#158 - IAM for State & Local Government with Robert Snodgrass

Aug 08, 2022 | 57 min | Ep. 158

Episode description

Jim and Jeff talk with Robert Snodgrass, Director in the Information Security practice at RSM, about how state and local governments are tackling identity and access management as part of a broader push for the availability of more digital services.

Connect with Robert on LinkedIn: https://www.linkedin.com/in/robert-snodgrass-7a199412/

Shameless plug for where we all work and what we do: https://rsmus.com/services/risk-fraud-cybersecurity.html

Connect with Jim and Jeff on LinkedIn here:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show at www.IdentityAtTheCenter.com, follow @IDACPodcast on Twitter, and check out our live streams at www.idac.live

Transcript

You're listening to the Identity at the Center podcast, the show that talks about identity and access management and making sure you know who has access to what. Let's get started. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey Jim. Hey, Jeff, how are you? Not bad, yourself? Good. Yeah, I see, whenever we start the podcast, just for people who are listening on audio, which I guess is everybody, we have video going. What, what else would you be

listening to us? Not audio. That's true. Screens. That's true. And we, but we can see each other. Yeah. And I always crack a smile, and then you crack a smile because, you know, I'm going to get into something and you just don't know what it's going to be. But I'm pretty sure this is the Jeff reacts section where I have no idea what Jim is going to say. So for those listening, you know, I intro the show and then I say, hi,

Jim. And then Jim comes at me with something that I have no preparation for whatsoever. So this is all thinking on my feet. Yeah. Well, this was easy because I'm going to base it on real life experience. I want to talk about the Gartner IAM Summit that we're scheduled to go to. What is that, the 22nd through the 24th? Fourth day for website, and so we've got a recording spot. We're going to set up some podcast recording, so we're starting to invite people.

And I'm letting people know that they need to schedule time to get from wherever they are to the time of the recording, because Caesars might be the biggest maze on the planet. Me getting from point A to point B is pretty difficult at times. Usually you figure it out by Wednesday, and it's just in time to leave. Yeah, yeah. It's a big spot.

I mean, I think if Gartner is where it usually is, and I don't know the name of the spot, but it's kind of like, it's got a view overlooking like the pools or whatever it may be, the rooms could be half an hour away. And you and I, courtesy of our friends at RSM, have a suite that we have booked that will be sort of like our recording home base. I have put in a request to make it as convenient as possible.

I know there's a bank of elevators, I've got to kind of go up and down from where the Gartner area is, but I have no idea if that request will be honored or if it's even available, so we'll see. But yes, if you are planning on being on the show or even just want to watch a show get recorded, you know, reach out to Jim and I on LinkedIn and

just kind of account for time. I know we're kind of booking things out right now and working through the schedule, but it'd be kind of cool. It'll be the first time Jim and I are actually at a conference together since, as I'll never let him live it down, he ditched me for Authenticate last year with the FIDO conference. But we'll get an opportunity to fist bump, you know, shake hands, whatever the greeting du jour is for the day, and then if you want to watch or be part of a show,

you know, let us know. We'd be happy to try and figure out how we can accommodate that. Jeff, I have a pro tip for getting an upgrade of room or whatever your request is: pictures of Benjamin, a dollar bill, palming it to the second trailer goes, you know, to talk about. That's not going to get you quite as far as Benjamin Franklin will, and it gets an extra towel if you want to. If you want a feather-free room, I think you're in luck with the Choi dollar bill. Yeah.

Do you have an actual tip, or are you going with the palm-the-cash tidbits? It's money. Yeah, I saw your phony talks and the other stuff. Better be doing the walking. Yeah, everyone will be doing the walking. That's what Vegas is. Well, anything else, or should we get into our topic? Let's get into it, man. We've got a lot of ground to cover here. And no kidding.

We're going to talk about identity and access management, really focusing on the state and local government sector, and to help with that conversation we've got our new friend, Robert Snodgrass. He's a director in the security practice here with us at RSM. Welcome to the show, Robert. Yep, happy to be here. Longtime listener, first-time caller. So thanks for having me on. If I was brave, I'd

use my soundboard to do some kind of wacky sound effect, but just imagine it in your head if you're listening right now. It is very cool. It's been great to kind of get to know you the last couple of months since we've kind of both been onboarded and working through a lot of projects. You've got a ton of experience in this space.

One of the things that we like to do when we have a new guest on the show, though, is kind of learn about their origin story and really kind of find out, you know, how did you get into either identity or sort of infosec? Is it something that you chose, or did it choose you? Can you kind of walk us through how you got to where you are right now? Sure. So I've spent my entire career in cybersecurity consulting, and my path to identity, probably like a lot of people, was a bit

of a zigzag. I actually initially started my career working in a Big Four focused on ERP implementations, and as part of that gained a bit of notoriety, I call it, some good and some bad, as it related to dealing with distressed projects and helping to bring those projects back on track. So my focus is really around cybersecurity solution delivery. And as part of that path, it led me into both state government as well as specifically the identity sector, and through

that I've had a great opportunity to take my experience, which initially started in financial services and particularly Fortune 100 banking, and I've had an opportunity to work with now seven different state governments on various cyber solutions, including digital identity, over the last 10 years. Seven different governments, that's pretty good in 10 years. That's an excellent track record.

I guess, you know, I'm going to shamelessly plug your organizational skills, because you are one of the most organized people I think that I've ever met. So most people call that OCD. Almost frighteningly so. I think that's quite a compliment coming from you, Jeff, because I was going to say you're one of the most organized people that I've ever met. That's, now we're getting into the tiering structure, which means

Jim, you're not organized at all. I'm not organized at all, but, yeah, I'm doing all the organization for our podcast for Gartner. So enjoy the outcome. Hopefully we have the nine or ten sessions recorded that we're hoping for, but I think we'll be fine. So, Robert, today we're going to discuss state and local government approaches to digital identity, or identity and access management, and how they differ from the private

sector. And I guess, you know, if there's any differences between state and local government, I mean, do they take a different approach than one another? And also, we found a recent article that talked about how states have been investing heavily over the past decade into kind of getting their workforce IAM house in order, and now they're kind of shifting their focus for investment into the citizen

IAM space. So, just wondering if you could maybe talk about that and, you know, explain a little bit about that trend that's happening. Is that something that's happening across the board? Or is it something that's just

in pockets? I think to really understand the trend of identity as it relates to state government, we really need to understand the origin of technology as it relates to state government, because it's really very different than what you might see in a traditional private organization. So 20 years ago, agencies essentially operated independently within the state government landscape.

So they had their own directors, they had their own budgets, they had their own IT staff, and for the most part operated independently as it related to delivery of those solutions.

So then in the early 2000s, the legislative body got tired of essentially paying for 100 different IT shops and began to form departments of IT within states, and that's been going on now for the last probably decade or so. These kind of centralized IT departments were generated, initially started with things like data centers. Obviously there's a huge capital investment; it makes a ton of sense for agencies to consolidate that investment into a single

location. But with identity, it created a really unique challenge, because you have agencies that are typically potentially very large, think departments of transportation, departments of health, that have 10 to 15 thousand employees. They have their own domain structure, and then how do you collapse that together into unified naming conventions? How do you take this, you know, forest of various Active Directory domains and unify

them? And that's really been the focus over the last 10, 12 years, is building that integrated view of what is your workforce identity as it relates to an individual state. I'd say, for the most part, states have really gotten over that hurdle within their workforce, and that's really why they're starting to look a little bit down the road and focusing on that citizen persona, as you started to touch on. The citizen persona is a bit of a unique concept, and it

also isn't a unique concept. So the closest parallel I would put to this is, you really think about a consumer persona, where the start of this was very similar, where it was really meant to be a way, as you dealt with education, with transportation and so forth: how can we build a unified mechanism for individuals to access those services? Basically, how do we reduce the barriers of entry for individuals to come into a digitized government? Beyond

that though, I think there's some really unique things that states are starting to think about as it relates to the citizen persona, and why I think states may start to see really interesting impacts in the private space. So one is the joining of both digital and physical identities. So if we think about your physical identity as it relates to state government, driver's

license, right? That's a really simple example of how you would go to various state agencies and prove who you are. There's a lot of interesting use cases that are being considered now about how do I join that with a digital identity, and some examples that I saw or recently read about were things like, if you have your COVID-19 vaccination card, can you put a

QR code on that as a way to sort of validate that record and have the most up-to-date information? Or, on the flip side, how do I take my physical driver's license and digitize that and make that available to me within my phone in some way, shape or form? Real interesting there. You went into the driver's license; I'd like to follow up on that, but I just had a thought.

As you were talking about kind of the transition that state governments have made from, you know, having decentralized IT to centralized IT and kind of all the challenges to doing that, I just had to think there's a lot of big companies that have kind of found themselves going through the same journey, right? If they, you know, didn't have a push to centralize IT

departments within that company early on, well, they build a bunch of infrastructure, maybe they have some shared infrastructure like the network layer, but, you know, normally I've seen a lot of companies where, you know, Active Directories were separate at one point, and they've had to kind of go through the process of merging it, and really that also kind of sets the stage for other identity and access management challenges.

So, I mean, I don't think that's completely unique to states. It sounds to me like that's where almost every state has kind of found themselves. But, I mean, we see this a lot in, like, university contexts, and we see it a lot in big multinational companies, especially if they've grown by acquisition. Is that kind of your experience as well? Yeah, absolutely. So I worked for a Fortune 10 bank for four years at the start of my career, and a big element that we had to work through is

that they grew very rapidly through acquisition. They had organizations almost of equivalent size that they were trying to bring under a single identity umbrella. And I think the challenges that we faced there are almost identical to the challenges that we faced within state government. I think the difference is you're facing them 10, 12, 15 years later. So, in some ways, you have the advantage in that you can take those proven use cases from the private sector and really apply

them into the public one. I think that lag is helpful, right? Sometimes it might be a little bit of a hindrance, where they go, why isn't this service easy to use? Like, what do you mean I have to fill out a piece of paper, right? Look, it's only 2022, we're doing that sort of thing. I want to touch back a moment, because I want to get to privacy

for a second. But before I get to that, you mentioned earlier on that a lot of legislators have gotten together to essentially kind of form these centralized departments of IT or services or whatever it might look like.

Is that something that you've seen across the board, essentially for like all 50 states, or is that, you know, half the states? You know, like what's been the adoption of sort of that mindset of a central shared infrastructure group of some sort? At this stage, I can't speak for all 50 states, because I haven't interacted with all 50 states.

But at this stage, you know, beyond serving directly with seven states, I've probably interacted with another 20 to 25, and every single one of them has some level of centralized IT. The way in which they're funded and the level of service that they provide to both state and/or local governments will vary dramatically between states, but all of them will have a central IT department, and in every single one of those circumstances, that is the department that is

driving the identity discussion. It seems to me like it's a great opportunity to have more interoperability between the different states for those types of scenarios, like vaccine or driver's licenses or other forms of being able to check things, which, you know, if I put my tinfoil hat on, now I'm starting to talk about privacy, and there's this natural, what is the government doing with my data?

You know, we've seen some recent things, at least at the federal level, with things like the IRS and ID.me. I guess from a privacy standpoint, you know, what is the sort of data that state or local governments want? What are the constraints that go around how they might utilize it? Or, you know, those types of scenarios? Like, what are some of the things that those operations are thinking about to

try and protect the citizenry, you know, and their data? So you mention ID.me, but I think probably the better parallel from a state identity to federal identity perspective

is login.gov. So login.gov, if you've registered for things like TSA PreCheck or Global Entry, is the mechanism in which you log in. And so what login.gov did, and what states are doing, is really trying to build a shared set of piping in order to facilitate authentication. That's primarily what they're driving towards. The privacy question is a good one.

Because in some ways, not to the same extent that the federal government does, but state government has more information about the individual than just about any other industry vertical that's out there. And there is no unifying law around collection and usage of that information.

Now, I would say in the last five years, five to ten years, there's been a definite trend of states hiring permanent data privacy officers and/or data governance officers to better understand the data they have and how it's being utilized. But laws that people often associate with state privacy, like the California Consumer Privacy Act, are focused on consumers, not government services. So there isn't, you know, that one place to look at to really understand those questions.

And in a lot of cases, you're seeing very agency-specific laws and regulations driving that. So the Center for Medicaid and Medicare Services, for example, has a view on this, the Social Security Administration has a view on this, the Driver's License Privacy Protection Act has a view on this.

And so it's a really hard question to answer sometimes, when you're trying to go through this view of, how do I balance building out a very robust process to identify and proof an individual, but not create a honeypot of data that both exposes the individual constituent as well as violates their understanding of how the data was going to be utilized. Yeah, I think that's the main concern, right? We're in the age of breaches. So, of course, the more data you

consolidate in the one spot, the more of a concern there is that all that stuff gets out there. And now we start thinking about things like biometrics, you know, you can change your password, you can't change your fingerprint, at least not legally, or maybe even only. So things like that become a lot more sensitive from a sharing perspective, and where is it being stored?

I think of, you know, you mentioned login.gov, and, you know, I have PreCheck and I have a passport, and I use that to log into those types of services. A service like that essentially already exists. Why would another agency even think about using something else from an authentication standpoint? And there probably are certain scenarios like identity proofing, you know, to prevent financial fraud; maybe that's why the IRS didn't look at it,

or maybe it didn't meet their needs. But it seems to me like, as an outsider looking in, like, I see what seem to be suitable services, but then it seems like, because of all the different use cases or requirements, or laws or regulations, whatever they may be, we still haven't come up with a scalable or modular enough way where it's kind of like a no-brainer de facto standard for government services.

Yes, I log in with my login.gov in the U.S. Maybe it's something else in a different country. I think, I can't remember the country in Europe, but they're like totally a martini or something like that, where they're like 100% digital and they've kind of figured it out. It seems they've been that way for a while. Like, why haven't we caught up to that from a central perspective?

I think Estonia, actually, is the one you were thinking of, where they have a PKI-enabled infrastructure for their digital identity. It's really interesting. So I think obviously any individual state probably has more complexity to it than Estonia does. But, you know, there's a number of kind of deployment-related challenges as you think about what's the model we even want to apply here, and depending who you ask, they take a very

different approach. There's really only three views to this. At the end of the day, there's a centralized model, there's a federated model, and then there's just a completely decentralized model. A centralized model is basically what you just talked about with Estonia, and this is the direction that states have gone, like with Ohio and the Innovative Ohio solution, where the department of IT essentially builds a singular infrastructure for identity.

So it has the identity store, it manages the authentication, and you essentially plug into that. It is the IdP for state services. Then you have a more federated system where you can have multiple identity providers that you're utilizing. I think I read an article where it's Canada, actually, that integrates with certain banking systems in order to drive identity. And then you can have a totally decentralized, but based on a standard integration pattern, view, which is really interesting

I think from a data privacy perspective, because no one controls the full view, and that certainly in and of itself drives kind of a bit more of a container around the data they have. But the complexity of what that really means in the management of it also generates a lot of question marks, to my mind. So until we can really come to a

conclusion on that, I think that each state is really trying to make that determination on their own. Wasn't blockchain supposed to solve that for us? We've been hearing blockchain and blockchain identity, things were going to be like the decentralized way for everybody to manage their own data, and it's going to be a perfect world.

And I feel like here we are, I think I first heard about this probably at Gartner, like four or five years ago, and I still haven't, it hasn't gotten anywhere in the identity space, even though on the face value it's like, oh, that seems like a pretty applicable use case: civic, health care, education. I can see it making a lot of sense there. But I don't know anybody who's really doing it in the real world at any

scale that matters. I'm not aware of anyone that's looking at that. You know, the idea of a transparent citizen-owned identity that is portable, like you would see as part of your Apple Wallet, is exciting.

And I think it's a very interesting position that states and/or the federal government could play to really drive forward not just state and local government, but the market of identity as a whole. But there really hasn't been that singular leadership, whether that's the Department of Homeland Security or directly within CISA; that has not really been a direct strategy for them at this point in time. There are some really interesting investments that are

coming out of the federal space. The infrastructure act that was signed under the Biden administration last year has about, I think about 1 billion dollars associated to it in grant money related to state and local government partnerships related to cybersecurity. No guidance specifically on how they anticipate awarding that and what it is going to be used

for. But, I mean, it creates interesting questions: can you unify some of that money in a way that drives forward not just a singular state, but a region or even the country? You know, I feel like when we have this privacy discussion, you can't have the discussion holistically without talking about, like, Snowden and WikiLeaks and kind of what impact that

had. I'm wondering, because I think most of the privacy regulations that we talk about in our industry, things like CCPA, you know, they don't really apply to government agencies. So I guess the formal question would be, what is driving, or what framework do policy, or I'm sorry, yeah, privacy practitioners use from a government side to determine, hey, what data should we collect and things

like that? I'm kind of wondering if the whole WikiLeaks piece kind of looms over, is that kind of influencing that? In other words, hey, if we collect it, at some point it may become publicly known that we collected it. Or is that just something, I mean, you know, I know state governments probably aren't collecting the kind of data that, say, the NSA is collecting and getting caught. I'm wondering, like, if we hope, right.

But what's kind of driving privacy practitioners within these government agencies to determine what data to collect? So I can't speak to data privacy as a whole, but in the context of identity, and I'll talk about it in two ways, identity proofing and identity affirmation, it is something we talk about every single day.

And the reason we talk about it every single day is we want to avoid those data marts, honeypots, WikiLeaks, whatever view you want to apply to it, around the collection of data that potentially creates an attack surface that we're just not interested in taking the risk associated with.

So when we talk about identity proofing, so when I initially come into a digital service and identifying you are who you say that you are, we have a lot of mechanisms available to us within state government to facilitate that, but we want to right-size the risk of both collecting that information as well as validating it with the service that you're attempting

to access. So, for example, if you're coming in to pay your taxes, not get a refund, but to pay for yourself or for your business, to a degree, if you're willing to cut that check, we're probably willing to accept that, and we aren't going to go through additional proofing. If you are, for example, getting grant money or, in the case of the federal government, getting a tax refund, with the issues that happened there, the bar would be significantly higher.

And so part of it is limiting, again, when we are actually attempting to even access that information, such that it is risk-justified. The second element is, well, how are we accessing the information? So driver's license is a really popular mechanism in state government. Why? Because we have it and it's relatively easy for us to reach out and grab it. But as I mentioned earlier, there is a law,

the Driver's License Privacy Protection Act, that we do have to evaluate these calls against. So the approach that we've generally taken is API, and the API isn't "send me all the information about Jim McDonald." The API is "Jim McDonald said these things about himself,

can you confirm, yes or no?" And so that limits the information that we're receiving and have to be responsible for. The other element, and getting to the biometric piece, is the sort of the view, and I'm sure that other spaces have this as well, the view we play in the public sector is: assume all knowledge-based proofing is compromised.

So we would take any information you provide, plus a picture of your driver's license, plus a picture of you, and do a comparison, but we would never store that; we blow it all away. It's real time, it never gets collected. So the footprint is meant to be very small and very transactional, as best as possible, and then at that point all we do is store that you have in fact been proofed and to what level you've been proofed. The

other element we look at is the identity affirmation piece. So fine, you're in the system, great. But now you're coming in and you're attempting to perform a certain transaction that is of a higher level. So you're trying to pull information from retirement benefits or cut a check out of your pension or 401K. In that case, we would also look at more like an adaptive or risk-based view of that transaction and say,

all right, so you typically log in with one of these two devices, and that device is geographically located here, and this is the type of login pattern that you follow in terms of the language of your browser. And we would flag that for atypical behavior. And then that would require, again, sort of additional confirmation before that transaction would take place. Yeah, the latter scenario that you were discussing, I think the buzz term is verified credentials.

I kind of went through that process with the ID.me process to get to IRS services just recently, right? As you're going through the process of obtaining a mortgage, you have to kind of go and get IRS transcripts and things like that. So, recently went through that process, and, to your point, it made a big point of saying, look, if you do this automated process, we blow away all of the data. Your other option is wait and do a video chat with a human being, but the wait time is an hour.

But hey, you do have the option. Anyway, I wanted to switch topics a little bit. You know, we had three our preparation for this session. And you mentioned, an organization called, I think Ignacio. It was the way you can see, I'm not a CEO. And yeah, so that's a public sector CIO organization and what are you, what are they talking about?

And relative to digital identity so nacio, the National Association of State cios in my mind, is the organization to really And what are the it priorities across the state sector. So typically this is a group that meets twice a year. These are decision makers within the individual states. Typically, they are leading the shared Departments of it for that state and they come together to really talk about. Where are you investing?

Where do you plan to invest? What are you seeing as a successful way in which you've invested? So that could be vendors. That could be just Particular topics, and things of that nature. So, every year, they release a nacio top 10 priorities. It typically comes out in the late fall or early winter of the preceding year that says, okay. These are the 10 priorities that we anticipate, we will take into, in this case, 20 22.

And then, these are the supporting technology projects that we believe are going to enable those. So if I look at 2022, is nacio top 10 priorities. Number one is cyber security. Number two is Digital Services.

I think number six is Identity. The idea is that with not just covid, but I think with the understanding that the digitization of government services drives faster Revenue return better engagement with services and frankly just better experience from the user perspective, which ultimately leads them to come back again. There's been a significant investment in that kind of it modernization to enable that

obviously, then PSI. Cyber security exposure and the need for a unified citizen identity, in this case, are going to be critical to that underpinning that if you look at the Technology Solutions, if they're really most focused on particularly from the citizen perspective, there pretty early in the life cycle. So they're just focused on how do I prove out the citizens that are logging in are?

In fact who they say, they are such that I can move Beyond those General Services where I really Not having to prove with any real any real detail evaluation. So now exposing more sensitive services like retirement benefits and health information through these digital portals.

That these are things like access Indiana history to go down this path and if you do, hi, oh, I know it started to go down this path, but many states are really just starting to frankly, dip, a toe in to how Digital Services supported by a digital citizen identity can believe, Start to be rolled out to their constituencies. So we focused a lot you know talking about the United States, right?

And I mean a lot of our listeners, at least a third of our listeners, are based outside of the United States. How much collaboration is going on, you know, beyond the borders of the United States? Because a lot of what you're talking about seems like these are best practices not only for the United States, right, but for government

all over the world. The short answer, from a state and local government perspective, is none that I'm aware of. Even within state and local government, outside of groups like NASCIO, the information sharing tends to be a bit more regional and partnerships. So if you think about Washington and Oregon, or Maryland and Virginia, or the Carolinas, like, these are groups that share close geographic territory. They have a lot of overlap in businesses and citizens and things of

that nature. So they tend to work pretty closely together. In terms of international partnerships, like I said, none. I would say that if you look at it from the federal level and think about things like the National Institute of Standards and Technology, you know, those are organizations that are often setting standards that state governments are utilizing.

Also, obviously, looking at things like standard authentication patterns and OIDC and SAML, which have an international flavor to them as well. But I guess the short answer I would say is indirectly: when you think about industry standards, certainly state and local use them like anyone else would. But as far as, does Ohio directly talk with members of the EU to define what they're doing from an identity strategy

perspective? Absolutely not. It wouldn't be a conversation about state and local government without talking politics. Before I get to that, I'm curious about NASCIO. So, you know, certainly politics play a role, a large role, in a lot of different things. But as far as participation at that sort of, like, CIO level, do you see any, is it, you know, red vs. blue and some of those things, or does everyone

pretty much just get along, and they're kind of, like, operating outside of the political spectrum? What's the sort of, like, I guess, feel of the room, so to speak? Yeah, it's a great question, and I would personally say that those sessions are not political. But state CIOs are appointed by the governor's office. So there are potentials where there will be CIOs who lean more political one way or the other based on their affiliation with the particular governor's office.

I would say typically, if you look across the board, the vast majority of those individuals would say that they are IT first, and IT and cyber is a bipartisan issue that really doesn't play on either side of the aisle. So there are always concerns, particularly in battleground states, where if a party affiliation changes over, these individuals may also

change over. But for the most part these are very specialized roles, people with a lot of experience in that space working with the state agencies. And so because of that they tend to be seen as longer-term positions. Do you find any trends where, you know, I'm thinking like, you know, blue states tend to be more digital-first, or red states might be more something else first, or is it pretty universal?

Everyone kind of gets it, that it's just more about getting, you know, secure access to the state's resources and making sure the services are usable. Do you see any, like, trends as far as Democrat versus Republican or Independents? You can also pass, too, if you want to preserve.

The trends would be more digital-service oriented than, I would say, cyber oriented, which is to say that a blue state would typically provide more government services than a red state. A blue state would typically have a larger budget in comparison to red states of a

similar size. And so, because of that, certain blue states have perhaps identified the need for digital identity for their citizens earlier, just because more things are being offered from a digital perspective. That being said, I worked on InnovateOhio, which is the citizen portal for Ohio, for 43 years. That was under Governor Mike DeWine and Lieutenant Governor Husted. That's a red state. So I don't think it's necessarily a red or blue issue. I think, anymore, people see

cyber as a bipartisan issue that really deals with national security. You talked a little bit about kind of, like, the funding cycles and changing over of the administrations and how that might impact some of the appointments at the IT level, and maybe downstream, sort of, strategies, I guess. What can you tell us about that sort of political cycle? How does that impact things like funding and strategies

and things like that? Because I'd imagine every two to four years there's probably some major shake-up, and that's, to me, as I think about it, like, from a how-we're-going-to-actually-get-things-done perspective, that seems like a pretty big concern that I would have in a roadmap somewhere as a risk. Isn't it? Isn't it? Isn't that really probably more

so the four-year governor cycle than the two-year legislative cycle? It is more impactful, and I'd say it's impactful from a people and from a funding perspective. The people piece we touched on, which is that many of the agency directors and secretaries are directly appointed by the governor. So in the event that that governor is not re-elected or term-limited, or even more so if the party changes over, it

is possible that that individual will no longer be there when the administration transitions. It's not guaranteed, but it is probably more likely than not that that is the case. And so from an execution standpoint that can potentially slow things down, where, as people transition and want to understand what the projects are and the investments that they're making, projects may not go live in those windows, or may drag on six, seven months after anticipated windows to bring new leadership

up to speed. Funding is perhaps less impactful, and there's really two ways in which the centralized IT departments are funded. One is direct appropriations and the second is chargebacks. Direct appropriations would typically be driven by, let's say, Maryland as an example, which is doing an IT modernization, cyber modernization fund, where they basically pushed bonds in order to put multiple millions of dollars together to drive various IT projects. That funding, once approved, is earmarked and,

without, basically, significant effort, is not going to change. Chargebacks are chargebacks from individual agencies, so where you're essentially operating almost as an outsourced IT service provider for those agencies, and then they pay into central IT for that time. Those can be much more impactful, because those are really kind of annual-based decisions, and if leaders change over, they may not be inclined to spend their money

in that way. You talked about this thing called the three P's when we were talking before the show. What does that mean? So that's a Robert-ism that I came up with to really describe the funding cycle and delivery cycle for these projects at the state. And so the three P's are piping,

pilot and pattern. The first two are typically activities that we would be driving out of the centralized IT. These would be projects with direct appropriations, with definitive timelines, and really being driven by various leaders within those departments of IT. So the idea is, whether it's access management, IGA or PAM, that we would stand up the infrastructure, the base configuration, the core testing

of use cases that would be used for the enterprise. So lights on, documentation done, core functionality available. We would then coordinate with agencies for the launch of an individual pilot to essentially validate our understanding. So it's like, everything sounds great in academia, and then once you apply it in the real world you obviously have a number of lessons learned that come through that process.

At the end of it we would incorporate those lessons learned, and that essentially finalizes what we call a pattern. And so the pattern, then, is what agencies choose to onboard from that point going forward. The agencies would pay for that; the agencies would be responsible for bringing individuals to the table, and they would utilize, generally, documentation generated during that piping and pilot phase to drive the majority of that implementation activity.

So it's a way to take kind of a centralized solution and a centralized delivery model and then start to decentralize it across the enterprise from the state or local perspective. Robert, I'm wondering, are state and local governments, like most corporate organizations that I've worked with, coming up with kind of a cloud-first strategy? So are they trying to move to cloud services? And that got me

thinking about: do they have any FedRAMP requirements that they're either governed by or that they are choosing, if available? So there's been a lot of conversation over the course of the last two years for a StateRAMP set of requirements, very similar in nature to what you'd see from a federal perspective. That's still very much taking shape. Going back to NASCIO, if you look at their top 10 priorities and the technology that supports it, number one is

cloud services. So cloud is, I would say from an enterprise strategy perspective, relatively immature across the state landscape. They are still evaluating how to strategically apply this for benefits across the state. What type of data are we going to put in there? How does this apply for infrastructure versus software? What kind of changes are we going to make to our overall cybersecurity services and audit mechanisms that we use?

A lot of that, frankly, hasn't been defined. This is a space, and I pick on vendors sometimes because I think vendors drive a lot of the conversation, but I think vendors that are pushing cloud services right now will help to maybe drive some maturity around that discussion at the state level. To the cloud, to the cloud, here we go. I want to start to wrap up the conversation because you've been, you know, generous with your time. This sparks, though, something I want to bring up

that a listener out there, Andrew, who's also been on the show, sent me a LinkedIn message. And I think this is a great option to bring up this question, as it's around the balance of security versus user experience, because I feel like this is exactly

the conversation that is probably taking place as part of that. And I think of it, he gave me an example of, you know, moving away from SMS in favor of more secure MFA methods, and I'll paraphrase, things like app-based push authentication or maybe even, you know, if you're really cool, going down, like, a passwordless route or something like that. What are your thoughts on, you know, how does an organization, and let's keep it

the state and local kind of flair for this one, you know, help kind of drive that sort of maturity, or that maturation away from what we consider a legacy MFA, or other types, some legacy technologies like on-prem, maybe moving to a cloud-based approach? How does that balancing act take place? Maybe this is a conversation that takes place in a CO, and I'm sure in conference rooms all across different governments. But what are your thoughts on

that? A question that has been brought up more times than I can count in my career. And a big element of why I've talked a lot about not just identity but digital services is, we found that joining to be extremely successful. Every time you layer on security, no matter how great the UX is, it always creates friction with the user

base. So by looking for opportunities where we weren't just rolling out security, but tagging that to perhaps web application modernization and releasing that in sort of one joint package, it created a bit of a balance, right? So I'm getting better services and experience, and while there is a security layer that may be new to me, I'm okay with accepting that because I'm getting a better overall experience. So that's sort of big picture. Drilling down into something like MFA,

what we often would talk about is, okay, fine, SMS isn't as secure as an application push. But what are they trying to access, right? How critical is it that we push that experience? And if we didn't have a really good risk story around that, then we would typically shy away from that change. So I think, as with most things from a cyber perspective, understanding the risk context that's there is important to drive those decisions, not just looking at it from a cyber lens.

I think the other thing I think about, too, is that it doesn't have to be one-size-fits-all. There's probably multiple right answers; it just depends on the use case, context, risk, whatever it is you're trying to address. Jim, in 30 seconds, tell me how you balance security with the user experience. Yeah, Robert touched on it. It's all about level

of assurance. If you need a high level of assurance, then you have to have appropriate controls that achieve that level of assurance. If a high level of assurance is needed and you also need to reach a broad audience, that's the toughest scenario. But I mean, can you name one banking service where you're able to log in with your Facebook ID or your Google ID? It just doesn't happen, right? I was doing something the other day where it was, again, going through the process of getting a mortgage.

You're constantly DocuSigning things. This was not DocuSign, but it was some other application to sign documents. They said, do you want to sign up for multi-factor authentication? Which has become ubiquitous enough now that, like, I am, and probably a lot of people, say, yes, I do want that level of protection. But when I got to it, they would not offer SMS or email as an option. You had to download an authenticator app, and at that point I said, that sounds very inconvenient, right?

I have Google Authenticator, but I don't want to go through this whole process to link through for DocuSign, which has just become, like, the Kleenex term, right, to sign a document electronically. Ultimately, I ended up saying, after I started seeing what the documents were, I was like, okay, I will register my Google Authenticator, but I bet you most people would say forget about it. Which is too high. It just felt like too high of a bar before I knew what I

was going to get. After I saw what was in there, I was willing to go over that bar, but it was still probably a bar, especially if you give people the option to opt out. It may become too high of a bar. But that level of assurance we were talking about: your employees, you're talking about your privileged access, a high level of assurance, and now you can set up those digital hurdles where you need to use a soft token or maybe even a hard

token. I got a Chromecast with Google TV yesterday to add to my collection, and I went through the process last night of setting up all my video services on it: Netflix, Hulu, HBO, Apple, blah blah blah blah, all the things that we said would be cheaper independently

from a cable subscription. I'm now paying more, but that's a separate conversation. And I must have experienced five or six different ways to authenticate and connect those services to my media device, and it ranged from having to use a remote control,

you know, that doesn't have letters and keyboards on it, and navigating and typing in an email address and, you know, a very long and complicated password for each of these services, to going to the web and doing, like, an OAuth flow where it's, you know, simpler and easier, to Apple, where I logged in and then it actually used my on-device credentials and facial recognition and I never had to type anything, which was awesome.

I think that that balance of the usability and security kind of comes back to this, as, like, okay, we're talking about, you know, media streaming. What are we really concerned about? And how do we make that, you know, easier for people to actually consume the services? I get Netflix is out there looking for ways to, you know, increase subscribers or drive revenue. But at the end of the day, you know,

let's make it easy for folks. All right, let's start to wrap things up. Robert, we like to end on a lighter note, and I know that you are a connoisseur of various beverages. You've got a very impressive kind of home bar setup, so I'm going to go with an alcohol theme here for our lighter note. What is your favorite alcohol spirit, and then what is your least favorite? Yeah, I think we were saying that

there's a definite spin-off podcast here, Strong Opinions on Strong Spirits, because I have very strong opinions on this. So from a favorite perspective, it kind of changes over the course of the year. I would say, you know, given that it's beautiful weather here in Charlotte, North Carolina, I would say tequila right now is in my number one spot.

I think, you know, a lot of times people have their Cuervo scar from at some point in their life, but I'm a huge fan of really great tequilas out there, and I think it's been really fun over the last couple of years that tequila has kind of caught on in the market. On the other end of the spectrum, I know this is a really unpopular opinion: vodka, only because I just don't feel like vodka brings anything to the party. I like to make cocktails; vodka to me is just a blank

slate. That's my vodka story, for a different reason. That's because I had way too many one night, a very long time ago. I have not gone back to the well and I'm not gonna do that anymore. Yeah, and I promise that cyber projects don't drive me to drink. That's definitely not the case at all. There are plenty of other things I do. Yeah, exactly. Jim, what about you? What's your favorite and least

favorite spirit? Well, I feel like I need to address the vodka piece, because I think it being a blank slate, and the more blank the slate is, in other words the more time, the more refinement it has, the fewer impurities exist, and when you drink it you don't have the problems the next day of feeling

hungover. So I appreciate that about a good vodka. I think probably the alcohol that I enjoy the most, but I have to make sure I don't drink too much of, is bourbon. And then I'm going to pick one that maybe nobody saw coming for least favorite, which is an aperitivo called ouzo. If you had to choose? There's, no, my thunder. No, did I maybe see her too? Yeah, exactly.

I'm not a fan of ouzo. My wife had a drink last night at dinner, and I think it was an old-fashioned or something, and for whatever reason they had some sort of ouzo spirit in there. And it was just, yeah, exactly, the face, as you can see, it was definitely, like, not the right thing. Yeah. I'm impressed, well, impressed, shocked and I guess not shocked at the same time that we don't like the same spirit. Mine is Malibu rum. That's pretty much my go-to.

I don't really drink that much to begin with, but I will enjoy a nice sweet coconut rum of some sort. Other than that, pretty basic, man. I'm not much of a drinker. I'll drink port, but we're not talking fine wines at this point. You're in the land of breweries where you are now. So do you need to venture out that way? I am; we've got Whistle Hop, like, literally, like, a hop from me.

So, tons of breweries here in Western North Carolina, and the Asheville area is a good food and drink town. So yeah, we are certainly enjoying making the rounds and discovering all that the area has to offer, my wife and I. All right, let's go ahead and wrap it up for this week. We're getting a little bit long in the tooth here from a show perspective. Any final thoughts, Robert? What should people be taking away

from this conversation as it relates to identity and the state and local, or the fact that ouzo is garbage? You know, what do you want to go with? First of all, do not get any tequila that has added agave to it. You want to go 100% natural. That is the most important takeaway. So for those Casamigos fans out there, shots fired, but that is definitely not the best tequila brand on the market. From probably what people actually came here to talk about, which is

identity, I think the big thing that I like to tell folks, as it relates to your state and local governments, is that there is significant time and investment being put into understanding what are those services that really make sense to digitize. No one likes to go to the DMV; no one likes to go and wait in long lines. And with that I see that states are making a more significant investment than many,

even private, solutions are in establishing citizen identity, and I think there is a hope and a vision that over the course of the next five to 10 years, state identity really can become a really unique source of federated identity across public and private sector. So it'll be really interesting to see how that plays out. Here, I just have to get a new driver's license in North Carolina here soon and it's like a three-month wait to get, like, an appointment at the DMV to get it done.

So hopefully things like that get better as we move things forward from an identity maturity perspective at the state and local level. Jim, how about yourself, final thoughts for this week? Yeah, final thoughts are: thank you to Andrew, too, for sending us the question. Thank you to Chris for sending us the tweet last time. I encourage all of our listeners, you know, take part in the show by submitting some things like that, and if anyone's going to be out at the Gartner IAM Summit,

we'd love to meet, fist bump, as Jeff likes to say. But yeah. Yeah, and if this is your first time listening, please reach out to us, connect to us on LinkedIn and subscribe. It helps us out a lot. We've seen tremendous growth with the show over the last few years, considering this is all word of mouth. We don't do any advertising or anything. So we certainly appreciate every thumbs up, like, subscribe, share,

whatever. The, you know, the thing is that that helps get the word out, and it's always appreciated. And definitely, if you're going to be at Gartner, hit us up. We'd love to fist bump, do whatever it takes to make sure that we meet up with folks. All right, with that, we're going to go ahead and leave it for this week. We are on the web at identityatthecenter.com, we're on Twitter @IDACPodcast. You can connect with us on LinkedIn. Robert, cool if we put your LinkedIn profile as part of our show notes

if people want to reach out and have kind of questions or thoughts, concerns, or the agave police want to come and arrest you? Absolutely. Any and all of the above. Very good. All right, so we'll include that in the show notes. With that, we'll go ahead and leave it for this week. Thanks, everyone, for listening, and we'll talk with everyone in the next one. Thanks for listening to the

Identity at the Center podcast. If you like what you heard, don't forget to subscribe and visit us on the web at identityatthecenter.com.
