This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad. Yourself? I'm doing great, man. We're here doing another sponsor spotlight episode, and these are fantastic, and I'm really excited about the one that we've got
today. I mean, you know, I think we kind of hit the jackpot in terms of what we're going to talk about today: a company called Veza. I don't want to steal the thunder of the show, but I guess if you saw the title of the podcast, you already know we're talking to Rich from Veza. But it's like this up-and-coming company, right? And it's like it can't be ignored for sure. And to me, it's just like, wow, we're going to talk about so many great things today.
Yeah. So I guess you've already spoiled it. We're talking with Veza, but I want to make it clear, right, this is a sponsored episode. We actually work with our sponsors on these and kind of come up collaboratively with how we want to develop a show that we think will be entertaining, informative, but also get us, you know, deeper into specific viewpoints, specific solutions, something that we try to stay away from on our normal shows.
But this gives us an opportunity to talk with, you know, really smart people and really ask specific questions that are maybe more product-focused than we normally would, where we're really talking big ideas, maybe stuff like that. Not that we want to talk big ideas here, but it gives us a little more specificity. We can kind of talk through things. Yeah, I didn't want to give
away the identity. What I really wanted to say was we've got the man with the golden pipes back on the show. Excited to hear him talk, because he has like a Grover Washington type of voice. Yeah, definitely good pipes. So today's sponsor is Veza. They're the identity security company. They think that they've cracked the code on cybersecurity's hardest question: who can take what action on what data? Let's find out more with our
guest. His name is Rich Dandliker. He's the chief strategist at Veza. Welcome back to the show, Rich. Thanks, Jeff. Thanks, Jim. It's great to be here. And all the time when you were talking on my intro, I was hoping my voice wouldn't crack right out of the gate here. Well, see, the thing is, I do the editing, so I can insert little imperfections if I need to, but I'm not going to do that because I'm absolutely jealous.
You've got great radio pipes, as they like to say in the biz, right? Thank you. As long as you don't tell me I have a face for radio, then I'm good. Now, Jim and I have that covered for sure. We have faces for radio and voices for a silent movie, is what I like to say. Rich, you've been with us before. You were with us in Episode 231 back in September of 2023. We had a conversation about authorization.
We also found out about your background there. So tradition would have it that we would ask that question, but we've already asked you that. How did you get into identity? If you want to hear that story, go back to Episode 231. Why don't we get right into Veza itself? Jim mentioned sort of, you know, where you guys are kind of coming up and really, you know, making a lot of impact on the
market, making a lot of noise. What specifically is driving the momentum around Veza, and how does that success reflect your unique values? Yeah, thanks, Jeff. And by the way, it is great to be back on the show. I really did enjoy the last time, and so it's nice to be here again.
But with Veza, I think one of the things that really is striking to me, as I try to look at us with an outside eye, is that I think it really does come down to customers. I think that's certainly my gauge for a great company: who's actually buying, who's actually using, who's getting successful and getting value from the products.
And I think that's been one where I've been really, really proud of what we've been able to do here. Just some really great companies and some really passionate champions. And so that's definitely part of what makes people out in the market, what makes CISOs, you know, listen to other CISOs. That is typically how things sort of get bought, how things spread, and I think we have been doing a really nice job there.
The second big thing, I think, is really that it's a pretty innovative idea and concept. And I always try and make sure I'm not selling myself too much here, but I really think, you know, I've been in identity for a while, and I think you guys have certainly been in identity for a while.
And one of the things that I've noticed is that a lot of the players are just, you know, the same players you would have seen and expected 15 years ago. Okta sort of came in, but that was back in 2009 that Okta started. And so I think identity hasn't had a tremendous amount of innovation over the last decade and a half, and I think it's been ripe, it's been ready.
And so coming in with what I think is a pretty different approach, really trying to go deep into authorization, into this question of who can and should take what action on what data, I think people respond to that, and people have been hungry, because I think everybody knows that identity is a big thing that needs to be really addressed.
So for people who aren't familiar with Veza, let's set the table for folks. You know, we've mentioned authorization. We've mentioned the question and the answer, right? Who can take what action on what data? What is Veza's sweet spot? What do you guys do? Yeah, I think, you know, from a value proposition, fundamentally the most important thing that we do is we help customers get to the reality of least privilege, right?
If I think about, from a security perspective, what's important, that, I think, is absolutely critical. Sometimes it's through governance processes like access reviews. Sometimes it's by having a tool that a security engineering person can go and actually look at and find the biggest violations of least privilege, and go and fix them. But I think fundamentally it's that preparation for
the next breach. Because that always resonates with me when I hear people talk about, hey, it's not a question of if, it's a matter of when the next attack happens, the next breach happens. And I think really getting your organization ready, tightening down privilege, tightening down access, especially privileged accounts, that's so critical. So fundamentally, that's how I think about the value that we provide. I mean, it's a very competitive
market. You've got a lot of incumbents in this space, you've got upstarts, and I guess, you know, how do you separate yourself from others in this space? What's the core factor or thing that makes Veza really stand out in your mind? Yeah, I think that it really is
starting at the data model. When I think about the product and the platform that we've built around identity security, it's pulling together all this information about what we call the reality of authorization.
So it's pulling in user information, group information, role information, decomposing all that morass of AWS IAM and Azure RBAC, but then also going deep into the service level to pull out granular system-level objects in all the services, and things like local users, ACL-level permissions. So really going and putting together a pretty unique data set into a graph and, you know, not just mapping those entities but the relationships between those identities.
And that fundamental data model is, I mean, it's a beast, as you can imagine. That is really a tough problem to solve. But then once you have that, the things that you can then start applying it to, around actually creating products based on that data model, are really, really interesting. And you can do things that are sort of traditional, like IGA types of things, provisioning and lifecycle management, but you can do them in very different ways.
And that's one of the things, from a, you know, I'm a product guy at heart. And so that kind of stuff gets me excited, when you can go and attack those things that have been around forever but do it in a dramatically different way that solves problems that have been around forever. Yeah, Rich, I mean, that really resonates with me. Anytime you hear of a new vendor, you try to, in your mind, compartmentalize, OK, where
do I fit them, right? And I think the area that Veza is closest to is governance. But I feel like it's kind of a gloss-over just to say governance, right? It's so much more than that, right? It's being able to drill down more than I've seen really anywhere else. But talk to us about kind of the strategy of Veza in terms of the roadmap. I came up with the term the anti-convergence strategy, right?
And there's a lot of IAM players out there today who are really in the strategy around convergence, right? Whether you like it or not, that's the route they're going, which is to bolt on additional IAM capabilities so that customers can kind of go one place to get everything. Your strategy is a lot different, right, which is to kind of take this piece of the marketplace and really provide a solution with differentiation, right? Am I right in that? Am I wrong in that?
And then can you elaborate on it? Yeah. No, I think you're absolutely right in that, Jim, because one of the things that I notice also, it plays into this whole tension and difference in the market. When you look at the big legacy companies versus start-ups, certainly the approach of a big legacy company, pick Microsoft, pick SailPoint, pick CyberArk or whoever you want in identity, the
general strategy there is: I need more stuff in my bag to sell, right? You go out and you want to say, hey, I know people spend money on this, and here are some budgets, and I'm going to use my connection to the customer to go sell more stuff and get a bigger share of wallet.
And so it's all about creating that portfolio, whereas typically start-ups are where, frankly, most of the innovation starts. And that's one of the challenges here. When I joined the company, I was like, man, I hope there's a market, but I don't know there's a market, because it is so different. And I think it is
true. It's not like we could go and say, hey, you know, we know a bunch of people spend money on this kind of solution, because there was no type of
solution like this before. And so I think really deep diving on authorization and answering this question is a bit riskier, because there's not an obvious market. This is functionality that cuts across access management and players like Okta, cuts across PAM and the CyberArks of the world, cuts across IGA, as you pointed out, in governance, cuts across SSPM, you know, SaaS security posture management, and data access governance with
Varonis and all these different things. You know, authorization is something that's been sprinkled across all these different security markets, and no one has really before taken a comprehensive approach and said, I'm going to solve that problem and I'm going to go deep in that. And I think that's what really
makes Veza different. Yeah, I mean, I think it makes sense for the companies whose strategy, where they're in one spot like access management, is to move into privilege or move into identity, for exactly the reason you talked about, which is how do they take those existing relationships and build their company, right? But I think what you guys have done is built the better mousetrap. It seems like your strategy is to build an
even better mousetrap, right? But it does seem like that mousetrap can be leveraged in certain areas, right? Because I think a lot of what you're talking about today, what we're talking about currently, is taking access that exists and being able to analyze it. What if you provision only the access that a person needs?
What are your thoughts there? Well, you've got a good crystal ball there, Jim, because that's exactly what we've been moving into. And so we've thought about this in sort of a three-stage approach from a strategy perspective. We started with the first stage, which is kind of visibility: hey, we just need to really understand what the reality is so we can show people, and people could start using that data. And then we moved on to, OK, now how do we do
remediation? That's step 2. And so now I can see, but now how do I fix? How do I see what's wrong, how do I see where the biggest risk, the most potentially damaging instances of over-privilege, exist, so I can go fix them? But then you go on to stage 3, which is absolutely, as you point out, around control, around provisioning. How do I make sure I actually create the right level of permission out of the gate?
How do I actually create those accounts, either on birthright events, on, you know, joiner, mover, leaver types of things, or when someone is asking for access because they need additional access to do their job? That's where the magic happens. And then making a virtuous
cycle. Right now, when you think about all of this grand access lifecycle, for instance, you're in access reviews and you're saying, hey, somebody has access they shouldn't have, we should take that away. Well, how did they get that in the first place, right? Because they had to get provisioned. Somebody either fulfilled a ticket or there's a birthright policy
that's wrong. And, you know, just because you found one instance of it, is that the only instance of it? Is it where there's smoke, there's fire, or is this something that's relevant for the whole group? Is there a whole role that's over-permissioned, or, you know,
is there something broken? And so how do you take those little instances that you find and, rather than just fixing those at a granular level, how do you actually build intelligence into that to fix the overall root cause of those processes that are broken? So I want to take the conversation a little away from the theoretical and more into the real world. I was poking around the Veza website, veza.com. There you go, there's a plug.
You've got some really impressive logos that are kind of scrolling through there, and it makes me kind of wonder, you know, beyond the logos we've got there, are there any indications of, are there specific types of challenges that Veza is best suited to solve? What is that actual sweet spot that we've got here? Yeah. And you'll find there's a range of them, right?
And so it's funny how every company's struggling with something that's often a little bit different. So in some cases it's around sort of struggling with identities, right? And so it's not just human identities, but often, one good example here is machine identities and service accounts, right? They might be trying to broaden the definition around governance to include things like that.
It might be instances where they're actually seeing that typical role-based access control doesn't work for them, right? That they're trying to manage by groups and roles. And, you know, this is the canonical classic example: you've got a role that's named read-only, and guess what, there are write privileges embedded in there. And so what you start to realize is that you're not really doing role-based
access control. You're managing by names of roles and descriptions of roles, right? And the reality is that, you know, hey, what does this role actually do? Does being a member of this role and being able to assume this role actually allow this person to go blow away my customer database, as an example? And he said, wow, I wouldn't want that, and I hope it doesn't,
but I don't know. And so this is one of the things where, when you start to pull on that thread, it becomes obvious that a new solution is required. And the way that different customers pull on that thread can vary. Sometimes it's an auditor that sort of figures it out and starts asking lots of uncomfortable questions. Sometimes it's the CISO
themselves. And, you know, it's like following up out of a breach, where it's only in asking these really concrete questions and understanding how limited all the existing tool sets are that a CISO or some executive of the company realizes that there needs to be a different way. So I was going to ask a follow-up question here around, you know, these are relatively large
companies, right, well known. I'm going to have to imagine that they already have tools in this space for identity and access management, probably a number of them. Which leads me to the question of how do you get somebody who has already got tools in a space to say, oh, hey, you know, you've got this new tool, it's called Veza, we should take a look at it, and then actually get into some of
these organizations? I mean, how do you establish that trust, that confidence, and say, hey, this is something that we've not been able to achieve with the tool sets that we have and Veza is solving for us, this specific thing or these specific things, maybe there's a variety of them? How do you even get into that conversation with the CISOs, with the other folks who are making those decisions on their investments?
Yeah, well, the nice thing is that most CISOs are interested in new technologies.
So even if they're saying, hey, you know, maybe I'm not going to buy anything, they want to know what's going on. And so that's always something where you can, especially if it's something new and something that they haven't seen a lot of tools around, they generally are interested. And then it's sort of a question of, hey, how does this map into something that's on my key priorities for the next year,
right? So when you actually get down to, OK, are they going to actually buy the product or not, it has to obviously be relevant for something that they care about. And that's one where, again, it varies, right? And I know one of our customers, we were in the first meeting and actually we're having the conversation and we're sort of dancing around it.
It was kind of interesting, but we saw something written up behind him on his whiteboard, and it was just the word China. And we said, China, what's that? And he started describing some of the problems that he was having with managing access to Box folders. And so it was the problem of having data from, because they had operations internationally. And so it was both the example of data from people in China,
so, you know, PII of Chinese nationals being accessed by people outside of China, and the reverse, that there were some sensitive things that, if you were a Chinese national, you shouldn't get access to. And just being able to manage that, right, this cross-border issue with a particular place where they had a lot of data that was important to them. And so that turned out to be a key use case for them.
And so again, when you talk to all these different customers, it can vary. Sometimes it's GitHub, sometimes it's Salesforce, sometimes it's Snowflake, sometimes it's AWS, Azure, GCP, sometimes it's custom applications. And this is one where that was true for our very first customer. They were trying to do it because they had built, on top of their SaaS platform, a help desk application, right, so a custom
app. But for all the people who were helping their customers resolve tickets, right, and resolve issues, and, you know, help desk folks, there are a lot of them. They have a fairly high turnover. They're not always the highest
paid and highest level. You know, you've got a lot of analyst-level people, and this CISO wasn't sure what the help desk people had access to. When they're able to actually get into a customer tenant and get pretty deep access, that was the number one thing that they
were concerned about. So it really varies from customer to customer, you know, what the area is that's most important. But so much of it revolves around that core theme that we've been talking about: who has access to what, and should they have that access? So, Rich, you've been doing a lot of videos lately, and I saw a video on LinkedIn with you and your founder and CEO Tarun Thakur. So hi, Tarun.
And he said something. I'm going to quote him here: knowing who can take action on what data is the biggest identity challenge. So I wanted to break that down a little bit, because I think when we talk identity, it's not always brought back to the data that you're protecting, and knowing who has access to what data being important. So why use the term data? Why is that the important differentiator?
Yeah. For us it really comes down to the overall priorities of an organization. And when you think about, you know, everybody in security talks about the crown jewels, the most frequent thing there is that the data are the crown jewels. Like, why are you protecting it? It's not really because you need to protect the servers. It's not because the infrastructure is that valuable, because it's all dynamic, right?
It's all in the cloud. Like, I don't really care that my infrastructure is protected except that I need to protect the data that's running on that infrastructure, right? That tends to be the number one thing, and obviously there are exceptions to that, but when you go and have the board-level conversation, when you're talking to the CISO, that has been a strongly resonant theme: I want to protect my data. Why are we doing all this? Why am I doing security at all?
And that's been the piece that comes out most strongly, and something that gets board-level attention. Everybody knows if you have a breach around the data, that makes the paper, right? That's the thing that really gets nailed. So it's really around that resonance of being able to connect it to a real business
goal that everybody understands. Yeah. And I know your role, you're not the frontline, like, cold calling people. We might run into this objection, which is, well, we do RBAC, so we don't need this, right? I think this kind of discussion really goes to, OK, a level beyond RBAC towards a more data-centric approach, right? Do you see that, like, do people think RBAC is at the right level of managing
security? I think most everybody does RBAC, but when you point out some of these natural flaws, and I think one of my favourites to talk about this with is with reference to access reviews, because everybody's sort of gone through it. If you're a manager at any company of size,
you've done an access review. And so you've gone through and done all these things where you said, hey, here's Fred, he's on my team, and here's all the stuff that Fred has access to. And is that right? And I asked this question, you know, I remember back to one of the CISOs at one of my organizations. I said, hey, what's your experience with that? Like, is that a good
experience for you? And he said, yeah, half the time I don't know what I'm clicking yes to. And that is an extremely common experience, that people are saying yes, but it's kind of meaningless. It's this whole idea of, you know, compliance theatre or security theatre, right? People are going through the motions because you have to, right? You've got to have access reviews, you've got to check that box.
But wouldn't it be great if you could actually do that compliance process, spend the time, ask everybody who's managing to spend the time, and actually improve your security posture at the same time? Wouldn't that be great? Is that too much to ask? And we don't think it is, in that you can actually do these, you know, that's the real reason you're doing access reviews: you want to restrict access. You want to make sure that only the people who need it are
getting access. And if you don't give people the right information about what that really means, you're asking them to do an impossible job. And this is the thing that I think is so fundamentally broken with most of these processes: people doing these things that they know don't really help, and there's a better way. Let's talk about the principle of least privilege, because I kind of feel like least privilege and RBAC pull at opposite ends of the string. You've got
RBAC, where it's saying we need to establish these roles that are going to give certain levels of application-level access. But when you're talking about an enterprise, I mean, think of how many systems and how many roles within those systems you have to manage amongst potentially hundreds of thousands of your workforce. Now, if you were to do true least privilege to every one of those systems and to the data, doesn't it become unmanageable? Absolutely, right.
So the way I would look at it is, I don't know if I'd say they're at polar opposite ends of the spectrum, but I think that, you know, least privilege everybody agrees with in principle. Like, I've never heard anybody say, nah, I don't believe in least privilege. Everybody agrees it's the right idea. It's really a question of how do you implement it. And so RBAC, the way I see it, is that most every organization at some level has implemented RBAC as a practical
way to get to least privilege. But even within that, the challenge is how do I get the right roles, how do I even assign the right roles. And so I'll give another example here. One of our customers actually uses Veza as a provisioning intelligence tool.
What I mean by that is they have a process around Snowflake. And so when a developer who's doing their developer job needs access to something in Snowflake, maybe a table in Snowflake, they submit a ticket and they ask, hey, I want to get access to this. So the challenge this organization had before Veza was they had all these roles in Snowflake and they didn't know
which role to provision. Because that's the question: how do you know what role best conforms to least privilege, the role that gives them access to that table that they need and as little else as possible? That's an incredibly hard thing to answer, right, because there was no tool that could actually see what this role does in Snowflake, what it really gives access to. And so by using Veza, they actually were able to implement that. So simply saying, hey, now I
know what role to give, right? And by doing that, and they actually measured this, they had an internal process where they were actually looking at the total exposure and the total risk from all the different permissions on Snowflake. When they introduced Veza, after a year of doing this process, they were able to reduce the total number of permissions, the total risk on Snowflake, by 80%. So that's by just knowing what role to grant, because they had
no way to know before. So Veza can absolutely, and almost always does, make your RBAC better, right? It's not that we replace RBAC. And this is also one of the themes about how we work in general: I think we've done a nice job of meeting customers where they are. We don't force you to go take a different architecture. We're leveraging all the existing authorization schemes in the native systems that you're already using.
But we actually tell you what it means and help you fix what's broken. OK, Rich, so help me out here. Does Veza tell me what a person has, or, on the other end of the spectrum, who can do some action on my data? Which one? You can go both directions, right? So this is the beauty of having a graph: you can start from, for us, the person is on the left side of the graph. And by person, I mean it might be a real person or might be a
service account. But then I can traverse through and say, all right, this person is linked to a group, and that group might be a nested group that then connects to a role. That role might be hierarchical, then that goes into, maybe I'm going to go through a bunch of different policies in IAM, but eventually I'm going to get all the way down to a resource in that target system and an action that can be taken on that target system in the end.
So one of the big innovations as well that we've built in here is this idea of effective permissions, in that we do a translation. And so we don't just give you the raw permissions that are in the system, because oftentimes it's very hard to understand what those things mean. But we'll actually say, hey, does this mean you can create, read, update or delete, the language of CRUD, right? And so you can do that on this object. And then you can go the other way as well.
And that's one of the beautiful things about the graph. You can say, hey, my customer database, a resource in this system, in Snowflake or, you know, Bitbucket, or I have a repo in GitHub, I want to see everybody who has access to that thing, right? You can go the other way. And so it's a very flexible kind of data model. Yeah, I think that's important, is like you can go either way.
And then one of the nuances I picked up on in what you were just saying: you can start in the middle. You can start with, hey, I want to see what this role or this group does or can do. And I think that's important. You know, there's this debate in the identity community around least privilege or if you just, like, take a beeline to zero standing privilege. But the thing is, even if you go the zero standing privilege route, eventually you
have to put it on to a user. And if you don't really know what it does, then you're just saying, all right, well, we're going to trust you with this machine gun for 15 minutes, and hopefully you use it as intended. That's exactly right. That's great insight, because that's always one of the things that makes me scratch my head. Zero standing privilege and doing just-in-time is great. I mean, that's an
important aspect. But you're still granting access. And if you're going to all just-in-time privilege, the number of approvals that have to go through magnifies by whatever factor you want to pick. And then those approvals just get rubber-stamped, right?
And so there's always sort of a balance there, because the more approvals you do and force through a just-in-time provisioning system, the less attention gets paid to each of them. And so you always want to be judicious about that and say, hey, maybe there are some people who should never get access. I don't care who approves it. I don't care if their manager says it's OK. Like, you know, Fred should not be able to blow away
the customer database. Like, I don't care if somebody says it's OK. But it's Fred, come on. I'm sure there's someone out there whose name is Fred whose ears are steaming right now. He's not happy with what we're saying about him. No, I know. I feel sorry. Just Fred things. I'm sorry, Fred, if you're out there.
There was a video that we saw around Intelligent Access, and one of the things that it covered, or one of the things it emphasized, was covering all systems. So all right, I've got my skeptic hat on now, because I've been through enough of these deployments where there's always an asterisk or something. Is it really all systems, meaning legacy systems as well as modern systems, SaaS, non-SaaS?
Help me understand what the coverage looks like here and what's realistic from, I guess, that coverage or integration perspective. Yep, that's a great question, and you're right to be skeptical, because the devil's always in the details. And the reality is, for some systems that we cover natively, that are cloud, that have well-formed APIs, integration can be very, very
fast, right? And so on that example, I know of at least one customer where they were able to fully deploy Veza in about 30 minutes because they were all cloud. And the CISO, who happened to be our sort of customer champion there, happened to have admin-level privileges for all the systems that we were worried
about. So I won't comment on that, but that was the reality, as it sometimes is. And so he was able to go set up the read-only roles. That's sort of one of the necessary pieces: you want to make sure that Veza has least privilege, that we only have access to the stuff that we need to do the job and fulfill the use cases that you've
bought the product for. So it was very straightforward, and then we're off to the races. In other cases, for instance a custom application, or if it's an on-premise application that doesn't have good RESTful APIs, then we've got to figure out a different way to get the data into the Veza system, and that can take some
more work. And so an example here is one of our larger customers that's using us for access reviews integrated, in about the first four months or so, about 60 different custom applications to do access reviews on, right? And so that took some work. But still, I would say if you've ever gone through an IGA deployment and tried to do it, getting 60 custom applications in four months is a pretty good clip of things.
And so that's sort of the longer end. And the other thing I'll say is that even for on-premise systems, we have a couple of customers that are all on-prem, right, zero cloud. And so that was actually one that was surprising to me, because I remember asking this. We were at one of our company meetings and I asked the question, like, hey, how are we doing on the on-prem, is that real?
Because I was wondering myself how it actually worked in reality. And they were like, yeah, we've got a couple of customers that are fully on-prem. And I was like, that's really fantastic, because that gives me the confidence that they can actually get the value out of Veza even though they don't have any cloud infrastructure at
all. I think that's a really important distinction, and, you know, I'm not going to try and take over Veza's marketing, but that is an area that I typically see a lot of struggle with, is, hey, you know what, on-prem is on-prem, we're not even going to try it, man. We're going to focus on the cloud and SaaS-based applications and things like that, because we know that they have, you know, connectivity, they've got integrations, right?
All the stuff's there. But, you know, I guess maybe something to think about to go to market is, hey, we can handle the on-prem stuff too, which I think is such a missing link for a lot of things in this space. So I'm happy to hear it. What I'm not happy to hear about is 30 minutes to install something and get things configured. It's going to put people like me out of a job for integrating IGA. But I think that's another thing too, right, is how
quickly you can get in there. Now, 30 minutes, I think you mentioned, was a CISO who had admin access to things, which, you know, say what you want about CISOs, a lot of them do like to have their hands in the pie. What does a normal, I guess, integration timeline look like? Is it days, weeks, months? I mean, it can't really be 30 minutes all the time, but what's an average deployment
look like? Yeah, I'd say, you know, on average it's going to be in terms of weeks, and that's also because, you know, usually what happens, and we certainly encourage this, is the key to success is to start small. So start with your cloud, start with something easy and get some wins, right? That's always the thing to actually build momentum, to build knowledge with the system and understanding with
the system. So, you know, it sort of depends where you draw your boundaries and where you draw your lines. But, you know, usually customers will start with something in the cloud, get it going quickly, get some wins, and then they're off to the races. So a deployment in, you know, a week or two, that's not unreasonable, because that's your approach.
But if your goalpost is, you know, I've got 1,000 on-prem applications that are fully customized and on mainframes and AS/400s, that will take longer. AS/400 green screens, they're giving me a flashback. So it's from our prior life. The other thing that I thought was interesting was this idea of covering all identities. So I'm guessing that means human and non-human, machines, service
accounts, etcetera. I guess how do you make sure that you've got all the identity types covered, and make sure you've got the right correlations in place to say, oh yeah, this is Jeff and not an AI version of Jeff or some machine or service account that Jeff is using to run an application? Can you walk us through a little bit about how that works? Yeah.
And I think the thing I'd like to really emphasize here is that the thing that I've seen that is pretty different is also just the way that service accounts have been treated, right. And obviously there are solutions out there that
will go after service accounts. But typically the world of identity hasn't really treated those as, sort of, full partners, if you will, where typically the service account types of processes have been around the PAM world, right? It's been like, yep, you want to get your secrets and your certificates into the secrets vault.
Yep, that's great. But in terms of doing things like governance around service accounts, like, hey, I want to do an access review not around people but around, like, hey, do we know what applications the service account is actually attaching to, and is it right? And has the person who developed the service account and created the service account, do they still work at the company, and who owns the service account?
Those are the kinds of questions that we typically see are missing. And that's actually one of the things that I think has been most attractive with some of our really large customers, especially on the financial services side. That's sort of where they're headed now: it's actually around this sort of machine identity, service account governance process that's sort
of at the forefront of that. Where they're saying, yep, we want to do the same kinds of things we do with human-based, HR-system-based access reviews, but we want to do it on service accounts. And so I think that's the biggest missing piece. I'd say it's not necessarily the technology, which is great, and I think the technology is an important piece of that.
But the fact that most customers have sort of treated it operationally, and from a process standpoint, as something outside, as something not identity-based. And I think that's something that we see changing, which is great. Rich, I have to key off that, because it feels like securing machine accounts, non-human accounts, is kind of like the bane of all of our existence these days. They're starting to outnumber
human accounts, if not already. Do you find that your customers are coming to you to solve that problem? Like, that's the problem they need to solve? Are they starting there? Many, many are. Yep. And this is something we were, you know, like I mentioned, there's a pretty broad set of use cases that people key off. But definitely that service account coverage is a big deal for a number of customers.
And I think, you know, this is one of the things I know, and you mentioned the Microsoft breach, that's certainly one that comes to mind here, as we start to see attacks that are well documented and well publicized that focus around, as the Microsoft one did, a legacy OAuth application
that had the ability to go get elevated privilege. And that OAuth app and that service account linkage was key to the attack vector, right? That was really the key part of that. And so as we see more of those things, I think customers are going to start to realize how critical that piece is and say, yeah, we've got to get our security tooling that covers those things as well.
We can't just worry about people as we've traditionally defined it. We really do have to get to that, because not only is it, as you point out, Jim, a huge and more rapidly increasing surface area in terms of the number of accounts, the number of machines there, but also the fact that most security tooling, I think, hasn't emphasized that in the same way, especially on the identity side. So I just wanted to key up something else you just said there.
So you talked about that Microsoft breach. So you wrote a blog. I read the whole blog, then I watched the video, and then I realized that the whole blog was basically the video. So either read the blog if you'd like to read, or watch the video if you're like me and you don't like to read. I just wanted to point out something. So you and Tarun were talking, and you guys went out of your way to compliment
Microsoft, right? Because I think that one of the things that they did that really needed to be recognized was that they came out, they were honest about the issue, they documented the issue. You know, it wasn't the best look, right? Because I think it was essentially something that didn't have MFA enabled, right? But rather than try and sweep it under the rug and wait till somebody finds out, and try to ignore the issue, they were
proactive. Absolutely. I still give them props, because those things are so valuable, certainly for me, but I think it's true for the entire community, to really understand what went on. And this is the same deal. You know, and maybe, I don't know if I'd give Okta quite as many props in terms of their transparency over the last stuff.
But, you know, the information has gotten out there, and it's eventually gotten there, around the role that inbound federation played in the MGM breach. But again, when I compare sort of the outward response for Microsoft and Okta, that's why I sort of do give Microsoft props, because they were very forthcoming, had
a lot of really good detail. It was like, wow, I really understand how this thing worked, maybe not fully, but 80% of the way there. It was very useful and actionable in terms of how that all went down. I always find it a struggle and a challenge to figure out when you make disclosures like that.
Because I think there's a rush to: do you tell people right away and not know the full story, or do you wait so you have the full story and then tell people? I don't envy anybody who has to disclose information like that, because I think you're really caught between a rock and a hard place. You're already in trouble because you had an incident, and now it's, well, what if we release information too early and
it's not correct, right? Is it better to release early and then have to make corrections, or do you wait until you know a little bit more? What's the right balance? The longer you wait, people get suspicious and they're like, well, why didn't you tell us sooner? It's a difficult balance, and I don't envy any organization that gets put in that position, that's for
sure. Yeah, my gosh, I look at the CISOs that are at our customer organizations, like, that is a tough, tough job, and it's no joke. So I agree, that's really, really challenging.
And it's also interesting because, although it's certainly not what I'd say is our primary use case, it's one that I think is going to be a really interesting one for Veza in the future: actually starting to bring to bear this whole question of who has access to what, but doing it in the context of post-breach investigation.
So, you know, in the security operations team, because this is one of the things that I've definitely heard: obviously the gold standard is, I want to look at the activity. OK, I had a breached account. I'm going to go check and look at the logs and see what this account accessed after this time and
date. But the challenge that I've heard from CISOs is really that, hey, logging is great, but a lot of times logging isn't turned on, right, because it's expensive and it's a lot of memory and people charge you left, right and center for it. And so sometimes it just never gets turned on. And sometimes when it's turned on, it doesn't quite give you
the right information, right? It's not enough to really understand what went on. And so you end up having some big gaps. And so you can never just rely on logging after an incident. Like, you've got to keep going, you've got to dig deeper. And so if you think about sort of a set of concentric circles, the first one you go do is look at the logging and look at the activity. But then the next you want to say, well, what could this account have touched?
Like, what were the permissions for that account? And that's one where Veza is extremely powerful. And I'll throw in one other product pitch and then I'll stop. But we also do leverage the activity monitoring as well.
So now it's actually pulling both of those things into a single platform: not just the activity of who accessed what, but also who could access what. And having those two things together I think is going to be a really powerful use case for post-breach forensic security operations in the future. Well, you must be reading my mind, because I was kind of thinking here as we were talking, like, a tool like this would be really handy for a forensic
investigation. I guess it's better to have it before the incident happened so you can capture the activity of what's happening. But even afterwards, being able to do that diagnosis of, OK, well, here's the account, now at least we know the account that got popped, or whatever phrase you want to use, right, that caused the breach: what else could it have touched? I think that's really interesting. So you kind of stole my thunder there. So pitch away, that was...
That was where I was headed anyway, from a question standpoint. Nice. We're on the same page here. That's good, we are. So I want to wrap up the conversation with a lighter note, because that's how we typically will end our shows. The last time you were here, we asked questions around longevity, because that was something that I think you've got some interest in, and we talked about what's the most interesting thing you've learned
about longevity. If you want to know more about that, again, go back to episode 231. But I want to stay in that same vein, right? Try to stay with interests. This one I think is a little more fun, maybe thought-provoking. And Rich, I'll ask you first: the fountain of youth or the wisdom of age? If you absolutely could only choose one, which would you pick
and why? It is a fantastic question, and I think it depends on how old I am when you ask this question, because I think one of the beautiful things about getting older has been appreciating the wisdom of age more. And I also think about, as I've gotten older, there's a level of comfort and confidence, and just knowing who you are is just a
wonderful thing. And I think about it because I've got two teenage boys, and just the challenges of being a teenager and thinking that everybody is staring at you. It's so mentally traumatizing. It's tough. Being a teenager was really rough. And as you get older, you just start to care less and less, and this is why you see so many old guys walking around with plaid pants: they just stop caring.
And there's a beauty to that that I've really appreciated. So I don't have my plaid pants yet, but I aspire to that. So plaid pants is how we know that you've picked the wisdom of age. That's right. That's when you know I've reached the final stage of development. Jim, how about yourself? Which one do you pick, fountain of youth or wisdom of
age? I don't think anybody could have said it better than Rich right there. I mean, seriously, like every thought I was having on this topic, you just hit all of them. And I actually feel like I'm happier now at 50 than I was at 40. And I remember having the thought, I'm happier now at 40 than I was at 30. And I'll bet you it goes all the way back. And I have two teenage boys as well. I've got a 19-year-old who I
love to death, right? It's like he's working a job, like manual labor, and making like under 20 bucks an hour, and he's talking about going and buying like a $40,000 truck. And it's like, as a 50-year-old, you just look at that and you're just like, my goodness, kid, what are you thinking about? You have zero debt right now, and it's like he can't wait to get into debt. And what he doesn't realize is once you get into debt, you're in debt for the rest of your
life. Because, like, yeah, you know, you're always running credit cards, you get ahead financially and all that, right? It's not like you're living paycheck to paycheck your whole life, but you've always got payments, right? Most people, most of us, all have a mortgage and maybe a car payment, etcetera. What would be ideal, and I know this is cheating with this question, would be youth, physical youth, but also keeping your wisdom.
No, I mean, that's absolutely, 100% cheating. I mean, that's what everyone wants, right? I mean, there are TV shows that, you know, vampires live forever. You've got Altered Carbon, which, if you've never seen it on Netflix, is fantastic. I love it. Same idea there. I've heard that Warren Buffett said that he would give up all of his money to be like 21 again, so I'm not going to go... Does he retain the knowledge
that he's gained? Because I think, you know, 45 to, anyway, I'm only 50, so I can't speak beyond this too much with experience anyway. But I think in that range, I'm happy with where I'm at. Like, I don't like all the signs of aging, but I'm really happy with my life. I'm happy with the person that I am. If people don't like me, I really don't care. And I can't say that when I was in my 20s. Like, I really cared what people thought of me. What about you, Jeff?
You know, Rich, I couldn't disagree more. I wish I was still 20. I could almost dunk a basketball. Yes, I used to be able to. If you look at me now, it's like there's no way that dude is getting any more than six inches off the ground. No, I'm just kidding. I think you
hit it right on the head. I mean, everything you just said, same thing: you know, more confident, more comfortable with who I am, the knowledge that I've gained. Now, if I could pause time, I think that would be great. I think, Jim, you hit it as well too. Like, I'm happier now than I was five years ago, 10 years ago, etcetera. And I had some great times. Look, I feel like I've led a great life.
I've had a lot of experiences, a lot of fun stuff that I've done, very fortunate in that regard. But yeah, I don't think I would trade youth for the wisdom that's been accumulated over the years. So I feel like we're all, I don't know, maybe this is an old-hat question. If you ask a younger person, would they answer it the same way? But it feels like we're all on the same page, except I'm not going to wear the plaid pants. I would still feel too
self-conscious about that. I felt like a real nerd wearing my Apple Vision Pro on a flight last week. And I did return it, by the way, but that experiment is over. But I have not felt that self-conscious in a very long time, putting that thing on. I'm like, I know I'm going to return this, but I've got to try it out, see what it's like. And yeah, you totally hit that question on the head for me as well.
Awesome, awesome. Well, just as we leave with parting thoughts, I think, Jim, if you convinced your 19-year-old son, you know, really the beauty and all the benefits of a 15-year-old minivan, I can hook you up here, I've got something. But if he's got a Mustang... I handed him down my... my old might be a bit like, Frazee Mustang, and not good enough. He's a senior, Mustang. It's a nice car too.
I mean, I'll tell you what, I had the cheapest Chevrolet car that you could possibly have. It only had three cylinders in it for an engine, and I was thrilled to have it. What? What car was that? A Mustang is good. Well, I'm not going to tell you, because that's a secret question, man. But you'll have to guess it. I love it. Yeah. So I mean, it's not going to be that hard to guess, and I think I've changed all those
answers anyway. But if you Google three-cylinder, it would have been, my guess, mid to late '90s. Was it a Yugo? Did you have a Yugo? No, it was a Chevy. Oh, OK, it was a Chevrolet brand, let's put it that way. So there's the trivia for folks. Did you have to crank it up before you drove it? Look, I've heard you. You can't make fun of me, because I've heard every single joke. Nothing that you're going to say I've not heard before about that car. But you know what? It was my car.
It gave me freedom. I could get wherever I wanted. Jeff, this car is your... these are your plaid pants right here. That was my plaid pants. I'm glad I outgrew it. Now I'm very happy in my electric vehicle. And yeah, life moves on. Let's go ahead and leave it there. That was a whole lot of fun. Rich, thank you so much for coming back with us and having a conversation. I hope folks will go out and check out veza.com, Veza, and really check out what you guys are doing.
I think you guys are doing some really remarkable stuff. And I think there's a lot of applications that, you know, at first glance, for me, it was like, oh, OK, it's this. And then I was like, oh, wait, there's so much more. We'll have links in our show notes for people to check out. Want to connect with you, Rich? Ask you questions? Argue with you politely about the fountain of youth versus, you know, wisdom and age and things like that. We'll also have links to Veza's website as well, so you can
check them out. And yeah, we'll go ahead and leave it there for this week. Thank you again so much, Rich, for taking the time with us. Jim, as always, thanks for your time, and thanks to everyone for listening. You can find us on the web at idacpodcast.com, or on Twitter, or X, or whatever it's called by the time you listen to this, at IDAC Podcast, and we'll leave it there. Thanks, everyone, and we'll talk with everyone in the next one. Thanks much.
You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com and find us on Twitter at IDAC Podcast. See you next time on Identity at the Center.
