This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey Jim, hey Jeff, how are you? Oh, not bad, yourself? Doing great, man. We're here doing another sponsored spotlight episode. And these are fantastic.
And I'm really excited with the one that we got today. I mean, you know, we've, I think we kind of hit the jackpot in terms of what we're going to talk about today is a company called Veza. I don't want to steal the thunder of the show, but I guess if you, if you saw the, the title of the podcast, you know, already we're talking to Rich from Veza, but it's like this up and coming company, right? And it's like it can't be ignored for sure. And to me, it's
just like, wow, like we're going to talk about so many great things today. Yeah. So I guess you've already spoiled it. We're talking with Veza, but we want to make it clear, right? This is a sponsored episode. We actually work with our sponsors on these and kind of come up collaboratively of how we want to develop a show that we think will be entertaining, informative, but also get us, you know, deeper into specific, you point specific solutions,
something that we try to stay away from on our normal shows. But this gives us an opportunity to talk with, you know, really smart people and really ask specific questions that are maybe more product focused than we normally would. We're really talking big ideas, maybe stuff like that. Yeah. Not that we want to talk big ideas here, but gives us, gives a little more specificity we can kind of talk through things. Yeah. I didn't want to give
away the identity. What I really wanted to say was we got the man with the golden pipes back on the show. Excited to hear him talk because he's got like a Grover Washington type voice. Yeah. Definitely good pipes. So today's sponsor is Veza. They're the identity security company. They think that they've cracked the code on cybersecurity's hardest question: who can take what action on what data? Let's find out more with our guest.
His name is Rich Dandliker. He's the chief strategist at Veza. Welcome back to the show, Rich. Thanks. Yeah. Thanks, Jim. It's great to be here. And now I was just, all the time when you were talking and on my intro, I was hoping my voice wouldn't crack right out of the gate here. Well, see, that's the thing is I do the editing so I can insert little imperfections if I need to, but I'm not going to do that because I'm absolutely jealous.
You've got a great, you've got great radio pipes as they like to say in the biz, right? Thank you. As long as you don't tell me I have a face for radio, then I'm good. No, Jim and I have that covered for sure. We have faces for radio and voices for a silent movie is what I like to say. Rich, you've been with us before. You were with us in episode 231 back in September of 2023. We had a conversation about authorization.
We also found out really about your kind of background there. So tradition would have it that we would ask that question, but we've already asked you that. How did you get into identity? You want to hear that story, go back to episode 231. Why don't we get right into Veza itself? Jim mentioned sort of where you guys are kind of coming up and really making a lot of
impact on the market, making a lot of noise. What specifically is driving the momentum around Veza and how does that success reflect your unique values? Yeah, thanks Jeff. By the way, it is great to be back on the show. I really did enjoy the last time and it's nice to be here again. But around Veza, I think one of the things that really is striking to me, as I sort of try to look at us with an outside eye,
is that I think it really does come down to customers. I think that's certainly my gauge for a great company is like who's actually buying, who's actually using, who's getting successful and getting value from the products. I think that's been one where I've been really, really proud of what we've been able to do here, just some really great companies and some really passionate champions. That's definitely part of what also makes
people out in the market listen; it makes CISOs listen to other CISOs. That is typically how things sort of get bought, how things spread. I think we have been doing a really nice job there. The second big thing I think is really that it's a pretty innovative idea and a concept. I always try and make sure I'm not selling myself too much here, but I really think, I've been in identity for a while and I think you guys have certainly been in identity for a
while. One of the things that I've noticed is that a lot of the players are just, they're kind of the same players you would have seen and expected 15 years ago. I think Okta sort of came in, but that was back in 2009 that Okta started. I think identity hasn't had a tremendous amount of innovation over the last decade and a half and I think
it's been right, it's been ready. I think actually coming in with what I think is a pretty different approach in really trying to go deep into authorization, into this question of who can and should take what action on what data. I think people respond to that and people have been hungry because I think everybody knows that identity is a big thing that needs to be really addressed. For people who aren't familiar with Veza, let's set
the table for folks. We've mentioned authorization, we've mentioned the question and the answer, who can take what action on what data. What is Veza's sweet spot? What do you guys do? Yeah, I think from a value proposition, I think fundamentally the most important thing that we do is we help customers get to the reality of least privilege. If I think about what, from a security perspective, is important, I think that is absolutely critical. Sometimes
it's through governance processes, like access reviews. Sometimes it's by having a tool that a security engineering person can go and actually look and find the biggest violations of least privilege to go and fix them. But I think fundamentally it's that preparation for the next breach because that always resonates with me when I hear people talk about, hey, it's not a question of if it's a matter of when the next attack happens, the next breach
happens. I think really getting your organization ready, tightening down privilege, tightening down access, especially privileged accounts. That's like so critical. Fundamentally, that's how I think about the value that we provide. It's a very competitive market. You've got a lot of incumbents in this space. You've got upstarts. How do you separate yourself from others in this place? What's the core factor or thing that makes Veza really stand
out in your mind? Yeah, I think it really is starting at the data model. When I think about the product and I think about the platform that we've built around identity security, it's pulling together all this information about what we call
the reality of authorization. It's pulling in user information, group information, role information, decomposing all that morass of AWS IAM and Azure RBAC, but then also going deep into the service level to pull out granular system level objects in all the services and things like the local users, ACL level permissions. Really going and putting together a pretty unique data set into a graph and not just mapping those entities, but the relationships
between those identities. That fundamental data model is a beast as you can imagine. That is a tough problem to solve. But then once you have that, the things that you can then start applying that to, actually creating products based on that data model are really, really interesting. You can do things that are traditional like IGA types of things, provisioning and lifecycle management. You can do it in very different ways. That's one of the things
from a product guy at heart. That kind of stuff gets me excited when you can go and attack those things that have been around forever, but do it in a dramatically different way that provides and solves problems that have been around forever. Yeah, Rich. That really resonates with me. At the time you hear of a new vendor, you try to, in your mind, compartmentalize, where do I fit them? I think the area that
Veza is the closest to is governance. I feel like it's a gloss over just to say governance. It's so much more than that. It's being able to drill down more than I've seen really anywhere else. I talked to you about the strategy of Veza in terms of the roadmap. I came up with the term the anti-convergence strategy. There's a lot of IAM players out there today
who are really in the strategy around convergence. Whether you like it or not, the route they're going, which is to bolt on additional IAM capabilities so that customers can go one place to get everything, your strategy is a lot different, which is to take this piece of the marketplace and really provide a solution with differentiation. Am I right in that? Am I wrong in that? Then can you elaborate on it?
Yeah. I think you're absolutely right in that, Jim, because one of the things that I noticed also, it plays into this whole tension and difference in the market when you look at the big legacy companies versus startups. Certainly, the approach of a big legacy company, and pick Microsoft, pick SailPoint, pick CyberArk or whoever you want in identity. The
general strategy is there, I need more stuff in my bag to sell. You go out and you want to say, hey, I know people spend money on this and here are some budgets and I'm going to go use the connection to the customer to go sell more stuff and get a bigger share of wallet. It's all about creating that portfolio. Typically, startups, that's where most of
the innovation starts. That's one of the challenges here is when we started, when I joined the company, I was like, man, I hope there's a market, but I don't know there's a market because it is so different and that I think it is true. It's not like we could go and say, hey, we know a bunch of people spend money on this kind of solution because there was no type of solution like this before. I think it is really deep diving on authorization and
answering this question is a bit riskier because there's not an obvious market. This is sort of functionality that cuts across access management and the players like Okta, cuts across PAM and the CyberArks of the world, that cuts across IGA as you pointed out and governance, cuts across SSPM, SaaS security posture management, and data access governance
with Varonis and all these different things. Authorization is something that's been sprinkled across all these different security markets and no one has really before taken a comprehensive approach and said, I'm going to solve that problem and I'm going to go deep in that, and I think that's what really makes us different.
Yeah, I mean, I think it makes sense for the company's strategies where there are in one spot like access management and to move into privilege or move into identity for the exact same reason you talked about, which is how do they take those existing relationships and build their company, right? But I think what you guys have done is built the better mouse trap, but it seems like your strategy is to build an even better mouse trap, right?
But it does seem like that mouse trap can be leveraged in certain areas, right? Because I think a lot of what you're talking about today, what we're talking about currently is taking access that exists and being able to analyze it. What if you provisioned the access that a person needs? What are your thoughts there? Well, you've got a good crystal ball there, Jim, because that's exactly actually where we've been moving. And so we've thought about this in sort of
a three-stage approach from a strategy. And we've started with the first stage is kind of visibility. It's like, hey, we just need to really understand what the reality is so we can show people and people could start using that data. And then we moved on to, okay, now how do we do remediation? That's step two. And so now I can see, but now how
do I fix? How do I see what's wrong? How do I see where the biggest risk, you know, most highly damaging, potentially damaging, or instances of overprivileged exists so I can go fix them? But then you go on to stage three, which is absolutely as you point out, it's around control. It's around provisioning. How do I make sure I actually create the right level
permission out of the gate? How do I actually create those accounts, either on birthright events, on, you know, joiner, mover, leaver types of things, or when someone is asking for access because they need additional access to do their job? That's where the magic happens. And then making a virtuous cycle, right? Now when you think about all the, you know, this grand access life cycle, when, for instance, you're in access reviews and you're saying,
hey, somebody, you know, somebody has access they shouldn't have. We should take that away. Well, how did they get that in the first place? Right? Because that had to get provisioned. Somebody either, you know, fulfilled the ticket or there's a birthright policy that's wrong. And, you know, just because you found one instance of it, is that the only instance of it? Is it where there's smoke, there's fire? Is this, you know,
something that's rolling for the whole group? Is there a whole role that's overpermission? Or, you know, there's something broken. And sort of how do you take those little instances that you find? And rather than just fixing, fixing those at a little granular level, how do you sort of take it and actually build intelligence into that to sort of fix the overall root cause of those processes that are, that are broken? So I want to take the conversation a little
away from theoretical and more into the real world. I was poking around the Veza website, veza.com. There you go. There's a plug. You've got some really impressive logos that are kind of scrolling through there. And it makes me kind of wonder, you know, beyond the logos that we've got there, are there any indications of, are there specific types of challenges that Veza is best suited to solve? What is that actual sweet spot that
we've got here? Yeah, you'll find there's a range of them, right? And so it's funny how, you know, every company is struggling with something that's often a little bit different. So in some cases, it's around sort of struggling with identities, right? And so it's not just human identities, but often one good example here is machine identities and service accounts, right? They might be trying to, you know, sort of broaden the definition around governance
to include things like that. It might be instances where they're actually seeing that typical role-based access control doesn't work for them, right? That they're trying to manage by groups and roles. And, you know, and this is the canonical classic example is you've got a role that's named Read Only. And guess what? There are write privileges embedded in there. And so, you know, and what you start to realize is that you're not really doing
role-based access control. You're managing by names of roles and descriptions of roles, right? And so the reality is that, you know, hey, what does this role actually do? You know, does being a member of this role, being able to assume this role actually allow this person to go blow away my customer database as an example. And he said, well, I wouldn't
want that. And I hope it doesn't, but I don't know. And so this is one of the things that when you start to pull on that thread, it becomes obvious that a new solution is required. And sort of like the way that different customers pull on that thread can vary. Sometimes it's an auditor that sort of figures it out and starts asking lots of uncomfortable questions.
Sometimes it's the CISO themselves. And, you know, it's like following up out of a breach where, you know, it's only in asking these really concrete questions and understanding how limited all the existing tool sets are that, you know, a CISO or some executive of the company realizes that there needs to be a different way. So I was going to ask a follow-up question here around, you know, these are relatively
large companies, right? And I'm going to have to imagine that they already have tools in this space for identity and access management, probably a number of them, which leads me to the question of, how do you get somebody who has already got tools in this space to say, oh, hey, you know, you've got this new tool. It's called Veza. We should take a look at it and then actually get in to some of these organizations. I mean, how do you establish
that trust, that confidence, right? To say, hey, this is something that we've not been able to achieve with the tool sets that we have. And Veza is solving for us this specific thing, or these specific things, maybe there's a variety of them. How do you, how do you even get into that conversation with the CISOs, with the other folks who are making those decisions on their investments? Yeah, well, the nice thing is that most CISOs are very, are interested
in new technology. So, you know, so even if you're, if they're saying, hey, you know, maybe I'm not going to buy anything, but they want to know what's going on. And so that's, that's always, you know, something where you can, especially if it's something new and something that they haven't seen a lot of tools around, it's, you know, they generally are, are interested. And then it's sort of a question of like, hey, how does this map
into something that's on my key priorities for the next year, right? So, you know, when you actually get down to, okay, like, you know, are they going to actually buy the product or not, it has to obviously be relevant for something that they care about. And, and that's one where, you know, it can, again, it varies, right? And, and I know one of, one of our customers, you're in the, in the first meeting and, and actually we're having the conversation and
it was sort of, you know, we're dancing around it. And it was kind of, you know, kind of interesting, but we saw something written up behind him on his whiteboard. And it was just, it was just the word China. And we said, China, what's that? And he started describing some of the problems that he was having. He had, managing access to Box folders. And so it was both the problem of having data from, because they had operations internationally. And
so it was both from the example of data from people in China. So, you know, PII of Chinese nationals being accessed by people outside of China. And the reverse that there were some, some sensitive things that if you were a Chinese national, you shouldn't get access to. And just being able to manage that, right? Of like, you know, this, this cross border issue with a particular place where they had a lot of data that was important to them. And so,
it was, you know, and so that turned out to be a key use case for them. And so again, you know, when you, when you talked to all these different customers, it can vary. Sometimes it's GitHub, sometimes it's Salesforce, sometimes it's Snowflake, sometimes it's AWS, Azure, GCP, sometimes it's custom applications. And this is, this is one where that, that was true for our very first customer. And they, they were trying to do it because they had
built a, on top of their SaaS platform, a help desk application, right? So, custom, custom app. But for all the people who were helping their customers resolve tickets, right? And resolve issues. And, you know, help desk folks are, you know, there are a lot of them. They have a fairly high turnover. They're not always the highest paid and highest level.
You know, you've got a lot of analyst level people. And this CISO wasn't sure what the help desk people had had access to when, you know, when they were able to actually, you know, get into a customer tenant and, and, and get a pretty deep access. That was the number one thing that they were concerned about. So it really varies from customer to customer sort of, you know, what the area is that's most important. But so much of it revolves
around that core theme that we've been talking about: who has access to what. And should they have that access? So Rich, you've been doing a lot of videos lately. And I saw a video on LinkedIn with you and your founder and CEO, Tarun Thakur. So hi, Tarun. And he said something. I'm going to quote him here. Knowing who can take action on what data is the biggest identity challenge. So I wanted to break that down a little bit because I think when we talk
identity, it's not always brought back to the data. You're technically data, and knowing who has access to what data is important. So why is, why use the term data? Why, why is that the important difference? Yeah, for us, it really comes down to the overall priorities of an organization. And when you think about, you know, everybody talks in security about the crown jewels, and the most frequent thing there is the data are the crown
jewels. Like why are you protecting it? It's not really because you need to protect the servers. It's not because the infrastructure is that valuable because it's all dynamic, right? It's all in the cloud. Like I don't really care that my infrastructure is protected except that I need to protect the data that's running on that infrastructure. Right? That
tends to be the number one thing. And obviously there are exceptions to that. But when you go and have the board level conversation, when you're talking to the CISO, that has been a strongly resonant theme, is that I want to protect my data. Why are we doing all
this? Why am I doing security at all? And that's been the piece that comes out most strongly and something that gets board level attention, that, you know, everybody knows if you have a breach around the data, that makes the paper, right? That's the thing that really gets nailed. So it's really around that resonance of being able to connect it to a real business goal that everybody understands.
Yeah. And I know your role. You're not the front line like cold calling people, but we might run into this objection, which is, well, we do RBAC. So we don't need this, right? I think this kind of discussion really goes to, okay, a level beyond RBAC. Towards a more data centric approach, right? Do you see that? Like do people think RBAC is at the right level of managing security? I think most everybody does RBAC.
But when you point out some of these natural flaws and I think one of the one of my favorites to talk about this with is with reference to access reviews because everybody sort of gone through it. If you're a manager, you know, at any company of size, you've done an access review. And so you've gone through and done all these things where you said, hey, this is, you know, here's Fred. He's on my team. And here's all the stuff that Fred has
access to. And is that right? And I asked this question again, you know, I remember back to one of the CISOs of one organization who said, you know, I said, hey, what's your experience with that? Like, you know, is that a good experience for you? And he said, yeah, half the time, I don't know what I'm clicking yes to. And like that is a, that's an extremely common experience is that people are saying yes,
but it's kind of meaningless. It's this whole idea of, you know, compliance theater or security theater, right? People are going through their motions because you have to, right? You've got to have access reviews. That's you've got to check that box. But wouldn't it be great if you could actually do that and do that compliance process spend the time ask everybody who's managing to spend the time and actually improve your security posture
at the same time? Wouldn't that be great? Is that too much to ask? And we don't think it is that you can actually do these all, you know, that's the real reason you're doing access reviews is you want to restrict access. You want to make sure that only the people who need it are getting access. And if you don't give people the right information about
what that really means, you're asking them to do an impossible job. And this, this is the thing that I think is so fundamentally broken with most of these processes is people are doing these things that they know don't really help. And there's a better way. Let's talk about the principle of least privilege because I kind of feel like least privilege
and RBAC pull at opposite ends of the string. If you've got RBAC where it's saying we need to establish these roles that are going to give certain levels of application level access. But when you're talking about an enterprise, I mean, think of how many systems and how many roles within the systems that you have to manage amongst potentially
hundreds of thousands of your workforce. Now, if you were to do truly least privilege across every one of those systems and to the data, doesn't it become unmanageable? Absolutely. Right. So the way I would look at it, I don't know if I'd say they're polar opposite ends of the spectrum, but I think the least privilege everybody agrees with in principle. Like I've never heard anybody say, nah, I don't believe in least privilege.
It's, it's, you know, everybody agrees. It's the right idea. It's really a question of how do you implement it? And so RBAC is sort of, the way I see it is like most every organization at some level has implemented RBAC as a practical way to get to least privilege. But even within that, the challenge is, how do I get the right roles? How do I even assign the right roles? And so I'll give another example here. One of our customers
actually uses Veza as a provisioning intelligence tool. What I mean by that is what they have is they have a process around Snowflake. And so when a developer who's doing their developer job needs access to something in Snowflake, maybe a table in Snowflake, they submit a ticket and they ask, hey, I want to get the access to this. So the challenge this organization had before Veza was they had all these roles in Snowflake and they didn't know which role
to provision. Because that's the question is like, how do you know what role best conforms to least privilege, the role that gives them access to that table that they need and as little else as possible? That's an incredibly hard thing to answer, right? Because there's no tool to actually see what does this role do in Snowflake? Really? What does this give access to? And so by using Veza, they actually were able to implement that. So simply saying,
hey, now I know what role to give, right? And by doing that, and they actually measured this. So they had an internal process where they were actually looking at the total exposure and the total risk from all the different permissions on Snowflake. When they introduced Veza, after a year of doing this process, they were able to reduce the total number of permissions, the total risk on Snowflake by 80%. So that's by just
knowing what role do I grant, because they had no way to know before. So, you know, so Veza can absolutely, and almost always does, we actually make RBAC better, right? It's not that we replace RBAC. And this is also one of the themes about how we work in general is that we really, I think, have done a nice job of meeting customers where they are.
We don't force you to go take a different architecture. We're leveraging all the existing authorization schemes, the native systems that you're already using, but we actually tell you what it means and help you fix what's broken. Okay, so help me out here. Does Veza tell me what a person has or, on the other end of this spectrum, who can do some action on my data? Which one? You can go both directions, right? So this is the beauty of having a graph is you can start from, you know, for
us, that person is on the left side of the graph. And by person, I mean, might be a real person or might be a service account, but then I can traverse through and say, all right, this person is linked to a group. And that group might be a nested group that then connects
to a role, that role might be hierarchical. Then that goes into maybe I'm going to go through a bunch of different policies and IAM, but then all the way eventually I'm going to get all the way down to a resource in that target system and an action that can be taken on that target system. And so one of the big innovations as well that we've also
built in here is this idea of effective permissions and that we do a translation. And so we don't just give you the raw permissions that are in those systems because oftentimes it's very hard to understand what those things mean, but we'll actually say, hey, does this mean you can create, read, update or delete, the language of CRUD, right? And so you can do that on this object. And of course, you, and then you can go the other way as well. And that's
one of the beautiful things about the graph. You can say, hey, my customer database, a resource in this system in Snowflake or, you know, Bitbucket. You know, I have a repo in GitHub. I want to see everybody who has access to that thing, right? You can go the other way. And so it's a, it's a very flexible kind of data model. Yeah, I think that's important. It's like, you can go either way and then one of the nuances
I picked up on what you were just saying, you can start in the middle. That's what I started with. Hey, I want to see what this role or this group does or can do. And I think that's important. You know, there's this debate in the identity community around least privilege, or if you just like take a beeline to zero standing privilege. But the thing is like, even if you go to the zero standing privilege route, eventually you have to put
it on to a user. If you don't really know what it does, then you're just like saying, all right, well, we're going to trust you with this machine gun for 15 minutes. And hopefully you use it as intended. That's it. That's exactly right. Now that's, that's great insight because that's always one of the things that makes me scratch my head is like, you know, zero standing privilege and doing just in time is great. I mean, that's an important aspect.
But you're still granting access. And if you're, if you're sort of going to, you know, all just in time privilege, like, you know, the number of approvals that have to go through magnifies, you know, by, by whatever that is, by whatever factor you want to pick. And
then those approvals just get rubber stamped, right? And so you're always have, you know, there's always a, you know, sort of a balance there because the more approvals you do and, and force through a sort of a just in time provisioning system, the less attention that gets paid to each of them. And so you, you always want to be judicious about that and say, hey, maybe there's some people who should never get access. I don't care who approves
it. I don't care if their manager says it's okay. Like, you know, Fred should not be able to blow away the customer database. Like, I don't care if somebody says it's okay. But it's Fred. Come on. I mean, I'm sure there's someone out there who's named Fred, whose ears are really steaming right now. He's not happy with what we're saying about him. No, I know. I know. I feel sorry for Fred. I'm sorry, Fred, if you're out there. There was a video that I
saw around intelligent access. And one of the things that it covered or one of the things that emphasized was covering all systems. So all right, I've got my skeptic hat on now because I've been through enough of these appointments where there's always an asterisk or something. Is it really all systems, meaning legacy systems as well, modern systems, SaaS, non-SaaS? Help me understand what the coverage looks like here and what's, what's
realistic from a, I guess from that coverage or integration perspective. Yep. That's a great question. And you're right to be skeptical because that is always the, that is always the details, the devil's in the details. And the reality is for some systems that we cover natively, that are cloud, that have well-formed APIs, integration can be very, very fast.
Right. And so, you know, on that example, for, I know of at least one customer where they were able to fully deploy Veza in about 30 minutes because they were all cloud and the CISO, who happened to be our sort of customer champion there, happened to have admin level privileges for all the systems that we were worried about. So I won't comment on that, but that was the reality. As it sometimes is. And so he was able to go set up the read-only
roles. That's sort of one of the necessary pieces. You want to, you want to make sure that Veza has least privilege, that we only have access to the stuff that we need to do the job and fulfill the use cases that you bought the product for. So it was, it was very straightforward and that was, and then we're off to the races. In other cases, where, for instance, it's a custom application or if it's an on-premise application that doesn't
have good, RESTful APIs, right? Then we've got to figure out a different way to get the data into the Veza system and that can take some more work. And so an example here is one of our larger customers that's using us for access reviews integrated in about the first, I think it was about the first four months or so, about 60 different custom applications
to do access reviews on, right? And so that took some work. But still, I would say, if you've ever gone through an IGA deployment and tried to do it, getting 60 custom applications in four months is a pretty good clip of things. And so that's, that's sort of the longer end. And the other thing I'll say is that from even on-premise systems, we have a couple of customers that are all on-prem, right? Zero Cloud. And so they actually, that was actually
one that was surprising to me because I remember asking this. I was, we were at one of these, one of our company meetings and I asked the questions like, hey, how are we, how are we doing on the on-prem? Is that, is that real? Because I was, I was wondering myself about how it actually worked in reality. And they were like, yeah, we got a couple customers that are
fully, fully on-prem. And I was like, that's really fantastic because that gives me the confidence that they can actually get the value out of Veza, even though they don't have any, any cloud infrastructure at all. I think that's a really important distinction. And maybe, I'm not going to try and take over Veza's marketing, but that is an area that I typically see a lot of struggle with is, hey, you know what, on-prem is on-prem. Not
even going to try it, man. We're going to focus on the cloud and SaaS-based applications and things like that because we know that they are having, you know, connectivity, they've got integrations right, all the stuff's there. But, you know, I guess maybe something to think about from a go-to-market is, hey, you know, we can handle the on-prem stuff too, which I think is such a missing link for a lot of things in this space. So,
I'm happy to hear it. What I'm not happy to hear about is 30 minutes to install something that you think is good-figured. It's going to put people like me out of a job for integrating IGA. But I think that's another thing too, right? It's how quickly you can get in there. Now, 30 minutes, I think you mentioned, was a CISO who had admin access to things which, you know, say what you want about CISOs. A lot of them do like to have their hands in
the pie. What is a normal, I guess, integration time, what does it look like? Is it days, weeks, months? I mean, it can't really be 30 minutes all the time. But what's an average deployment look like? Yeah, I'd say, you know, on average, you know, it's going to be in terms of weeks. And that's also because, you know, usually what happens is, and we certainly encourage, is the key to success is to start small. So start with your cloud, start with something
easy, and get some wins, right? And that's always the thing to, you know, to actually build momentum, to build knowledge with the system and understanding with the system. So, you know, it sort of, you know, it depends how, where you draw your boundaries and where you draw your lines. But, you know, usually customers will start with something in the cloud, get
it going quickly, get some wins, and then they're off to the races. So from, from a deployment in, you know, in, you know, a week or two, that's not unreasonable, because that's your approach. But if you're, if your goal post is, you know, got a thousand on-prem applications that are fully customized and on mainframes and AS/400s, that will, that will take longer. Oh, AS/400s, green screens. They're giving me, you know, flashbacks of our prior life.
The other thing that I thought was interesting was this idea of covering all identities. So I'm guessing that means human and non-human, machines, service accounts, et cetera. I guess, how do you, how do you make sure that you've got all the identity types, I guess, covered, and making sure you've got the right correlations in place to say, yeah, this is Jeff and not an AI version of Jeff or some machine or service account that Jeff is using to run an application.
Can you walk us through a little bit about how that works? Yeah, and I think it's, it's really that, you know, I think, and I think the thing I'd like to, to really emphasize here is that the thing that I've seen that is pretty different
is also just the way that service accounts have been treated, right? And that, you know, obviously there's a, there are, you know, solutions out there that will go after service accounts, but typically the world of identity has sort of, hasn't really treated those as sort of, you know, full partners, if you will, where, you know, like, typically the, you know, the service account types of processes have been around in the PAM world, right?
It's been in like, yep, you want to get your, you know, your secrets and your certificates into the, into the secrets vault. Yep, that's great. But in terms of doing things like governance around service accounts over a, hey, you know, I want to do an access review, not around people, around like, hey, you know, do we know what this, what applications the service account is actually attaching to? And is it right? And has the person who developed a service account
and created the service account that they still work at the company? And, you know, who owns the service account? Those are the kinds of questions that we typically see are missing. And that's actually one of the things that I think has been most attractive with some of our, you know, our really large customers, especially in the financial services side, that's sort of where they're headed now where there's, you know, it's actually around
this sort of machine identity service account governance processes. That's sort of the forefront of that where they're saying, yep, we want to do the same kinds of things we do with human-based HR system-based access reviews, but we want to do it. We want to do it on service accounts. And so I think that's the big, that's the big, biggest missing piece. I say it's not necessarily the technology, which is, which is great. And I think the technology
is an important piece of that. But the fact that now that most customers have sort of treated it operationally and from a process standpoint as something outside, as something not identity-based. And I think that's something that's pretty, that we see changing, which is great. Rich, I have to key off that because it feels like security, or, yeah, securing machine accounts, non-human accounts is kind of like the bane of all of our existences.
They're starting to outnumber human accounts if not already. Do you find that your customers are coming to you to solve that problem? That's the problem they need to solve, or they're starting there? Many are. Yep. And this is something we were, and like I mentioned, it's a pretty broad set of use cases that people key off, but definitely that service account coverage is a big deal for a number of customers. And I think, this is one of the things I know,
and you mentioned the Microsoft breach. That's certainly one that comes to mind here. As we start to see attacks that are sort of well-documented and well-publicized, that focus around, as the Microsoft one did, a legacy OAuth application that had the ability to go get elevated privilege. And that was, you know, a set of that OAuth app, and that service account linkage was key to the attack vector, right? That was really the key part of that.
And so, as we see more of those things, I think customers are going to start to realize how critical that piece is and say, yeah, we got to get, you know, our security tooling that covers those things as well. We can't just worry about people as we've traditionally
defined it. Now, it has to, we really do have to get to that because it's not only is it, as you point out, Jim, it's a huge and more rapidly increasing surface area in terms of the number of accounts, the number of machines there, but also the fact that most security tooling, I think, hasn't emphasized that in the same way, especially on the identity side. So I just wanted to key off something else he just said there. He talked about that
Microsoft breach. So you wrote a blog, I read the whole blog, then I watched a video, and then I realized that the whole blog was basically the video. So either read the blog if you'd like to read or watch the video if you're like me and you don't like to read. I just wanted to point out something. So it was you and Tarun were talking and you
guys went out of your way to compliment Microsoft, right? Because I think that one of the things that they did that really needed to be recognized was that they came out, they were honest about the issue, they document the issue, you know, it wasn't the best look, right? Because I think it was essentially something that didn't have MFA enabled, right? But rather than trying to sweep it under the rug and wait till somebody finds out and try to ignore the
issue, they were proactive. Absolutely. I still give them props because it's like those things are so valuable for certainly for me, but I think it's true for
the entire community to really understand what went on. And, you know, and this is the same deal, you know, and maybe, you know, I don't know if I'd give Okta quite as many props in terms of their transparency over the last stuff, but you know, the information has gotten out there and it's eventually gotten there around the role that inbound federation
played in the MGM breach. But again, when I compare sort of the outward response for Microsoft and Okta, you know, that's why I sort of do give Microsoft props because they were, you
know, they were very forthcoming. It had a lot of really good detail. It was like, wow, this is, you know, I really understand how this thing worked, you know, maybe not fully, fully, but, you know, 80% of the way there, I got, you know, it was, it was very useful and actionable in terms of sort of how that all went down. I was finding it a struggle and a challenge to figure out when do you make disclosures like that because I think there's a rush to, do you tell people right away and not know the
full story? Do you wait till you have the full story and then tell people? And there's all I don't envy anybody who has to disclose information like that because I think you're really caught in a rock in a hard place. You're already, you know, in trouble because you had an incident and now it's, well, what if we release information to early? It's not correct, right? Is it better to release early and then have to make corrections or do you
wait until you know a little bit more? What's the right balance? The longer you wait, people get suspicious and they're like, well, why didn't you tell it sooner? You know, it's a difficult balance and I don't envy any organization that gets put in that position. That's for sure. Yeah. My gosh. I look at the CISOs that are at my customer organizations, like that is a tough, tough job and it is, it's no joke. So I agree that's really, really
challenging. And it's also interesting because although it's not sort of what I'd say like our primary use case, but it's one that I think is going to be a really interesting one for us for Veza actually in the future is actually starting to bring to bear this whole question of who has access to what, but do it in the context of post breach investigation.
So, you know, so, you know, in the security operations team, because this is one of the things that I've definitely heard is obviously the gold standard is, you know, I want to look at the activity. I want to look, okay, you know, I had a breached account. I'm going to go check and look at the logs and see, you know, what did this account access, you know,
after this time and, you know, time and date. But the challenge that I've heard from CISOs is really that, hey, you know, logging is great, but a lot of times logging isn't turned on, right? Because it's expensive and it's a lot of memory and people charge you, you know, left, right and center for it. And so sometimes it just never gets turned on. And sometimes when it's turned on, it doesn't quite give you the right information, right?
It's not enough to really understand what went on. And so you end up having some big gaps. And so you can never just rely on logging, you know, after an incident, like you've got to keep going, you've got to dig deeper. And so, you know, if you think about sort of a set of concentric circles, you know, the first one you go do is like look at the logging and look at the activity. But then the next, you want to say, well, what could this account
have touched? Like what were the permissions for that account? And that's one where Veza is extremely powerful. And I'll throw one other product in, but so then I'll stop. But we
also do leverage the activity monitoring as well. So, you know, so now it's actually pulling both of those things into a single platform, not just the activity of who accessed what, but also who could access what and having those two things together, I think is going to be really powerful use case for post breach forensic security operations in the future.
Well, you must be reading my mind because I was kind of thinking here as you were talking, a tool like this would be really handy for a forensic interview, you know, investigation. I guess it's better to have it before, that's when the incident happens, to capture the activity of what's happening. But even afterwards, being able to do that diagnosis of, okay, well, here's the account, not at least we know the account that got popped or whatever phrase
you want to use, right? That that caused the breach. What else could it have touched? I think it's really interesting. So you kind of stole my thunder there. So pitch away. That was that was where I was headed anyway from a question standpoint. Nice. We're on the same page here. That's good. We are. So I want to wrap up a conversation with a lighter
note because that's how we typically will end our our shows. The last time you were here, we asked questions around longevity because that was something that I think you know, you've got some interest in and we talked about what's the most interesting thing you've learned about longevity. If you want to know more about that, again, go back to episode 231. But I want to stay in that same vein, right? Try to stay with interests. This one I think
is a little more fun, maybe thought provoking. Rich, I'll ask you first, the fountain of youth or the wisdom of age, if you absolutely, you can only choose one, which would you pick and why? It is a fantastic question. It depends on how old I am when you ask this question. Because I think one of the beautiful things about getting older has been appreciating the wisdom of age more. I also think about, as I've gotten older, there's a level of comfort
and confidence and just knowing who you are is just a wonderful thing. I think about it because I've got two teenage boys and just the challenges of being a teenager and thinking that everybody is staring at you is so mentally traumatizing. It's tough. Being a teenager was really rough and as you get older, you just start to carry less and less. This is why you see so many old guys walking around with plaid pants. They just
stopped carrying. There's a beauty to that that I've really appreciated. I don't have my plaid pants yet, but I aspire to that. So plaid pants is how we know that you've picked the wisdom of age. That's right. That's when you know I'm on the final stage of development. Jim, how about yourself? Which one do you pick? Fountain of youth or wisdom of age? I don't think anybody could have said better than Rich right there. I mean, seriously, like every
thought I was having on this topic, he just hit all of them. I actually feel like I'm happier now at 50 than I was at 40. And I remember having the thought I'm happier now at 40 than I was at 30. And I'll bet you it goes all the way back. And I have two teenage boys as well. I've got a 19 year old who I love to death, right? It's like he's working a job like manual labor and making like under 20 bucks an hour and he's talking about
going and buying like a $40,000 truck. And it's like as a 50 year old, you just look at that and you're just like, my goodness, kid, what are you thinking about? You have zero debt right now. And it's like he can't wait to get into debt. And what he doesn't realize is once you get into debt, you're in debt for the rest of your life. Because like, yeah, you know, you're just you're always running credit cards and you get ahead financially
and all that right. It's not like you're living paycheck to paycheck your whole life. But you've always got payments, right? Most people, most of us all have a mortgage and maybe a car payment, et cetera. What would be ideal? I know this is cheating with this question would be youth, physical youth, but also keeping your, your wisdom. And I know this. What about you, Joe? That's absolutely one. I mean, that's what everyone wants,
right? I mean, there's there's TV shows that, you know, vampires live forever. You've got Altered Carbon, which, if you've never seen it on Netflix, is fantastic. I love it. Same idea there. I've heard that Warren Buffett said that he would give up all his money to be like 21 again. So I'm not going to go with that though. I'm the knowledge that he's gained. Because I think, I think, you know, 45 to anywhere, I'm only 50 seconds, speak beyond
this too much with experience anyway. But I think in that range, I'm happy with where I'm at. Like I don't like all the signs of aging. But I'm really like happy with my life. I'm happy with the person that I am. If people don't like me, I really don't care. And I can't say that when I was in my 20s, like I really cared what people thought of me. What about you, Jeff? You know, Rich, I couldn't disagree more. I wish I was still 20.
I could almost dunk a basketball. Yes, I used to be able to. If you look at me now, it's like, there's no way that that dude is getting any more than six inches off the ground. No, I'm just getting, I think, you know, I think you hit it right on the head. I mean, everything you just said, same thing, you know, more confident, more comfortable with who I am. The knowledge that I've gained, you know, now if I could pause time, I think
that would be great. I think Jim hit it as well too. I'm happier now than I was five years ago, 10 years ago, et cetera. And I had some great times. Look, I feel like I've led a great life. I've had a lot of experiences, a lot of fun, fun stuff I've done. Very fortunate in that regard. But yeah, I don't think I would trade youth for the wisdom that's been accumulated over the years. So I feel like we're all, I don't know, maybe this is an old
hat question. If you ask a younger person, if they would ask, you know, answer it the same way, but it feels like we're all on the same page, except I'm not going to wear the plaid pants. I would still feel too self conscious about that. I felt like a real nerd wearing my Apple Vision Pro on a flight last week. And I did return it by the way that that experiment is over. But I have not felt that self conscious in a very long time putting that thing on.
I'm like, I know I'm going to return this, but I got to try it out. See what's like. And that's, yeah, you totally, you totally hit that question on the head for me as well. Awesome. Awesome. Well, you know, just as we, as we leave with parting thoughts, I think Jim, I think if you, if you convinced your, your 19 year old son, you know, really the beauty and, and all the benefits of a 15 year old mini van, I can, I can hook you up
here. I've got something. It's got a Mustang. I have to admit, my old, might be a bit like fresh to go Mustang and not good enough. I see your Mustang. It's a nice car too. I mean, I wish, I'll tell you what, I had a, the cheapest Chevrolet car that you could possibly have. It only had three cylinders in it for an engine. And I was thrilled to have it. So what, what car was that Mustang is good? Well, I'm not going to tell you because
that's a secret question. And you'll have to get it. Awesome. I love it. Yeah. So it means I could be high that hard to guess. And I think I've changed all those answers anyway. But if you Google three cylinder, what have been, I guess, mid to late 90s? What's in the Yugo? Did you have a Yugo? No, it was a Chevy. Oh, okay. It was a Chevrolet brand. Let's put it that way. So there's the trivia for folks. Did you have to crank it up
before you drove it? Look, I've heard you, you can't make fun of me because I've heard every single joke. Nothing that you're going to say, I've not heard before about that car. But you know what? It was my car. It gave me freedom. I could get wherever I wanted. Jeff, Jeff, this car is, these are your plaid pants right here. That was my plaid pants. I'm glad I outgrew it. Now I'm very happy in my electric vehicle. And yeah, life moves
on. Let's go ahead and leave it there. That was a whole lot of fun, Rich. Thank you so much for coming back with us and having a conversation. I hope folks will go out and check out Veza.com, V-E-Z-A. And really check out what you guys are doing. I think you guys are doing some really remarkable stuff. And I think there's a lot of applications that at first glance to me, it was like, oh, okay, it's this. It was like, oh, wait, there's so much more.
We'll have links in our show notes for people to check out. We'll have to connect with you, Rich, asking questions. I'll argue with you politely about fountain of youth versus wisdom of age and things like that. We'll also have links to Veza's website as well so you can check them out. And yeah, we'll go ahead and leave it there for this week. Thank you again. So much, Rich, for taking the time with us. Jim, as always, thanks for your time. And
thanks for everyone for listening. You can find us on the web IDACpodcast.com, or on Twitter or X or whatever it's called by the time you listen to this at IDACpodcast. And we'll leave it there. Thanks everyone. And we'll talk with everyone in the next one. Thanks much. Thanks. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review. And we'll be back soon. But in the meantime, hit the
website at IdentityAtTheCenter.com and find us on Twitter at IDACpodcast. See you next time on Identity at the Center.