
#112 - CIAM with Stephen Cox

Sep 20, 2021 | 47 min | Ep. 112

Episode description

Jim and Jeff talk with Stephen Cox, Co-Founder and Chief Technology Officer at Strivacity, about customer or consumer IAM (CIAM) and things to consider for a rollout such as security, scale, and using a product versus open-source solution.


Connect with Stephen on LinkedIn: https://www.linkedin.com/in/stephencox/

Learn more about Strivacity: https://strivacity.com/


Connect with Jim and Jeff on LinkedIn here:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/


Visit the show at www.IdentityAtTheCenter.com and follow @IDACPodcast on Twitter.

Have a question for Jim and Jeff? Ask us here: https://anchor.fm/identity-at-the-center/message

Transcript

You're listening to the Identity at the Center podcast. This is a show that talks about identity and access management and making sure you know who has access to what. Let's get started. Welcome to the Identity at the Center podcast. I'm Jeff. And that's Jim. Hey Jim. Hey, Jeff, how are you? Oh, not so bad. Yourself? Good, good. You know, this is our second podcast recording of the day. We have to do that around the holidays and things like that.

But you know, during the last recording session, I had FedEx show up right in the middle of the call, as expected, right? They gave a delivery window and they showed up at the very last moment within that delivery window, and then it was something that had to be signed for. There's only a couple of t-shirts and a pair of jeans that I was having delivered, but I had to sign for it anyway. That's a little bit of the behind, the behind the big curtain.

Yeah, it was like, when we're sitting here having a conversation with a guest and then I see Jim get up, walk away. It's like forecast, mostly think I was like, oh, they're not paying attention, or like, what's going on around here? But yeah, I mean, this is real life. This is the way things work.

Of course, if you're getting a delivery, that is exactly when they're going to show up. As soon as we hit the record button, you know, that's when you're going to hear the doorbell or the dog bark or, you know, the fire engine or the police car drive by. That's just the way it works in the world we live in. So it's all good. Well, the one, though, you saw always happen was the landscapers would show up.

It was like, I think we were recording the podcast, you know, the first 50 episodes or whatever it was, on Thursday afternoon, because, ooh, my crew showed up on Thursday afternoon at like 4:00 and, you know, the leaf blower would go on just as we hit record. Same thing here. You know, I guess Thursday's landscaping day across the nation. So we moved to mostly Wednesdays to try and counter for that.

But that ends up being, I don't know, my homeowner's association, that's when their landscaping does it, on Wednesdays. So whatever. I don't think people tuned in to the Identity at the Center podcast to learn about landscaping trends across the United States, other than, hey, we're real people, we have stuff going on. And sometimes, you know, things pop up while we're recording that you don't hear necessarily behind the scenes, but like I said, sometimes I'll watch Jim get up, walk away, and then come back, and they'll carry on the conversation just like nothing ever happened.

So I think with that said, why don't we get into our conversation for today? Because I am staring at a screen here of our guest and I'm very excited to have Stephen Cox on the show. He's a co-founder and chief technology officer at Strivacity, so welcome to the show, Stephen. Thanks a lot, Jeff. I'm happy to be here. Thanks for having me. Thanks so much for being here. And, you know, I think one of the things that we like to get into, and we're going to actually have a conversation that kind of structures off a couple different things.

Probably mostly around customer identity and access management and some things to think about there. But as it's your first time on the show, a tradition around here is we like to understand kind of the origin story for people, and how they actually got into the identity space, or maybe even when they realized they were in identity and maybe they didn't know before, just kind of had that dawning.

So maybe you can kind of take us, you know, briefly through kind of your past and how you ended up on the show, I guess. Yeah. You know, in one of your previous pods, you asked that question in a really interesting way. You asked, like, you know, did you find identity or did identity find you, right?

And I would say that identity definitely found me. You know, I kind of like to make the joke that I'm not an identity guy, but I play one on TV. You know, I've been in the security space for a very long time, about 15 years. My first foray into security was doing DNS monitoring of the .com and .net infrastructure at Verisign. That was not too long after I was out of college. I worked after that for a network monitoring company named NetWitness. That was later acquired.

I worked after that for an incident response company named Mandiant, which you're probably familiar with, before the FireEye acquisition. A little bit after that was where I met my fellow co-founder of Strivacity, Keith G. Keith later recruited me to an identity company that a lot of your listeners are probably familiar with, named SecureAuth, and I really liked what SecureAuth was doing around threat detection at the identity layer.

So I spent a number of years at SecureAuth, you know, helping them build their product out, and then Keith and I went off and started Strivacity late in 2019, with the prime focus on customer identity. So Strivacity is relatively new. And, you know, I think people who are listening have kind of come to realize we don't really do commercials on this show, right?

We don't talk about ourselves and certainly try not to make an infomercial for people, but I think in this case I want to make a slight exception, other than to kind of bring the audience up to speed, as they may not have heard of Strivacity. It's only been around, like you said, since, you know, 2019. You guys are still growing. And as a relatively new player in the same space, I guess, you know, what's the 30-second pitch?

Why does the world need yet another CIAM product or vendor in the space? Yeah, I appreciate the sentiment there for sure. You know, definitely a start-up problem is getting your name out there, getting the share of voice. And, you know, Strivacity is the first CIAM vendor that was cloud-born and designed from the get-go to solve the, you know, the gamut of customer identity problems. We're built for scale, we're built to solve some of the modern data privacy challenges that, you know, brands are facing today. And, you know, we're building digital transformation for the cloud, really.

So I think you partially answered this question, but I was going to say, look, it's not hard to find a blog titled "Customer IAM is different from enterprise IAM." In fact, I wrote one of those with Identropy. But I want you to explain to the listeners, the IAM practitioners of the world, what that really means. Why is customer IAM different from enterprise IAM? Yeah, we've also blogged on this topic.

It's definitely an important one to understand, you know, at a high level. And, you know, at a real high level, you're basically looking at a different base of users in CIAM versus, you know, enterprise IAM. You know, enterprise IAM, traditional IAM, has kind of been focused on the workforce, right? Customer IAM is focused on consumers, of course. In, you know, workforce IAM, you're provisioned by an HR or an IT person.

Right. You typically have less say over the means in which you access things, you know, in workforce IAM. In customer IAM, you're often self-provisioning or registering yourself, right? You have a lot more say on the ways that you access things, because you can simply walk away and find another brand to do business with, right? You have that choice. So here, you know, user experience becomes really important. And flexibility becomes really important.

You may have a widely ranging, you know, demographic spread in your user base in CIAM. Some of them may be less sophisticated. Some of them may not have up-to-date technology. So how do you do multi-factor in cases where you have, you know, a less technical user base? Some of them might have issues enrolling in multi-factor, or not want to altogether.

And then, of course, you've got to think about scale. You know, enterprise IAM is focused on, like, you know, sort of thousands to maybe hundreds of thousands of users, and CIAM can easily get into the tens and tens of millions of users and up. Yeah, that's right. And I think, you know, really where I was keying my thinking was really where you started. You know, there's such variety when we're talking about customer IAM. Who are your customers? Are they consumers?

Are you doing an e-commerce site? Are they your members? Are they B2B partners, you know, the other businesses? And there are such different ways you could go about managing those user accounts, getting people access, you know, whether or not they are able to maintain that access over time. Or, you know, when they leave the customer organization, you're off-boarding them. Compare that to enterprise IAM.

So, you know, Jeff, we don't really talk about what we do, but for those who listen to us every week, you realize that we do consulting on IAM and develop strategies. But, you know, a lot of times we're working with organizations, or what we call enterprise IAM, is figuring out how to manage who gets access to what from a workforce perspective. Now, we're really not reinventing the wheel every time.

It's not like, well, you know, most organizations, they're getting a feed from an authoritative source like a human resources system, but maybe you guys should do it differently. That's not the way we look at it, right? It's like, you know, you'd have to really be completely different than everyone else in order to really shake some of those kind of fundamental roots.

But when it comes to customer IAM, I find that, you know, that's not necessarily the case. You have to kind of go into it open-minded. Like, how do you do it today? What are you trying to achieve? And it's a much more different picture, and I think that in some ways makes it easier, or provides a justification for why there would be so many CIAM, or opportunities for CIAM products to be introduced in the market.

But at the same time difficult, because, since the problem is not one clear solution, to kind of develop a CIAM product that solves all these problems, and so it creates opportunities but at the same time makes it a very difficult problem to solve. You know, kind of continuing on with that, you know, we talked about the blog. You guys have a blog; we'll get the link out there in the show notes. I saw another blog that you guys wrote called "Trade-offs of Using Open-Source CIAM."

And I found that interesting because, you know, again, the CIAM problem is something that has so many different solutions. I've run into a lot of clients that were using open-source CIAM or were seriously considering that, and I wanted to get your perspective on what those trade-offs are. Yeah. Absolutely. You know, just a small distinction: when we talk to, you know, open-source CIAM on that blog, we're not necessarily speaking about, like, using open-source libraries in your software.

You know, we all know that's pretty much the standard way that people build software these days. But what we're really talking about here is, like, using a fully baked, you know, CIAM open-source offering and then landing it sort of directly within your product or your infrastructure, right? And again, I'm a joker.

So, you know, the analogy I like to use is that open-source CIAM is kind of like a free puppy. You know, puppies are cute and awesome, and, you know, they're awesome. You know, it's great to have.

But, you know, when you take on a puppy, you're taking on much more than just, you know, the immediate elation of having a puppy. You have to feed the puppy, have to walk the puppy. You know, it's a multi-year obligation, right, to care for that puppy. And that's kind of the sort of mentality I speak to.

When I talk about taking on an open-source CIAM offering, you do get a free product, right? Free product, quote unquote. But you're taking on all the obligation of all the care and feeding around it, right? Operationalizing it, hiring people to maintain it, hosting it somewhere, monitoring it, patching it, addressing security vulnerabilities, right?

And that can quickly get daunting. A lot of the open-source offerings that you see, you know, in this space have premium support packages. So then it's really not even free anymore, right, if you go that route. And, you know, none of these things are bad. There are many organizations that are perfectly fine with that type of arrangement, and they have the resources to do that.

And, you know, you ultimately have more fine-grained control over it because you actually, you know, own the code and/or are working from the code. With a CIAM platform, you may have a little bit less fine-grained control, and maybe that's okay too. But you should just really kind of think of those trade-offs. It's not quite as, you know, clear, apparent, as you might think, you know, from the beginning, right?

It's not really the open-source model that I hear you have an issue with or are really talking about in terms of trade-offs. What you're really talking about is the kind of responsibilities that you're taking on yourself. Exactly. Your organization is taking on, right? Exactly. It's kind of back to my point about CIAM and kind of user management being so different. I mean, when you look at CIAM products, what they seem to all do well is authentication, right?

Authentication for web applications has gotten, you know, baked into standards. There's not many solutions out there that are saying, hey, you know, forget about the standards, we got something proprietary that is a heck of a lot better, right? So then it becomes a matter of, you know, hey, we implement the standards, we have, you know, robust hosting, offer cloud, et cetera, et cetera.

I guess what I'm saying is, I think that, you know, there's not a ton of differentiation there. Where the differentiation for my money becomes is around what capabilities do you provide in terms of doing user management, in terms of user registration, and in terms of, you know, credential management. When you get into the B2B use scenarios, it can get extremely complex, but I find that a lot of my clients, you know, they're looking for a product that can solve most of their problem.

They don't want to go and develop their own user management platform. They want to do that, they can just go and do that. They don't need the product. But they want a product, right? And, you know, even more, they want a cloud service, right? And they're even willing to make some trade-offs to get there. But I wanted to kind of throw that out there. Is that kind of what your thoughts are as well?

Do you really feel like, you know, user management is kind of one of the main areas that differentiates CIAM products? I think so. Yeah. I mean, you know, the question kind of comes down to, like, well, what amount of user management is enough, right? And it really comes down to, to my eye and in my opinion, in the CIAM space, it really comes down to user experience, right?

Being able to craft, you know, it's not just crafting user experiences for the end users, for the end customers, but also for the brands themselves that are using the CIAM product, right? They may have different user personas that you need to cater to, right? You have the brand admins, you have the IAM specialists, you have the marketing teams, the support folks.

You know, there's a variety of different user personas within an organization that may need access to be able to do certain things within a CIAM platform. You know, so role-based access control is kind of one way to address this, right? You kind of allow people to do different things within your administration console, kind of based on their role or their user persona that you configure, right?

So you kind of make it easy to get to where they want to go and do what they want to do within your product. So I do think it's important, for sure. So now that I kind of made the case that, you know, user management should be the top priority, and I'm not even saying that, I think that's one of the main differentiators.

When we talk about customer IAM versus enterprise IAM, I think one of the main differentiators, or differences between the two, can be scale. And when I say that, I'm talking about, you know, enterprise scale is, you know, typically up to 100,000 users, where internet scale, or where customer IAM fits in, can be millions, billions of users. But like, even if we just take millions, that's all exponentially more than even large enterprises.

And when you start talking about companies or organizations with high seasonality, the volumes can just become ginormous. Now, one of the things I looked at in researching Strivacity's architecture, if you will, is you guys look to address that using Kubernetes. You're the architect.

You were probably the person behind that decision, so maybe, like we like to, start at the most basic level. Maybe we could, for the audience, kind of explain what Kubernetes does and then why you selected it to help with scale, or how it helps you with scale? Yeah. Yeah. You mentioned that scale is, you know, a differentiator between CIAM and IAM. I definitely agree. I mean, you can get to sort of massive levels of scale in CIAM.

I really like your point about seasonality, right? The example I love to give is the tax company, right, that's got extremely bursty traffic at certain times of the year. You know, when everyone is like, oh my gosh, I'm late on my tax return, I have to do it right now, and they're rushing to get those, you know, tax returns in right before the deadline. So, you know, you have to handle, you know, that burst of traffic, right?

And in a way that doesn't kill your wallet. I'm sure a lot of your users have hosted stuff in the cloud, so they kind of know what I'm talking about. But one of the core tenets of Kubernetes is a concept called auto-scaling, right?

So you look at metrics that are being, you know, emitted by your services, and you can add additional instances of your services if, you know, the metrics reach a certain point. They call that sort of horizontal or vertical auto-scaling. And you're able to also scale that traffic back down in a situation where, you know, the burst traffic kind of, you know, subsides, right?

So it makes Kubernetes, like, really well designed for this type of product, because you can handle the seasonality, you know, the crazy bursty traffic, and you can also scale it down and not kill yourself in terms of, you know, your hosting bills. Does that make sense? Yeah, that makes sense, Stephen. So maybe you could talk to us a little bit more about how that scaling works.

I mean, just, you know, we're not looking to get a PhD in how this works, but just, you know, a little bit more in terms of, all right, so is it that there's some kind of monitor watching over your instances, looking for processor utilization, then spinning up additional server instances? That's exactly right. Yeah, yeah, you have, you know, a certain set of services. You're monitoring their activity, right?

You're minding what the CPU is, what the memory is, you know, various different metrics. I mean, you can actually, in some cases, design your own metrics if you want. And when you reach a certain threshold, you can effectively kick off a job that spins up a new instance of that service, right? And you can sort of define all kinds of, you know, parameters around that, right.

Maybe you want to double the amount of services, or maybe you just want to add one additional service, right? So you have a lot of control over being able to do that. And then the flip side of that is, you know, when it falls below the threshold for some period of time, you drop one of those services, you know, off. And so there are some design constraints around that, right? You have to make sure that your services can be run in parallel, right?

That there's not any sort of state shared between them. They have to be able to run in parallel pretty easily, right? So that one instance of the service can handle a transaction on its own, if that makes sense. And yeah, that's kind of the idea of scaling within something like Kubernetes. Yeah, so glad I asked. You know, I guess, did you look at Docker as a potential, or maybe a Docker Swarm versus Kubernetes? I guess, what was kidding?

Can you help me understand, you know, why maybe you went with Kubernetes over Docker specifically? Yeah, we did look at Docker Swarm. I actually have some personal experience with Docker Swarm, you know, at previous companies that I've worked with. I think it was really mainly that we had, amongst the early engineers that we had, some real direct knowledge of Kubernetes. So it just kind of made sense for us to go in that path.

Just because of, you know, a startup, bootstrap, get-stuff-running type of mentality. Yeah. So it was more of like a prism or like a team experience thing than anything else. Gotcha, I'm answering helps with a raffle perspective.

I would say if, you know, the closer to using, I'm always curious about the security too. You know, I guess when we talk about the scale of some of the, you know, install bases and the authentication bases that you're probably dealing with, and getting into millions and spikes and things like that, I immediately think of things like DDoS and other types of attacks that can trend that way.

But also other things like password spraying, you know, man-in-the-middle, social engineering, phishing, like all the stuff that comes along with this. Yeah. How do you approach security from a CIAM environment perspective, and what are some things that people should be thinking about as they look at CIAM for their organizations, some of the threats and how you've looked to address some of that?

Yeah. You know, I know it's a bit of a buzzword, but I do also like to talk to this in terms of, you know, the defense-in-depth concept. You know, there's really no one way to solve all these types of different attacks. You know, you mentioned password spraying. Just defending against password spraying is, you know, a combination of things like doing bot detection and breached password detection, right?

You know, are these transactions coming from known bot infrastructure? Do you have the ability to sort of rate limit, you know, based on various patterns of traffic? Or, you know, are you pivoting on the data? Like, you know, things like looking at multiple IPs coming after one set of credentials, or a single IP hitting multiple sets of credentials, right?

You're kind of looking at these traffic patterns and trying to make decisions off of whether you allow those, you know, those transactions to go through or not. And, you know, are you protecting your users from sort of the stolen or weak password situation, right? You know, setting up password policies to something meaningful. If you are using passwords, doing breached password protection when a user sets or resets their password.

You know, if you kind of want to really get sexy, you can think about things like passwordless flows, you know, so there's actually no password at all. Like, you're taking it out of the problem entirely. And when we're talking about, like, man-in-the-middle type of attacks, I assume we're, you know, specifically talking about man-in-the-middle attacks against authentication, and that has some interesting solutions too.

It's really around making sure you're taking advantage of, you know, a lot of the latest browser security enhancements. A specific way to defend against this, you know, in authentication is to use an out-of-band MFA method. So, you know, when an action has to be carried out on an external device to complete the transaction, you know, something as simple as, like, push to accept is kind of a real base idea there.

And the concept there is that, you know, the two multi-factor methods are not going through the same channel at that point, right? You can't phish a one-time passcode that's on a, it's on a list on a separate channel, right, from where you're sitting.

So you're pushing the security context of this in two separate channels, which is just an inherently good thing to do when you're trying to design secure systems. And since you mention the passwordless, because we see a lot of kind of interest in that, especially in the enterprise space, and we see passwordless to some degree in the consumer side of things. I immediately think of something like Slack.

Where, of course, you can use a password to log in, but they also have the magic link process, which is kind of a veiled passwordless sort of approach. You know, maybe not the smoothest transaction, but it works. And then I think of some of the other things that you mentioned too, around the multiple channels that can be happening for MFA or second-factor types of authentication. I think of Apple.

So, you know, I've got an iPhone, a watch, an iPad, a Mac, I'm up. And, you know, I have Windows too, so don't hate me for everything. But when I get a multi-factor prompt for Apple, it dings me on every device, even the one I'm using, which never really made sense to me. It's like, oh, okay, you're sending me a second-factor request, but you're sending it to the same device that I'm already using. That seems a little bit,

like that was not well thought out from that kind of deployment standpoint. And just curious, you know, if that's something you've seen as well. And I guess just also if you can touch on the passwordless side of things, because I'm wondering how CIAM products are looking to address that specific use case for consumers and getting away from the password, which, you know, everyone hates and everyone's been telling us has been dying now for 10 years. It's the longest death I've ever seen.

Yeah, yeah. So, you know, the impact of passwordless in CIAM is interesting. You know, it's interesting that you mentioned your Apple devices. It's interesting that the consumer device companies have really kind of led the way here in terms of using biometrics as a potential second factor, right?

So they're actually making it, I always like to say, they're kind of making it easy for us as IAM designers, architects, to leverage a biometric as a second factor, right? So you can get into a passwordless situation where, you know, you do an out-of-band sort of push-to-accept type of transaction. And the device is the first factor. The biometric is the second factor, right?

And that's actually pretty cool, right, in consumer, because it's easy, right? I mean, you may have some challenges with enrolling it, but, like, it's user-friendly, you know. It's like, oh cool, like, I just logged into, you know, the service I'm trying to get to just by picking my phone up, authenticating, putting my thumb on the reader or my finger on the back of the phone, and I'm in, right?

I don't have to, like, type my password in or try to remember it or try to pull it from my password manager. It's like, oh, I'm just in, you know. So that's actually really beneficial in the consumer space. The enrollment side, like I say, is a little harder, but the user experience is great there, and it's interesting. Yeah, I mean, even you mentioned, like, oh yeah, the code goes to all of my devices, even the one I'm sitting on.

That's not ideal, of course, right? But it is still somewhat of a separate channel, because it's not in the same browser session, right? It's in a separate browser session. So you could argue that it is slightly more secure, but probably not ideal. Yeah, you mentioned there, Stephen, about the consumer brands kind of driving a lot of this. I think they're driving it from the standpoint that they're putting readers into their devices.

They're putting, you know, the touch ID or the facial recognition. But to me, it's the the Fido alliance with the fighter to standard web authentic, that's really making this interoperable and not proprietary. And so to me, that's such a key that You know, we continue to kind of support that recognize that, at least I was trying to give a nod to it here on the, on the podcast. Yeah, but I yeah, yeah. I also wanted to just mention. We had a guest Roger Grimes, who was on the podcast?

A couple episodes back. He wrote a book called hacking MFA and he kind of dissected the man in the middle attack built on the evil jinx. Framework, you get an opportunity to recommend highly going out and looking at that, because it really shows you how someone can take an out-of-band MFA. And if they set up a man-in-the-middle attack, really, you know, take advantage

of that. And this is a framework that's still out there on the internet today, and it's really, you know, kind of driven from phishing campaigns to get people to log into a fake website. Yeah, but, you know, that fake website's relaying those credentials and really just trying to steal an access token, right? Yeah.

So all that kind of led to the next question that I had for you in terms of kind of looking at your architecture, and I see you guys are standards-based in terms of the authentication: OIDC support, SAML support. I got the sense, and in talking to you I think you validated this, that you favor OIDC, which is, I think, the trend I'm seeing almost everywhere. You favor OIDC over SAML. I'm wondering why that is. Is it to avoid kind of the overhead of dealing with browser redirection, or is it something else?

So, interesting. I'd actually argue that that redirection is,

is the preferred way to do this. There's a lot of reasons for that. You know, if you think of it at a really sort of base philosophical level, you're not, you know, when you redirect, you're not necessarily sending data between two security domains, right?

You're redirecting the browser, the auth work is carried out, and then you're redirecting back to the original location that you were at, versus embedding, you know, sort of login UI within a portal, where you have to collect the information like username and password and pass it, you know, over to whatever your authentication solution is. So there's, you know, quite simply more attack surface there than you have in the redirection.

You know, in the redirection method. Another reason, you know, we would favor redirection is that, you know, UX or customer journey changes can be easily made with configuration rather than requiring code changes within your web app, right? If you change flow within a web app, you probably are changing

code within your web app. If you change flow within a solution that you can redirect to, you may be able to do it with configuration only, right? So it's a very quick change versus something that you have to involve your engineering teams with. And then, you know, we favor OIDC. You know, it's just more modern, right? It's based on REST APIs, uses JSON, you know, as the payloads, typically. It's more lightweight. You know, SAML is old. It's almost, I guess, almost

20 years old now. It's XML. It's very heavy. You know, OIDC takes things like data privacy very seriously. You know, like, consent handling is built into the protocol. So we do kind of have to begrudgingly support SAML for legacy reasons, and will for a long time. But I wouldn't advise anyone, you know, in this day and age to build a net-new app on top of SAML, no. That's kind of my personal two cents there.

I think we've been saying that SAML's, like the password, been dying, not quite as long as the password. But yeah, I think it's gonna be around for a while, unfortunately. I think, I'm trying to memorize, it was Ian Glazer from Salesforce, I think, that kind of talked about that. We had him on the show a while back, and that was back in, we recorded with him in December of last year, 2020. I think the show went live January 2021, and as far as I checked, SAML has not

died any further, is it? So, passwords haven't died yet either, but I hope the password dies before SAML. Yeah. No, SAML is going to be around for a long time, I'm afraid to say. Well, you know, problem is, if people keep using it, it's going to stick around, right? So at what point do you start to re-architect these old apps? Is it when the apps are end of life? Is it when something new, shinier comes along to replace it?

You know, what is it? I think it's just the nature of applications and how they're built. I want to pivot, though, because I want to make sure I leave some time to talk about something that I personally like to watch and enjoy. And it relates a little bit to customer IAM in a way. I'd like to understand, who is your favorite Twitch streamer and why is it you? Oh, well, yeah, why is it me?

I mean, I follow a lot of Overwatch streamers, and it's kind of my favorite PC game. I follow the Overwatch League, and there's quite a few, like, you know, professional players that stream often on Twitch. So I follow a bunch of them. That's really probably most of the time that I spend on Twitch, is doing that.

Yeah, I definitely, I've done a little bit of streaming here and there on Twitch myself, definitely not anything that I do with any sort of regularity, and it's usually the same two games. It's either World of Warcraft or League of Legends. So, two games that we will play despite the toxicity, I think, sometimes of either of those folks. But Jim, I think, wasn't your son looking at being a streamer at some point? Yeah.

Both my boys gave it a shot for a little bit, and they had some followers, and people made donations to them, which seemed really weird to me, as like, you know, almost like lesson guide only giving you money. Well, when was the last time you got a donation for this show? And we don't ask for them. It's fine. Yeah, all right, asking for them now, but I just, I thought it was weird. I don't know. Look, there's just

some things I don't get, and that's one of them. Get off of Jim's lawn, I think, is what he's trying to say, and I kind of think you're right. I do watch. I like the idea of Twitch and what it brings. I think it adds a social aspect to gaming that used to be there with couch co-op that doesn't necessarily exist anymore. You still have multiplayer online games. And obviously, you know, I have a long history of World of Warcraft. I used to be in a raiding guild.

So I have, you know, I definitely nerded out on that for a long time, definitely much more casual now. But when I see services like that, I also look at it, like, oh, that looks like an interesting game. Rather than me going and spending $60, $70 on the game, I'm gonna go watch someone play it and see if it makes sense, right? It's almost like a demo without any fee for it.

And sometimes these streamers can be relatively interesting and actually hold a conversation, and it's not just, you know, I think probably maybe what some people might be expecting if they're not familiar with it, is just, like, you're watching someone else play a game. Why is that interesting? I guess, Stephen, to turn it back to you, it's like, okay, so I'm watching someone play a game. Why is that interesting?

Stephen? So when I discuss this with the, you know, with the get-off-my-lawn crew, I kind of say, well, do you watch sports on TV? Do you watch football on TV or what? Why are you watching the football player on TV rather than playing football yourself, right? It's a similar analogy. I mean, that's what gamers want to do, is they want to watch

other gamers play, you know. And there's a lot of different reasons. You mentioned a good reason, definitely, which is like, oh, I'm interested in buying this game. I want to go check it out, see what people are doing with it, see if it kind of fits what I like to do. Another reason is people use it to get better, right? So, like, I watch Overwatch streamers because I learn all the horrible mistakes that I make when I play, right?

And I see what the professionals are doing when they play, and I go, I can incorporate that into my game, right? You know, it's kind of a learning experience as well, right? So, yeah, I think another thing that I saw, so this wasn't Twitch, it was YouTube, I believe. My kids kind of made their entry into video games with Minecraft, and people who do Minecraft videos, first off, it's, I don't know.

It's under the price, not a very high, fast-paced game. So the folks who would stream their videos were, like, entertaining, right? They're trying to make, like, a fun story, and they made it sound like they're having so much fun playing the game. And I think that was really what drew the kids into it in the first place. Yeah, yeah, and there's a personal connection thing there, too, because, I mean, you can talk to the gamers on Twitch.

And if you really like a, you know, a streamer, if you really like a professional gamer, like, they might actually reply to you, right, and actually call you out. And that's, I mean, that's pretty cool, especially, I think, for younger folks. They're like, wow, you know, my favorite streamer does actually talk to me, you know.

That's pretty cool. Yeah. We get that all the time with the podcast, you know, I'm sure. Yeah, autograph sessions, all that kind of stuff. So, you know, we get it, totally. All right. So, you know, at the end of the day, here's, I'm going to tie it back to identity, which is, especially when you mentioned, you know, getting better and watching how the pros do it.

And Overwatch, for example, it's all about owning noobs, right? Making sure that you're a step ahead of the game, whether it's on Overwatch or people who try to break your CIAM system, whatever it is. You want to make sure that you own the noobs. Would that be fair, Stephen? I would say the analogy is, if I want to own the noobs, I want to own the script kiddies that are trying to attack your portal,

right? Yeah, those are the noobs, in my view. Yeah, we had this conversation with that same guest, Roger, talking about hacking MFA. It was like, even if you had the worst MFA, that's going to block a bunch of the script kiddies, because, you know, it takes kind of next level versus just going to the dark web, downloading a password file, and trying all the passwords. Exactly. Wet Kleenex is still better than no Kleenex, I guess. Stephen,

You've been very generous with your time. But before we go, I'd like to just kind of give an opportunity for each of you to kind of, I guess, leave any pearls of wisdom, advice for folks who are looking at CIAM as part of their strategy that they're looking to address. What are some things that you hope people took away from this conversation, Stephen? I think you started the conversation in exactly the right way.

It's kind of fun. It's kind of understanding the nature of the difference between traditional IAM and customer identity, and making sure that you're kind of thinking through that decision process of what you're going to do when you go to undertake your first, you know, CIAM project, and understanding that decision process, understanding the trade-offs, understanding those differences that, you know, that we talked through, and making sure that you're

making the right, you know, purchase decision or build decision or buy decision, right? I think that's really the words of wisdom I would want to leave with. Jim, how about yourself? My pearl of wisdom kind of ties back to the episode we did with Martin Kuppinger. You know, the analyst firms put out analysis of a space like CIAM and include the major vendors, and some vendors don't even make it into that field.

Doesn't mean, if they're not in that analyst report, that they don't have merit, and just because they are on that analyst report, maybe they're the furthest up to the right, doesn't mean they're right for you. And I think, you know, just in having done the amount of research that I've done with Strivacity.

It's, there's a lot there that interests me, and I think that, you know, I just wanted the opportunity to say, don't kind of write vendors off just because they don't fit into the analyst report where you expect them to. You know, I think what's worth doing is, like, including some vendors who you wouldn't normally expect to win, three of them, into your RFP or your POC process, because the other thing that happens is there are vendors who are, you know, middle of

the pack or less, and three years later they're at the far upper right. There's others who are at the far upper right who get acquired, and then they just drop off the page in, you know, three to five years. So keep those things in mind. That's kind of my pearl of wisdom.

What I'm sitting here thinking about, I think we've mentioned this before, you know, analyst reports are great. They should be a data point to take as part of the decision, but they should not be the decision, and unfortunately I still see a lot of companies out there that, you know, they only look at Gartner, and if it's not on Gartner, we don't care. They're missing out on a lot of stuff, and they're probably, you know, paying a lot of money for things they don't need, all, you

know, sorts of things. So my recommendation would be, you know, if you're looking to solve a particular solution, or specific area, I should say, is talk with people who have already solved it. Talk with people in the space. Get out there and talk with other people.

In the IAM world, groups like IDPro, which have a fantastic Slack channel where you can ask questions like this, you know, ask questions out there, because, you know, you want to have more data points to have a better decision on what's right for your organization versus just taking the word of Gartner or KuppingerCole or Forrester or any other, you know, of these kind of analyst firms. So, all right, so I think that's enough soapbox.

At least it was for me on that topic. We'll go ahead and call it for this week. In the show notes, we'll have a link for folks who want to connect with Stephen on LinkedIn. People could also learn more about Strivacity at strivacity.com. Strivacity. Like I said, the link will be in the show notes, and we'll also have a couple links to some of the blog articles that we mentioned.

As part of the conversation here around differences between enterprise IAM, customer IAM, trade-offs for versus open source, things like that. So there'll be a wealth of knowledge that people can check out there. All right, so I think we'll call it. Stephen, thank you so much for your time. Jim, thank you so much for your time, and we'll talk with everyone in the next one. Thanks for listening to the Identity at the Center podcast.

If you like what you heard, don't forget to subscribe and visit us on the web at identityatthecenter.com.

Transcript source: Provided by creator in RSS feed