This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey Jim. Hey Jeff, how are you? Oh, not so bad. Yourself? Great, great. Hey, I know we want to cover a lot of topics here today in our preamble, and the show's going to be different.
So I don't know if you want to touch on that first and then come back to me with my topic, with our opening matter. Yeah, sure. So today we're actually going to replay a roundtable that you and I hosted with the Carolinas Identity Roundtable, a discussion we had around role-based access control that we did in December. People have not heard it unless you were part of that roundtable live that day. So we're going to treat that as today's episode,
with just this quick intro, and then get to it. But what do you have for me here? So what I have for you is: I started thinking about RBAC and going into that discussion, and I wanted to talk about AI, and then I thought of a real cool angle that I had to ask you about, which is AI robots. Let's just take an example, and I don't want to have the argument right now about whether Siri, the Apple voice module, is AI or not.
But my question to you is, do you need to be polite to AI? Or can you just be gruff and rude and just say, give me this, give me that? It's an interesting question, and Siri's not AI, whatever, right now. It just listens to the voice, a response system, and not even a very good one. Do you have to be nice to your AI? That's the question. Do you have to be polite? I would say no, but I also get the idea of, you know, "please give me a table of information,"
right? And typing it in: when I first started using ChatGPT and things like that, I had more formal sentence structure, asking for "here's what I'm looking for, blah blah blah." Now I'm treating it, depending on which AI I'm using, whether it's Bing's version, for example, which uses GPT-4, or if I'm using just the normal ChatGPT interface, almost like a search query instead of fully formed sentences. So it kind of depends what I'm doing with it.
But I would say for the most part I am not polite, but I'm also not impolite. It's not like I'm like, "hey, go get this, you son of a you-know-what." But I'm also not doing pleases and thank yous and things like that. So I usually do the pleases and thank yous, which I think humanizes it, but in the back of my mind I'm also like, okay, it's not a human. But it's kind of like, you're not going to get in trouble for saying please and thank you too much.
It's better to just say it when you don't have to than not say it when you should be saying it. So I actually say, "Siri, please give me directions to X, Y and Z," which may be a little weird, I guess, and I kind of get that. But yeah, it's just like, you know, have you seen, I got you into watching Picard, right? Yeah, I have not seen that last season yet, though. Okay, I haven't seen the last season
yet either. Or I think I saw the first episode of the last season. Anyway, there was an episode where it was all the humanoid AIs, and I don't really remember what the right term for it was, but basically all the people were being real rude and treating the people like Data like they were just secondhand
garbage, right? And then they got sick of it and came back to attack the humans. And maybe that's the future we're heading for, is that the AIs will get sick of being mistreated. I don't know. I think at some point, once there's a physical manifestation in the real world, that might be the game changer, right?
I think if they look like people. Yeah, I don't think it necessarily has to look like a person, but some sort of, I mean, people have these cute little robot dog things, right? And some people are pleasant to the Roomba, the Roomba and things like that, right, stuff like that. Some people aren't. I think once there's that physical sort of connection there, that's maybe where things might change. But right now most AI is just a text prompt in a web browser or on
your screen. It's kind of difficult to contextualize that as a human kind of concept or human sort of interaction when you're so used to just typing it into Google. You don't type please and thank you into Google. No, no, I don't. Yeah, I think that's probably a good differentiation. I was watching a video of the keynote from the CEO over at RSA. It was at the RSA Conference, which was last week, and it was talking about AI and
identity and kind of like this, I don't know what to call it, collision course that we're on, but how AI could actually make identity work better. And in his presentation he had what was like a human form that started out as a robot, that turned into a human overlay and looked like a real human speaking to the camera, but it was an AI who was answering his questions. And I thought that was, you know, I don't know how far down
the road that is. In some areas it's interesting; in some, like IAM, what they call AI, I think it's a farce, right? It's like, no, that's just advanced predictive capabilities of your system, but it's a far cry from what everybody's worried about, like AI is going to make humans obsolete. Yeah. That video you mentioned from RSA, that was good. You sent it to me and I watched it, and I thought it was an
interesting tech demo. I don't know how much of it was live. If I had to guess, it was probably scripted. I was kind of looking for, okay, when are they hitting play and pause on this video, right? Yeah, for sure, pre-canned responses and things like that. But the technology exists; there's a company out there,
I think it's called D-ID, that does these virtual avatar things, and you can make them say basically whatever you want. You give it a typed-out script and it kind of figures it out. It's interesting because I think it adds that visual. Maybe it's not physical, but it's something on your screen. You say, okay,
here is, quote unquote, a person who is talking to me. So if you think about a chatbot today from the identity perspective, in the bottom right of your web browser there's probably a little thing that flies out and says, "ask me anything," and then it's 50/50 whether or not it can actually answer your question or directly help you. It's not really AI.
It's basically just looking for keywords and phrases that map back somewhere to some sort of script that's associated with, oh, you asked about billing, here are a bunch of links about billing, right? It's all that kind of stuff. But I think at some point AI is going to get more, I don't know, democratized, or more prevalent within stuff like this. You and I were actually talking about this yesterday when we were talking about AI,
especially in identity products. Yeah, I think there is a big difference today between what we call AI in, you know, May of 2023 versus May of 2021. I think there's been a big shift with these large language models coming out that really expands what it actually means to be AI. I think in the good old days, let's call it 2021 and before, AI meant really just some sort of advanced pattern matching or, you
know, things like that. I don't think that's AI anymore. I think that's kind of weak sauce if that's what you're calling AI. What I think of with AI in identity, I think of this use case I kind of mentioned to you yesterday that I thought might be interesting: I go into my IGA product and I say, oh, I'm conducting an access review, and what do most people do? You struggle with, who is this person, and what the heck does this access even mean?
What if there was an assistant that I could call up and say, hey, who is this person? Tell me more about them. And what can this access do, in terms that are easy to understand, and sort of interface with that? That would be an interesting application, because that solves what I think is one of the biggest real-world pain points of conducting an access review: the people who are supposed to do the review don't know what they're doing. It's not necessarily their fault or their problem.
They've just been told, you know, Jim, you own the blah blah blah marketing group, and you're going to review it every quarter or month or year, and good luck figuring out if that is still correct. And here are 100 people who have access to it that may or may not be part of your department. I think that would solve a real problem. I kind of wonder what the approach is going to be, because I think, wasn't one of the things that you pointed out that
some of these systems create that human interface? So now you're looking at somebody, it looks like you're talking to a person. You present them with a question. Now, somewhere in the background, they're scouring the data to come back with an answer. So maybe there's one technology that provides the
human interface, another technology like ChatGPT that does the language model, but I think on top of that overlay, the question that you wanted to ask was really an advanced identity management question, which was comparing who has access to what and what are they actually using it for. In other words, what is the access that they have that they shouldn't have? And modern IGA systems cannot answer that question.
I think that's the next revolution, and I think that's how we get to zero trust, right? It's so funny, there's so many, and it's not just zero trust but also least privilege. There's so many CISOs who I've talked to over the years who say we follow a least privilege model. In other words, their policy is
least privilege. But then we start talking about role-based access control, which, you know, my feeling is that role-based access control is not least privilege; it works against least privilege, and role mining takes it even further. It says that 85% of the people have this access, so let's just give it to 100%, like 15% more. That's the exact opposite of least
privilege, right? But ultimately, what's interesting is that there's a problem that I think is so hard to solve in the enterprise for existing infrastructure, so company-controlled infrastructure, but it seems like CIEM, cloud infrastructure entitlement management, whatever you want to call it, for cloud infrastructure, every cloud infrastructure does it. Yeah, thanks. But it seems like we're getting closer to solving it there,
right? And maybe it's because the platforms make the information available, and now you can say, okay, these are over-provisioned accounts versus these accounts over here, which are properly provisioned. To me, that's what we need to be able to do for applications. That's what we need to be able to do for Active Directory groups and things like that, but the technology, as far as I can tell, is not out there today.
Yeah. Well, collecting the data is one thing; understanding the data and the context in which it's presented is a completely different thing. I hope we're getting closer to that, but yeah, it's going to be a layered approach. You'll have different search interfaces, different types of things, and maybe at some point someone will come out with IGA 3.0, whatever that looks like, and maybe it is something that's more modern, really leveraging true
AI, not what we've been calling AI for the last decade or so. But yeah, yeah. And so I think you made a great point, though, right? It's like gathering the data and making sense of it are two different things, two different things that we're not good at right now. And I think making sense of the data is where the AI really steps in, because now you're looking at a problem that the human mind cannot crunch. RBAC was designed around:
let's make this so people can understand it. I think the next level is, people don't have to calculate the data or understand all the roles. You can find out, like, you gave this access, this is what access is being used, and automatically take away the access they're not using. Yeah, hey Jim, you're doing this access review. Here's this person.
The last time they used this access was six months ago, and here's why they used it. We think you should get rid of it, but you've got company policies to take it away. Do you want to override that? Yeah, I mean, there we go, we just solved it. IGA 3.0, coming to a product near you, I'm sure. So before we get to the interview, or the roundtable discussion we did, it would be unfair for me not to note that, back by popular demand, is our IDAC
jingle. We tried something for 10 episodes. I like the voice, I'm going to use the voice, but we went back to our guitar jingles. So if you're a fan of that, and my terrible musicianship in putting that together, enjoy, until we decide to change it again. I mean, a lot of people have come up to me and said they missed the guitar jingle. I had no idea that people were that interested. I liked it. I mean, I told you I liked it, but you know, I'll also be honest,
I can't listen to a lot of our own episodes, because I hear people, like, you need to listen, exactly. You have to listen because you edit it. But yeah, I can avoid listening to myself. The other thing that I wanted to say, and this isn't me trolling for more five-star reviews and comments on Apple Podcasts, even though I don't have this control, but I did want to say, I was reading through some of them over the last few days,
since there's one by MB Hedgehog, which I know you showed on Twitter at one point, but it's such a great review. And I think it helps other people find the podcast, right? The more reviews we get, the more it shows up in search results, so that's one good thing. Also, I just want people to know that when those comments are made, they get read by you and I, and they are appreciated.
Yeah, it's very cool to get some sort of acknowledgement. Usually it's just you and I sitting here on an afternoon or an evening staring at each other, recording and figuring things out, and usually we've got a guest at this point, but today it's just the two of us. But yeah, it's very cool when people take the time out to do that, and that's really the best way.
And as of now, the only way you can really help us is, you know, like, rate, review, all that good stuff. That means a lot to us. And, you know, it certainly helps us get more traction in the space. The last thing we've got before we get to the RBAC discussion is Identiverse coming up.
It's only three weeks away, Jim. So in three weeks you and I will be at Identiverse. Identiverse 2023 is heading to Las Vegas. We're going to be there. Join the digital identity community at the Aria Resort and Casino in Las Vegas, May 30th to June 2nd. It's a must-attend event that brings together over 2,500 security professionals for four days of world-class learning, engagement and entertainment.
And as an Identity at the Center listener, you can get 20% off of your registration. You only got a couple weeks left, so you gotta get on that horse. You can use the code idv 23-0 icen 20, just rolls right off the tongue, at identiverse.com. We'll have a link in our show notes to make it easy: you click the link, it automatically puts the code in. And, you know, that helps us as well, right? The more people who use
our code, it shows that, hey, it's worth it to get the podcast out to some of these events and maybe do some partnerships like we're doing here at Identiverse. So yeah. And not to mention, also on Tuesday night during the opening reception, we'll be set up on a mini stage outside of the expo hall, which is where the opening reception will be held. I don't think it's probably a table, but what I'm saying is we will be recording just outside.
You use the term stage very loosely. All the world's a stage; we just use the Shakespeare definition. Yeah. Yeah, but it's not going to just be us in the corner. Yeah, so hopefully a lot of you can hang out and listen to us record live. We're gonna have a few drop-in guests, and really look forward to that. Yeah, 7 p.m. Tuesday night, local time Las Vegas, we'll be kicking things off there and getting things going, and hopefully see a lot of friendly faces, new and, you
know, familiar faces as well. We're always looking to meet with folks and stuff like that. So I'll have stickers too. You have stickers? Good. Okay, I'm out. I've got no stickers left. I've got over 100. Over 100. Okay, all right. Should we get to the Carolinas Identity Roundtable? Let's do that. Okay, so this is something that Jim and I did in December of 2022, so just roughly about five months ago as of today. Definitely want to thank Tom Lennon from
SailPoint. He's the one who invited us as new members of the Carolinas group. It was cool to kind of land with my feet on the ground and meet up with like-minded people in that space. So just to preface the discussion: it was around role-based access control, and it was Jim and I hosting this conversation with a couple other people. So we had Beth Goins; she's an information security, IAM and governance manager at Arvest Bank.
We also had Prince Jones, who is a senior manager at Trane Technologies, and then Ashley Rous, who is a lead information security analyst at Lowe's, and they were kind enough to set aside some time with us and the group to come talk about their experiences from a role-based access control perspective in the real world. So this isn't theoretical.
These are people who are doing it in the real world, and not only doing it, but doing it really well. I was kind of impressed with how far along they were in each of their journeys and how they were able to make decisions and make their programs a success, at least on the role-based side of things. So hopefully people will enjoy that, and I'll have links in our show notes if people want to connect with them directly and ask them questions, as well as to the Carolinas Identity
Roundtable as well on LinkedIn, which is a group that Jim and I are part of. So, with that, I'll go ahead and roll the tape, and we'll talk with everyone in the next one. Thank you so much for the invite. Thanks, Tom, not only for inviting us to this, but also just the group in general. I'm a recent transplant down to the Carolinas. I come from Chicago, for 40 years, and 5 months ago I made the trek down to the mountains of Western North Asheville,
I'm sorry, Western North Carolina, in the Asheville area. So I've got Cedar Mountain out my window right here, and I'm happy to join like-minded identity people. I'm joined by my friend Jim McDonald. He and I do a podcast, like Tom mentioned, called Identity at the Center. It has nothing to do with our day jobs, which is identity and access management consulting for a company called RSM, but we're not going to do a commercial for them or anything, really.
It's just something we've been doing for the last three years on the side. It's sort of like our night job, our night gig that we do, and we've had a lot of great conversations over the years with folks all across the identity space. Listeners send their topics in and stuff like that. So we try to keep it a vendor-neutral, safe place. We don't want it to turn into
a boring corporate podcast. So that's why we own it off to the side and we don't let the companies that we work for have too much say in what we do. So that's pretty much how we run it, and hopefully people will check it out. The idea for today's conversation is basically to take that spin of what we do on the podcast and bring it to the conversation here. And we're going to talk about role-based access control. Whenever we have topics like this
that are so meaty and juicy, we like to have different guests on with us to lend their expertise. So I'm going to go around the room and give people a chance to introduce themselves. First we've got Beth Goins; she's the information security, IAM and governance manager for Arvest Bank. Welcome, Beth. Thank you very much. Hi, everybody.
I have 20-plus years of experience in application development and product implementation and six years in the information security and governance space. My main focus for identity management is ensuring that there is consistent and equitable access for all users while minimizing friction, and working for a financial institution, my current position's top priority is compliance. I first officially got into the identity space
when I was hired for a job where I thought I was just going to be working on an IBM mainframe and ended up working in information security and identity on my first day. There was nothing like on-the-job training. You see, I have nightmares of RACF and administrating those. So yeah, we should probably share some war stories about that. Thanks for that. Next up, we've got Prince Jones; he's a senior manager with Trane Technologies. Welcome, Prince. Welcome.
So, I am Prince Jones. I work at Trane. I started my IT journey over 17 years ago, and I've been doing RBAC-type work and identity work for the last probably 15 years. I started in the Oracle R12, Oracle 11i space, so that's where I got all of my juicy experience from, and currently I am responsible for identity at Trane, where we're doing IGA, privileged access management and our federation SSO solution.
So I'm around, brother. Glad to be here and to talk with you all. Yeah. So just a few things going on, nothing too heavy, right? Yes. Ashley is next. She's actually real. She's the lead information security analyst from Lowe's. Welcome, Ashley. Thank you. Hey, everybody. So I've been in the IT industry for about eight years. I started on the consulting side, doing a lot of IT audits on PCI compliance,
SOX. And then I actually moved from consulting to industry, where I've been in the IAM space and been focused mainly on RBAC for the past three and a half years. So you kind of went the opposite path from myself and Jim. You started off in the dark side, and Jim and I started off in the light side and we moved to the dark side of consulting a while back. So I guess congratulations on getting out. Jim, I think you're next, Jim McDonald.
Go for it. Hey, Jeff. First I want to thank you for introducing me as your friend. I mean, seven years of working together with somebody, you know, it's not always easy to stay friends, but you and I, we do the podcast, we work great together, and I'm really looking forward to talking with the group here today. We picked this topic of RBAC because I don't think that we step into it as the authoritative voice. I think everybody's got experience with RBAC that
they can bring to the table. Sure, everybody who's listening in, plus this panel of great IAM professionals, we've all got our experience with what works and what doesn't work. And so I think it's a great topic from that perspective; it's something that we've all got a perspective on. Yeah, it's a difficult nut to crack.
I think a lot of people get intimidated when they start hearing about role-based access control and the horror stories that come along with it: hundreds, thousands, tens of thousands of roles, whatever it is. How is this thing going to work? I think before we get too far along, though, we probably want to define what it is that RBAC is, because I think there's a lot of terminology that we use in the identity space where we might call it
one thing; maybe it's called entitlements in another system, or maybe it's roles, or maybe it is groups, right? There's a lot of different ways to do it, and I think what I'll do is I'll start off with Prince. How do you define role-based access control? Like, what does that mean to you and your organization?
So I will explain it how I explain it to a leader, right, without the technicals. I basically just describe it as this mechanism for how we grant or restrict access to people, and we typically do it according to some type of persona, right? So you could think about it as maybe it's your role, your department or your position. So some information that we know
about you, and we say, okay, if you are a member of this group, you get this access and you don't have to go and request these individual accesses. So that's kind of how I summarize it to help a leader understand what we're trying to accomplish here. Ashley, do you agree with that? Does that make sense to you and how you approach it as well, or do you have a different spin on it for your organization? It does. We have a very similar
spin. I like to think of RBAC as just an overall methodology that has two major pieces. One is defining the subset of users that need access and pulling them into the role. And then the second one is, what access do they actually need to perform their job? It helps restrict access to what they actually need and eliminates the need for users to say, I'll have what Karen over here is having, where she may have been with the company for years and
years and years. And it kind of locks down that access and stops that carryover of access over time. Yeah. I like to call that the similar-access snowball. You start using the model after, and, you know, the janitor who became CEO probably still has access to the janitor closet. Maybe he doesn't necessarily need it, right? Those sorts of things. Beth, I know with the kind of compliance focus that you have at the bank, there's probably a pretty big focus on the role side of things.
How do you define it with your business stakeholders? And I guess, does it align with what you're hearing here? Absolutely. I define role-based access as a bundling of entitlements or access that grants users access to systems based on their similar attributes. So, very similar to what everyone else has been saying. The attributes can be based on their region, their division, their department, or sometimes
an HR component. It can be birthright, it can be requestable, but it's for consistent access for everybody. Jim, from the consulting side of things, you're going to play the role of consulting expert here in the identity space. What do we typically see when we're talking to, you know, our clients around "we want to get into roles," and the definitions that we've heard here from Prince, Ashley and Beth, does it make sense?
Do you see alternatives that are out there when it comes to the definition of what a role is when it comes to identity? Yeah, so there are alternatives, but first I want to say that Prince, Beth and Ashley, I think, nailed it in terms of, you know, it's really an organizational unit, a roll-up of entitlements or access. As a consultant, I like to think of things in terms of a framework, a way to organize your thinking around
the topic. So roles get talked about in terms of the authentication and authorization side, as well as the identity administration and governance side. So there's the identity administration and governance side, where you're creating the roles and you're provisioning the roles, and they could be going to multiple applications and turning into entitlements that the applications understand, and then the authorization and authentication side, where you're enforcing them. Why that's
important is because when you talk to somebody about roles, you have to understand what perspective they're coming from. I think the other thing, when I think about roles, especially on that IGA side, is the organization around what the different types of roles are. I think there are mainly two. The first is kind of the birthright role, which is, what do I get
because of who I am? You know, I take my HR record and I'm from this office and in this department, etc., etc., and what access can you key off of that? The fact that I'm an employee, so I get the VPN, I get this, I get that. And then there are things I can't key off of that, and those are maybe, I'm on this project and my manager wants me to have access to this role, and we call those requestable roles.
So you've got birthright roles and requestable roles, so that division of sort of what you are, and then what you can request after the fact. Beth, is that something that you guys have touched on as part of the deployment and how you've tackled roles, or is that something that you're working towards? Where does that fit into maybe the strategy? I think he's reading all my notes here, because that's exactly where
we're heading. We definitely want to, if we look at access as a big piece of pie, right, what we want to do is take access for people, birthright first, anything that we can do on a common attribute or something that we can grant automatically. It's going to be one big piece, and so we're going to keep trying to narrow down what actually has to be requestable to very specific job-related duties. And so, yeah, we definitely are looking at requestable,
and we're looking at the birthright to minimize what people have to actually ask for. Prince, I think from a role perspective, if I'm not mistaken, you guys probably have a pretty big ERP platform, which is pretty notorious for having an obscene amount of roles in it. And I guess when we talk here about this concept of birthright versus requestable, how are you guys looking at addressing that differential between access?
So we actually put it into three different buckets. So we talked about this notion of birthright, which says, hey, based on who I am, this is what I want to get. But when you talk about requestable access, you have something that is introduced to that mix, and that is that you want this one to still be compliant, right? And so there's this concept of, if I request something, I might need to have an objective approver, making sure that that
access is appropriate. And then we talk about, even with the birthright access, right, making sure that it's done in such a way that that objective approver also watches out for segregation of duties violations, right? So, as a publicly traded company, that is something that we probably all have seen and had exposure to. So if someone is requesting
something, typically your manager is just not enough to approve that. It has to have some type of objective approver and then an SoD process to make sure that the access that you're requesting, even with the existing access you have, would not compose a toxic combination for the organization. Ashley, we kind of touched on the access snowball, and Prince just hit it again there.
You know, from a role perspective, we're talking about this Birthright versus, you know, add-on roles. After the fact they could be doing, is probably a little bit of while. But where do things stand for your organization when it comes to how they've how they've tackled sort of that, that question, right? What do I get? When I walk in the door versus what happens to me, Day 2 Day? 3 day 100, whatever it may be,
right? So I do agree that requestable is definitely a type of role that needs to be implemented. And to Prince's point, to avoid the segregation of duties violation, I think there's a way that you can configure them to restrict the type of roles that people can see that they are able to request. So that way, you kind of have that segregation of duties in place already. And then once you start... what was the other half of your question, just from the requestable standpoint?

I think, you know, the differential between this is what I get when Ashley walks in the door. Yes. So I think that is always evolving and changing, and it's a great point to bring up, because as we evolve those birthright roles, we also need to communicate what access is provisioned automatically to the business, to avoid them requesting that additional access. So that one is part of the maintenance process that needs to be defined: just who those stakeholders are and how they need to be communicated with.

I want to come back to something that got mentioned a couple of times here, and that's segregation of duties. I think that is probably a pain point that a lot of people struggle with, but I want to kind of build up the conversation.
We started with, okay, what's the definition of roles, and I think we've got enough information that everybody can kind of come up with a common standard around that, or at least an understanding; maybe we don't agree, but it's the same. What I'd like to understand now is, this is a difficult nut to crack, as I said before, and difficult to get started with. How did this kick off, or how did this idea get started? Did Prince go in and say, hey, we're going to do role-based access control, and then, you know, it just went full speed ahead? Prince, from your perspective, how did you actually get started implementing roles for your organization?

Yeah. So typically, and I think this is probably going to be true for many companies, when we undertake something like this, it's not for convenience at first. It's typically because of an audit finding, some type of regulatory mandate. And so we all kind of corral around it and say, okay, this is how we're going to address this finding, and go on and fix it that way. And then it evolves to, okay, now that we see this, we see the benefits of this, how could we start to do this in a way that serves as a tool to enable the business?

So I know we like to blame auditors a lot. They're the reason for all of our pains, but they can also be the reason for actually getting things done. There's nothing like a good old-fashioned audit finding to really light a fire under a budget or a manager or director or somebody, where they say, okay, we've got to fix this thing. Ashley,
When you guys started down the role path, what were the first couple of steps that you took to say, okay, we're going to do this thing, here's how we did it?

Sure. So I actually started about a year after Lowe's began implementing RBAC, but I think the driving force for our side was more from an operational perspective: to take some of the work off our operations team and to automate it, and take some of that pressure off of them to allow them to do other work that they need to do. But how we really got started was, we did some mining in a sample environment and just saw what the data produced. And then we went through and we would communicate with the stakeholders and say, does this align with what you're saying? And then we played with the algorithms a little bit more until we could fine-tune that process.

How long of a process was it to mine that data and really work with the business to establish, you know, what might have been the initial baselines for a role?

Initially about a year to a year and a half, where those conversations were taking place, because we would get our feedback, take it back to the different applications to see if it lined up with what the business was saying, and make sure we got all parties involved. And then additionally, there's a lot of data cleanup to that. You get a lot of access pulled into roles that, you know, from the scenario I said earlier, where Karen's been in the business for however many years, but so have 30 other coworkers, so a lot of the stale access gets pulled in. So it's a lot of fine-tuning to determine what is actually consistent and needed for the here and now.

Yeah, definitely an overnight task,
right? Oh no, it's like these things take forever. Yeah, I think data consistency, data quality; you've got nested groups, people using groups, all kinds of things, you know. Beth, I think I struck a chord just now; she had a little twitch when I said nested groups. Sounds to me like you've got something you want to add in there.

Yes, the nested groups are a challenge for us here, that's for sure. Part of our process too is also breaking our entitlements down from a critical application perspective, or a high admin privilege, versus what we consider kind of the lower level of distribution groups, and maybe shared folders, and things like that. So we kind of classified our data a little bit, and then we're initially rolling out the role-based access on what I would consider the less-priority items, as far as distribution groups and kind of high-level things that everybody has to have to get their job done. And we're holding aside the critical and administrative things to dole out very specifically at a more requestable level versus a birthright level. So we're definitely looking at and changing our approach a little bit from a priority perspective: high-priority, highly sensitive information versus less sensitive information.

Have there been instances where, after you've gone through that analysis, maybe something that was marked as critical really wasn't so critical, lunch menu, something like that? Or vice versa, something that was maybe not marked as critical probably should have had a higher, you know, security or approval process around it. Did you discover any of that as your process went through?

Every day. Every day we have a new discovery. There's always that little pocket of something over there that wasn't labeled as admin, and when you drill into it, oh no, wow, that was a big one, you know. And again, from the compliance area, I make sure that our entitlements are tagged from a criticality perspective, and it's read-only, update, or admin. Those are your big three, you know, and then we kind of go from there, and then PCI relevance and things. But yeah, and then a big one is putting something out there that should be birthright, right? Everybody, like internet access. You know, if you drop that out there, yeah, it's not really overly critical; people really do need to get to the internet.

Yeah, I've seen that the last couple of years, especially with obviously COVID and working from home. There was a lot of scramble to get VPN in front of everybody. So I would imagine maybe there were some role adjustments made in the last couple of years to provide, you know, network access, you know, whatever
it may be. Jim, you know, if we think about it from the level of what other companies in the industry are doing, at least in this space of identity, where do you typically see companies starting with roles? I think I'll kind of put my two cents in front, and maybe you can either tell me I'm crazy or whatever. I see roles typically as a little bit more of a mature step down a company's identity journey. Typically, you know, we're going into a company and we're kind of helping them out: well, we're still doing things by hand, it's manual, faxes are coming in, right, things are being printed out. And I think there's probably some level of baseline identity capability that needs to exist before it really makes sense to look at roles and start to do the role mining that Ashley was mentioning before. How do you see that process working? Or do you think it's viable to start with, hey, let's start with roles and then work backwards from there?

I think we're all under pressure to deliver. So I think doing some of the baseline, or three roles, right off the bat makes sense. So if you're implementing an IGA system for the first time, for example, you know, automatically provisioning somebody's IT capabilities, their SharePoint access, their VPN access, I think those are things you can do. I think it comes down to, one of the things I'm making myself notes on as folks are talking, there's so much good content here, but it's like this 80/20 concept, right? Because I was thinking one of the questions, and I hope I'm not stealing from your questions here, but it's like, when are you done, right? And it's like, you don't need a role for every single thing. Technically, within your product, it might be called roles and you have to have a role for everything that gets assigned, but you don't need to have that traditional business role or technical role for every single thing.
I think you have to prioritize. So a couple of things. In my opinion, the right way to go about this is, first, start by focusing on those IT roles that we talked about. Second, go department by department. So don't try to do a little bit with each department; pick a department where you have an IT liaison or somebody who represents that department, who really thinks roles are a good idea that's going to save their folks a lot of pain. If you get that person who really thinks it's a good idea, they're going to put in the effort. So that's where I say to start. And start with, you know, I think Ashley brought up the idea of data mining. I ultimately feel like you have that data, you analyze that data, and then you engineer your roles from the top down so they make sense to human beings. I think if you let the AI do all the work, you get these roles that don't make any sense to people. You have to be able to explain what the role does. Somebody has to actually conceptualize, like, if I give this person ERP clerk access, it gives them a login, gives them access to the dashboard, and lets them do these functions. It's not like all these nebulous things that could come with it.

A couple of other thoughts that I was having: you know, you need to have business ownership over roles. So even if they're IT roles, there should be an IT person who's assigned as the business owner of that role. What you don't want to have is, like, your SailPoint administrator be the owner of the role. Like, who owns this role? Well, it's just the IAM person. No, it should be a business owner, whether that's an IT person or someone in finance or HR. And then the other point, the last one, I swear, was, you know, one of the things I was hearing over and over again was this idea of IAM fatigue. You know, like when we set up our system and it's constantly asking people for approval, approve this and approve that, they get blown away and they're just like, yeah, whatever, whatever. It's the same thing with making sense of some of the roles. So the lunch menu idea: what about thinking about, like, it's lunch menus, low risk, why not auto-approve and let that thing go through?

Yeah, you got there for a second. I think you're going for the fatigue part. We see that a lot with MFA fatigue, and that's one of the common ways that people are getting breached: you get spammed a whole bunch of times on your phone, and you just end up hitting approve just to make it go away, and the person got in. Sean asked a couple of questions, and I would certainly encourage folks who are out there, you know, watching and listening, whatever it may be, to throw them in the Q&A.
I'm going to hit the second one he sent first, because I think this is a real important one. How do you tackle conversations with HR? Let's say, you know, you're running Workday or Oracle or ADP or something like that, right? There's this authoritative source for identity, and they continue to establish enough information to use membership criteria in a role without upstream issues, if I could say it just right. So what I think we're getting at here is, you've got data coming from your authoritative source. How do you make sure that really all the business stakeholders are part of this from the HR side, to make sure that when you're designing roles on the identity side, and maybe, Prince, we'll go with you first, how do you make sure that there's not that conflict? That business engagement with, you know, other non-identity groups, to make sure that those conflicts don't exist?

Yeah. You know, if I could simplify the answer, I would say this phrase: do with me and not to me. And when you bring people along, you kind of show the journey, you can kind of create this atmosphere of partnership and collaboration where, when you're working on information in HR, right, you're bringing them along to say, hey, we're going to key off of this information, or we would like to key off of this information, right? How are your processes? Are they robust? Are they accurate? Do you have a process to catch when someone does not have a job title? Are you fixing that, right? Those types of things. So that way you don't have these, you know, unanticipated issues down the line. So you're bringing everybody along with the journey, because, like Sean said, everyone really has a unique part to play. The identity practitioner does not know, most of the time, what these roles are or what they give you access to do, et cetera. So I really think it's that collaborative process and iterative process over time, and bringing people with you, that kind of helps make sure that everyone is playing on the same team.

I think, you know, the butterfly effect is absolutely a phenomenon when it comes to changes in roles, right? Everyone really needs to understand that there are repercussions for changes in source data. So, you know, if a role changes or a job title changes or a job code changes or whatever it may be, you really need your friends over on the HRIT side, or whoever is kind of managing the data within that system, to be your friend. You know, Chris is echoing,
do with me, not to me. That's gold. Obviously, honey is sweeter than a stick. You try not to have the stick, but, you know, honey is probably the better way to go through it. I want to tease out this other underlying thread of engagement with the business that Sean was getting to. You know, Beth, when you're going through this process of role design, how do you tackle that engagement with the business? Because Jim, I think, mentioned an important thing here, which is the business really should own the role. It's their data; they should be responsible and understand what it is that they're approving, which sometimes can be a challenge.

Yeah. So we have two topics there, and I'm not sure which one to hit first. But one is from the line manager, you know, approving for their own people and making sure that the roles they're approving, or what they're seeing, have a good enough definition so they really can understand. We definitely get feedback on that all the time. And then on the role itself, it's having the owner actually go back and improve the content of that role and making sure that they truly do understand the elements that they are certifying that are inserted into that role. Just lots of communication out there with the business side, and we're getting lots of feedback. You know, it's great when you get feedback, because that means that they're reading it, or trying to be engaged with it, and they don't understand what it is that we're pushing out. We need to listen to that and figure out what we can do to make that more clear.

Yeah, Sean brings up a good point: sometimes we've got, you know, non-technical people who are responsible for technical things, and they may not understand that. I think, you know, that hits that sort of internal consulting role that each of us might play for our organizations. Ashley, you know, when it comes to helping people understand how their decisions might impact downstream IAM things, how do you typically engage with that, and do you have any tips for us?

Sure. So just going based on that constant communication, I think one of those things, beginning from an HR perspective, is just to see what type of notifications you can receive. Let them know, hey, if you're making a change, let us know, because it might be something that affects us; maybe not, but always let us know. In regards to application teams and their changes, I always try to encourage them to talk to us first before they want to update a role, because a lot of times they don't have the visibility into user perspectives that we do. So they can say, hey, I want to push this role to this user population, and I'll go back and I'll pull the population and say, is this what you want? And they go, oh no, this is not what I want. And I'm like, well, that's what you said it looks like; let's define it and tweak it. You kind of determine that working partnership value through those conversations. They see what level they can bring to the table, and then what level your team can bring to the table as well.

Yeah, I think there's a yin and yang that comes to it, where you're trying to help them, and sometimes you have to help them not be their own worst enemy. Yes, Sean wants to know how many of us have successfully rolled out roles in our business. So I'm actually going to open
this up to everybody. If you can use the raise hand feature in the webinar, I'd love to see just a count if you've successfully rolled out roles within your business. I'm going to give people a couple of minutes to kind of think about whether they really think they were successful or not, because there are probably different degrees of, you know, were we successful, or what do we define as that. I'm going to start with Prince. When it comes to the role perspective, how successful do you think you've been to date in getting this put in place?

Yeah. So the way I measure success is, I like to personally start with the small wins, right? Because those small wins allow me to keep going, and I say, oh, I see how that works. It starts to tell the story and go to that next phase. So for example, if we know that every employee is entitled to VPN access, and there's a change management process today where you request it and it goes to all these approvers for approval, et cetera, so to the business they may say, you know what, it'd be great if you are an employee and we just had that on day one. And I say, yeah, that would be great, and we could help you do it. So you start by addressing a problem that is a pain point for them, and then start to build in the security, risk, et cetera. So that way you have some small wins and you can get some momentum, and it starts getting bigger and bigger. And that's how we kind of rolled out our roles in the organization: with things that, you know, are very important to them. And then we start to say, okay, now that we've done that, what's the next model? What's the next iteration of this that we can continue to help strengthen our posture?

So I'm hearing sort of like the initial improv training of "yes, and." That's the answer. Like, okay, how are we going to do this? Yes, we can, and here's how we're going to do it, right? Pull it into the proper framework, rules, guardrails, whatever it may be. Beth, what do you think from a success standpoint? How successful do you think roles have been from a rollout perspective for your organization?

Yeah, so, you know, what's the definition of done, right? I don't think we're ever going to be done. You know, it's going to be a constant bridge painting, you know, where you can go back and new applications are introduced. But from a success standpoint, our community has embraced it, and that is fantastic. Everyone is impacted, from the end user to the manager who's in the path to approve; they're all impacted, whether they didn't get their access on day one that they needed to get their job done, or the managers, like you said, are just tired of approving and processing things through. So everyone has embraced the idea of birthright roles now. Birthright roles: what can we get done day one that nobody really has to look at, and that helps the employee have a great first day on the job. So success is, you know, positive feedback. We're reducing the friction for people and getting some good feedback from end users that their time is not spent in a wasted way.

Nobody wants to waste time. The one thing that bothers me every time is sending a manager an approval for something that they're going to approve 100% of the time. Like, what is the point of that? That's checkbox compliance at
its worst. You know, I'm looking at the hands raised, and I think we're in the minority. We've only got really a couple of hands raised that think they've been successful so far. It sounds like, Prince, you've been successful; Beth, your organization has been successful with it. Ashley, what about your organization over at Lowe's? How successful do you think the rollout has been of role-based access control to date?

I think we've been very successful with the rollout of roles. I think, you know, to everybody's point, roles are something that you can never mark as done. So that fatigue will always stay in place, because as users, you know, there's the birthright access and they're used to not approving that anymore. But then as your organization changes or your IT landscape changes, there are new things that need to be approved, and the users get to take that away. So there's always opportunity to improve your roles. But I think a big thing in our organization that we can show how successful we are is to actually take the time to do the analysis and the metrics to see: all right, we think our roles are successful, but how successful are they? So what percentage of the users actually receive a role? Is there a subset of the population that's missing? Do they actually need a role? Do they not? And then also go at it from a quantifiable view in terms of dollar amounts, just saying, here's what we have automated so far; how much does this actually save the company in terms of dollars?

So I saw a third hand raised, definitely still in the minority of the 40 or so people we've got on the call today. It seems like there's a lot of work to be done when it comes to getting roles in place, which doesn't surprise me. I think roles are very difficult, and I'm going to put Jim on the spot here. Jim, of the hundreds of clients that we've worked with, what percentage would you say have successfully rolled out roles?

I mean, it depends on what you mean by success, right? To that point, if the success is when you've rolled it out and you're not doing it anymore, well, 0%; you're always going to be doing roles. But if you're talking about who has achieved value through the use of roles, that is success. Obviously, if you spent a million dollars and you have very little value, that's not a success, but I think a very high percentage of organizations that do some form of roles tend to get, you know, outsized value, especially the early roles, because you tend to focus on the biggest bang for the buck. If I could, I took a note and I waited patiently, so on the
other question around HR data. So I feel like, you know, from a consultant perspective, there are two formal ways to handle that. So the first is, how do you prevent getting blindsided by this? At the very low level, let's start with, how do you make sure that some change doesn't go into effect on your HR system that you weren't aware of, and it crashes your system? So for me, that's done in change management. So change management should be, you know, the HR system should not be changing values in their system without going through change management. You know, so they're not, in the middle of the week, just deciding to go from three-digit location codes to four-digit location codes. As you go through change management, most companies do like one or two rounds of change management where there are release notes; you have to have a member of your IAM team on the change management board so you can catch that. What you really should do, though, is catch that early, when the project is being defined. And so as part of your SDLC, you should have a security architect or IAM architect who looks for things that would trigger, hey, this is going to affect us; our feed from HR is going to break when we go from three-digit codes to four-digit codes if we don't make an adjustment, so that they can input to that project team that, hey, IAM needs to be involved.

Yeah, I think what we're talking about there is like the IAM seat at the table, right? Identity is threaded throughout an organization, and really anybody who's working on identity, whoever is leading that program (it is a program, not a project, for an organization), they should be involved heavily with any of this stuff. There are a couple of questions that came in from Roshan and Christopher basically dealing with a similar issue, and that is data quality, or missing data, or changes in data from the authoritative source, and Jim kind of touched on that just now. You know, I feel bad for Chris; what he's saying here is, yeah, they went through an acquisition and it broke all their birthright RBAC roles, because I'm guessing the authoritative source changed some data and the identity team either was involved and wasn't given enough time to make updates, or, most likely, they probably weren't as involved with it and found out after the fact. That's a tough one to come through. I mean, this is where communication is absolutely vital. People need to know just how integrated the identity program is with all of the systems. If it's done right, it's great, right? You reduce risk, everyone's having an easier process to get onboarded, offboarded, compliance, HRIT, all that stuff. It's a great easy button. But if it's not coordinated well and not communicated well, it is an absolute nightmare. So that is definitely an issue.
And I think, you know, there's another part of this, where Roshan was talking about missing identity attributes within an authoritative source and how people are handling that. I think there's an opportunity probably to have some sort of augmented attribute list. It could be within your IGA platform, it could be within maybe something like an Active Directory or LDAP, that is fed by an authoritative source. I'm curious; I'll start with you, Ashley. From a missing or broken attribute standpoint, is that something that you've had to deal with in the past? And if not, if something were to come up, how do you think you would address that today?

Sure. It's definitely something we've gone through in the past, but I think we try to catch it at the beginning as we onboard new applications. So we actually take the time to look at those attribute mappings and see what would be missing for specific identities. So that's where we mainly capture it. So we don't onboard, or fully onboard and say we're done, until we get those attributes put into place. So that's probably how we combat it the most. And then for changes, again, it's just that constant communication; always have the seat at the table. You know, we always have somebody from architecture for IAM at the table, so they know about those potential attribute changes, and the project pauses until we can all get into agreement on how that's going to affect all the downstream systems. To Roshan's point, like, I think sometimes, you know, hopefully it'll never be a major disaster that happens, but sometimes it takes having one of those attribute changes for the business to see how involved and complex your IAM system is, and all the downstream effects. So that going forward, everybody's almost in a nervous state, like, we don't want to break anything; what do we need to do? And they get everybody involved.
Prince, I would imagine, with the complexity that comes with the size of an organization like yours, there have got to have been broken roles or things just not working the way they're supposed to. How do you tackle that sort of thing? Maybe we can kind of crowdsource some information here that Chris can take back to help him.

I think everyone has kind of hit it on the head. I would just add one other thing. So we talked about this concept of change management, right? But one idea is to have identity as an approver to certain changes, right? So if they are mature enough to go through a change management process, then now it's not just a passive "we told you about it," right? You have to actually approve of that change. The other thing is having a near-production type of test environment. So if you're making any material changes to the process, now you have these test plans where you run them through their paces, and you should be seeing that in the result. So if you change the role, et cetera, and now we don't have that configured in our system, the end result is that person's not going to get that access. It would have failed there, where you could catch it. The other thing is, you know, even if something is working well, there could be integration changes, et cetera, so it's important to have KPIs. Those KPIs allow you to continuously monitor the effectiveness of your program, right? So that when something does materially change, you can pick it up and maybe try to work and mobilize to solve it at the onset, instead of, like, you know, having this big old "what's happening here?" You want to know it first, be the first to know about it and address it. So I think if you kind of incorporate some of those strategies, it will make it a little bit better. Obviously, you're not going to be able to compensate for every single scenario out there, but those are some big rocks that I think will help companies kind of manage that, I guess, the prevention of a bad day, if something like that happened.

Yeah, you mentioned KPIs. It's almost like you're establishing sort of indicators of compromise for your identity platform, right? Something's not working the way that it should be. And, you know, the goal is to catch it before it becomes a problem. You know, when you've got a massive switch with your authoritative sources, that definitely screams change management and identity seat at the table, all the way. Beth, I'm going to put you on the spot here, because I'm going to put you in the same scenario as Chris. Maybe we can help him out. Your authoritative source has changed overnight and you were not involved.
What is your Monday morning going to look like, and how are you going to start to plot a path to recovery here?

Yeah. I know definitely one of those things is, you hope you have some triggers in place, you know, that would give you some alerts ahead of time, and me and my team are saying, you know, you try to make sure you know what's happening. One of our big triggers, one of my biggest fears, is from our HR system: people that are active or not active, right? That's going to turn everybody on or off from a birthright perspective. And we do have reports and things that are going out there monitoring for that flag, and we have a pause in the integration between any noted change from the source and then coming into our environment. So if a couple of our big triggers were to get modified, we have a notification string that's in place to let us know that prior to being posted. Now, of course, it's a window, but if you don't catch it, you're caught out. Yeah. I think an immediate response would probably be to call a major incident response, and I'm sure I would be at the head of the table. And then, like you said, backtracking the changes that came in to see what might have caused it. That would be our approach. Proactive is definitely better than reactive.

It sounds to me like you've got this identity bat signal that shoots into the sky, and it's like, oh my God, fucking this happened, we need somebody to come and help us. I wanna help Roshan out with the question he had, and it's really around that missing data from an authoritative source perspective. So let's say you've got Workday or ADP or something like that, and there isn't enough data in there to be able to drive downstream things that you want to have happen. And really, we're probably talking more about attribute-based access control, which I do want to leave some time for, and I know we're getting a little short on time here, so we're gonna go there next. But what are some methods that people might want to think about if there isn't enough data in your HR platform? Where else could I put data that might potentially drive some role-based decisions or attribute-based decisions for access?

Yeah, architecturally speaking, you have two options. I think one would be to build error handling into your connector. The other is to build some kind of layer of abstraction. So it would be, like you said, maybe dump the data into a database or an LDAP or something like that to, you know, kind of buffer the data quality. Those are, you know, what I think is the technical answer to it. You know, there's something that I wanted to kind of backtrack to; I keep doing this, backtracking to an earlier conversation, because I was bringing up a lot of things like, okay, if you have this process, you've got IAM architects on each of the projects and they're reviewing, and you might be sitting there thinking, oh, wouldn't it be nice to have all those people? Like, that's not reality. Jim, and also, I think it was Ashley, made the statement, I like that sometimes it takes a disaster. Well, sometimes it does.
But you know this is where As I am practitioners as leaders in the space, we've got to be telling our organization look. I am is Middle where I am is like other areas of it and needs to be treated with the same levels of discipline like project management like change management like having a governance body. You know it's got to be treated very seriously because if not things can break down very quickly, we can have that disaster.
We Don't want it to come to that disaster, but it's very apparent when it does happen. Yeah, you mentioned early on their side of the, the alternative. I was thinking, you know, like I met our virtual directory, which is what Craig Reno wrote in as well. Met a virtual directories and health checks that he calls circuit breakers, right? These are all the technical controls and be put in place to sort of prevent a disaster.
But they are still preventive as much as you can, does not replace the people and the process in front of it. To be able to try to head off. Some of the system's good Communications, make friends with the key links with your identity program, HR audit it, you know, if there's representatives for the business, Mitch brought up an unchanged an interesting point here which is absolutely true is that are back, doesn't work for everybody.
And this is kind of where I want to take the conversation next because our back isn't the only way to do access control. There's also a back attribute based Access Control. There's pee. Back policy based access control, which you could argue maybe are sort of the same thing. And in the case of Life Sciences, which is the, the, the example, he's using, is they follow more of an entitlement based access control, which is a
single entitlement. And so sad with a single roll, which sounds like there might be a lot of rules and really gives them granularity to be able to take an attribute based approach. And I'd like to understand, you know, I'll start with you Beth. What's next from a role perspective, right? We've got. We've been Talking about two are back but there are perfectly valuable other methods like a back and P back.
That could be used are those things that you've you're currently exploring or looking at? Or where do those types of things fall from your strategy when it comes to managing access? Yeah, I mean, attribute-based is definitely, you know, we have some Birthright things which are based on people's attributes way that we're doing it and, and Larry rolls layering. We don't try to build everything into one role.
We are actually trying to do a layering effect so that if someone it moves from one job to the other and different applications react differently. So and if I had everything bundled into one role for your job and you moved to another job, you might have to unroll people from a current application that they will still use in the next job. And we don't want to have to re-enroll them and have them start over. So depends on how different applications candle than enrollment in re-enrollment.
So we've taken a layer in effect where it's an all Associates and then by region and then by location and then by department. So as people Move through the company. We can pick and choose those layers and reapply their access and that is definitely all based on their attributes. Prince, when you think about the strategy of roles, I want you to put on your 2023 prediction here since we were at the end of the year. How do you see roles evolving a train? Is it still going to be
something are back? Have you started down maybe the path of a backer P back or some other methodologies for Access Control. Where do you think things are heading in the future? Yeah, and I think, you know, when I, when I think about, because we just got through this strategy discussion where they say, you know, where do we going to be doing? And one of the things I always say is and it's a, it's a, it's an answer. No one wants to hear what it's it depends.
Right. And that's because we're supposed to say that. Yeah, it depicts henna and they're the reason the reason that is and I say it depends is because it really depends on what you're trying to accomplish. What the company's tolerance in maturity is at that time, they care and fee need, right? So, if you are thinking of these big Grand ideas, and you don't have the right support apparatus is in place, it's not going to be it's not going to be functional, right?
If you have all this roles for all where you don't have the right, people to go and update them, Etc, understand what they are going to run into audit issue. So I think finding the right approach to the right situation is really should be the strategy and not try to boil the ocean and put one solution to fit all because our business is not a one-size-fits-all If it all, we apply different models and different things to different strategies.
And so, if that's why you say it, kind of depends, but I think the evolution would be taken advantage of these new tools that are giving us insights excetera about how people are using our tools where we have roles that people have, but they're not using their not logging into Quan that back, making sure that we are using that kind of a defense in-depth approach to kind of find the right people for the right situation. Some a big old Marvel nerd.
So I'm going to pull out Hawkeyes May example, right he's got the the oh bow and arrow. He's got a quiver with a whole bunch of different arrows. If you all kinds of weird stuff and maybe Batman's the same analogy, right? He's got the bat, the bat are back and the bat a back and whatever it may be. You do not have to follow one methodology, right? It's not like you're subscribing to, this is how we're going to be doing it and everyone must conform to this. This is not the Borg, right?
We're not going to assimilate in this scenario. What we want to do is try to come up with the Right approach. And it may be very similar to like what Mitch has done with his organization. Sounds like where they've gone down this entitlement route and it's very granular but if it works, it works right. You don't necessarily need to do to get super crazy with it. So I think that's something you kind of think about Ashley. Let's put on your prognosticator
had here. How do you feel about some of the other Alternatives when it comes to our back versus a back P back? And any other backs that might be out there? I think everybody said it. Well, I think the Alternatives are great, but it really depends on, you know, the situation at your organization. So, at least how I approach, you know, the future of our back in a back and P back and where we should use it.
When is actually listen to the strategies of the organization, as a whole and what they're focused on and try to get your head in the game on where you know they're headed from it, I am or rolls perspective and then you take that use case and you see does it fit in our traditional are back model? Do we need to mold and shape it into an a back model?
What is that actually look like? And so we're not just trying to come up with something out of thin air, we're actually using it for the specific, use case of the company that they needed that point in time. Jimmy and I spent an awful lot of time talking with you know vendors in this space other companies. Etc. What's the future of our back in a quick sound bite because I want to get to our closing out here.
Yeah my prognostication is our back will be just a good conversation next December, as it is right now payback and P back. Our this basically the same thing there they use that they get applied at the time of authentication, authorization. So I've got these attributes about me when I go to Kasi to access the application rather than it looking in the database of roles. It just says you have these attributes.
I'm going to give you this access the much more data-driven approach, which I think is ideally where a lot of organizations like to be, do they have the data to make successful? That is always the tricky question, right? I think there's varying levels of success that you can probably get to all right. Now we're coming up on time here and one of the things that we like to do on our podcasts, Identity at the center.com is to
really end on a lighter note. And so we were kind of thinking about this, you know, what's the one of the questions want to do this is something that's not identity related. Just to kind of have fun towards the end. I'm going to pass it around the room real quick Prince. What is the best or worst meal you have ever had? It just happened recently, I bought it insta pot and I put chicken in the air and it takes like boiled.
I don't know what it was, but I think for the chicken mark Cut, that's should be in the airfryer and not the Instant by instant pot. Chicken is amazing. So welcome to the club. Ashley, what about yourself? What's the best or worst meal you've ever had sugar? And I think mine comes just from a shock. So mine was actually when I took a trip to Germany. I just landed just wanted a drink, you know, was like, I'm tired. Let's like get a drink.
Let's relax. And so I had somebody ordered for me and then I come back and I taste it and I'm like, that's It's not a beer. What is that? And it was banana flavored beer that you can imagine it exists. And so you know on first reaction was like oh this is the worst thing I've ever tasted and you get into any like actually, this is pretty good but it's very functional. Like it's not what you expected, but Anna's love those flavors
that you need to be expecting. Otherwise it's like whoa, which is hit me. Exactly! That's what's the best meal or what? Worst meal you've ever had. Yeah, the worst villains ever had was the one that I made so I can blame nobody but myself. But I have learned the hard way that you do not ever put broccoli in a Crock-Pot. Just it's a hard. No, don't ever do it. Don't ever do to anybody that you love and your family. If you have that relative that you may want to do something fun for.
Yeah, go ahead and do that, but it does. That was the worst of me like that might be the most value piece of information has come out of them. Some Tire hours, don't put broccoli in a Crock-Pot, Jim best or worst meal. You'd had my seal your answer. Jeff, that's take that we had in Vegas. That Wagyu steak. It's like a hunter over. $100, for a piece of meat with no sides singing. This is the biggest rip off until I ate it. Is there anything better than a really nice dinner that you're
not paying for? I mean, but that's pretty, that's pretty good. There's the kind of jittery as a mortgage, your house for us. Yeah. No kidding. Speaking of, where's your house? I think my best meal was French Laundry. It was sort of a bucket-list item for us and my wife and I were finally able to take her parents there so that was pretty good. My worst is about us was pizza that I had in Paris which was completely awful would not. Man's. All right, we got two minutes.
I got one more bonus question and I want to see you know from the folks who have stuck with us the end. I want to take a quick poll, how many people think Die Hard? Is a Christmas movie. Raise your hand if you think Die. Hard is a Christmas movie. I see best got her hand up. We're seeing the sea, okay. Yes now we're seeing hands all over the board over here this might solve maybe some of the conversations you might be having with your family around this time of year.
You know what's the Christmas movie? You're going to watch. You can throw die. Hard out there because it absolutely, in my mind is a Christmas movie. So yeah, with that, we're going to ahead and kind of close things out. I'll pass over here to Tom. Thank you again for inviting us and thank you to Beth Prince and Ashley for joining us. You've been listening to Identity at the center.
We hope you've enjoyed the show, make sure to like rate and review and we'll be back soon, but in the meantime, hit the website at identity at the center.com and find us on Twitter at Ivy. Casey podcast, see you next time on identity at the center.
