#241 - Authenticate 2023: Standards & Entra with Pam Dingle of Microsoft

Oct 27, 2023 | 54 min | Ep. 241

Episode description

In this episode of the Identity at the Center Podcast, hosts Jim McDonald and Jeff Steadman dive into the world of identity standards and Microsoft Entra with their special guest, Pam Dingle, Director of Identity Standards at Microsoft. They explore Pam's identity origin story and discuss Microsoft's stance on standards. The conversation takes an in-depth look at Microsoft Entra, its target audience, and its differentiation from B2C Azure AD. AI is also a topic of discussion. Ending on a lighter note, Jim and Jeff chat with Pam about her experience renovating a Victorian house.

Connect with Pam: https://www.linkedin.com/in/pameladingle/

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter.


Transcript

This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff. How are you? Not so bad yourself. Good. I mean, we're here at Authenticate. Fantastic conference. The Expo hall has been really nice to have gotten an opportunity to drop by a few booths, including the ForgeRock booth. And you know, I got that.

I said what I said to them was how many people have stopped by and asked what's happening with ForgeRock and Ping. It's like, yeah, pretty much everybody so. What'd they say? I don't want to go into the whole thing here, you know, but it was it was good. And I think we have commitment to have some people come back and talk to us. So we will do that when they're ready to do that. That's always appreciated. How's the swag game in there? You know, I'm not my early days

are going to IT conferences. I wanted everything like I would go around with like. The shopping carts and trick or treat, you know, can I have my whatever T-shirt or stress ball? Sliding camera cover, which I hate. Oh, the slide camera covers. Yeah, hey, let's put this thing that ruins you your ability to close your laptop. That's a great idea. Yeah, they're fantastic. And then there was the the dongle for charging any type of phone, even though most people just have one type of phone.

I find that actually handy, 'cause I have so many different devices I'm travelling with. But yes, that was over. But you don't need each of them though. So swag game, we're not sure yet. I have to go through. I haven't really taken a walk through yet other than to get to our little room. We're we're behind. Because you ever notice as you walk the conference hall floor, some of the booths have

different levels of swag. So I think if it's like you just want the entry level swag, it's like you pop one balloon with a dart. But if you want the next level, you've got to pop three balloons with the dart. And then there's like the major SWAG, which really means that you're going to spend $1,000,000 with them. I don't know what are you talking about. Go out there and I'll, I'll point it out. Is there like a specific vendor that's doing that?

Well, I did see one vendor that had like a top level swag which. Was like a packing bag, one of those, like fancy bags where you put your clothes in and then put it in your luggage so you couldn't. I like, I was like, well, what do you have to do to get that one? Because other over here you have these camera covers. I think they're for everybody, right?

Well they let you scan your badge and you trade up your e-mail in exchange for 1000 emails from from BD person to you get the camera to get on the door. Yeah, but one thing I've noticed also. Now I'm not out here telling people not to let them scan your badge, but some places some vendors will scan your badge and then they will call you on the phone. Let's start getting these personal phone calls and like. Never call me on the phone. Do not call me on my.

Phone is not for phone calls. You're not my father or my mother. I do not want phone calls from you. You can send something to my e-mail, hopefully my personal e-mail, hopefully my Hotmail account that I opened 25 years. Yeah. That's that's that's good. That's good. Yeah. So I gotta go. I'm judging conferences, as you know, based on two things, swag and the quality of cookies. I've yet to see cookies, but we did have custom doughnuts last night we talked about in

previous episode. We'll see what the swag situation looks like. Do you want to talk about Microsoft? We thought we were going to talk about dessert the whole time, but. OK, let's do it. We probably shouldn't talk about them behind their backs, so why don't we invite Pam Dingle, Director of Identity Standards at Microsoft, to the show? Welcome Pam. Well. Hello, thank you for having me. This is a conversation that has

been a long time coming. I feel like we've been like 2 ships in the night passing through conferences. Never actually don't think met until behind stage. Last night as you were coming off, we were going up and it's great to have you here. I know that you've been in the space for a while, but one of the things we do as ritual for first time guests is understand the origin story of our identity superheroes. Like how I did that. Can you tell us, how did you get into the identity space?

Is it something that you chose or did it choose you? Yes, how many hours do we have? We have 5 1/2, OK. No problem. No problem. You might want to speed me up like the little chipmunk chipmunk you know. No, I got into identity quite a long time ago. I started off. So I I was born in Canada, I am a Canadian, and I went to, you know, a local university, got a computer science degree there.

And so I was working right out of school as a System Administrator for an oil company in Calgary, Canada and ended up getting snapped up by a dot-com darling. So that tells you how long ago this was. So it was 1999 and they actually sent me to California for the first time in my entire life to do training with Netscape. Again, with the ageing, you

know, metaphors. But but I ended up training up in Directory Services then and I started to work in what they call middleware, which at the time was mail servers, web servers and directory servers. And it was just, you know, we were the imported Canadian talent because it was the dot-com boom and you could not get anyone to do anything. Everyone was all taken, shall we say. And so they used to fly us in and we used to hang out in computer rooms and install middleware.

And I didn't think of it, you know, the mail servers, web servers, directory servers, whatever. And then I ended up moving to a consulting firm that sent me to a conference and this was 2001 and I went to the Burton Group conference, the Catalyst Conference. Which, you know, some of your listeners might have been to. Catalyst the highlight for me was it's it's on the Bay in San Diego. Location is perfect. That will get me to a conference. Oh, yes, yes.

Well, this one was in San Francisco. It was at the Hilton in San Francisco, and it changed my life. I mean, it was people who were debating why things happened and talking about the consequences of these implementations and and. You know, why would it was important for people to have good experiences logging in? And for whatever reason, I got there and I did not like what people were saying on the stage. And so I stood up and asked questions in the conference and

I asked question after question. And at the end of that conference, Jamie Lewis, who ran Burton Group at the time, said, hey, you should present a talk, you should apply to talk next year. And for me, that was the light bulb going off. You know, I had loved the experience. I got invested in what identity management even was at that conference. But the idea that I could be part of that community just lit me up like a, you know, like a firework.

And so I spent the whole year excited and already and I applied to speak at the conference and they rejected me. They rejected me and then please. Submit this so we can say no. Exactly. No, no, it was. I mean, it wasn't funny at the

time. I was devastated, but four years straight, they rejected me. So just for anyone who is listening, who wants to speak at one of these identity conferences, just know that the people you see up there who are doing, you know, who just look like it's a piece of cake, and they were born to it. They they weren't they. Had to get rejected and they had to work their way through all of those same issues. And so that really kicked me

off. I ended up moving from Calgary, Canada to go work for Ping Identity and in the office of the CTO. And that's what got me really connecting to customers specializing in federation. Got me into the standards world and of course that's where I am now. So I you know, I worked in the office of the CTO there and then transitioned to Microsoft as Director of Identity Standards. So what does that mean? Director of Identity Standards. It's the best job ever.

Absolutely the best job ever. So I have a highly skilled team of folks who work in various different standards bodies, including IETF, W3C, the Decentralized Identity Foundation, you name it. We go in and we try to write the standards in conjunction with our engineering teams that we think will power our platform for the next 10 years. And so that can involve standards like OAuth, OpenID Connect.

Right now we're working on OpenID for VC, which is the sort of the umbrella for a lot of the decentralized integrations with OpenID Connect. So that's a really big one. We're working in the International Organization for Standardization on ISO 18013-5. Do you like how I can just rattle that up, which is mobile driver's licenses, which we think is going to have a huge impact?

Going forward in the future, and yeah, the, you know, the goal is to understand in advance how the world will need to connect and then find the ways to do that securely. And of course, we collaborate with everyone else in the industry. So Microsoft is in there. But also all of the other big identity players are trying to accomplish the same thing. You should see my notes that I

just made as you're talking. So my first identity conference was '06 Digital ID World right and it was Kim Cameron on stage talking about the the Laws of Identity, right. And I was like revolutionary. And that's where I got sucked in. I was like whoa, this isn't just, you know plug this into there. It this is like philosophical layered on top of technology and these guys are trying to solve the problems of the world with. So anyway, I see how you got sucked in.

One thing I noticed in that conference there, and this is 2006, right? You said you ain't no one, there are very few women. You're kind of that triggered to me. You're kind of a trailblazer. You know, I don't want to make you feel weird by saying that, but it's the truth. I mean, there were less than 5% of the audience. I mean, I still think it's pretty lopsided when you go to conferences, but I mean, night and day difference now versus 20 years ago, right?

It really is a night and day difference. I mean, I. Yeah, there were often ten women and I knew all their names. We all knew each other, still know each other. For that matter, a lot of them are still in identity. Doesn't matter. Like once you're in, you stick. And now you're right. It's much, much more balanced. And I love that I do work, do a lot of volunteer work for the Women in Identity organization. Of which we are members. Yes, that's fantastic. And yeah, it's really fun to see.

I mean, there's a lot more opportunity. But the thing that I was lacking at that time, I really did feel isolated. I was almost always the only woman in the room. And you, you get used to that. I mean, part of my consulting background, which was that sort of first job, beats it into you. You have to be the authoritative voice in a room. And so you figure out how to do that. But I don't know.

I mean. Right now at Microsoft, the identity division at Microsoft has an amazing amount of diversity to it. And so I am almost never the only woman in any meeting I attend. And I never knew that to be grateful for that until I had it, well, proper to you because somebody had to be, you know, the first, right? Or I'm not even saying you're the first, but Trail Blazers, like the role that you play like yourself, so important to what's happened.

Let's kind of get into some of the, you know, what's going on with Microsoft today. I think I've been a Microsoft person since my original IT certification was in Windows NT4 desktop, right. So I've kind of been a Microsoft person, but I've kind of gotten away from that with being in identity management because Microsoft solutions traditionally and been the leading ones and I think a lot of them, a lot of it was around very proprietary solutions for like Access management for example.

Just think of WS-Fed right and but it seems like there's been a major shift, major shift at Microsoft and towards its stance on standards. Specifically, the ones I have my eye on are the identity standards. But to you what? What's the story behind that? Yeah, I agree. And I will say that I've only worked for Microsoft for five years. So I kind of came in in the the golden days, right, where where that stance had changed and there was investment.

I do think the fact that they hired a director of identity standards was in part of an expression of the fact that they could see that this was a a serious requirement. So I can't really speak about, you know. Why that change occurred because I came in after. But it is certainly the case now that we very much recognize that nobody wants to be locked in. That is the bottom line.

Nobody wants to be locked in. And so knowing that you can bring in the tools you need at the time you want and connect them all together is the reason why people feel comfortable signing up for some of these technologies. One of the things, the thoughts I have is moving or violating standards, if you will, is not just coming up with a new standard or ignoring a standard. It's changing a standard. Let's just add an attribute to SAML. Let's just make it a little like tweak it a little bit.

Do you talk to us about how it works at Microsoft? Is the are you like the traffic cop? Like, no, no, no, no no. Well if anyone tries to suggest we change SAML then I mean there is no changing SAML. You can absolutely try. I mean the the real truth is that the the forces that are applied are almost immutable forces. For example, SAML's a perfect example that that stuff is old. It works so well.

But nobody's going to go in and tweak those implementations unless there's a real business reason to do it. And so you know, there's a there's almost a time to value. Back and forth that you have to do. I mean, can you try to change SAML? Yes. Will you get adoption in any kind of size or anytime soon? No.

And so, So what we can do versus what we can do and gain adoption is really that that's the metric that my team often talks through and it's easier with newer things, for example, the the decentralized world right now we have a lot of flexibility. And or or for example another one is proof of Possession. So that's a specification that just ratified and one of my team members was very heavily involved in that and they it was

actually incredibly valuable. We took all of our knowledge of what we're doing in our in our token protection work right. So token protection is a feature of of the Entra suite but but the DPoP spec utilized a bunch of those learnings right from when the engineers realized something couldn't work right. So there is this, there's if you do it right, you're helping all of this knowledge make its way

to the public world. But yeah, if you do it wrong, you end up making things that no one will adopt or making things that that you know come out after your product has already put something in. And and that's the big thing, right? You have to know that. These things happen on cycles. You release it once, so you're not going to go in back and tune it six months later. So there's a huge problem there because the standards come out

in advance. But if they don't, if you're, you know, developing the standards at the same time you're developing the software, right, you really do have to have a tight, tight coupling. How do you make the decision of which standards to throw support behind and which ones are? Maybe it's not the right time yet. Right. That's an excellent question. A lot of it is product alignment. So you know, you can create a standard for something that you

have no plans to implement. But yeah, it's and it's a lovely idea and it certainly has happened. Sometimes you're so far ahead in your vision. But yeah, you, you need to be able to justify what you do and why you do it. We certainly do. My boss is Alex Simons, who, by the way, should really come on this show. You need to.

Open invite. Come on, Alex. But you know, it's really in many ways Alex's vision because he he runs the product management office, so he's, you know, he's working with the rest of our executive team to decide where our, our large priorities are. But the other thing is we can't just, we can't just lead. Just because it's convenient for us doesn't mean that anyone else cares. And so there. So the real judgement is what kind of momentum exists.

Is there community momentum? Because if there's community momentum and we're not ready, we will likely still participate because otherwise otherwise the standard gets developed and we don't have input, right. So that momentum piece is what's a really interesting question, Like for example, right now, authorization huge, so big, right. It's, you know, everyone's interested suddenly. And I for anyone who's been in the industry for a while, I mean

authorization has had its ups and downs, shall we say. You know, I don't know if either of you remember DSML. Yeah, very vaguely. I think it came out on parchment. Yeah, it might have, it might have and of course XACML and so. So that's an example of something where you know we have interest, but there's also momentum and that momentum may grow faster than what we would normally try to push it into being.

But you you got to run with it. You got to roll with the flow over here at the FIDO Authenticate conference. So passkeys. What's Microsoft's stance on passkeys? We are huge supporters of passkeys. We have been working, you know, for quite some time on the ideas. You know, we're working in all of this in that technical working group and within the WebAuthn working group in W3C on that. Tim Cappalli is is the team member on our team who's really shepherding that.

Yeah, we think it's really important. We still completely support FIDO2 credentials of all kinds, right? So it's not like we have shifted our interest. We are expanding our interest to make sure that synced passkeys are something that can work, security keys are something that can work, you know, platform authenticators are something that can work. So we see those three channels as being a way that we can cover a ton of the population and have them have a phishing-resistant credential.

Is it easier or harder having such a huge install base to do stuff like that? Oh, it's harder. It's absolutely harder. I mean that because the platform is so critical like the platform is what makes passkeys a phishing-resistant credential, you have to have that proximity element to be able to, to prevent secrets from being copied, right. So, So yes, changing the platform is a non-trivial thing and and it's expensive and it's it takes a lot of cross company commitment to do that.

But the great thing is that our Windows team, I'm not on the Windows team, I'm in the IDNA group, the Identity and Network Access group. But you know, we have very strong commitment from the Windows 11 team on all sorts of security related pieces. And we also have a huge amount of support from our internal IT group, right, which of course is on the front lines of protecting, you know, not just Microsoft as a company, but Microsoft as a product and the

platform that we represent. And so, yeah, so there's sort of a virtuous cycle there of needing needing phishing resistant authentication just for ourselves, but also wanting to enable it for everyone else. We're a customer. I think one of the interesting factors is that Microsoft is so global, so many product lines. It's like it has to work for everyone. So you have cultural challenges. You also have like disability challenges. I mean, it's like the government's problem, but even

larger. Yeah, I agree. And This is why I really strongly believe that security keys are absolutely critical for the passkey ecosystem. Because the security keys are the pluggable piece, right? If you platform authenticators like Windows Hello and Face ID on Apple, those things are what are going to enable the massive part of the distribution curve to be successful.

But there is no reason why you can't create a security key that addresses a certain disability, right, or a security key that innovates incredibly and takes us to the next level. So without that pluggability and that ability to to not have to completely depend on the interface of the platform, I think we would be limited in how we could innovate in the future. Can you give an example of what an alternative security key

might look like? Because I know Microsoft has spent a lot of time on hardware and things like that, like Xbox has. Specific controllers for example, that are built with that population in mind. What would a security key look like in that?

Well, I can only tell you personally I, you know, I'm not aware of of the different projects that are actually officially going on. But I will say I did buy an Xbox Adaptive controller and the little button kit, and I do have this dream that one day you could actually, for example, you know, click a certain set of buttons in a certain certain sequence to unlock your security key hardware in it and send a secure credential. But you know, I'm not aware of

anything official, but wouldn't. It be cool but if anyone wants to you know try it let me know. Yeah, Microsoft has made a lot of, a lot of investment in those adoptions of those adaptable methods. The Surface Line has been with that. I have a new Surface Book or sorry Surface Laptop Studio Two at home. Right. The haptic feedback and being able to change the mouse pad based on your own ability to sense the touches, it's like a duh, right? Like, why didn't we think about that before?

Yeah, that's so true. And I find it impressive. I want to switch over to Microsoft Entra because every time I hear the word Microsoft Entra, it's always some news announcement of OK, what do they do now? There was some recent, you know, announcements made and rebranding or name changes. I'm never, I'm never quite sure what the announcement is, so please take this with all the love in my heart. What is Microsoft Entra doing?

Who's this for? All right, so Microsoft Entra is is the identity product portfolio that we own. So we we basically got into an issue where Azure Active Directory was our brand but directory was in the name. And the problem is we have expanded so much farther out from directories that we needed a way to sort of start differentiating between the different things within the identity portfolio that we delivered.

And so what we ended up doing is Entra is the is the umbrella portfolio and within that we have Entra ID which is the original Azure Active Directory. So that's where users are stored and groups and all the amazing things that happen in any directory. And then we have expanded into the the set of other products which are the things you're hearing about. So for example, there's Entra ID Governance. So that's your IGA tool.

I don't want to list them all because you all would have your eyes rolled back in your head and you'd fall asleep. However, the you know things like CIEM, so we have a cloud entitlement management piece, we have Entra Verified ID which is our decentralized identity offering.

And so the idea is that these things can now have their own identities, they can grow and have features added, and people can easily differentiate, but also have the the sense that we are integrating everything, that it is all part of a family. So my experience with Microsoft Entra so far has been if you're in the Microsoft ecosystem, it's a great tool, right. There's a lot of capabilities when you start to go away from the Microsoft ecosystem that

there are some gaps there. Is that a fair criticism of Microsoft Entra as a whole? Is that something that's being addressed or are there things that I'm just not aware of that maybe it's just a bad rap and it's not warranted? Well, we're definitely working hard. I mean, we have heard that criticism before. We are definitely working hard to make sure that it isn't actually true. So you know we are obviously standards forward as standards forward as we can be.

So we integrate via federation, we integrate provisioning via SCIM, we integrate and you know we're working on shared signals right now. So you know we're we're making sure that we are modular and and that goes a long way towards that and we are a standalone identity product but we also are the backbone for the entire Microsoft platform. So we serve identity for Azure and for Office and for Dynamics,

all of that as well. So there, there's a balance there, but the way that we're really working on expanding, you know we can already federate to any application up there. So that piece is done. We can have folks federate into us. So we have you know folks like Duo and Okta and Ping have always been able to federate into the platform and then the the interesting piece right now where we're heavily expanding is in the multi cloud area, right.

So we can now govern GCP right or Google cloud resources, Amazon resources and that sort of stuff. So yes, we are. You know, we are moving in many directions. Yeah. So you're taking on the identity, governance and administration. That is a big nut to crack. Do you guys have a road map? Are you planning to kind of build it with the existing tools?

I'm assuming you wouldn't be able to tell me even if you were going out to acquire something, but I mean that's all a multi year road map to get to kind of best of breed. Yeah it is. It's definitely a multi year road map. You know we what we're trying to do is begin or center ourselves I guess is the right way to say with things being built in and inherent.

So for example historically in governance there were concepts of access certifications and access reviews and so we are working more on the self-service side of the house. We have a concept called access packages, which I think is really a useful concept, not not just for Microsoft, but for anyone, right? Which is groupings of resources that people can self-service request so that we can then manage and we can also do machine learning, anomaly

detection on right. So you know, the way that we think this is going to work is, is to be able to, to keep that governance centralized, be able to tell what's happening no matter how far out your governance world goes, but do it with simple concepts. So you know, we aren't to my knowledge. Am I going to get fired for saying this? Maybe. I don't think so, you know. I'll.

Beat this out. If we need to delete this, no, you know, to my knowledge, it isn't our plan to go and make sure we're doing role mining in every single part. We have partners who are really good at that and we love our partners. And so, yeah, what we're trying to do is make sure that there is an intuitive way for people to perform anomaly detection, which is really what governance is.

We never talk about it that way and we talk about governance as it's as if it's this sort of salty outside thing, right, like reports and and all that. But it's not, It's anomaly detection, it's finding risk in your organization. And so, you know, we think that there's just a ton to do there that is maybe great value. I love what you said there about we love our partners, the idea that be a platform people. Companies can build solutions that plug in.

To me, that's the fastest way to provide a solution and to expand the platform, you know, said Oktane 2 weeks ago. They're talking a lot about the road map for Workforce Identity Cloud and it's just a very big road map. And can it be achieved by developing it themselves? I think so, since they get a lot of R&D dollars though and. You know, I think it was kind of platform focus and people could build the solutions. The customer still gets what

they need, right? And the nice thing is then you can build things that are specific to your verticals, specific to your needs, right. If if your success is dependent on us adding a bespoke feature, that's not a good way to go, right? This just isn't how a platform generally works. And so yes, I mean our partner ecosystem is how we managed to, to have everyone get what they need without that, without the massive backlog of, you know, tiny features for this or for that.

Yeah. For this industry or for that industry, I mean when you start breaking down what an IGA can do and for each different industry, it can be enormous now. You and I were talking about this, I think a few episodes ago where we would start if we were going to build an IM product. I think we settled on IGA. Is like that's where we would start, because it feels like that's the hardest thing to do because we already have standards for authentication.

We already have, you know, ideas around how to do authorizations and things like that. But IGA is just this big hairy beast. Yeah, and I honestly feel like I'm not trying to dictate what your road map should be, but it's just please. Tell Microsoft what they should be doing here's. What Microsoft should do now, I think the. Identity administration, like the request approve workflow, it's like, you know, there's so much already there in traditional Azure AD that does

what people need. But the ability to kind of like go through and either self-service request or manage your request access, to me that's one of the areas that people want the most. Yeah, I completely agree. I I mean, I think this is where the machine learning comes in of trying to understand what people are trying to do and give them whatever ceremony they need to be successful, right, And

understand it in advance. I think that's, you know, one of the ways that this industry is going to innovate in the next three years. I would say though to me the most difficult thing for our for the industry's future right now is actually ITDR, the identity threat detection and response because you have to have signal, you have to signal to operate on and there is and that that signal can be extremely low level signal right have. A ton of data to work with.

We have so much, but we we do and and we're working very hard on leveraging it. I mean, you know, the number that I think we're giving is 65 trillion signals or something insane like that. That's it, That's it. But a trillion? I don't even know what comes after a trillion. Do you know quadrillion? I guess a quadrillion. I'll just ask Bing with ChatGPT or OpenAI integration, right. How's that for a plug or? Bing, right? Who is Entra for?

And more importantly, that sets me up for my follow-up question, which is who is Entra not for? That's a really good question. Also possibly a question that could get me fired, but I'm going to go for it. What the heck. So I think Entra has a really interesting dual role in my opinion, right? The great thing about Entra is that you can stand it up with almost nothing else.

If you're a small company, you can stand up Entra, that you know there's a free tier that you can stand up that is going to get you single sign-on. It's going to get you managing your users. And so, you know, so I think that if you're someone who's willing to embrace that idea, who wants some of this rigor, you can have that rigor even if you're a tiny customer. And of course if you want premium features, you still have to pay for premium features,

right. However, what you don't have to be is a big customer, because it's a platform and everything is generally self-service. So and there's a lot of community and you can go in and learn what's going on. So I think the accessibility for a smaller company is great. I do think that there's a lot of complexity to running any large scale identity management enterprise. I mean I think you both know, you're both living that every single day.

It's difficult for anyone to understand how to deploy access packages and access certifications and all of these incredibly complex concepts. However, what Entra is very, very good at is the top end, right? We work a lot with large multinational companies. We work a lot with companies who need to integrate their identity world with their security world, and that's, you know, that's another place where Entra can be extremely valuable.

But generally speaking, you know, we suit those professional, you know, cases. If you have a CISO and you have an identity management dedicated team, then Entra's a really good option for you. So in my day job I and the Identity strategies, but to stay sharp, one of the things I do is I get heavily involved in a lot of our projects. I got involved with a B2C Azure AD implementation over the past year plus. The product's really good.

One thing, notice when Entra basically said OK, we're not calling you Azure AD anymore, but the subtext to it was B2C is not affected by this. So still B2C Azure AD, or Azure AD B2C, I think, is more rightly, but why is that? Why didn't you just roll that in as well?

We, so B2C is considered a legacy product at this time because we actually have a new rolled out product in preview called Entra External ID. So you know we are still supporting B2C, obviously we're still working a ton with customers on it, but Entra External ID will is our sort of future direction in that case and it's, you know, they obviously do much of the same thing, but we have changed some of our fundamental architecture that we think is going to really benefit

people moving forward. One of the things, one of the, I don't know if you would call it a feature because I think it's core to the product, is the Graph API and building that on top of that. Building B2C on top of the Graph API just opened it up to it can do whatever you want. I thought that was really cool. I wanted to call that out. Yeah, it's interesting that, I mean, what it's really good for, both Entra ID, External ID and B2C are amazing because

everything is programmatic. So you, you know you don't have to be in heavily working with any UI if you don't want to. You can automate everything because a lot of our largest customers, they're not touching this thing with a 10 foot pole, right. Without like there isn't, there's no chance for typos. They have this thing regimented.

They do rollouts and, you know, change management windows, and so, you know, the automation piece is a huge value for our customers and that, you know, that's a size thing at some point, right? How much of a machine is your retail website? That kind of thing. Can we talk a little bit about AI? Because I feel like Microsoft has made a lot of investment obviously from an AI perspective with OpenAI. I've been a big fan of it for a while now.

I think it's captured the minds and maybe the hearts of a lot of people. Bing was very much early on in adopting that. I don't want to get into like product, but I'm just curious where do you see AI fitting into what you do from an identity perspective for Microsoft, right. Yeah, it's really exciting. It's very exciting. I'm not the authority, so you know, I what I say I believe is true.

Others may disagree, but where we're really excited in identity about AI is that, you know, we've had machine learning for a long time, I don't know, maybe as long as 10 years, something like that. Where we're going in, we're doing the trend analysis, we're doing the the detection of anomalies. All of that stuff has been around for a long time. Where the generative AI comes in is being able in some sense to put a face on it. So you know, sense making is a huge problem in the industry

right now. We're churning out the signals, we're churning out the data, but it doesn't help if we can't make sense of it. And that's really where the gen AI piece that, you know, we have generally branded as Copilot becomes really interesting, because now we can take all of that amazing trend analysis and use interactive conversation and interactive questioning to help people make use of it. So that's, you know, that's for me

at least, that's the really exciting piece, and of course Copilot is a very intentional branding decision, not for selling stuff, but because it is not meant to replace people. It is meant to help people. And so it's really all about people working with the AI to learn and to grow and to leverage rather than, you know, the machine taking over. I do think that that is a rather brilliant branding of Copilot. Did your definition of AI change when you saw what large

language models and generative could do, or have you like, yeah, that's just sort of the next. Yeah, for me it was a revelation. I had no idea, like I am absolutely the person who would say AI/ML as if it was one, right? AI/ML. You're not alone. I think everybody was doing it. I was doing that, right? And then I saw the demo from OpenAI and I was like, what? Right? Like that is going to change things. And I think even Microsoft has

jumped into having, you know, organizations be able to run their own large language models in their own tenant so that their data is not getting somewhere else, which I think is brilliant, because I do see this battle for dominance over who has the best model and I don't think it's going to be a one-size-fits-all. I think you'll have a general model that is sort of like this, interfaced everything, and then some sort of segregation of company data running within

another model. So I absolutely see the value there. That's not the final level of security then, having a classification model that you then enforce to say this data can't show up in Jeff's. Yeah, I question. Yeah. And his Copilot, right? He doesn't need to know the secret HR data. Yeah, and obviously identity controls are going to be needed to separate what bits and which model I can manipulate or

see. Yes. Well, the other big investment we've been making for a very long time is responsible AI. So it's not just a matter of, you know, creating the robots and letting them march on the village, right? We have for a very long time been looking at where the guardrails need to be so that this technology can be safely deployed. And you know, oversight, you have to have oversight.

So all of those things have to work together before the business tool becomes the accelerator we know it can be. How often do you use AI? Well, you know, the funny thing is I took a photography course a couple of weeks ago, and so not tech, not geeky anything, and the instructor just on a whim opened up Adobe Photoshop, highlighted a circle on a top of building and said remove the crane, like that. Yeah, Firefly and Sensei are pretty amazing.

Yeah. I mean that's I think that in daily life that is that kind of value is going to change how people use it. I certainly use it at work a little bit and I think that will grow quite a bit. Yeah, I think it's still, I mean, I use it quite a bit for a variety of things every kind of everywhere, right. It's a good starting point if you're starting something. It still will hallucinate which is a friendly term for straight up lie of information you know that comes through.

So I still think that there is, you still need to know your subject. I don't know if I would trust it to really go down the path of learning something. It's probably good to a certain degree and then it starts kind of going off the rails. I'm sure that'll get better over time, kind of figure that out. But I use it for a variety of things. I use it for work. I use it for this podcast, that helps with things like show notes and

audio editing, and there's just so many different things that it's gonna be interesting to see how this is gonna roll through the next five years. I think it's gonna be crazy. I mean, we have enough audio at this point where, you know, I've toyed with making an episode with Jim and I using nothing, just a script. I have enough audio to train, you know, a voice to sound and all of our. Subscribers start unsubscribing. Right. But I think this is something you're gonna see is this.

It's almost like. You know, you see a lot of, like articles that were like, it was generated by AI and they're of varying quality. And big news organizations have started to adopt this where they say, OK, well, we can't possibly cover every high school sports game in the world. So they have AI write some little blurb about some data

that was fed to it by something. I think you're going to see that with video, with audio, where it's like, oh, I have this idea for a thing, you know, create a YouTube video that talks about this. And next thing you know you're watching this thing. It's interesting, I'm on the program committee for a couple of the different identity conferences and at least right now, and it may not last very long, there are a certain percentage of the abstracts that

might be wrong. I mean, I might be, it might be that the that I'm only identifying a fraction of the like, some of them might be so well written that I can't even tell. And if so, more power to everyone, right? But yeah, it's it's into a certain thing where you get an abstract that talks about things and uses all the right terms, but they're not actually related to each other in a way that would make sense to a rational human being. I like the keyword rational

human being. You spent a lot of time with us here. We definitely appreciate it. We hope you'll come back, but we want to end on a lighter note. We kind of talked about some different ideas before we hit record. You mentioned that you're in the process of renovating a Victorian home, and it sounds like you've been doing that for a while and maybe will be doing that for a while. What is the thing that you discovered that you just weren't prepared for when you started

this journey? Well, so yes, we have a San Francisco Victorian home, was built in 1891, if I remember correctly. 1891, yeah. And so I think the thing that surprised me the most, which kind of tells what kind of IQ I have, but all of the trim in the house is redwood, first growth redwood. They were mowing down the redwood trees to build these homes back then. And it was my job to strip all the paint off of the trim.

And I had the worst time because they were, you know, it's a lot of paint that you can apply to this stuff and it's all different chemical makeups and all that kind of stuff. And so I started with the eco-friendly paint, trim paint dissolver. That did not work. And I tried every single thing. And finally I figured out the heat gun was the way to go. And so I spent two years, not even kidding, two years stripping off. Not once did I think that maybe there could be lead in that

paint. Not once until my husband's daughter showed up one day and she said, you know, should you check? And, and we were almost done. I mean, I had been breathing those fumes for, for two years at that time. And then we freaked out. We freaked out. We didn't touch it for four months. We went in with hazmat suits to finish the last pieces of it. So yeah, not my finest moment. So there's a chance that you may actually glow in the dark. It's possible. It is possible.

We did test it after the fact and there wasn't very much left. Well, one of the greatest things when you do an older house. So my mother bought an older house when I was a young teenager. And you peel back the carpet, like, there's hardwood floors there. You're like, who put a carpet who for this. But you just feel like you just discovered, found gold. Yeah, it's such a wonderful feeling.

We preserved as much as we could and we tried to stick with the same feel, but now we've finished the inside and now we're trying to do the outside, and that involves recreating corbels and recreating trim and it's really nerve-wracking because we don't know if we're going to do it justice or not. Now Pam, I didn't know you were a Calgary native, and I was in Calgary last weekend and went to Banff for the weekend, and one of the greatest places I've ever been.

But you know you must have some fond memories. So what is your fondest Banff memory? Oh gosh, yeah, I I misspent my youth in Banff. I'm not sure it's my fondest memory, but one of my strongest memories is actually probably the trip I had where I we were mountain climbing, climbing a mountain called Mount Yamnuska.

I don't know if you saw that. It's on the way in, on the way to Banff and I fell off and I broke my ankle in two places, broke the tibia and wait tibia and yeah, something like that. Anyways, I got helicoptered off the mountain and so I have this huge memory that the helicopter couldn't land and you know we had climbers came from all over the mountain.

It's an amazing thing, that whole community, because was way back, it's 1996, it was a long time ago and so there weren't just cell phones you could call on. And so we didn't have cell service up on the mountain. And so probably 20 different climbers gave up their climbs that day because they ran a relay down the mountain. So the people at the top turned around. They were just coming to the top. They turned around, they ran down till they met

the next climbers, said somebody's in trouble, getting ambulance, and then those people turned around, they ran to the next people, and so they did this crazy relay down just to be able to call the air ambulance to pick me up. And then they couldn't land the helicopter on the apron. So they attached me to a stretcher that was hanging below the helicopter. And on a beautiful, beautiful day I got flown over the valley and that was great.

I, you know, I was a little preoccupied at the time, but my climbing partner, they had to, you know, they sort of sent me in a stretcher with one attendant, and there was another attendant there. And so they actually let my climbing partner clip his harness into the rope. And so he flew over the valley suspended on his climbing harness, just underneath the helicopter. And so he got to the hospital and I'm groggy and I'm in pain and all of this, and he gets to the bedside.

He's like, damn, I'm so sorry this happened to me or to you, but that was the best experience of my whole life. His fondest memory? Not yours, exactly. I was going to say like, people probably had Banff on their bucket list. You just gave you that. That is your fondest story. And they're just like, there's so much more. I mean Emerald Lake, for example, if you go a little bit farther past Banff, is something you'll never forget. If you go, Lake Louise. Lake Louise.

We got all the way up there and the parking lot was full. But my funny story was we were going through the town, there's a place that sold bear spray 1295, and we just thought, get that. And we told we I was there with my girlfriend Denise, and we started to say, yeah, if we get killed by a bear, the story will go. They're too cheap to buy 1295 worth of bear spray.

They kind of had a cup, right? Yeah, we definitely had some bear encounters, but generally speaking, if you leave them alone, they usually leave you alone. We're talking about brown bears or black bears? Oh yeah, very different. So brown bear you can scare away unless it's really, really, really, really hungry. And so if a brown bear starts to follow you, it probably wants to eat you. So it is really important to know the

difference. Whereas a grizzly bear will charge you if it feels threatened and you can play dead, but if a brown bear charges you, you know, if you play dead, you're kind of just offering yourself a business. Yeah, I saw Revenant. That didn't work. Pam, you've been really just of your time and I'm really glad we're able to get this conversation in. Long time coming, long overdue. I hope you'll come back. Any final thoughts before we wrap up?

No, only that I'm really glad you exist in this industry. It matters a lot. Thank you. I'm happy I exist too, and I'm sure Jim is too. We'll go and leave it there for this week. You can find us on the web at idacpodcast.com. We're on Twitter or X or whatever at IDAC Podcast. We're on Mastodon at IDAC Podcast, at infosec.exchange. We'll have links in our show

notes. You can connect with Pam ourselves, whoever you'd like, subscribe like thumbs up, review, whatever it is. Yeah, that's that's all stuff that helps us get great guests like Pam, and hopefully we get more. So we'll leave it there. Thanks everyone for listening and we'll talk with everyone in the next. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review and we'll be back soon.

But in the meantime, hit the website at identity@thecenter.com and find us on Twitter at IDAC Podcast. See you next time on identity at the center.

Transcript source: Provided by creator in RSS feed