
#218 - Identiverse 2023: *BAC with Gal Helemski of PlainID

Jun 19, 2023 · 51 min · Ep. 218

Episode description

Jim and Jeff talk with Gal Helemski, Co-Founder & Chief Product Officer at PlainID, about role-, attribute-, and policy-based access control.


Connect with Gal: https://www.linkedin.com/in/gal-helemski-b9542231

Learn more about PlainID: https://www.plainid.com/


Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/


Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter.

Transcript

This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff. And that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not too bad, yourself? I'm doing fantastic, man, and I survived last night. Tonight we've got karaoke, are you ready? Well, I'm, I'm ready, because I'm just gonna be sitting there watching.

Yeah, well, I have to make sure that I don't end up hoarse at the end of today, doing a lot of recording over here at Identiverse. And by the way, you know, we're doing this Nostradamus week idea. I think it's been going really well. What do you think? Yeah, I've got some good predictions. We've had some great guests. We've got another one today, we'll get to in a second. It's interesting to see Identiverse this year, AI is there,

decentralized identity. It seems like all the future stuff is starting to become more prevalent as topics within things, but there's a lot of new speakers too, like that people just haven't seen before, which has been pretty cool. So I'm digging that. Yeah, you know, I think everybody's like real open and networking here as well. So all those new speakers there, like we're talking about before, like you can learn so much from these individuals who are

out there in the real world, just like our listeners, implementing identity and access management technologies, and they just have so much knowledge to share. And I think what's great about our industry is that people are so willing to share that knowledge. Yes, definitely. That is like one of my highlights for sure. I think I mentioned that in our conversation, we talked about Andre Durand yesterday. I think it came up during that. So, yeah, yeah, it's good times.

Yeah, and by the way, I didn't point this out, but he was one of the few people who said, I chose identity. Yeah, he absolutely did. It's a rare bird. But yeah. Well, it's just also to think about, like, you know, Ping Identity and the size of Ping, and he's like talking about like his first day was just him and boxes, empty, and he had no emails. You know, I just picture that in my head. I'm like, that is absolutely insane.

It's funny. You know, everyone talks about inbox zero and your crazy inbox and stuff like that, and some people thrive on that, and some people are like, oh my gosh, I have way too many emails, when am I gonna get done. It's interesting to see the dichotomy between the two. It's like people who keep a clean inbox or have nothing, versus an inbox that's just jam-packed with stuff.

Yeah, so I had a client, I won't identify who it was, but he had gotten so far behind on his email that he, quote unquote, declared email bankruptcy. So that meant if you emailed me and you're expecting a response, you will not be getting a response from that email. So you need to email me again. It's like the big reset button. It's a big reset. Yeah, kind of wish you could do that for a few different things. All right. Why don't we get to our guest for today?

She's very, very gracious to gift us some of her time. She is Gal Helemski. She's the co-founder and chief product officer at PlainID. Welcome to the show, Gal. Thank you, thank you for having me here. Yes, you're all the way coming from Tel Aviv, Israel. Yes, we're suffering various versions of jet lag. Yours is probably a little bit worse than mine at this point, but this is the first time you've been on the show and we like to learn more about

identity origin stories. I actually met you several years ago, I think when PlainID was just kind of starting out, and it seems like you guys have grown quite a bit since then. Yes, we have. So this is a conversation that's definitely worth having and has been probably long overdue. Before we get to that, though, how did you get into the identity and access management space? Is it something that you

chose or did it choose you? Well, I think it chose me, actually. I, you know, I started studying physics, not even computer science. I did combine it a bit with computer science, but once I, you know, in Israel did the military service that we are doing, right after that I started working for a company called Memco, not sure if you know Memco, but it was one of the first cybersecurity companies, and they invented single sign-on.

So maybe, you know, some of the other names of that product, such as Proxy-Mices, SeOS, and so on. So that's how I started my IAM journey. After that, I joined CyberArk, which you probably all know, right? So again an identity company, and from there that was my primary focus: security, identity and access management, and now PlainID. So for those who aren't familiar with PlainID, the authorization company, I believe, tell us about it. Give us like, what's the 30-second,

60-second hallway, Identiverse pitch? If somebody's like, oh, what have I done? You know, what is PlainID, what do you do? Yeah. So PlainID is the authorization company. Authorization is connecting identities to digital assets, right?

We enable organizations to manage, to control authorization policies in a consistent way, a centralized way, and enforce those authorization policies in the different technologies which organizations have today, whether those are applications, APIs, microservices, and data. So that's the 30 seconds about authorization, but we are going to talk more about that, right?

Yeah. We're going to get into PBAC, ABAC, RBAC, all the BACs, I'm sure. Authorizations are really hard to do cross-application, cross-cloud. I'd love to get a little more about how you kind of approach that. Before we get to that, we were kind of talking a little bit before we hit record here around introductions and say, okay, we've got Gal, she's the, you know, chief product officer, but you also do CTO work as

well. And you kind of had this interesting spin, which I totally get. It makes sense. I was originally going to introduce you as CTO slash CPO, product officer, not privacy, C-3PO. Yes, very. But she had this interesting response. Why did you, why do we settle on the introduction of chief product officer and not both? Yeah. So I believe that product actually drives technology and not the other way around. Eventually we are building

products for our customers. We are not throwing technology on them that they can't really use. And that's why I believe product should be the primary focus. Product should be using the technology options which are available in the best way it is possible, and not the other way around. You can just fall in love with technology and then try to turn it into a product. I think it should be the other way around, because sometimes you need to choose other technologies that can better fit

what your customers are actually asking. I love that connection between customer requirements, customer needs, to the technology that can address them in the best way. So, give a standing ovation. I would, because I love the idea of identity as a product. Even if you are a product company, even within an organization, identity is a product that you're serving to your constituents: employees, vendors, consumers, whatever it may be.

So yeah, I don't have my sound effects here, but standing applause. I like that concept, Jeff. I mean, you're putting together a product, and if nobody's buying it, that ought to be an indication that it doesn't have a lot of value or something's wrong, right? It could be value, could be awareness, maybe you've got wrong assumptions, but yeah, nobody builds something and hopes it doesn't get used, except maybe disaster recovery. It's kind of a weird way, but yeah.

Right. I get where you're going with it. Yeah, so Gal, you're the co-founder of PlainID and you talked a lot about PBAC. Can you give us an overview of what PBAC is? Yes, I'm going to start with what PBAC is not. PBAC is not marketing, just marketing. You know, some people might argue, but I do want to emphasize it hasn't been developed in that phase. PBAC is a way to manage authorization policies. That's PBAC, it's a management method.

And if you look at how this space has evolved, it started with ACLs. We all know ACLs, right? Access control lists. That was the very first way we started managing authorizations, and then it evolved into role-based access control to try and simplify how we manage authorization. That ended up in role explosion. We are also all familiar with that. ABAC, attribute-based access control, tried to maybe

solve some of those challenges. ABAC is eventually the method of leveraging attributes from the identity and the asset the identities are trying to access, defining the combining relationship between them, and then making decisions based on that. But it did also lack some stuff. It was very, it didn't include all the processes which are required, and then came PBAC, and PBAC is not a replacement. I mean, it's very important to understand

PBAC is a method of management. It includes, yes, ABAC policies, it's obviously leveraging attributes, but it also uses roles. Roles are just another attribute of the identity. We can't throw away roles. We can't do it, because we don't know everything about the identity. So that's really PBAC: one, business policies; life cycle of how policies should be handled within the organization; and then enforcement, different methods, because so many

technologies are out there. Can you give an example? Because I do think that, I don't think people confuse PBAC with RBAC so much. I think people have that concept down, but PBAC and ABAC, and I think you pointed that out, people think it's the same thing. Can you give an example of PBAC that will kind of highlight that difference? Yes. So ABAC started as a very technical notion. Let's leverage attributes to define connections between identities and assets. Right?

That's ABAC. That's very clear, but it doesn't include the processes. Eventually we know authorization should be governed, should be audited, should be managed as a lifecycle, all of that. And that is what PBAC brings to the table. The policy is not just a technical tool. It's also a business representation of the decision the organization wants to implement within their systems, right? So it needs to be expressed in that way.

It needs to go through a life cycle, through the processes of the organization: development, staging, production. How does that look, right? It needs to have some kind of review process, simulation maybe. Those are all elements of the policy system that the organization needs, I think. So, shout out to Paul volution, friend of the show, one of your employees there at PlainID, and he actually made the introduction

to get you here today. But he had given me a demo, and kind of one of my big takeaways was that, you know, the PBAC system could pull data attributes that were maybe traditionally not identity data, or they're not like in your LDAP, right? You can pull this data and start to build an uber profile of a person. Now apply the policy to it, and now you've got something that's, you know, a force multiplier, if you will. Exactly. It

sits on top of all those attributes that are being pulled about both the identity, by the way, and the asset they're trying to access. So leveraging both sides in order to make the decision. Yeah. Where does PBAC fit from a strategy perspective? Because I see a lot of organizations struggle with roles just in general, like, oh, we want to be an RBAC, you know, shop, for lack of a better word. And they get some percentage of the way down the journey.

And then they stop making progress. If I'm going into a greenfield situation where we really haven't started anything yet, I've always been more of a fan of the attribute-based side of things, because I feel like it's a little easier to set up, because it's, okay, well, what are some key attributes? Are you an employee or are you not an employee? Okay, well, if you're an employee, you get this.

And now we've got some sort of access control like that, and maybe you start to combine a few different attributes. And for a long time, I'm glad Jim asked the question, because I thought ABAC and PBAC were the same thing, it was just PBAC was the marketing term, and I don't know, ABAC wasn't sexy enough, I don't know. But as I've said, you know, I've learned more over the years.

It's like, okay, I get it. If I'm going into an organization and I have not yet taken the journey towards any sort of consistent access control method, any of the BACs, could I start with policy-based access control, PBAC, or are there prerequisites to be able to be successful from a policy standpoint versus an attribute or role-based perspective? Yes. Oh, I think you should start with policy-based access control. I think it is a core component of any modernized

IAM infrastructure, but you know, you need to understand you can't do without roles, and I'll explain. Okay? You gave an example where you're leveraging HR data to make decisions, but it's not enough, right? We can't make all the decisions just based on what HR knows. And we all also understand that HR doesn't get it always right. No, come on, HR data is always pristine and never needs to be cleaned. You know.

I was also thinking of a scenario like, let's say you wanted to have an authorization based on, you know, you can only access this if you have more than a hundred thousand dollars of assets under management, right? Well, that's not data that you would want, you wouldn't want the person's account balance in your IAM system, where you'd want the ability to apply that rule: they get the access, yes or no. Hmm, right?

Yes, exactly, exactly. And that's another key component which needs to be well known, right? PBAC is not just about those dynamic, fine-grained decisions. Eventually authorizations are not implemented just one way. There are so many ways authorizations are implemented today, and even if we want for a standard to be out there, it would take some time, if at all. We need to be able to manage authorizations

for application-level security. We need to do the same for APIs, for microservices, for data, and we can't say one fits all, right? It doesn't work that way. That's the advantage of PBAC. It enables you to manage the decisions in a consistent way, regardless if it is for data access control, API access control, microservice access control. And that's important.

That is a key component. PBAC does not enforce technology. PBAC is a method of management with many options of enforcement. All right, I'm going to push a little bit into a rabbit hole, but hold on, I promise I'll stop. But I would imagine a scenario where, let's take that

example I had where, you know, people can only access a certain portal if they have a hundred thousand dollars under management. So presumably that would be some kind of like web service call to some system that would say, you know, Jim has the assets or he doesn't have the assets. Ideally that's in real time, but you can see the potential hang-up if that's in real time. So you have to probably stage that data, which is always like why virtual directories existed

in the first place, right? So I would imagine that's one of the real challenges when it comes to authorization. It's like, okay, how often do I have to refresh this, my data that I'm going to base this policy decision on? Yeah, absolutely. And you know what, that's how we used to do authorizations. But now I believe you would find more advanced ways. There are actually four patterns to authorizations, and that's also, I don't know if

it's a well-known fact. But in the old standards, there was just permit or deny. So you could ask the question, can I approve this transaction, which is more or less than 1 million dollars, and get a yes, no. But that's really inefficient, and you need to go through your data over and over again. Right. Today there are more patterns, like I mentioned, patterns for authorizations. In addition to permit/deny, we also have entitlement resolution, which is an

open-ended question, right? What are the list of capabilities a user can do within this session? People might even consider that as login-time authorization, to support the authorization for a login session. There's also resource resolution or asset resolution, which is the same question, per a specific asset. What I also call user resolution is, what are the list of users per asset? And the most interesting one,

which is, I think, the answer to the example you gave, it's called policy resolution, and this decision is what handles data, because you do not have to ask a permit/deny per transaction, you don't need to do that.

You need to put your controls in that case on the data level, and therefore the data which the user can see is only the data the policy enables him to see, not by transaction but by filtering the data the user can actually access. Implementing those within your overall architecture provides you the best authorization solution and obviously security in place. So that gives a good background, I think, of PBAC and what it is

today, right? We talked about, going to talk about how things are going to be in the future, and one of the things that I'd like to know would be, do you see PBAC overtaking RBAC in the future? And let me just, before you start answering that, I feel like, I don't know if Jeff really agrees with this, because we kind of got into it on this topic before, but I think that the popularity of RBAC is what it is because people understand it.

I've got this role and I put people in the role and then they get this access. I get that. Or if it's a dynamic role, it's, you know, I take the data and my plug-in, I understand that. All right. And it's auditable, my auditors like it. Now, I think PBAC's challenge, I think it's much stronger, I think it has much more capabilities, I don't think people understand it, right? We're here on the Identity at the Center podcast and I'm learning a lot. Just listening to you, I'm

learning a lot. So how does the data, how does this information get out there? And now bring it back to the simple question: do you see PBAC overtaking RBAC in the future? So no, I don't, and also I want to emphasize this is not a war between PBAC and ABAC or RBAC. They are all needed in order to support the advanced authorization requirements organizations have today. Let me go back to the example you provided. Yes, you are assigning a role to a user and that's simple to

understand. But now let's ask the question: what does that role entitle the user to do? Who makes that decision? You are a doctor. Okay. What can you do? Can you see your patient records? Can you approve some kind of subscription? That is authorization. And that's the difference, and that's what needs to be understood by the broader audience. You still need roles, because you need to give some title or some, I don't know, information which is personally

assigned to a user. But the decision which is attached to that, or the logic which is attached to that, all that is authorization. It takes the role and explains the role to the application, resources, to the data, to whatever. PBAC is still a concept of like centralization, right? I mean, you're not talking about at the app, because to me it's like, if you have a great orchestration of what you should have access to in these

applications. But then when you get to the application, they have three roles, three, you know, very simple levels of what you can do within the application. Then getting to a least privilege model is pretty difficult or impossible. Right? Well, if you just rely on roles, then yes, but let's talk about least privilege. What is least privilege? What does that mean? It means that you can access whatever resources at a specific

point of time. To begin with, you do not have access, obviously, but you'll get, you get access when you need it to the specific function or resource, whatever, right? Now what is identity first? What is identity, well, what is zero trust? They are all saying basically the same thing: when access is made, let's understand who the user is. Let's make the decision if this access can be granted,

and to what level. They are all eventually talking about the same concept, the same notions: access should be much more advanced. It should be dynamic. It should be smart. Whatever marketing terms you want to put on top of that, make the decision for the user in the context of the access at the time of access, obviously, where possible, or as close to access as possible. Right? We make it sound so easy, but

it's hard, right? I mean, if we think about it in the real world, authorizations are a mess for a lot of companies. Yes, it is. Even if you just look at Active Directory, naming conventions don't make any sense, memberships are incomplete or off, you've got nested groups. Now you start taking that problem and adding in every other application and trying to

come up with, well, what is the policy for someone across 20, 30, 40, 50 different applications? Maybe the end system doesn't support that granularity. Yeah, from an authorization standpoint most probably doesn't. You are absolutely right, but you know what? That's the chicken and egg here. Right. It's always like that with technology. Think about SSO, so SSO.

So today the authentication, if you're saying authentication today, everyone in the space would automatically think about IDP and OpenID Connect or SAML, depending where you are. That's a given, that's even a commodity today, but going back 10, 15 years, that was not the case. I still remember trying to convince application owners, where I walked to connect to Active Directory or later on to connect to whatever IDP I had in place: no, we don't want to speak with your

authentication system. We have a built-in authentication system. If your system goes down, my application's not available. Exactly. People get mad at me. They don't yell at you, they yell at me, and I can't control the experience to the level that they think that they want to.

That's where, I mean, that's a common organizational struggle, where to me it's like too much decision-making has been delegated out to, you know, the business unit or the application teams, where it's like, if you can't get buy-in around a simple concept like authentication, then you're in a position where you can't really push anything. Well, to Gal's point, though, single sign-on was in the same boat exactly 18, 20 years ago, and it took time, as it always does, right?

We talk about cycles, and yeah, some organizations are agile and can be, and some aren't. It takes time to build in that functionality. Authorizations, I don't know if I've seen as much of a shift towards, yeah, we do need to build in more granular permissions. Sometimes you see it. Sometimes it's hidden behind extra licensing or subscription costs that SaaS products like to charge extra for, for a team

license, right? Or something like that, versus an individual seat or something like that. How do we get applications to get on board with, you know, having more flexibility from an authorization standpoint to be able to enable stuff like this? Yeah. So like I said, it's a chicken and egg. You need to start somewhere. Where would you start? With the newer technologies, with the new developments, right?

Consider an organization which currently takes big monolithic applications and converts them to microservices, which is a common theme, right? A lot of organizations are going through that transition. How do you provide authorizations for microservices? Would you go develop that by yourself? If in the past developers

said, I want to own that code, I don't want you to tell me what to do, once you move to microservices, that's not the case. Each microservice owner wants to be responsible for the business logic of his small microservice. Authorization should be a service, like authentication, provided to all those microservices.

So this is like a very good opportunity to start thinking. Don't worry, don't try to take care of all your legacy applications, that for sure would not work, but look at new development, new initiatives which you are onboarding. So that would be one. Second, I see more vendors, like COTS, SaaS applications, supporting built-in policies, and that's another opportunity there, right? So the market is evolving, still slowly, but it is evolving.

I think we are seeing a very similar path to what happened with SSO, with, you know, single sign-on. Yes, it's more complex but also more interesting. It's a fundamental shift in the way we do things. Yeah. Just like MFA was a fundamental shift to authentication. It's very difficult to change how we do authorizations in a short time period. If you're building an application, to your point,

yes, you can do that. You know, if you're on a RACF mainframe, which we've been saying, you know, is going to die for, I don't know, 30 years, and now all of a sudden it's hot again, you can't find people who know how to do it. There's these great cycles, and sometimes the answer is no, we're just not going to do that, because the cost is too great to invest to re-architect an application. When it is time

to replace the application, let's take this as something that we want to consider as part of the, you know, the purchase decision, which is why I love having identity have a seat at the table for new applications coming in, having some sort of standards: don't go buy a product that doesn't integrate with open standards to do authentication, don't go buy a product that doesn't set us up for future success from an authorization standpoint either. Maybe it doesn't have as much cachet

right now from a, you know, a purchasing decision standpoint, but it should be something that IAM teams out there who are listening, and who have influence over steering committees or architecture review boards, or whatever, you know, political thing exists within an organization, to say, yes, we're going to get that app, these are the things that they should be aware of when they're

making a decision. No one goes out and says, I'm going to buy this thing and I never will be able to connect it to my Active Directory. Oh my gosh. Why not? Exactly. And you know what? You touched another very important point. Absolutely agree with you. New identity people, they need to be part of that discussion. Today there's a bit of a disconnect, right? Application owners, they're doing what they want. AppSec, data, stack is not connected to the identity space.

And that leaves a very big gap there, because authorization, eventually, if you think about that, authorization takes all the efforts which organizations have placed into identity and access management, well-defined identities, well-managed identities, well-authenticated identities, and brings all that effort into the application space, into the data space, but they need to stick together on the same table in order for that to happen. Can I ask a side question here?

Because it came up this morning as part of the opening keynote for this morning, about the role of potentially having something, a chief identity officer, and having a seat at the table at, you know, basically the C-suite. So right there with CPOs and CTOs and all the C people. Where do you stand on that? Because I thought it was an interesting discussion this morning, the panel with Andy Hindle and Glaser and Claire something, I don't personally know

someone else. There were a couple other folks, I forget their names. I really apologize. I should have been more prepared to ask this question, but it just occurred to me as I'm thinking about it here. Do you think now is a good time to have a chief identity officer sitting at the board level or reporting to a, like those other roles might be, or do you have a different perspective on it? So I haven't thought about that too much, but I do believe it

should roll under security. Because why would you do that? Why would you do authentication? Why would you do authorization? And the reason is security, in many cases. And eventually, all of those technologies are a means to an end. And the end is the business objective of the organization. Not having multi-factor authentication or well-defined authorization, that really

doesn't matter to anyone. They want their organization to perform according to its business objective, and to do that they need the support of security and IAM. So that's the way I currently see that, but still new to the concept. So I'm going to try, later, to turn this into a question, but during Andre's keynote he talked about,

okay, well, really what's important is, like, I kind of feel like our industry has done a pretty good job on the authentication side. When you can see what's happening with it, it's like it was getting better and better in terms of validating that the person, or potentially the non-human being, is who they say they are, they can authenticate. The problem now that we need to solve is on the authorization side, and in my mind where I was going with this was

like the over-provisioned account problem, right? Which, kind of pulling back to the statement, it's not RBAC versus PBAC, and I agree with that, because I feel like PBAC is, in this context, kind of like the scalpel, whereas RBAC is kind of like the sledgehammer or the axe, right? It's like you have two hundred applications, you're probably not going to do PBAC for all 200 applications, but for your big ones it's like that's where we use the scalpel.

We've got to really, this is my idea anyway. So I think that over-provisioned account problem, because you have all these accounts sitting dormant, they've got all this access, if these accounts get hijacked somehow, now they've got tons of access that they didn't really need to have in the first place, and I think RBAC puts you in the position that that's what's

going to happen. I think PBAC is kind of more like on-the-fly decisions, so it's not like an over-provisioned account sitting there with that access. Do you see things that way? Is that the right way to think about it? Yeah, yeah, and I think it's evolution, not a revolution, and that's part of what you have mentioned. PBAC does not replace any of the other stuff.

PBAC makes them better. So yes, we have over-provisioned accounts, the reason being that's how applications operate today. Applications, the majority of them, do not know how to operate without that account being still, and we do see newer applications having that ability, which is great in my opinion. But that's again an evolution which PBAC supports. RBAC cannot support that, PBAC can support that, but it's the combination of both that enables,

enables that to actually happen. I like to think of myself as pragmatic, right? And this is where I think ABAC has a role, because you may get into a situation where, with your IDP, you're integrating many applications, and these are just to pass them the attributes that they want. It's not Social Security numbers, it's not bank account balances. Fine, you guys want to take the attributes and determine what parts of your application.

Pragmatically speaking, I'm just going to pass those. So to me that's where ABAC, or if you don't have a PBAC tool, that might end up being your answer. I feel like if you're going to go down the PBAC road, as more of, you know, somebody delivering this authorization service to the organization, you have to have more of a partnership with the application teams to make sure that you're applying these policies correctly, putting people into the right roles.

Correct. I mean, of course you have to put them in the right roles, but it made me think of where we were with authorization maybe a decade ago, which was XACML, right? The XACML standard. And I always felt like the XACML standard was, I didn't see very many organizations implementing it, because, back to your original point, it was hard enough to get teams many times to give up authorization, right?

And maybe I'm just thinking of a point in time where I had to physically deal with trying to get a bunch of applications with different application owners and their own agendas to get onto a common authentication platform. That was really hard, but then to get them to give up authorization, where you're making the decision whether or not the end user can see a screen within their application, it's like, no way, not happening. You're not qualified to make that decision.

And to me, that's where XACML put you. Now, to me, there was a use case for that. If you had a situation where, you know, you are a security-first organization, and you absolutely had to have a paper trail in a central location of what people could access and did access, that put you in a good position to do that. But it feels like nobody talks about XACML anymore, which is a good thing.

No, I'm just, okay, so I think XACML meant well, and it was a good evolution of the market to start speaking about authorization. I also believe that is part of the reason people are afraid of authorization, just because of XACML and the complexity it brought in. But XACML is not the only method for authorization management, certainly not for authorization enforcement.

There are many new developments today, and we can see them all over the place, like OPA, which is an open standard, Amazon Cedar. We have other developments as well there. And I think that those are all good indications, because it means there is the need. What we started with, maybe XACML, was not good enough, was too complex for us, and we're looking for new options, and that's good. That's the evolution the market is currently going through.

We need to, I would say, shake out that XACML-is-bad notion. Maybe in some areas it's currently still okay, still good. I, from my personal perspective, do not see organizations now adopting XACML for new implementations. Does it seem like a lot of the concepts from XACML still exist? Like policy decision point, policy enforcement point, policy administration point. Like, to me those were like, oh yeah, that helped me understand authorization.

Yes, I think those concepts still apply, right? Yes, absolutely, and that is certainly a very important contribution of the XACML standard, to put in place those main elements of an authorization solution. But let's not get too much in love with that, because we are seeing that the solution eventually can be more distributed. For example, we cannot force all technologies to outreach to the PDP, the policy decision point. That's not how it works today.

So we need to kind of understand those as separate components that can reside in the technology itself, not just in the authorization solution, and that's how we need to think about it. Maybe I got the nuance that you're talking about there, the distribution, which I think is kind of like, okay, if you're talking about a PBAC system, you have the IDP that's somewhere in the chain of person to the applications, and an authenticated user, it's doing some call to

that PBAC system to get, give me the authorizations. I'm going to stick these in the information I'm sending to the application. Yes, for example. Yeah, that would be one example, and it's a good example. It's not against how authorization should be treated, because again, it's the technology that needs to consume the authorizations. We can't force the technology how to work. We can't force the application to call out each and every time it needs a

decision. That failed. It didn't prove itself. So we need to be more flexible. By "we", I'm saying the authorization solution. The authorization solution should be flexible to accommodate the different technology requirements: an application that needs everything in advance, and an application that needs more elaborate decisions, that is fine. And surely the objective is to be able to see the decisions, to

manage them in a centralized way, to be able to govern and audit all those authorization policies. That's what we want to achieve, not at the underlying technology, which controls enforcement. There's so much to unpack here. Well, we can do some more vodka. Yeah, each and every subject is going to come back, but I know we've got different engagements that we all need to get to, probably, so we'll probably

start to wrap things up. But to close us out with a lightning round, something where I'm going to say something and you give me your gut reaction or prediction or whatever you'd like to go off of it. So it's kind of a dealer's choice, as we're in Vegas. RBAC and PBAC, what comes to mind? Also, we sections, that was kind of a softball just to get things warmed up. Zero trust? Wide concept, needs to be better understood in the market. Artificial intelligence? Oh, cool.

Interesting future, and one I'm just going to throw in: blockchain. Yeah, absolutely. I absolutely believe, a big believer. Yes, I am. What do you think is the killer app, the killer use case for blockchain other than cryptocurrency? Okay, so not allowed to talk about crypto, and this, to the can, if you want, but just, well, there are many, there are many, and I think decentralized identity comes to mind, because that's the

space. I mean, I think it would be very interesting to see how that would evolve, having each person own their own identity and the data which is associated with their identity, and having the ability to share that, not as, you know, just one package, but in a smarter way. And certainly I want to go back to artificial intelligence for a minute, because relative to authorization, I think there is a big opportunity for AI, which is again, with these over-provisioned

accounts, to be able to crunch the data of: you have this access, but you're using this access, so therefore all this other access you don't really need, we could take it away. One of the things I've been kind of turning on is, well, if you don't write those rules very carefully. So let's say you use this access in six months, you don't need it. Well, what about like a routine annual review? Just like you do the annual reviews of people?

People annually. What if that got taken away in August because you hadn't used it in a year? Man, not a good thing, right? It happens all the time, your audit cycles, and it's true. It happens. Anyway, right, how do we get smarter about that? Maybe there's a way to say, hey, we're, you know, because of the time of year, an attribute or policy comes up and says, for people who don't normally carry this access throughout the year, but we know it's a busy time

this season. Maybe you were ramping up password reset support, because we still are killing the password 20 years later, you know, things like that, where you have more of a dynamic or ephemeral access policy, where it only exists when you need it. And because you have the data to be able to determine, predetermine, when you're going to need it, we know there's going to be a spike in something, or we know that we're going to kick off a certification.

All the people who don't carry the access, you kick it on for the pilot, for the access owners, or whatever it may be. I think there's ways to go with that. Let's see, now we're getting into AI at the center again. Yeah, we've been told our podcast is becoming AI at the center. That could be a compliment. I mean, we can't ignore it. I mean, it's everywhere here at Identiverse. People are not, well, we've got to figure out how

we're going to work with it. It's not going to go away. I think at some point in the last two years, the name Identity at the Center kind of finally hit, like, oh my gosh, genius. Like, you guys saw this coming? Yes. Well, here's why I say we just call it Identity at the Center. People say identity is the new perimeter, and then we're at the identity-is-everywhere conference. So it's just identity, identity, identity. All right, let's end on a

lighter note. What's been your favorite Identiverse experience so far this week? Okay. So the many, the many events and, you know, discussion panels and so on. I was primarily in meetings. So I'm just being locked in a meeting room to speak with customers. That's what they do. So I would say my favorite experience was the pizza place. I really like pizza. Okay. Which pizza place, the one here? That's where I saw you. Yo, yes, exactly. That's where we met on that first day.

Yeah. What did you end up ordering to eat? Well, what's on your pizza? Basic, you know. Oh, the Napoletana, like they call it in Italy, something like that. Just plain traditional pizza. I like the margherita. Yeah, my belief is, yeah, exactly. I actually went to this place to get pizza and I wound up getting chicken parm, and I don't regret that decision one bit. It was fantastic. I had margherita pizza on Monday when I flew in, so hey, of course, we're good.

Yeah, Jim, what's been your favorite experience? So last night we went out on this party bus with my friends from accents, thank you to them. They had that Jason Statham impersonator. By the way, his real first name is Jason, Jason Stanley is his real name. Very cool guy. And what I realized was, when you get a bunch of IT people together, right, we're kind of like a tame crowd. So having somebody like him kind of get everybody dancing and doing their thing was really cool.

So "party bus" kind of sounds a little intimidating, which is, I think, why they probably didn't have a bigger crowd than they had. But I mean, we basically took a bus, and they had, like, an open bar on the bus. We took this bus to that Welcome to Las Vegas sign, which everybody knows. And then we went to the Fremont Street Experience, they had an outdoor concert. I mean, so if you need a recommendation, take it. Next time I come to Las Vegas, it's

either spend some extra non-business time or come here on vacation: Fremont Street. Looks like that's my speed, man. Like, you know, they've got the $11.99 steak and lobster dinner. They've got open concerts, and it's technical wizardry. Like you think Times Square or the Strip here is like neon, go there. You feel like it's full daytime because they have an overhead TV just bigger than any I've ever seen before, and just, like, great, fantastic experience.

So, yeah, last night. Sounds like, how about you, Jeff? You know, it's a lot of little moments, walking through the hall, seeing people that I haven't seen before, being able to thank guests that we've had on the show that we haven't been able to meet in person over the years. I don't know what it is, but I guess I'm not as approachable as you, because I know you have always had people coming up saying, hey, I listen to the show, and for that, which is very cool.

We always appreciate all our listeners. I had one last night, which was great. I was walking back to my hotel room and I think his name was John. Hopefully, with John from Transmit, something like, hey, Jeff, I listen to the podcast. Like, oh, very cool, thank you very much. So you're definitely the more social butterfly, but little interactions like that, I think, are very cool, and being able to kind of talk with folks like that. Yeah, yeah.

Like, well, half of it is like me grabbing people that I've known over the years. I saw Ryan Rossi in the vendor hall. And, you know, we go back a long time, back from his ForgeRock days, and he left ForgeRock and now he's back at ForgeRock. So yeah, it's great seeing him, and he's supposed to come out and do karaoke tonight. So we'll see. We'll see what you're supposed to sing tonight. You still haven't told me what your song's going to be. Jesus. And told me what

misunderstanding. Okay, well, I won't be singing. So hopefully people come out and join me on the bench watching. There you go. Hey, I think you guys will have just as much fun, if not more, definitely. All right, let's go ahead and wrap it up for this one. Gal, thank you so much for being part of this conversation. For folks who are interested, we'll have links in the show notes, but you can check out plainid.com to learn more about what you guys are doing. Your speech was very cool.

We'll also have a link to Gal's profile on LinkedIn, so you can connect with her and tell her why she's right or wrong when it comes to, I guess, anything, but probably something identity, right? Is what I'm guessing. We're on the web at idacpodcast.com, on Twitter at @IDACPodcast, Mastodon, I still have Mastodon. So I still post, we have one or two people who sort of engage on that side, and like a post. We definitely appreciate that. Our friend Chris is one of

those. So I basically do it for Chris. Do it, because it's hard. Yeah, Chris Powers. But yeah, we're on Mastodon at idacpodcast at infosec.exchange. Obviously, you can always connect with Jim and I. We've got a lot of interesting things coming up. I think I want to get into a little more, I ran this Chief Identity Officer role, and Jim and I are going to kind of float some ideas

and take it back again. We've got Ian, Ian's coming up next here, except, so yeah, so that would be a good one to springboard off of, maybe. Yeah. And that's pretty much it. So subscribe, like, all the cool, fun things that, you know, people like you to do when you listen to podcasts, and we'll talk with everyone in the next one. Thank you. You've been listening to Identity at the Center. We hope you've enjoyed the show.

Make sure to like, rate, and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com and find us on Twitter at @IDACPodcast. See you next time on Identity at the Center.
