
#231 - Authorization 2.0 with Rich Dandliker of Veza

Sep 18, 2023 | 1 hr 4 min | Ep. 231

Episode description

In this episode of the Identity at the Center Podcast, Jim and Jeff speak with Rich Dandliker, Chief Strategist with Veza, about the topic of Authorization. They cover several questions, including the rise of authorization in the past year, the importance of the human element in being successful with authorization, and the impact that AI is having on the authorization space. Additionally, they discuss the early XACML standards which have shaped how authorization is conducted today and some use cases where an authorization tool solved a real-world business problem.


Connect with Rich: https://www.linkedin.com/in/rich-dandliker-591381/

Learn more about Veza: https://www.veza.com/


Identity Week America - use code IDAC30 for a 30% discount on your conference pass: https://www.terrapinn.com/exhibition/identity-week-america/index.stm

Use the code OKTNIDAC30 for 30% off your Oktane 2023 registration at https://www.okta.com/oktane/

Authenticate Conference - use code IDAC15PODCAST for a 15% discount on your registration fee: https://authenticatecon.com/event/authenticate-2023/


Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/


Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter.

Transcript

This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff. How are you? Not so bad yourself. I'm doing great. I mean, there's been some interesting news in the identity space recently with Thoma Bravo closing their deal to acquire ForgeRock.

It seems to me, based on my LinkedIn, that people from Ping and from ForgeRock seem pretty excited about, you know, the future. I mean, I've only seen positive come out. You know, I don't know that. I mean, everybody's speculating. What does this actually mean? What is this going to look like in the future? I'd like to extend an invitation to anyone from Thoma Bravo or Ping or ForgeRock who wants to come in and talk on the record on the podcast to please reach out to me or Jeff.

And we'd love to have you on, because people, we all want to know what's going on. Yeah, I think people have been thinking about this for a while ever since, you know, the intent was announced several months back. Now at this point we asked the question on stage at Gartner to our, you know, our friends Henrique and Becky. They didn't know, right, just like anyone else. I think we're starting to see it now, right.

So the deal is closed and I think almost immediately they announced the, you know, the merging of the two companies, ForgeRock and Ping, and Andre Durand has been announced as the leader for that. So it's interesting times. You know, it's never a dull moment in the identity space. I think we kind of saw, you know, like okay, like what's the plan here? Be curious to see how things continue to evolve in the space.

But yeah, definitely happy to talk with anybody from Ping or ForgeRock who wants to come out and talk about it. They wouldn't get Eve. Eve's always been good with us. He's been great. Yeah. I just don't know how much, you know, how much freedom she'll have to talk about that kind of stuff, but I'm going to go out on a limb and say none. I mean, it's companies, it's corporate, there's money involved, right? Stocks maybe. I'm sure we'll get company lines

and stuff like that. But seriously, it'll be interesting to see how things will turn out. What's the plan here between ForgeRock and Ping? In certain areas, they're definitely competitors. What's the plan to fold those together and figure out how it makes each other better or stronger or faster or something like that? I mean the, you know, the customer list of those two companies now combined is just unreal. But by the way, you did bring up Andre Durand.

If I could mention, he's an Identity at the Center alumni. I'm sure that was the highlight of his career. Of course, up to this moment anyway. As it should be for anybody. Yeah, absolutely. So that's cool, cool news. I'm sure this is going to be the biggest thing that folks are talking about at the upcoming conferences. We've got quite a few of them planned. I mean it's kind of hard.

It's the elephant in the room, the gorilla in the corner, whatever the right analogy is. But I'm sure people are talking about it, especially when we start talking about authentication. So we've got a few things coming up like that. But yeah, we've got conferences coming up. So I'm going to be at Identity Week America. That's October 3rd and 4th. That's in Washington DC. I'm hosting a panel discussion on

passkeys. Actually starting to get the panel together later this week, so we're actually starting to figure out what it is we're going to talk about and try to put together, you know, a good discussion around passkeys and authentication, things like that. So we've got a discount code that the fine folks over there have provided to us. This works for both Identity Week America and also works for Identity Week Asia later this

year. So if you use the code IDAC30, I-D-A-C-3-0, you get 30% off of your conference pass. Yeah, we're actually dividing and conquering that week because I'm going to be on the East Coast at DC at Identity Week America and you're going to be on the West Coast over at Oktane. Yeah, I'll be at Oktane. But one thing we will have in common is we'll both have the new updated Identity at the Center stickers. What's the update? You got to be clear what the update means.

The update doesn't mean that you look, you know. But the old stickers had a fatal flaw, which was they were very hard to get the backing off of. And so now the new and improved stickers are super easy to get the backing off of. And you look, it's like these little tweaks, it's like the iPhone, you know, from iPhone 14 to iPhone 15.

I don't know what all the features are going to be sitting here today, but they're probably going to seem like small features that just make it so much nicer to have. So anyway, well, you'll have stickers. I'll have stickers. I'll be at Oktane 2023 in San Francisco October 3rd through the 5th and we have a discount code for that conference as well, which is OKTNIDAC30 and gets you 30% off your registration.

So the registration link is okta.com/oktane and we're also going to be co-hosting or co-organizing an event with our friends from accents. We're going to be doing the quote unquote party bus, which shouldn't scare people, right. It's not like we're going to be driving all over the city and, you know, just going crazy. We're going to be doing some cool, sane, fun things and networking and seeing some of the highlights of San Francisco. I mean it's tech town, right?

So a lot of the corporate headquarters are there. I think we're going to do some of that. Look, I'm not the consigliere of the party bus, but I'm expecting it to be a lot of good, sane fun. So anybody who's interested in that, check out my LinkedIn. I've reposted the link to get registered, and as we get closer I'll drop that more and we'll put it in the show notes as well. Yeah, right on. I saw pictures from the party bus in Vegas.

I didn't make it, but you were on there. It was interesting going around to see the sights. It was a cool idea. I think it was kind of a neat thing that they did. So yeah, I mean we did things like we went to the Welcome to Las Vegas sign. We all got to go out and take pictures. And yeah, it just added another element to the trip. For all the times I've been to Vegas, which was like over 20 times, I'd never gotten to that sign

before. When you get there, you're just like, oh my gosh, it's just like I'm just some rando. Yeah, I've never been to it either. So maybe someday. So we got that, Oktane. We've also got the Authenticate conference that we're going to be at the week after that or a couple weeks after that. That is October 16th to the 18th, Carlsbad, CA, just north of San Diego. We have a code for them as well: IDAC15PODCAST, I-D-A-C-1-5-podcast. You get 15% off, which is very cool.

We're actually going to be on the main stage, part of the kind of opening festivities and keynotes. We're going to do a live show in front of a live studio audience and also broadcast to the Internet at large for guests and conference people and stuff like that. I still have no idea what we're going to talk about. We got to figure that out. That's coming up, but that'll be exciting. Can't wait for that.

I mean, we are the official podcast for the Authenticate conference and that discount code of 15%, that's the best discount code available anywhere. So if you use that code, in addition to getting 15% off, you get registered in a raffle of some sort where the conference organizers are going to select one of the people and give them

a welcome gift of some sort. I don't know what the gift is going to be, I don't know all the details, but use the darn code because it's the best one out there anyway. Yeah. And it supports us too, right? Shows that people actually listen to the stuff and it's worth our time. And their time, right, to help support that. So yeah, looking forward to that. That's going to be a lot of fun.

Anything else you want to bring up before we get to our main topic, because we're going to talk a little about authorization? Well, yeah, I do want to bring up one thing, just a thought that I have, and usually I bring this up at the end, which is if folks can get out there, if they like the podcast, subscribe to it, leave us a five-star review,

it would be appreciated. Let people know, because that's how people get to know about it. That's how, when you go into the podcast search feature of your podcast app, we show up first when someone types in identity, and it's really, you know, there's nothing that Jeff and I can do to improve that algorithm. It's really not, not yet, you know, I haven't got it figured out. Maybe I could use the Flipper Zero

somehow to do that. Yeah, so far all you're able to do is copy your hotel keys, but that's still a nice little feature. Yeah, copied a hotel. I've copied hotel keys and also the badge system for my in-laws' housing complex. So definitely some things that could be done there, but if I saw you at Starbucks, I would not connect to the Wi-Fi. I did get the Wi-Fi dev board, so I have been playing around with that. There's a couple of, you know, interesting things you can do:

set up like an evil portal. You can do a Rickroll attack, which basically creates a whole bunch of fake access points that are Rickroll lyrics. So I'm definitely not a hacker, in quotation marks, but there's some neat things you can kind of do that are fun and explain to people just why they should be using things like MFA and things like that. I think you are a hacker. I mean, you might be very green in the hacker stack, but you're doing hacker things.

Okay. Well, I don't want this to be evidence, so let's just keep going. Let's talk about authorization and kind of calling this authorization 2.0. I don't know if that will stick or not. But to help us with this conversation, we've got Rich Dandliker. He's the chief strategist with Veza. Welcome to the show, Rich. Thanks, Jeff. It's great to be here. How you doing, Jim? Great to have you here. First of all, I love the radio pipes. You got a great voice for

podcasts. I will try my best to keep up. I might, actually. I usually, I'm trying to like, bring people's voices up, make the sound, you know, sparkling, you know, right in the editing. I might have to, like, do the opposite for you, so that there isn't such a disparity between you, me and Jim. But. Well, usually people only tell me that I have a face for radio, but now I also have the voice. Well, that's what we always say. We got faces for radio and voices for a silent movie,

something like that. Well, thanks for joining us and spending some time with us here today. We like to really learn about the identity journey that people have been on. And it's kind of tradition around here when we have someone on for the first time to understand what their identity origin story is. So maybe you just spend just a minute or two kind of talking about how did you get into the space of identity and access management or digital identity or whatever the heck we're

calling this field today? Yeah, it actually started when I was at Okta. Actually, back in 2014, I went and joined them and I led the product management team for about 4 1/2 years through the IPO period. And so, you know, I think identity had definitely, you know, struck a chord with me, and that was one of the things. I did a stint in data loss prevention. And really seeing how, you know, sort of network-based security tools were just not the thing

you really wanted to see. You wanted, you needed to get down to the person, and that was really hard. You had to go through proxy. You had to do all sorts of fancy dancing to get there. And so that, you know, identity was definitely something that was like top of my list. And then Okta really cemented that for me. And I think it was, it's been a fantastic journey, and you know, early on in my career, I definitely said wow, this is a lot more complex than I thought it was

when I started. It always is. I think the definition too, of kind of being in identity has changed. A lot of people find themselves, they just were in it all of a sudden, they didn't like, pick it. It was just, oh, I guess I'm in identity now. And now you're a chief strategist for an identity company. So I love titles because some of them are very cool. Some of them, like, okay, what the heck does that even mean? What does a chief strategist for an identity company like Veza

do? That's a great question because I definitely find that strategy means lots of different things at lots of different places. It could mean a whole lot and it can mean a whole lot of nothing. But for us at Veza, I tend to split my time between a number of different pillars. First is really around sort of high-level product marketing and

messaging. So I think a lot about how we position the solution that we provide, how we talk about our customers, how we talk about the space that we're in. So that bleeds into a lot of analyst relations and speaking to the folks like Gartner and speaking to Henrique, as well as sort of looking at the market as a whole and, you know, so we're kind of getting into a competitive analysis as well. So that bleeds into the second pillar, which is helping out our

sales team. So, you know, really being sort of more out on the front lines, helping to, you know, to guide the folks that are actually talking directly to prospects about sort of how to talk about things, how to position things, what people care about and what identity folks really want, you know, what's top of their list. And then the third

is on product strategy. So actually building new product, working on some of the advanced things that we wanna get done that are critical for sort of that long-term positioning in the market and sort of really helping take us where we wanna go in the long term. So speaking of products, you've got this company called Veza, V-E-Z-A. I'm sure you get confused with Visa a lot, people saying it. So let's get the word out there, right?

It's pronounced Veza. For those people who are not familiar with what Veza does, what's the elevator pitch, 30, let's say 60-second elevator ride up. What do you guys do? Yeah, I think the way I like to talk about it is really that we help companies operationalize least privilege. So we do that by really putting together a graph around authorization that shows you not just what you have across all your different systems, but where it's wrong, where you need

to fix it right. So we have a core technology which is our authorization metadata graph, where we really put together all the different pieces of information about authorization from users to groups to roles, all the way down to specific resources that might be in a particular system.

And the permissions down to, you know, can you read, can you write, can you edit, can you delete, and putting that together. And I think that combination makes a really powerful solution to both see what you've got, as I said, fix it, and also get to compliance, right. And that's a frequent driver for a lot of customers, and we have a, you know, we came out of stealth last year.

We've got a number of big customers like Wynn Resorts, AMD, Intuit, Blackstone, Amex Global Business Travel and Zoom. So it's something that's really, I think, resonated in the market because it's so hard just to see what you've got, and that's often where customers start with us. Yeah, I think a lot of people think identity, they think authentication. It's the next step after that, it's really where you're going. It's the authorization side. So where does the name Veza come

from? Yeah, well, actually it's an interesting story. When I first joined the company, we had a different name. We were called Cookie.ai, and this is even before ChatGPT. So it was prescient in one way about, you know, having the AI, the .ai there. But you know, obviously Cookie.ai has a lot of baggage. So that was one where I was like, yeah, I don't know if that's going to really fly long term.

And so I actually helped drive the new naming, and Veza comes from the Zulu word meaning to reveal. So I was like wow, that's pretty cool. If I had to pick a language that I based the name on, Zulu's probably, yep, that's about the peak of it, and it has a good meaning, we could get the .com domain for not an outrageous amount of money, and the ticker symbol was available. You know, you always got to be

thinking ahead. Hey, Rich, authorization really seems to have blown up in the past year or so. And if someone asked me, you know, what's hot in identity right now, I run down a list of, you know, converged identity, which I don't think is that exciting, decentralized ID, ITDR, passwordless and authorization. And it's like that whole list I went through until I got to authorization.

Those are all new things, right? They're all things that have kind of happened in the past several years, but authorization's been around for pretty much the beginning of identity. And so I'm wondering, what do you attribute this blowing up of authorization, as I put it?

What do you attribute that to? I really think it's a consequence of most organizations really pushing forward with authentication, and props to Okta, props to Microsoft really for driving forward the world of SSO with SAML and OIDC and getting MFA implemented and driving forward

on passwordless. So most companies that I talked to have really, you know, they've kind of gone through that and they've said yep, we've done the lion's share of what we need to do around authentication and wow, things aren't fixed yet. We still have all these issues. We're still getting, either we have security attacks, we still don't really have a handle on identity. It's not a

solved problem yet. And so it's just as you said, it's a very natural thing after you've gone and tackled authentication, authorization is the next step. Right. And so I think that's that natural sort of, like, you know, what do we do next. We know there's something here. We know how core identity is to all these different things, to the IT stack, to the security stack, and yet, you know, it's not, we.

We know we're not done. Now Rich, when we talk about frameworks for authentication, some of the ones that our listeners may be familiar with are RBAC, ABAC, PBAC. Some of those people might not be familiar with. Could you help us define each one of those and help us with which one's the best one? What a loaded question. That's awesome. So yeah, RBAC is role-based access control. So this is probably what I see as the most commonly used one.

And you'll be, you know, you'll be used to this in an enterprise scenario where you'll have some sort of description. You know, I might be like a, you know, VP marketing, or, you know, I'm a super admin, and that sort of gives you, based on a role, there's some, ideally there's some commonality across an organization that collects up a bunch of different permissions that's organized in sort of your function at the organization into a role. That's the ideal state.

Then you have things like ABAC, which is attribute-based access control, and that's where you're not doing it necessarily in a role, but typically more dynamically, like you can think of. I think the best analogy is, you're used to this around sort of, you know, attribute-based

authentication, right? It might be geolocation based, right, where you actually, you're pulling in some attributes, oftentimes dynamically, and making a decision about, all right, is this person actually allowed to get to certain resources and take certain actions on certain resources based on the value of those attributes? So it's typically done more at runtime and more

dynamically. And then policy-based access control, where it's a pretty similar kind of thing and a lot of similarities to ABAC, but it tends to be a bit more around design so that you can actually make broad policy-based changes across the organization without having to go through and rejigger all your roles, right. So it's sort of more, you know, a goal and a target design. From what I've seen, RBAC is the most commonly used one and you

know. And I know we talked about this, it's like for me, being in the authorization space, I'm amazingly not opinionated about which one is best. So that's a tough question for me. But I know that my favorite one was, like, I was listening to one of the CISOs I was talking to. He says RBAC, yeah, really

bad access control. And I think I have a strong resonance with that because even though that's the most commonly used one, that's, you know, that's the one I see most often. It just has so many gaps and so many holes. Can you have least privilege without RBAC? You know, least privilege is obviously, it's a, you know, it's a big slope. And I think really that the trick is, like, you know, and this is also, you know, I don't want to pitch.

But, you know, it's like everybody agrees least privilege is something you need to get to. But getting it in practice and, you know, how do you actually get an operational program? You know, we've all gone through those compliance surveys and said, hey, do you follow least privilege? Yes, we do. But what does that mean? Like, you know, and how do you know, and where is it off, and how can you get better? Those are the, you know, when the rubber meets the road.

I think those are the most important questions. So I see it as less of a, you know, are you using RBAC or ABAC or PBAC? It's more around, do you have the tools and the processes and the people to actually get to least privilege? Least privilege is the goal, no matter which of these frameworks you're trying to do. Jeff, Rich refuses to answer my question. It's baby back. What's the best BAC? What is the best? I mean, without question. Got back, and that is the winner, folks.

OK. So Rich, it seems like that in the past, at least in my experience, authorization was an area focused on for CIAM, customer IAM, and less so for enterprise. But it seems like this blowing up that I refer to is really a reversal of that trend, and it's becoming more of a shift toward enterprises doing more advanced authorization projects or taking that authorization focus. Is that right? Do you agree with that? Yep, I do.

And I think traditionally authorization has been sort of front and center of a CIAM project because when you're building a custom application, which is typically what's involved with those things, you can't not build authorization in, right. You've got to have something, and so you have to build some sort of structure or some sort of componentry.

I think to be fair I'd say that, you know, the CIAM types of projects haven't gone away, and actually we're seeing a really strong push here, not so much in terms of sort of the bulk users that are going into an application. For instance, if you're a customer, a consumer-facing company, and have a CIAM application, you've generally done a pretty good job of separating and isolating

customer one from customer two. Like I if I'm going into Expedia, I can't get to Jeff's travel profile and access Jeff's credit cards and then for the most part that's a well understood problem. The trick and I think the sort of the frontier for that on the CIAM side is really things like

help desk people, right? If you have, or you have admins or DevOps people who are logging in and sort of getting access to customer data, getting privileged permissions into some of these things, potentially cutting across multiple customers, doing some sort of operational management. And of that, I think I find a lot of customers really weren't thinking about that. That's not sort of the primary use case of authorization in

that custom app. And so they often have very little visibility, especially when you get to the security team. You've got the developers, you're kind of, you know, there's one guy who knows exactly how it all works. But then when you go to the security team, they don't have visibility, they don't have logins, they don't know how it works, and that's a real gap there on the CIAM side.

But to your, to your point, I think it's now also hitting on this sort of the enterprise application side. And I think there's a lot of crossover because some of the data storage systems like going to the cloud platforms of AWS and Azure and Google Cloud, those are now sort of crossing over where they're being used for enterprise data.

They're also being used for customer data and so you know you, you really see a lot of commonality in leveraging similar platforms across the the internal enterprise, traditional internal enterprise applications and consumer applications and

customer applications. So when I talk about authorization with people, my mind shifts back to the framework around the XACML standard and, you know, Policy Decision Point, Policy Enforcement Point, and again, like, my reference point is a lot on customer IAM. And I've always thought like, OK, externalizing and centralizing the policy decision point is pretty drastic.

You know, if you've got a couple of, you know, business portals for transacting, whether it's placing orders or warranty, it depends on what business you happen to be in. But a lot of times those applications were built individually, right. They're not just one big portal that does it all. And to centralize all that, I always thought to myself, like, okay, that probably makes sense for, like, the FBI or something like that, where they want to have a centralized log of those

policy decisions. So to me, the policy decision point was always like the big, most important component of that framework, the way of thinking about XACML, and I'm wondering, like, does that framework still hold value? Do you still use that framework and those terms, Policy Decision Point, Policy Enforcement Point, things like that? And, you know, is the policy decision point still the most important concept of that standard, or is this something

else now? Yeah, that's a great question. I think those concepts, especially, are very valid today, as valid as they were when the standards were being developed there. And I think that that sort of methodology and that conceptual division makes a ton

of sense. And I find that, you know, it's still a small fraction of folks; we tend to not talk about those things as explicitly today, like in our marketing and documentation materials. But I definitely run across plenty of customers who still talk about it and say, hey, you know, tell me how

this fits into that world. And so I think there are definitely folks out there who still think about it this way, and I think if you explain it to them, it makes a ton of sense. Here's one where I actually am opinionated, and this is one where I'll put in my vote for my favorite. My favorite component is the

policy administration point. And that's one where I think the issue with sort of centralizing, as you pointed out, with the decision point, you know, there's a performance issue. You're generally looking at that with the enforcement point potentially, and putting those things together I think tends to

make a lot of sense. But trying to reroute the network and trying to, you know, channel everything to a single choke point, that's not how the modern cloud architecture and modern-day systems are working. And as you said, like, once you've got it up and running, no one wants to rearchitect that stuff.

No one wants to put a new component in the middle of something, especially when you're talking about sort of customers and, you know, production data, or actually getting transactions done. It's a really hard pill for folks to swallow. So I think, you know, multiple applications that could be hosted around the world, you can have scalability, reliability, network-type issues. That's right. That's right there. There's so many other

things that sort of drive that. And, you know, I can imagine, like, an enterprise architect trying to go say, hey, we want to centralize all this to a single point, and get thrown out of the room because there's so many other factors in there that drive it. And so I think my personal take is attacking it at the administration point is the right way to go. We've been talking a lot about, I guess, theory, for lack of a better word, right.

How things should work. I always like to hear, like, what's the real world doing in this space? You mentioned some of the clients that you've worked with in the past and some customers you've got. What are some of the use cases, you know, that you've seen where an authorization tool has helped solve some of these real-world problems that we're seeing out there? Because, you know, I think everyone points back and says, oh, we're a role-based access control company. Okay, are you really?

And how good is it? It usually sucks and it's a pain in the butt to maintain, and, you know, they kind of gave up maybe after, oh yeah, we have 5 roles, right? Something like that. And I feel like it's a struggle for a lot of organizations out there.

Every company that I talked to says that they are or they want to be role-based, and it's hard in the real world, especially when you have these applications that are using their own authorization schemes and they have not moved to, you know, a centralized policy decision point or access point or engine or whatever it may be. What are you seeing in the real world around this space? How are these things moving forward?

Yeah, I find that one of the big issues, and I mentioned this before about the really bad access control crack, but one of the challenges is you can do it at a point in time. And typically what I hear is, hire a systems integrator like Accenture to come in and get a whole raft of warm bodies from consulting to go and have tons of interviews with every organization across the company. And that's a tremendous amount of work. Better yet, hire our son to do it. There you go. There you go. But then you get drift over time. And then you get people who say, well, maybe I'll use this role for something it wasn't quite intended for, but it sounds about right. Or things get tacked onto the role, and so the permissions change, and actually what's in that role changes, the use and what it's being applied for changes. And essentially then you get someone who says, oh, I need this new role for this new purpose. And this sounds about right, but man, I don't really know what that role does. Let me create a new role. And so then you get this proliferation.

And so what I find is that most organizations, even when they want to be a role based access control company, are trying to manage it just on the name of the role. Like when you're trying to say, hey, is this right? It's like the role is named super secret admin #2. Okay, like what does that mean? And people have no idea. And so the thing that surprises me around all this, and the real world customer examples that I see, is that oftentimes the things that customers are struggling with are so much simpler than you would ever imagine. And so one example: we have a very large Fortune 500 company, and they actually went through this, and they came to us and said, hey, can you tell us when a new admin is created in Salesforce? We're like, yes, we can do that.

And what it turned out to be is that they had an IGA, a very large IGA company whose name you would know as a leader in the IGA space, and they were using that to provision Salesforce. And yet they found that when someone went around that provisioning process, the approved process, and went directly into the Salesforce console to create a new admin in there, their IGA solution couldn't tell them. And people would go around this, and they tried to actually custom code some solutions to do it. And there were just so many different ways to do it, they couldn't find that they could plug all the holes. And what it turned out was that they had failed two SOX audits on it because of that, right. And so it sounds so simple, and you take someone outside of identity, or peripheral to identity, and say, how can you not know when a new admin is created in Salesforce? Like, how is that possible? And yet that's the thing that these very large, very sophisticated companies are struggling with.

And so that's what we hear and see: sometimes it's a compliance driver. It's like when your auditor gets the taste of that and they know that you don't have controls, you can't demonstrate controls, that is a big deal, and they will drive that, and companies are very, very motivated to fix that. Other times it's just a visibility thing. And I know there was a former CISO of a very large telco that was telling me a story about when he came to believe in authorization as a really key thing. It was actually after an incident. They'd had an intruder come in. They'd had an account takeover. And they ended up being able to block that and lock out that account before they lost a lot of data.

But he was doing a postmortem with all of his direct reports. They were all in a room. And he says, all right, here's the first account that got taken over. What did this account have access to? And they all look at each other and they say, we don't know. He's like, okay, here's the second account. How about this one? We don't know. He's like, how is this possible? How can we not do this thing that's so fundamental to security and to being able to respond to these types of incidents? So I find different organizations and people come at it from different sides. But inevitably, when they dig down and really see what's there, and see what they know and what they don't know, it's a little terrifying. And it's such a basic thing, you imagine, how is this possible that we can't do this? And yet it's incredibly hard. It's been made a lot harder with the cloud.

Rich, just thinking, like, you just told the story. I'm thinking, man, those folks who were in that room said, we don't know.

That must have been such an embarrassing and painful moment for them. It's like, it's your job, you know? I mean, look, I'm not saying I would have gotten it right. I'm just saying that I'm sure glad I wasn't in their shoes at that moment. Because when you think about identity, it's ensuring that the right people have the right access. Knowing who has access to what, and when you can't answer that question, like, wow, that's downright embarrassing.

It really is. And I think it underscores the fact that the tool set just hasn't been there. Like, we've done all these advances, and like we were talking about before, authentication has come a long way in the last five, six, seven years. The tools that we've got available are so much better. And I think that's another common thread, is that the tools for authorization have been pretty stagnant. There just hasn't been a lot. And so I think back to another guy who actually leads the engineering team at his organization. He was telling me a story about when they didn't have any tools.

He said, yeah, the auditors asked me for everyone who could access this one database. We had to really get in, and the auditor would not let it go. And in order to answer that question of who has access to this database, what can they do in this database, he said he had to take his best developer off for a week of custom scripting to go answer it for one database. So now multiply that across your entire environment, and you just can't do it. Like, you can get the answer, you can figure it out. But the amount of time and effort and energy it takes to do it without a good tool set is brutal.

Well, I think this is where the fundamental question that I always ask folks is, can you answer this question? It's very simple. Who has access to what, and how quickly can you pull that answer together? And how accurate do you think that data is?

Because if you can't answer that question, in my mind your identity and access management program is failing. It's a basic question, right? And I also find you really need to dig down, because most people will say, well, yeah, I know the people in these groups. OK. But let's dig a little deeper. Nested groups? What does it even mean? That group is used for eight different things, one of which was the original intention, right? Stuff like that.

That's right. And it comes down to brass tacks. Usually it's like, pick your most sensitive data element, whether it's a table, maybe it's a Box folder, maybe it's a data lake in Snowflake or something like that. And say, who can get to that, and exactly what can they do, right. And it's going down to these data elements. Because I think everybody has somewhat of a handle around users and groups and some connection to roles. But I find the biggest gap is, what does that role actually do? What does that mean? Like, what can you actually get to with permissions? And then you get all these other things like, what about local permissions? What about local users? What about system accounts and machine identities?

And now it's pulling on all those threads, where it's not in the 70 or 80% solution, but it's at the edges. And those are typically the biggest issues when it comes to security and compliance. Those are the ones that you really need to worry about, those ones that most of the time you have no idea about. Well, you've got the point in time definition. And then what are you doing to make sure that that definition stays the same? Because things change, right? Exactly.

Do you find that there is a particular platform or system or something that is the hardest thing to include when we start talking about authorization, maybe even as a program? I think people think of identity as a program. Authorization as a program might need to be a thing as well, considering that's really the keys to the castle, whatever, you know, what are people getting access to. But I know I've found, doing integrations with different technologies out there, there are some platforms or systems that are just a real pain, where either it's not well documented or you can't do certain things because APIs aren't available, whatever it may be. But what kinds of platforms do you see as the hardest to include as part of this capturing of who has access to what?

Yeah, from a tactical standpoint, the hardest ones are definitely the old and crusty on-prem ERP systems. Those are the ones where there's no RESTful API. They've been cut, you've had an SI come in for eight years custom fine tuning it. And so it ends up being something that has very little commonality with anyone else's deployment. And so it's just a tremendous amount of customization, and the hooks are not there. So from a tactical standpoint, those are the hardest ones, or custom applications as well. They're kind of snowflakes, right? Nobody else has it. And so there aren't a lot of common tools that allow you to integrate.

But from a program perspective, I actually find it's the other way, where a lot of times when you look at identity governance programs, they've got the ERP system that was always the number one thing, so that's priority one. So they've actually gutted it through, and by a really brutal house to house search they've gone and figured that out. But then you say, well, how many apps do you need for SOX, or are relevant for SOX compliance and are subject to that? And it's like, well, it's like 30 apps. How many do you have covered in your identity governance program? Three. And what are you doing about all the rest? And so from a program perspective, it's actually that longer tail. It's the stuff that's still relevant for compliance, and they know there's critical data in it.

But usually the lift is so heavy to get these things integrated into an identity governance platform that they have huge gaps, and they know that.

Yeah. You know, I think one of the things about authorization is you have to make a decision on how far you take your authorization program. So let's say we take one of those apps that you just mentioned, custom built. App developers have been hammering away on it for decades, maybe building, oh, this view and that view and things that are not standard. Or take something that's out-of-the-box, which I thought you might answer that question with, which is ERP systems, where, especially with older ERP systems, you say you have access to this table, this screen, this business unit. So now it's multidimensional access, and if you spend your IAM program focused on nailing the authorization for that, that is all you're going to get done. Like, you might have an IAM program with a handful of people. So to me it's kind of been like, okay, so what is our IAM program going to do? It's going to take it this far. It's going to provision a person into these right groups, or it's going to in real time present the application with some assertions of authorizations. But they're going to be at this level.

It's not going to be like they should be able to see all these tables and things like that. So I guess to translate that back into your real world story, where it's like, okay, we're going to take this application, take this account that got compromised, what did they have access to in our ERP system? I would say the IAM team should say, well, we sent these authorizations, or we put the person into these roles, in these groups, and then somebody from the ERP side should be able to say, and that gives them access to these screens and these database tables or things like that, right? But somewhere along the way. So do you have a rule of thumb, or is it really just having that knowledge, to be able to say, all right, here's a couple of rules of thumb that we're going to apply?

Yeah. The rule of thumb that I find is sort of the commonality. If I look at customers who have been the most successful at doing this kind of thing, it's absolutely that prioritization is the name of the game. I mean, that's the first thing, is you cannot do everything, right. And so you have to pick your battles. And I find that one of the most valuable things is actually starting at the end, right. And looking at, OK, what's the most critical data we need to protect, right. And that's typically the thing that fundamentally the board cares about, the CISO, the CIO care about. And so, hey, let's figure out what roles give access to that and what can they do, right. And so typically that's where I've found it's most valuable, is kind of starting at the end. But to your point, Jim, I think you raised a great point, is that a lot of times this data to put that whole story together, and to get true visibility all the way down to the data level, is on different teams, right. It's in different systems, they're different groups. And does the identity group really understand the inner workings of the ERP system authorization scheme? Like, heck no, right. And every single system is different, right.

You've got to kind of be an expert in each one, and that translation across systems, that's also really, really hard. So now you boil it back up, and now you're a CISO and you say, hey, I just want to make sure that no contractor in China gets access to my customer data. Let me make that happen. Now you think about what you have to do in terms of technical controls on every system that might have customer data. What knob do you actually tweak? What does the JSON actually look like for that? That's a really hard thing to answer, although, again, it seems like a very simple kind of thing that would be very reasonable for a CISO to want. And yet bringing that and actually putting it into action is super, super hard.

That's a great answer. You know, the other thing, as we're talking about it, we kept talking about authorization as a program. And I'm not recommending that folks go out there and spin up a program and have an authorization program manager, but it reminded me of the impact that authorization has on humans. I'm also sure that there are impacts on the end user. But definitely the application owners and these application teams, and making sure people are clear on roles and responsibilities, and to make sure that where I drop it, you pick it up, etcetera. What are your thoughts on that impact? Is there an impact to end users? And then the app owners, who are app owners, developers and database administrators, all those folks?

Yeah, absolutely. There's impact on end users, because usually it's like, hey, I need access to this thing.

I need to get my job done and I need more access. That's typically how it goes. So obviously you start off with birthright access, you get a bunch of stuff right out of the gate, but it's never enough. And it's designed not to be enough. You've got to go, typically, and ask for more, and so then the trick is, okay, how fast can I get that done, right. If you're a developer that's working on a critical project, I guarantee you have a lot of organizational push behind you to get that access quickly, right. If it's a revenue facing project and they need to get it done, they will push, and they will get a lot of backing. It's really hard to say, hey, hold on, we've got to figure out our role structure. That's not going to work, right. You've got to get access.

That reminded me, I actually have another customer example where they started using better tools, right? And just having more insight into what roles actually did can be extremely powerful, even in the provisioning process, right? So their problem was they had Snowflake, and they had developers that would come in and actually ask for additional access to something. It might be a table, it might be a database in Snowflake. And so the challenge that they had, and actually the provisioning was done by the Snowflake team just for this very reason, because they were the only ones who sort of understood the inner workings of Snowflake. So the IT team couldn't do it, right? So they actually had to take that on themselves. Back to the second part of your question, which is how does this actually impact app owners and data owners.

They were actually the ones doing provisioning, and more often than not, because it was typically such a mission critical thing that was time sensitive, they over permissioned, right. And that's the reality, it's like, gosh, I've got all these roles. I've got like 80 roles. I don't know which one gives access to this table. Let me just give them the good stuff. Let me give high level access. And so what they were able to do, when they actually had some tools that allowed them to see what these roles actually did, what did this role actually give permissions to, and had that sort of instant level of visibility, they were able to reduce that down. So once they granted a new role, they could really find the one that best conformed to least privilege, right? They could find the one that gave access to that table but as little else as possible. And just by implementing that, by having the tools around visibility, they were able to reduce the total number of permissions on Snowflake by 80%. That's what they told us. So you can really see the effect of that. It's not just, hey, does someone have access to Snowflake or not, but what role do they have, and is it enough for them to do their job? This is least privilege at its heart.

All right. One last question around authorization to wrap things up, but it wouldn't be an Identity at the Center podcast without a mention of AI at this point. So how do you see AI impacting this space of authorization?

Yeah, I mean, I think about this a lot, as everybody who listens to this podcast does. And I think there's certainly going to be some good stuff in role mining and cluster analysis. And I think there's a lot of goodness there. And also, what we were talking about before, getting to the human component. When you're doing things like access reviews, which is almost always a component of any sort of governance program around authorization, it's really alleviating that human burden.

And I think AI can do a really good job there, where AI might not be able to give you the full answer, but it can at least guide you and say, hey, you probably don't need to spend a lot of time on these. Here are the ones that really look suspicious, right, or look like you should give them a little more time. I think using it in those kinds of situations is really great. And I think the best example I heard about the power of AI is that it's like having unlimited interns, right? And so you can do these sort of relatively menial tasks, but you can do them really fast. You can do them really cheaply. But there still are things where humans are still better at doing the outliers, right, the really edge case things.

You've got to have some humans involved in a lot of those cases. But AI can take a lot of the burden there. The other component, the other side of it, is what's going to be the bigger security concern around authorization: protecting AI programs, right. And so that's another interesting one, where you now see all these things around, like, the weights after the training runs that some of these really large frontier AI companies are doing. It costs like a billion dollars to run some of these training things. And so the weights, that file that records essentially the results of that training, that is incredibly valuable intellectual property, right, perhaps bigger than anything we've ever seen in history. And then you have nation states that have stated goals around becoming AI leaders, and that combination of having these treasure troves, I think it's going to really bring security to a whole new level, because the value of the thing that we're trying to protect is so large, and it's going to be way beyond even customer data and credit card numbers.

And so I think what we'll see is it's really going to force security providers and identity people, identity teams, to think about securing this stuff beyond just typical IT level security, but really bringing it up to physical security, getting it closer to a lot of the three letter agencies that are actually protecting it. I think there's going to be a lot more crossover between typical espionage scenarios and risk profiles and what's normally been IT security, not having to worry as much about physical security. I think those things are really going to converge around AI. And I feel like we're headed to a future where an organization's AI becomes sort of like their OS and is their secret sauce.

Hopefully not as bad as I, Robot, where it goes a little bit nuts. Has your definition of AI changed within the last couple of years? Because I feel like mine has, and I've talked about this before, where pre ChatGPT, pre large language models being available to the general public, I thought of AI as, okay, that's cool. It's like machine learning and pattern matching and stuff like that. And then you get something like ChatGPT or similar functionality, where now it's available to the public and it's this conversational interface. I find myself using it more and more for important things and not important things. And my thought process now is, that's AI. I don't think of AI as necessarily just machine learning and pattern matching. And I'm curious if you've thought about this from a definition standpoint of, OK, what is AI? Because I feel like, no offense, a lot of vendors have thrown the word AI on the box of their product for years now. And now we're getting to the point where it's like, oh, OK, well, that's interesting. What do you mean by AI? I'm just curious if your definition has changed since the advent and the availability of these things.

Yeah, I think it has. And certainly the way I think about it, before the ChatGPT sort of evolution, I always felt embarrassed about using the term AI. It felt like it was marketing. It felt like it was something in the future and not here yet, where ML sounded much more reasonable, like, yes, that's a much more precise term. I think now I feel very comfortable using the term AI, and I think maybe it's just that it's still so new and still revolutionary that it feels very, very different. And I've seen that quote before, where AI is anything that's just new and not in the current capability set. And it feels like we're still getting our heads around what this really implies. And really, I mean, it is mind blowing, even though it's a next word prediction model. It feels like so much more, and it looks like so much more from every angle. It looks startlingly like there's an intelligence behind it.

So it certainly has changed the way that I treat things and talk about it.

We're going to start to wrap things up here, and I guess kind of going along the lines of when I think of AI and where things are going as well, I think about the word longevity, because I could see a point where everyone's got their own AI, and maybe there is a Jeff AI at some point in the future that exists long after I'm gone, right. And it's this facsimile of what my personality is like, or whatever it may be. What's one of the most important things that you think you've learned about longevity?

Yeah, I know we talked about this before. This has definitely been a passion of mine, to think about this and learn about it. And I think, in the end, longevity is important and longevity is great. But what really matters is what you do with that time, right? It's not about just living longer, but you've got to put it to some use, you've got to put it to some value. And I think it's that perspective, combined with the fact that, if you look into it, there are a few very simple worms out there that actually don't have programmed cellular death, right. And so you look at this and you're like, how can that be?

And you look across all these different species and organisms, and I've actually come to the personal perspective, and I've never really heard it stated this way, that a limited lifespan is actually a feature, not a bug. And it's actually something that we've evolved. And you can look at it from an evolutionary standpoint, it makes perfect sense. It's like, you've got to make room for the new era, for the new folks, for the young people. And so that's been a bit of a shock, to say, wow, I'm sort of thinking about myself as supposed to have a limited shelf life, and I think it just puts a finer point on that. Like, if we all knew we were going to live forever, would we really get anything done that we needed to get done today? Like, well, I can always do it tomorrow. I think thinking about it that way makes you use the time that you have better, and I think that's a good perspective from my point of view.

Well, time's one of the only resources that you can't make more of, really, right? Everyone's got the only scarce resource, this time. Yeah, that's right. And I think, as I get older, I think about how much time do I have left? Am I going to get all the things accomplished that I want? And you're right, if I lived forever, I would just keep kicking that can down the curb, right?

And play video games all day or, I don't know, set up evil portals, whatever it may be. Jim, what do you think about longevity?

Well, I really enjoyed listening to what Rich had to say, because I think perspective about longevity is so important. I think it changes over time too. I have in my mind I'd like to live to about 80, I feel like that's where the human body wears out. But on my 80th birthday, am I going to say, well, I'd like to die tomorrow? Heck no. I'm going to set a new goal. I'm going to find new reasons why, new ways to find meaning out of my life. But I will say, I had a passing away happen in my family recently, and it got me onto a YouTube wormhole, or rabbit hole, watching these videos. They were Frontline videos. Frontline has some really great content on YouTube, but it was about the aging process, and going into, when people die, if they don't have a living will, someone can decide, like, keep this person alive for as long as possible, and they're a vegetable in a bed for five years or whatever, until there's nothing that can be done to keep them alive anymore. So I know I don't want to be there, right? I don't. I also see people in the nursing homes that are just staring off into space. I don't want to be there. So I want to live life to the point where I'm enjoying life. And I think everybody has to kind of assign meaning to, like, yes, that's the kind of life I want to live, or I don't want to live that kind of life. I don't know. But leave it to me to take the lighter note and bring it there, Jeff.

Yeah, you're a real expert at that. I was going to say I could pull a Seinfeld and grab the pillow, and when you say it's ready, okay, put it over the face, like, all right, we had a good run, Jim. Years and one day. I'm like, I'll set my calendar now. All right, here's a bonus question. Let's see if we can try to revive the lighter part of it. There's a lot of different items out there where people are trying to live longer, with the expectation that something in the future might help them. And I'm thinking specifically of things like cryogenics, right? There's, I don't know, Arizona or something, there's a warehouse full of people who have been frozen, with the hopes that someday they'll be able to be woken up to cure whatever issue they had. Some people, it's their entire body. Some people, it's just the head, which I find kind of creepy and very Futurama to some degree. Would you consider that?

I don't think I would. I mean, it's those things where, again, maybe it'll work. That's possible. But, well, I guess maybe another good question is, would you upload your consciousness if you could? Would you upload that into a computer? Or just save it as a backup somewhere? Maybe I would do that somehow. That seems a little less creepy, but when I think about it, it's probably just equally creepy.

Jim, would you freeze yourself? Or, I was thinking personally too, like, the Jeff AI, right, backing up your personality somehow, right, where it's good, but would you? I wouldn't do that, but I want to throw a few things out there, as somebody who's such an expert on this topic. One is, I think, from a supplement perspective, you should be taking vitamin D3 every day, in concert with vitamin K2. I also think that there is a supplement called N-acetyl L-cysteine, or NAC for short.

It's very cheap. It's one of the great advances and great findings in the area of longevity. So check those out. Do a little research, watch longevity videos. Man, there's so much out there. But it is another rabbit hole. We're not a medical show. I take my NAC. NAC is cheap. I don't think anybody's making a lot of money on that. Yeah, I'll make my pitch for fish oil too. Like, I have a hard time eating enough fish.

I think that's one of the best researched and most clear advantages, you know. Get your omega-3s, take a couple tablespoons. It's good for you. Agree on that. I want somebody to create the brownie sundae that is healthy, that I can eat a lot of. Then I'll be a happy person. Nice. So, Jeff, do you want to be frozen or what? I don't know if I would be frozen, but this idea of being able to somehow come up with sort of an AI intrigues me. I would do that.

I think that would be interesting. I think I would like to do it while I'm still alive, to see how it would work and kind of tune it, right? I don't know what would go into it other than, you know, I mean, at some point I'm guessing somebody could take all these episodes we've done, 200-plus; 231, I think, is this one.

That's a lot of audio content that kind of shows, Jim, your personality and mine, at least the ones we put out on the podcast. Somebody could very easily take that, dump it into a large language model, and create a, you know, replica based on what it understands. I'm sure, you know, obviously there'd be gaps and stuff like that, but I don't think it's too far off where, you know, you'll be able to talk to yourself or a famous person,

right? Or whatever it may be, where there is enough audio or written or visual content that can be consumed to create something. Well, then you just need to ask Alexa to start recording all your conversations. And you'll have more. There'll be more data. Isn't she already doing that? I don't know. I guess I thought that was already par for the course. All right, let's go ahead and wrap up for this week. Rich, thank you so much for being part of this.

It was a great conversation. We're gonna have links in our show notes to a whole bunch of different stuff. We'll have links to Rich on LinkedIn so you can connect with him, ask him questions, compliment him on his radio pipes, you know, whatever it may be. We'll have a link to veza.com, V-E-Z-A dot com, so you can learn more about what those guys are all about over there. We'll have a whole bunch of links to all the different conferences that Jim and I mentioned.

Identity Week America, Oktane, Authenticate Conference. We've got a bunch of discount codes. If you're planning on attending any of those, use our codes. They should be the best. And it also shows support for the show, that sort of thing. And you can find us on the Internet at idacpodcast.com. We're on Twitter, or X, or whatever, at @IDACPodcast. We're on Mastodon at @IDACPodcast@infosec.exchange. Of course, we're in all the different podcast stores. Like, subscribe, all that good stuff.

That's what keeps Jim and me encouraged to keep this thing running along. Share it with a friend, share it with an enemy. Don't care. As long as someone's listening, we'll keep doing our thing. And Jim, I didn't tell you this yet, but I am working on figuring out how we get on YouTube. So YouTube has made some podcast announcements recently, and so I'm starting to slowly upload hundreds of episodes when I get time, to have them on YouTube at some point as well. So not ready yet, but it's coming. It's in the future. And I did recently create a LinkedIn page for the show. I think right now you and I are the only people on it, but I'm starting to tag it and sort of build it out and figure out how all that stuff works. So there we go. All right, we'll leave it there for this week. Thanks, everybody, for listening. And we'll talk with everyone in the next one. You've been listening to

Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com and find us on Twitter at @IDACPodcast. See you next time on Identity at the Center.

Transcript source: Provided by creator in RSS feed: download file