#277 - IDAC & AI Answer Listener Questions

Apr 29, 2024 | 1 hr 2 min | Ep. 277

Episode description

In this episode, hosts Jim and Jeff reached a major milestone with 300,000 downloads. They took the opportunity to answer mailbag questions using AI, providing their own critique of the AI responses. Questions ranged from key IAM metrics for organizations to track, challenges of implementing IAM strategies in large multinational companies, and upcoming trends in the IAM sector. The hosts also posed a fun question: Would you rather have the ability to teleport or the ability to read minds? Tune in for their answers and more!

Identiverse 2024: As an IDAC listener, you can register with 25% off by using code IDV24-IDAC25 at https://events.identiverse.com/identiverse2024/register?code=IDV24-IDAC25

Attending the European Identity and Cloud Conference in Berlin? Use Discount Code: EIC24idac25 for 25% off. Register at https://www.kuppingercole.com/events/eic2024

Attending Identity Week in Europe, America, or Asia? Use our discount code IDAC30 for 30% off your registration fee! Learn more at:

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter.

Transcript

Where do you think you are now? You're probably way behind the curve. You're probably like, you know, getting breached and stuff like that. You can't take a vacation from investing. Hey, I'm not saying I agree. I'm just trying to play AI advocate here. I'm trying to think really hard because budgets are tough. And if you have magic IAM people, IAM heroes is what I like to say, running around behind the scenes,

just making it work. And the organization doesn't feel the pain of not having modern tools, let's say. Could you have gotten away with it? I would argue, yes, it happens. It still happens today, right? But should you? You can get away, Jeff, you can get away without buying life insurance. But if you die, then your family will have no money. Well, that's their problem, not mine. Yeah.

Yeah. This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. I'm doing great, man. I'm in a good mood. How are you feeling? Oh, all right, you caught me. I'm a little crabby and I

don't know why. I just have one of those days, I think. You know, whenever I'm feeling crabby, I think about crabby patties and how they're like the jam. I never actually had a crabby patty, but that was like the hamburger looking thing that they had on SpongeBob. Any time to have a crab cake? No, no, like the hamburgers on SpongeBob that they made at Mr. Crab's restaurant. Jim. Have you ever watched SpongeBob? Jim,

I'm a grown ass man. I have never seen SpongeBob. Oh, you're missing out, bro. You're missing out. It's not, it's not, it's like the Simpsons. It's a cartoon, but it's something like hidden. I've seen pictures of it. I've seen like memes or something like that. It's funny, whatever, but no, I've never, I've never sat down and I don't think I've ever seen more than three seconds of a SpongeBob thing. Oh, yeah. I'm

missing out, man. So is this something you're doing? Just watching SpongeBob all the time? Well, no, I guess I did have kids that were in the right age range for that show for a while. So I'd wind up watching it. But then I realized that, oh, there's one of those cartoons that's meant to keep adults entertained as well, like Simpsons. See,

there you go. I don't have kids. So I never, I never have not gone through any of those phases. Just keep just watching a pursuit or two. Like, what do you have to lose? I don't know. You're not in the right mood for that kind of suggestion. Yeah, yeah, don't try and don't try and solve the problem, Jim. I just want to be crabby. Crabby

patties. Well, you know, one thing that I'm not crabby about, and this is kind of a milestone for us this morning, was we crossed over 300,000 downloads of this tiny little IAM podcast, not so tiny anymore, I guess. I know. I'm going to sound like a broken record to say. I remember when we had 20 downloads of the first episode and we knew all 20 people were. But we literally just started

by you saying one day, let's start a podcast. I was like, OK, thinking this won't last. We're coming up on 300 episodes and 300,000 downloads. Pretty amazing. Well, it's pretty amazing as it took. Yeah, we had no idea we were doing 100,000. And it took four and a half years, roughly, to get to 100,000. Because I remember we celebrated

that at Identiverse last year. And we're at 300,000 and it's less than a year later, which is absolutely bananas. And we saw a ton of growth just within the last several months and stuff like that. But it's a lot of fun. We still do it. You know, this is not our job. We do it because we like doing it. And, you know, thank you, everyone who's listened, subscribed, shared, you know, all that fun stuff.

And yeah, it's kind of fun to take a step back and, you know, that'll probably put a smile on my face now here for a little bit. Yeah, well, you know, just thinking about it, like that doesn't include our YouTube stats. So if you count those in, we have like 301,000 downloads. No, 300,000 and one, you mean? Our YouTube channel is still very small, but we are

putting more emphasis on it. Starting to think about how we're going to do video episodes. Still a little bit of a challenge from a timing perspective, just, you know, fourth, fourth, fourth wall here is we're recording this on a Friday. And this needs to go out Monday. I have other stuff to do and I still need to get this edited once we're done and trying to figure out how that quick turnaround will

work. So this might end up being only an audio episode, but if it, if I have time, I can figure out a good workflow and get better at it. There may be video episodes showing up on YouTube. So go to our YouTube channel. Subscribe, like, do all that stuff the same way we'd built up the audio podcasts. We're going to keep doing that, but we're going to start

doing video as well. Um, as time permits and hopefully time will be more permitting in the future. Yeah, because the real thing is like, I think when people find out about the podcast, probably half of those people will continue to listen or in the future, watch the podcast. So when people go out and like and subscribe, it helps more people find the podcast and. You know, hopefully, I mean, the way I look at it is

it's a community. I depose a community. I think the listening of identity center is a community. I see a lot of people, you know, really get a lot of value out of it. And we get to meet folks and introduce those folks to other folks. And it's, it's everything I hoped it could be. Yeah, it's a lot of fun. We're having fun doing it and we try to keep it fresh. So we'll keep doing it until one or both of us gets

bored. And then that'll be it. Let's see, it's a Friday night. What do we want to talk about this week? I think, well, first we have to talk about like all the conferences that are coming up. The first one is Identiverse. As everyone knows, it's like the one of the biggest conferences within the digital identity industry. It's May 28th through the 31st at the ARIA. We've got a 25% off discount

code. It's IDV24-IDAC25. It's kind of a long code. But hey, when you get 25% off, I think it's worth using. And you pretty much go to identiverse.com and you can figure out how to go through the registration process. I know early bird pricing is up soon and might already be up. But the longer you wait, the more expensive it gets. So I'd say get out there and register as soon as

possible. Jeff and I are going to be there. We'd love to meet every one of our listeners or as many people as want to come up and introduce themselves. We'll be at multiple places. So we're having a happy hour. I think it's Tuesday night, but reach out to Jeff or I on LinkedIn. Shoot us a DM if you're interested in meeting us and going to the happy hour. It's going to be with TALUS. It's going to be at the one of

the bars in the ARIA. I think, do you remember what it's called? I don't remember, but it's with TALUS and RSM, right? I think that's the plan. Yeah, TALUS and RSM. We're also going to be recording live episodes. So there's one room that's kind of like a fishbowl recording studio. And folks can stand outside of that, look in and they have headphones available that people can put the

headphones on and listen to what's going on. I know you're laughing, Jeff, but that's a huge improvement versus what we did last year where nobody could hear us. Yeah. I mean, there's two options, right? You can either, I think that's going to be in between both of the expo halls. There's two expo halls this year.

It'll be a fishbowl. We're kind of sharing it with the CRA, TV folks, the folks who help put on a number of cyber risk alliance. We've been great partners throughout this. So we'll kind of be using unused time from them and we'll also have a

conference room somewhere. I don't know exactly where it is yet, but there will be a sign outside of it where people should definitely be able to hear us then because it'll be a little bit further away from everyone. We'll be kind of in a room. We'll have different guests. I hope we'll have some chairs, maybe one or two people will show up and watch us kind of record one of these things live. And

yeah, that'll be a lot of fun. Yeah. So the third thing, we had a third thing going on as well for people, we're going to be with RSM and TALIS at the TALIS booth or whatever. Yeah. Was that the booth or whatever it is on the expo floor? Expo hall. So there's going to be an opportunity to drop by and

meet us there as well. Again, if like you're interested in any of those things, just reach out to us with DMs or play it by ear. We'll drop by any of the things. Just like we do here on the podcast, just we'll do it live. Just yeah, just wing it. Yeah. I'm also hosting a or moderating a panel, I guess, probably a good way.

So former guests on the show, Sean O'Dell and Atul Tulshibagwale, are going to be talking about CAEP, C-A-E-P, Continuous Access Evaluation Profile. And they've asked me to moderate a panel that they'll be on. So I will be the everyday man trying to figure out what the heck they're talking about as I moderate the session. So that'll be on Wednesday, May 29th at 11:40 AM. So I hope people come out and

check that out too. I've not done a lot of moderating for conferences. I guess maybe my second or maybe third time. So watch me be nervous up on a stage with a bunch of people. Yeah, that was such a good episode that we did. I mean, those guys are really on some of the cutting edge stuff. So I think a lot of us in our day to day, we're

doing things that have been kind of established. I always think of identity as like, for the most part, you're kind of like doing things that have been proven to work. People call it best practices. I don't like that term, but they're proven technologies. These guys are kind of like moving into areas that are, I wouldn't call it bleeding edge, but they're newer. Like

CAEP is newer. So you can learn a lot because I think, if it picks up steam and gets more folks adopting, it's going to be proven technology. You know, Sean would probably already argue it is proven technology, right? But he's out there proving it. Yep, exactly. So then let's see, after Identiverse, we've got people probably hopping on a plane going straight to European Identity and Cloud

Conference that is June 4th through the 7th in Berlin. We have a discount code for that as well. EIC24idac25 gets you 25% off. We'll have a link in our show notes for that one. We will not be there, but fortunately we have a code that we can share with folks. Well, we will be back later this year is Identity Week and there's a handful of conferences throughout the year. So there's Europe, which is in

Amsterdam, June 11th and 12th. There is Americas, which is Washington, DC, September 11th and 12th. That's the one Jim, you and I will be at. And then Asia, October 22nd, 23rd. IDAC30 gets you 30% off of all of those conferences. So looking forward to that. So kind of cool. One of the things we should do is kind of try to highlight the different conferences that are happening throughout the

year. I think we'll have Authenticate coming up at some point later this year. I mean, it'll be happening, but we'll have, I hope a discount code for that one. So that people can reach for that. And Andrew Shikiar will come back on the show and help us understand like what's going on there. We'll play a part in that with the podcast. I also wanted to mention RSA

is coming up. We don't have a discount code for that, but how many times have you been asked so far, Jeff, if you're going to be at RSA? I think everybody has asked and I, I have been in the past. I think this is the second year in a row that I haven't gone, but I think there's probably a streak of like three or four that

I went to, but just not this year. So here's my approach to it. I mean, I'm not looking to ask you to try to put it down or anything or pump it up. But what is your, what's your thought on RSA? I think it's great for meeting folks. I'll be honest. I don't think I've ever

actually attended a session. The way that I go, and this is a pro tip for folks is if you want to go to RSA and it's expensive, for sure, get just the business hall pass and go walk to the expo hall. You can literally spend two days just exploring it, seeing what new technologies are out there and stuff like that. That's usually what I go for is that kind of thing.

Everyone wants to know you might be able to sneak into a side room or something like that to catch a session. But I don't remember, I don't know what it cost this year, but it was like 50 bucks a couple of years ago. You know, maybe it's gone up in price, probably like

everything else. But that was all as my pro tip for RSA was just even, you know, if, if you're looking to save some costs, the money you save on travel or the money that you save on the, on the conference pass can be for the travel that's a little more expensive for services. Let's go. Yeah. My problem with San Francisco is like $400 hotel rooms per night. I mean, they would move it to Vegas. You

could get a lot cheaper. I mean, $200 and now you can get a nice hotel room. Yeah. Let's Vegas. It's built for that, but some people don't like Vegas either. So can't win. Can't win. You can't make everyone happy. Yeah. Well, let's see. How can, how can we make some people happy this week, Jim? Mailbag? We can, we can respond to their questions. Okay.

And you have this crazy idea of how we're going to respond to these questions from listeners out in the world. Explain your idea here so that we can kind of set the stage because this is definitely going to have visual as well as audio components to it. And we're trying to make sure this comes off well for audio too. Yeah.

Yeah. So considering the audio podcast aspect of it, we're going to read off the questions that we've gotten, uh, these are real questions and we'll put them into an AI engine. So we're going to use gem, Google's Gemini, not just Gemini, Gemini advanced. Cause I should pay for it. We're going to use the advanced version. So I have no idea what's

going to happen, but we'll enter them in. Jeff is very good at like command line prompting or prompt engineering. They call it, right? There you go. So he'll get us to as tight of an answer as possible or say it's a bit of an answer and it's like two pages long. We're not going to bore you by reading that. I'm going to get down to kind of like, you know, top five or, you know, short descriptions. Then

we're going to read them off. Obviously, if, if we get this out to YouTube and you can see the questions, you can see everything, the AI outputs. But I mean, I think the takeaway from doing this is like folks can start to get the idea of like, all right, this is what you might be able to get from AI. If they're not using it already, like we are, and, you know, put in like top five of this or top 10 of

that, see what comes back. And then my thing with AI is like, I kind of felt like my first start using it, like the answers were so super generic that anybody who had been in the industry for five or more years, but would know more nuance than what it was spitting out. So I'll be real interested, like literally we're entering these for the first time as we go. So we'll be evaluating how good the answers are and

whether or not we agree with them. Yeah. And hopefully helping out some listeners who actually sent some questions in. So your mileage is going to

vary based on whichever AI model you're using. I just happened to pick Gemini Advanced is the one we're using today, but if you're using Claude or if you're using OpenAI, AKA ChatGPT, or Microsoft's version of, of ChatGPT, the reason I like Gemini is it's tied to Google, which means theoretically it should pull back more current information than some of the other models that are

not trained on anything that's like within the last year or so. The only exception to that, I think is Meta put out their AI model this week, meta.ai. You can go to the website and that's supposed to be connected to both Google and Bing, but I have not really tried it out yet to see how good it is. So we're going to just go with Gemini. I just know that mileage may

vary. So let's see here. I'm going to put this question for you just to start. What is the top identity or digital identity podcast? Are you going to make me take this out? What is the top identity and access management podcast in the world? Yeah, this is going to be very embarrassing when it comes back with no idea who you're talking to. Yeah, there is no top. All right. So it's not even giving like

answers. So it's, you know, basically saying, okay, well, where subjectivity, evolving landscape, consider your interests, and then where to find podcasts like, oh, we're on here. Where to find podcasts. So podcast directories like Apple, Spotify, blogs, some popular IAM podcasts to get you started in no particular order. Just something called Identity and Access Management. I don't know what that is. Let's

Talk About Digital Identity. That's by the folks over at Ubisecure. I know I've heard about that one. ManageEngine's Identity and Access Management podcast series. IAM Pulse by BIO-key International. I'm not sure if I know what that is. The Identity Brief and there we are. Identity at the Center. So hey, I'm going to guess. No particular order, but we're last. Yeah. So all right. Well, that was a good warm up. Let's

take the first question. This one's from Jay in the USA. And let me go ahead and paste this in here. Jim, you want to read the question while I'm getting this set up? Sure. So the question is, what are the top IAM metrics an organization should collect, track or monitor for? Okay. And so the way I've done this is. Yeah. What you added was give

this, go ahead. No, no, go ahead. I was going to say what you're going to do is for like a prompt engineering perspective, give this an executive summary format with no more than five points. Yeah. And hopefully that keeps it to like one page. So there's not a lot of scrolling and stuff like that. But yeah, there we go. So that was kind of the idea

was, okay, take the top five points here. So: what are the top IAM metrics an organization should collect, track or monitor for? Executive summary format with no more than five points. Let's see. So to ensure effective identity and access management, organizations must prioritize the tracking of crucial metrics. Here are the breakdown of the top five. All right, Jim, you read them off. All

right. First is time to provision and deprovision. Second is privileged account activity. Third is failed login attempts. Fourth is number of inactive or orphaned accounts. And number five is IAM policy compliance. Okay. So I'm going to pick on some of these and say what I think about them. Like number one, time to provision and

deprovision. If you're just talking about fully automated processes, like what's the point of tracking the amount of, yeah. Like, oh, that took like 12 seconds. Right. If you're talking about something that's disconnected, probably you're having to go out to an outside ITSM system to get the information. And that's a kind of a complicated thing. And you may not have all that automated to pull that

metric. Are you going to do all the figuring of that out just to provide a metric? I just, you might have to. That might be the reason why you go for, if you're not automated today, we're spending way too much time on tickets, creating active directory accounts or email accounts or X accounts, whatever it may be. Well, let's do the analysis. How much time did we spend

when was ticket created? What's the dwell time or how long has the ticket been open between when it was created and when it was resolved? You know, does it, is it four hours, two hours, 48 hours, three weeks, you know, whatever it may be. So I think it's, I still think it's a relevant metric, even though you should be automating chances are you're not automating

everything. And that metric might give you either a peace of mind to say, okay, we've automated as much as makes sense, or we're deprovisioning accounts within what we said was a policy, we will turn off accounts within 24 hours of notice, eight hours of notice immediately. Are you actually doing that for the automated ones? Yes. Because it's programmatic for the manual ones, theoretically, right? Those

probably go into a ticket queue. Does someone get paged in the middle of the night to say, oh, Jeff's gone. I've shut down his account and make sure that he doesn't have access over the weekend, right? Things like that. Yeah. So in my mind, one of the things you can do with metrics is show how you're improving over time. And so I think that one potentially could show

improvement over time. But here's what I don't want to do, which is, all right, right now I'm at two minutes to provision everything I provision. Now, I'm thinking about like bringing these other apps into my scope, they're going to have to be manually provisioned. That's going to screw my metrics.

Maybe I'll just like say they're not, I'm not going to do that, or I'm going to do one at a time so it doesn't affect my metrics too much. So are any of us that devious? No, of course not. But it's like a, the motivation is a negative motivation to doing it. Well, if you're working in a large call center, ticket resolution time is a metric

that staff gets measured by. I know because I got measured by it when I was in the call center. So that's why I background was how long did it take you to do it? That can be a negative, right? Cause you're now motivated to hang up the phone and that call. Get the person to agree that they, you know, I can't help you. Can

we hang up the call? Like, all right. What really matters is was the person's issue resolved to

their satisfaction. Now you could just kick them out to some kind of survey, but however you wind up gathering that metric, I think when it comes to provisioning or onboarding or and it takes two days or three days, if you go from three days to two days, yeah, that sounds better, but if the person feels like in the three day scenario, they knew what was going on and like, they're getting

constant updates versus the two day scenario where, you know, they weren't getting updates or they just felt like nobody cared. You know, then your customer satisfaction score is going to be potentially worse than in a two day scenario. I mean, it's all about customer satisfaction when it comes to something like this. Well, that's why most ticketing systems have a stat, have different statuses of resolved versus closed

resolved means we think the problem is resolved. And you have X number of days or hours or whatever it is to reopen that ticket and say, no, this is not resolved, whatever troubleshooting or whatever thing you did did not work, right? Or in this case, the access provided is still not in place or isn't working correctly. You can reopen the ticket. So ideally you would measure

the final status, which is closed. Now, if I think I've done the work correctly, you know, and I mark it as resolved and no one tells me that something's not right or not working, I'm going to

assume it's correct. So you could measure, you know, how many tickets were, you know, marked as closed and shouldn't have been, but then how do you kind of match a new ticket to the old ticket because you don't really want to reopen a closed ticket, be

able to measure that time. So it gets a little bit sticky within that regards, but I still think it's a valid metric just to be able to articulate how much time do we spend in identity and access management. If you had to sit down and like track, you know, like a consultant, let's say, Jim, like, you know, how many hours or days or minutes do we spend on

each task? And if you're out there in the real world, you know, doing identity stuff, track it for one day. And I think you'd be shocked on how much time you're spending on each individual task. It probably adds up quite a bit. It's like people have full -time jobs on this. I kind of think that you

need to incentivize the right behavior. And if what you're incentivizing is potentially shortcuts or if you're trying to get off the phone, I think we've all been on the receiving end of that. Your customer satisfaction, your satisfaction level goes down. And really that's what you're driving for is, you know, and a lot of organizations say, Hey, we're going to outsource this part of our

organization. Maybe it's the help desk, for example. And then the help desk is kept to like, if you don't end the calls on average, time of 10 minutes, then you're going to lose 20% of your money. So then the manager within that call center is like, close those darn calls. And if you have to like provision part of the access because you don't know what the full access

is, provision part of the access and close it. Now, the customer is going to be like, okay, I still, yeah, you closed my ticket, but I still don't have the access I need. That's a huge fail. So it's all about incentivizing the right behavior, just like bonuses. When you pay bonuses to people, it should be because we're doing the behavior that you want them to do, not just that, you know, we're doing

extra. The extra might not be helpful. All right, we're never going to get through this entire list. And in one show, if we spend 10 hours at each point. One question, everybody. So not one question, one question, one point. Yeah, right. So let me move on. All right. The second one is privileged account activity. I'm going to read this one out. Monitors the use of accounts with

elevated permissions, e.g., administrators. This is vital in detecting potential misuse or breaches targeting sensitive data. Personally, opinion like big red X, this is not, this is not a top IAM metric to track. Not tracking privileged account activity. It's not a metric. What's the metric? How many times you're like, how many admins do you have? How long were sessions,

privileged sessions running? Okay. How many admins you have potentially, but if you go from 70 privilege admins to 71 or 75, like, are you doing things poorly? Or if you go from 70 to 65, are you doing things well? I don't know that that adds up to me. That's not a good metric. This is how people gain access to systems as they elevate, right? Up

and over. So let's say you're a small organization and you have 10 domain administrators, even that might be actually might be too many for, for even a large company. Let's say you have five domain administrators and you have alerting set up to say, Hey, if there's any domain, a new domain administrator account pops up, we have six. That's immediately a problem because we should only have

five at all times. The keyword used there was alerting. Absolutely. That, but that's not a metric to track. To me, a metric to track is like something that shows progress in one direction or the other. I, that's why I don't think that's a good one. Well, the next one failed. Collect, track and monitor or monitor for. Or monitor. What are the top line metrics an organization should

collect, track or monitor for? I do think you should be monitoring your privileged access. I think you should know who is privileged. You should have a count on that somehow. You should be able to identify when there is weird behavior taking place, whether it's session length or maybe it's kilobytes, megabytes, gigabytes transferred in a session.

What if I'm dumping an S3 bucket through a privileged session that I shouldn't be doing like things like that. Those are things that I would want to monitor for. I don't know if I put that in an executive summary dashboard. And this is, you know, the wrong format for that, but I do think it's a valuable

metric. Well, you sold me on what you just said there, but it just feels like you colored outside the lines a little bit versus like metrics, but yeah, no, I, I agree with everything you said. Failed login attempts, I think is a good one, but I also think it's. So I think so many of them progress over time. It doesn't even make a sense.

I mean, anybody who has a Microsoft personal account, go to your Microsoft personal account and look at your account, log in attempt history. And I bet you, you will find thousands, hundreds of thousands, millions of attempts that are just automatically blocked and, you know, they're just, it's just, you know, password spray attacks. People are just trying to get in, you know, brute force,

whatever it may be. And Microsoft just blocks by default. So yeah, this is definitely not Jeff trying to log in from X country, you know, 48,000 times within the last minute, right? Stuff like that. Yeah. Right. I agree. Yeah. I know you're right. I didn't even think of that point, but to me that, that one's not a good one. A number of inactive or orphan accounts. Now

this one I like. I like this one too. This is now I, I do think if you're doing identity governance and you're adding say 10 systems per quarter, you're going to increase the number of orphan accounts each quarter when you add those applications. So you have to understand that with growth of that platform, you're going to find more orphans and more inactives, but steady state.

If you can somehow adjust for that increasing orphaned accounts, increasing inactive accounts, like that's some, that just shows that's work that you need to do. And if you can reduce that number over time and you're keeping your environment clean. So I think actually that's a good metric. And then the last one is IAM policy compliance. Absolutely something that should be tracked. I don't think it's easy to

track within an IAM system. I think there are ways, you know, like that's one of my big things in life, which is that you're, you know, the policies that you create are the rules of the road and whether systems are leveraging your central IAM systems or not, they still need to apply comply with the policies. You have to have some way to test the adherence to those policies or track the adherence at least. But

that's very hard to do with an I am system. Yeah, that's more like a, I don't know, that's something I would definitely see a kind of a manual dashboard somewhere, percentage of applications using single sign on percentage of applications using MFA, maybe even, you know, critical apps using MFA, non -critical apps using a different type of MFA right over the media. But yeah, that was a little

more wishy washy. I don't know if I would. It's good to know, is it executive worthy? Probably not. Unless there's some sort of risk that you're not able to get by and for it to say, Hey, we're trying to get this thing on single sign on. And XYZ group is really not being a good partner with us to help that happen. Exactly.

If that's a major issue that you're trying to resolve is that, Hey, we're putting out these policies and various businesses are taking them seriously. They don't think they apply to them. And you can say, Hey, within this business unit, 50% of the applications are not compliant with our SSO, our password policy or whatever, any of the policies, then you can start to bring light, shine light on the darkness. Okay. Okay. Not

bad. If you had to give us a score from zero to 100, 100 being perfect. It just replicated the mind of Jim McDonald, which is a scary thought. And zero, meaning you're probably safe from any sort of replacement Jim. How do you would you score this one? I think I'm going to get this like a 50%. That's

what I was thinking. I would be real embarrassed to just highlight those, paste it into a deck and then show it to executives because they started picking on you with questions. You're, you're going to be exposed. Yeah. You have to know your content. I think I think it's good for us for a starter, but yeah, I was thinking this is about halfway there. Good start. It's

good to writing prompts. Okay. Now let me start thinking about why these matter or why do these answers make sense versus just here's information. Okay. Right on. Who cares? Like what are you trying to do with it? All right. Do you want to read the next one from Maria in Spain?

Yeah. What are the biggest challenges when it comes to implementing a successful IAM strategy in a large multinational company, give this an executive summary format with no more than five points. By the way, that last sentence is something that, that Jeff had, right? Yes. Yeah. All these, I, I had to give this an executive summary format, no five, no more than five points just to have it be something. None

of our mail bag questions came in with that. It's right. Yeah. Uh, although I would be impressed if somebody did that. Um, so I started a new chat also just so it wouldn't get confused with a prior question. So that's probably a good thing for if you're switching topics is to start fresh every time. Yeah. So biggest challenge is when it comes to implementing a successful IAM strategy in a large multinational company. So

it looks like it's got the five here. Key challenges, global regulatory complexity. That's number one. System integration and legacy infrastructure. Number two. Number three is managing decentralized identities. Number four, achieving cross departmental buy-in and number five, balancing user experience and security. What do you think, Jim? Really good. Um, I mean, sitting here looking at the first three,

I'm like really impressed. So I did get hung up a little bit on the third one, because when I saw managing decentralized identity, we're not talking about like, um, self-sovereign

identity or verifiable credentials. What we're talking about is when an organization says, you know, we're not going to have just one central approach to manage all the identities in one place for enterprise, all the Active Directories that exists from all the companies and all the Okta universal directories and Ping directories and LDAPs and

databases. Identities are spread everywhere. And it might even be managed by different teams and different, you know, systems and different rules and all kinds of stuff. Yeah. So just looking at the first one, global regulatory compliance. Is

this one of those no particular order? Because I think that is one of the toughest ones for, uh, IAM practitioners like you and I is that, um, you know, the, these talk about things like GDPR, CCPA

areas that I'm not an expert in. We have to go as practitioners and pull in the experts and really get guidance in terms of, you know, do we have to maintain identities in countries or certain countries where you do and the privacy of a person's data, you just can't take some of those things for granted. It doesn't all work the way it works in your country and other places throughout

the world. So I know I learned a lot about that. Um, when I was, you know, earlier in my identity career and working with groups in Western Europe, like for example, Germany and France had very strict privacy laws in terms of you actually couldn't take some of that identity data from their HR system, for example, and move it into systems in the United States. And you actually couldn't even ask for some of the

information, right? It was like, they had like, I forget what the workers' councils, I think, is what they called them in Germany. It's kind of like a union where like you could only ask certain types of questions, only collect certain types of data. So I think this is actually like a very important topic. What do you think? No, I think it's, it's a

reality, right? And the world we live in is data sovereignty, sovereignty, or whatever the word is, where, you know, where does it stay? And this might be a reason why you do have to have multiple active directories, multiple tenants, right? Just to keep data within specific regions. I mean, you try not to, I think you look for reasons. Do

you have to do that? First of all, and then if you have to, what are the rules you have to play by? And, you know, just go from there. But I think it's a good thing for a high level discussion and to say, hey, okay, yeah, we need to think about what are our regulations? Um, you know, number two is good too. All the different integrations,

legacy infrastructure. Your answer to the first one about what regulations may actually answer, what can you integrate and what needs to stay and, you know, what can you modernize or do you need to keep around, right? Things

like that. Yeah. And I don't know if I can specifically tie this one to identity, except my experience in working in a large multinational company was that there were a lot of legacy systems, mainframes and old systems that were hard to integrate to. Um, and I just, I think part of being part of a large multinational corporation is like, that's a fact of life. And when you have to integrate IAM into those systems,

sometimes it's a very difficult thing to do. Um, you know, regardless of, if you're talking about provisioning identities, provisioning passwords, you know, if you want to use MFA on some of the systems, it's just, it's not even a possibility. And so, or, or to do it, you have to like jump through so many hoops that it becomes a near impossibility. So yeah, that one hits home

for me as well. So then like I said, the next one was managing decentralized identities and the idea of that it's not all central command and

control, usually large multinationals. Um, and I've seen some of that break down over time, you know, in my, my consulting career is going into large multinationals where they have made the move to one Active Directory forest. And that is a great indication that they're saying, look, even though we have to have some level of division of autonomy, you know, put some autonomy in various

places, some of the enterprise services just doesn't make sense to completely delegate control, administrative control at that level. So it's finding the right level. Each organization tries to figure that out for themselves. It used to, a lot of it used to be driven by, you know,

the speed of networks from continent to continent. Uh, I don't think that's as much the case anymore, but I do think language time zone and just the fact of, well, you just like, right? Things like that. And the way that different countries in the world approach different things. I think it ties in with number four a little bit,

which was achieving cross-departmental buy-in. If you don't have cross-departmental buy-in, or even this case may cross-country buy-in, how are you even going to try and figure out how to manage all those decentralized accounts, identities, teams, right? Et cetera. I think there is, you know, that's, I think that's, I think that's actually pretty good insight for an AI to

answer with that here. Achieving cross-departmental buy-in is not a technical thing. It is more of a psychological thing, right? How are we going to convince Jim sitting in Germany to adopt the way of Jeff sitting in, I don't know, Italy? Right? Is, are there things that are lining up like teeth where it's like, okay, yeah, it makes sense, like from a gear perspective, there might be missing, you

know, links as well. How do we make that work? I think it's actually pretty insightful for an AI to include that as part of the answer. So I'm somewhat impressed by that. Yeah, I think that's an excellent point. I think at the most basic level, you've got information security policy. It has to respect local regulations and local laws

and cultures and customs. But I think that's the underlying is like, if you can get a common policy that applies across the organization, and then I think it starts going layer by layer into the technology, and that's where you can start to run into more of the pushback. I found it's very hard to drive major technology gains

across the globe without support from the top. If you're doing, trying to do things always at a grassroots level, and trying to make major changes across the board, you're going to face a lot of resistance. You need support from the top. And usually it's got to like, say, for example, the CIO gets behind. And it's security initiative like having one Active

Directory. If you have an organization, there are 50 Active Directories and business units and geographies have their own, you know, trying to be the Active Directory team and corporate and say, Hey, why don't we make this one big Active Directory, show me five thumbs. The CEO has to get behind it. And the CEO has to know he has the back of the CEO. In my experience, that's kind of what is required for driving it. I

think there's one exception. I think there might be a scenario where it might be a global organization, but the vast amount of revenue is driven by one business area that can really, you know, impose its will on the rest of the company, because people are very upset to rock the moneymaker. So it could be a situation where, you know, you really need to be thinking about what are the financial impacts, where is the money

being made? Chances are that's one thing you want to think about is you need the moneymakers on board with whatever strategy is that you're trying to adopt. Yeah, excellent point. The last one is probably just as good as the rest. Like I. It's not what you're doing though. User experience and security. I'm like, OK. You did ask for an executive summary. So the being fair, I think that's a very good one. And

this is the lifelong battle. And we would love to say, OK, if I do two security keys or five to two. Help me out here. But I don't know what you're going. I don't know where you're going with it. Like pass keys. Pass keys. OK, thank you. Had a little brainstorm there.

It's Friday night. One of the few security tools out there where you get an improvement in both because everybody hates dealing with usernames passwords and, you know, getting to possession based authentication, like having control of your device and then having a device ecosystem where you just get away from passwords. All that's great. But usually when you're deploying. And. Cyber security system of

some sort. It. Has the negative if it is improving security, it's having a negative impact on user experience like we talk about DLP all day. To get should be improving security. It's making it harder to exfiltrate information from the organization. But whoever sat there in their desk is like, that DLP is blocking me from copying my files to the jump drive. I love this thing. No one, no one's ever said that. Yeah.

All right. Well, that was a very long way to just say, yes, consider user experience and security. Yeah. Well, that's part of the show. We're almost 45 minutes. Do I do one more? Should we get one more? We can only do one more. All right. Carlos from Brazil. Go ahead and read it while I set this up. What are some trends in IAM that you think will become more important in the near

future? I'm trying to stay ahead of the curve in my industry. Executive summary format with no more than five points. All right. Survey says zero trust. OK, I guess I don't that's future, but more like current. AI and behavior analytics, of course, is going to say AI is important. Cloud-centric IAM. OK, I feel like that's kind of where we're at right now. Prioritizing user centricity and number

five, identity governance becomes essential. So my first question to you, Jim, of these five, zero trust, AI and behavior analytics, cloud-centric IAM, prioritized user centricity and identity governance being essential. Do you think these are near future from a trend perspective? Because that's the question. I can't take my eye off. I can't take my eye off the last one. Identity governance is becomes

essential in the near future. Ten years ago, maybe. Exactly. Like running water in your house is going to become folks. That's the trend now. Well, let's play. Let's play devil's advocate, right? Could you have gotten away with manual processes ten years ago if you're, you know, let's say you're not a super complex organization that has multinational implications? Yeah, you probably could have

gotten away with it. Is there a better way? Sure. But are we at the point where IGA essentially is mandatory to even be considered doing OK at identity? Here's the thing, Jeff. You can't take time off of investing in technology and information security. If you're ten years ago and you're like, hey, we're doing manual processes. We have 5,000 users. We just got, you know, these folks who they just take care of it. Where

do you think you are now? You're probably way behind the curve. You're probably like, you know, getting breached and stuff like that. You can't take a vacation from investing. I'm not saying I agree. I'm just trying to play AI advocate here. I'm trying to think really hard because budgets are tough.

And if you have magic IAM people, IAM heroes, as we like to say, running around behind the scenes, just making it work and the organization doesn't feel the pain of not having, you know, modern tools, let's say. Could you have gotten away with it? I would argue, yes, it happens. It still happens today, right? But should you get away, Jeff, you can get away without buying life insurance. But if you die, then your

family will have no money. Well, that's their problem, not mine. If you own your car outright, you can maybe not have comp and collision. And then you hit a stop sign. Stop sign jumps out in the middle of the road and you hit it. And now you've got a busted of car. And that's what's happening. Like companies are getting breached. If they knew what they need to do, they would have

obviously done it to prevent the breach. But under investing for years, like you're just passing, you're just kicking the can and then the next leader is going to, I don't know, I can't get out of that mode on that question. So look, I'm just trying to be the other side of the coin. I think, I agree with this. And that's only because really, IGA within the last 10 years has been solved for the most part. It's

a mature space. Gartner doesn't do magic quadrants on it for the last, what, four years, five years since 2019, I think. To me, that tells me it's done. And so within the last five years, there really isn't an excuse to say, oh, we can't do IGA. There are plenty of price points, you know, options for this space. It's somewhat commoditized. There's

always new ones coming up, right? We've had some of them on our show that are really good as well. But I feel like this is an area where if you're really going to do identity and access management as a program, you need to be doing some form of IGA identity governance. You know who has access to what and you know why they have the access and whether it's appropriate. That's

it. Yeah. I think you, okay. So going through the list again, zero trust takes center stage. I think you can still make the argument that it's still on the way up. AI and behavior analytics. To me, that's like, that's a pure winner right there. I mean, listen to the show, right? We're using it. It's the best one. Cloud-centric IAM, I think you can make the argument that that's still growing. Team,

team, CIM. Yeah, I mean, well, just even the idea of like, even organizations that I've worked with that are doing a very excellent job in the cloud can still do better. Prioritizing users, centricity. How can you argue with that one? It's kind of like, you remind yourself, be a good person, be a good person, right? Even if you are a good person, generally, you just have to keep reminding yourself, be

a good person. But when it comes to identity governance, becomes essential. I'm not buying on that. I want that old hat. That should have been, but for you individually, if you're not doing it or you're underinvested in that area and you just know you're not doing a good job with it, do a good job. Okay. Well, I disagree. I think it is mandatory or let's just say, I think

it's essential now. I think there were, I think there were arguments to be made that it wasn't necessarily as essential 10 years ago with some very big asterisks next to it. It's not like, finance regulatory reasons, right? Things like that. But I think as identity becomes much more the new perimeter, it's at the center, right? It's the name of a podcast. You have to have governance around that. You

have to have things like single sign on. You have to have MFA. You have to know that kind of thing. So I'm going to, I'm, this is a hill I'm around. You can't say you disagree. You said, identity governance is essential now. But that's not what it says. It says identity governance becomes essential. Meaning it's not essential now. It will become essential.

That's not true. Well, I think it's based on the maturity organization, the sizing industry. So let's read the rest of it. So identity governance becomes essential as organizations sprawl keeping track of who has access to what becomes difficult. I would agree with that. Identity governance tools will gain priority allowing you to visualize and manage access rights and enforce least

privilege. Right? I don't, you know, that's a little bit too floaty for me at the end there. But the idea of you do need to know who has access to what the larger your organization and as the organization sprawl. Yeah, I would agree with that. You'd need automation too. Otherwise it becomes. I kind of want that. You do as much as you can with the people you have.

I did want to bring up AI and behavior analytics because it's on the interday jobs we work for RSM and one of our peers put on a presentation about AI governance. Was that Dave Mahoney, the man? Dave Mahoney? Were you on that? No, I wasn't able to catch that. I got to watch for replay on it because I was in middle of another meeting. But yeah, Dave's the man. So Dave, you're listening. I'm looking forward to see what

you put out there. But Jim, go for it. No, it was really good. So, um, he's talking about like, you know, companies really need to have, you know, starting point is you have to have a policy around AI. And I asked the question like, what are, there's so many use cases for AI, right? There's AI in products that you buy. So let's say you buy an IAM system and it's got AI or N number of tech systems.

It's got AI, right? Maybe it really has AI or maybe they're calling it AI either way. You know, you start plugging information into it. You should know, I think, what's happening with it. Other use case for AI is people doing like what we're doing. You're typing a bunch of information into an AI prompt. What's happening with that information? Does your company trust or want your employees doing that

or not? Do you want to put some rules around it? Etc. There's, um, you could be deploying IT systems that you build your own AI into. Let's say I'm building a website for our clients to go to and they can start using a chat bot to solve their issues. And I wrote some kind of AI formula or maybe I use some open source AI and you have policy around

like, you know, who's I have to go through? The last use case is let's say we build, build products and we build AI into it. So I make smart home sensors and I want to build AI into that. You know, you should have policy around that. So I just think it's such a fascinating area and we're really like, it's just like the cloud actually where I kind of feel like the cloud was out there and devs went out and said,

wow, this is great. We can build these apps and then they started building things that went from pre production to okay, now we're going to use it for production. And then information security comes along and you're like, oh, we got to put some guardrails on this thing. I feel like that's what's going to happen with AI. It's like, you know, people are

using AI every day. People are building AI into their products, deploying software into their enterprise that uses AI. It's about to get an interesting. Yeah, I mean, already is, I think, and I think that's, it's a wave that's coming. I don't think you can stop it. What I think you can do is

educate about it. Make sure that your, your workforce or your users or employees or contractors or whatever, understand the ramifications of how they can use it. Yeah, but all the guardrails in the world, you want, okay, we can access our computer. Guess what? I'll

put it up on my phone and do it there. There are always ways around it. So I think the education is super important right now to make people aware of, yeah, if you type in people's names into Google and Gemini Advanced, guess what? They're in a learning model now somewhere. That's why I don't have the names

listed here, right? I just distill it down to just a question and, you know, should be relatively benign, but you need to be aware of what's being put into those models. And I think it's important for education. Okay, it's Friday night. I'm ready to be done. Should we end on a lighter note? I would love to. Okay. Would you rather have the ability to teleport or the

ability to read minds? I would love to be able to read minds, but I'm a little afraid of what would happen. Like if I started realizing people. Yeah, what am I thinking right now, Jim? Yeah, exactly. Well, I'm sure it's not great. And so I think I would like it, but I'd like to be able to turn it off and on. Teleporting would be pretty awesome, man. I

wonder if you don't get any miles. How are you going to get platinum status or diamond status with Delta or whoever? If you're just teleporting, what's the fun in that? Just think about it. You would not need miles. Can you imagine a commute? It'd be a truly global, you know, thing if we could figure out teleportation where, you know, my job is in Amsterdam, but I commute from Asheville, North

Carolina every morning. So here's a better question. I don't think mind reading is likely to. I shouldn't say that. Put that aside. Do you think that someday humans will figure out how to do teleportation? I don't know because I'm not smart enough to know if it's within our understanding of science and physics and all the things

that could happen. But what I am, and I feel like I read something within the last year or so that talked about teleporting like a single atom. I don't know exactly what it meant. I'm too dumb to even figure out what the article is about. So I feel like if it's within the realm of possibility, eventually we would figure out something like that.

But if it truly is like an unbreakable rule of the universe, whatever that means, then obviously I don't think it would ever happen. But I'm not going to rule it out. I mean, I'm, you know, we're carrying around cell phones. You know, we're recording this podcast through the internet and we can see and talk to each other. I mean, that would have been magic, you know, 10 years ago, even 15 years ago. Yeah.

I mean, if you if you think about it, the the laws of the universe, one of the laws of the universe, nothing can travel faster than light, which means we'll never be able to get to other galaxies. Then unless you figure out some sort of wormhole folding space, right, sci-fi stuff

like that. Hundreds of thousands of years with the technology that we have right now, I think to answer the question myself is that if you were to take this cap and you were to teleport it, what you'd actually teleport is a copy of it. So to our eyes, it'd be maybe indistinguishable. But I think the thing with with a person or an animal

is that it would also be a copy. And the thing with personal animals that you have electrical and chemical signals going from your brain. So I kind of feel like you can make a copy of the mass, but probably not of the energy and that you probably be transported and then like, what would happen? Probably.

Interesting. Drop dead. Or yeah, what if it's more of a instead of a of a teleporter, a replicator, right now I'm now taking Star Trek, you know, T Earl Gray Earl Gray hot. Right. No, I'll take that. I bet honestly, that would be that'd be enough for me. So I'm gonna change my answer and I'll just take the replicator. Well, that wasn't the question. It was teleportation or the ability to read minds. My

gut reaction is of course read minds. I'd always want to know, okay, what's going on so I can kind of figure things out and make sure that, you know, I'm on the, but that I'm on the good side of whatever it needs to be. But then you did mention the thing about being able to turn it off. And I was like, oh yeah, that, you know, that could be pretty crowded in someone's

head for a while. Yeah. Yeah. So if I can turn it off ability to read minds, if I can't turn it off, then yeah, I'm going to sacrifice my Delta diamond status and go with teleportation. Have you ever, have you ever heard or have you ever seen the show True Blood? Yeah, of course. Okay, I only saw it because didn't use someone to watch it. It's not my kind of show. I liked it. I thought it was great. She

could read minds, right. And it like would drive her crazy sometimes. Yeah. I mean, that's, that's typically the drawback you see in any sci-fi thing is if you can read minds, how do you filter out like Professor X from the X-Men, right? Same thing. And, you know, other characters of the like that can do that kind of stuff. Okay. We got really fantastical. You're on a Friday. I

don't know what you're talking about anyway. Yeah. All right. Let's keep this under an hour. We'll wrap it up there. We're on the web idacpodcast.com on Twitter X whatever it's called at IDACPodcast. Mastodon at IDACPodcast at infosec.exchange. Reach out

on LinkedIn and connect with Jim and myself. If you're interested in attending the happy hour, whatever it is we're trying to do at Identiverse, reach out to Jim or I on LinkedIn and follow us on YouTube. We're starting to build up that channel. So like subscribe, get notified. All of our audio episodes are already there, but we're going to try to put some

more video stuff up there too. So you want to, you know, subscribe and hit that bell to be notified when new ones come in. So, all right, ring the bell, ring the bell. All right. That's it. Thanks everyone for listening and we'll talk with y'all in the next one.

Transcript source: Provided by creator in RSS feed