You're listening to the Identity at the Center podcast, the show that talks about identity and access management and making sure you know who has access to what. Let's get started. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey Jim. Hey Jeff, how are you? Oh, not so bad. Yourself? I'm good. I'm good. I'm not going to complain about the heat wave. I live in Georgia and it's hot for like four months straight.
So to me, I know a lot of the folks I'm talking to from around the country are like, oh my God, it's so hot, but to me it's just another day of hot. I'm now in the mountains of Western North Carolina, so it's not quite as hot, which is kind of nice. Still humid, but surviving. I think, yeah, the heat wave has been all over the world, basically. You know, like England got hit. I think it was last week, or maybe it was earlier this week. I don't know, time's flying at this
point. Yeah, right. Yeah, the big thing I've been working on this week is kind of coming up with a conference plan for the group that I'm in. And really, you know, obviously you've got the opportunities, like business development opportunities, that come from conferences. Then, on top of that, of course there's the training aspect, you know, go there and receive training. And I think the third thing that doesn't get enough attention is that it's really like a reward, almost like a retention kind of aspect to conferences. Like if you bring folks to conferences, or let folks go to conferences, they see it as, you know, they're being rewarded, or they're being recognized as somebody who's worthy of being invested in. What do you think?
I think, I feel like we talked about this a few weeks back. Generally, I want to agree with you. There are some people who don't like going to conferences and might see it as a punishment. So I could see it as a two-sided coin. I think it just depends on the individual. And, you know, why are you going there? I think my attendance at conferences has changed over the years. It used to be for learning; now it's less so. It's more networking and, you know, business development and sort of things like that. I kind of wish it was, you know, more focused sometimes on the learning side. But you get so busy at these conferences, going from one meeting to the next to another, that I'm always personally finding less and less time to actually sit down and listen and enjoy the content live. I have to catch it after the fact. So, I mean, during the pandemic we were attending conferences virtually. I did that myself. You know, what I found was, a lot of times I couldn't stay focused on the conference the entire day. So, you know, especially knowing that sessions would be available for later viewing, I felt like the training and learning side of it was enhanced, because you can really focus on it, but everything else was not nearly as good.
Yeah, that's for sure. I mean, the hallway conversations, just, you know, seeing people and faces and voices that you recognize, that whole stuff. Definitely, it's back. I was at RSA earlier this year, missed Identiverse because I was moving, and then we're gonna be at Gartner in a few weeks. So I'm looking forward to that as well, but it's back, man. It's just sort of like, we're just going to move forward now, unless something happens that kind of moves things backwards, but I don't see that happening. No, I don't think so. Yeah. So, as you mentioned, we're heading out to the Gartner conference and hoping to up our podcast game a little bit. What are your thoughts? I think, yes, upping the game will be a challenge as usual, but we're starting from zero. So anything is an improvement. We are actually still looking for a place to record.
While we're out there, we actually tried to go the Gartner route, and that was not successful in finding a spot that we could set up camp at. So if there are any friends of the show out there that have, like, a breakout room or something that's convenient within the conference space in Las Vegas, reach out. We'd love to figure out how maybe we could share some of that space with you, at least for a time, because we are definitely looking to do some podcasting and get some guests. And maybe even, hopefully, if we can get enough people, you know, one, two or three people that want to watch how the sausage is made, so to speak, that's certainly an option as well. But as of right now, I feel like it's going to be you and me holding these little microphones and accosting people in hallways, or trying to find little cubby holes that we can do things in. I guess we could try to look for, like, a suite or something like that at Caesars, but that's nowhere near as convenient. That's kind of like a fallback plan right now. So, hey, we'd like a show. We want you to walk half an hour across this casino up into this suite and then, you know, spend an hour there, or 45 minutes, or 15 minutes, whatever it is, and then walk another half hour back to the show. It's just not the same. So, limited options. And then again, we can't really record at the roulette table or Starbucks or anything like that. Yeah, there are some rules about recording in public spaces and things like that. I wasn't even thinking about that. I just remember thinking about, you're thinking, that always annoys you. Oh, trust me, I was thinking about it too. But yeah, so if you're a friend of the show, or not even a friend of the show, but you have a lead on some breakout space that might be in the conference area, or even something similar, you know, reach out to us on LinkedIn. We'd be happy to discuss and figure out if there's an option here where we can do something together to make the event, to take advantage of it.
Yeah, that's Gartner. I think we're also looking at Oktane coming up in the future, which is in November. So, yeah, we're sort of getting our conference circuit, you know, back on track after a couple of years here of hiatus. Yeah, I've never actually been to Oktane. I think I was supposed to go to it the first year of the pandemic, so, obviously, that didn't happen, but it should be a fantastic conference. And again, you know, hopefully we can set new records in terms of, you know, putting the podcasts out with a great frequency, maybe five, six episodes in a week. And I'm just putting some crazy ideas on my plate. It's basically work on your plate, but hey, the scheduling side is now so easy. Yeah, that's true. Especially, I don't know if you've seen your calendar lately, but it's a disaster. Well, everybody knows, right. Just because you're traveling, or you're taking time off, or whatever it may be, the work doesn't disappear. It just shifts from one area of your calendar to another. So, yeah, my calendar was crazy earlier this week. Today's been a little bit lighter, so I've kind of been able to catch up on some things. But, yeah, availability is always a challenge in this crazy world, but why don't we get to our topic?
Because I'm actually kind of interested in several of the things we're going to talk about today. So actually, this entire show is basically formed around one tweet from an individual named Chris Power, who tweeted us a few days back with a bunch of topic suggestions. We're kind of going to go through somewhat of a surgery, as you kind of put it as you were preparing here for the show, to kind of dissect at least what we think some of the questions were that he tweeted out, or she, I mean, I guess I'm not sure. No, it's okay. Is it okay? What we think the intent is behind the question, and kind of work through that. So, yeah, Chris Hildebrand's tweet. And Chris defies Twitter's limit of 140 characters and wanted to ask, like, ten questions in one tweet. And so, yeah, he's getting his Twitter money's worth, for sure, on this tweet. I think there are, like, six or seven questions in here that we'll try to address, but why don't we just dive right into it. So, Chris, if you're listening, this one's for you. Hopefully others get value out of it too. If you do have questions, definitely tweet at us. We will try to build an episode around it, or weave them into other episodes that we're working through. But here we go. All right, so, topic suggestions: manual extracts management, more or less job roles, how to build admin intelligence or IAI, managing audit expectations, provisioning outside of SailPoint (in parentheses, third-party apps), validating extracts, and he says he's got more if wanted.
All right. Well, let's start with the first one. Let's talk through manual extracts management. First of all, what do you think he's referring to with that statement? Well, just judging on the tweet overall, I think this might be a SailPoint user, right? And so I'm guessing. I'm guessing. Yeah, so I'm kind of thinking of it from a SailPoint architecture perspective. There are multiple ways to integrate with applications, and one way is kind of the quote-unquote disconnected application. And so with a disconnected application, you could work simply with, like, file feeds or file extracts, to take them into SailPoint and build, you know, the data for the access catalog or for an access recertification. So, you know, I've always referred to this as the least common denominator integration. So, in other words, there's no reason you can't integrate into SailPoint from your application, even if it's, like, the legacy of the legacy. You should be able to support a flat file, comma-delimited, tab-delimited, or what have you. And so what I think Chris is getting at here is, like, how do you put a whole framework or process around that? And to me it kind of starts off with trying to put some rules of the road in terms of what the format of that file should be, when it should be uploaded, where it should be uploaded, things like that. Ideally, there's not an opportunity for humans to touch the file. So, in other words, the file is being created on the system. So say we're talking about a mainframe, and it's being, you know, somehow FTP'd or transferred to your file share. So, a lot of times what I've seen corporations do is they'll set up a SharePoint or OneDrive and have files put on that OneDrive.
Now, typically what I've seen is that a human being, like, pulls the file and moves it. But, you know, the more often you're doing that, the more likely it is that you're going to create some automation around it. So I would say just keep that in your back pocket: even if you're doing just quarterly attestations, or even annual attestations, try to ramp up the frequency of that upload so that you start to drive the idea of automation of getting those files uploaded. But a lot of times this is where you're starting to get into the Wild West of your IT environment, and you're just happy to have something. So, again, it's kind of like setting up the policy for what that extract should be like, how they get uploaded, things like that. And then I think the other thing that a lot of times you need is some kind of translation of the file: like, what is it, what are these columns that are in the file, what do they signify in the application? Because ultimately, you're going to design a campaign around the data that's in those files.
Yeah, I like that analogy of the Wild West, because I feel like it is like the frontier. You're building an outpost; you're not sure what's going to come in the door. So I think, I agree with you. I think this is probably talking about those disconnected systems, so to speak, that are not using, like, a formal connector, right, to read the data directly.
I think part of the question that he also asked later is validation of extracts. You talked about, you know, what is the version of the file, or file type, that's coming in: CSV, some other version. What are the expected data attributes and values? Is it Boolean? Is it a string? You know, what kind of string it may be, those sorts of things. I think this is where coordination with whoever is extracting that data, you're working with them to make sure that you're getting the data back in a format that is parsable. I think this is also an area where, yeah, I think historically it would be done manually, where someone will pick up the file from a SharePoint or OneDrive or any other file share and then run, like, an import into, for example, your IGA tool, let's call it SailPoint in this case, because I think that's what we're talking about here. I see more RPA now, robotic process automation, taking up a lot of this stuff and doing some of that work for you. So there might be some opportunities to say, okay, well, you talked about this integration pattern, like the lowest common denominator, as you referred to it. It was, okay, well, at least let's just get an extract of data so we can make our IGA platform at least aware of what's out there. Can't really do anything with it, but at least it's aware of it, right? And if you can leverage some sort of RPA to ingest that for you automatically, if you can't do it, you know, through the platform itself, then that might be sort of another, is there a lower, lowest common denominator to automate that step? But I think that's, you're really kind of looking again at that Wild West. It's like you're not sure what's coming. If that's all you have left from, like, an integration standpoint, you're probably doing pretty well, like from a SailPoint perspective, or call it any IGA perspective. If you're down to just systems that there are not connectors for, that's a problem that I think a lot of people would love to have, because that means they've probably moved pretty far down the maturity scale and gotten a lot of their, you know, bigger, maybe more well-known applications, that do have connectors, you know, set up. I guess the alternative could be, you've got some sort of, like, group that, just for whatever reason, doesn't want to play ball, you know, be part of the IAM program and be part of the IGA platform, whatever it looks like. It's probably more of a political battle, but that's kind of what I'm thinking from
that perspective. Yeah. That last point that you brought up is something, in my experience of working with SailPoint architects, almost every time I was in, like, you know, advisory roles: like, we are not doing flat file imports. They are such a pain in the butt. And I think that's getting to the part of the question where Chris asked about validation. Like, imagine a comma-separated value where you have the person's name and it's comma MD, or comma PhD, or something like that. They'll break the file, and now you have to figure out, like, what's causing the file to break, and you're trying to automate this process. What if you have 100 applications that are doing this, and what if you're getting these extracts on a regular basis? Now, I'm sure somebody sitting out there is saying, well, then you put parentheses, or not parentheses, but quotes around all the data, or something like that. And I'm sure somebody's got, like, a best practice. But if you can find a way to break it, somebody's out there breaking it. I guess what I was also thinking is, you know, where these can be valuable is, the big selling point of having an IGA system is building truly a depot, one place to go to know who has access to what. And that's, you know, when you use that statement, like, who has access to what, it means everything, like, what's all the access they have? If you're in a big enterprise with thousands of applications, that's a lot of applications, right? And so if you get one place to go to know who has access to our top 125 applications, that's not really as compelling as who has access to all of our data, right? All of our data that is of some relevance. And so there's got to be some velocity in terms of, you know, when you implement one of these systems, getting all of your applications integrated. And so, you know, flat files, while I don't like them either, to me it's better if you could, you know, just set up a connector to hit a relational database and pull the data from the database, because I think the point then is that you run into far fewer of these errors.
But if that's not available, or to the point that you're making, because this I've been seeing as long as I've been in IAM, actually, as long as I've been in IT: there are some people who just don't want to play nice. They just don't want to be bothered by what you're doing, because their job is way too important. They can't have you screwing around with their system. But if you just need a file dumped on an FTP site, yeah, we can do that. Sometimes that file is sort of like the first step. You might do that initially with the goal of eventually using a connector, or maybe that system gets deprecated, or is no longer strategic, or the organization goes away. But it's not the ideal way that I would look at the integration. I think, you know, at that point maybe the question is, is the juice worth the squeeze? Is it something you really want to spend time on, or are there other things that maybe provide more value?
That could be another way to look at it too. So let's move on to the next one. It is more or less job roles. I certainly have an opinion on this one. What do you think, Jim? Now, I think what we decided beforehand was that we're going to go every other one. So now it's your turn to go first. So, let's see what that opinion is, then I get to leverage some of your answer. All right.
I like to keep things simple. So I'm more of a fan of fewer job roles, at least to start with. I prefer more of an attribute-based approach to it, and having more roles, but more consistent roles. What I mean by that is taking a few attributes from, like, your authoritative source. I'm an employee in North Carolina, I almost said Chicago, old habits die hard, an employee in North Carolina, and I work in information security. Those three attributes might drive three different roles that give me what I need. If I change, maybe I am an employee who moves back to Chicago, but I still stay in information security, two of those attributes stay the same, and maybe that third attribute that was controlling other access changes as well. So I prefer fewer job roles themselves. They feel like they're pretty volatile, and it's a lot of work to keep them up to date, especially the coordination that needs to go along with what happens if you have shared job titles between different groups. An analyst in one group might be different than an analyst in another, support, you know, whatever it may be. And the coordination you also have with whoever is the owner of the authoritative source, typically, like, HR, or maybe finance if it's contractors and not employees involved, right? Things like that. So I'd rather keep things simple, at least to start. Again, I think this is another area where I go out to organizations and they say they want to be, you know, fully role-based, access control in place, and it's really hard to do, especially if you don't have good data and good tools to actually make it
happen. All right, your turn. Okay, I'm going to generally agree with you, fewer is better. I'm going to put a spin on it, which is that, you know, I've been involved with kind of building RBAC from the ground up. And so to me, this is my opinion. I think that there are so many folks out there who have experience with roles and have a different perspective. But to me, you want to start out with: what can we grant access to automatically? So when we onboard somebody, can we create the AD account? Can we put them in the right groups based on attributes in their, you know, their identity data, authoritative file? So for employees it might be an HR system, or for a non-employee it might be some other system. But if there are data attributes, or even if you're creating them in your IGA system, but identifying those attributes, you see, off of, like, they're in Chicago, so they have access to the Chicago lunch menu. And, you know, that's our silly example we always point to, but the idea being that, you know, you can onboard somebody, give them email accounts, give them, you know, VPN. I'm sorry, were you wanting to say something? Okay, no, I was just clapping at the lunch menu example. Yes, we also use it all the time, but yeah, I know. I want to say for the record, I am pro-lunch. Yeah, yeah. Everybody should have lunch. So, all right, I think that's the starting point.
I think then, on top of it, you know, one of my other major role drivers is that the business has to own the roles. They have to get behind the roles. That doesn't mean they have to create them in a silo, or create some of them without IT's help, but they can't be so disconnected from the process that they don't have any skin in the game. And so that's where I start to dial it back to, you know, identifying somebody in the business, in a business department, say finance or say HR, who understands enough about technology to be dangerous, or is involved with the provisioning of users, that they work with your IT roles administrator, your IGA roles administrator, to design the roles. And then I think the area where you start is where you have people who basically do the same thing. So if you have something like a call center, or you have something like, you know, people who do nursing. Now, all nurses don't do the same job, as I've learned from working with healthcare clients, but they have a lot of the same responsibilities. They need access to the same systems. So there may be a baseline nursing role, and then, based on the type of nurse they are, it can branch off from there. But even if you, you know, if you take that 80/20 perspective, that was the other thing I was going to say, is I think you need to take an 80/20 perspective, like, roles isn't going to get you to 100% automation of access assignment. At least, I've never seen anywhere come even close to 100%. So if you kind of come to a point where you're saying, we're trying to get to a point where we've either automated or simplified the access assignment for 80% of the access that needs to be provisioned, you win, you win big time. And so to me, focus on people that do the same job, or do portions of the job the same. Don't focus on, like, IT administrators and folks like that. They're so hard to get a role for that basically you end up having one role per person, and then you
lose. It sounds unlikely, but we agree for the most part. Keep it simple. Less is more. 80/20. All right, let's move on to the next one. I'll be honest, this one had me a little bit stumped. I wasn't quite sure, but it's how to build admin intelligence, or IAI, okay? And then you and I were talking, and I think maybe it has something to do with, like, intelligence within specifically the IGA platform, maybe SailPoint. What, I guess, what are you inferring from this question?
Yeah, I mean, over the past few years, this is an area where the IGA platforms have really invested to start to try to differentiate their products. And from an intelligence standpoint, I think a lot of the focus has been put on trying to predictively either assign or recommend access be assigned to certain people. So, in other words, hey, where you're assigning access to Jeff, we see that everybody else who's on the security and privacy team also has access to XYZ application. Do you want to go ahead and give it to Jeff as well? So, in other words, it somehow is analyzing the data to make these predictions, you know, using artificial intelligence to make sure that Jeff has the access he needs. I think that the best way to kind of go about building that is, I think from the first standpoint, it's very product-specific. This is something that products are using to differentiate themselves, so it's proprietary. I think you have to look at what the vendor's recommending in terms of what their product can do and how to configure it. I think, you know, in terms of best practices, for me, it's like, dip your toe in the water, like, enter into this area slowly, because what you don't want to have happen is artificial intelligence, which is essentially a computer program, kind of deciding who should get what access, or when somebody's access should be taken away, because then you don't even really know. You're getting much further away from that kind of ITIL, ticket-based methodology, and you're trusting a computer program that you don't really know how it works behind the scenes to decide, I guess, what access. And I think that most audit groups wouldn't really like that, and I don't think I would feel comfortable with that either.
Yeah, I think if this is the direction you're going down, you know, AI, for example, it's only as good as the data that you're giving it. It's only as good as the model that's built around it. I think, generally, right now, I am relatively skeptical that this stuff actually works in the real world in the way that, you know, vendors portray that it will. I think a lot of times it's based on sort of this ideal state of, oh, we have all of our systems connected, all of our data is clean, all of our users are in our sources. And I think anybody who's been in identity for more than, you know, 10 minutes probably realizes that that's not true, you know, the majority of the time. I'm skeptical, let me just leave it at that. I think it's a data point to be used by somebody to then help decide whether that information is valid as part of the decision-making process. I don't think we're yet at the spot where it's completely hands-off, and, you know, we're letting, you know, some Agent Smith run around inside your IGA system making decisions on who has access to what. That is definitely not what I've seen out there. It's generally more of a tool to be able to say, okay, well, we're trying to build roles and we see that 80% of the people have this access, or, hey, you know, a hundred percent of the people in your team have access to this thing, we think it's okay. Like that, you know, maybe adds some value. But again, it's only as good as the data that's coming into it. And it should just be part of the decision-making process, not the decision-making
process, if that makes sense. Yeah, the one thing that I'm going to say here, thinking about it, the one area where I think artificial intelligence could really help is kind of that key model, which is where you're analyzing what access an account has and how much they're using that access. So, in other words, because to me, authorizations are kind of like that next frontier of the attack surface. So now, if I look at Jeff's account and he has 500 authorizations via the roles that he's in, but over the past 12 months he's only used two hundred of them, well, then I have an over-provisioned account, most likely. So I can see that. Like, that's interesting to me.
Like, you're using, really, behavior analytics, right? To sort of enrich the notification process. I actually have a pretty good real-life example of this. I have an Apple iPhone, I have an Apple Watch, and over the last few weeks, since I've moved from the Chicago area, which is relatively flat, to Western North Carolina, which is the opposite, very hilly, Apple is telling me, hey, you're doing a lot more stair-climbing than you normally do. I am. I'm walking up a lot of hills compared to what I used to do. And I think that sort of trend indicator might be helpful from an analyst perspective to say, hey, that is interesting. What do we do about that? And I think that's an area that, you know, you and I have been talking about for years. We've seen sort of players in the space like Exabeam, for example, and others, sort of this, what people call, like, SIEM 2.0, that is taking these alerts and surfacing them up to platforms to be able to make decisions with, right? We see this a little bit in the access management platform with the impossible travel scenario. Well, you know, Jeff just logged in from Chicago, and then three minutes later he logs in from North Carolina. That doesn't make any sense. Let's do something about it. Throw up an MFA prompt or, you know, some other challenge, whatever that looks like. The same thing could be done from an identity governance perspective, or a privileged access management perspective, where you're taking those sorts of data and you're leveraging AI to spot those trends and do something with it. You know, if it's just surfacing it up in a ticket, that's better than it being lost in some sort of log somewhere that, you know, no one looks at for six months, and then by then it's too late.
Yeah, you know, part of what my concern is with this AI is, like, the teams that I think would get the most benefit from it are the ones who are the most vulnerable to, what if it goes haywire. So, you know, my concern is a lot of the companies that have scaled back the size of their teams. It's like, oh yeah, that's where using AI to get more efficient would be really helpful, but they get further and further away from actually knowing how the system works. And so to me, it's a little bit of a scary combination. But, you know, also counterbalance that with the fact that more and more these things are moving to the cloud, and you have even less insight as to what's going on behind the curtain. Truly, as software as a service, these are proprietary systems, they're not open source. You don't always know how they're working behind the scenes, and you're in kind of a trust model that, you know, that system is going to
stay secure. And it's secure until it's not, I guess. Yeah, I think I might humans going to have flaws in it. So I want to bridge that part of the AI and being able to explain it with the managing audit expectations. Because one of the things that I think about is like, okay, well hey, we're leveraging a auditor, we're leveraging AI to do these things for us and then the next question, I would have it. An honor is okay, tell me how your AI works. Can you can you actually explain
it, right? The algorithms is it documented things like that? Are you going to be able to produce the evidence that your AI is actually effective in making that decision? So I think that goes along with sort of the question next on the list was managing audit expectations which is definitely near and dear to my heart from a former operation side of things. I will go first as we kind of go back and forth here, I think this is let's start with a. Let's start with Our expectations.
The first one, I think, is you have to have a relationship with your auditors. You cannot just treat them at arm's length, like they're the cops who come in and check you and you're the bad guys. Generally speaking, most auditors, especially the internal auditors, are the check before the external auditors come in. It is much better to have things found from an internal audit perspective than from an external audit perspective. So if you've got the relationships there, that is helpful.

I think the other thing too, at least in my experience, is that audit doesn't actually tell you what to do. They are there to check on what you say you are going to do, or what you've documented from a process, procedure, whatever it might be, to validate that what you're doing from a process perspective is actually what's taking place in real life. Now, you could argue they might find that a process is ineffective and then you have to update the process, or whatever it may be, but in the organizations that I've been a part of and worked with, generally speaking, audit is merely an advisor. They advise on risk. They say, okay, here is what we think should be taking place, but it's still up to the business to make a decision on what they want to do about that risk.

And a lot of times what you'll see is an audit findings document that has the auditor's finding, whatever finding they say they have. And then there's this blank spot called management response. I've written enough of these in the past. It's like, okay, they're just telling me what the problem is, or what they see as the problem. Now it's up to me, as the person who's going to write that management response, to say here's what we're going to do to fix it, or here's why I don't think that it is a risk and we will focus on other things instead. So I think understanding those expectations and making sure that the auditors understand what it is that they're looking at, because sometimes you have to help them; they may not be 100 percent identity or 100 percent tool based, or whatever. That may be making sure that they understand how the platform works, whatever you're doing, from any perspective, and how the processes work, and bringing them into the fold. I like to include them as part of program management, as part of rolling things out. I think they're a key stakeholder when it comes to designing how services work. You want to make it audit friendly and audit compliant as much as possible up front rather than try to do that stuff later. So sometimes it makes sense to invite them to a steering meeting, or invite them into a vendor demonstration of a tool that you might be considering, right? Let them ask their questions as well and provide some of their input. I think it's an easy way to help get them into the fold and help manage those expectations.
Yeah, what do you think? Well, I think that the way you're talking about that, the way you're addressing it, you're talking about internal and external audit. Some organizations have bigger, more complex structures, like IT risk. Those are your teammates, right? They're the ones who are there to advise you in terms of how to pass the audit. I'm going to throw out another perspective, which is that I think the audit process that I see most of the time is very reactive. In other words, it's assessing how things are done and then inspecting the data, looking for controls that are broken and identifying those. So, in other words, if they don't find bad data or they don't find an exception to a control, then the control works fine. To me, that's not necessarily the spirit of what you're trying to achieve, what these regulations are trying to achieve, which is that you've got a more secure environment, not just that you pass the audit. So here's an example where I see that.

So, around user experience, and what we talk a lot about with user experience when it comes to the detective control of reviewing access, is that sometimes people get overwhelmed. It's like, here are your 50 users that report to you and their 400 entitlements; should they have them, and they're named XYZ 1, 2, 3. And the manager is like, I'm afraid to take away access for this person, because what if they can't do their job? Last time I tried to get somebody access, it took 10 days. There's no way I'm going to take access away unless the person has left the organization, so I'm just going to approve everything. That is what we call a rubber stamp. And I mean, how many clients do we go into that are like, yeah, reviews are a problem. You get audited? Yeah, we get audited. You pass your audits? Yeah, we pass our audits. So, in other words, even though you have that kind of process, you pass your audit. So that's part of my perspective.

I wanted to bring up one other thing, which is I see some identity governance tools that are kind of early in their maturity, which I think are focused more on organizations that maybe don't have as steep of a compliance curve to overcome. Where I'm getting at by that is, if you think back to very early in our careers, the way that audit evidence would take place is that the administrator would take screenshots of the user list, or they'd print it out on the dot matrix printer and then they'd scan it in. That would be the evidence that would end up in somebody's email box to say yes, these are the right people, or they'd actually physically write notes. I mean, I know this makes it sound like a dinosaur. But essentially where that was coming from is that what we're auditing is not what your single sign-on system says you have access to, or what your IGA system says people have access to; we're talking about what the source system has. Now, if you can prove to me that nobody can access that system unless they go through your single sign-on system, or that the data in your IGA system is airtight, that nobody could have deleted a few accounts, then okay, maybe I can go with that. But for the most part we're trying to get to the system of record, which is the endpoint system. And if there are accounts there that aren't in your system, like service accounts, for example, the audit has to be done on the actual data, the data on the system, not on your central IAM system. So I don't know that every audit department looks at it as black and white as I'm talking about. But to me, that's really what you're auditing, what you should be auditing: the system where the data exists.

Yeah, I'm chuckling to myself because a very long time ago I was sitting with an auditor and they were asking me to prove a negative: show me that this account does not exist. Okay, I run a search in AD. Not found. Well, do you have any proof that that's not found? Like, it's not found, it's not there. I had to wait, and I had to take screenshots. It was a sample of onboarding or offboarding, since they got a sample of 50 people; take screenshots of 50 searches showing that the account is not there. I always got a chuckle out of that. That's one of the real laughs. Now we're talking about to be or not to be, that is the question. Exactly.
All right, let's get to the last one on his tweet, and that is provisioning outside of SailPoint, third-party apps. Your turn to go first. All right, so what I think he's getting at here is, what is the best practice for handling provisioning when you can't automate the provisioning?

So there is a scenario where a lot of IGA systems have kind of a ticketing management system within themselves, for the purposes of creating a ticket to IT administrators to go create that access, and then they're supposed to close that ticket when they are done, maybe posting some evidence that they did the work. Usually not, from what I've seen. To me, the best practice is creating a ticket in the ITSM system. And the reason I say that is, usually when, let's say, we're onboarding somebody, right, and they get six accesses, and five of them are systems that we automate and the sixth one is a system where it's some Linux application and an account needs to be manually provisioned. And so, ultimately, the Linux administrator is the person that is going to have to go and create that account and assign the entitlements and everything. They're not waiting around for these tickets to come through. They're doing all kinds of work, and they manage their work in an ITSM system, usually. And so when you create a ticket for them in their ITSM system, it gets in their queue with all the other work that they have to do, and in terms of priority it might come to the top or go to the bottom, whatever. But to me, that's why you want to put it there. It's like you don't want there to be one other place they have to check to see if they have work orders. You know, stack all the work that they have to do; it'd be preferable that they clock all their work in the ITSM system, and that their IAM tasks are in there as well. So I think that's what Chris is asking about there.

Yeah, and I have one spot to add. I think having that provisioning tracked makes sense. I'm not a fan of using the built-in ticketing, the workflow process that might be built into an IGA platform, unless that's the only thing you have. I think you're better off strategically leveraging whatever your IT standard is: ServiceNow, Cherwell, Freshdesk, whatever it might be, that sort of approach. I think the other thing that I will add on to this is it could be a scenario where you've got the third-party apps. They might be a SaaS-based app and you don't have a connector, for example, from SailPoint. But what you could do is, if you have a relatively modern access management tool, something like Okta or Azure AD, you could leverage them to do the provisioning for that third-party app. Maybe it's controlled in an Active Directory group, or maybe it is an entitlement within the Okta Universal Directory or something like that. You basically stage the account into one of those directories via SailPoint, and then you let the access management tool, which probably has the appropriate SaaS connector to that app, facilitate the provisioning of that through the same process. So you're kind of chaining your lifecycle management from IGA to the access management platform to do that as well. So that could be an option as well. Hopefully we're inferring some of the appropriate context out of this from a tweet, which is always dangerous, but we're giving it our best.

Yeah, I'm sure Chris will follow up after he hears the episode and let us know how much we got. I mean, hey, if we hit 80/20, if we got 4 out of 5, I'm happy. Yeah, I'm happy if we got half of them right. So I'll set the bar a little bit lower for us. Okay, so I think that really kind of covered everything from his tweet, which is really cool.
I love to get stuff like this, because Jim and I can ramble on about anything, but we'd rather talk about stuff that people actually have questions about. So thanks, Chris, for sending that tweet out. If you've got questions and you're listening, drop them in a tweet, send them to us via LinkedIn. We're happy, like I said, to build a show around it. Anything you want to bring up around anything that we talked about so far before we start to close things out?

No, I'm kind of excited to get into this lighter note question. I actually, because I'm new with my company, I had an introduction and I was supposed to come up with a lighter note question for everybody else. And yeah, instead, what happened? I messed it up. I thought that there should be a lighter note question presented to me and I was going to answer it. So the question I asked the group, that I came up with on the fly, was, what's your favorite podcast? And we got some really good answers.

Yeah, so for those who missed it, Jim and I are working together again, both part of our SMS identity practice. So come seek us out if you need help with something. But yeah, I think what we do, when we have people who start, is they like to give a little intro for themselves. And I remember looking at that line you were working with, with Ben, and it was completely blank, and he's like, no, you were supposed to come up with the question, and you're like, okay, I got it now. Fortunately it wasn't a real mind-bender kind of thing, right? All right, let's get to the lighter note. So here's the scenario. They're making a movie about your life. Jim, what actor would you want to play you in that movie?

No, so Jeff, you've known me for a little while, and you know that one of the things that's happened to me since I was a very young person was people would always say, do you have a twin brother? Because you look exactly like dot dot dot. And based on my different looks that I've had throughout my life, it would change. For a while there it was a few different looks. I've only known you for seven or eight years at this point, and I know two of those looks. I changed my look like every two years when I was younger, you know, go from long hair to short hair, facial hair, no facial hair, different hairstyles, things like that. Anyway, it used to be Kid Rock, and then it was Bradley Cooper from A Star Is Born. And I've gotten, hey, you look like Aquaman, you know, Jason Momoa. Momoa? Yeah. I don't like that one. That one I don't see at all. I'm sorry. Well, I do. I feel like even embarrassed saying that one, right? I'm like, I don't look anything like him, but I had at least three people say it, and I think what it is is, you know, I have longer hair, facial hair, and I work out, and so people are like, oh yeah, you're a long-haired guy who works out, you look like Jason Momoa, that's how he looks. But the most recent one I got was Goldberg, and I was just like, no, I don't see it. You know, I mean, everybody sees what they see. Anyway, I could see the Goldberg maybe if you shaved your head and your beard, but then I think that kind of defeats some of the purpose. I'm gonna go Jason Momoa though, even though I don't look like him. The question was, who would you have play you?
And I mean, I like that one. I'm going with that. I feel like it's going to be one of those movies where it's like, why did they cast this person? That person doesn't look anything like them. And maybe, you know, Jason Momoa is a great actor, I enjoy his work, blah blah blah. But I'm just not seeing it, man. I'm sorry. Yeah, that's okay. Sorry.

I think as far as myself, I don't get anything like that. I don't look like anybody else. I guess whether that's good or bad, no one's ever said, hey, you look like so and so, and I've had a relatively consistent look now for like 30 years. I used to have long hair when I was younger, but it's been pretty short since my, I guess, early 20s or late teens. So I don't know who would play me. I would say back in the day, maybe somebody like a Tom Cruise or something like that, just like the short hair from, what was it, Mission Impossible? I think would probably have been the closest match. But who would I want to play me? I would love to have Paul Rudd or somebody like that, or Ryan Reynolds, I think. Both of those guys would be amazing in my role, in the story that is Jeff and his life. But I have not been either fortunate or cursed to have somebody say, hey, you look like so and so. So I'm going to be positive and say that's a good thing, but that's just how I'm going to read into it.

Yeah, well, I mean, you know, when it changes every couple of years you're like, okay, well, I guess I can look like whoever I want to look like then. It's true. Occasionally I'll grow the facial hair out a little bit for maybe a week or two. I'm fortunate enough to be able to grow a nice beard if I wanted to, but about two weeks is my limit before it starts to bother me and it's ready to go. Yeah, you are. I've always said you've got like a full beard at 5:00. But so, get this one. So my brother and I were in a cab in New York City a few years back, and we told the cab driver we're brothers. And: no, I don't see it. And it's like, really, why is that? Well, you have facial hair and he doesn't, and you look like Jason Momoa and he doesn't look like Jason Momoa. He looks like Kid Rock. Now, I think that's just genetics. I mean, I have four younger brothers and I don't feel like I look like any of them. I think my middle brother, Alex, is probably the closest one, but if you put the four of us or five of us into a room, I think one person would be like, oh yeah, I can kind of see the resemblance, but the rest of us all look different. Yeah. Well, what I was going to say is your one brother looks like you with glasses on. Then I was thinking, I think the only time I ever see him is a LinkedIn picture, which is about the size of a penny, you know. So I don't really know what he looks like. I just know he looks like you, kind of. Yeah, I think, you know, Alex and I have very similar personalities, traits, things like that. We're definitely probably the most similar looking as well, although he has shaved his head and I have not yet been that brave to do it. So when he had hair, we definitely looked a lot closer. Well, you have plenty of hair. I'm doing so far so good. So we'll ride that wagon as long as we can. Yeah, that's right. Absolutely.

All right, let's go ahead and wrap it up for this week. Chris, hopefully we covered what you're looking for; if not, I'm sure you'll tweet at us. If you've got other topics out there and you're listening, feel free to drop them into a tweet at IDAC podcast or send us a message on LinkedIn. We will be at Gartner again the week of August 22nd. If you've got a spot that we can podcast from, so we're not homeless podcasters in the halls of Gartner, that would be great; sync up with us. We'd love to try to figure out a way we can maybe share some space with somebody. And I think that'll do it for us. I've got one more thing. Good news is, next week we're going back to having guests. Now, we've got guests lined up for like the next few months or whatever. So it could work its way back to just Jim and Jeff, but there's so much interest in being on the show, I don't think it's going to be that hard to fill. But next week we're going to have our friend Robert Snodgrass on to talk about state and municipal IAM and citizen IAM, so pretty excited about that. He's super knowledgeable in that area. Yeah, for sure. That'll be a good one. I always hate to say next week, because we never know what the schedule will put out there. But if it's not next week, it'll be an upcoming one. So that's how I will cop out of that. How about that? I'm good with that. That's your asterisk. Yeah, it's coming. It's coming up. We're just working on calendaring and scheduling, all the good stuff. All right, we're going to leave it there. We're on the web at identityatthecenter.com. We're on Twitter at IDAC podcast. If you'll be at Gartner, ping us. We'd love to do a fist bump or something. And with that, go ahead and leave it for this week. Thanks all for listening and we'll talk with you all in the next one.

Thanks for listening to the Identity at the Center podcast. If you like what you heard, don't forget to subscribe and visit us on the web at identityatthecenter.com.
