This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey Jim. Hey Jeff, how are you? I'm actually not so bad, but I'm operating at a 60% clip right now because I've been sick all week and my voice just sucks. How did you like me getting you sick last week?
Yeah, I appreciate that. It was either you or my wife. So you and I traveled all last week for client work, our real jobs. And you were sick, coughing over the place most day away from me. And while we were out there, my wife was sick at home. So by the time I got home Saturday, I think by Sunday night Monday, I was like, all right, when are you bastards giving me something? Yeah, well I feel kind of responsible, but then I also think that you know, you interacted with
about a thousand people in the course of that week also. So it could have been any one of them. But anyway, usually I'm the one who's sick and grinding through it. You don't get sick very often. I'm not a lot of bullies. Good to see. You and I were texting. I felt like I feel like the last couple of months with all the travel I've been doing, a hundred and two flights last year. So a lot in the third quarter or fourth quarter, especially. I was like Neo in the Matrix dodging
like virus and plague bullets coming my way. And I have not been sick in a very long time. And then here we go. It happens. Fortunately, I feel like I'm getting better already, but my voice sucks. So there may be point parts where I like point you and say, you take that excursion. Do your best, Yoda. But yeah, I was, I mean, I've had my years where I've done a lot of flights. A hundred and two is a lot of flights. But doesn't it seem like every time now, there's a delay.
Like on this last trip, I was delayed in both directions. Yeah. I was too. We got delayed. Or we actually got stuck in Atlanta overnight. We had to stay in Atlanta and then fly out the following morning getting where we're going. And then you got delayed coming home. I got delayed coming home the following day. And then I was actually supposed to have two flights this week. And I'd missed the first, the first flight was delayed. And I wasn't going to make my connection. And I
wasn't going to be able to get to ready to go in time. So I was like, I just canceled that, which actually worked out well because I was sick anyway at that point. So I was like, I'm not going to go. Is that worth it? And then at that point, it was just kind of like, which is, which is, which is stay home this week and get free and clear. Don't be that guy who gets on the plane is like, yeah, lower the place. Do something. Do something. Go somewhere. Yeah. So we were
focused a lot on privileged access management last week. And then the announcement came out that Delinea acquired, um, Authomize. That's really interesting. I always thought pretty highly of those guys and, you know, Gal was on the podcast in our early days, right? Before we had good audio quality or any of that good stuff at, you know, episode 98 all the way back in June of 2021. And by the way, you know how I found that? I went to IDACpodcast.com. I clicked listen to the show.
We've got a handy dandy search bar that you put out there. And I'm telling you that search bar is like, it's better than most search bars that are out there. Like it really, it really works actually. I spent literally minutes putting that together. It's something glad you appreciate the anti work of a simple search. But yeah, you're, you know, you're a natural promoter. You know, promoting the website already. This is great. Yeah. Well, and in addition to
that on the website, we've got the leave us a voicemail button. And so as a special promotion for the leave us a voicemail, we're doing a little, let's call it a contest. I don't know if that's really a contest, but if you leave us a voicemail and it's a question that we can use on an upcoming episode on February 5th, we're going to pick five questions, run them. You and I are going to answer them. That's going to be the episode, right? And we are going to have links that
people will get a free ebook copy of Learning Digital Identity by Phil Windley. And we had him on a recent episode. Great interview. Awesome book. So if you're interested, you want a copy of the book or you just want to play a role and hear your voice on the podcast, go out to IDACpodcast.com. Click those or I'm sorry, leave a voicemail or what is it? Is it that or contact us or something? Yes, like you go to the homepage and there's a little flyer on the right hand side that pops
up. So it's talk to us. And then yeah, you just record. You can do that. And thanks to I think it was Tim, maybe who spotted that the mobile website was broken. So I fixed that and we got his. So that's good. So yeah, you can go to the mobile website or the regular website. You'll see a little bear says talk to us. You can also go to the contact pages there too. Send us a voicemail, comes to Jim and I and yeah, we'll use the best ones. We'll pick five of them and get yourself a free ebook.
It's first time we've done a contest giveaway. It's kind of exciting for us. Yeah. And I would say that look even if it's not one of the five we're doing that episode, I think if we get some extra questions, we'll incorporate them into future episodes. You're responsible for by the way for contacting winners and getting stuff out there. I'm putting that on you. Oh, well, that's my reward. That is your reward. What else? Anything else? Go on. Or should we get to our main?
Let's get to it, man. I mean, like this is an episode I've been looking forward to for a long time. We met these guys all the way back at Identiverse last year and it's kind of finally come full circle. So let's get into it. Yeah. And we got like a little bit of an alphabet soup. I'm not even sure what I'm going to call this episode yet. Maybe it'll name itself as we're going along or maybe if any of us come up with a good name for how I should call this, I'm looking
for ideas. We're going to talk about CAEP, ITDR, SSF. We've got Atul from SGNL. He's a CTO. Atul, Atul. I knew I would screw it up. I'm so sorry. Atul Tulshibagwale, CTO at SGNL, and co-chair of the shared signals working group and corporate board member at the OpenID Foundation. Welcome, Atul. Thank you. Thanks for having me. Happy to be here. You know, I was practicing before the show hit. I was like, all right, let me try and get this in my head and we get to get right.
And then immediately I goofed it up. I'm going to wait for you on the sickness. We've also got a bonus guest as well. This is a two for one today. We've got Sean O'Dell. He's a senior staff security engineer, consumer and workforce identity and access management at Disney. A small little company that people might have heard of. Welcome to the show, Sean. Thank you both for having me. Pleasure to be here. So as with some of our guests, sometimes we
need to make sure that opinions that are expressed are their own. I'm going to make sure I read this out so that people understand viewpoints here. This podcast appearance by Sean O'Dell is for informational purposes only. The content should be regarded as general information and serve as a springboard for your own independent investigations. All perspectives expressed by Sean O'Dell hereafter are his own. All right. Now we're free and clear. We can talk about anything we want.
Why don't we start with you, Atul? Tell us a little bit about your identity origin story. We're going to get to Sean as well. But how about you go first? How did you get into the world of identity? Is it something that you chose or did it choose you? Yeah. It's actually an interesting story that I was working on super computing and I was in India back then and I was working on the first super computer that India developed and the day we got the first order for that super computer
the USA brought down the export control. So we were in the free market after that and I was certainly feeling the pressure of commercial pressure from American competitors. So I was wondering what to do next and I was like, okay, you know, there's this thing called the Internet and you know, you're never going to be sure who's on the other end of that Internet
and that's how I got into public key cryptography. It was something that I had read about and I found a job in Pune in India that was a startup that was doing cryptography based stuff and like, hey, that's a good place to be. Well, I go there and it turns out that I built on the software and the toolkit, the you know, the cryptographic toolkit that I was supposed to be using,
they couldn't export that to India. So that's how you know, I ended up in the US after they got some kind of clearance from the Department of Founders to have me work on that to get over here and when I was here in Atlanta, I was sort of introduced to this company called VeriSign which was a very tiny company at that time and I was sort of really, you know, I just got my imagination like all the different possibilities that the public key cryptography
and, you know, the public certificate authority and all that. That's how I got into it is I joined VeriSign as they, you know, the protein engineer there. And you also do some work with the shared signals working group with the OpenID Foundation. I kind of mentioned that when I introduced you, tell us about the shared signals working group. What is it and what would you say you do around there?
So the shared signals working group is the part of the OpenID Foundation. People know the OpenID Foundation mainly through the OpenID Connect protocol, which is the single sign-on protocol. The shared signals working group we can think of as a generalized framework for asynchronous
communication, right? And so you can think of something like a webhook, like an API webhook where, you know, you've got an API and I say, oh, well, you know, tell me about this when something changes or something like that. And that's what the shared signals framework is. What goes into those asynchronous communications are events in the form of security event tokens or SETs, and CAEP
and RISC are two applications that sit on top of the shared signals framework. And so the development of these standards, the shared signals framework, the CAEP events and the RISC events all together is the work of the shared signals working group. And so we've just recently released the second implementer's draft of the shared signals framework, which is a pretty big effort. And, you know, onward and forward. And, you know, because we're talking about the shared signals
framework, maybe I should make a little announcement here for our co-speaker. Are you ready, Sean? Let's hear it. So as of Tuesday, you'll be sharing my burden of being a co-chair. So, you know, I'm happy to announce that here. So, the original issue is on the workload and the honor. Appreciate it. I'm going to post a little pause on that one. I got sound effects for everything. Well, that's great. That's exciting. Sean, we're going to get to you. So I got to ask again about
Atul, your background. I mentioned also you're the CTO of SGNL. And it's sgnl.ai. For people who aren't familiar with SGNL, what is SGNL's purpose in life? Like, what are the problems that you're looking to solve? Right. So I think, you know, the immediate problem that we're trying to solve is the ability to manage authorization at enterprise scale. So, we think that the
access management or access control problem is being solved largely at the developer level. And in some cases, and you know, through more static systems that don't really scale to the speed and the automation that is required in today's enterprises. And so what we do is basically, we work on the principle that you should not have to manually, you know, decide permissions for anyone, really, at any point of time. And so that, you know, naturally leads to what we call as, you know, zero
standing access. And then you want to manage your access policies at scale. So you need to have a very, you know, human readable policies that you can organize in reusable snippets. And, you know, have very good controls on how to manage them and all that. And then you need to be able to enforce
that access at various levels. Your infrastructure like AWS and Azure or, you know, even Linux and SSH and all the way up to like your APIs and, you know, VDC, PIA, Gateways, or internal applications and stuff like that. And then all this needs to be, you know, audited in real time and, you know, be able to, you know, enforce these decisions in real time. So in a nutshell, that's kind of what SGNL does. Well, we'll have a link in our show notes so people can check it out, kind of,
learn more about it. Sean, let's, let's turn over to you. Identity origin stories. Tell us how you got into the wonderful world of identity. We give you a part one and a part one dot one. So first, the first time came around. So we're working for a logistics company doing like LTL or truckload freight, even small package shipping. And had to hand build a CRM from scratch. But I had to see you're out using the lovely principal identity from Microsoft doing it in like .NET 1.1
before it was actually like a thing. So I had to figure out authentication authorization and access before it was really a thing. Built out homegrown authorization engine, build out a homegrown access engine, migrated it out of SQL and put it into its own standing thing. Then they got acquired and I went and worked for a medical company. So that was my first foray to it. And it looked kind of interesting. And it was it was it was a very good domain. I was much more intrigued with
authorization than authentication. That was pretty easy. So and here's the part one dot one to it. I had to take over a thing which is a surprisingly still well-known called Bitcoin Keystone. I had to learn that from scratch and it was it was it beef. So my origin story is like two parts to it. First it was the the double and oh it shows me for sure. And then I dive in deeper and won't look back. It's so much fun every day. It's some different. It's like a horse head left
in your in your bed. You try to get out and you just can't. You work with Disney now. I guess tell us a little about your role with Disney and sort of the maybe just kind of briefly what does a you know engineer do from an IAM perspective. I work with the entire company on Workforce and Consumer Identity. Everything from pushing standards to be adopted doing it the right way with standards. Helping build out implementations, rollout services, own services, run security services,
insert IAM bingo buzzword here across the gamut. We do privileged access, all of it. So my scale is the company and my scope is IAM and it's it's honestly so much fun. I enjoyed every day. It's again identity never sleeps. So that quote from Gordon Gekko from Wall Street. For sure. But instead of one is still on the steel. Exactly right. It's it's a mixture of like
your engineer your architect and your consultant all in one. Your scope is it's so fun. And you were at Identiverse last year and you gave your presentation there and can you tell us a little about that and are you going to be at Identiverse again this year. And it's so yeah everything planned to talk about there did a couple submissions and a panel being on the you know participating in the working group and now being you know officially responsible for shepherding that along. I
did submit two submissions, one of them is for zero standing privilege. The other one is for I don't want to give it away but it's an interesting title but it involves shared signals and CAEP and what powers it because you know we'll talk about a more on this on this podcast and the other one is as a panel with all of the co-chairs on the shared
signals working group. It sounds really cool. So Sean before we hit record you had come up with an analogy and I think we should use it because you know these terms shared signals and CAEP. Most people are not familiar with it. Why don't you throw your analogy out there and we'll we'll see we'll throw it against the wall see if anyone salutes. Well this is going to show my age
so that's okay. The analogy with what CAEP and shared signals is goes back like let's say way back so you can look at it from my if a law enforcement agency were ever to issue an all-points bulletin that would be essentially a CAEP event like this is a person of interest this is a
person to watch out for if you see this person they're really dangerous don't engage with them that's the event but the shared signals framework is when you have law agency in Denver sending a fax here's the age to someone in Atlanta or a counterpart over in Colorado or in LA
the transmission of the fax is essentially the protocol to send the CAEP event that is what shared signals is another way to look at it is you had a a wanted flyer I know that I'm in search of something or a wanted flyer I'm walking around and putting wanted flyers out over
telephone poles and whatnot again the event is flyer the transmission is me walking it around one by one so it's kind of like a good analogy to start sticking into like what is CAEP what is shared signals how does it trans how does it transpose from real world to digital with one minor nuance there's a
look is a lot of the difference in the digital world versus the real world real world do you know this person's like a person of interest or like a malicious actor whereas in the digital world it's a signal like we think it is like this IP looks suspicious or this behavioral event that
Bob did looks bad or what a total profiling let's be honest you're profiling these folks these these poor folks are only profiling because the P in CAEP stands for that okay well no I mean yeah it makes a lot of sense right you have the the central agency which is like your your central
IT capability and it's sending it to the individual departments which are like your applications right so that's the that's the message that you're sending is watch out for this person of interest correct yeah they're throwing off these these they're fitting this profile of like oh they're
hitting it with a headless browser or they're you know they've tried to authenticate unsuccessfully 50 times etc etc so I just wanted to add to what Sean just said right so it's not necessary that you know each event could be anything suspicious in itself right like it could just be an
you know curious kind of observation like hey you know I saw this user come to this application you know that by itself doesn't mean anything but then if you see the same user within like a span of the few seconds visit like you know five or ten different applications then you know
that could be a lateral movement attack and you know you want to respond to that right so an event by itself doesn't necessarily mean anything's wrong it just means that you've observed something that could be of interest to others and it's all can I I'm gonna add one you perfect I'm gonna
add one more thing it's it and Jim I think the way he said it is not every signal is bad the whole point of the shared signals framework is the beginning one of it share as you know to get to zero trust be off to share it's not same language right so if I present an a leading indicator
that you Jim your system sees you might leading indicator of what you're seeing could lead to an aggregate signal that you have collected to say oh Sean set me this Jim has this both of them together to you it could say an informational signal for me and a medium one from you could
equal a high which means you Jim as your system could take action on it you don't have to but you could yeah I see a ton of value in this it is kind of complex so I want to try to bring it back to building blocks especially for people who might not have all the context so Atul if you could
kind of help us define and understand so it's CAEP is continuous access evaluation profile that's the profiling bit that we're joking about a little bit earlier C-A-E-P you know the funny thing is like if you go on to Google and Google C-A-E-P identity by the way C-A-E-P also stands
for other things but within our space within this identity space it's like Atul, Atul, Atul listed over and over again and you so we're hearing from the expert what what is this what is CAEP yeah so it started as and that's maybe some of the confusion that it started as
continuous access evaluation protocol and it was you know based on a little blog that I wrote when I was in Google back I guess five years ago now and then what happened was we started meeting informally as a as a cross industry group developed about you know 30 or companies
from around the world that were meeting outside you know any standard body at that point and then we realized that hey you know we we although the objective that we are trying to achieve which is session security is different we are sharing the mechanism of asynchronous publishing
and subscribing with this other thing called RISC and so the two merged and that's where the shared signals framework came about and then CAEP became you know continuous access evaluation profile of that shared signals framework right so just just to clear up that the new confusion there right so
so you know what CAEP is really all about is being able to improve your session security machine signals that are relevant to your user session right because in today's world a you're always signed into a large number of services you're using large number of services simultaneously
and b there are many independent services that are actually being able to tell information about what about your posture about your security about you know something about your ability to have that session right and like for instance while I'm using my computer you know there may be
an endpoint security program that is on my computer that is detecting something about my computer if they detect something then they need to be able to tell someone else that hey you know this person is on this computer and I'm detecting some malware on it and so you know you should
sort of take care of the situation or a service provider that you're working like and let's say using Google Drive or some uh file sharing service and they detect that all of a sudden the same user who was previously in you know Cupertino California is suddenly in Iwan version like that
right so you know you should be able to share this information about what you're seeing in order to bring a more complete security picture and then in real time you're able to affect you know what that user experiences in terms of using those services that they're using yeah I love that
example you just brought up which I often hear referred to as impossible travel or you can't go from Cupertino to New York City in 15 minutes um so or 15 seconds is cases right yeah so um just thinking about that you know I usually hear that associated with conditional access or adaptive
authentication and mind the reject are though but there's got there's more to it right yeah I think I'm talking I think there's recognition that this is a problem that a lot of different companies have attempted to solve and the difference with CAEP and everything else is basically CAEP is a
standardized way of doing things right so you may set rules of conditional access in let's say Azure or you know other systems where you can say oh if this user is coming from this IP address and allow them or it's not don't allow them but that's kind of specific to one
particular system whereas what CAEP is trying to do is expand that across different vendors across different uh you know services and why that is important is because every enterprise you know without exception is gonna have a multitude of vendors right and you really cannot control
what kind of technologies are at play so you need to establish some kind of a baseline that everybody can communicate with so that you know you improve the overall security for all users right yeah that's a really good explanation and um you know you mentioned a blog article we're
gonna throw a link to that in the show notes you know the other thing Sean that this is sounding a lot like so when I when I hear Atul talk about CAEP reminds me a lot of what an ITDR can do so what are the similarities and differences between CAEP and an ITDR or am I am I missing the plane
here I think there's an element of CAEP ITDR so the way I broke it down is the ITD is the CAEP the R is the ITD is like the ITD is how you figure out how do you assemble a CAEP right but the R is the response and the response is using the shared signals framework with a CAEP so it's
very tangential to it and it it it should be pivotal in any ITDR strategy because it is like Atul said you you can use this if vendors vendors have heard of solve this independently right but if you have them all speaking shared signals using CAEP then you get true vendor interop which then
you you lower your security threshold of having to have a privileged API into Azure or privilege at privileged API inside your IDP or into your your PAM system so if vendors all support shared signals using like CAEP for example your identity threat detection you can focus harder on that
and then your response is emit signal to A emit signal to B emit signal to C so the word we're I think companies should focus more on is their business and what looks suspicious than worried about I have to call 15 system API independently and I have to worry about when they change their
API versus if you just accept this standard everyone wins I really like that explanation how you just said okay the the the CAEP and the shared signals framework is essentially the ITD and then not the R Atul actually where would you come from on the the R the R is the response and the
response is the signal so the response is the shared signal the ITD is the brain behind it so the response is the the shared signal with the CAEP and so if I misspoke target okay no that's great Atul like you're you're ready to jump in and add something yeah I just wanted to mention that
you know threat detection is easy mostly home to kind of you know well exercise right because you cannot detect it right by just observing someone in one little corner of you know all the multiple systems that you're having right if those systems can communicate with each other you
even improve your threat detection right so it's not just the response it also like helps in the threat detection itself that's right I mean yeah you I think that's one of the things that we we talk about with our clients and we talk a lot about it on the podcast is you know you if you get
overwhelmed with the number of events or things that look suspicious then the things that actually are a problem just kind of like hide in that you have to be able to separate the wheat and the chaff as they say and Jim I want to add on to what Atul said it's it's a it's a good follow-on
where it's almost like the response of multiple systems helps with your threat detection so it's almost like sharing is caring as part of my identity of our software sharing is caring because if you have 15 systems all doing this and they all share the same information you get better
the detection because you get you get better response itself just thinking about Identiverse just a little plug out there for people who are thinking about going it's going to be in May this year and there's an awesome conference so Jeff and I are planning on being back there Sean I mean one of
the really cool things about having you on the podcast is you're an actual practitioner putting these things to work give us a look like it maybe not like really how you're what you're doing it on but an example of like real life where how do you put something like this into
into motion and then I also think like it's always starting from you know from the base level this is like they don't have CAEP or shared signals but they're really intrigued by this concept where did they get started so first some kind of a grow world examples then maybe some real world
guidance of like how you go from not using this to using it what's actually a good plug for there so part of what Atul has asked that I helped shepherd along is contributing use cases in the working group so that it addresses the exact question you have is where do I start
because you have to always start with the business case first and why it's needed and what the use cases are and build backwards because you can build a shared signals system of CAEP awesome what the adoption look like so it's yeah they have to start business case first like what do you
what do you want to go after because you can very easily get into a signal to noise ratio problem very quickly and by signal to noise meaning I'm going to pepper you with 10,000 events and you're going to know not know which one is which one did you act on so yeah I think you asked like what's
a real world example I'm going to give this to and this is a pretty pretty wide known problem it's more of more than a noise everyone subscribes to some streaming platform pick them across the board and this is not a plug for Disney+ so please do not think that sometimes you get locked out
of your TV and I don't know about everybody else but like I hate putting my password in until Roku or name system x it is so bothersome and annoying what this could help do is help enhance the user experience through security so let's let's give a prime example let's say we talk
about your favorite example Jim the the Superman case I can't be in Cupertino in Atlanta and then in the same 15 seconds if I'm on my streaming subscription all of a sudden I see like a a device came from Atlanta but you know I usually watch stuff in California using CAEP and shared
signals powered by some detection engine that has to happen so that you can't just implement shared signals and watch it happen there has to be some kind of threat detection or behavioral analysis that says I only watch this show or I only watch this platform from California you're
coming from Atlanta that looks weird so using the shared signals framework you would emit a session revoked CAEP event for that device not for your entire account so you can still be at home in California streaming your your favorite shows and you're not burdened because someone
got your password on Have I Been Pwned or take your pick site x right so the applicability there is it's very real it's it's being it's being prescriptive in security and being very consumer friendly to not just not not to disturb someone's user experience so it's very very good
to harp on that you security you get through security you get better user experience as one exact case but that's one of many that you come up with but that's a very one that should hit home with most people let me throw a twist in there because I think that's that's a it's a
compelling use case let me flip it on its head though I travel a lot I'm constantly logging into things all over the US for the most part is there a way that something like CAEP or this shared signals framework can help me maybe is picked up that I did log on to one system already and it's not going to throw me another work another system that I tried to log in our application is there a way to help my scenario with something like this if you travel a lot you if you travel a lot
it is consistent because you go to different places you have to make a lot a lot of assumptions but whatever's powering your shared signals implementation using CAEP that is your behavioral analysis that we know Jeff travels to fifth one apparently 102 flights a year so that's a lot right so if
you travel a lot maybe the geolocation where you're at is not an indicator for your given account but maybe it's like okay we move your geographical maybe we move your geographical boundary from state to country right but if we see something coming from like UK Columbia Switzerland that's suspect
or other thing is even if you travel you tend to use the same device, right? So it's, you're an iOS person or an Android person. Let's say you're an iOS person, but all of a sudden I see Sansa or high tech or whatever. Now that we can move you move the behavioral analysis from
some fact to some other dimension so you don't go just based off a location you go based off device even time and day you could but in your example I would say device would be the device is the next leading indicator and again that's why it's important that we could
send signals that looks like, mm-hmm, Jeff's in Arizona, Louisiana, may wherever you are, not a bad thing, but all of a sudden we see you in Montana when we know you don't go there could be and you could have some friction. But that's kind of where you have to have, this is not a
CAEP or an SSF spec, but you have to have that feedback loop from your gastric from your users and say no, this is really me, this is really me. That way you know that it's really you and that your behavioral signal that you're powering to enable signals in CAEP Hoppin your data your
data analysis has to be accurate and has to always be given that feedback model. Great question, or great twist. I think the device thing was what I was thinking at. Atul, what do you want to add in? Well, I can add a couple of enterprise cases, because one very early adopter of CAEP, although
they predate the standard and so they have adopted it in their own sort of way, is Microsoft. And how they've done it is that, you know, previously they used to use short-lived tokens between, you know, Microsoft Azure AD and, you know, Exchange and Teams, and what the short-lived tokens
meant that the user had to re-log in every hour or so in order to prove that they still are sort of the same user, right? Now what happened is, after they started using CAEP, they were able to extend the token, like, token lifetime to a much longer time, so that if something was wrong with
that user they could just send a CAEP message between Azure AD and Exchange or Azure AD and Teams in order to say that this user should be logged out, right, for example. And that sort of was a grand, you know, it was something that they were actually said that, you know, it's one of the four pillars of
their, you know, reliability strategy, right? And so it's a huge thing for, you know, the top service as well of Microsoft to be using something like CAEP. It's not the standard itself, but it's something very similar, right, and they even call it continuous access evaluation and they
acknowledge that it's sort of leveraging the concepts in the standard. The other use case I was going to talk about was the Apple use case. They recently announced in the WWDC that they require custom IDPs to support shared signals in order to be able to integrate with Apple Business Manager. Now Apple Business Manager is making this device management thing where if you get a Mac from your employer, you know, you can manage it using a business manager and that, you know, you can
have certain restrictions aboard its use and things like that. Now let's say you're using your Mac or your iPhone and, you know, your IDP says, well, this person has changed their password and you need to enter your changed password on your device. They're going to send a CAEP message, which is a crescent credential change message, to Apple and then Apple is going to
lock you out of your device and to do it re-enter your password for example. So those are some of the sort of publicly known, you know, enterprise use cases. I'm sure there are more and I'm sure Sean knows of more, but, you know, those are the ones that you can talk about here. And until I want to hit on something that Jim said earlier, like, what's the difference between conditional access and adaptive authentication. The irony here is getting a thing and getting a thing in your
business in the workforce, like, CAEP gives you that, because you could give the work, your workforce user a longer session with bigger trust if you have a thing like CAEP in place. And it's very, shared signals and CAEP brings together a lot of IAM domains, it really does, like authentication,
access authorization it brings it all together and it I don't want to say it's core to a strategy but it can it can power a lot of what like a product team to put what I want to do not in space from over course you're stuck there's a lot over force so I thought about two still so here's
an update that I would like to see: I don't want to have to keep logging into my Blizzard account to play World of Warcraft every time my network changes. I mean, that's where I'm looking for CAEP to benefit me, or shared signals for America or something. It's like, dude, it's the same laptop,
yes you're logging in again why are you prompting me again like I feel like you know I think very I mean we've been doing this podcast like four and a half years and I think very early on I kind of pointed to the gaming industry is one of the early adopters of just MFA at large because of
account takeovers and things like that and how valuable you know some of those things those digital things were and I was like oh yeah like Blizzard is great like they're they send you a push notification and you click a button in your hand and now it's like super annoying it's like
all I did was go from one network to another it work it's still the same device like what's the problem here right shouldn't we have a better way to do that you know I got to do my daily man come up this has been an interesting discussion I'll be honest I don't know quite sure if I get it yet
you might have to do a follow-up conversation it's okay is this what you mean I feel like I'm a little bit into that first month of like high school chemistry and you're like what just happened and then all of a sudden it's gonna start to click but I think I'm starting to get it
let me try to wrap things up here, and actually Sean will ask you, and I just want to have as simple of a definition as you possibly can make it. Pretend I'm an idiot, you know, to pretend, but, you know, for the podcast just pretend there's not true. What is CAEP? CAEP in its current
state is a way you can manage user slash identity sessions, and the Shared Signals Framework is the way in which you can communicate that message. Just okay, that's very helpful, I appreciate that. My simple brain was starting to explode and I need to save some room to talk about, well, a couple
things. The first thing is your, I usually, I have the most interesting, like, office kind of background just because I've a nice camera and monitor and trees and license like that behind me, but Sean, you got to explain to people what Atul, Jim and I have been looking past you at for
like the last 45 minutes or so tell explain your office to people well I'm a new father I used to have a bigger office downstairs that had life size star wars stormtrooper bust from episodes two three and four so clone troopers to stormtroopers but I got moved upstairs because he now runs
the first floor and I have been reclused up here. So what you can't see in the background is, I have a problem: I collect Hot Toys and Sideshow Collectibles. I'm a collector and I have a 37 hilt and 22 helmets and eight full-size bust from Star Wars. They range from Commander Gree to all the stormtroopers.
I have a so many helmets and I have probably I don't know many but I have a very forgiving wish to just be collecting like more stuff, but I have a lot of cool things. I have a rose gold saber from General Leia as well. I have a too much to talk about but they're all, it's all very
gets limited I don't go for like the black series stuff I want like the the collector stuff yeah and it's all behind UV glass and yeah what's the most I guess the rarest item that you've got in your collection the rarest thing I have is a mint in box 1977 male invocin oh wow dude I when I
was a kid that was what I wanted so badly I never got one I have to talk about the one that I've played with and one that is like not open that's so cool let's keep with the sort of the the Disney theme here in honor in honor of Sean and the small company that he works for this is a
question for everybody. Atul, we'll start with you: what's your favorite Star Wars, Marvel or Indiana Jones movie or TV show? Yeah, I think there's so many good ones, but I got to go with Rogue One, which was a recent movie from the Star Wars series, and, you know, it's so good, it was so good. I did
not expect it because, you know, ever since sort of the merger between Disney and Star Wars happened, that was like, you know, where is all this going, but Rogue One just completely, you know, astonished me and I just loved everything about it. That's a good movie. It's funny, I don't want to spoil it
but I feel like it's kind of like oh it's kind of out there because it's already I mean really it's kind of what happens to get the death star plans right that's sort of like the thing and in the first well fourth episode I guess depending on how you watch the original you know arc of the
movies everyone dies at the end so it's kind of like a it ends on kind of a downer but such a good movie I'm with you and I got I got I love what Disney has done with the Star Wars franchise they put out so many good things I mean you know I'm sure there's care taking going on to make sure that
the brand doesn't get, you know, screwed up, but between Mandalorian, you got baby Yoda, I mean there's, you got, I liked Obi-Wan, I thought it was great, I liked the Boba Fett stories, you've got, I haven't seen us us us talk about yet or yeah no what is it what's our name the Jenna Ahsoka, Ahsoka, like a
second that right that's a place Ahsoka. I haven't seen that one yet but I've heard good things about it, so I feel like there's a lot of good choices out there. Sean, what's your favorite Marvel, Indiana Jones or Star Wars movie or show? Well, Atul took my answer, so probably should say
Rogue One again, because we just heard that, because I talked about Star Wars the entire time. I'll go Marvel, and it's traditional Iron Man. Iron Man one set the foundation for the MCU. It was an epic movie that, if you haven't watched the special on it, see how it was filmed on like a shoestring
budget. Favreau made that feel like he he's dead the stage really. I'm see, is that behind the scenes, is that something that they can see on Disney? Because I haven't seen that, I want to see that. Yeah, I think it's on Disney Plus. Yeah, okay, nice. It's shameless plug, but no, hey, I mean I
have Disney I'll have to have a Disney says they don't need our help showing subscriptions that's one thing if if I didn't the setting or makes a drop in the Disney numbers hey you know we'll be happy to have them sponsor us Jim what's your favorite Star Wars Marvel or Indiana Jones
movie actually I was gonna surprise you with by picking a show so I saw the Mandalorian a while ago and like I really enjoyed it but I've got to go with like old school return of the Jedi I enjoyed that man and like you know I think that was it's it's funny you look back some of this movies now
you're just like oh my god these graphics suck you gotta remember the time frame when they were created yeah and I mean you know it's the time they just completely blew me away I mean it was such a shift right it was like at that point when those movies came out there was like everybody wanted
a lightsaber like everybody wanted it right it was like the thing I remember my you know my my I have younger brothers in the next young guest we each had plastic lightsabers and we would chase each other around in the front yard swinging at each other and I have a scar in my nose from
defeating him in battle and then him throwing a chunk of a door sighting at me because he was not happy about that so I have a Star Wars story oh yeah just before you do that I just want to my last notes would be I kind of wish I did more than what Sean did and kind of collecting them
because I remember having like all these figurines and toys from Star Wars and like I remember I had the Luke Skywalker in the orange jumpsuit and sticking his head in the dirt and pushing it and breaking his head off like that's how I play with my toys like I got full value out of like
destroying them but I wish I could go back and have that in the box like never open I have two of each one to play with and one yeah at the time they're like Sean's just do college no but again they're like they'll put you to college I'm like me it's either right now they're going to they didn't
they didn't approve state that one step fall I want to I at some point we have to unpack why Jim was taking action figures and ripping their heads off I feel like that explains a lot Jim yes that was young Jim that was like six seven years old like yeah but I mean all my toys were
broken. Sean, you took mine. I'm a big Iron Man fan. I really didn't know the character until Favreau and kind of put that out. Now I was like, holy yes, like, this is amazing, right? It was kind of like this is Marvel's answer to Batman for the DC, and it's like so much better. I not
what I love Batman think it's great too but the whole character of Iron Man and I think especially with the way that it was portrayed as Tony Stark and it was just perfect casting so I don't know can I pick this I don't I'm not going to pick the same one I'll say I'm going to enjoy a lot of the
different things the one I think that captured me most recently was probably Loki the series on a Disney for the Marvel series I really enjoyed it I thought it was fantastic and alligator or crocodile Loki is awesome so if you ever watched that you know what that's all about but I thought
it was I thought it was original and it was a good story and I still have to watch season two but I'm with you Iron Man is is is the bomb is the kids say I don't know if the same one so they asked I'm going to make a casting for him is amazing yeah yeah sorry no no I'm going to
make a suggestion, because I'm sure most of our listeners like these genres as well, and if you're listening you're just like shouting your answer at your iPhone or however you're listening. Go out to LinkedIn where we post this comment or when Jeff posts this episode and just drop in what
your favorite was we'd love to hear it yeah I'll be sure a lot of out of context like hey this episode is available and I was just a bunch of TVs movie stuff things like that I think that's really funny all right I think that's a good spot to leave it we'll go ahead and wrap things up
Atul, Sean, thank you guys for spending the time with us. I think there's such a dense topic, it took me a little bit to get my head around it, so I feel like this is an area where it's kind of like just beginning, so definitely appreciate the work that you guys are doing as part of
the working group, right, to get this out. This is how things start, right? It starts at that level and then all of a sudden, next thing you know, it's like SAML, OpenID Connect, right, these things that everybody knows about, understands. So I appreciate you guys being part of the conversation, kind of helping
start to demystify how this works. We'll have links in our show notes if you want to connect with Sean or Atul on LinkedIn, you can definitely check them, check out the show is there. We'll have a link to SGNL, sgnl.ai, so you can learn about what Atul and his company does. We'll link to the blog
that Atul wrote around this, Rethinking Federated Identity with the Continuous Access Evaluation Protocol, which is now profile, my understanding, what I got from this conversation. And yeah, you can always connect with Jim and I on LinkedIn, around the web idacpodcast.com, on Twitter or X
or whatever it is now at idacpodcasts, Mastodon at idacpodcast at infosec.exchange, and yeah, connect with the suddenly to as well. Don't forget to leave us a voicemail, win a copy of the book that Phil Windley wrote and hear your voice on air February 5th. So anything else, Jim, that I forget,
or are we ready to go no you rocked it man and you know you did really well considering that again you have the cold or flu or RSV or dare I say you've got the uh no I trust the 19 I'm not sure I'm good on that I think it was just the allergies or some sort of this is allergies
scientists don't wear a sneeze right on you but don't worry it's just a flesh wound don't worry about it the show must go on see this is what I do because I love it all right that's enough uh thanks everyone for listening and we'll talk with everyone in the next one you've been listening
to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon, but in the meantime hit the website at identityatthecenter.com and find us on Twitter at IDACpodcast. See you next time on Identity at the Center.