You're listening to the Identity at the Center podcast. This is the show that talks about identity and access management and making sure you know who has access to what. Let's get started. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey Jim. Hey Jeff, how are you? Oh, not too bad, yourself? I'm doing good. Just kind of thinking about this week, we did a little more traveling and I'm wondering how
you're enjoying small airport life. You moved from Chicago to Asheville. Chicago, you can fly direct to pretty much everywhere in the world. Actually, you can pretty much fly direct to nowhere in the world. That's not true. We have like nonstops to like seven different places on airlines that I don't travel with, so, you know, it's fine. I think it's, I liked it for the most part, and here's why: security is so easy.
I mean, I can park, or if I'm getting dropped off, I can literally be at the gate in like 30 seconds. You know, nine times out of 10, there is like no wait at all to get through the TSA PreCheck line. So I'm satisfied with that. I mean, it's a smaller port, five gates. It's, my real airport is really Atlanta, just because that's the hub for Delta. So, and then from there, you get kind of anywhere, but it's all a bit of a change. The worst thing is the parking situation.
The Asheville parking, Asheville Airport parking, is not great. So hopefully that'll get fixed sooner rather than later, but it's fine. Yeah, yeah. I find that what you said is spot on, except I think the biggest risk is that they cancel or early delay the hop from Atlanta to, you know, from the hub to your smaller airport. It happens a lot.
It happened to me this week, but I guess the thought that I was having is really around traveling: it makes it more challenging when you're in the throes of, you know, driving a project. And what I think the real key is to success is having a team of people and being able to trust those people. So I think kind of the career progression in identity access management, right?
As you become like a star performer, then the question is like, if you take that next level step to managing other people who have to perform, right? It's, to become like that next level is just not becoming a star performer on more projects or like taking on more work. It's now, how do you get things done with the team? You know. For trust to those folks. And I think a big part of that, right, is having the right team. I'm sure you're having a lot of thoughts.
I just want to throw one more thing in there, which is that, you know, right now on my project I have like an all-star cast of players who are not only doing an awesome job on the projects in the scope that we're responsible for, but also, kind of like, stepping up to that next level to help the client.
Point where we're finding deficiencies with the other teams we're working with, which are mostly not the client's resources; they're other consulting firms that are, you know, they're pretty much just working within their box and refusing to go outside of their scope. And so, you know, we're doing everything we can, everything within our power, to try to help the client, because to us, like, the success of the client is, that is the most important
thing. And so from my perspective, I keep driving those messages like, do what's right for the client, do what's right for the client, you know, even if it causes us to, you know, go above and beyond kind of our scope. Obviously, we have to watch that we're not like intruding on other people's scope and things like that. But so, anyway, a lot of thoughts there. I'm sure you have some, some things you want to share. I mean, yeah, there was a lot to cover there.
I definitely echo having a strong team, which is why, which is why you're here with me. It's not it. So I can, so I can get on a plane and go do stuff. You know, I try to simplify things as much as I can. Life is already hard. Why make it harder for other people, as well as yourself? You know, there's one rule when it comes to consulting in my head, when it comes to anything: as long as the customer's happy, everything's fine, right?
So if it means you need to do, you know, XYZ, or if there's other things, and if it's reasonable, you can get it done. Just do it. I mean, it's not rocket science. So surely gotta like, do, you know, balanced budgets and margins and all this other stuff that you do when you're part of a consulting practice. But, you know, this is probably like boring for people who are not in consulting. But, you know, it's, it's part of the job.
I think that you and I kind of do day in, day out, we do this for years now, is we've been pretty fortunate to work with great clients, have been surrounded by great people. We're trying to continue that trend and so far been successful in this, this new role that each of us has with RSM. And yeah, we do have a great team, really smart people. You know, I can hop on a plane and feel like, yeah, Jim's got it, right? Whether or not you actually do have it.
You do a pretty good job of faking it, which is, which is enough to give me confidence that things are going well. But, you know, at the end of the day the customers are happy and that's all that really matters. So, yeah. Well, I think this was applicable beyond consulting, because I think the clients that we see be the most successful are the ones where they've got a good team, and the, the leaders can delegate and are confident in their own people.
I think the other thing that I just wanted to mention is something we've talked about, I know, in past episodes, which is kind of the win-win scenario. So we feel more confident stepping up and helping the client go that extra mile if we know we're in as a win-win, right? So that, you know, hey, if we do go the extra mile and maybe, you know, it's a little bit too much, we're not going to get our hands slapped too hard.
It's just kind of the give and take, and we're all in it there and they want us to be successful. And that helps us, you know, drive their success more as well. Yep. I mean, it's be nice. So that hard I mean, doesn't cost you anything. Speaking of nice, we're going to be at Oktane in a couple weeks, so for folks listening to this when it goes live, it'll be October 31st, which is Halloween. We definitely have some topics for today we're going to go over.
IAM horror stories that we've got, but before that, we'll be at Oktane November 8th to the 10th in San Francisco. Want to give a shout-out to the Okta folks, as well as specialist even strong. Definitely hooking us up. We actually have a spot to record on the sort of show floor, I guess. I've seen schematics. So I'm not exactly sure exactly how it'll be laid out, but from our vantage box, when we see it, seems like it's gonna be a pretty cool spot.
At least we'll be, you know, out there and visible for folks. And we might even have a logo or something like that on our little spot. So it's very cool. Looking forward to getting some
folks. I know you've been looking at getting some, some guests lined up for episodes, and I think, I think what I'm thinking is it'll probably be very similar to what we did for Gartner's IAM Summit and the Authenticate conference where, you know, record several episodes and sort of try to release them on a daily cadence to kind of cover what we're seeing and hearing those days, as well as the conversations we're having with the really
smart identity folks there. So, I've got, I've also got to say, like, you know, yes, shout-out to Stephen. I think, had we made this request three years ago, though, I mean, the, the podcast was, you know, not as well-known. Let's just say that I've gotten to the point where, when I reach out to people to be guests on the podcast, I rarely get a no. The only time people say no is like if their corporation or, or I guess their PR department
forbids them from doing media. I'm like, oh yeah, that's right. We are media. Yeah, it's really weird to hear, like, you're, somebody at Gartner called us journalists, and like, journalists in like very big quotation marks. Like, I don't consider myself one. Like, I'm just an idiot talking about identity. Yes, yeah, I mean that's really, but, you know, now that, I mean, a lot of people download the podcast and it's becoming pretty well-known. It's very cool.
Definitely appreciate folks who listen. If you're listening to this now, take a moment, hit that thumbs up or subscribe or rate button, whatever it is. It definitely helps when we get that kind of stuff done. So, you know, just helps us continue to, to bring conversations and, you know, stay as vendor-neutral and agnostic as we can, and, you know, we're still commercial-free. So all that little stuff kind of helps us continue doing things like this. Yeah, absolutely.
So, what, I would jump right into it, Jeff. I mean, you know, this was kind of like my crazy oddball idea, and we had a few folks who, very much appreciate, you took the time to kind of record audio, and the, the question was, can you share an IAM horror story? And you know, these aren't like slasher movies. It's like where IAM has gone bad, or you had to end up working an entire weekend to kind of clean up a mess.
That's the kind of horror stories that we generally have in IAM. But yeah, a few have come through and I was like, these are good stories. And then, you know, at the end what we're going to do is kind of share our horror stories. Yeah, so we've got four audio clips that we'll play here and kind of listen to and react and discuss. I've got a written one from a new member of our team here. And then, yeah, you and I will go, and then we'll end on a lighter note and I get things done.
So let's go ahead and start with our friend Alec fry AKA for identity. He's been on the show a couple times and here's what he has for his horror story. Jeff and Jim, for identity here. My horror story here in IAM was a long time ago in the late 90s, when RSA security tokens were all the rage. My colleague and I were on site doing an upgrade at a customer's environment, and right at the
key time, I'd said to my colleague, now when I say, I want you to delete the master database, because there was a master and a slave, or I guess we should now call them primary and secondary server. But I said, when I say, delete the database, and he tapped on the keyboard, said, yep, done. I said, no, no, I said when I say. Because there was some background noise, he didn't hear me say that. So we both looked at each other
and very quickly, profuse sweat started pouring down our faces, and I realized we had anywhere between about 15 seconds and five minutes before that change was permanent and all users had been deleted from the system. So luckily I realized very quickly if we stop the server, make a copy of the database and start it again, which we did, then the system was or ignorant. All systems were unaccessible for a total of about five to eight seconds.
So making it, making sure we could recover really quickly was lucky, because there, the network was down from that perspective only for about five to eight seconds, but once that was done, we were able to just copy the master database back and recover from it. But the most fun part of that story was right when we're in the to live that if that realization and the sweat was pouring down, that was when the senior exec from that customer site walked past us and said, how's it going, guys?
Everything good? We both just looked at as best. We could wait. Yes. So luckily it turned out well and everything was fine, but it was a huge scare. So from now on, I make sure that people don't tap keyboards and I, and they clearly hear me when I say, when I say, go do this action. Anyway, that's my story. Happy Halloween.
Okay, so I know I get your thoughts, but immediately I have shivers around RSA, and having been on the operations side and the logistics side of just trying to get those out there, and I'm thinking like, okay, you delete a master, the master database for the RSA server, and you're going to have to go off and re-enroll all those people, potentially have to do token swaps. Oh, that is bad. Yeah, that's what, that's like the, you just click
send on an email and you're, this story sounded to me like you just sent the email and you're like, oh no, did I send that to the wrong person? You go to check, and you're like, oh my goodness, I didn't. But the way your heart would like, pounding out of your chest. I also was thinking as Alec was telling my story that, you know, most modern systems that are going to be cloud-based,
you probably don't have the ability to delete the master database, but if you do, it might not be so easy to kind of stop the, stop the problem on the spot, right? You have less control over the system, so probably have a harder time inflicting damage but also a harder time recovering from damage. Yeah, that's the whole point, right? Is you're in the cloud, so you don't have to worry about that kind of stuff.
So, and it's not like you can just, hey, you know, let's, let's bring down Okta for everybody, because like, that's not it. That's not a, that's not a thing. Sorry, yeah, yeah. That's a good one. Alec, thanks for sending that one in. Let's go to our next one. Another person who's been on the show, Andrew chant the phone. He's got a lot of exciting things going on. I think he's gonna share some news here in a little bit with us. So we'll give kind of a sneak T sneaked.
He's hopefully so Andrew, when you're ready to share that, you know, let us know and we'll be happy to promote it. But here is his horror story. Hey, Jim and Jeff, Andrew here. And I want to give you a fun horror story for your podcast. So I work for a company that had a shared password used across multiple departments, and this was a very common shared password that was actually shared among an internal messaging system.
I won't name the message system. And also was put on a t-shirt, so which is scary, and people knew it. When I found out, it made me sick to my stomach as an IAM person. However, we did get it to finally remove the usage of this password across all areas. This password was used for multiple things, such as shared accounts and also service accounts, which is scary as it is. But moved all those passwords. All the any scripting language that uses that passwords do fault.
He took care of source no longer being used but yeah, dumb something that is a scary horse or a diet of the great for your podcast. Thanks so much for taking my horror story, and pretty scary. See ya. Okay, the path of a password made into a t-shirt. I mean, come on, man. Really? Yeah.
That was pretty bad. I also think, though, it's somewhat because of the time frame. We know that Andrew's not like an old guy like me and you. I kind of was thinking back to when I first started in IT, having the password spreadsheet on a file share and somebody explains to me, it was fine, it's password, the spreadsheet's password-protected. Oh yeah, and you can't break Excel passwords. I mean, no, notoriously difficult.
Yeah, yeah. It's not like there's like shareware out there that you can do it for free and no problem. And yeah, it is said there were the service accounts that the passwords never got changed. Everybody knew them. I was like, oh yeah, we'll change them if somebody leaves. Yeah, right. I mean, I'm speculating here, but this has, this has to have been like a really funny password or
something, was inside joke. But I mean, seriously, like, if even if this was within the last 15 years, let's say, like, who thought this was a good idea? Hey, let's put our password on a t-shirt. Yeah, I mean, that's, I'm sorry, but that is, I don't know what's, I don't know what the right management term would be, but would be like, someone's going on a performance improvement plan right away. Yeah, the very least, if not more. But okay, Andrew, that was a good one.
Let's go next to a row. He landed in a whole tree. I know he's someone you've worked with in the past, but let's listen to. Everyone, this is Rohit at military and I am a senior director of IAM at a Fortune 100 company. Both of these stories are about 7 to 10 years old, when I was working as an architect in IAM domain.
So the first story goes like this. One of the companies that I was working for was using Oracle Identity Manager. OIM was probably the hottest idea tool in the market at that time. And OIM uses SOA as their approval engine. The approval workflows are deployed on the server as composites. When you deploy a new composite, you have to change the version, else all in-flight requests will be rendered invalid.
So this company moved from the waterfall model to agile model recently and the team was still getting used to it, and new DevOps resources coming in. So there was a lot of chaos and not all the processes were correctly understood or documented. So now the deployment team, during the build, did not update the version in the properties file and the composite was deployed over an existing version. What that meant was there were about 300 in-flight requests, all rendered invalid.
Some of these requests were raised by senior leadership, the C-suite. There was no time for automation for any correction. So IAM operations team had to manually raise multiple requests, which was high priority, and face the backlash for emails being sent out and overall confusion. It really dented everyone's trust in the IAM team at that point and took us some while for us to regain that confidence of all
stakeholders. But it did help in a way that it was a good learning experience for us, to know that switching the models at such an expedited way was not the best thing to do. Another horror story is with regards to one of the consulting firms that came in. I was a developer at this firm and I was tasked to create a custom engine for role creation. So this for the custom UI on top of their existing identity engine.
A requester can go in, raise a request or create a request for a new role, provide all the inputs. It went through the approval process and, you know, the generate approval workflow took place. Most of these words today are being done in ServiceNow, but it was what the client wanted at that time. So, while we were creating this engine for creating new roles, a
consulting firm was hired. This consulting firm came in and they were tasked to create a role-based access control strategy in terms of what the nomenclature would be, what the business role, the birthright role, the IT role, the application roles would mean, but most importantly, how will they be created? What would be the mining strategy? So, this team came in and created a deck with all the buzzword bingos. Also, an application was chosen for pilot for the about 30
entitlements and 10 users. So this all went well until it was time for real work. Now, what we realized was that the strategy did not scale. There was expectations like create metadata for each entitlement, which was unachievable, to say the least. There was also no regard for complex authorization systems like mainframe. The strategy was very flat, very simplistic and not scalable.
Although the slides were very, very pretty, I would say that the strategy was not worth the paper it was printed on. Now the higher management friend. Like all our team had to do was done the model, which was neither feasible nor useful, and we would be presented with this set of brand new shiny roles, which was not the case.
So ultimately what happened was we had to go back to the drawing board to create our RBAC strategy, and we then created an approach which was scalable and, more importantly, feasible. It was a good learning experience for all of us, including the strategy leadership and the developers, as to how to employ these consulting firms. Thank you for having me on the show. Have a good day.
All right, so this one involves two of, probably what I think are more, the more challenging things to roll out: access requests and RBAC. Yeah. I mean, they're, and they're standard issue, like everybody's trying to do these things. All right, I think Rohit, first, that was a really well, two really well told stories, and kind of my react, my initial reaction is, I guess I'm thinking like, career-wise, you have to go through these hard times. You have to go through these
mistakes. Otherwise, you know, you don't know what to avoid. Be nice to think that our careers building one success on top of the next success, but the reality is, is like, some spots on the way you have to fail. And if you don't go through those failures, you, I say you learn more from your failures than you do from your successes. Well, there are definitely a powerful reminder on what got to be right. So you don't touch the hot thing. Oh, okay.
And then you burn it in your hand, right? Okay, yeah, I'm definitely not going to do that. You know, I think, I think you're totally right. Right. I think, you know, learning through mistakes is great from a learning perspective. It does not solve the problem of the damage that can be done, though, when it happens. I think this is something that, you know, life is, life is messy. Just like identity and access management is. You can have a great plan. It sounds like these,
you know, I'm not sure who the consultants were, came in and created this, you know, RBAC strategy and, yeah, it looks good on paper, right? Very pretty slide, which we love in consulting, right? But when it hit the real world, it fell flat on its face and just didn't work. And I think that is, that is something every IAM program needs to be prepared for, right? You can go through planning and strategy and like, yeah,
we've got this great plan and, you know, when it collides with the real world, you have to be prepared for things that just don't go right. Maybe assumption was off, maybe something changed in the business, you know, parameters that cause it not to work anymore. And this, you know, this isn't specific to just RBAC, which is notoriously difficult anyway.
It could be anything, right? You can go through all this stuff and say, hey, we're gonna get this thing rolled out, and then all of a sudden, next thing you know, you're waiting a month because you still don't have a development environment, right? Something like that.
It's, it's interesting for sure. Yeah, I mean, you know, the other reminder that comes from this is that there are certain kind of core ingrained, I'll even call them, they're not really information security or IAM best practices, and however you feel about that term, they're kind of the basics, basic blocking and tackling of how to do IT. You don't take your sandbox environment and wire it to
production, that's one, right? Like we all agree with, you know, yes, you shouldn't do that, and if you do, you are taking, preparing, be prepared for the fallout. The other is, you know, overcommunicate. You've got to make sure that people know what's coming.
Another is try to pilot and, you know, roll out your system to a small number of people who hopefully are representative of the whole, but rather than impact 100,000 people with your change, try to do it to 100 people, and then working on from there. Yeah, I think rolling a 6 out, take a small group, always make sense, especially if you can, if you can tie that rollout to a part of the business that you're trying to make
friends with, right? So it's, if you, if they go into this and say, hey, you know what, we're on this new, this new technology, this new business process, whatever may be, and we think it's going to solve a lot of problems, maybe, that you're having. Would you be willing to help us test this and be part of helping make sure this goes well for the rest of the organization? I've never had a business unit,
I can say, no, they always want to be part of this, and as long as you set the appropriate expectation. Like, yeah, we know that there may be some issues that come up, but we want you to help us make this right for the rest of the organization, in addition to yourself. Like, I've never had anybody come back and say, no, not interested. Here's one of the hardest ones, I think.
Overall, if you're a practitioner anywhere in IT, you know, specifically IAM, sure, but it's when you have the executive pressure, like, here's some artificial date that this needs to be done by. And, you know, it's kind of like you're under pressure to hit some date. But you know in your heart of hearts that that's not going to work, or that's going to be very bad, that's going to have some bad consequences. What's the level of pushback to give?
And I think that this is like, where take some touch and take some maturity. Because if you signed up for it, you're almost doomed to fail. And if you push back, you might be seen as you're not a team player or you're just, you know, to - to be, you know, able to move up the, move up the ladder. Yeah, I think you've got to be able to speak truth to power, but that, that spoken truth needs to be appropriately messaged through the appropriate channels in a, in the proper way.
And I, what I mean by that is diplomacy, tact, thoughtfulness, right? I think I was giving a webinar yesterday and I was really proud of this analogy I came up with, what it was like, you know, not everything is an Avengers-level threat, right? There somewhere. You can get a good with just Daredevil.
Sorry, sorry, Daredevil fans, but he's not an Avenger. It's like, you've got to be able to, like, weigh what is the risk versus the reward versus the potential impact, and if you're constantly saying this won't work, and it's because it's like a 1% problem or affects like 1%, I think you got to make sure you bring on your messaging. So certainly speak truth to power, do not be afraid to bring up issues, and you need to have developed an IAM program that supports that,
right? It can't just be, well, I'm the program manager. Everything I say goes and everything that I say is the way it's going to be and it's always going to be right. You've got to be able to take input from all parts of the business, your own teams, whatever may be. So have a, you know, a, an environment where you, where you do allow that. And if you are the one speaking up, make sure you're doing it, the right message, the right vehicle, right?
Have, if you've got them, stats, figures, something, right, to help make the case. Yeah, I was thinking of a couple other tactics too. One is, sometimes it's like, hey, we're going to roll out MFA to the entire organization by the end of the year, and here we're sitting on November 1st, right? You're like, that's not realistic, but maybe we could have the MFA capability built, or we can select a product, or we could do something that is short of this audacious goal, but isn't
that, no, we can't do it, right? It's just, hey, we're going to do it in, like, a stepwise fashion. The other tactic I was thinking of is really to try to build support for your idea. So if there are other peers in your organization who you can kind of like, hey, I'd like to have coffee with you and talk through this issue, and here's what my challenge is, and you got some other folks who have respect within your organization. Maybe.
So maybe you report to CIO and this big audacious goal is rolling downhill to you, but there are other folks who report to the CIO and you kind of like talk through it with them, so that when you go and you try to propose this less than, you know, less than the full audacious goal, that you have some folks in the room who are kind of in support of your plan. Yeah. For sure. I mean, you don't want to be voted off the island because you're by yourself, right? Alliances.
All right, how about we get to our next one. We've got Tom Malta. Another individual who's been on the show before, and let's hear from him. Hey, this is Tom Malta. I am an IAM practitioner in the space for over 22 years, and of late I've been doing financial services
strategic advisory work for a number of companies, and I'm here today to tell you a little about a Halloween horror story in IAM. So, this goes back to my first implementation of IAM, when I was running the global program at Goldman Sachs, and we spent a lot of time building it out, and on the morning of the go-live, we were attached to the HR system, obviously pulling in identity events from them and doing automation to remove privileges, and that night, the
HR team sent over a file that had all of the London security guards in it, essentially terminated, and we were scrambling that morning getting all sorts of calls from the London office as to what happened and what broke down.
And obviously, later on, we found out that the file was obviously a bad file, and ever since that implementation, one of the things I always advise my clients, and what I've done in my own program since then, is to make sure that you have a good fail-safe mechanism when you're attaching automation to any HR system, and not trusting it completely, because mistakes do
happen, as in the case of this. And if you could imagine a couple hundred security guards sitting out on the streets of London trying to get into office, it wasn't a very pleasant thing. So I hope that you can learn from that. And I'm great to share this with my peers and colleagues at the IDAC podcast team and to all of you. Thank you. Okay, so the first thing I'm thinking to me is London Calling by The Clash, and then I actually get into
IAM. I mean, it's a good one. I mean, for some reason, I imagine the security guards at Buckingham Palace with the big hats. Yeah, but yeah, I'm sure they weren't happy, but I think Tom brings up a great idea, which is like, you know, plan for the unexpected. I mean, if it, especially in this day of artificial intelligence, to kind of look for something that just doesn't smell right.
And I guess you can imagine so many different scenarios, but, you know, a whole department being terminated at once, not real likely, is maybe something that should kick off some kind of human intervention. I guess, I mean, that, you know, some of these things are probably tough to plan around, but that's a great IAM horror story, because like, who, you can just imagine, five hours earlier than, I assume Tom was in New York City office at this time. So he's probably being woken up.
Like, yeah, nobody can get into the building. Yeah, that's an F, no bueno. I guess, you know, score one for the people who test, right? Make sure that as part of your unit testing or validation, it's like, how, how many records are going to be affected, right, by this change? Is that number accurate, right? Is it, is it what you're expecting? You know, I've seen that a few times where you go to, like, maybe update a meta, meta attribute about somebody, or a certain area.
And you're like, oh, shoot, I just did it to a whole bunch more people than I thought it would be, right? And everyone now has like the same title or the same email address domain, subdomain, order may be. So, definitely something you want to think about when you're, when you're rolling stuff out is, is the scale of the change, you know, lining up with the expectations are supposed to be? Yeah, yeah, absolutely. All right, let's go to the next
one. This one is written from the newest member of the rockstar RSM IAM team. This is from Brian Lindstrom. He and I have worked several years ago in the past. I don't think this is when we were working at the same company. I don't recall it but who knows? Anyway, well, what's that? It wasn't your fault, right? Yeah I will certainly not. I mean he definitely is claiming ownership here.
This is a good one too, so he writes: back in my early days I was implementing an identity solution and I inadvertently deleted about 1,000 Active Directory accounts, including my own. I first realized this when I lost access to various applications and network resources. I tried rebooting my PC, hoping that would fix my issue. But unfortunately I couldn't log back in, and then picked my head above my cubicle and started to hear people complaining about losing access.
I slowly got up, walked over to the Active Directory guys, and asked if they could do a restore. Public shaming ensued and a hard lesson was learned: when making changes, make sure you're not in a production environment. So, congratulations, Brian. That is a good horror story, I was going to say. Yeah, we started off by saying these aren't slasher stories, but that very easily could have turned into a slasher story. I mean, how good is that? I mean, not, it's not good, right?
Which is characterized it but from a like a outcome precise, like I just deleted a thousand accounts including my own so I can't even fix my own error. I've got to go to someone else for help I mean that's the Walk of Shame right there it does. Yeah I was thinking about that walk of shame kind of as we're
listening to his story, which was kind of going back to Oracle Identity Manager, which kind of reminds me of the days when you'd still have a lot of mainframe people or people who are, like, from the mainframe days and you get the statement: we never had to deal with this with the mainframe, as if the mainframe was just so perfect and there were never any of these issues. So, yeah, I'm sure that Brian may have heard that echoing
through the hallways, as well. We never had to deal with this with the mainframe. Yeah, I like the mainframe one. A shout-out to Leslie, who I love very much. We used to work together a long time ago and she was a RACF expert. I was not; I was constantly going to her to fix my mistakes. Yeah. All right, let's wrap up with horror stories for you and I. Why don't you go first? Okay, so I was originally planning to tell the horror
story of my first big IAM project where, you know, we estimated properly the number of help desk calls we're going to have, but we didn't think they would all happen like immediately on day one, but I've already told that story once and, you know, if anybody wants to hear it again, we could tell it again on a future episode. Or I called again, but it actually, they give like a true IAM horror story.
So, when I was in financial services, working for a client, I won't say the company name, we were implementing a new IAM system and it was like a major deployment replacing, you know, a lot of manual processes and replacing a basically. One of the things that was unique about it was it was like
the brand-new version. We were the first big company rolling in this brand new version of software and when we got to the first goal, it was like, you know, Friday or Saturday night, like, you know, middle of the, we're going to go live, and as we're doing all kinds of SAT and unit testing, things were failing left and right. And so, we get to the point of the go/no-go decision and made a decision of no go. So in other words, we had to go
through our rollback plan. So this is why you make the full cutover plan with a cutback plan, because you may have to use it. And so, we went through the whole cutback plan, we were able to kind of survive winter. Another month and like fix a lot of these problems and we got to
the next go/no-go night. It was like a month later on a Saturday night, going through the whole thing, some things are failing, it's a lot better than it was before, but some things are still failing, and like the top consultant, who's actually like the CEO of the consulting firm that we were using, was like, and you've got to have some guts here and, like, go forward with this thing, and everybody was just, like, you know, looking at me because it was ultimately my decision and I
made the decision, like, even though we were failing on some of these things, so, just feeling so much pressure at that moment, I said, all right, we'll go, and so we went and, you know, some of the problems with, like, data synchronization and provisioning, stuff like that, and some of the problems were like, you know, like the data wasn't actually synchronizing and, I mean, I was on, like, conference calls, it's
like every day, just literally getting yelled at for about a month after that. We were, like, rolling new code every weekend, going through change control every weekend. I literally was working like 80 hours a week for like a month straight and then even then I would say, like, okay, I wasn't drowning at that point but it still was, you know, tough Sally. So, you know, that truly
was a horror, horror story. I think what I learned from that is that, you know, one, like, if you don't feel like you can go live, if you're in that go/no-go decision and everybody's, like, pressuring you, you've got to go, but you know it's not the right decision, you've got to have the courage to, like, say we're not going. If this decision's mine to make, we are not going. And because, believe me, that pain that I lived through the next Or weeks and it wasn't just working the 8
hours. It was like getting yelled at and people think there was no way to pull a victory out of that. Like, it was going to be seen as a failure, no matter how hard I worked. Could you imagine that? We like, you're giving up family time? I had young kids and everything and, like, you know, working 80 hours a week and, you know, it's just like your name is going through the mud, so that truly was like my slasher IAM horror story.
That's, yeah, that's a good slash bad one for sure. Yeah, that's a rough one, man. I got questions. So where, I guess, how far along into your career were you? Is this like a new Earth like when you're kind of newer or is kind of middle, like how did you recover from this? I mean, this can be sometimes seen as like a career sort of limiting move, right? For some folks.
So it was like mid-career. It was probably the last time I was a practitioner before going into consulting and it was by far the toughest one that I had. Here was what happened: prior to the
first, you know, pull out, I was not the IAM program lead. The lead quit. I think he saw the writing on the wall that, like, this project was heading for a crash, and so I was offered the job. For me it was a major promotion, but I also knew that we're in for some painful times. I took the promotion anyway and now I'm responsible for this thing. And we're heading for the crash and, like, fortunately, at that point we hadn't pulled the plug yet.
So that was the time and, like, we pulled the plug that we had to work hard to still get the system deployed, but then on that second one I should have had the courage to pull the plug again, but I just felt like too much pressure. Have to go live. It was a big mistake. Yeah, it sounds like it, but I guess it worked out in the end.
I mean, I think if we pulled the plug we could have solved some of the issues, but eventually we did have to rip off the Band-Aid and go live and then, you know, I think also being live gave us more flexibility to address some of the changes. I don't know. I mean, it's definitely, I learned a lot from it. One of the other things I learned was do not stake your career on, you know, doing the cutting edge, latest version that nobody else has rolled out yet. That's not, that's not a good
career move. Yeah, you got to be really ready for bleeding edge pain. If you could have bleeding edge technology. Yeah, that's a good one. I'm sorry, man. That's, that's a good horror story. Let's see, I've got two kind of small ones that we'll close off with. One is a story
I think I've told before, but it was New Year's Eve and I got stuck creating, like, I do five or 600, manually creating five or 600 LDAP accounts because I didn't have any automation in place and it was all stuff that I just saw coming. I was like, you know, poor planning on the business side of things, like, oh, we'll just give it to IT operations, and IAM operations, kind of fix for us. Was contract-related, is like last-minute
stuff. I just remember, you know, Christine and myself, Christine was my counterpart on the business side and I was on the IAM side, and just getting stuck proofreading and validating like 500, or 600 meters 5, or 5 or 600. I think lines on a spreadsheet of people who needed these LDAP accounts because the contract said they needed them by January 1st. It just meant being stuck at home, running through these spreadsheets and flying through these LDAP creations.
I mean that was, you know, this is, this is years of video game practice on mouse and keyboard and dexterity, right?
It's like alt tab, copy paste, you know, move things around really quickly, but that was painful just because I knew it, it was very early on in my IAM career. I think I was probably a, maybe it might have been a team lead at that point or something, and I saw it coming down the pipeline and couldn't stop it. So it was really frustrating because both Christine and I both saw it coming and couldn't stop it. So that's one. The other one is more of a night.
It'll sound like a nightmare for some people; it wasn't for me and I'll tell you and I'll tell you why. As I explained is, we were rolling on an IGA product and one of the first steps that you go through when you're doing that is you do this thing called identity mapping or account mapping where you're basically taking all the accounts from one system and you're trying to correlate them to whatever your
identity source is, right? Say, okay, here's Jeff and here's Jeff's account on this application, coincidentally another LDAP system. So we were going through that process for a few hundred thousand employees and
consultants. And I remember sitting in a room with our identity integrator at the time and there was this system that had like everybody in the company had this account and and then some so there was a high-volume system and he was giving me the bad news of how many orphaned accounts that they found out of this platform which had I want to say probably 250. Maybe 300,000 accounts. Which, for me at the time was
massive. I mean, it was just the sheer number of accounts and, you know, he's sitting there and he's like, so, here's went through the account mapping correlation. We tried to find as many things as we could to try and map this up and we have 90,000 orphaned accounts that need to be figured out. Are they legitimate? Do they, you know, should they be in the system, stuff like that.
And I remember sitting there and I was like, holy crap, 90,000 orphan accounts on just one system that need to be resolved, and Wayne was the person who was working with me, he and I chat about this still to this day. He was shocked when I said, oh, that's not that bad. Because in my head I was like, there's no way we'll be able to correlate half of these. So I was like, okay, I was prepared for like a number of like 150, 200 thousand accounts, like something like that.
And when he said, 80,000. I was happy that there are 90,000 and he was like, you're crazy. I like, what do you mean? There's 90,000. I, of course, is a bad number and we ended up working through it and kind of resolve some of that, but there were a lot of orphan accounts on that system that definitely need to be cleaned up. There are like real orphans
like, oh, yeah. 90,000, how many would you say were true orphans versus you just couldn't correlate them because whatever rules you were using weren't good enough? I think probably between like 50 to 60,000 were definitely, like, those are not valid accounts, because this was a retail environment. And at the time, the retail environment was allow that you could create your own accounts and you can use whatever name you wanted.
And because it was retail, we had a lot of, you know, people early on in their careers, or just didn't care, where they would come up with just weird names for accounts. Some of them not safe for work, you know? Some would be copyrighted. For example, maybe famous people or famous characters or whatever. So, we kind of started looking over, it's like, oh, I'm pretty sure we're not employing Mickey Mouse, you know, for example, right? Or Frodo Baggins, right?
Things like that. So, but we had to go through each of those and sort of figure out, okay, who are the real ones? Who are the not real ones? Some were kind of, you know, whatever, what do we do about the ones that were clearly, you know, not suitable for work? And what were the repercussions going to be for the person who created it? Like stuff like that, and it highlighted a few different lack of controls where,
yeah, there was just like this open system, you could call it whatever you want, you could change your name to whatever you want basically in the system and there was no, like, no validation around it. And store employees did not necessarily have, you know, HR on mind when they were naming some accounts. I think one of the things that you have to do to truly say you're in IAM is open up a file that is like Annex shares like an Excel icon.
So it's CSV or some other, you know, data format. And Excel can open is like too many rows because I think the Excel limit was like 32 thousand rows or something like that. Time to go to 64 bits. Exactly. Yeah, that is definitely. I remember requesting a RAM upgrade at the time because I think I had like a 4 MB RAM and I just couldn't open these files anymore. It was like, all right, time to go to eight able gigabytes of memory. Yeah, I'm gonna have so many
spreadsheets. So many SQL queries are going to get done. All right, let's go ahead and wrap up this episode. We were thinking about how we're going to end on a lighter note. Do you want to go with your idea or my idea? We can do both. Okay, you go first. Okay, so my topic was, today's Halloween, or the day that people will be listening to this is Halloween.
What is the best Halloween trick-or-treat, candy item or non candy to give away your door and think of this Through The Eyes of like 10 or 12 year old kid. What is it that you'd want to receive? Well, I am always happy to receive a Snickers bar that has been my poison for years. I don't know about 10 or 12 years old. I think I've been just happy about any any sort of candy, but if you're going to give away candy, I mean, give away the full bar, right?
Like the full-size instead of those, you know, snack or Halloween. I get it. There's Financial things around there. But if you got like a full candy bar for Halloween, you're like in the money, right? Yeah, as he To give away the full candy bar, then avoid the ones that people might not like,
like, I love coconut. So if you do like Almond Joy, Almond Joy, I would be happy with that, but I wouldn't give that away because you're probably going to have like 50 percent of the population of people who are in be like, this thing is gross. So I think the way to go is a full-size Reese's Peanut Butter Cup. Yeah, that's a pretty, pretty safe one. I think like, if you go to Jim's house, like he's given away like Almond Joy and, like, I don't know,
black licorice or something like that. Your choices is full so you know king-size Almond Joy or this little Snickers bar, which would you like to have, and then I'll end the night with a whole box of Almond Joy. Yeah. And a whole bunch of disappointed children. Who may egg your house or snag my house and put toilet paper on it? Yeah, exactly. All right, here's mine and here's what I want you to come up with: what is the scariest IAM,
identity and access management, costume that you can come up with? I'd say it would have to be like the salesman costume, the person who, like, calls you over and over again to see if you have some need for their product or service that you have no need for, and for some reason you keep accidentally answering it. So yeah. That's a pretty scary getup. Yeah, yeah. That's a good. I just imagine, like, the nightmare. It's like a whole bunch of, like,
LinkedIn messages that you clearly haven't responded to, like, not getting the hint. You know, it's the emails that you're not responding to, it's the, I don't know how it happens. But some people have, like, I do have, legitimately, IAM vendors who call me on the phone on my personal cell phone and leave me voicemails. I can guarantee you that if you do that to me, I'm never calling you back, right? Exactly. I don't know how I got that. Number is probably on my
signature somewhere. Just, you know, had one number for years and that's fine, right? It's easy enough these days to block it, but, I mean, who makes a phone call these days, right? It's all email. Yeah. Well, the other thing is like, okay, we're IAM, you know, strategy develop, at least my LinkedIn profile speaks to I'm a consultant, and people will hit me up and say, you know, does RSM
need, like, email filtering? Yeah, I don't know, did you read my profile and think that I'm a decision maker for email filtering for RSM? Because if you did, you're not too smart, but the reality is you probably just saw RSM or I showed up in some, you know, spreadsheet that you got, and leave me alone.
Yeah, my favorite is when I get the mainframe, the contract mainframe position, six months, we'll get her back, F expert, all because I somewhere have in my background, like, you know, administrated RACF IDs or something like that.
And I'm in a database somewhere. It's like, yes, I'm totally interested in a six-month contract in, like, northern Idaho in the middle of nowhere to do mainframe RACF. Yeah, work or something, but I'm not even qualified for, like, I would not hire me for RACF work. If you're on the run from the FBI, be the perfect job for you. This is true and I Den, it's not that Idaho is not a bad place,
is a beautiful place, really? I don't know if I would necessarily just want to work there for six months on a contract. Do Ring worker. I hate for no idea how to do anymore. Yes. There you go. So, was that those that top your answer in terms of scariest costume it dies? Because I was thinking, I was like, I, you know, I it's funny. I asked the question I didn't
really have like a good answer. I was kind of taking it down, like, the technical route, like some sort of, like, interface, or it's like, you know, file not found or, you know, syntax error or something like that, of like trying to figure out why things aren't working, but I love/hate/of the persistent sales
sales angle of identity. So the other potential scary costume would be the insider threat person, so that person would either look like, you know, it would be like the person with a trench coat and a hat and, like, shadow over their face, so you couldn't even see them, or they would be wearing that mask. Which I don't even know what you call. It was like the black and white mask in the guy with like the Guy Fawkes.
There you go. Yep, you know, it would be one of those two and that person would be basically trying to hack through your network, even though you work for the same company. You're like, stop trying to break our stuff. That's a very niche scary IAM Halloween costume. It's like, do that, like, a CISO convention or something like that.
Yeah. If you're walking around your neighborhood, just like that, like, yeah, they might not, they might not realize what you're dressed up as a might misconstrue that So, maybe not a good idea, exactly. All right. Let's go ahead and wrap it up for this week. This was a lot of fun. Talking through Halloween stuff. We did it again, almost a full hour of Halloween identity talk. You were probably thinking at home. There's no way they'll come up
with more than 30 or 45 minutes. Well, guess what? We did it anyway. So we'll go ahead and leave it for this week. You can find us on the internet, identityatthecenter.com. That's where all of our shows are, including our fancy new search engine, you can type in a keyword and find all the episodes. We talk around different topics, if you're looking for, you know, something on zero trust or MFA or running
an IAM program, just type a couple words into the search at identityatthecenter.com on the listen page and you'll be able to find episodes that relate back to that. And then, of course, we're on the newly Twitter-owned, or sorry, Elon Musk-owned Twitter at @idacpodcast. So interesting to see what, if anything, changes on that platform, but we are still there. And yeah, I think
that if there is a other identity and access management costumes that are scary that you want to either ping us on Twitter with or drop us a note on LinkedIn, would be happy to bring those up in future episodes or just have a good chuckle, you know, offline with folks. So with that we'll go ahead and leave it for this week. Thanks everyone for listening and we'll talk with you all in the next one. Thanks for listening to the
Identity at the Center podcast. If you like what you heard, don't forget to subscribe and visit us on the web at identityatthecenter.com.
