You're only one misconfiguration away from a breach. What are your thoughts when you hear a quote like that?

I think when I hear a quote like that, it is absolutely true. It is an asymmetric problem. Attackers have to find just one weakness to get in. Defenders, as a customer, have to have 100% coverage. But it's not that you've got to do everything perfectly. You're never going to stop attacks. You're never going to, you know, if there are going to be some challenges coming in, it's what is the risk of inaction? What is the risk of this access? So people have built identity systems for the last two decades. But the concept of the risk of an identity, the fact that if I'm giving access to Jim means I'm taking on a risk. I'm hoping Jim is a legitimate employee. He does legitimate actions, but sometimes that's not the case. Sometimes your account could be compromised. So the threat vector we are looking at right now means every account has a risk.

This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman.

Welcome
to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim.

Hey, Jeff, how are you?

Oh, not bad, yourself? I'm doing great. I'm, as always, very excited for this episode. I discovered Venkat a while back at an event, and Ian Singh, who probably most people who are listening to this podcast know, Ian, he's very much a contributor to our community on LinkedIn and various other formats as well. He introduced me to Venkat. I got to learn a little bit about the Stack Identity product. And so I'm glad we're able to bring their message to our community.

Yeah, we're looking forward to this one. And definitely want to give a shout out to Ian for the connection. He's also been a great supporter for the show. So shout out to Ian. Today's episode is a sponsored episode, something that we develop in collaboration with our friends over at Stack Identity. If you don't know Stack Identity, they are your co-pilot to solve identity security problems. We're going to find out what that means. You can learn more about them at stackidentity.com. And so we've got Venkat Raghavan, founder and CEO at Stack Identity. Welcome to Identity at the Center, Venkat.

Thank you, Jeff. Thank you, Jim. Good morning.

So thanks for taking the time. One of the things we like to do is really find out about the background and the origin stories of people who appear on our show. So let's start with that. How did you get into the IAM industry? What set off or ignited, maybe, your passion for this sector of cybersecurity?
Gosh, I've got to go back 25 years here. So my first start: I'm an engineer by trade. So I built early distributed systems for companies. And I was working on a specification called Security Assertion Markup Language, or SAML, as it's very popular these days, which is kind of the bedrock of identity today. I got really excited about the opportunity to kind of have a common language by which we can speak identity to each other electronically. And so that got me excited. So I dug into this a bit more and joined a startup called DASCOM, which was a pioneer in using SAML to build the first generation of identity management and single sign-on systems, which powered a lot of Java applications back in the first days of the Internet era. So I had a great experience in this identity space. And never left, frankly. Got to know SAML, built products, was part of a startup, DASCOM, we got acquired by IBM. And here I am, 25 years later, as we said, still doing this.

So you've got a long history in this space. So let's talk about Stack Identity. What's the core problem that Stack Identity looks to solve for? And this is a very competitive space. How do you set yourself apart
from others in such a crowded market?

I think it's useful to kind of go back and look at how the industry evolved in the last two decades, right? I mean, when we first started at DASCOM and worked on the early generation of identity technologies, the problem we were trying to solve was simplifying the granting of access. And so that was very complicated. IT was growing leaps and bounds. And people had a lot of applications and so on, and so single sign-on, not having a single password, was a big, big issue, a big pain point. That we solved successfully over the last 25 years or so. But now the issue is granting of access is the easy part. Removing access is quite difficult, quite challenging. Why? When you remove people's access, they don't like it. And they feel like they've had something taken away. They've had something taken away from their daily work. The reason becomes emotional, cultural, sometimes political. And so what happens is that if you don't remove the access, under whatever pressure you're in, in companies, then what happens? There's access sprawl. Hordes of access lying around for years and years. And it's easy pickings for attackers. In the last 100 breaches, attackers always compromised the same pattern: a compromised identity, but with a compromised or orphaned credential that should have been removed, that wasn't removed. And we only find out after the fact. So the problem that Stack is solving is to kind of figure out, how do I simplify and make it easy, an easy button, for removing access? And so that's, I think, the innovation we're applying. And it's very difficult to convince people to remove the access, but we've got to do that. And that's what we're empowering teams to go do.

So I'd love to find out also about the names of companies. How
did you come up with the name Stack Identity?

Well, I think if you look at even a decade ago, we were operating just Active Directory and LDAPs. That's it. In today's world, companies, you know, there are 25, 30 different identity systems. You have your AD, your LDAPs, you have Entra ID, you have Okta, your applications that have their own identities, and it goes on and on. So the sprawl of identities was massive. So now we're seeing identities built into your operating systems and clouds and applications and databases. So we see stacks of identities, you know, all over the place. And so for customers, it's very difficult to manage all the identity populations they have. And so Stack is named to kind of reflect the fact that there's now a distributed identity system. And it's going to be that way for the next several decades. How do we still bring a unified perspective of identities and what they're doing in the environment? So that's what we're trying to accomplish here with Stack.

You know, Venkat, I was thinking, oh, stack could also mean the stacks and stacks of entitlements that people accumulate over time.
Because that's really what it sounds to me like the problem that you're solving is, right, this entitlement creep scenario where you keep getting more and more access, whether it's, you know, I don't think it's intentional, right? Nobody's out there trying to do the wrong thing. But we, you know, as consultants in our day-to-day lives, Jeff and I see scenarios where companies are still doing what we call "model after." So Venkat joins the company and he's, you know, backfilling for Jeff. Make him like Jeff. Well, what they don't realize is that Jeff has been working here for 15 years, and now he has all this different access. So that's one scenario. But kind of what I'm very interested in is, where do you fit into that lifecycle or that workflow of getting from the point where it's like, you're provisioning these entitlements, to now you have them and you may or may not be using them? Where does Stack solve the problem? Which part of that workflow is it?

Yeah, great question. So you're right, it's all
about stacks of identities. And we should be clear, it's both human as well as non-human. Because most of the time we are seeing a new era of machine identities coming in: workloads and whatnot, APIs, AI applications, and so on and so forth. So we have stacks of identities, stacks of permissions, stacks of privileges, stacks of policies, right? So that's a complete mess we have. So granting access is easy, right? Many tools do it effectively. So we're not solving that problem. Once access is granted, what happens on day two, day three, day five, day 10, day 100? Are you using the access? Or do you have more access than necessary? And are you approving access that's not required? And so we look into, how do we understand and help customers understand where they are over-permissioned in their environments? Where are the unusual access patterns, the unusual behaviors of access? Because anytime there's access, there's a risk of somebody doing an exfiltration or an attack on your critical systems. So we are always focused on continuing to understand the access attack surface, and always helping you to automate the reduction of this. So the primary goal that we're trying to solve is post-grant of access for any identity, machine or human. How do we make sure they only get the right access for the right reasons, for the right duration, for the right purpose, and that's it? And help customers to continue to operate in least-privilege mode. That's our goal, and that's our IP, as a company.

Yeah, that's fantastic. You know, one of the things that Jeff mentioned is, you know, he asked a question of how did you come up with the name of Stack? I'm also interested to understand, so you've got this tagline around co-pilot for identity security. So what is that all about? What was the mentality there?
Yeah, if you look at every CISO you've talked to, or an identity leader, they will internally talk to themselves, and they know they have to solve this problem. They know they have a challenge with excess of access, access running amok, whether it's employees, contractors, third parties, whatever it is, they know this. But they can't put their arms around this problem. And so, so why is that? They know they have to do this, but they cannot do this, because things are too complex right now, right? They have to deal with many different systems. They're dealing with, you know, identity systems, access control systems, applications, databases, and whatnot. So they're struggling to figure out, how do I get my arms around this? And so the answer for customers is to help them leverage automation. So co-pilot is the ability for us to work in concert with the customers, and be almost like a co-pilot to the customers and environments. Watch over their environments continuously, understand where the problems are, and clearly help them see there's a problem here. So co-pilot is all about the sort of AI world of automated visibility, automated access control, automated resolutions. So customers don't have to put human labor into all those things. And today, we've seen many, many companies that use spreadsheets and screenshots and emails back and forth just to figure out, hey, is this actually required for Jim? That's a back and forth that happens for like a couple of weeks. So co-pilot takes a different approach. It's entirely automated. It's data-driven. And through that approach, customers are informed of problems automatically in our console. So they kind of get to see, okay, these are the areas I'm focused on. These are my exposures. These are my exploitable things I need to go look after, right? And these are the ways I need to right-size my policies. That's the whole idea of co-pilot: to give you the automation layer so you can automatically detect this unwanted access, unauthorized access, shadow access, and help customers to kind of go through a process of fixing these things automatically as well.

Yeah, I thought that was one of the points that you made there that was real interesting, around not only the human
identities. It's so easy to fall into the trap to think about identity as human beings, but there are also all these non-human identities, especially in your cloud environments. So let's kind of like shift into Stack meat and potatoes. So what are the environments, the cloud platforms that you guys support? And then if I'm wanting to use Stack in that environment, what is the implementation of that like? In other words, how do I go about it at like a 10,000-foot level?

Yeah, it's quite simple. We support all the major cloud platforms today. We are multi-cloud and multi-IDP. Multi-cloud: we mainly support AWS, Azure, GCP, and things like that. We also support multiple identity providers like Okta, Active Directory, Entra ID. We also support identities that are built into databases: database identities, database admins, and things like that. So the platform is a SaaS platform. It's easy to deploy and onboard. And we take read-only access for a particular cloud account. Customers create a couple of policies for us and give a limited access scope. Through APIs, we ingest this data. It takes about five minutes to onboard a specific cloud account or an identity account for us, like Okta, for example. And then we do the analysis, we do the detections, and the time to initial value is about 60 minutes or less. So it's a very simple-to-use product. We have a nice dashboard that builds trust with our customers, where we tell them where things are in the global identity population: what are the various activities, behaviors, what are the risks of identities, where is the over-permissioned access? And we go through a guided process to help customers to understand, agree, acknowledge, and then take action from the platform.

So forgive me for sounding a little bit incredulous, but I'm going to paraphrase
what you just said. If in about an hour you're able to pull all this information together and really start having actionable data across GCP, Azure, AWS, various IDPs, etc., you're pulling that data that quickly, and really starting to be able to get your hands around the cloud, right? Which is kind of like this amorphous thing, right? How do you grab a cloud, right? You're kind of trying to get to it, but did I hear that correctly?

Absolutely. I mean, I wish I could show you a demo right now, but maybe the next time, or the next episode here. But the point is, that's the beauty of the cloud, right? API-based applications. So, you know, we're SaaS-based and API-based, we ingest this data, so it's easy for us to grab data, put it together. The power of our platform is not the ingestion, but the correlation, the detection, the analysis that we do automatically. And we're able to handle very large accounts too. So, we have customers who are kind of small, medium, or large, extra-large kind of accounts. So, you know, we are able to then apply the heuristics and understand the entire identity populations. The challenge in this problem is always going to be, am I going to miss an island of identities lying around, which I haven't even touched, right? That's a problem. And that is an exposure customers don't have visibility of. The idea is getting 100% visibility of all the identities across your environments. And that's what we do. So, that's an important statement. It's not about doing it for one cloud or one platform and calling it a day; it's about looking at the entire identity populations that we live in: your cloud accounts, your identity providers, your databases, on-prem, hybrid, cloud-native, and whatnot. So, it's the comprehensiveness of our ingestion and the correlation, with the customers' complete trust and visibility. It's their data. It's their story. And we just help them to kind of get to the quick conclusion and remove all the toil of managing, you know, spreadsheets and emails and back and forth, and have them manage their policies. And automatically, we have the co-pilot, things that can take action quickly, right? And so, the goal is to continue to shrink this attack surface through automation. And I believe this is the way to go. At the end of the day, the customers don't have time, the resources are constrained. They're going to use technologies like generative AI, which we have brought into our technology, to kind of bring this power of automation to market and get them to take action to kind of remove the access. That's a really important goal. Not to kind of show nice, pretty pictures, but to
have them take action.

Hey, Venkat, I want to get your thoughts on a statement or a quote that I've heard a few times, which is that you're only one misconfiguration, or maybe it's one over-entitled account, you're only one misconfiguration away from a breach. To me, that puts a lot of onus on the identity management practitioner. But I kind of feel like that just means you have to have the right tools. But what are your thoughts when you hear a quote like that?

I think when I hear a quote like that, it is absolutely true. It is an asymmetric problem. Attackers have to find just one weakness to get in. Defenders, as a customer, have to have 100% coverage. But it's not that you've got to do everything perfectly. You are never going to stop attacks. You're never going to, if there are going to be some challenges coming in, it's what is the risk of inaction? What is the risk of this access? So people have built identity systems for the last two decades. But the concept of the risk of an identity, the fact that if I'm giving access to Jim means I'm taking on a risk. I'm hoping Jim is a legitimate employee. He does legitimate actions, but sometimes that's not the case. Sometimes your account could be compromised. So the threat vector we are looking at right now means every account has a risk that we need to understand and take action on. So the focus is really about doing the basics correctly. For example, if there's over-permissioned access, clean it out. If there is unused access, clean it out. If there is excessive access, clean it out. If you have poor posture, clean it out. Doing the basics correctly and having complete visibility around this basic hygiene, if you will, solves 80% of the problem in this market. Now you've got 20% to go. Now we've got the hygiene done, and we're comfortable with that. Now look at the next 10%. How do I look at the critical crown jewels? The data, the databases, the customer data, the supply chain; look at external actors who want to come in, tighten those things up. That's another 10%. Another 5% is where are my policy gaps? Where are my blind spots? Fix that. Now you get to 95%, pretty much. And the remaining 5% is just risk you have to accept. So by methodically looking at brass tacks, hygiene, configuration practices, least-privilege practices, better posture, improved posture, and tightening your policies, tightening your guardrails, education, you get to the 95% mark, and then the remaining 5% is the risk of doing business. That's how I think about it. That way you can make progress. It's never going to be about 100%. But it's always about having a method in place. And tools currently don't have this methodology. They were built 20 years ago for compliance and audit and automation for productivity purposes. Now, I didn't even speak about the threat dimension. Access is a threat dimension. This is the change the market is seeing in the last decade. It's going to get worse with the arrival of AI and machine identities and things like that. So that's a new part here. So you asked me earlier about lifecycle. We have to now leverage threat as part of the identity lifecycle, which we've never done before. So the notion of threat as part of the lifecycle of identity management has to be a front and center thought. And that's the area where it
will be a part of the great innovation around.

You know, what you just said is triggering another thought for me, which is a lot of the cloud environments were spun up without the inclusion of information security and the IAM strategists and practitioners within an organization. Application development teams were told, like, hey, make this happen. We need to have this data lake and this great whiz-bang project. And they went out and they built it. And a lot of times they're not security-minded. So they weren't trying to get each account down to least privilege. Now somebody says to the CISO, hey, buddy, the buck stops at your desk. You're responsible for protecting our data. And now the CISO, he or she, has to figure out, oh, we've got this. We've got those crown jewels out there in this cloud. Now I need to figure out how to make it more secure. And I think one of the great places, sorry, it's not going to give you everything, but a great place to start would be to start looking at, especially these machine accounts, but all accounts, which ones
are over-provisioned?

Great point. Yeah, the power of the cloud, right, this automation. We love the cloud so much; it's a tremendous amount of power, right. Things like using, for example, you know, infrastructure as code, like Terraform, for example: you can spin up a cloud in like five minutes, right. You can imagine you can set up a database in 30 seconds, you can put up a database, right, and upload customer data and do it, right, and go away. So the environment is quite difficult. So by all accounts, most cloud environments are automatically over-provisioned because of automation, you know, and developers are driven by what their KPIs are, productivity and velocity of code, not examining privileges. That's not their job. So they want to go build cool applications and monetize data, bring the latest AI, ML model, generative AI, show value, right, and run and create value for the business. Security teams are pretty much on the outside looking at this cloud. It's so fast and growing so fast. So when the buck stops with the security teams, they struggle, right. At the end of the day, they didn't have any policy control over this environment. And so what we're trying to do is to kind of bridge the gap, is to help the security teams understand the risk of already over-permissioned access, all the, you know, exposures created. Come to data assets, because it's so easy to spin up a data asset in the cloud and build an application to share data. So data sharing is ubiquitous. Like imagine how easy it is for us to, you know, share a Google Sheet, right? Or, you know, it takes two minutes for us to create a spreadsheet or doc and share it with you. Done. Imagine now you're sharing terabytes of data the same way. With that same simplicity, I can share my Google Drive or my Snowflake instances with my third parties and do interesting applications. So, and in just two minutes, you have changed the world from, you know, a kind of highly change-controlled environment to a completely, you know, sort of, you know, ad hoc way to share data of our customers and whatnot with various third parties using APIs. So there's no visibility to these entire things. So that's why I go back to the co-pilot. The thought is we need to bring the power of automation to work to solve this problem. The very reason this problem exists is automation in the first place in the cloud. So let's leverage automation and AI together to bring the early visibility, to bring that, you know, continuous visibility to practitioners of identity and security. So they can kind of keep up with this thing and start to figure out how they can speak about risk, right? The job of the CISO is not to take on risk, but to speak about risk. If this is where I'm exposed, this is where the risk is, and this is where the impact is going to be. You guys take a call on this. So we're going to help CISOs and the board ultimately take a call, and these are the exposures, but now we're going to make it super simple, super easy. And that's the reason why we're so thrilled about, so worked up about AI and machine learning and data lakes and whatnot. So this ability for us to bring that continuous visibility as things happen, you're able to respond to events and either shut it
down or take action. That's super compelling. And go back in the day of, you know, change management, and you had three months to do access reviews. And people don't even do access reviews today, you know, every three months, every manager hates it. And when you want to review access for your employees or your reports, you go find your favorite tool. I won't name those tools today, but you can find the select-all button and bulk approve. Done. It's a headache. I'm done. So nobody's examining access privileges the way they should be. So when it doesn't happen, through either a flawed process or a complex process, access accrues. So we want to bring automation and simplicity, because without simplicity and data, our customers will not take action. That's the differentiating aspect of what Stack does.

So how do you, how do you use something like Stack to measure the success of the implementation or the data you're getting out of it? Because you talked about risk, right? And access permissions and cleanup, etc. I have to imagine that you've got, you know, customers right now that are using
the product. How do they measure success to know that they've gotten a return on the investment they've made?

Yeah, let me give an example of this. You know, our customers, and talking to the security teams, even the CISO, right? Their job is to raise risks and awareness. And so now let's say they have an environment in which they found all the risks of AWS. They're going to knock on their colleague's door, the VP of engineering who owns the cloud: hey, you've got to go fix this, buddy. The VP of engineering says, you know what, I don't have time for this. I'll look at it when I can, right? So now we have surfaced intelligence and the risk. The CISO has told his peers you've got to go fix it, but nothing happens. So what happens now? A month goes by, still nothing happens. It's like, so now there's a back and forth, right? So what we do is we can set SLAs in the product. Now, you know, if the risk you're generating is a high-severity risk, it's got to be fixed within one week, right? And now we become the broker. So our ticketing mechanism includes this SLA. So now the cloud engineering VP has to respond to this. They can say, look, I accept the risk, I'll fix it within a week. I will accept the risk, I will fix it in two weeks. I will not accept the risk, escalate. This is the business. So our job is to kind of make sure they come together, collaborate, collaborate on the single platform across the stack; identity risks of high fidelity, high urgency have to be taken care of. And at least everybody's on the same page. It's the same data they're looking at: the CISO and the identity team are looking at the same data as the DevOps and security teams are looking at. So we're able to bring this collaborative platform through SLAs. So at the end of the day, it's not, you know, I'll do it when I can. Let's look at the risk. And if you can't resolve this at this level, we elevate this to the head of operations or the business unit leader, whatever it is. Our goal ultimately is to kind of keep on nudging, nudging through SLAs. So somebody can actually remove the access. Until such point in time that access is removed, you have not done your job. And that's where it goes to kind of take that last mile: help leaders and owners and stakeholders and risk managers and teams understand the risk, agree on the risk, and then have delivered plans to fix these problems. So the measurement of what our product does is, how many of these tickets have we solved, have actually removed the access? Is it growing? Is it shrinking? How has it happened over the last, you know, whatever; what is the trending? So when they see the trend lines coming down, they see value in the product, that we're able to now, you know, take a fairly chaotic environment of unbounded access and bring it down to a manageable sort of set of issues and risks, and be able to provide continuous visibility and operational fidelity around this. So that's what customers measure, right? And do it in a very automated fashion, which means they're not repurposing their teams to go do this, you know; co-pilot takes it further automatically.

You talked about those nudges and I, and I see this as well, sort of in the real world, is people are always hesitant to take away access because they're not sure what it does. It's going to break something.
And so they just kind of leave it, I guess. You know, is that fair, where we're at today, where people just don't know what their human and sometimes non-human accounts are doing? And so that, that hesitancy is real. How do you take something like that and say, okay, well, here's a better way to do it? Maybe there's more context around what this account does, or the continuous evaluation, right, of what the access is doing, and shrinking attack surfaces and things like that. Can you talk a little bit about why you see those nudges being needed still, and then how does that reduce the attack surface once you get through the nudge factor?

Yeah, most of them, for example, you know, when you're trying to remove access, you don't have the full context, right? Because the removal of that access could impact other downstream applications, legitimate reasons, right, where users could be disabled and not get access to the system. So the worry is, am I going
to break something down the line? So the first thing you do is give you the complete picture. If you remove this access, this is going to be the impact, right? Of all these systems, we build that map and we show that graph. So we build trust in our data itself, number one. So the first thing is to have confidence: hey, nobody's used this access in the last 90 days. Okay. And you know, this access is very risky. It's got a high degree of impact. You know, I think of some of the breaches that have happened over the last, you know, massive breaches, right, you know, you've seen it time and again, and you've got to take action on it. And so that's one example, to kind of give visibility. The second area we have helped customers is, look, even if I have to remove the access, you know, some people call it the scream test, right? You take access away and somebody screams: Oh my God, I need access. Okay. If you scream, you need to do the scream test. You go out to a URL and you request access again. You'll get access restored immediately. So we remove the issue of, you know, we remove the issue of, you know, if customers do need access, you know, and we've taken it off for some reason, you can now give them access back, but now it's more just-in-time because you're only using it once in 90 days. So we're able to kind of bring in, bring this process together to kind of institutionalize a behavioral change. It's a behavioral change. And behaviors won't change overnight. It needs data. It needs impact to downstream applications. And what happens if I do make a mistake, and I restore that access quickly; that's the third point. All three things are part of our platform. So customers are comfortable. Hey, even if I remove the access, you're going to scream at me, go to the screen or request access within 30 seconds, we'll reprovision the access. But now we can give you a limited, time-based access, right? Now I've culturally removed the access and also kind of given you more of a time-based approach. So I've made, you know, great progress in the behavior and sentiments around these problems. So those are a couple of areas where customers really like this. And again, all of this is automated. So there's no kind of back and forth around this, to remove the human toil. And that's a big issue. Now these things are more complex in the machine identity days, right? And there's nobody to tap in to verify access. You know, so we see a lot of cases, for example, when people are using machine identities and abusing them, human users, and vice versa. So we kind of have all these environments where, look, where there's a risk of access or an abuse of access, where things are sort of awry, we kind of bring it back. But at the end of the day, we take a lot of pride in operationally making sure customers are able to manage this entire problem within their culture, within their workflows, within their environments. Only then do we see, you know, big adoption happening in our customers.

So you mentioned, we've been talking an awful lot about the cloud. I think, early on, you mentioned that there were also some capabilities around on-prem systems like Active Directory and databases. Are there differences in how that integration works? Is it relatively the same?
Talk a little bit about sort of like the divide between cloud and then maybe on-prem resources. Yeah, I think mostly for cloud being such a modern platform, it's all API based. So most of the times we have very good APIs to integrate. So you don't have to have agents deployed on any systems. We can just use APIs, use the cloud control plane to look at the data. When
it's really on-prem, then there's no, you know, native cloud, there's no cloud native way to kind of talk to the resources, right? We need some sort of a connector or an agent that you deploy on the premises itself, which acts like a
broker, right, to kind of look at this. So, so, you know, so those are the ways that I think, you know, for on-prem environments, we do need some agents deployed, but that's really a consequence of where the technology is. At the end of the day, it's all about the universal visibility, right? The single layer that aggregates
all the information together at a single place. And so we kind of build this abstraction where whether it's cloud, whether it's on-prem, whether it's hybrid, whether it's cloud native or, you know, customer managed, doesn't really matter. Go get identities wherever they are. And so our job is to go pick up these identities
and give, you know, give this focus. I'm also going to address one other issue, right, in terms of, I think, I think Jim brought this up early on around this access issue and we talk about stacks of identities and stacks of access, right? Now, stacks of access was always a problem given the
complexity. Now with the stacks of identities coming in, you know, all these platforms in the cloud, enterprise, in database or whatnot, many cases, for example, right, a user has multiple accounts. You might have five, six, seven accounts in your system and they cross cloud platforms and on-prem. And the idea that everything is going to be on a single identity or a single IAM is
almost impossible. That's the end of the station. For the last 20 years, we built a system with the premise that I can manage Jim's out of any one single place. And that promise is gone. So now we're living in a world where you're going to have multiple identities,
multiple personas, and multiple access. So for example, if you were to log in to a system and you've, you've, you've failed your passwords three times, today, what is the typical response for a company? They would automatically reset a password, good practice, and they would do an
out-of-band MFA challenge, again, good practice. But nobody was going to look at whether or not these three password failures were really Jim forgetting the password or an illegitimate attempt by an attacker trying to pwn Jim's account or do an account takeover. Because the fourth signal doesn't happen right away. So you have a process that's
dear to password users when you move on. As a co-pilot, we watch you go at these things, say, what happened? Wait a minute, there's now a fifth attempt that happened two days later. They put the three together, two together. Wait a minute, this is now early patterns of a ransomware attack on a particular account. So these are the things we're doing is really, you know, this is difficult for humans to figure out. They,
they're not going to watch every event every time. So this automation that we've built helps us understand what are really legitimate access patterns, what are illegitimate and unauthorized, which are going to indicate attacks and whatnot. So I just want to kind of add a bit of color as well as to what we do really at a product
platform level. You know, it's just what I wanted to say there, Venkat, was early on with what you just said, you talked about, well, you know, primarily the, the on-prem infrastructure doesn't have all the connectors. I know if I was building a product right now, I'd focus on the cloud because my perspective is you've already seen cloud take a
big bite out of on-prem infrastructure. And I think that five years down the road, 10 years down the road, I mean, it's going to be smaller and smaller. It's just like the same progression we saw with mainframes. I'm not saying that I think it'll ever go away. Mainframes are still around. They'll probably still be around when I retire, but you know, it's becoming a less significant piece over time.
So that was where I would focus. But I think there's another thing at play here, which is that the cloud environments were built in a way that tools like Stack Identity have what they need in order to do the type of analysis, right? You need to know what the accounts are, what access they have, but then you also need to know what
access they're actually using, right? Because it's the bumping up of those two things to say, hey, here's all this access this account has, that's not in use. Why is that important? So to me, and I'm hoping you can either validate or correct me, but why is that important? Okay, so this account has these seven roles that it's not using. Who cares? Well,
it's about attack surface, right? It's about, hey, if I have an account out there that's over-provisioned with entitlements and somebody gets control of that account, now they have all those entitlements. Even though those entitlements haven't been getting used, well, now they just open up a whole new door. Now that account could be taken over regardless, right? That's a totally separate control. But
do you want that account to be least privileged? Or do you want it to have least privilege plus who knows how many additional privileges? So am I, and like I said, the cloud environment, the cloud platforms have the pieces and parts to make
that determination. If it was, if the on-prem environment had all those things, this would have been getting done 10, 15 years ago because the problem existed then, and people wanted to solve it then, but they just, they didn't have visibility to where all the accounts were being used. And we had SIEM and we tried to pull all this information together, but everyone knew it wasn't
complete. So if you just started taking access away, that's that part that you started off the conversation with is like, that's scary. You start taking away roles just because you think they're not being used, but they actually are being used problem, right? But in the cloud environment, you have a higher level of confidence, maybe 100% confidence that that role is actually not being used. Yeah, absolutely. And
that's it. You put the nail on the head. You know, if you look at the pattern of ransomware attacks, you know, the big one or another health group and all those, it's all the same pattern, a compromised identity. And then that's not enough. You need privileges and permissions to elevate yourself and laterally move across the organization. It's all about lateral movement, right? What enables lateral movement? It's
access and privileges. So if you can cut off these
links by removing access, right? And, and, you know, then you can, you can limit the damage, you can contain the, the attack, you know, and so, so understanding how adversaries can move within the enterprise, how can they flow and what actions they can use to get from A to B to C to D to go to the target, that's crucial, which means that in cloud, even in regular environments, we need to
look at not just the provisioned access, but how is Jim using this access or a service consuming this access? That means you got to look at, for example, what's happening over a period of time? And the time could be in a 90 days, for example, or 120 days. Okay. What's happening with this time boundary? Now, the user, if it regularly, if there's a regular role, you'll be using this account to, you know, to
do things, right? There'll be some activity on this account. There'll be some actions on the target resource. There could be some, you know, some behaviors. But if none of them are present, then the problem is you just have unnecessary access. So the access or attack surface is really a byproduct of you, if you're not using the access, you got to give up the access. That
should be the very simple process. If you're not using the access, you should just give up the access automatically. Now, today, we don't have these tools for doing some cloud is very easy, right? But you also need two data points. One is, what's your access and are you using it? So we automate that, that the time based analysis that we can easily give you without any false positive, right? We
clearly really you're not using this access. There's proof. And so you don't need access. Okay. So I'm going to remove the access. Let's say Jim says, you know, I'm going to use it once in 90 days, because it's a quarterly report, great. Then I'm going to give you a just in time access or one
time access, you can just use it. So the number of ways we can look at data, and we can analyze activities and behaviors and actions to then compare with your intended goal of giving access and to solve this problem. In cloud, by the way, many cases because of automation, nobody even knows why an access was granted. Let me show our dashboard on our product. The first thing customers ask us is, I don't know why
this happened. It's a very common refrain. I don't know why this access was given, which means there was no way for them to contemplate why somebody would give an access. Maybe it's an emergency access and it just stayed permanent. So there are a lot of scenarios where at the end of the day, it's about are you using the access yourself for what purpose? You
search behavior is going to be important for us. And I figure them along in a window, then we remove all the false positives, we remove all the problems, you remove access within 30 days, that's not a good practice. You might still need the access, but they will be for us to use automation and to provide the visibility and show evidence and compare with their policies to remove the
attack surface. And those are the things I think we can get tremendous ROI. You can do this because these are all early signals that we're going to stop. By the way, every leader in
the identity practice agrees with this. There's a survey done by one of the security groups, one of the top identity groups, and 96% of the identity leaders surveyed said they could have stopped an attack, they could have stopped an attack and they had signals available to them. They didn't say, wait a minute,
this was a complex zero day, nothing about it. So 96% are saying, look, in retrospect, had they had the data evidence, I could have prevented this. So that's a great, great opportunity for us startups to go look at, let's solve the problem and get the last mile out, remove the access somehow, and then all of a sudden, right? That's why you're seeing this
broad movement to more just in time. And don't even get into the problem of managing access. If you need access anytime you have access, you know, just come in, make a request, you get access anymore one. Anyways. No, no, it's a great point. And I think so we've talked a lot about risk. And I'm wondering, I want to get your perspective on what is the biggest risk that CSOs face? Because to me, here's what it is. It's
not the, it's not the mechanics of all this. It's the ability to identify the risks, communicate the risks, and assign the risks to somebody other than me. And that look, I'm not just trying to be Teflon Don here. But reality is, is either it's something I need to fix. And I probably need some money to fix it. Now, if I have everything I need, that I can go fix it, then I have nothing to
worry about. It's completely within my control to go ahead and fix it. But a lot of times, these risks that pop up are things that other people need to do. Or I need additional investment. And so I need to be able to identify those risks, communicate those risks. And then if I am fulfilled with what I need, then I need to be able to go and
remediate those risks. But I'm wondering, maybe you give a more insightful response on what is the biggest risk that CSOs face? I think if you look at all the ransomware attacks, you know, all these customers have a tremendous amount of products, great technologies, right? And they got 30, 40 plus tools. Yet these things happen, right? Time and again, it happens. You know, it happens to great companies. But there's something
fundamentally flawed here. That is, how do we understand what the biggest risk is? And in our view, the biggest risk is access. Access that could have been prevented or revoked. And if you can have a truly, you know, you know, we're not saying that's going to be stopping all the attacks. But I think what we are saying is that that's going to be a number one priority in terms of investments going
forward. Because at the end of the day, an attacker or adversary needs access to let me move and get to where they want to go. So by the way, every CSO will agree with this. There's no dispute about this. Challenges, you know, I have my on-prem projects. I got my IGAs going. I got this and that going, got PAM going. I'm looking at PAM for this. I'm looking at X, Y for this.
So we are saying at the end of the day, the environment is changing dramatically, you know, and so it's time to relook at these priorities. I mean, people are spending a lot of money on identity projects today, even today. It's one of the largest investment categories in the budget. However,
this notion of risk is what is a new phenomenon. I mean, even analysts and Gartner talk about this all the time, like more and more continuous controls, risk-based controls. So we are seeing this big change happening. At the end of the day, you've got to look at what the risk is, speak about the risk. But you cannot speak about the risk if you don't have visibility into what's happening. You don't know how to explain
why something is happening. So with our, you know, with our, you know, with our automation and our approach to providing an easy way to go look at this, everything in concert, our job is to provide evidence of the risk and help the CISO communicate the risk to the
stakeholders and to take action. So that is the approach where we feel like, you know, you know, that, you know, people cannot wait for this, you know, process that they put in place 20 years ago, right? We have this quarterly audit process. But it was actually done for the age of Sarbanes-Oxley and compliance, still required. But now the landscape has
changed automatically. It's cloud first, data first, API first, we live in. Speed is not security's best friend. And so at the end of the day, attackers know this, they
have these weaknesses. So our job is what if I can come back and tell you within one hour, your exposures, your exploiting, your bare pathways, which are going to be exposed, your policy gaps, your blind spots, your risky accounts and help you fix it through automation, I can generate code and do
this. And now you can start to not put this and say, wait a minute, I'm going to use this product to figure out where do I need to product as my investments in even ordinary in access management, where do I invest in it? Rather than going off and building a product, look at the process. The world has changed now. So do I have the right visibility into looking at overall risks? Can I communicate these risks
to my peers and to the board? Now based on the risks, can I not focus on actions in these areas, particularly on access and whatnot that I can help you with? So this starts a different paradigm. I think Jim, we're focused on is that we're seeing the market go towards that. Is that, you know, just look, you know, attackers are not waiting for your quarterly audit reports. They're
finding a gap and zoom they're going in. And so we're seeing that they're ready for us to close the gap, give board-level assurance and more confidence and data and help CISOs broker this conversation. They're not, they cannot do it alone. They're going to talk to their colleagues, agree on what the risk is, agree on risk types, agree on how they can remediate, time to
remediate. And these are all operational things that we can go from findings to the operations. That's the area where we feel like we can really help optimize investments and get on this treadmill of getting this more continuous, continuous access management, continuous verification, continuous detection, continuous tuning of policies. These are the areas we believe we can, we can, we can help customers get to the
95% quickly and manage those risks. So I think you made a lot of good points there. It's kind of like I want to rewind, one of the security architectural principles is like this layers of security, defense in depth, but it's the idea that you try to stop the hacker here, you try to stop the hacker here, you just keep going and adding layers of
security. It's almost like you hear this paradigm all the time, which is if you haven't been breached, that just means you don't know you've been breached, or it's not a matter of if, but when. And the idea is that, I mean, you still look at like what's the most common pattern that attackers use. It's phishing, social engineering, right? These things have literally been around for more than 20
years. And they're still the top two ways that people get access. So you almost can look at your accounts, say they're going to be breached, someone's going to be able to get access to them. The question is what can they do when they get to access? So that's that paradigm of least privilege access and why it's so important. So I think you've made an excellent case here today for what you're doing with
Stack Identity. And what I'd like to know is if our listeners are interested in playing or, you know, getting more hands on with Stack Identity, what's available to them? Yeah, we have a very easy way to assess the current risks using our Shadow Access Risk Assessment tool, they call it SARA. So you plug it in, you
connect your accounts, you connect your IDPs. And again, within an hour, you get a report that shows you all the code of code access for all issues you have, right? And then you start the cleanup process, you know, cleaning up our units and access is
an important thing. Because the environments have grown so widely now, you know, on-prem and cloud and whatnot, that singular dashboard and singular view of single pane of glass, the command and control of all the risks that you have currently in your environment, having a quick view of that is a starting
point. Now you look at these risks and you look at what do we do about attacks, like I started to dig into this and figure out where you need to, where are you exposed, what are the critical systems, your crown jewels, whether it's third party, all those things. But it starts with where am I today? What is the where am I exposed? Tell me that, that view. Let me start with that, that
assessment view. We call it shadow access risk assessment. Generally speaking, all these problems are really, you know, a gap in access, that shouldn't be there in the first place, we call it shadow access, kind of like shadow IT as a term. So you start with the shadow access, you know, discovery
and assessment tool. Then that gives you the foundation to clean up all the identities, tighten up all the weak identities, make them strong, look at all the over-permissioned access, start to reduce your attack surface, you can start to put an action in place based on the data. So initial thing is data gathering, data visibility, and you know, a report that gives you a way to kind of action that, starting your program. And
again, it takes about an hour. So it's not that we can effort together, but it gives you enormous value add. I go back to look at the example the day before any breach, imagine if you had a report of all these exposures, and imagine tomorrow you're going to be breached, you will run fast to fix those things. So you'll drop everything and then go fix it, right?
Imagine it's always a small thing, you know, an S3 bucket or a startup chart permission, or some lateral movement permission. Hey, I never thought nobody's going to use it. Oops, yeah, somebody used it. So it's all these small, small things that is very difficult to spot. And it's lying around, you know, creating these pathways. Let's just blow them off, you
know, in a systematic fashion. So yeah, the shadow access assessment is some sort of a starting point. And customers can use it, it's free of charge, and they get immediate visibility, and get to see what we can do. And that gives confidence then. And then, and then from there, we can start to starburst, and then many different ways for them to cannot
take workflows and take action. Yeah, I think that it's really great that you've made that available as a free resource to our listeners. Just so folks know, the URL stackidentity.com/IDAC is where you can go to get right there and get that thing downloaded. Wanted to ask you one more question, Venkat, I know you guys are going to be at RSA. Sounds like you have a booth. What's going on at RSA? What's
your presence there? A great, great plan at RSA. Being super busy with this. First time here at RSA, so super excited to be there as well. So we have a number of demos planned, customer sessions and meetings. So please stop by our booth. And we'll be running demos, Ian is going to be there. So we have a lot of great team at RSA. So super excited about this.
Again, at the end of the day, what we are trying to look at is how do we give customers time back? How do we give the customers capacity back? Those are the two things customers don't have. Already having a lot of projects. And again, this is again, a complex problem. Let's make their jobs a bit easier and get them the help they need. And every CISO I talk to knows this problem. They feel in their hearts, they
got to do something about it. But they're constrained by ongoing projects, this and that. But so we are coming in and saying, wait a minute, let's give you the unified layer, the visibility layer. Just talk to look at taking some control back. And for CISOs, in particular cloud has gone to sprawl. I mean, they're going to pull, rein this back and put some policies
around it. So we think with our automation and our data platform, we can really help customers get quick time to value. That's our main focus with demos. This is RSA. We also want our one session for the customers at RSA. So please TSM, if you want to show a demo or discuss more, we have a great team at hand to support your doors customers at RSA. Yeah. So Ian Singh on the spot again, he's given us
specific location where to find you. It's booth N6564. It's in the North Expo hall. So RSA is huge, right? There's a North and I think it's South Expo hall and there's the tunnel in between where everybody has collected all their swag and they had their bags sort of wind up there. So definitely go check it out. You know, I think this is an area where you kind of mentioned this, Venkat. It's like, you know, it's a
problem. What are you going to do about it? There are solutions out there. Stack Identity is one of them. You know, you can't claim that they're, you know, you don't have the right tools or the arrows in your quiver right to solve this issue. So I would definitely encourage folks go to stackidentity.com/IDAC. There's a link on there for SARA, which is that shadow access
risk assessment. I think you also do office hours, Venkat. If I remember, there's like a link where you actually people can book time and yeah, absolutely. I mean, for example, we are getting a lot of inquiries on the new SEC, it's coming with new rules for disclosures. Now you cannot just be silent about a disclosure incident. You got to report it within five days and then you got to report your 8-K filing.
So a lot of pressure is being put on leaders to kind of report incidents and to kind of drive these practices. So let's help you stay ahead of these disclosures and reports. Nobody wants to put their hand up and say, I got a problem, and invite more scrutiny. So yeah, definitely office hours is the way to kind of, you know, you know, bring in our knowledge, you know, any topic you can
bring in and sort of time with us. And again, one of the good things about being a startup is, you know, we have extremely knowledgeable people that have been on the block a number of years, you know, built first generation products, second generation, now third generation. So they can help customers to kind of get to where
they want to go. And that's a unique value beyond just the technology and platform that sort of brings in a huge amount of knowledge and approach and practicality to solve very, very thorny issues and then some deep technologies. So we're going to wrap it up there, but we were talking before we hit record that you play competitive tennis.
So I'm always curious about sort of rituals or superstitions or things that people do before they get into any sort of sporting event, you know, where they're competing. Do you have something like that that helps you kind of get into the zone and mentally prepare or be physically prepared for what's about to happen?
Yeah, absolutely. I think, I think most tennis people, I would say they are, you know, and for me, for example, certainly, you know, warm up is an important aspect of ritual, at least 30 minutes, a mental cadence of how you're going to play out, doing some, you know, some, you know, very specific targeted drills for the particular opponent in case. And most importantly, kind of managing my emotions,
because tennis is a very one on one sport. So me, one of the things I do really well is the alternate nostril breathing, which helps me calm down a bit, about five minutes, just kind of reset my mind a bit. And it's just in the next 60 minutes is what a match. Because as you know, we're getting a lot of messages and some
bad emails, all those things. So at least being in a place where you can kind of free your mind, be calm, you know, you know, stable, you know, focus on the likelihood and enjoy. So there are a few things that I definitely go through. And, and that's one of the things I look forward to is the rituals as well. Sometimes we can't control the outcomes, but we certainly can control the rituals. I
love that reminder to enjoy, right? It's supposed to be fun, right? I mean, competition is competition. But if you're, you know, playing a, you know, tennis or basketball, or baseball, or football, whatever version of football that you that you like, right, you had this idea of like, this is still supposed to be a game. It's supposed to have fun with
it. Jim, when it comes to yourself, do you have any, you know, rituals or things that you go through for if you're about to engage in something? And maybe it's not even a sport, maybe it's just getting in front of a crowd and talking. We're doing a podcast. No, it's definitely that. And it's also whatever sport, you know, it's kind of become an unconscious thing.
And I think if you start to incorporate those throughout your life, it'll happen unconsciously, which is to visualize yourself doing the activity in a successful way. And you hear about it in almost every sport where some people will play the entire match or the entire game before they go out and play it. And they do it very successfully. So I mean, my fitness has really become going to the
gym and everything. And it's much more like a very solitary sport. You're completely in control of your results. Nobody else, you're not against somebody else. So a lot of times, like before I go and do a set of weightlifting, I'll visualize that set. And I don't, like I said, I don't even do it consciously anymore. I just kind of wind up doing it. And I think what you said for public speaking, that's one
of the things I do. I'd like sit there and visualize myself presenting. And the more I do that, I find the better results I get. What about you, Jeff? I know I'm probably a blend here of what Venkat said in yourself. I subscribe to the Littlefinger School of Thought, which is fight every battle everywhere all at once. You'll never be surprised. So to me, that's about
preparation. So, you know, for example, the podcast, you know, I have meticulous detail that I put into this to try to solve or anticipate every single issue that can pop up. Now, there's always something in the pops up, right? But it's kind of like, okay, let me visualize how this is going to work or, you know, in this case, listen to how this might work or whatever it looks like.
And, you know, if I'm playing, you know, basketball or something like that, sure, research might point it, you know, do they tend to break left, break right? Do they prefer a fadeaway jumper versus a hookshot versus do they do a euro step and want to cross you up, right? Things like that. I think there's, there's intelligence that you can gather and is part of the reconnaissance. I say, okay, what am I, what
opponent am I facing? Now I sort of know what to expect. Now, how am I going to counter
that? Okay. Whether it's basketball, you know, speaking in front of a crowd or doing a podcast, okay, well, I know that, you know, I want to have good lighting because the camera is going to be on or I want to have a good microphone because, you know, this is going to happen or I want to have my notes prepared because we're going to have somebody really, really smart like Venkat on it. I
don't want to look like an idiot, right? Things like that. So I, again, it goes back to that Littlefinger thought from Game of Thrones, preparation, you know, visualize, prepare for every potential outcome and you can't, it's more difficult to be surprised. So if you're playing basketball against Kareem Abdul-Jabbar, you know, he has a killer skyhook. Yep. What are you going to do?
Punch him in his knee? No, I mean, well, there's obviously quite a high advantage there that he would have over me, but you know, he would, he had the skyhook and you know, it was almost unblockable for people in the NBA. I mean, it was, it was really down to his execution and anything you can, you can put in front of him to disrupt either the timing or the execution
was the important part. He was going to be able to get over you. That's a good point, Jim. This is broader risk management, right? You give Kareem his points, but you stop the others, right? You still win the game. That's a good point. You hear that in sports a lot. Don't let the superstar be the one that beats you. Take the superstar out of the
game and let, let the rest of the team beat you. And if that happens, that happens, but it's a strategy. Exactly. That's a good spot. We'll leave it for this week. If you want to learn more about Stack Identity, you can find them on the web,
stackidentity.com/IDAC. It's a nice little landing page where you've got a bunch of different links to talk about everything or go to everything that we talked about, including SARA, the shadow assist, a shadow access risk assessment, Venkat's office hours and just getting more information. And of course you guys will be at RSA again, the North Expo Hall booth N6564. And
you can always connect with Venkat on LinkedIn. We'll have a bunch of links in our show notes as well. So make it easy for people to find and they'll also be on our website. And then of course you could always reach out to Jim and I. We're all, we're both on LinkedIn. We're always curious to see what people think if they have ideas or, you know, direction on how they'd like to see things go in the future. That's
something we're always open to. So don't forget to visit us on the web, IDACpodcast.com. Check out our still growing YouTube channel. And the link to that will be on our website as well. So with that, we'll leave it. Thanks everyone for listening. Venkat, thank you so much for taking the time with us today. And we'll talk with everyone in the next one. Thank you, Jeff. Thank you, Jim. You've
been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review. And we'll be back soon. But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.
