#190 - Identity Governance with Paul Mezzara

Nov 28, 2022 | 57 min | Ep. 190

Episode description

Jim and Jeff talk with Paul Mezzara, Vice President of Strategy with Saviynt, about his background as a Gartner analyst and some of the challenges of proper identity governance across an organization.

Connect with Paul: https://www.linkedin.com/in/paulmezzera/

Learn more about Saviynt: https://saviynt.com/

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show at www.IdentityAtTheCenter.com, follow @IDACPodcast on Twitter, and check out our live streams at www.idac.live

Transcript

You're listening to the Identity at the Center podcast. This is a show that talks about identity and access management and making sure you know who has access to what. Let's get started. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey Jim. Hey Jeff, how are you? Not so bad, yourself? I'm doing good. You know.

We're going to release this podcast a couple days after Thanksgiving, the Monday after Thanksgiving, and I'm just kind of wondering, what are you thankful for? Air conditioning and fast internet. And here I was thinking you were going to say family and friends. Will be crazy, man. No, I was going to go with a tech answer too. So my answer is going to be passwordless. But guess what I spent the entire day doing? Or not the entire day, but it was a

good hour and a half, talking about how we're going to do self-service password resets and password synchronization and what all the password policies have to be in order for the synchronization not to break. And I guess what I started to realize was that all those years in IAM that kind of make me the dinosaur that I am sure come in handy still. Yeah. I mean, passwordless is cool, right? I think it's coming. We've been hearing for a while,

but guess what? There's still people passwords out there, so gotta cover them too and support it. So, and the only happy path is the part that most exploits are probably taking advantage of, is, you know, "I forgot my password" and kind of going through that, or if they've reused their password and unfortunately, maybe you're getting, you know, a rainbow, you're part of a rainbow table out there which has pretty much every breached password known to man covered.

So it's important to kind of cover. It's like, okay, we know we want to plan and design for the future, but we can't forget the present. Yeah. You know, the other thing that I find, you know, having, you know, the good old gray hair experience, is that a lot of the basic fundamentals of IT and your, your software development life cycle, those things come in handy and they play out in

IAM projects over and over again. And the example I'm going to give right now is something that's come up in one of my projects where the team working with the Zach asked for access to the dev environment during their, or I'm sorry, it's the QA environment, but they want to make changes as they're going through their QA process, and that's very much, you know, not how normal software development projects go, where the testers

are changing the system, right? Because then the developers don't know what was changed and they're asked to then solve problems that they're not sure how those came to be.

So the analogy I was using today was, imagine that you are asked to fix a car. You're working on that car and then you step away, and then the owner of the car comes over and starts working on it. Then you come back and you think it's in a certain place and the car should start now, and you go to start it. It's not working, and you go in and you discover all these changes were made and you have to kind

of troubleshoot backwards. So I think that's ultimately why you prevent that from happening, right? The developers are responsible for creating a working environment, and having other people work on that environment, you know, behind the scenes is just not acceptable. So really, that's just basic software development.

That's not specific to IAM, but you have to be able to bring that to the table when you're going into projects, because you never know when these kind of scenarios might pop up. I think it's basic anything. You know, you're telling the story and, for the, this is an audio podcast, but I was squinting real hard at you, like, what? The brow is furrowed, like,

this doesn't make any sense. I mean, this shouldn't be rocket science and it shouldn't be, it should be common knowledge, but common knowledge isn't so common sometimes. You know, we did this when I was in the help desk. It's like, okay, like a long ticket, troubleshooting, you were, you, you needed to document what you tried, so that as you were going along, if the ticket needed to be migrated to another queue or whatever it might be, they knew what was already tried and they

weren't wasting their time. I mean, this seems kind of like a no duh. But no duh, Jim. Well, I mean, it's one of those things you came with hard-earned experience, right? Absolute learn it from a book. Absolutely. Let's see. So what else we got going on before we get to our main topic, which is identity governance? I think after Thanksgiving, we'll probably be taking our normal sort of holiday break here towards the end of December.

Give my tired, weary fingers, and even worse voice, a break for a couple weeks as we sort of head into Christmas. But we've got a few more, a few more shows lined up after this one, but people shouldn't be surprised. You know, as we normally do every storm or between like mid-December to like mid-January, take a few weeks

break to kind of restore, recharge. That's usually my spot where I try to get some creative juices flowing and either come up with a new intro or, I think, I think I'm okay with the logo right now. Probably, you know, keep that for a little bit, but it's an opportunity for us to kind of reinvent and, you know, keep things fresh, so keep an eye out for that, in case something changes.

Yeah, sharpen the saw a little bit, but yeah, I think even slackers like us deserve a couple of weeks off, and it gives us an opportunity to kind of come back full steam. I mean, you think about it, this is going to be episode, what, 190? Up at three and a half years, not even three and a half years, so we're definitely exceeding the pace of one episode per week. Yeah, which is a lot considering this is not our day job.

Exactly. All right, well, why don't we talk a little bit about identity governance. So I'm very happy to have our guest on here. His name is Paul Mezzara. He's the vice president of strategy with Saviynt. Welcome to the show, Paul. All right. Hey, thanks for having me, glad to be here. Yeah, thanks so much for joining us. And, you know, one of the things I like to do when we have someone on for the first time is kind of find out about their identity background and their

origin story. I guess, how did you, did you get into the IAM space? Is it something that chose you or did you choose it? Yeah, kind of a combination. I think, eventually it chose me and then I decided to kind of stay with it, so to speak. Yeah, for me, it started back in the, right when the kind of internet started taking off, in terms of not just being a website that had little pretty things to look at or read.

But so this is around the later 90s, and up to then I'd been a software developer, so I actually started out as, they call it, TPF programmers, the Game programmer, the TPF is like airline, airline programming. And so, but I was able to kind of move into like more Windows programming and learn Visual Basic, and then I picked up TCP/IP sockets. And so at that point, there was opportunity to, to go with a start on this B2B extranet that Visa was working on.

And at that point, they were looking at putting it on CompuServe, so that's kind of where we were back then. And so they said, okay, let's put this thing on the internet and see, you know, what we could do with it, see what the, what our member banks, you know, because basically, it was a way for member banks to share information with Visa in kind of a secure fashion, nothing like top secret or transactions, but just information.

And so it started out with kind of a proprietary kind of a tunnel firewall bit the client had to load on their desktop to do that secure communications before SSL. So then I actually helped implement SSL and then single sign-on. So that's kind of how I got into the whole IAM. And then from there, we had kind of a custom enrollment entitlement system. And so that was a lot of fun, right, during the kind of internet boom in the early 2000s.

And then from there, I kind of evolved more to like an architecture role. Did some work on some federation projects and then eventually went over to McKesson in the healthcare space. That was a lot of fun. Started there, very small beginnings too, and we kind of built out a shared service as part of the IT group for CIAM. We built a whole big platform to kind of host

a lot of different customer and, you know, patient portals and pharmacy portals and a lot of cool stuff using the technologies you guys are all familiar with. And then a couple years ago went to Gartner, so I had opportunity to cover IGA,

PAM and CIAM there and talk to a lot of clients, a lot of people that, you know, like people that listen to your podcast, around what are the struggles that people are facing. And a lot of the struggles and challenges I had as a practitioner were very similar to what I was hearing out in the field. So it was kind of really nice to get that validation, confirmation out there that I wasn't the only one that was kind of going through this, you know, proud of

these challenges. So, so it's been a nice ride, and now I kind of dove into the, to the vendor space. Now, for about a year and a half, I've been with Saviynt, kind of as part of their strategy team. So, kind of going full circle. So we'll see what's next. But yeah, I don't plan on stopping anytime soon. Yeah, so you've been like neck-deep in IGA now for a few years. I guess I got to ask about the Gartner

stuff because I'm always curious. I guess take me through like a typical day of what it's like to be, you know, an analyst in this space where, you know, like it or not, the Gartner Magic Quadrant is one of the tastemakers that's out there. I'd love to hear more, kind of, you know, what's that like? Yeah, actually, a lot of people

don't know. I was on a team that was like the former Burton Group, if you guys heard of the Burton Group. Gartner bought the Burton Group and they kind of created a technical professional part of Gartner. So I was on the IAM team for that, that particular group, and our focus is more around the, the architects and implementers, and we did the solution scorecard

and of It's met with those. I did a bunch of those for IGA, and we had another team that did the Magic Quadrants and, and some of those, those reports. It was great. Kind of, we worked together, but we didn't really author, co-author any, any, any research with them. But yeah, I mean, the day in the life, I would say it's, it's a lot harder than it kind of looks, in the sense of all the different things you have to juggle. You know, first of all, prepare for conferences,

presentations, doing, yes, X amount of documents that you have. You gotta crank out, plus co-authoring, and then on top of that, you're talking to hundreds, if not thousands, of clients every year that call and ask, well, okay, you wrote about this, so how does that apply to me? Or, you know, what other questions do they have about general IGA, PAM, CIAM. And you guys know

those three topics there. You could spend a whole life just with one of those. And so for me it was like, okay, just constantly reading up on, you know, vendors' offerings and solutions, and plus we have to be thinking on the forefront too. So it was, it was a lot. It was definitely a change from being a practitioner to analyst, but I really did enjoy it. I think it's a, it's a really good job.

I would recommend anybody who's, you know, who's interested in kind of making a change to kind of consider that. Of course, you have to be a good speaker, a good writer, and, you know, good technical, you know, subject matter expert. And believe me, there's a lot of talented analysts out there, and it's very sort of competitive,

in terms of, you have the best and the brightest, I think, at Gartner. And so, if you think you're going to go in and kind of wow everybody, you're kind of, I felt sort of humbled, you know, for I thought, well, I'm 20 years in IAM and here I come waltzing in, and they tell you, you're just the newbie guy, okay, we'll see. Yeah, so it was very, very fulfilling but also very challenging. I think it's refreshing to hear that everyone gets imposter

syndrome sometimes, kind of walking into situations like, I think I know what I'm talking about, and then you find out, it's like, oh man, I don't know anywhere near as much as I thought I did. Yeah, so the solution scorecards in my mind is a lot more detailed typically than, yes, the, the Magic Quadrant. I know, at least, let's talk specifically on the Magic Quadrant itself, Gartner discontinued doing that. I think three years ago, I think

2019 was the last one. I think the reason that I heard was that it was because it was so mature that there just wasn't really much value, and now they've, I think, pivoted into like a buyer's guide or something like that for that. You know, I guess, is that something you agree with? Is the IGA market mature and there really isn't kind of a need to continue that research? Or is there something else going on? Yeah, you're right.

I think they kind of pivoted to a market guide, and I think part of the issue was, it seemed as though, over the last few years of that report, that there's a lot of same players, and not a whole lot of interesting developments or changes. And so, and, you know, because of the criteria for the Magic Quadrant, you kind of have to have X number of dollars in sales, and, you know, there's a lot of kind of criteria to even

get on there. And so Gartner was thinking, and again, I wasn't part of that decision, it was kind of the other team, but from my perspective, what I saw was that, you know, they really wanted to try to include other people and, you know, include other vendors and give a kind of wider array of, these are the kind of vendors. Like in the market guide, they'll talk about the IGA lights and, you know, the, the up-and-comers, the established and Bo. And so I thought it was good in

that sense. But unfortunately too, you know, a lot of companies rely on that MQ upper right. Right. So, you know, most of the time there's, there, they just kind of circle that upper right and say, okay, this is my Ben, I'm not going to look at anything else. And so with it disappearing, it's like, people were like, what do we do now? You know, so, but I think, I think overall it's a good thing because I don't recommend just circling that upper quadrant.

I mean, you gotta look at your unique use cases. You know, some of these niche vendors, you know, maybe they're great but they only are in Latin America or Europe. So, but if you're over there, hey, that's, to me, that's almost like an upper right center right there. So, so I think, I think it was a good move in that, you know, they've kind of broadened their research to include more vendors, and then at the same time, as you said, we were doing the

scorecards. So the scorecards are really giving you the meat and potatoes about each vendor and comparing them. And so that was almost, okay, well, you got these scorecards now. So kind of most gave you, you know, a little bit different information, but I think more focused, you know. So one is a market and the other was more for the architect implementers to really look at the capabilities, you know, in great detail, because frankly, the Magic Quadrant critical

capabilities, you know, they totally kind of broke down the different capabilities but they were not as deep. I mean, the scorecard we did was like 300 or some criteria for each vendor. So it was pretty massive, and it was good for me because it really gave me a chance to look at all the different vendors' capabilities and really understand where the kind of differences were. And I bet that's probably been helpful now. You're with Saviynt, vice

president of strategy. I guess I have, you know, I got two more questions. The first question, I'll let you answer it, is: what is the vice president of strategy? What does that mean? Yeah, that's a good question. So I think one of the areas that I'm focusing on is kind of trying to look a little further out. And, you know, what attracted me to Saviynt,

it really was the kind of innovation culture that they have there. And, you know, if you just look over time at what Saviynt's done, we've been pretty much on the forefront of IGA, and now we broke into the PAM Magic Quadrant as a Visionary. So we're kind of looking at that converged solution, which we will

get into a bit later. But so part of it is just making sure that we're always looking a little bit beyond our releases and seeing what are some of the big rocks out there that we need to either avoid or kind of, you know, incorporate into our overall strategy. And so might not be, because in my title is product and market strategy, so there's the market aspect, it's like, so what should we do from a geo market standpoint? You know, is it SMB or kind of big company?

So I'm starting to look at all those and see where, where does it make sense for Saviynt to enter into certain markets, geographies, etc. And, you know, recently we came out with the Healthcare Identity Cloud, which is basically our Saviynt Enterprise Identity Cloud, which is the name of our product, and it's basically, it's not a different offering, but it's, it's geared towards the healthcare industry. It's kind of an overlay of configurations, best

practices, accelerators, kind of things that help you as a healthcare organization to kind of get your feet off the ground much more quickly, and kind of cater to your specific needs like, you know, EHR integration, for example. So, so those are kind of some of the things that I'm kind of trying to spearhead there at Saviynt. And I know the solution comparison just came out from Gartner too about Saviynt, and you guys did pretty well in it, I guess. I don't want to turn this again

into a commercial for Saviynt, but were there any kind of takeaways or findings that kind of stuck out for you as you're kind of looking over what, you know, Gartner is telling, telling you about your product now? Yeah, I think, I mean, it's sales very similar to the scorecards that, that we just, there is kind of two criteria, one is just the basic, what they call, that in exact words, the core criteria, and then the

competitive. So core is basically everything that you as a client expect that you're going to need from an IGA solution. And if it's not, if it's missing, then you really need to justify why you would actually even go forward with that kind of solution. So we did extremely high there, and the other one was additive, which is more differentiators, other use cases that might be a little more specialized in nature.

Again, we just, we were in the 90s for both of those. I think not really a whole lot of surprises there, in terms of, it's very consistent with what the scorecard and it came out with a couple years ago. So I think it's more confirmation that, you know, that we're still in a good leadership position in the space, and then hopefully that with this, you know, a lot more companies will recognize Saviynt and, you know, include us in kind of the,

as on the short list. So that's, I think, the goal there, is to really be able to get on those short lists and be able to, you know, also being kind of, as a solution, making it easy. As you guys know, implementing solutions like IGA is very difficult. So I think that's where we're kind of leading the, leading the way there, you know, on those capabilities. But yeah, in terms of particular things, surprises, not a whole lot, more confirmation.

So Paul, you and I caught up the other day and there was just one part of your background that I found so fascinating, which was your whole dive into the CIAM space, so customer identity access management, when you were at McKesson, and you made the statement, yeah, we went out and got ForgeRock around 2011, and I'm thinking, okay, I became aware of ForgeRock around 2013, 2014. McKesson was kind of like a, like a marquee logo for them at a time back to.

Yeah. What I realized was that took guts, man, to go out there and select a vendor who was pretty much new, right? I mean, the product had just been spun off, I guess, by Sun, as open source, so that took some guts, but it must have been fun to, to like take this product and like do all the things that it was envisioned to do and be kind of a trailblazer in that respect. But I thought it was also cool about the conversation was like how many

times you and I must have passed each other in the hallway at the ForgeRock conferences and things like that and I didn't even know each other. So, but hey, eventually we got to go, to know each other, and I'm glad you're here. And I wanted to actually, too, and I'll turn this over to you, does that get?

But I wanted to pick on something that you said to Jeffrey, is that you're the VP of product and marketing strategy, and I think that that is pretty cool because one of the big trends that I see happening in the market is around this converged IAM. So it's taking these, these product towers, whether it was, you know, I think of in IAM like the three major towers being access management,

IGA or identity management, whichever you want to call it, and privileged, privileged access management, and I see a shift away from kind of best-of-breed, like, this is what we do, we do it well, and then we partner with the, partner with best of breed in the other areas, toward each of the vendors trying to build capabilities around multiple of these, you know, towers, if you

will. And so I kind of see where Saviynt started out was around IGA, but also now kind of like venturing into the, into the PAM space, not into the single sign-on space. So I'm assuming that was an intentional part of your strategy. I guess I'll start there, as like, is that right? Yeah, I think you hit the nail on the head there. Definitely. You know, we've actually started way back when, where Saviynt kind of did what we called our application governance, it's our fine-grained

entitlements kind of management part of the product, which we started out, genesis was doing SAP, more of a SoD and kind of compliance angle, and then Saviynt grew more to a complete IGA suite. This was in the early days, and

you're right. So now we're kind of, it's been several years. As I mentioned, we did debut in the PAM Magic Quadrant as a Visionary. So again, I think the, you know, our innovation and kind of mindset, we thought, and again, even myself, when I thought about this at Gartner, we did

some reporting on this. I mean, PAM and IGA have traditionally been very separate, but it does make a lot of sense to have those two be together, in that you most definitely want your privileged users to have a whole It's controls around them. In fact, those are probably the most important ones, that you want to make sure you have the whole lifecycle management of those identities in your IGA system. So it made a lot of sense for

those two to be together. And then the other thing is, yes, we're kind of going to more of a just-in-time, ephemeral type nature of identities and access rights. It makes sense that your IGA solution and your PAM solution are together because they also are both interfacing with those endpoint applications. And at times, you know, we can generate on the fly, elevate your privilege and then remove it as

part of your privileged access. But then, if you're non-privileged, we still have that same connectivity to be able to manage those entitlements. So we could do privileged and non-privileged with the same kind of connectivity that we already have. So based on the risk, we might decide to have you elevate, your, if you're an elevated risk, we might decide to direct you to having session recording and a

bunch of other controls on top. So it's, I think it's going to continue to be, it's going to evolve into something much more dynamic, and kind of what we're doing in the future, what we're starting to look at is that whole application access layer where, you know, we can dynamically elevate you and put those privileged access controls on the fly. It's not going to be so separate, you know. Yeah, yeah. I'm kind of wondering, from a market philosophy, if you will,

if you rewind the clock four, five years ago, the predominant message was around better together, right? And it seems to me that this converged IAM approach is probably going to push away from that model, right? Because now companies are competing on, on different fronts, right? It's going to be hard to, to find a best-of-breed mix that is the perfect set of capabilities to,

to fit my need, I guess, and I don't know which one's better from a customer standpoint, but let me put that question to you. What is better for customers? Is it, you know, for this converged IAM trend to continue and to deepen, or is it better, or did they have it better before with the better together approach? Yeah, it's a great question. Yeah, I think that, you know, because you had asked too about, you know, well, what about access management in the mix?

And I think we've decided that we're partnering for that, and that, you know, a lot of organizations, in many cases, pick their access management solution as part of, you know, could be their collaboration suite or other things. And, in many cases, why should we kind of try to compete with a lot of the access management current solutions out there, and they're well established, fairly, I don't know.

Commoditize has maybe a ton of the proper word. Of course, I don't want to put down any access management vendors, but, you know, they do a great job at what they do, but, you know, in the sense, you know, the single sign-on, federation space is fairly mature, but then it also becomes, it's almost like a different kind of a discipline. IGA and PAM are almost a different discipline that requires, I think, a real Send how you, you kind of implement IGA.

So I think we've had a lot of success in that, and so I would recommend for customers to, you know, definitely, if they want to try to reduce the number of tools that they have, and of course the CISOs, you know, I hear that there's 80-plus tools that they have to worry about. So definitely there's, there's that push, probably at the top level of the organization. They're going to want to have

less tools and maybe one or two throats to choke and, you know, have, have overall, you know, better, you know, said spend, you know, it's reduce spending, total cost of ownership. That's the word I was looking for. But no. Yeah, I think that's right. I think that's right. You know, I think what you're saying there is that an organization, or that's a buyer, we've got to figure out what we need,

right? And yeah, not overbuy just because, hey, something's got all these bells and whistles. But I will say, it's an interesting time that this converged identity, converged IAM movement is taking place, because at the same time, each one of those towers, all three of them, are becoming much more complex than they've ever been. I mean, look at access management with passwordless. Look at, yeah, you know, identity management with verified credential, you know, I Oh and

identity proofing. Look at, I think that's the biggest one, privileged access management. The space is just humongous when you think about managing privilege in the cloud, which, basically all cloud infrastructure access is privileged access. So exactly, you know, like, as much as we might want to go from 80 products to one, that might not be the right answer, you know. Yeah. Having one 30-minute trip. We all felt Kind of understand what that's all about, but that's not necessarily the right

answer, right? Yeah. And I think for today, if you're looking at solutions today, I would definitely, you know, obviously if you could do a converged solution with, with as many solutions as possible, that's obviously great for Matty Co and cost and support, but I would definitely, don't compromise the functionality that you need, you know, for a system such as IGA and PAM and access management. Man, they're important. So they could really make or break your security posture.

So you got, you know, it's not like you're, you're getting some other software that's not mission critical. So I would definitely say you don't compromise on your requirements. And, and frankly, up to this point, I have not seen, you know, those that are offering kind of a lightweight, lightweight IGA as part of access management or other solutions,

that, I haven't seen a lot of progress where they really are, are providing the depth of the functionality that, that Saviynt and other IGA companies are providing. So again, so there is an acknowledgement there that it is hard, you know. All right. IGA is not easy. Why I want to get into governs Logan. I think you hit on something that I tend to have a bone to pick with vendors, and in any space, is they're selling you way more than you'll ever actually

need or use. So I think of smaller IGA players that are out there like Ilantus, SecurEnds, and, you know, etc., that have very good products, and they might be good enough for the vast majority of the use cases that, that organization is trying to solve. So I find it interesting as we kind of had this conversation go along, and, you know, obviously got the established dominant players, like yourselves and

SailPoint, Omada and kind of others. And it's almost like we've gone full circle here, where we started off with platforms about, I don't know, 20 years ago, where it was like I am CA Oracle parapsychology don't even fit Events are not flexible enough, right? And then you have the upstarts, these little startups like SailPoint. Nobody knows who the heck they are, right? They came in and kind of helped disrupt things. And now it's like we could go,

we need an IGA tool, and now the industry is again shifting towards, okay, well, we need a, a converged tool, which in my mind, I hear that, it's cool, that sounds like a platform to me. We have a bunch of these texts that, you know, things that are kind of working together. I want to get specifically into the governance. I think, I think a lot of organizations struggle with just basic identity governance. That's where, you know, yourselves, SailPoint,

Omada, Ilantus, SecurEnds, IBM, One Identity. I mean, there are dozens of products in this space, and through, I guess I'm curious, you know, what, from your perspective, sitting in the shoes that you've had as both a Gartner analyst and now, you know, on the vendor side of things with Saviynt, what is it that makes it so hard for people to actually do and do right?

Yeah, that's a great question. And, you know, I was privileged to one of my first report was a gardener was guidance for successful, IGA, implementations and got chance to talk a lot of lot of Gartner clients about this document and in, yeah, the there's definitely there's so many parts to to answer that question, but I think it's always comes down to, if you think about IGA it's almost like a I think of the The garbage in garbage out kind of Paradigm in that you know your IGA is as

good as the data that comes into it and the data that comes out, and there's so many opportunities to make mistakes that could result in hundreds, if not thousands of people losing access or getting the wrong access and then you getting a black eye because of it, you know, Asia as the IAM architect. And you know I've been there, not at that scale, but I've been on the side of you.

Oops. You know, somehow all those 50 people got deprovisioned, see, and a lot of times, it's okay. Well, HR, you know, kicked something off and we did what HR

said, you know? So a lot of it is understanding the data and making sure you have good data governance all the way from your sources of truth, all the way to the applications, and really from a people process standpoint, even before you get an IGA solution, I should tell clients this at Gartner, you know, document and understand all those business processes and make sure you know who's responsible for what information and who's

responsible for that business process and get them on your side, because you're essentially automating a lot of that in an IGA tool. So I'd say that's one thing. The other is, you always want to start with your business drivers. You know, at Gartner we had kind of this four-square chart that said, one was risk and compliance, the other was security, and the other was operational efficiency, and I forget the other one.

But anyway, my point is that you should always start from what are your business drivers? What are you trying to achieve? And what does the top management want to see in this solution, you know, and it could change over time. It could be one of those, you know, one year and then it changes to another, but if you're able to start and then define

those use cases. From the top drivers, all the way down that's going to help you kind of scope and prioritize your deployment and that's kind of the other part of this answer is that your deployment should be very well. This is as thinly or kind of scoped, you know, very carefully to, you know, minimize the damage that if something goes wrong that it's kind of minute minimal minimized so to speak.

So and I look at IGA, it's kind of a novice Swiss army knife but So many little bells and whistles that are part of these tools. That it's easy to, okay, I got this new tool and I'm just going to click the buttons and do a bunch of cool stuff, but that's really a mistake. And there's no manual that's going to tell you what to do at, what time, that's where you guys come in.

That's where, you know, implementers and people who are experienced at deployments come in, and that's kind of the last thing I'll say is bring someone in that really knows what they're doing. They have some battle scars. They work in your industry, they've deployed the tools that you've selected and, you know, it's all about minimizing the risk of going sideways, may you bring up a good point there.

I think there's something that, you know, we talked with our clients all the time is, you know, a lot of times, yes, you know, your personal technology and kind of, you know, what you want to get out of it. When your experience with that technology will be greatly impacted by whoever's putting it in place. So having people have that experience and do have those battle scars as you mentioned, right? Yeah. You kind of helped me kind of keep things.

On the straight and narrow. Keep you honest from a capability standpoint. I got kind of will side question here because, you know, I think there are still a lot of companies that have not taken the plunge into an IGA platform for whatever reason. It may be, it could be, you know, the company size is really small and they're getting by with just a handful of people and it's probably overkill at that point. I still see a lot of organizations that are quite big,

hundreds, thousands of users, that are not in the IGA space. Ali. They might have something like Microsoft Identity Manager or some sort of, you know, kind of homegrown sort of semi identity thing. Maybe it doesn't do the governance and maybe just to keep it as tration, right, right. Yes. What I'm curious to hear your perspective on is when is it the right time for an organization to invest in an IGA platform and say okay you know ex-service? Well I'll just pick on him, you

know, Microsoft a manager. Art as well. We get by with it fine. But when is the right time to say, okay, we need to kind of graduate into modern identity management and we think IGA is the right space to go? Yeah. Yeah, definitely. I think, yeah, there's a couple

factors there. One would be, as you said, in most cases you'll see the tools like MIM or maybe even spreadsheets, like people are doing access certifications by doing, you know, CSV extracts and dumping it all into a database, and so there's a number of areas, I think, where companies are just going to start to feel the pain, you know, of either they're going to get an audit finding or, God forbid, something happens and, you know, compromise of some

kind. So, hopefully there's not that event that turns people to IGA, but I think a lot of it is the pain, and definitely at around 1,000 or so employees is where I think most companies will feel that pain because it's just too hard to manage that manually, and it's kind of, Jim alluded to the cloud infrastructure. Every user is an entitled, every

user's a privileged user. And if you look at the cloud entitlements themselves, that's kind of hundreds of thousands of entitlements that nobody really knows if it's being used or not, and are you overprivileged, which the answer's 99% yes. So there's a lot of reasons why it makes sense for kind of those.

And those organizations to start looking at IGA, and the other thing is, you know, given now that these solutions are SaaS delivered, called at Gartner basically, you know, consumable in the cloud, you don't need to stand up servers and infrastructure, which you guys know back in the day was a pain in the rear. And so with that also comes, you know, with these smaller organizations, they just don't have the staff

to stand up an IAM solution. So now that they have a SaaS solution, I think there's very little reasons why not to, you know, if you are kind of at that size to where it's just too painful to manage manually, you know, and/or regulations. I heard a stat a couple weeks ago about the privacy, there's like 75% of the world now has some sort of privacy regulations and I know that's kind of more on the consumer side of things, but it's not going to go away anytime soon.

There's going to be more regulations, and there's going to be Riley. Some new cyber security laws and reporting and responsibilities of reporting things, so I think it's just going to get even more so imperative for every company to, you know, have a good cyber hygiene. The IGA is definitely one of the tools that'll help you in that journey. I think that was a great answer, is like as you're going I was like up, but did you think of it?

Now we just answer that, but the way I was going to put it was: when to do IGA? Before it's too late. So that was the, that major event item that you brought up, or, I mean, before you hit some kind of rapid growth. I mean, we worked with the company, Jeff and I, that quickly became 10,000 employees and did not have an IGA system in place, that's way beyond, you know, too late. And I'll say one quick thing on that, sorry to interrupt, but M&As and companies that do merge

or divest without IGA solution, it's like a very difficult because you don't know what user has access to what, you know, like you guys say at the beginning of your podcast, it's all about who has access to what, you and I that's what IGA gives you, that answer, and for those kind of M&A situations, there's no way that you can figure that out easily when you're doing those sorts of M&As. And maybe even partnerships, you know, more and more, especially smaller companies are

partnering with other companies. So there's a lot of B2B relationships sticks. Here's what happens. Here's what happened. So we got this phrase in our industry of JML: joiner, mover, leaver. I always love to fall back on adds, removes, changes, but it's the same thing, right? You have to be able to provision access when people join, remove access when they leave the company, and you need to change their access when they move around.

So as you grow, if you don't have automation, the first thing to die off is that we deal with changes. The second thing to die off is that we remove people when they don't need access anymore, when they've left the organization. We're always going to give people access because this creaky wheel gets the grease. If somebody doesn't have the access, they're going to squeak.

So as you grow, well beyond that, that ability to manage it manually is, those processes fall off and you just do the minimum to get by. You become very insecure. So that was my answer. I'm gonna say before it's too late but not until you have the time to devote to doing it right. Because if you start a project and your SMEs don't have the bandwidth to support the project, you wind up spending a bunch of money for people to follow up with people to try and get things to work when they've

got other priorities. And so I see this in my projects sometimes where it's like, hey, we've got the budget for implementing an IGA right now, but our HR team can't really support it and our Azure team can't really support it and our ticketing management team can't really support it. So, use the IAM and this is on the integrator side, like you just sit there and you bug people and you send reminder emails and you join calls and

nobody joins on the other side. So when you go into a project to implement IGA, just make sure you remember it's middleware, it doesn't do stuff by itself. It requires integration to all these other systems, and if the teams on the other end on time to support it is going to cost a lot more, it's going to go a lot slower degree and if you made a good point around, that's another kind of tenet of successful implementation, is it?

Yeah. If you're able to start like a year ahead of even choosing a vendor, and you just start socializing it and you start getting the HRs and all the right teams kind of on board and then they can kind of standing. Yeah. And then they could say, okay, I'm going to kind of carve out a few hours or something. Make sure that my engineers have availability for you.

You know, next quarter, you know, the worst thing is to kind of come up last minute and say you know, I'm implementing the system this weekend, can you support me? You know, that's the way to make enemies very quick make enemies like to not succeed. Exactly one. Stereo that I wanted to touch on. Ignore, you know, going along those converged identity and you guys really take it at least a secondary focus on privileged

access management, however you want to define that. I'm not trying to put words in your mouth, but in terms of this privileged access management and the cloud specifically was really it's so here's my perspective is that the IAM practitioners are inheriting a cloud environment at some point. So typically what I see is that some development team had a project to launch some applications. They get an AWS account and start doing it more in a modern way where they're doing

containerization. They're doing DevOps. And then the IT, the IAM, we'll call it the IAM team, comes along and it's like, we've got to secure this. You got to take all the controls that we have in our on-prem environment. We need to apply those in the cloud. But they're behind, they're behind the curve, right? All this stuff has already been built. So my question is, where do you think they should start?

So should they start by doing, you know, taking their existing IAM tools and, you know, trying to see how far they can get in the cloud with those? Is it that they should, you know, really just, I don't know. Let me know that question. You, where do you think the practitioner should start? Art. Yeah. And I think that's really why some of these solutions,

You know, I wrote a paper on this before they actually called it CIEM, or "Kim", but there's emergence of these vendors that address that specific use case around the cloud entitlements. And I think that somewhat came up from the fact, I think, I don't know the stat, it's like 80 or 90 percent of organizations are multi-cloud, and so yeah, you might have a strategy around your AWS or Azure kind of access

management. But once you're multi-cloud, how is it that you're going to kind of make sense of all of those entitlements and kind of from that, again, from that place to answer who has access to what, were they doing with it. So, in some cases, if you have, I mean, right now, I believe, well, at least Saviynt, we had, we've already had some sort of this built into our product around the cloud entitlements.

And but other solu-, other vendors have kind of done some acquisitions, you know, like Microsoft acquired CloudKnox. So that's part of their permissions management, and so I think there's some kind of movement going on in the market. I would anticipate there be similar things going on there. SailPoint acquired something, CyberArk built their own kind of CIEM capability. So it's definitely an area that

has arisen. So if you have a product already, obviously, you may already have some of those capabilities built in and therefore, like us, again, we have that capability too. So I would recommend that if you don't and you already have solutions built in and you're looking for kind of specialized solutions, make sure that they have supported integrations with a lot of the different, you know, the vendors. So the answer you're more or less going with is the CIEM

answer, and it was interesting because I was kind of thinking that you're going to go with more of the governance IGA answer, which is like, hey, make sure that in your IGA system, you kind of know who has access to what, which may be that. I kind of feel like CIEM bolts onto that. Exactly. I mean, that was always my opinion. When we kind of came up with the acronym, it's cloud infrastructure entitlement management, to me that's IGA, but the market vendors has kind of taken a

different kind of approach. You know, PAM vendors are jumping on the CIEM bandwagon, so I guess from a vendor perspective it may not always be inherent in the CIEM. Still in an IGA solution, ours is, so I always thought that that's, you're right there. Kind of, they should be very tightly integrated or within the same solution, that would be my recommendation for sure. So I have three questions for you: is it Linux or line x 2? Tomato or tomato. Kim. Or key more?

Just answer that third one. Yeah, it's definitely "Kim". Yeah. So we came up with, instead of C-I-E-M, which sounds a lot like CIAM, so we said okay, also I think there was another way we were looking at, a cloud access management, CAM or something. We should know that's the not going to work, soak it. So we thought "Kim" was kind of a cute way of, you know, calling CIEM without trying to confuse it. You put a name on a very complex problem. Yeah, exactly.

Exactly. I know we're running out of time here. So I want to make sure that we have enough time to talk about another passion of yours, which is classic cars. So we kind of end on a lighter note around here, that's going to bring things up from the very heavy identity governance talk we just had. I guess here's my first question for you. I guess how do you define a classic car, and then the second part of that is, what is your

ultimate classic car? Yeah. Yeah we'll definitely a classic car. I kind of am from a career standpoint, would be something that's kind of, at least is older than like a 70. Don't know as funny because I'm in a car club and we just updated our inclusion criteria. This from like a 72 and older to like 79. So, I think somewhere in the 70s that a, You could argue, I'm sure there's people that want to make it, you know, if some 80s cars. But frankly, I think the 80s is really where things.

Going downhill with the terms of cars and performance, but really those classic cars youth least the way I look at it is, you know, they have super big engines that don't get good gas mileage. Unfortunately, for those of you out there, don't mean to offend anyone. But it's so it's basically and then they're, they're like weigh a ton that you look at them demand, they're just huge. You know, cars and they have really good looking Interiors.

A lot of them. Um, maybe even more modeled after airplanes and stuff, the airplane interiors and things. So there's a lot of kind of different approaches to classic cars, but I would say, definitely something in the 70s or earlier goes back all the way to the 30s. And something that could possibly be really fast and loud and a lot of different colors to, you know, two-tone interiors, and those kind of things.

So my favorite, of course, is, I'm going to say, the classic car that I have is a 1964 Buick Riviera. And so the Riviera, that's, first year they came out was 63, I got a 64, they call those the first generations. They had a number of generations where they kind of changed the body style, but that's my favorite, from 63 to 65. The body style is I think the coolest, so you guys, you know, can check those out on the internet, but very different from the other 60s cars at the time.

If you look at like the Impalas Or the the Thunderbird was kind of the first. The Ford Thunderbird was kind of the first what they call a personal luxury vehicle and that was kind of what Ford was wanting to do. So you know I'm sleepy awaken others came out with their version. So definitely the Buick Riviera is my favorite So far, if I get another one, I'll let you know as I might change my mind. Jim. How about yourself? What do you got for a classic

car. So if I had to pick one, it would be the 57 Corvette. It's kind of a roadster. I mean those cars are just like they just scream luxury and performance but not luxury. They scream performance from that era and they're just You can't help but turn your head when one goes by. So but the thing is I'm not that handy so I'd have to buy one to somebody else restored.

I don't have to have a mechanic. Who would come in, do repairs on it. So it would be a lot more expensive than, than just, you know, getting one and restoring it myself. That's not going to happen.

How about you, Jeff? Well, I'm not much of a car guy, and we were kind of joking about this before we hit record, is like, you know, mine is going to be, you know, we're probably like, oh, it's, you know, the first Tesla Roadster, some like that, because I have a big family. Like, you know, if I could have my fun answer, it will be the DeLorean from Back to the Future. I'm going to call that classic only because it's from my past, my youth. I've always been a fan of the Lamborghini

Diablo, I just love the way it looks. I'm more of like a supercar kind of classic. You know, I think that, I think that the whole point of that vehicle was that it had to be as fast as possible. I think I like had to wake be, at least. I'm not sure what the mph were, but it had to be able to go at least 315 km/h, which is crazy. Fast is fast. Yeah, so that would probably be like my classic car. I don't think that goes back to the 70s.

I can't be part of Paul's Club, but it's like any other. It's like any other industry, where you a classic, write all the music that I used to listen in high school? Is now on classic, you know, radio stations. So at some point you know, you'll hear Nirvana on the oldies station and you're going to realize what the hell happened to my life souls and take? It was just yesterday. So whenever a Lamborghini Diablo, we, my will be my answer.

Well, I like the Countach man. That was like the 80s. Yeah, like the Miami Vice kind of Swing the door swing and all the Lamborghinis are sweet. All right, we've had a lot of good conversation today. Say, you know, Paul, I know we want a little bit longer than we probably anticipated, but really appreciate you kind of helping be part of this conversation, kind of share your expertise and viewpoints. We're going to go ahead and leave it.

I think for this week, we know now with our classic car selections, are we know a lot more about the IGA space and some of the things that people should be considering when it comes to deployments and selecting products and so forth. We also got some scoop on some Gartner stuff which is pretty cool and kind of pulling back the curtain a little bit.

So, thank you for that, and also in our show notes, I'll have a link to Paul, hopefully he's okay with me asking him for the first time on air since he's okay with connecting with people on LinkedIn. So I won't do that. Also have a link to Saviynt and their website and kind of find out more about what Saviynt's up to from an identity perspective in our show notes, as well as links for Jim and I if people want to connect there, and we're also have to

continue the conversation. So you can also find us on the web. We're at identityatthecenter.com. We're on Twitter at @IDACPodcast, and with that, thanks everyone for listening and we'll talk with everyone in the next one. Thanks for listening to the Identity at the Center podcast. If you like what you heard, don't forget to subscribe and visit us on the web at identityatthecenter.com.

Transcript source: Provided by creator in RSS feed