
#128 - Fraud Reduction Intelligence Platforms with John Tolbert

Dec 13, 2021 · 48 min · Ep. 128

Episode description

Jim and Jeff talk with John Tolbert, Lead Analyst and Managing Director at KuppingerCole, to learn more about fraud reduction intelligence platforms and how they fit into an identity program's capabilities.

Connect with John on LinkedIn: https://www.linkedin.com/in/john-tolbert/

Learn more about KuppingerCole: https://www.kuppingercole.com/

Fraud Reduction Intelligence Platform Leadership Quadrant: https://plus.kuppingercole.com/article/lc80488/fraud-reduction-intelligence-platforms/


Connect with Jim and Jeff on LinkedIn here:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/


Visit the show at www.IdentityAtTheCenter.com, follow @IDACPodcast on Twitter, and check out our live streams at www.idac.live

Transcript

You're listening to the Identity at the Center podcast. This is the show that talks about identity and access management and making sure you know who has access to what. Let's get started. Welcome to the Identity at the Center podcast. I'm Jeff. And that's Jim. Hey Jim. Hey Jeff. How's it going? Oh, not so bad, yourself? Good, good. I can I use the same joke that use the previous episode. How do you like my my backdrop? How do you like my expensive books and bookshelf?

Look so real. So many fine leather bound items as our friend Ron Burgundy would say you'd be shocked to know that it's actually a green screen that I haven't put it in a fifty thousand dollar. In my home. Yeah, it's a nice-looking Library, that's for sure. Not now, your sad pathetic, life of having to like, get up screen and look around where you're at, because I I know where your record is. Like I like you Jim, but I know that that's not through the area.

Yeah, exactly. Well, maybe someday, I mean, the podcast getting pretty popular, your the topic that I wanted to bring up is and this will be, you know, stealing from my predictions down the road. But I can see us being a top 10. Cast in the world and not, we're not just talking about I am which you know, that would be pretty impressive in and of itself. But what is the statistic for top podcast, a top-10 podcast, top 10%.

I should make that clear, right? We're not going to be a top ten podcast in the world, top 10 percent. Yeah. So, you know, I've actually met to bring this up on previous episodes, but we've been doing really well. Surprisingly, I think shocked, He's so currently, if you consider all the podcasts globally and there's like some 90 million episodes or something like that that are out there. We are actually somewhere between the top 25 and like 10% or 15% of all podcasts in the

world like globally. Not just identity everything, which is fantastic. And certainly you know I'm going to I'm going to nominate everyone who's listening as listener of the week for being Part of that Journey. As we you know, started us off a little over two years ago and it's like, you know, I was just Jim and I listening to it but we certainly grown but yeah, it's pretty cool. Yeah. I think this is an area that is

ripe for disruption. So if you're listening and you have like a product that does a good job of accurately and this is the key word accurately getting podcast statistics for listenership across every single service that's out there because

that's the challenge. I would certainly be interested in hearing because Certainly products in this space that do it. But it seems to me that accuracy is a little bit of a question mark, because if you think about like, you know, I know most of our listeners, for example, listening on Apple. That just happens to be our most popular platform based on the stats that I see, but there have a podcast, you know, host and vendor is of their own.

So, of course, they want to, you know, keep sales information, just like any other type of add information to themselves, they may or may not make some pieces available to our podcast host, for example, spotify's another one. One Google's another Amazon and it seems like there's a whole bunch of these other different aggregators are out there but yeah, based on the stats that I can see.

We're, you know, we're in the, I would say somewhere in the top 15 ish percent of all of all podcast worldwide which is, which is crazy, absolutely crazy. I think so too. The thing I threw out there as a challenge to all of our listeners is if you would prefer to have this be a video podcast. I can't guarantee that it'll happen, but let us know because going to start doing the live

streaming. We have video cameras, we potentially could do it. It's a lot more work and honestly after watching a few live streams, you might change your vote but you know, let us know because I think it's something we've been debating whether or not people actually would want that. It is a lot more work that is for sure, audio is relatively Easy at this point for me to edit and, and host all that. So now we're getting to the big guns. But, yeah, the live streaming

stuff will be interesting. I think we'll start there. The last thing I just wanted to mention is, I think this is our last episode for the year, right? So we will be back in 2022 and so we're just going to take a couple weeks off. Try to spend some time with the fam and do all that good stuff. You know, last year we decided to do the same thing and then the SolarWinds, um, supply chain hack took place, and we did a special episode, so something like that could happen again.

But at this point, we're planning on taking a few weeks off. Yeah. You're the mad man recording like Christmas Eve or something like that. And I was like, all right, I'll edit it but I'm not getting them. I'm on vacation too. Yeah, last one for for a few weeks, but we are planning to continue the live stream through the break here. So relatively new for us, we're still kind of experimenting experimenting with it but it's a live stream on YouTube. Follow us on Twitter @IDACPodcast.

That's kind of the well now it's when we're going live. If you go to idac.live, that'll take you right to our YouTube channel as well so yeah. Hopefully people can I check it out. It's an opportunity to interact too so you can kind of take comments and idea there's been like 15 minutes so it's something super easy for Jim and I to get on be a little more current with some of a topics and make that going on in the

world. But also if there's things that pop up during the week, we kind of address it as a quick hitter so The key is, you know, light and Breezy, nice and easy, you know, something along those lines and right now I will try to do it on Friday mornings, I think. But we may have to flex it maybe to other days of the week depending on kind of our schedule. So that's sort of the plan as we kind of move forward, but why do we get into our main topic for today?

Since we want to end on a high note, we're going to talk about fraud reduction platforms, and to help us with that conversation is a guest we just had on just a few episodes ago. Episode 124, we talked with John Tolbert, Lead Analyst and Managing Director at KuppingerCole. Welcome back to the show, John. Hey, thanks for having me back. Yeah, so thank you so much for coming back and I think this is an area that really kind of dovetails really well with our previous conversation around

consumer or customer IAM, CIAM, and, you know, this is a capability, I think, that kind of resides in in, in that area of, you know, how do we make sure that now that we are managing our customers, right? That those ideas are maybe not doing things they shouldn't be doing. So why don't we kind of break it down for the folks who are listening in who might not be as familiar with this space as we get into it.

And let's start with what is a fraud reduction platform? A fraud reduction intelligence platform I think of as a service that sort of aggregates lots of different bits of intelligence about the consumer, retail, finance, lots of different industries, and helps those subscribing customers to reduce the amount of fraud that they have to deal with.

And again, you know, it cuts across many different industries. We probably think most commonly about finance, but, you know, retail, healthcare, travel and hospitality, you know, fraud has been on the increase year-over-year and, you know, the last 18 months or so with COVID, we saw new forms of fraud, you know, being generated. So, you know, fraud reduction intelligence platforms help businesses kind of stay ahead of that and reduce those unwanted

fraudulent transactions. We had a conversation last week with our mean from paying around identity proofing and I know that's one of a kind of the major areas. So I think that's kind of included. But are there other other areas of fraud reduction that are kind of seen as like a core? In C or capability. Yeah. I call it six major capabilities and yep. Identity proofing is definitely one of the really important ones there.

It's good in many cases to be able to tie the right individual to a digital account and, you know, depending on regulations and the type of transaction it is, that's actually required to be able to do that. So, identity proofing is a very important fraud reduction technique.

But then we also have things like compromised credential intelligence, you know, knowing where maybe a credential has been misused recently, that can be a factor that can help, you know, throw an alarm. Then we have things like user behavioral analysis, device intelligence, behavioral biometrics, and bot detection and bot management was the major six major areas of fraud reduction. Relevance what are some of the threats that I guess these kind of platforms

Try to solve? I know, we see we tend to see, you know, themes, I think from a cycle of where the attacks are coming from and what they're trying to look at obviously, ransomware is kind of a big one right now, but when it comes to, you know, the fraud reduction side of things, what are some of the common threats that that are out there?

The one that those in most industries are worried about is account takeover, and it is exactly what it sounds like, you know, taking over somebody's account. Often, unfortunately, it's too easy to do that because there's still password-based authentication out there or, you know, in some cases, maybe those passwords are backed up by knowledge-based authentication. Security questions, you know, asking, you know, mother's maiden name, what high school did you

go to or something like that? All that information is publicly available if a fraudster wants to search for it. So unfortunately, it's in those cases where you're using password authentication backed up by KBA then it's all too easy to take over accounts. So that's another reason why we recommend heartily multi-factor authentication wherever we possibly can. But yeah, account takeover, I'd say, is a number one concern globally, and then, there's also new account fraud.

Sometimes you'll call it account opening fraud, or synthetic fraud, and that one's a little bit different. That's where you take bits and pieces of PII, personal information, and try to use that to assemble an account. And fraudsters do that again for financial reasons.

They're trying to build accounts to, you know, be mule accounts, move money around here, there and everywhere, and information that, you know, might be obtainable from healthcare records or education records, you know, names, address, date of birth, other pieces of information, you know, just how you're building a digital account normally, can be pieced together by fraudsters to create an account that then resembles a real person, but it's not the real person.

And they're going to most likely use it for some sort of illegal activity. So I'd say those are the top two. There are also things like SIM swap attacks, you know, getting a mobile operator to sort of reassign where a number rings to, and this is one of the, or where texts go. This is one of the reasons like SMS OTP, one-time passwords, you know, getting a text on your phone to get you into a site

can be problematic. Because if there's a SIM swap on, on one end of the channel, then the fraudster can then direct those password reset requests or authentication requests to a device that they control. So, that's closely related, but different means to get there. I think I use Casey brought up their job with the Opening. That's the one that I've kind of become most familiar with in the fraud reduction. I think it's interesting to call it fraud reduction rather than fraud prevention, right.

It's kind of acknowledging that even with these solutions, you're not preventing fraud. You're just making it more difficult for the fraudster to do their, do their dirty deeds. But, you know, kind of back to that account opening, to me, that's the, when you talked about the PII. It's, you know, to give a real world example, is when you go into an application, they say okay, which of these four of these four streets have you ever lived on, right?

And we'll list four streets and it's just that one that jumps out and you're like, oh yeah, I've lived there 20 years ago or I lived there when I was a teenager or something like that. As you know, you slept which one of these cars. Have you ever owned? You're like wow, how does this thing know so much about me? Well, you know the big major credit agencies know that value. And I mean, correct me if I'm wrong but aren't those some of the biggest players in this space?

Yeah, both globally and especially in the US, credit rating agencies have a lot of information about all the consumers. So, you know, much of that information is authoritative, a lot of name address pairs. All that information is available from places like that. But then, you know, there's also different kinds of sources like, you know, local government agencies, DMV, these different types of licenses that have been issued, taxes.

There's there's information that can be used to construct those accounts outside of credit rating agencies to write very. Yeah, it seems that there's a whole business model around aggregating that data and then there's a business model around how Who's the who builds the best mouse trap to use that data to create a fraud reduction of the most high-profile prevention fraud reduction platform. You know, usually where I see

the. So we split our time on the podcast talking about enterprise identity management, you know, how things are used to manage your workforce, and customer identity management. When I think of fraud reduction my mind usually goes to the consumer customer IAM platform. Is that generally the rule, or are there also some enterprise use cases that that benefit from fraud reduction? Yeah, I think, I think you're right

most immediately. We think of how this can benefit consumers and consumer facing organizations. But, you know, a lot of the mechanics of how this is done can be used behind the scenes, just a way for Enterprise authentication. So, you know, we want not only to see Enterprises using multi-factor authentication to protect their assets but also risk-based authentication.

So a lot of the same types of risk engines that can evaluate bits and pieces of information about consumers at transaction time can also be used to look at how an employee logging in from a different location, you know, give it a risk score. So you know, technology behind that can be very similar, it comes down to, you know, what are the information sources? How do you prioritize those factors in policies and then

what do you want to do with you? I mean, one of the things I've always kind of wondered or thought about like, wow, you could really choose this kind of identity verification so many ways, including enterprise use cases. But what I've kind of heard is that the these very expensive to use this fraud reduction methodology to kind of use a just to pick on one of the big players in the space. Orion to use an experience application to sc's questions. It's not pennies, it's more than that.

And obviously, when you're, we're talking about opening a bank account or opening an account to trade cryptocurrency or something like that, it's uber important to verify that identity versus other scenarios where, you know, in like a retail environment as long as you're able to provide some level of verification, it's good enough.

Well, I think, you know, again, kind of unfortunately with the rise of COVID, we've seen some interesting technology applications though of, let's call it fraud reduction technology, the identity proofing piece especially, for onboarding new employees. So again, you know, there are certain pieces of information you need to put together depending on, you know, what jurisdiction you're in, in order to onboard an employee. So you know, these remote identity proofing

apps have become quite popular in the last year and a half or so. And I think that's only going to continue to gain in popularity and that's a direct application of, you know, a type of fraud reduction technology for an enterprise use case. I think we're seeing more more use cases come out of this because I think of, you know, the current pandemic situation and and vaccine cards, right?

So I think a lot of organizations are trying to figure out how they comply with maybe local orders on vaccination status for employees, you know, federal contractors, for example, in the U.S., you know, whatever government mandates are kind of out there when it comes to that is how do you securely gather that data rather than just say I'm just going to put it on our company's SharePoint site?

Right? I don't think that's that's probably the way to go with it. So I'm seeing, you know, organizations take this third-party approach to try and gather that information. So I'm wondering if fraud reduction platforms also play a role in the secure collection of some of this data to kind of facilitate that in a way that maybe people are more comfortable, at least on the enterprise side. I'm wondering. And it's kind of open question, right?

I think I'm just curious. If if, if you see it like that John or if there's other ways that maybe I should be thinking about as well, you know, I think that's an interesting

possibility, I have not. I don't have any answers right now about is this something that's actively going on, you know, in a commercially available product for me, especially, you know, in our locale. But it does seem like if there were authoritative sources of information about vaccination status then, yeah, that would be something that could be built in. I'm surprised there hasn't been a bit more uptake on solutions like that, same thing with like,

you know, decentralized identity, blockchain-based identity for these kinds of COVID-related use cases. Yeah. Give it 20 minutes. I think as fast as tech moves, somebody like primary building an app that right or their re-engineering. Business process under existing at the kind of account for that use case. Speaking of use cases, what are some of the key use cases that really these products are trying to solve because I know it's really the collection of the

data, right? So it's kind of out is okay, this is Jeff and he is who he says he is and I think of the typical use case of onboarding a new employee. I need to show some sort of documentation that I am allowed to work whether it's an ID or some sort of government thing, whatever it might be, at least in the U.S. What are some of the, you know, other use cases that this sort of helps with? Well, you know, again, looking at those types of fraud, there's a lot of different variations on account

takeover fraud, for example. So there's, you know, probably rarely one-off attacks on on people's accounts these days. You know, we often hear about credential stuffing attacks using information from perhaps the dark web, combinations of usernames and passwords, to go out and sort of spray that against a bunch of different sites. See if people have reused passwords between sites and then, you know, if they have, you can take those accounts over if you've Her best word for it, you know.

So, some of these more high-assurance kind of use cases, I think that we've been hinting at, you know, with like employment verification and, you know, the need to concretely identify where a person has lived over the years. There are also, you know, lower-assurance kinds of use cases that, you know, maybe certain kinds of businesses, retail.

They don't necessarily Need that rich history or, you know really strongly assured identity for, you know, purchasing certain kinds of goods online or buying food at a grocery store. So you don't need that. But you do want to be assured. That, you know, this isn't a fraudulent transaction, especially if it's a, you know, card-not-present kind of online transaction. So yeah, there's there's lots of

different applications to this. That's I think we see many different approaches in fraud reduction because there's the identity of who proofing, but now we see lots and lots more use of like behavioral biometrics. So you know, for retail use case just having an assurance that the person who's using the device is the same person that registered, you know, in many cases, that's enough to lower the risk significantly enough to allow transactions to go

through. So those are some of the advantages things like behavioral biometrics could bring to fraud reduction. John, going to get up on my soapbox here. You talked a little bit about when you're going over the six areas of fraud reduction. One of the areas that I think you mentioned, I don't want to verify that, I got this right is knowing when an account has been compromised elsewhere, right? So this is something that I've seen and I'm going to just call

out. I think Microsoft was saying look across our You know our Office 365 or Azure environment, plus Microsoft Live, plus plus plus all these different plus Hotmail. You know we've got all this these logins billions of logins per day we know which which accounts potentially been compromised, plus, we're in a Consortium with Facebook and Google who by the way, don't compete on the access management side of the house. You know to me it's kind of like, you know, they're using

that. That's security as a business differentiator, which concerns me a little bit, right? Because I feel like that's something that potentially puts them in an anti-competitive position. I don't know if that's something you can talk about but I wanted to throw it out there. Yeah, I probably wouldn't comment too much on that other than to say, yeah, there's there's an advantage in having lots of login and transactions transaction information to review.

I think there are are definite patterns that can be detected. And the more information you have potentially, the more accurate you can be with those predictions and there does seem to be in in some cases silos of information where, you know, a

particular vendor in this space. They can aggregate information about what they see across all their customers, but, you know, if there aren't information sharing mechanisms in place between vendors, then You know that could tend to limit the amount of transaction information available for analysis. You know, I think this is where we've seen a competitive Advantage kind of breakout from

a war between the top vendors in the authentication space. Microsoft talks about their signals that they get from across their Microsoft stack, right, of all the authentications they have, you know, and I think I think at this point we're starting to see the beginnings of what might be called monopolistic behavior when it comes to authentication and logins. So this is purely my opinion. So please don't hold anyone else accountable.

But I see things like Microsoft, Facebook, Google and some of the big IDP players that are out there, right? Social logins where they're collecting a lot of information from the authentication standpoint but they're not necessarily sharing it. You know, Google and Microsoft are not sharing their authentication signals with each other because I think that it's seen a little bit as a competitive advantage for the security

they can provide for their users and I know that certain governments are more tolerant of monopolistic behavior like that. At some point, does this type of data enter into that realm of, well, hold on a second, we need more interoperability and if you don't do it voluntarily we're going to kind of make you do it, which obviously opens up government and all the feelings that go around, you know, big government, little government. What you saying?

Say, you know can and can't do. But if if the current trend continues where Microsoft, Google and, let's say, log in with Facebook continue to dominate login boxes around the world, at some point, does it enter that enter that state? Now, Apple has started to fight back a little bit with their D Central, not decentralized, but with their obfuscated user ID, but now they're collecting data as well, right? So, they know what you're logging into and I'm just

curious. John, I won't put you on the spot but it was That I would just kind of occurring to me as we were kind of talking about this authentication strategy of this consolidation of user authentication information at what point? Do we really need to open it up for the benefit of others or do we leave it as a competitive Advantage for these organizations to take advantage of and build better products on? Well, you know, I I think I would say there is value in the compromised credential

intelligence piece to this. But even so there are other things that that consumer facing organizations would want to consider besides just the compromised credential intel. You know, there's user behavioral analysis, and that's something that they could do potentially on their own or, you know, through interaction with their fraud reduction intelligence platform vendor, you know, thinking about

financial transactions. For example, going beyond the login, it's good to know what the pattern of transactions has been for a user over a given month, six months or a year, you

know. So that if suddenly there's a request to transfer thirty thousand dollars to someone that's there's no history of that in the user's behavioral profile then that should, you know, raise a red flag and stop that transaction until there's some other kind of implicit or explicit, I mean, authorization from the user.

So yes, login information is useful but there are other things like UBA, the behavioral biometrics, device intelligence. Device intelligence, I think is, you know what we think about strong authentication and needing, you know, two out of three different kinds of factors. That device intelligence is in many cases just as important as, as others because then you'll, you can find out IP reputation, device reputation, you know, typical location

history for a device. I think that's something that's just as important as all the other factors as well. So we'll be back in person at conferences at some point. Anybody who wants to discuss this further for a beer? I would love to to dive into this topic, but let's get back on track. Do it for a bit here, John, and I wanted to talk about kind of

the approach. So evaluating the market, you know, as a consumer, or somebody who's representing an organization that has A need for a fraud reduction platform. I'm wondering in your mind, two things. One is, you know, what should I be looking for? And the second is, you know, from the standpoint of who in that organization is, it should be, you know, doing the shopping or brought to the table as the shopping is being performed.

I think, you know, when we talk about who's responsible for securing an organization, most people are going to point to the CIO or the CISO, they're not going to point to the business. So you guys are responsible for securing the data but this is one of those technologies that sort of blurs the line. And I feel like there needs to be participation from that business side in the selection of a fraud reduction platform, right?

I'm just wondering do you kind of share that perspective and then again, you know, again the kind of the beginning of the question was any kind of what should I be looking for to kind of help me decide which platform makes sense for me? You know, in a way you're setting up to answer your own question. I think you need to know your business in order to know what to look for. So yes, to a degree, CIO, CISO should probably be involved with these are more business-driven

kinds of decisions. So let's say you're in again in retail or travel, hospitality, industry like that. The business people probably have a better handle on the kinds of threats that may arise purely from the fraud side than, say, those who are charged with taking care of the infrastructure. Most of these are delivered as services or almost all of them really are delivered as services. So, this is something that you hook up to via API. This is a service that you call

at runtime, you know? Direction until service. So it's not something that necessarily needs to involve the, the security infrastructure directly. So I think of it more as a business decision and having the Business Leaders involved in making those kinds of selections. I think makes the most sense. Yeah. I think that makes sense, because at the end the day, right? The business of third data. And if I'm in the position of saying, okay, we need to have this capability.

Who's going to help me Define what the rules are to even? Identify a pattern of fraud, right? The business is going to help me make that decision. So if I, you know, I guess for my own personal perspective is like, okay, I'm going to give a tool and then someone's gonna make me use a tool. I should at least have hopefully have a say in what tool is being used.

I think having that input is it would probably make a lot of sense and I think of things now of other areas that this might stretch into, things like KYC, or know your customer, or AML, anti-money laundering. Are these are these types of capabilities and services part of that fraud reduction platform or is, are those separate capabilities? How does that work? That is built into many of the

solutions. Many of the solutions that I reviewed this time around do have those kinds of capabilities for do it both KYC and AML, in, you know, in some cases, even more, you know, PEP compliance, politically exposed persons effect, lists things like that can be checked for at

transaction time, so that those are, you know, have a smaller audience maybe than some of the broader lower-assurance kinds of customers they may be dealing with, but it's extremely important that they comply with those regulations too. So, yes, to succinctly answer, AML, KYC is built into many of these solutions that are out there today. Yeah. And, and this is an area that you did did some recent

reporting on, right? I think it was June of this year 2021 that you had the leadership quadrant for the fraud reduction intelligence platform. So I have a link to that in our show notes so that people can check that out any anything that you want to kind of tease people who might be interested. Yeah, there's there's a lot of content. There's a lot of variety in the solutions that are out there.

There's a like a base set of capabilities that needed to be in there but I think going through it carefully, I mean, if you're in the market for this kind of a product, service really, then you look at, look at the details, see who covers your industry, your particular technical requirements and make

decisions based on that. So I think what we'll try to do now is pull us back up out of the heavy-duty fraud conversation, and since this is the end of the year and we typically end a little bit on a lighter note, it would not be an end-of-year show of any sort if we didn't do some sort of predictions for 2022. So what I'd like to do is take us around the room, and we'll start with you, John, and then go to Jim. What are your identity predictions for 2022?

And they can be good or bad, right? I'll leave it up to you if you want to be an optimist or a pessimist. Well, I'm gonna go out on a limb here and say that we will probably still be entering passwords and answering security questions here and there. That's a real stretch. Well, you know, okay.

Okay, so on a more serious note, you know, this identity proofing piece, coming at this from both the fraud reduction side as well as the consumer identity side, I'm seeing much, much more interest in this, especially the different gradations of how that might be included into the transaction-level analysis. I think in 2022, we're going to see a greater emphasis on identity proofing even, you know, amongst different kinds of

consumer-facing sites. I think that will avail itself as add-ons through a lot of the CIAM solutions that are out there. Sounds like a byproduct, right, of the pandemic and the less in person, but still need to verify identities and validate statuses of maybe bits and pieces of information. So I'm on board with that. Jim, what about yourself from a prediction standpoint? What do you see for 2022? You know, Jeff, I'm typically

a very optimistic person. But the thing I wanted to come through as some kind of prediction that wasn't just like, hey, I think more people are going to move to the cloud, because I think that one is kind of like John's, you know, passwords still going to be around. I mean, here's what I'm worried about.

I'm worried about continued escalation of not only ransomware but, you know, potentially state-sponsored hacking events that start to blur the line between computer hacking and physical military intervention, and that this continues to create more tension between the United States and China and Russia, to the point that maybe some of it boils over into military-level conflict. So that's my concern. I don't know. That's definitely not ending on a lighter note.

All right, we'll just the goal of this segment but that's my real. Star in a movie, we saw with the, you know, the pipeline hacking this year. I think a message was sent that, you know, the ransomware crews need to really back off. But there's just so much opportunity to make money with attacks like that where you have companies that are going to have to pay.

And they've, you know, underinvested in technology, and then plus the reports that you keep seeing come out with zero-day vulnerabilities. Software has gotten so complex. I was listening to a podcast from KuppingerCole, actually. KC Live has a fantastic podcast that I recommend people check out, and Martin was talking about the amount of lines of code that go into a traditional

software product. And it's almost impossible nowadays not to have bugs inherent in a complex software program. So I think, you know, zero-day vulnerabilities continue to be found, which means that every organization is vulnerable and, you know, anyway, I don't want to harp on that negative prediction, but I don't see anything that's going to turn the tide in the other direction

to me. It just seems like the problem is getting worse, and at some point the government's going to have to step in and say, you know, we can't fight this with ones and zeros. Okay, so yeah, I'm good. I don't know if I necessarily have a more positive one. I feel like it's a little bit of a Debbie Downer situation, but I think we're going to see a couple things. I think we'll continue to see zero trust be sort of like the marketing term du jour for

organizations shifting, that we've already seen kind of this year kind of take hold. I think, just based on the slow-moving trains that a lot of organizations are, 2022 will really be when, okay, now we've got room, budget to kind of address some of those things for this hybrid environment of people working from home, remote. I think VPN will still be around, but I think its days are starting to get numbered, and I think we'll start to see more of that zero trust edge

kind of process be in place. I think I'm going to see a lot more organizations struggle internally if they have not invested in just the basics of identity management. You know, Jim, you and I, the work that we do, we see a lot of kind of immature organizations, just by the nature of what we work on.

And, you know, they're using basic processes, things are manual, and they've really fallen behind where they should be at this stage of the game, where they don't have, you know, dedicated IGA tool sets, they're kind of doing things in Lotus Notes or other things, right? You know, we joked about several months ago, you know, around, hey, if you're using Lotus Notes successfully and you're really

happy with that as an IAM platform, please come on the show and tell me I'm wrong. Zero people have come to be on that one, just as an update, if you want to look back on that. But I think, you know, just from a maturity standpoint, if you're not doing the basic blocking and tackling from an identity perspective, you know, even just the basics of identity governance, automated onboarding, off-boarding, just for Active Directory, even basic access reviews, basic privileged access management.

That means more than just, I have this vault and I put passwords in there but they don't rotate. You know, there's no discovery of those things, you're not doing anything on, like, session management. You don't have MFA in place or even adaptive or conditional rules in place. Like, that's the basics, and I think it's so hard to catch up if you don't keep up with it.

So what we typically see, at least from my perspective, is this hurry up and wait, and then you stop investing, and all of a sudden what used to be considered great was, yeah, you're barely cutting it, and you're having to spend a lot of money doing any number of things manual, you know, support for things, fraud issues that might come up because you don't have the appropriate behavior analytics.

So unfortunately I think I'll continue to see a lot of those organizations that just have invested internally in identity, and I think, hopefully, the positive spin on that will be that they took this last year and realized, oh crap, we really need to get our identity hats on and kind of fix some of these systemic issues that might be present in the organization. So that's going to be my prediction. John, do you want to weigh in? Do you think, are we Negative Nancys here or Debbie

Downers, for people who are familiar with Saturday Night Live? Well, don't leave it to me to be the optimistic one. That's not a good idea for the voice of reason and sanity. Yeah, I mean, there will continue to be attacks, I'm sure. Ransomware is not going to go away if it makes the criminals money. Fraud's not going to go away. All these things mutate and change. I mean, the real-world analogs are really good examples.

You know, things like viruses themselves, you know, these things change, and we have to kind of retool and adapt our own processes to deal with it. And those that do a better job at that are going to be more resilient against different

kinds of attacks. So, Jeff, what I was going to add, based on what you're talking about with organizations that are laggers, that are closer to the starting line than they are to the finish line: it reminds me of that one meme where you can see a lion and these two antelopes are talking. One antelope says to the other, "I don't have to be faster than the lion. I just have to be faster than you." That's the old, how do you run away from a bear,

right? You don't have to be the fastest, you just have to be faster than your friends.

Yeah. You've just got to be faster than your friend. And, I mean, how that applies to what we're talking about is there's so many of the fraudsters out there that are looking for easy pickings. A lot of them are not computer scientists who can come up with the zero day. They're people who can download scripts and go on the dark web and download tools and work their way into your environment and then run Mimikatz on your Active Directory.

But once they own your Active Directory, they own you. You pretty much are in a position where you can't conduct business. And so, I know, you have to be faster than your friend, or you have to be faster than the other antelope. You don't want to be the total lagger that is just sitting prey. Yeah, exactly. All right, so somewhat, I don't feel we were successful in ending, I don't know, I don't

know. But I think it was interesting from a thought-provoking perspective to say, okay, you know, what are your thoughts going into 2022? Like, what do you see happening, right? Is this the year passwords will die again, for the 10th year in a row? Who knows? Right. I'm optimistic. I think there's a place for it, but, you know, we'll see. Before we wrap up here, any final thoughts,

John, as we kind of, anything we've talked about today, whether it's the prediction side for 2022 or the fraud reduction kind of components we talked about before? What are some final things you want to leave with us for 2021? No pressure. Well, I guess I would say, you know, just thinking back on fraud reduction, there has been a massive evolution in fraud techniques.

And what I find valuable about the solutions that are out there in the fraud reduction space is they evolve as well, you know, and I think there's hope in that, just like there is for identity management in general. Yes, there are organizations out there that don't have as mature infrastructures or processes in place as they should. But, you know, there are those of us who are part of this community that are willing to help and provide assistance and guidance in that.

So I think that, you know, taking a look at the kinds of work that you're doing with the podcast and others in the industry here, I think that maybe that should give us a way to end positively. I think John just called us heroes and I'm going to take it. At least that's what I'm going to glean from that. But yeah, I think you're totally right, John. Right. There's a bunch of IAM heroes

that are running around. If you're listening to this, you're probably an IAM hero for your organization, or you're providing IAM heroics for some other organization, whatever it looks like. So, well done. John, I like that. Jim, how about yourself? Final thoughts? Yeah. Silver lining here is that for folks who are looking for a career where they can make a difference and make an excellent living, identity

and access management or information security, fantastic field. I encourage anyone who's interested to, you know, tap into us as resources, tap into the community. I'd love to see more universities put together degree programs focused on information security and identity and access management. It's a field where right now there are more jobs than there are people to fill those jobs.

So, I mean, maybe overall in the economy that is where we are across all industries. But it seems like this problem, you've good economy or bad, identity and access management and information security are, you know, white-hot fields that you could build a great career in, and plus you can be one of the weirdos that actually picked identity and didn't just fall into it by accident. Like, my theory is that most

people did anyway. But yeah, it's a great community, tons of great resources out there and tons of great people who are totally interested in sharing the knowledge, right? A lot of this is not competitive secret sauce where people are not willing to share it. So we encourage people who are interested, check it out, tons of resources. We've had some folks in the past that have been, you know, getting back to the community as well. I think it's people like Andrew

and David, and things like that. Where there's just tons of resources out there that's community-driven. So, so there we go. We brought it back to the positivity side of things, so that's good. We're going to go ahead and end it there. I think, you know, this has been a great year for us and we certainly hope to see the continued growth and listenership that we have all around the world and hope people have a great holiday season here, over the next few weeks

while we take a break. So, again, just a reminder, we will take a break here for a few weeks for podcasting, but we are going to continue, theoretically, some of the live streams. So keep an eye on Twitter at @IDACPodcast, that's where we'll announce it. And we'll be streaming on YouTube here and there over the holiday break. So come join us there for some quick conversations. So with that, we'll go ahead and leave it.

Thank you so much, John. Thank you so much, Jim, and we'll talk with everyone in 2022. Thanks. Thanks for listening to the Identity at the Center podcast. If you like what you heard, don't forget to subscribe and visit us on the web at identityatthecenter.com.

Transcript source: Provided by creator in RSS feed