's this, clearly, this like chess set that we're supposed to put together and like there's one piece missing that we can't find somewhere in the room and then one candle on the candelabra lights up. And we're like, oh, oh, hell no. Like they already found the chess piece, like we have got to get to work, but this is not cool.

So I think like some combination of like, competitive escape room that involves being like blindfolded and chained to the floor that also involves slides. Like, that's a combination of the best things I've seen. That's an eclectic mix of flavors for your escape room. I like the idea of the competition part, right? Kind of racing against someone else. Yeah, I firmly believe there should be like Hotel. There should be like, escape room Olympics. There needs to be a world champion.

It sounds kind of like the movie Saw. If you think about it in that perspective, that's maybe a little bit more morbid way to end on a light note. Yeah, don't know.

Kidding. Right. You know, I like to I like to keep it real for the folks you know, I haven't done one myself but I would imagine that if I were going to do one I would like something that is like virtual reality based somehow where You're not constrained by the limits of physics, man, you know, where there's some component to it, where you're able to leverage, kind of a bunch of different Technologies, maybe to kind of solve issues, or, you know, puzzles, things like that.

So, maybe that's one of those in Australia. And so you have to change your strategy. Oh my gosh. I think we need to do a fact-finding mission. To to come up with some sort of identity problem that will that needs the identity at the center podcast to be there. That's right. We're going to use our Char, we're going to need our escape room Sherpa, Sarah to help us with that, as well. So I think that should be a mission of ours to take on at some point first. And what about yourself?

What about have you ever done an escape room? I've never done an escape room. I thought about the one that Sarah mentioned, where there's a key locked in a safe, and I've got a safe in my house and I know the combination and half the time it takes me two, three tries to get it plugged in so I'll see you do it. Like, yeah, once he even if I know the combination, it takes me a while to get the safe open, so

I don't think I would succeed. But I think if I was to say what an ideal escape room would be for me, would be something that's almost impossible to solve like, finding my keys or finding my remote control, you know, even though I was the last person to use it and I put it wherever Still can't find. It sounds like every day's an escape room for you. Jim was true. There's been that way for a long time. All right. So I think, we think we brought it back up to the lighter note,

which is what we wanted. So we can forgive my Saw reference, but before we let Sarah go, any final words of wisdom, Sarah, that you want to lay on us and lay on the listening audience for anything we've talked about today? Oh gosh. Yeah, one of the tenets of the OAuth working group that I have made also a tenet at AWS Identity is make the easy things easy and make the hard things possible.

So when you're doing identity, you want to make it as easy as possible for things to get people to do things that they do every day, right? Login, change their password, things like that, and you want to make it possible for them to really dig into this system and write their own code if they want to make their own custom stuff,

if they want, and really go to new lengths and new heights. So, that's one of the tenets that I firmly believe in when architecting identity. I really like that. I think, you know, there's enough hard thing to this world. Let's try to make the easy things easy, that's when I think one of things I've been saying recently is, you know, I know identity can be overwhelming, but the goal is to make it whelming, it's like okay, there's so many things to solve, issues, whatever

right? And you can easily get overwhelmed with like a list of a hundred thousand. Is that need to happen. Let's just, let's just take it down to whelmed, right? Let's just fix the things we can fix and just work on in order. And that's how you eat. An elephant one bite at a time. Jim, how about yourself words of wisdom and words? Wisdom?

I have is, you know, in preparing for this episode I went out to YouTube and watched some videos on AWS Cognito, so I actually may have known more about it than I let on with my questions. But I'd say anybody who's interested, I mean a ton of videos out there on YouTube around AWS Cognito. So if you want to start that educational journey, that's one place to start. But I would actually even turn it over to Sarah because maybe there's better than what I found, right?

I found things on YouTube but where else can people go to learn about it? Yeah, and so AWS does an annual conference every year in December in Las Vegas, called re:Invent, and all of the talks from that conference go up on YouTube. So if you search for re:Invent and search for Cognito, you'll find some of the best stuff that our solutions architects, that our service team has put out there. That's a great way to get started on learning.

Now, you should see reinvent banners around when Gartner would do their identity access management conference which I believe was kind of like right before it and It's smart. I think to kind of, you know, have the two. It's almost like black hat and definitely. I did both. And I was in Vegas for two weeks and that was a terrible mistake. No one should ever stay in Vegas for two weeks. No, I did it for one week like Vegas, but I wouldn't want to live there.

I like Vegas only because, you know, when I go, I'm staying in a hotel, there's good restaurants, you know, usually it's, you know, on a company's answer, something like that, which is also helpful to this amazing. But like, that's part of the problem, right? Like you just can't stop eating. Yeah. Well, you know, or you don't have to go outside, right? You can breathe artificial air for, I think, my record is four days.

I never saw sunlight once in Vegas. Yeah, well, you know, that's what gives me my radiant pale skin that likens me to Casper the Friendly Ghost. Hey, Jeff, I'm very, how long is the ideal stay in Vegas? For me, it's four days, anything beyond four days, so like I cannot wait to get to the airport. Yeah.

I think I would say the same. But I think that's true for probably most areas unless you're actually going for leisure like a beach or if it's something like you can't go to Europe, for example, for four days. Or if you're in Europe, can't come to the US for four days because it takes you a day to get there, a day to get back. You're going to want to spend more time. So you know, I could probably swing a week but that's

I don't drink really that much. I don't gamble but I love to people watch and I'll tell you right now, Beast be with Las Vegas being one of the best areas and actually Paris, France was another fantastic area for people watching. I could I could satisfy that that that need you know for several days and be good. Sarah, what about yourself? What's your, what's your ideal Vegas?

Stay duration? Yeah, I think four days is just perfect and then you got to get out of there and then you're throwing your last leftover coins in the slot machine at the airport on your way out, okay. All right, I think that's a good spot that we can leave it for this week. Sarah, thank you so much for joining us. I really enjoyed the conversation.

Kind of talking about everything from an AWS Cognito perspective but also just congratulations on the IDPro success and especially on the certification getting out there, CIDPRO. So for folks who want to get more information about that certification you can visit idpro.org/cidpro, has all the information there, it's open to the public. You don't have to be a member, which is fantastic.

Would encourage people to check it out and try to pick out the one question that maybe mine made it onto the test or not. We'll see. So with that we'll go ahead and leave it for this week. You can connect with Sarah on LinkedIn as well. I'll have a link to her in our show notes and link to CIDPRO. Also to AWS Cognito for folks who want to learn more about that specifically. And with that, we're going to go ahead and wrap it up for this week, appreciate it and thanks for listening.

And we'll talk with you all in the next one. Thanks for listening to the Identity at the Center podcast. If you like what you heard, don't forget to subscribe and visit us on the web at identityatthecenter.com.

Transcript source: Provided by creator in RSS feed: download file