This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Stedman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff. How are you? Oh, not so bad yourself. I'm doing pretty good. OK, so today is November 5th. We're recording. It's going to get, this is going to be dropped on November 13th. In between, I'm going to have
surgery on my sinuses. So I've got a deviated septum, which means I'm like a heavy breather and a mouth breather. And one of the reasons it's not fun, man. Yeah, Well, no, no. I mean, this might be the last episode that I get text from you. Like, I can hear you breathing. I mean, this might actually even change how I sound. So I may go from my kind of nasally voice. I might sound like Morgan Freeman in a month. Well, I could certainly make
that happen. I can make it also also sound worse, maybe like a chipmunk I guess if I keep out there listening and like they listen to this episode, right? Kind of the kind of pre surgery and then the next few after this post surgery. Like, is there a difference in the voice? I don't know. I mean, it'd be interesting to see. Definitely a scientific experiment we can run here on the show, but we could make a YouTube short out of it.
Could could do that. We're starting to put our episodes up on YouTube, so I think we're just before we hit record. It's Sunday morning, right? You said November 5th and episode #170 just went live on the YouTube channel and then this is going to end up being episode probably 246 I believe. So it's slowly catching up, this dedication, man, with I think this is our first episode recorded on Sunday. I thought Saturdays were bad. You know, Saturday is dedicated to college football for me.
I love college football. And I was actually listening to one of our YouTube that you know, our episodes from. I don't know, it might have been two years ago and you and I were going back and forth and you're like, I hate college football. I don't watch college football, but you live in the South now. I I believe you will be converted. I don't think so. I it's just I still not interested, still don't care. I am a NFL person.
Talk to me when they're professional and that's pretty much how I look at it. I think part of this is I don't have like an alma mater to to be able to be like say, oh, OK, like that's my team. Like if I lived in Chicago for a long time. The Bears, you know, are kind of my team I lived in. California. So the Niners are kind of like my team. I haven't changed those two allegiances having moved to North Carolina. Now, I'm not a Panthers fan. I'm still a Bears and a Niners fan, but I don't.
I don't feel that same affinity towards a college team because I just, I don't have that connection now. Are you the type of person that would you? I know you haven't moved around that much, but now that you move somewhere, do you feel like within the next 10 years that you could become a fan of like local teams like the Panthers? I don't think so, but. Maybe that's just me getting old
and stuck in my ways. I mean, it's not that I it's not that I won't cheer for them or something if I don't have, like, an alternative to cheer for it, right? If the Bears are playing the Panthers, I'm cheering for the Bears. If the Niners are playing for the Panthers, I'm cheering for the Niners. If the Bears play the Niners, I'm usually a bit conflicted. But you know, that's that's doesn't happen very often. Don't have to worry about that. But I just don't see myself.
I don't know. I just For whatever reason, college just doesn't do it for me. It never has, and I don't think it ever will. But who knows? Well, I did my undergraduate in a school that is the division two school that I was supposed to never heard of. I did my graduate degree at Rutgers. When I went there, they literally had a season with zero wins. Now they're pretty good. They played Ohio State yesterday and they were respectable, but they're still not like in the
national conversation. It's but I live in Georgia. We've got the best team in the country and it's exciting. I have heard of all those teams. Yes. That's pretty good. Yeah. So I mean, between YouTube and AI, you know, there's now a new Beatles song. Yeah. Have you heard it? What's it called here? I I haven't heard. I heard about it, but I haven't heard it. Yeah.
So if you're if you're a Beatles fan, I think it's interesting to check out on Apple Music. They have the song, obviously, but they also have like a 10 minute short film. That you can watch, kind of see how they kind of put together. So it's pretty interesting. I think the AI is a little bit of a misnomer because it's really more machine learning, which technically, yes, AI. But I think the perception is that it's like, oh, somebody cloned, you know, John Lennon's
voice or something like that. That's not what happens. I don't know if I want to spoil it. Do you want me to spoil it for you, or do you want me to tell you how it actually what they actually did? I wouldn't mind if you spoiled it for me, but I don't want you to spoil for all of our other fans, so maybe we actually we should even put a link in the show notes. Spoiler Jeff, I'm going to leave it to you. You decide. OK. Well, I feel like I need to explain it just a little bit to
kind of help understand. So if you're interested in seeing how it was done, go watch the Apple Music, take 10 minutes, watch that and then come back here and listen to this. And in, I don't know, two or three minutes, we'll probably be done with this part. But OK, that's the warning. So the way that they did this was. They had a tape recording of John Lennon and a song that he had like a demo tape basically from 1980 or 81 or something like that towards the end of his
life. And they had tried to work on creating new songs based on this in the past. And so if you remember like in the mid 90s they released the anthology album that had like. A bunch of their old stuff and there was like a new song on there, and that was based off of some of the stuff that John Lennon had already kind of recorded and was put there but was never released.
What they struggled with the time was this other song that they ended up calling here and now where it was John Lennon playing over a piano and sort of again, very rough. Obviously it's a demo tape, you know, it's literally recorded on tape, you know, tape itself, right.
But putting it together and they could never quite figure out how to. Separate the channels to be able to have just John Lennon's voice as a stem and the piano as a stem, because then that way they could kind of separate it and kind of figure out how to make it make it work.
Fast forward to a year ago, 2022, and the rise of AI and kind of the computational things we're able to do now, and they actually enlisted Peter Jackson of Lord of the Rings fame and The Hobbit and stuff like that and all the techno industry they that they have put in place to figure out a way to separate John Lennon's voice from that track that also contained the piano that was giving him so much trouble before. And so they're able to take that and basically extract his voice
just out. And now they've put together this song and McCartney and Ringo put together. Kind of their parts of it. They use some stuff that George Harrison had done in the past and pulled together this thing and now there's this song and it's it's amazing to think about kind of like that kind of thing because you know, being able to separate out voice from something else, something I do all the time and I take advantage of. Definitely AI in this podcast, right?
Trying to make sure our voices sound, you know, as reasonably polished as I can, background noises, things like that. But if you think about. Where they were. And now like this, this technology is out there for, you know, normal people to be able to use. It's pretty amazing. Yeah. That's really cool, man. That's.
I mean, that's that's a beauty. Like a really positive view on AI. Because I think sometimes you can get dragged down with like AI is going to end humanity as we know it. AI is gonna put us all out of jobs. It might, yeah, it might. But I don't think it will. It's like anything else.
I feel like it's a tool. It can be used for good, bad and everything in between, and hopefully we have enough guide rails and things like that around it to try and steer it in the direction that it should be going. But it was interesting and I think he's just, again, the kind of misnomer of, like it wasn't like somebody cloned John
Lennon's voice to do this. It was literally just the extraction of his voice off of a track that had a lot of background noise to it. In this case, a piano that was making it very difficult for them to do that in the past, but it was pretty neat. I think it's, you know, if if you're a fan of that sort of things or The Beatles, check it out on Apple Music. They said they have like that 10 or 12 minute sort of like making of video and then the actual
song itself. So I don't know if it's necessarily what I would call a banger, but it's a new Beatles song. I know people kind of go crazy for that kind of stuff sometimes. How many people did you have come to your house for Halloween? I don't know because I wasn't home. I know I I live kind of up on the side of a mountain and then we had kids come through. It's kind of like a pack. There's probably like maybe 30
homes I think up here. So I'm not sure how many kids came through, but I want to say somewhere around 20, 25, maybe at most had I absolutely. That surprised me, considering you have like the long driveway and everything. It's a lot of work. That's probably why if I come to your house, I'm expecting a full size candy bar, I'm saying. We we did have Snickers and Twix I saw in one of the buckets.
So I did notice that last night. But yeah, I wasn't home because I was on my way to Durham for for work, which was kind of cool. So I thought this week was like, this week was kind of like a good showing of like the differences of like what an identity consultant can be, especially like some of like our like our roles and things like that, like just kind of going back, right. So this is the week of Halloween and.
I was home on Monday for the first time in like weeks to be able to like work from home like fully. And then of course because I was home that meant like meetings basically from like 8:00 AM to 8:00 PM non-stop. And then Tuesday I had meetings in the morning and then needed to drive out to Durham to run an IAM workshop on Wednesday, which was a lot of fun. You know, great group of people.
It's interesting to me that we're still finding people out there and we you and I are so close to this, right. And everybody probably listening to this is like, oh OK, you know, of course identity, access management, get it, blah blah, blah. But there are still lots of people out there that really don't know the space. So being able to conduct like a basically an all day workshop and kind of educate on here's what IAM is, here's what it means to run a program. You know, here's what IGA is
like. Educating, like, just stuff like that was a lot of fun. My voice was shot man by the end of the day Wednesday. I think I talked straight for another 12 hours, but yeah. Then had lunch on Thursday with our friend Arturo. We talked identity over chicken and waffles. For those interested, we went to Dame's Chicken and Waffles and I give it a 7, I think, or 8. The chicken was good. The waffle was a little bit small and it wasn't a Belgian waffle. It was like a cinnamon vanilla
waffle. It was OK, definitely. I would say it's third place in my tiering of chicken and waffles. Would the chicken, was the chicken like bone-in or was it boneless? Well, you could choose. This is kind of cool things. You choose your chicken, so you could do like a cutlet, you could do wings, you kind of whatever you know pieces you want. Then you choose the type of waffle you want. Normal in quotation marks, which was their cinnamon thing, and then like sweet potato gross.
Or like these other flavors of waffles that that should not be allowed. And then you pick like a schmear, which is kind of like Nutella or like a Maple butter or like a whole bunch of different things. And then you can choose a sauce to dip your chicken in. So they had like a bunch of stuff that sounds amazing. And and of course, then, you know, syrup, you know, for the waffle and stuff like that. So yeah, it was good. Like I said, the chicken was good.
The waffle was OK. Not the worst I've had, but definitely not the best. I'm a Belgian waffle guy, so I feel like to have the best chicken and waffles, you need Belgian waffle. Bonus points if you've got bacon in the batter. And then really good fried chicken. And yeah, it was fun. So we talked to Identity Chicken and Waffles and I drove home, had a bunch of days meetings Friday, and then now I'm turning around the Sunday. I gotta fly out tonight and spend all week on the road again.
Pretty much doing stuff, yeah. Do you think that most people think, oh, Jeff's got this glamorous life, He's traveling all the time. It's so, so interesting. It's. I think so. I think if you don't travel, it may seem like that sometimes, but you know, for every, I don't know, great travel experience, we've kind of talked about that. Like there's probably a dozen
bad ones like. You know, I had to leave San Diego when we were at the Thunder Cake Conference like very early Wednesday morning, like 4:30 in the morning to make it out to Indianapolis for for another work item. And we sat on the tarmac in San Diego for 4 1/2 hours, not going anywhere because of fog and a whole bunch of other things. And so that was not great. But I like to travel. So it it it doesn't necessarily, you know, bother me, but I could
certainly wear on you. This will be like my 12th week in a row. Going somewhere on the road for something and it'll be interesting. I don't really like to travel. I mean I I like to do a little bit of travel or some travel. So I I mean I guess this is the, the hopeful message for folks who are considering getting into consulting but are afraid that they'll be on the road every week. I think that's the way it used to be at a lot of consulting firms and probably is still at
some consulting firms. But most of the people who are on the delivery side that I work with and including myself are not traveling every week. I haven't. I mean, I travel for the conferences. I did one client travel. Actually, the client travel was super fun because the part I like about travel is getting in a room with people whiteboarding.
It's just so exciting to actually sit there and kind of like think through a problem and try to solve a problem and get as far as you can with the whiteboard. I love that stuff. And especially when you are kind of in our role which is you know, you're, you're using your experience. It's interesting as you're talking about like people not kind of knowing that IAM and IGA space and stuff like that. It kind of made me think of like, well, you know, you and I, we use CRM all the time.
We're well familiar with CRM, but would you be able to go up and explain it to people like no, but this IAM space we really know. So we can actually sketch things on the whiteboard and people ask questions like oh so how would this talk to this And then you, you know from your experience, so it's a lot of fun and you know I'm I'm working still like my focus is still IAM advisory or digital. I like to say digital identity advisory because it can span the
whole space. You know, still working a lot with, there's still a lot of organizations that are kind of working through the blocking and tackling like what is IGA, should I have IGA in most places kind of start with single sign on. But now they're getting into, you know, how do I do a better job of administering and governing access? How do I deal with privilege access management. And so I'm working with a client right now where you know we we went on, so I did the workshops.
Now we're going back and kind of building out the deliverables and to me that's fun as well. Like you know, thinking about everything you heard, putting together an assessment, making recommendations based on that assessment and turning it into a consumable story that has a logical beginning and a logical, you know, ending and everything in between.
So you know that that is I think the the contrast is you know I know you're out kind of like meeting with prospective clients or we're actual clients and I'm more at home being able to do it. And you know I will say I had to do a lot more travel pre pandemic too because a lot more clients were 100% in the office and wanted to have you on site.
And we're less used to using video conferencing to accomplish really what it's hard to accomplish what you talked about you know one day workshop and get everybody to pay attention to like a teams meeting or Webex all day. But everybody I think is used to doing it for an hour to two hours at a time and and staying focused and getting things done. So I think that's been a a huge way to cut cut down on it.
And then the other thing was, you know, we're kind of like working through like coming up with a big picture strategy for, you know, potential projects in the future which would be converting from a legacy access management solution or web access management to a modern system. It's like it's right in my wheelhouse.
So it's not like I don't have to think, I definitely have to think about it, but it's you know one, that's one of the things that I think, you know, I'm sure everybody who's like early in their career wants to go faster. They want to move up the chain faster. And like, hey, I wanted to do the same thing, but there's a certain amount of experience that when you build it up, it's like you have these knowings and you have like, I've done that.
I've actually done that. So you can talk about it, and like you, you can't skip that step. Yeah, that experience like is so important, but being able to communicate all that stuff. But I just thought it was really interesting because we're, just before we hit record, like, all right, you know, we had like really different weeks. It's like, OK, that's just, I guess you know. You know, part of its role I think kind of we each play within, you know what we do for our our real job.
But it's interesting. I was, I was like kind of peeling back on that and then it'll be another interesting week on the road again and hopefully. Your your thing goes well right. And voices sound it'd be interesting. I'm, I'm curious, I'm, I'm really interested to see how this turns out in the voice because I know our voices so well for doing all the audio editing, you know, over 246 episodes. And it'll be interesting to see, like how it changes, if at all.
Maybe it doesn't. Well, yeah, I'm going to have to rely on people like you to tell me because I listen to the podcast. I'm like, I don't sound like that. Everybody hates their own voice. Yeah, But I think mine's changed over time, too. I think, like, I can tell you right now, I'm not breathing through my nose. I can't breathe through my nose
while I'm talking. Just. I can kind of tell congested basically well hopefully this works out for you brother I I'm I'm curious I want to see from a scientific standpoint but also from a health standpoint you know hopefully it's clears things up for you. We had a bunch of questions come in that we've like been saving sort of like a mailbag. We'll see how many we can get to today, but. A very worldwide mailbag as well, like a lot of international folks reached out,
which is very cool. What what is our listenership as far as the the globe is concerned? I mean, it's not all US. I think that at one point we said it was like 60%. Yeah. It's like around 40% is international. Sometimes it kind of goes up and down kind of depending on the month or whatever it may be. But let's call it like 40% is international, which is pretty cool, you know, for a couple of.
Guys here who can barely speak English as it is, that are people around the world are able to to listen in. But yeah, so it's cool we get any sort of feedback right from anybody who's listening out there. But when they send questions and it kind of helps Jim and I out like, OK, what should we talk about? Like we have an idea of what's interesting for us, but it's helpful when people. You know, send stuff to us and usually they send it in via LinkedIn or or things like that.
Every once in a while they'll hit our website, idacpodcast.com and fill out sort of the contact form and kind of things like that. But yeah, why don't I just jump into this, I'll ask the question and let's see if we can stump you on anything and then if I have any color to add, I'll do that. All right, that sounds fun.
OK. So the first question comes from Chloe in Melbourne, Australia. How should companies approach the integration of IAM with legacy systems that were not originally designed with modern IAM solutions in mind? I feel like we get this question a lot. Yeah. What do you think? What what I have to do is like not try and look at it as a trick question but kind of take it at face value. I think most I most legacy systems or even modern systems
are not designed with like, hey, you're going to hook this into an IAM system. They almost all have IAM capabilities built within the application, but especially legacy systems do because there were not centralized IdPs when they first started up and they don't have any great integration capabilities for systems. But you know kind of the OG legacy system that I think of are like mainframes and midrange computers and application and they still exist in a lot of organizations.
They don't interface well with an access management system. They don't typically work super well with an IGA system. Really what you're looking at is kind of for them. It's like a middleware situation where if you have like a top secret type of application, if you can, you know from an IGA perspective kind of extract and populate user accounts and. You know, do the best that you can in terms of like password management. That's a major benefit.
Obviously if you're only accessing that application through some kind of front end processor, maybe like a web front end that you built to that application, that's great. But usually that's not the only way that people end up accessing those mainframes. And of course you have like web-based technologies and fat clients and a lot of those
things are going away. I think one of the key things is like if you are rolling out an IAM technology, you know, modernizing your IAM platform and you think about those applications, you have to really ask yourself like is this application going to be around more than two, three years? If it is, then it's worth the effort to integrate it, especially if it's a high risk application. I think if it's. If it doesn't qualify, it's either you're not sure. It's like, do you really want to
spend the money? Because those can be very difficult to integrate with. That's my initial thought, yeah. The the part you talked about is what I kind of started with this. Is it worth it? You know, are we going to get value out of this? Are there other things that we need to be working on that are either quicker, faster, you know, whatever.
It'd be easier if, like, I wouldn't start with stuff that doesn't lend itself well to integration because the next question is, OK, So we've determined that it's worth it. Now we have to decide, well, what do we mean by integration? Are we just talking authentication? Are we talking authorization? Do we need to do identity governance, privileged access, audit logging, you know, behavior analytics, right, things like that.
So I think you kind of figure out like, OK, what's worth it to do is a big part of the answering that question. And sometimes the answer is no, it's not worth it. Let's focus on the 80% that we can do. And some things will just remain the way they are until the mainframe dies again for what, the fourth time in the last two decades at least that I've been hearing about it. So it's kind of like the password.
Like everybody keeps expecting mainframes to go away, but they're still around and still actively being used. But I think those are the two things. Everything you said was like, right on, definitely, like, for sure. And it's is it worth it? And then what do you mean by integrate, like define what that integration looks like? Because I don't, I think you can also say, OK, well, for this application, maybe it's just
authentication. We've got to put an MFA in front of it and that's it. We're good. Like it's not worth doing the rest. I think calculating that, you know that benefit and whether it's worth the time or the effort makes a lot of sense. OK, let's move to the next one. This one is from Priya in Bangalore, India. What are the emerging trends in IAM that you believe will shape the way we handle identity verification and access control in the next five years?
Well, I think you know, identity verification to me brings up the whole idea around verifiable credentials, which is something like a passport or a driver's license or some other. You know, government issued identifier or identification card that can be scanned usually both sides where they have some kind of encrypted version of your face and then a picture of you and can then use your your camera to identify you. So I think that's, you know, we see it.
Very minor use cases. I think the commoditization of that capability is a very real possibility in the next five years. So you know, I think that's what we start to see that you know, ubiquity is it's, it's not just about like being on the bleeding edge and and spotting something that you know is way far out there and saying, OK, that's that's the trend to me. It's like OK, what is now building this head of steam in ubiquity.
Is ubiquity so important? It's like with passkeys, it's like it's starting to have ubiquity. When Google uses and things like that and people get used to it, now other companies can follow and then everybody's doing it like there's no passwords anymore potentially. So I think from an identity verification standpoint, you're starting to see it. It's running into some privacy concerns. But I think that's the the way that within five years we start saying, OK that's normal.
Yeah, I feel like this is less of a technology problem at this point and more of a people and process because what's going to drive verifiable credentials will be really government I think to some degree because I want mobile driver's license. So I have one less thing that I have to carry on with me, right. It's in my wallet. I mean it's in it's in my wallet today. But I want it on my phone. So I have you know, less of those things.
But I can only go as fast as my government will let me, right. And I can only speak from the, you know, from the, from the US perspective is I don't know how quickly all states in the US will catch on with this and sort of get there. I hope it's within five years. And I know there's certainly a few states that have already kind of gone down this road. And I think I think Georgia is one of them, right. Isn't there a mobile driver's license in Georgia?
And you're in Georgia. Yes, Georgia is one of the few. Yeah. So I think that's one thing to think about is how quickly will it actually move based on people, governments, organizations and citizens and things like that. Because I don't think this is a technology problem anymore. I think there are enough solutions out there and enough sources of truth to actually validate a credential that that's where my head is at right now. Change is hard.
I mean I think you've got great technology options out there, but now we're talking about changing the way people do business, people interact with government. You, you rightfully so, need to have a lot of caution. Privacy concerns, you know, things like that certainly will rear their ugly heads as we're going through this process and make sure that things are covered and designed to be secure and and that's kind of what I'm thinking about right
now. Yeah. I mean if if you think look at it from a US perspective, there's kind of like distrust of the government built right into the US Constitution where you have the right not to be searched in some situations. Yeah, Yeah. Well, like, could you imagine being pulled over and then the police person asking you to unlock your phone and hand it to them, Would you want to do that? I wouldn't want to do that. And I don't think I have a lot
to hide from. Oh, they're going to find something and arrest me for it. But it's just it's it's not, it's not appropriate. I don't think it's fair and I don't think that is the way it should work. So that's just one example. Yeah. OK, let's go to the next one. This one is from, and I hope I pronounced this correctly, Takumi in Tokyo, Japan. What role do you see artificial intelligence playing in the future of IAM? And how can we ensure these systems are transparent and fair?
Wow, that's a loaded question. You go first. I'm going to, yeah, I'll go first, but I'm going to like pick on the first part of the question, which is like the role that I see. And I think if you look far enough out, it's artificial intelligence can run IAM systems for organization. So a lot more can be right now we're relying on humans to run the run the software. I think that AI could become the runner of the software because I don't think there's a whole lot that can't be automated.
And I also feel like there's when you say run, what do you mean? Like going in and configuring workflows, resolving errors and configurations? Like what do you mean? So I always like to try to take the 80/20 rule, and I don't think that everything's going to be automated, but I feel like just like SOC is being outsourced by companies to companies that run SOCs
for many other organizations, I think IAM will kind of come the same way, where it'll it'll be run by an, you know, outsourced by an organization to some third party. But that software will do most of the running of the software, providing support through an automated fashion. All that plus I think the other thing there's shortcomings in.
Identity management now. So I I can see a big functional up ramp where we say OK, IGA is not only knowing who has access to what, but also what are they doing with that access. In order to do that, there's a lot of big data that needs to be pushed into some kind of store and analyzed and those are things that that people can't do. So this is like the the two major areas that I see. How do we make sure that it's transparent and fair?
You know, I think that really comes down to artificial intelligence is just computer code, right? I mean, it's lines of programming and it's going to have hard coded decisions. So if those decisions are not transparent and fair, then the IGA/IAM system or the AI system will not be transparent and fair.
So there's got to be some. Kind of rules of conduct, I here's one of my concerns is that like I feel like if AI goes so fast that we don't get these rules of the road in place, we're going to say, OK, we rely on on AI to make certain decisions. For us, but we don't know how it's going to make those decisions. So it's already happening. It to some extent where we say identity threat protection is going to spot certain types of
behaviors and then block access. And so right now for the most part where I've seen it, it's kind of a black box. It's not like oh you want to allow headless browsers or don't allow headless browsers right now that's probably clearly we don't want to allow them. So maybe black box is all we
need for the moment. But I kind of feel like if we don't, if we say, well we want to block people from North Korea or we don't want to block people from North Korea, like if that's black box and everybody needs to block people from North Korea, well doesn't that go right to transparency and fairness, like maybe people in North Korea should be able to you know enjoy the Internet. Obviously these other issues, I don't think they don't think they they weigh into that
decision at all, these people. I don't think so either. But I was trying to come up with some kind of example. What if it was like China or some other country that, you know, it's like, oh, that's a state-sponsored terrorist country. And we're not going to, you know, we as a corporation, we're going to block those people and now you as an organization who buys their AI software, you're blocking all those people. Is that transparent and fair?
I don't even answer not I think I don't know if we block people or more organizations I guess, but it's clear AI is going to have an impact on IAM, right? We keep talking about it on this show. You hear it at like every conference and every webinar that you go to has some sort of AI component. At this point, I'm bullish on it. I think it will be helpful. I think again things like large language models have really changed my perception of where this kind of take things in the
future. The transparency and fairness around it I believe is, you know, you want to have systems that are well designed, they're secure and they're accessible for people. When we start introducing a black box as you start, you know, call it at least for the AI perspective, their duty is there does need to be a way to look at how the decisions are being made, you know, even programmatically. And I think this is an area that I'm starting to see more thought go into, is attacks on large
language models themselves. So what happens if you poison an organization's AI to give wrong or misleading information? That could be another way that I think people are gonna have to start thinking about. It's like, how do we make sure we keep our AI secure? And that how do you validate that the decision making that it's making is based off of accuracy on facts versus maybe something that somebody put in
there, right? Maybe it's, you know, somebody gets in and says, hey, just, you know, just move this decimal point over a little bit and take fractions of a penny, right. You know, that kind of scenario, right. I think it's like, OK, how do we make sure that that stuff is there? And I think we definitely have seen, I think the industry's starting to come together on this. I think the White House in the US just put out a directive on this.
You certainly see Microsoft and Meta and other and OpenAI and like others that are in this AI space starting to kind of figure out how are we going to tackle this? I don't know. I think it's, I think it'll be interesting to see it comes out as they move things along. I think there's two things I just want to throw in there based on what you said. First off, I don't know how we're going to solve this rules of the road thing. Like we still haven't solved privacy policies.
You go to a website and it's like, oh, by clicking accept you agree to our privacy policy. Click here to read it. If you click here to read it, it's like 8000 pages long and you don't read it anyway. It's like if you want to use the website, you just accept. That is not the spirit of what's meant to happen. And if we run into that same kind of thing, then, you know, it's going to be every person
for themselves. The other thing I think with AI and IAM is mostly when I hear vendors talk about, oh yeah, we've got AI. And then when they explain what it does, I'm like, that's not revolutionary. That is not revolutionary. So does that mean it's not going to be revolutionary? No, I do think it will be at
some point. But I also wonder if it's just going to be the major tech companies are the only ones who can provide the AI because they're the only ones who can actually create the AI. Yeah, it takes a lot of resources to develop this thing. So do we end up in the cyberpunk megacorp world where the world is, right, like 8 different organizations and it's all business?
OK, we've got another question from Japan and I definitely don't know how to pronounce this, but I'll try to get it right, either UE or maybe we from Kyoto, Japan asking. Glad you're to it. I'm glad you're taking the, I'll take the heat if I pronounce that green correctly. Let me know. How can IAM solutions be designed to be more user friendly without compromising on security features? I mean, that's the usual question. Talking solutions be designed to be more user friendly.
I say it's the usual question because it's always been like considered a balance between usability and security. Meaning it's like if you had a slider, if you make it more secure, it's going to be less user friendly, you make it more user friendly, it's going to be less secure. You know, the tagline for everything passwordless is like
actually, it's one of those few scenarios where when you make it more user friendly, you get rid of passwords, you actually make it more secure, which I do think is true, but I think, you know, the spirit of the question is like, OK, if I'm designing an IAM system, how do I make sure that I get both things? I think it's involvement of the users. It kind of goes back to the discussion we were having about workshops.
What's one way to ensure that your IAM deployment will fail is like, don't include people that it's going to affect. Yeah, you don't include them, it's almost guaranteed to fail, but you do include them, you increase your likelihood of success. They'll also give you the feedback of like, what do they not understand?
Because a lot of times user friendliness just comes down to making it more understandable. If you kind of get inside the head of, you know, whoever your customer or user is, and you design around that, you can increase the user friendliness without even affecting security. You may also find that like there's no way we can remember 16 character passwords. Like that's not going to work and so you might have to, you might have to, I'm presuming that's a really
bad example, but just using that as an area where you might say, OK, well, actually involving the users made me rethink this password policy. But if you think about it, like, yeah, when you give people 16 character passwords, they're going to find ways around, they'll write down the password or they're going to do whatever they have to do to not make it so that they have to go through a reset password every time. No, there's an added number. I think it's the number at the end, yeah.
That's how we get it. Include these folks in your process and really listen to them. And then I add a question to this as well because I think this next one is kind of in the same vein. It's from Beatrice in Rome. How can organizations ensure that their IAM solutions are inclusive and accessible to all users regardless of their technical skill level?
So I think you kind of touched there on the previous question around do people understand what they're doing, like what's the training, what's the, you know, how do we bring people up to speed. But thoughts on inclusivity and accessibility and how that aligns with technical
capability? Yeah, it's not only technical capability, but you also think about disabilities, like some folks have, you know, different types of issues and there are browsers made for, you know, different disabilities that, you know, if you can't, if you're blind for example, that they can read for you.
Or, you know, if you just make assumptions that everybody fits a certain mold, everybody has the ability to see or everybody has the ability to hear or they're all using a keyboard to enter, like you need to challenge these assumptions. And I think this becomes more and more true as you're providing services to the citizens.
So I think it's so easy to kind of like fall into the mindset of like, oh, I've been working with, you know, B to E kind of scenarios with, you know, certain size employee populations, captive audience or they're just in the US and everybody's going to kind of have the same understanding and
all that. When you're talking about like, you know, the citizens or you're talking about large global outreach or you're talking about B to C, you have to take all these things into account even more and challenge yourself on those most basic assumptions that people
have these capabilities. I think from a technical skill level, you know, again I think technical skills can be a lot of things, but I think it also can map back to, you know, age and experience, especially like the older population within our world, they did not grow up with technology in their hands from a very early age. I kind of feel like the technical skills of teenagers is probably a lot better than, you know, technical skills of senior citizens.
You know, we haven't talked about your dad in a while. Like, how would you? That's exactly who I was thinking. I figured, How would you explain a passkey to your dad? I wouldn't. I would not even try. I will tell you that he's found e-mail within the last couple of years and it's like he's bonkers over e-mail. He like, emails me all the time and I'm like and then he gets mad. If I don't e-mail him right back. I'm like dad, it's not like it's not.
It's not a real-time messaging platform, right? Yeah. We were out the other night and sat down with some folks who we didn't know. They're just strangers. And the guy next to me, the guy who like, shared their table with us, he's very excited. He took a picture of he and his wife and posted to Facebook. You got 32 likes on it in like half an hour. And he's like, showed me. I was like, Oh my goodness, Oh my goodness, I've already been through.
I was on Facebook for a decade and then closed my account like 5-6 years ago. And like, you could tell he just got Facebook. And he's like excited that so many people like this picture with his wife, which I was happy for him because he's kind of like almost in that infancy level of dealing with Facebook. He hasn't, like, felt the hatred for it yet. Embrace the joy that happens. Embrace the joy. All right.
This is our last one and I think this is one near and dear to your heart. So from Rachel in Seattle, WA. With the proliferation of microservices and containerized environments, how can organizations effectively manage and secure machine identities at scale? You're all about machine identities recently, so let's have at it. Well, yeah. Well, we had David Mahdi on and I think that was a fantastic
episode. So if you want to really dive into that topic, I would go back and listen to that episode. But you know, kind of pulling Rachel's question apart here, I think, you know, there's two different types of machine identities: those that are static and those that are created and destroyed, you know, perhaps within seconds. But I think what we're trying to get to is like zero standing
privileges. So I think that even those machines that are created and destroyed, you know, the idea is that OK, you're not creating an account that should be around and like I'm going to create the account. I'm just going to let it sit there until I need it again. And then we had to just check it out and do what I have to do.
But the idea is already pre thought in terms of what access that account needs to have to do the thing that this application or service wants to do. And so those rules of the road should be set. They should be built into the microservices that create and destroy that account. Like you can only get an account that has this much and then business rules may be that, all right, if it's not destroyed within a certain amount of time, then it's destroyed.
Those, you know, as information security professionals we need to talk with the developers of these microservices to, you know, agree on the rules of the road so that they understand, we understand, we can stay within our controls. You know, for these accounts that always have to exist and maybe have standing privileges, we just have to have controls around them. You know, we need to understand what they're being used for.
And that way we can build our logging around, you know, knowing that we can build our life cycle processes around, you know, making sure that that account is created properly and reviewed periodically and destroyed. So I kind of feel like the rules of the road are kind of the same. You know, in terms of you've got to understand what these accounts are intended to do, use least privilege in terms of, you know, either creating them
or allowing them to be created. And then in the long run, you have to monitor what's being done with them. I think I don't know if I have anything better to add to that other than listen to Jim's answer and then go back and listen to, I think it was episode 239. It was the first one that we did with the Authenticate kind of slew of episodes that we threw out there. So yeah, that's probable. I guess I'll leave it there for that one. Why don't we go ahead and start to wrap things up.
And I was thinking about how we want to end on a lighter note
today. And I'm drawing on my experience of yesterday, which was a Saturday and heading up into the Blue Ridge Mountains. Very faint cell phone service where we were in the middle of nowhere, basically at a friend's kind of barbecue, hang out, campfire something or other or whatever you want to call it and, you know, a bunch of people just hanging around playing games and eating food and just talking and chatting and sitting enjoying the great weather that it was.
What is your favorite backyard BBQ party game? I've got one answer in three different parts, of course. So well, my OG original, I think OG stands for original gangster, right? Yes, straight from the hood. Yeah, Mike, that's Jimmy Mack straight from the hood. Jimmy Mack in the hood. Well, my favorite lawn game or BBQ game was Jarts. Remember Jarts? I definitely remember that. That didn't last very long. Didn't they ban that? Well, imagine if one of those
Jarts landed on your forehead. You'd be DOA man. I remember heavy. I was probably like six or seven, I think, and we had a set. And yeah, that was the first thing you thought. I was like, all right, how much damage can we do with this thing? That was a great game, though, too. Like, even if you just played it by the rules, like, it'd be hard not to have fun with Jarts.
So for people who aren't familiar with Jarts, explain what it is. So they were like very large darts and the ends were, yeah, the points were heavily weighted. So you can basically swing them to your on the side of your body and like launch them maybe 100 feet or 50 feet to a target and they would always land heavy side like dart point into the ground and they would land and they would stick. So that was the game. It was essentially like a bullseye.
You set up some kind of target on two ends and you have some scoring system which I think worked like, you know, horseshoes, which is my second answer. But it was with these darts and they, I think they somehow were banned, they disappeared. Yeah, I think real quickly too, because I think it's like, oh, maybe we shouldn't have people throwing lawn darts basically into the air and having them come down and spiking people and they weren't there. It wasn't even a pointy tip, right?
It was just weighted. But if anything falls from a high enough distance, it's going to do some damage. And yeah, yeah, it was heavy and it wasn't pointed like a sharp point, but even that dull point I think would have cracked through a skull. Yeah, definitely not safe.
Yeah, not safe. Anyway, my second one is horseshoes and my third one is cornhole, which, I mean, everybody plays cornhole now and they're all like tossing things, yeah, which even if you've had a few microbrews, you're still able to throw things. Yeah, maybe not well or accurately, but yeah, I like the, I like cornhole. I, you know I have a couple. So cornhole, we definitely did that yesterday.
We did the other thing that I'd like to do, and this is something my wife's family introduces, bocce, so, oh yeah. Super easy. People, kind of,
of all ages and skill ranges can play and we have like a Christmas tradition when we can make it out there to have a Christmas bocce game in the backyard and usually it's in Chicago, which means it's like, you know, less than 0 degrees freezing and no one is dressed for the occasion typically and we're out freezing in someone's backyard in the dark trying to play bocce and a lot of good memories kind of around that. So I think that's probably my
favorite one. But yesterday Jim, I did something that I am proud slash saddened to tell you that I won a particular game and I'll give you one guess but I'm sure you won't guess it. What is the game you think it was shooting? Arrows. Prouds at a OK. How about it? No. Is that it? I'll tell you it was food related. Oh, hot dog eating contest. No, I definitely wouldn't win that, although I look like I would. We did a doughnut eating contest.
Now, I have never done this before, but it was not like consume as many doughnuts as you can. It wasn't. That was not the contest. So what we did is we took doughnut rings basically and ran a string through them. And then who could eat the doughnut fastest off of the string without using their hands? And the doughnut could not hit
the ground. So there's some strategy there, right where you've got a string running through a doughnut in the doughnut hole and people are trying to eat it and the string is moving because everybody is trying to eat it at the same time. And I am proud slash sad to report to you that I won, You won. I was not the fastest, but I was the most strategic. I went slow, methodical. And people who were very close to the end, they were about to win. And then the doughnut fell on the ground.
So it was very hairy there. At the last few seconds, as I kind of took the last big bite, I had to do the lean back and try and make sure that nothing fell. But yeah, my proudest, it was just one doughnut. That was it. Just one doughnut. It was a glazed doughnut. They had a vanilla frosting on it, but that was it. There was like six of us in a row and we were all trying to, you know, eat the doughnut on the string without letting it hit the ground.
Well, congratulations. I'm proud of you. Send help. I don't know. This is my proudest moment. This is my proudest moment of you, Jeff. This is a, this is a real highlight, hearing a second hand story about your doughnut eating contest. Yeah, and I love doughnuts. Yeah, I certainly. You don't need to put a string through it and put me in a contest. I will have a doughnut any time of day. But yeah, I don't know if I should be proud or sad of it.
I think my wife was both as well. Honorable mention to the Dizzy Bat race. OK, yeah, Dizzy. We did like the pin the tail on the donkey type thing. So it was someone's birthday party. So yeah, we did that as well. And yeah, Sasha, you had a great time. It was a good time. We're out. I mean, you know, out in literally the middle of like nowhere probably, you know, Blue Ridge Mountains for sure, you know, barely any cell signal.
And yeah, it was fun. It was good times, you know, kind of relaxing and stuff like that, so. But now I'm off to the airport for another week filled of travel and identity hijinks and then I'll be back later. So say hi to the people at the Delta Club for me. Yeah, I definitely will. All right, let's go and wrap it up for this week. Listen to the show, like, subscribe, share with your friends. That's what motivates us to
keep going. We'd probably be doing it if no one was listening, but we've definitely seen a large growth in listenership and definitely thank everyone out there for sharing the word. We're on the web. And Jeff, can I throw one thing in there? Absolutely. If people like the show, even if they don't get the show from YouTube, if you could go out next time you're in YouTube, look us up and subscribe. That way we can start to see that subscriber number grow.
That would be fantastic, yeah. So go to the website idacpodcast.com. In the upper right there'll be a link to the YouTube channel. Go over there, start subscribing. I only do 3 uploads a day, so we're not spamming people's YouTube feeds. And eventually it'll catch up with where we're at in real time. And then you'll expect to see podcast there as well, just like we do all the time.
We're on Twitter, X, whatever, at IDAC Podcast, Mastodon at IDAC Podcast at infosec.exchange, and of course Jim and I. You're on LinkedIn. We also have the LinkedIn page that I started recently, starting to tag that and all the announcements for the show and stuff like that to try and make it easy for people. Not sure how we'll kind of leverage it yet, but I figured, you know, after 200 and some episodes, it just posts all the same things that you and I post.
Yeah, exactly. And yeah, so definitely reach out, thanks to the listeners who sent in their questions. If we didn't get to them this time, we save them up every so often and we kind of address them as much as we can and when we can. But feel free to send those in. And yeah, thanks everybody for listening and we'll talk with everybody in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review.
And we'll be back soon. But in the meantime, hit the website at identityatthecenter.com and find us on Twitter at IDAC Podcast. See you next time on Identity at the Center.
