You're listening to the Identity at the Center podcast. This is the show that talks about identity and access management and making sure you know who has access to what. Let's get started. Welcome to the Identity at the Center podcast, I'm Jeff. And that's Jim. Hey, Jim. Hey Jeff, how are you? Oh, not so bad. Yourself? Hey, I'm living the dream right now. It's kind of a nightmare. No, I shouldn't say that. It's really not, but I think everybody's experienced those. So, last week we were at the conference, and then this week I came home, took some time off because I was moving, so it wasn't really a vacation, and then you come back to work and it's like they always say: the work will be waiting for you. Yes, it will be waiting for you, plus all the new work that's coming up. So, yes, like, I was on the computer, literally, till 11:30 last night working, and I haven't done that in a while.
I mean, it was just like a tidal wave came in from like 8:00 a.m. to 11:30 at night. I consider that payback for all the work you gave me editing all the podcasts that we did from Gartner. We put out, I think, nine episodes in two weeks, which is like a new record for us, which is very cool. It's a very cool experience, but yeah, so welcome. Welcome to the world of Jeff for the last two weeks. Yeah, no, I was thinking, like, you know, hey, putting out all those episodes, that wasn't too much work, was it? For me, it wasn't. But for you, I know it was a lot. That's a lot of work, but it's fun. We do it as a hobby, right? We don't really do anything. This is, we don't really, like, monetize the show in any way, right? So we don't do commercials or anything like that, or even advertise ourselves. No, maybe that'll change at some point in the future as we kind of figure things out, but we do it for the love of the game. And certainly, it's fun. Well, we don't, we don't advertise for ourselves, but if anybody wants to hire us to do more, feel free to do so. Yeah, definitely. Come visit us at our SM.com? Yeah, so I mean there are a couple of things actually worth calling out, so, like, we put out all the episodes from Gartner, so if you haven't, check those out.
You basically did a preview episode the day before of what we thought we would be getting into, and then we did like a daily recap from the three days of the conference. And then while we were there, we also recorded specific conversations that we had with five different guests. So we have Louis Almeida, Jamie Lewis gross, we had head covet sand, we had Vittorio Bertocci and bread to me from various companies. I got them all off memory. That's how fresh it is, having different conversations, and we rolled that out basically all this week and we're kicking it back and forth. While we're recording this on Friday, this will become our new, our Labor Day episode that goes out on Monday. We've gotten a few nice comments from people that we had really good coverage of the conference. I feel like that was kind of part of the goal, was, you know, for people who couldn't be there, just kind of giving you some kind of inside picture. Obviously, we're not, you know, news media covering it, you know, this session did this or that session did that, but more getting the perspective of us and some of our friends of the show who happened to be there and were willing to jump on the podcast for a little bit.
Yeah, it was pretty cool. I think even some folks at Gartner took notice, and re K thanked us for our journalism. I told him, I think journalism is a little bit of a stretch for what we do, but it's very cool to get some nods from that. Yeah, it was fun. Again, thanks also, you know, to Gartner really for putting on a great show, but also for hooking us up with that sweet suite, as you like to say. Anything. Have a great, you break top one
now. I mean, yeah, that was getting old. Keep them guessing. That's the way to roll, but yeah, having a spot to record was definitely ideal. And we're actually looking at doing this again. I think we're looking at being at the Authenticate 2022 conference in October, which will be in Seattle. So we'll be meeting with our friends from the FIDO Alliance. I'm looking forward to maybe getting Andrew Shikiar, the executive director over there. And if you're going to be at the conference, we'd love to sit down and have a conversation either on or off the record, depending on, you know, how it works. But that'll be exciting too. For those who haven't been following along, that's the one that Jim ditched me at last year and made me present on my own for a talk that was all his idea. I would have been more than happy to cover for you, but I was sick as a dog in the middle of a pandemic. Turned out, at least a test said, that I did not have COVID, but I feel like I had COVID like 10 times. Yeah, I was sick a lot during the pandemic. But, yeah, the FIDO Alliance is definitely one of my favorite organizations, you know, kind of like, as well as IDSA, as well as IDPro. And I wanted to mention, I put a message on the IDPro Slack channel, but just to mention here as well, we've got a special episode planned for Halloween. So Halloween
falls on a Monday this year. And so the idea that I came up with was: what is your IAM horror story? So to participate, I kind of figured the episode format would look like what we did with "What's the difference between identity and access management and digital identity?" And it's kind of like, you know, individuals kind of recorded their three to four minutes and then emailed it to us. So if anybody's got an IAM horror story, like, I've got one that comes to mind from my own life, but if any of our listeners have one that they'd want to share, basically just sit down, record it, send it to us. Reach out to me ahead of time, right? We can't have 20 of them, just to break it up. So it's going to be more or less a first come, first served kind of thing, or send them in and we'll just try to figure out the best ones that are podcast friendly, or, you know, if there are ones that maybe aren't safe for work, hey, we can maybe talk around it. I love hearing the stories because I think it's interesting. So from my perspective, send them all in and we'll try to pick the best ones.
Maybe I'm thinking of one in my own personal life I shared not too long ago, but it could be interesting for sure. Yeah, definitely. And then, you know, also, just speaking of Authenticate coming up, that's, you know, the conference that you went to last year. We'll have the executive director of the FIDO Alliance, Andrew Shikiar, hopefully, come on and do a preview. He's always a good sport about coming on the show, so I think it's more a matter of just finding a mutually available time. He hasn't agreed to come on yet, but I'm just getting it out there. Yeah. Right. If he did come on, I'd be surprised. Is he a good sport? Good sport? Yeah. Andrew's cool. What else have we got? Oktane coming up.
I think we're planning on doing something out there, so Oktane is Okta's customer conference, partner and customer conference, in San Francisco in November. So I think we're tossing around ideas of how maybe we do something around that. So yeah, we've kind of been hitting the conference circuit here pretty hard over the last couple of months. Yeah. What I love about the conferences, like, just take the FIDO conference, for example. If you go onto the FIDO Alliance Authenticate conference site and look at the agenda, and you just look at the sessions, there are so many good topics and so many good speakers. So what does that mean for the podcast? It means we can have all these people in one place, as in, hey, can you carve an hour out of your schedule? You're already going to be there in Seattle, just join us in the podcasting suite and, you know, lay down the track. Well, I don't know if we'll have a suite, but some area, hopefully a table and chairs, that makes it convenient. So yeah, like a broom closet. Yeah, I mean, that's funny you say that, but a lot of people, when they first start a podcast, they start in their closet because it has all of their clothes in it, and the clothes do a really good job of minimizing echoes and things like that. So yeah, there's a pro tip for you.
If you're looking to start a podcast, you know, maybe take a look at your closet and that might help. Yeah. Because, you know, that'll be the cheapest moment in your podcasting history. At some point, you'll buy mixers and some microphones and sound treatments for your walls, all kinds of AV services for editing and noise cleanup, and nothing beats having good, clean audio to begin with. Like, that's where you should make the investment. So, if you're doing a podcast, that's where I would spend the money. Yeah, I mean, people don't want to... look, we started early on, we did not use this cool software. We used Zoom and, you know, people had poor internet connections, it sounded horrible. Or if they had, you know... just like behind the curtain, the reason is, like, with Zoom, it's recording it as it's happening. Whereas, with the software that we use now, it's called Riverside, it does the local recording, and then you merge the local recordings together. But if your internet is spotty, you're going to get the local recording and it'll sound good. Yeah, we've definitely upped our game for sure. I'm satisfied with Riverside. What about the website? Yeah. I mean, some updates, and so we're going to get to listener questions here in a minute.
But yeah, I made some updates to the website, put out a brand new Listen page that has all of our episodes. That used to be just our most recent one, but now all of our episodes are listed there in chronological order, most recent first, with all of our show notes on each individual page. So when we say, like, check out the show notes, or there'll be a link in the show notes, now there's actually a place to go instead of trying to do it on your phone through your podcast app, or, you know, it might be a little more convenient if you want to link directly to a show. There's now a permanent web link for each episode, and most importantly, we have joined 1999 and added a search to the podcast listing page. So you can now actually type in, you know, a couple of keywords and it'll pull back episodes where it's either in the title or in the show notes, so kind of a simple approach, but it works. I was really impressed with the search feature, and it's because, even though it's like we joined 1999, how many apps do you use, including IAM platforms, where the search feature stinks? Like, you have to get it exact. Just write something and, guess what, this works really good.
Yeah, I'm looking at you, Microsoft Dynamics. Yes, exactly. That's the one that I was thinking of. Yeah, exactly. So yeah, check it out: idacpodcast.com. There is a Listen banner right on the front page or a link on the top, and yeah, I'm proud of the work that went into it, so hopefully people enjoy it. All right, should we get to actually talking some identity? We spent 10 minutes, like, talking about everything except it. Yeah, well, we needed that mental break. Yes. Let's do it. Let's go for it. All right. So how did this come about? Basically, this is a LinkedIn post that you put out there to ask for questions from folks around, you know, whatever identity questions they have. It was kind of loosey-goosey. We got a bunch of different things from a few different folks. We'll go through these kind of one by one. We picked sort of the best ones, or ones
we think we can answer the best, at least, or at least have an opinion on, and just kind of go back and forth. I'll go ahead and give you the first one here. This is from Eric Woodruff, and he writes: since it's a long weekend, and one could bet the threat actors will hope all the admins are out on a boat somewhere drinking, perhaps credential theft and phishing-resistant MFA, maybe diving into how traditional MFA like OTP, one-time password, is no match for things like Evilginx2 or Modlishka, which are basically open-source apps that people can use to run like a reverse proxy or a man-in-the-middle sort of attack that would intercept those codes. So, I think the question here really is, you know, what do we think about phishing-resistant MFA and things like that that might help people enjoy their time on a boat drinking. Yeah, for sure.
And I think, you know, the consultant in me wants to take a people, process and technology approach to this, because I think that the first part of his question was geared towards: it's a holiday weekend, and the hackers, like, we think the hackers like to try to exploit the fact that admins are not going to be around. I mean, that's always been something we've said. I don't know if the data actually supports that more hacks happen before a three-day weekend or something, but let's assume that that's correct. I think it is. The first thing is, you know, if everybody goes out on a boat and drinking and nobody's going to be able to take the call and jump on it, that's a problem, right? So the people standpoint has to be that somebody's ready to jump in if, you know, the world goes to hell in a handbasket, you know? Then I think the process side, really what we're getting at here with the phishing campaigns, is people keep falling for phishing campaigns. They're clicking links in emails to go to what looks like Instagram or whatever, you know. And look, I understand some of these things are getting really sophisticated.
You know, they send you an email that looks legit, you click the link, and the login page looks legit. However, if you were smart enough, or I shouldn't say smart enough, let's say educated enough, you have this built in, and you go and look at the URL bar, you can see you're not on the real instagram.com or whatever the page is that they're trying to fool you with when you look at this. But even that's assuming that you've got your browser configured to actually show the full URL. I guess something that bugs me about Safari is, by default, it hides the full URL. It just shows the first part of it, or maybe just the base of the domain, you know. I think these are things that, yes, you know, we hope that we wouldn't fall for phishing, but there is a reason it is so popular: because it works.
Yeah, I kind of feel like I have built this little phish... I'm in this industry and everything, but I've also worked for a few companies now that have really had, you know, awareness campaigns, and I feel like I'm more aware because of these awareness campaigns. I'm more suspicious when I see something, less likely to click on the link. So that's kind of the process side, and I think what Eric is also bringing up in terms of technology is there are some multi-factor authentication methods that are stronger than others. Obviously, leveraging a one-time password through SMS or email, that's like the low end of the spectrum, versus doing some kind of certificate-based or, you know, biometric or something that can't be captured with a man-in-the-middle attack.
We don't have to knock how one-time passwords are. Look, any MFA is still better than none, we'll say, right. But things like SMS, for example, have been specifically called out as, like, the bottom rung of the MFA tree. It is probably the most easily intercepted, breached, you know, cracked, whatever, you know, whatever term you want to use, to basically say, yeah, the MFA went to the wrong person or was intercepted. When do you think SMS as a one-time password approach, or MFA approach, becomes no longer prevalent? Because I feel like it's still the number one method. Like, every single app seems like, yeah, that's what it defaults to, it's like the minimum viable product when people are rolling out MFA. When do you think it will be that that is no longer the case? Are we talking two years, five years, ten years, never? Oh, no. Kind of feels like never, because I don't think it's in the foreseeable future, but I think what could get it there is kind of that FIDO2 approach, where the device makers make it so easy to use the biometric. I mean, it's kind of gotten there, but I think so.
Look, in terms of MFA, to me, there are different levels. There's the low rung, like we talked about, the one-time password, all the way up to something like a YubiKey, but you can't expect people to use a YubiKey to go shopping on Amazon or, you know, something like that. So, you know, to carry one around and plug it into their phone, like, that's not normal. People don't do that, right? But could you? Yeah, exactly. But could you do that for high-stakes transactions, connecting to a VPN or doing some kind of online banking? In certain scenarios, I think it is reasonable, but I think there's always going to be those lower-risk use cases. And I mean, heck, we know there are still sites out there that aren't even at that level of using SMS. So I think it's really the level of assurance that's required. And there's always gonna be low-level-assurance use cases where SMS will be good enough, I guess. That's kind of a pessimistic view. I think that's the technology side, is that you've got to go up the ladder in terms of level of assurance if the use case is higher, and I think they need to think about it critically. Like, if getting into the VPN is low-level assurance, then somebody could escalate to a higher-level account.
So if you're only requiring a higher level of assurance for an admin account, what if somebody gets into the VPN as a low-level account and then somehow is able to elevate their privileges or elevate to another account? Yeah. I mean, you were talking, you know, what, take a risk-based approach, I think, to it. Again, MFA is still better than nothing. Yes, traditional MFA, which is really the question, right? Is that as good as stronger versions? No. Is it more phishing-resistant MFA? Yes, but I don't know if we're there yet. So, like, you talk about certificates, and really, I think now we're starting to get to, like, passkeys on devices, which is sort of a new kind of FIDO standard. I don't remember the exact technical term. Vittorio helped us out, yeah, last week when recording, but there are certainly a lot... it's a mouthful. So I prefer passkeys as a name. It's still better than nothing. But at the end of the day, you know, how do these man-in-the-middle attacks work? They trick you into going to a nefarious website. So security awareness training, for sure, right? Making people aware, doing random phishing campaigns, simulated phishing campaigns, right? Kind of checking up on your employees and things like that, right? If you are in a customer environment, making them aware of where they can and can't get help from, what they should be looking for, you know, giving tips on looking at the full URL, watching for misspellings or, you know, domain squatters, right? Things like that. I think it's always a concern, but that, I think, is my two cents about it. I think we've beaten that one up pretty good. Okay, so let's move on to the
next question. It was submitted by Ian saying, and it goes like this: why does modernization always seem to stop at today's standards? Preparing for what's next seems to be punted to the next round of quote-unquote modernization. I think it's because we are still playing catch-up for the most part. Like, if you're doing modernization, I think that is a thinly veiled excuse to bring whatever you're trying to modernize, technology, process, whatever it might be, into something that you probably should have done like five years ago, maybe even 10 years ago. I feel like organizations are, for the most part, not on the cutting edge of the technology. They are doing just enough to get by, to either make the business run in the most cost-efficient way possible, because bleeding edge is usually expensive, usually introduces more risk. You know, it would be nice to be, you know, more modern, I think, as an organization when it comes to the technology and services you're putting out there, but I think of things like passwordless, where we're seeing such rapid iteration through not only the use cases of how it actually works and keeps things secure, but also the methods of delivery, you know, things like that, where you could call it modern. Yeah, we were modern two years ago when we first started to look at passwordless. And now, what are we looking at now? We've got passkeys. So, okay, so what's your definition of modern? Because it keeps changing, and how often do you continually upgrade the technology that you've got to stay modern?
It's too expensive to do that. So I feel like, you know, the reason it doesn't happen is money. Most organizations don't have budgets to install a brand new IdP, MFA, conditional adaptive, passwordless, identity governance, privileged access management, cloud infrastructure entitlement management, like, all this stuff. They can't do this every year, so you go in cycles. It's basically, okay, you're buying a product, let's hope to get five years out of it before we even think about trying to do a replacement or to do a major upgrade or something like that, unless there is a very clear reason, a clear and present danger or some sort of unmitigated evil risk or audit finding where it forces you to do it. It comes down to money. What do you think? Yeah, I think improvements in standards, the way I took those, was, you know, I think it's very reliant on upgrades to hardware.
So we're talking about, like, you know, consumer technologies like iPhones and things like that. Think about how fast they move from version to version, but then there are still people who are on older iPhones. There are some people, like, I had a painter come and paint my house. I asked him if we could use, like, Cash App or Venmo, you know, I was pretty much open to whatever. "I don't have any of that." And he had a flip phone, and he's taking pictures of the place with the flip phone. I'm thinking, oh my goodness, this guy is so out of date. But, like, you know, the bank that I go to wants to do business with him just as much as they want to do business with me, even though his technology's out of date. So, you know, the standards have to take into account all the folks who have the old technology. And then I think the other thing is that, you know, the responsibility to be secure generally does not fall on the end user.
It falls on the company providing the service. So, you know, if you say whose responsibility is it to keep my account at Wells Fargo secure, is it my responsibility or Wells Fargo's? Most people say it's Wells Fargo's responsibility. My password needs to be as long as what they say it needs to be, and my multi-factor has got to be whatever they say it needs to be, and I have to follow those rules if I want access, but they have to keep my data secure. It's not my responsibility. Now, you and I may see it differently because we're in this industry. I think, you know, the quote-unquote man on the street feels like the responsibility lies on the company that's providing it. So they've got the responsibility for security, and they don't want to alienate customers that don't have the technology. So if Wells Fargo all of a sudden said the only people who can access their account are people who have, you know, this biometric support from this version, so basically, if you have an iPhone 7, you can't be a customer here anymore, you need to withdraw your millions of dollars from our bank because we don't want you here. That's not going to happen. That is not going to fly. That's not going to happen. So that's my feeling, is, like, that's what's holding back modernization, is old hardware. Old hardware. I can see that. I mean, I still think money is the answer. Well, yeah, I mean, it always
ties back to money. All right. Sure, do the next one. Yeah, let's do the next one. Okay, so this is from our guy Chris Power, who we actually were able to meet out at Gartner. Chris is a big socks fan, meaning, like, actually on-your-feet socks, so kudos to him for that and collecting socks out at Gartner. He actually came up with a bunch, so I'm going to try to paraphrase some of these. Can I jump in on the socks thing before you go any further? I've got to. So I kind of felt like, after that conversation with him, this is the first time that I've ever heard of somebody going to the vendor hall and kind of scoping the place out to find somewhere with socks. So if you're listening and you do a booth at a conference, you know, socks might be a good giveaway. Yeah, I think it's interesting because I know he is, it sounds like he's into it. I think Ian Glazer from Salesforce is also into it, and then someone else I read, his...
I was on, like, my LinkedIn or Twitter feeds and stuff like that, where I saw people comparing security-related socks. So there is definitely a market out there for socks now. Didn't we look at, like, the possibility of socks? Getting custom socks is not a trivial matter right there, they're expensive. Any type of merchandise is expensive. We are looking at it, I think, trying to figure out how that would work, but at least of decent quality. Can you get some paper-thin socks from some low-quality type thing? Probably, but it's got to be... do it right, man. Spend the money. That's right. Anyway, so shout-out to Chris. So his question is really looking at the best ways to manage layered access. So, by layered access, what he means, and he gives an example, is application A is managed by the IAM team to get into it initially, let's say something like your single sign-on. All right.
So basically, like, the authentication is controlled by one team. But once you're inside that application, there are other entitlements or access controls, maybe you're an administrator or power user or something like that, where you can gain additional access within that application. So, you know, the perspective he's taking here is we've taken the position that business owners and vendors who have this ability take on the responsibility.
Meaning the ability to escalate within a specific application,
take on the responsibility and the audit findings that come from adding access when they surpass or go around the IAM team. This releases me, in this case Chris, from that responsibility on paper, but not from the threat and the risk of these businesses and vendors making changes on their own. If something would happen to occur, the call to resolve it would start with the IAM team, of course, right? Like, hey, why does someone have incorrect access to your application? Well, let's start with the top of the chain, and then you start doing this, you know, root cause analysis and say, oh, well, we only control one part of the authentication, someone else is controlling it. What are your thoughts on the management of that layering of access? So my thoughts on managing IAM,
managing access, period, is that the business makes the decision on who gets access to what, and the IAM team provides the tools to do that in a controlled fashion. So even the example he gave is saying, okay, well, the IAM team manages the single sign-on. So ultimately, you know, to get single sign-on to an app, they don't give everybody single sign-on to every app, right? They give you the apps that you need. Well, who's going to decide which apps? Jeff Steadman needs access to what groups? He goes into an Active Directory group that enables him to see that icon in his single sign-on. That would be the business. What I also think is, like, when you get to entitlements, it's really then finer-grained. Either groups in Active Directory, or maybe it's provisioned into the application with certain entitlements, whether it's groups or some other attributes that drive access, typically using a tool like identity governance and administration, like a SailPoint, Saviynt, Omada, you know, along those lines, or Clear Skye. I can't name every single IGA vendor, right? But the idea being that it goes to the business, and the business person in the business decides: yes, you get access, or no, you don't get access. And then the system ideally, if it's fully automated, would provision that access. If it doesn't, it's going to issue a ticket, but then ultimately, if there's a breakdown, like, somebody gets a ticket and doesn't follow the ticket, or they provide access that shouldn't be given, if you have the right tools in place from an IAM perspective that have that automation or issue a ticket, and someone breaks process, you have to be able to identify who broke process. But it sounds to me, like, what Chris is saying is that they've got a single sign-on tool, but they don't have an IGA system in place. Well, it could be that, but I think what happens in the real world, too, you might have the single sign-on tool but you don't actually control the permissions
within the application itself. Like, SAP might be a good example, where there's, like, an SAP team who is responsible for maintaining access within SAP, but the front door might be controlled through an Active Directory authentication, for example. So I think that's the risk, right? Is, okay, well, the IAM team is doing the right thing. They have, like, defined processes, but somewhere along the way the business decided that they did not want to hand over the provisioning of the actual entitlements within the specific application to a centralized team that does that work, or that centralized team doesn't have policies or standards or things like that that align with sort of the organizational IAM policies. So I see Chris's point here is, like, okay, well, we can only control so far because we're only doing this part. We're only really doing the authentication part of it. The authorizations are being managed by someone else in their own application that we do not have connectivity into or integration with, for example. So I can have an IGA tool, but I might not have a connector that is provisioning the actual permissions within the account. That happens quite a bit, right? So I think, you know, from a risk perspective, the risk doesn't go away. It becomes a business decision to say, okay, well, how do we want to manage the risk? To your point, I think the business owns the risk. They have made the decision not to integrate with the enterprise standard identity and access management system to the degree that absolves the business from complying with their audit requirements. Like, that's something I would take back to say, okay, well, you know, if you want an easy button, put it in Active Directory or Azure Active Directory, and because my IGA platform is fully managing Active Directory or Azure Active Directory, I will control both the authentication and the authorization. But if you've got an application that sits outside of that, out of sight of that management chain, I'm not going to be responsible for it because I can't control it. And I would never agree to say I will own the audit responsibility for an application that I cannot control the authorizations in.
So I think that's where the business comes in, and I think it's part of the IAM program. I think this is, you know, an agreement that gets made somewhere, maybe, you know, at executive levels or some other management levels, to basically say, okay, here's what we're responsible for, but by the way, because you're not using the IAM easy button that we've created, you are going to take on these responsibilities. You need to show your audit trail for who requested access, was it approved, keep that for, you know, X number of months, years, whatever, you know, regulation you need to comply with, things like that. For example, if you ever decide that you do want to hop on the IAM train and become fully managed, great, let's talk about that. But until that happens, I will not accept ownership of your audit findings. Have a good day, application owner team. That's the way that I would look at it. No, I mean, you made a lot of great points, certainly when you brought up the SAP example. We've seen that over and over again. I think what it ultimately comes down to is, if an application or platform, or however we want to look at it, is going to do their own identity and access management, they still need to be in compliance with the information security policies. Essentially, they have to do what the IAM platforms are doing with the same level of adherence to controls and being tested. But ultimately it comes back to, from the decision-maker standpoint, the decision makers should be the business, and the IAM system, whether central or it's SAP GRC, they need to be able to show the audit trail and who approved the access and collect all the same information that's required of the IGA system.
I think that also feeds into the second question he sent us, which is around work-audit balance, which is a pun off work-life balance. In regulated industries, it's hard to balance the work I have because I don't want an audit finding against the work I have to assure our identities are safe. So, basically, what we're saying is balancing, you know, the stuff I have to do that is going to be an audit finding, or maybe was an audit finding, versus the thing that I know I should be doing from a general identity and access management hygiene perspective. There is certainly some overlap. But what ends up happening is this prioritization that, every time an audit finding comes out, that becomes like the fire and it wins, versus all the things we should be doing. And this is almost like the modernization question earlier. It's like, there's a bunch of things that you should be doing, but if you're constantly playing catch-up on stuff, you know, what does that balance look like where I have a list of a lot of things I need to correct?

Every year, hopefully, you're making progress and it's not the same audit findings. Otherwise you've got problems. But I think it goes along with that as well, which is, you know, what is that mindset that needs to take place? Basically, do we say, okay, well, we're just going to address these audit findings and not really solve the bigger picture, versus trying to be more strategic, from my perspective, which would solve potential audit findings in the future that would arise from not having a strategy or a program in place. What do you think?

Well, I think the thing that comes to mind is to know what the source of the audit findings is and whether it's predictable. Because if the source of the audit findings is, hey, we've got an ancient access management system or an ancient, you know, provisioning tool that's not really doing what a modern IGA does, or we don't have a good privileged access management tool, or we're shifting to the cloud and we don't have a framework for managing access there, or maybe it's all of the above, we're completely underinvested, then maybe you can attack it by saying we need to make these investments as an organization. Now, you also have to accept that in some organizations it's almost like their strategy is to stay underinvested, and that's very unfortunate, because we hear from clients in the past that they call us after they've paid a major ransom, you know, to ransomware gangs, because they were underinvested and very vulnerable to being attacked, or they have some kind of major incident or major audit finding and, you know, it's like, okay, now the house is on fire. Now we're going to call in the big guns. And usually the situation is they've gone 10 years underinvested. Now, I think a big reason is a strategic decision was made like, we're going to outsource IAM as just a function we don't want to run, and then it gets into this mode of just maintenance, just maintain what we have. I mean, five years in the IAM industry is an eternity. I'd say five years ago it wasn't even the baseline standard that you need MFA everywhere. I would say anybody who would argue that you don't need MFA everywhere now is crazy, right? You have to look at your environment from a zero trust perspective. So I guess that's, you know, to Chris's question: if you can kind of predict what those audit findings are going to cost us, and it's due to, you know, things that can be addressed with investment, I think you have to push to make that investment. And if your organization is critically underinvested and won't invest, I think your options are: one, you've got to figure out how to convince people that it is worth caring about and worth investing in, or, you know, potentially just think, like, this organization is never going to invest, and we're just going to continue on this cycle. And, you know, you question whether or not that's the place you want to be.

Yeah. If you're not investing, you're accepting the risk. That's the bottom line. Like, that's pretty much it. Even when you are investing, you're accepting certain levels of risk, but you should be investing to reduce risk. But any time you don't spend money to fix something, that's risk, and, you know, there's just no way around it. Let's shift a little bit, because he came up with another one: tools and technology.
He's looking for a tool that will tell him, at the entitlement layer, when the last time it was used, in order to reduce aging access. His requirements, at least at a base level, are that it has to cover Active Directory and third-party applications. I think a tool like that sounds really nice. I don't know if something like that exists, because I feel like this is extremely dependent on logging and what logs are kept by the application that has the entitlements in it. So Active Directory obviously has logs; I would feel probably okay with that. The third-party applications, though, you just don't know what you're going to get from a logging perspective. Do they even track when an entitlement is used beyond the initial authentication or authorization chain?

Yeah, I mean, you're right on. Like, you know, I don't think there's going to be one tool that kind of, you know, pulls all this together without logs, and I think the ultimate answer is having a SIEM tool like Splunk or Elastic Stack that can pull this data in, and you create reports that can make sense of it. I think there are some access management tools that, you know, can filter at a coarse-grained authentication level, but ultimately it still comes back to spitting out the logs. And when you throw Active Directory into the scope, I think there are so many different ways to authenticate to Active Directory. Ultimately, you're pulling the Active Directory security logs. I think, you know, to me, it's the logging to make sure you're capturing the data that you want, centralizing the logs, and then building reports to, you know, make sense of the log data to help filter it to just what's important, and potentially setting up alerts so that, you know, anything that's really bad, you're getting alerted on.

This sounds like a lot of custom work to me, to try and get all the logs and then, you know, basically you're looking through all the authentications that take place. That's almost like this needs to be at the authentication level for each application: suck up all those authentication transactions, so to speak, into that log and then try to come up with some sort of logic or tree that says, hey, look for this specific authorization chain. And if you see this specific word, which should map back to an entitlement name somewhere, or maybe it's even a word, it could be some sort of primary key that, you know, translates from one thing to another. You know, maybe this is an untapped space, maybe there are already products out there that exist. So if you know of something, you know, hit us up, go ahead and send us a message on LinkedIn. We'd love to talk and figure it out. Maybe it helps Chris out as well. But I feel like this is a very custom thing that needs to be built, which to me sounds like it's going to be pretty expensive.

Yeah, yeah. Sounds like something maybe the FBI has, just something. But it sounds to me, like, the premise of the question, he's talking about when an entitlement is actually used. Then you not only have to say, okay, Jeff logged in as an administrator, but did he actually use the administrator access. So I, you know what, I kind of think one place that we do see that is with CIEM software. So it's going into Amazon, for example, and finding out when a role was actually used, and if that role's not being used, then it says, you know, Jeff is not using that role. But that's, you know, basically leveraging data that Amazon has and all the cloud providers have. So it's almost doing log analysis for this cloud vendor, so it kind of goes back to our answer, but it's also very specific to cloud infrastructure. I don't think a similar toolset exists for, you know, non-cloud platforms.

Yeah, that's a good point. You know, the CIEM space might offer some solution. The other thing to think about, too, is just because an entitlement isn't being used doesn't mean it should go away. I think of things like firecall or other sets of, like, emergency break-glass type accesses where you hope that you never have to use them, or they're used very sparingly. You know, if you have, you know, I would imagine you go to some sort of portal and say, oh, yeah, that's, you know, that's the emergency access, don't worry about that, that's fine to leave where it is, or whatever, versus taking more of an automated process. I know there's one client that we're kind of talking with in our professional life where, like, things like out-of-band access, for example: how do you detect accesses and entitlements that are being granted? And, you know, we're looking at a combination of RPA, robotic process automation, you know, logging, things like that, to try to come up with some ways to kind of address that unique use case, which is, admittedly, ooh, pretty advanced. I think a lot of organizations are still tackling the basics, but it is something that, you know, we're working on in our professional life.

Let's get to the next one, which is a culture question. I like this one because it gets more to the people side of identity. Chris works with a wonderful team, now mostly virtual, and they spend a lot of time grinding through provisioning requests. I feel your pain, Chris. How do you remind them of the importance of the work they do?
How do you reward them? Okay. So I think the idea here is that, you know, I'll go back to my old ID admin days and kind of how I got into identity, which was, you're basically processing requests, tickets, emails, walk-ups, maybe not so many walk-ups recently, you know, IAM work where, you know, you have to create accounts for some reason or add permissions or entitlements. And it's, you know, it's grindy work sometimes, especially if you're in a big organization or you have a lot of tickets or requests coming in. You know, how do you stress the importance of what they do? I mean, really, you're talking about the first line of defense for an organization. It all starts with identity, but when you're working on, you know, 100 tickets a day, or maybe 10 tickets a day, does it really matter? Right? How do you keep the focus for a team whose primary role is to just do that permissioning for people?

I think it also comes back to kind of people management, which is make sure that you are in touch with your people, you're having the one-on-ones, they have an opportunity, you know, you care about them. They know that the work that they're doing is important to the organization, and they know that if they have a concern or something coming up in their life, you're going to listen to them and do what you can to help them. I mean, so to me, it's kind of like, if you talk about the work culture and how do you keep people from going crazy, it's knowing that they're not alone, even though they may be physically alone at home, but that they're part of something bigger and they're valued and that you're going to be there for them if they have, if they need an ear. I think, I feel like the last couple of years, because of the pandemic, organizations have gotten better at this, at helping people understand their role within the organization, why they're important, because such a focus was paid on the mental health side of things, you know, for folks. I think that's a good thing.

I think a lot of it starts with that messaging from the top, you know, and making sure that, you know, as a manager of a team like that, for example, I'm promoting the success of my team to other managers and people that might be above me in the organization. Here's what we do, here's why it's important, and getting that message to them and having those folks help cascade that message back down to folks. This is a lesson I took from a few of the CISOs that I've worked for in the past. And Burt, where that thank-you for what we're doing, you know, is a powerful motivator. Not everyone is motivated by money or tokens of thanks, whatever that might look like, gifts. Sometimes I love tokens. I do, yeah, I do love tokens of money. Don't get me wrong, but yeah, a sincere thank-you and acknowledgement of the work that was done is certainly helpful. And I think that's, you know, it's not always the end-all, be-all, but at least recognizing, maybe even seasonal spikes: okay, we know we're going into a busy time, you know, maybe it's open enrollment, for example, or it's the first day back after holidays and everyone seems to have forgotten their password. So, you know, you're going to get a lot of password calls because they just don't feel like they want to take advantage of self-service password reset, whatever the reason. Not saying that these things haven't happened to me in the past. I'm just, you know, throwing examples out there, right? But I think, you know, I think part of it is making sure, I think the biggest parts are just being aware of the value, making sure that the team understands it, but also promoting your team. Especially for managers and other folks who are leading people in these types of roles: make sure that people know what it is that your team does and why it's important, and enlist their aid in making sure that that message is getting around and having it cascade down is a big thing.
You know, as you were going through that, I thought of a session at the FIDO conference that I saw listed that I'm definitely going to sit in on. It's called The Forgotten: how we all started with the contact center, then forgot to secure it properly. You know, it's like we all started out in that kind of position, and then when we go through security it's not, you know, a high enough priority for us to get it right. That's the global security engineer from CVS Health, John Poirier. So reach out to him and see if maybe we can meet up with him while we're at the conference. Yeah, that would be cool. I did say I think it's a really good question.

I think that's probably where we'll go ahead and leave it for this week. It's Labor Day. We've labored through a bunch of questions. I feel like our work here is done. We'll end on a lighter note, which was also submitted by somebody out there. I don't think they knew they were submitting a lighter note, but we're going to treat it as such, let's go with it. And it's from Kurt Greening: what tool, program, policy, or setting, if implemented, would help reduce the chance that you would be called into work because of an IAM emergency on Labor Day? So what is it that you're going to implement that's going to make sure that you can be on that boat drinking somewhere, or at least, you know, not have to do some work on Labor Day?

Well, I guess the serious answer would be what we talked about earlier, which is, like, you're going to have to take your turn, but if everybody's taking their turn, then it shouldn't be anybody's turn every time a holiday shows up. My funny answer was my technology would be an airplane: get on that airplane and go somewhere that doesn't have Wi-Fi, like Belize or Bora Bora. That was my flip response to Kurt. He's a good egg. I met with him out at Gartner as well. How about you, Jim?

Let's see, I think self-service, you know, reset your own password, you know, make people aware that, you know, what they think is an emergency may not be truly an emergency, right? I remember back to my pager days at Walgreens, you know, don't page me at 3 a.m. because you can't get access to the corporate menu, you know, for the cafeteria tomorrow because you're trying to plan your meals. I will not be very happy about that. You know, I think taking a risk-based approach to escalation. I think my fun answer would be setting an out-of-office and making it very clear that you're not checking email. Good luck, godspeed, and, you know, notify the next of kin, so to speak, is the way that I would look at it.

Yeah. Don't put your cell phone in your email signature. Yeah, I have mine. I do. That's the only number that I use. But yeah, I think that's, I, you know, you have to draw boundaries. Fortunately, I think a lot of people, especially in the IT space, are aware that sometimes, if they're in a support position, you might get called in on days off or weekends or holidays. I can certainly remember having to create a whole bunch of accounts because of a mismanaged onboarding on New Year's Eve, for example. So I think if you can plan ahead and try to head off as many of these things as you can, people can enjoy it. But it's also a culture question. So if you have those people who don't respect the boundaries and they go ahead and, like, violate the work-life time of your employees, just, you know, recognize your employees and, to whatever extent you can, kind of stand up for them. Let people know, like, hey, you know, calling them at home just because you have their phone number, yeah, it doesn't make it right.

Yeah. I remember back in the day it would be like, okay, well, just, you know, work from home today, or, hey, leave early, you know, on Friday or whatever, to kind of make up for it. Try to make it equitable, I think, for both sides, right? We all have a part to play in it, so be a good human being is my motto. That's pretty much it. All right, what do you think? Should we go ahead and leave it there? I think so. Okay, hopefully everyone is enjoying their Labor Day, the end of summer officially here, at least in the US. We'll go ahead and wrap it up. Check out our website, idacpodcast.com, check us out on Twitter at IDAC Podcast. Follow us, we always love to engage with folks. If you've got show topics, questions, concerns, grievances, you know, accolades, you can send them all to us on LinkedIn after you connect there and we'll be happy to chat. So hopefully we get to meet some more folks at some of these conferences that are coming up. So, Authenticate 2022 in Seattle by the FIDO group, or FIDO Alliance I should say, and then potentially Oktane, which is put on by Okta in San Francisco in November. And who knows what next year looks like from an event perspective. So with that, we'll go ahead and leave it for this week. Thanks, everyone, for listening, and we'll talk with you all in the next one.

Thanks for listening to the Identity at the Center podcast. If you like what you heard, don't forget to subscribe and visit us on the web at identityatthecenter.com.
