
#289 - DevOps Insights at Texas A&M University with Adam Mikeal

Jun 10, 2024 · 1 hr 5 min · Ep. 289

Episode description

In this episode of the Identity at the Center podcast, hosts Jeff and Jim return from Identiverse 2024 and share their experiences from the conference held in Las Vegas. They discuss notable moments, including unique conference swag and memorable interactions. Special guest Adam Mikeal, CISO and adjunct professor at Texas A&M University, joins the conversation to discuss the evolution of identity management to identity security at the university. Adam delves into the complexities of managing identity in a higher education environment and shares insights on implementing DevOps practices. The episode covers topics like AI's impact on teaching, infrastructure as code, ROI of identity security projects, and the challenges and benefits of centralizing IT services.

Connect with Adam: https://www.linkedin.com/in/amikeal/

The Phoenix Project (book): https://www.amazon.com/Phoenix-Project-DevOps-Helping-Business/dp/0988262592

Attending Identity Week in Europe, America, or Asia? Use our discount code IDAC30 for 30% off your registration fee! Learn more at:

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter.

🔑 Episode Keywords

Higher Education, Identity Security, DevOps, IAM, Identity Management, Identity Governance, Zero Trust, Texas A&M University, Identity Infrastructure, Digital Identity, Cybersecurity, Cloud Technology, Commercial Identity Systems, Identity Authentication, Federated Identity, Identity Lifecycle, Identity Verification, Identity APIs, Identity And Access Management, Identity Solutions

Transcript

Well, I definitely think higher ed tends to be more one of the more complex use cases out there from an identity standpoint. I, I think we've probably talked about this in the past and yeah, not a lot of people I think are aware of of that and all the hats you're wearing, right? Think like a baseball cap. It's like, OK, I'm in this role. You've got like a baseball cap that has like 5-6 different bills. Yeah, you're like twisting it around. I went. And they're all on at the same

time, right? You don't swap them out. They're literally there all the time, right? Yeah. This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you?

Not so bad yourself. Great man, just getting back from Identiverse 2024 Las Vegas since our first episode since we're back and I figured I could make it seven days. I was exhausted by the end. How about you? I was good actually. I mean, I was tired when I got back, but I don't know, I enjoy that kind of stuff. So had a lot of good conversations with people, got to catch up with folks, lots of good meals. So I'm a I'm a fan of Vegas just for that sort of thing.

And then Friday night got to hang out with my brother for a couple of that and went to Area 15, which was a very cool, I don't know how to describe it, kind of like a weird experience type place. Yeah, things to. Do yeah, it was fun. So I decided what I'd like to do today. Well, shout outs I wanted to make because we didn't make them last. I didn't get to make them last week. So see all this stuff on LinkedIn, right?

There's the identity beer and there's the author of beer, and this is from Sebastian and Roland from Umbrella Associates in Germany. I'm not sure what I'm say, what event I'm saving it for, but there's a good German beer here. I'm assuming it's good, and I'm really happy about that. Another shout out to the folks at Sabian and our friends there, Jamie and Henrique in particular. But why am I shouting them out? They had the best conference swag I've ever seen in my entire career.

Look at these three shoes. These are Vans sneakers, you know. Hey, Enrique talked about him a little bit. But man, these are they're around like $3 shoes or something. These are ones like you would buy in the store. Other than the fact that they have the logo on it. What a cool swag. Swag. You're wearing their logo though, if you're if you're in their shoes. So yeah, it was a very cool thing. Henrika talked about it.

I thought it was very clever. I think, you know, getting a customer of yours to also use their product as part of your swag. That's that's pretty genius play. I always talk about swag at conferences generally sucks, but that was a good one. I'll give a shout out to the tallest booth.

I thought they had the best demo environment or experience, I should say, that I've seen from a vendor in a while kind of telling that story of enrollment and purchasing like a ticket and then, you know, getting access to a gated sort of event type thing, right? You went through it. I thought that was a pretty cool idea. You're kind of stuck. Through a soccer stadium, yeah.

Very interactive you could feel like you're in like a real world use case and then at the end you have a cool pair of socks, which I know that's not your thing, but I like it. I also wanted to shout out RSM. I mean, they sent us there. They they'll, you know, a week in Vegas, you're exhausted and broke. And I don't believe a gamble, man. But that place is expensive. So, you know, for them to be able to sponsor us to be there, I thought was awesome. So I wouldn't be able to shout

that out. I also wanted to shout out somebody named Jeff Steadman, who took five episodes that we've recorded there and they're all dropping, I guess by the time this drops all dropped last week. So kudos to. You. Yeah, kudos to me. It was a challenge. I was working through some audio challenges, so, you know, probably not our best sounding material, but I think it came across decently enough. I think lesson learned.

We added video for this time. So all these things are on YouTube, so the content was great. Lessons learned for the next time. I've got some ideas on how to kind of improve the audio quality and the video quality. But yeah, it was a very interesting weekend and last couple days getting things kind of set up and I think I have officially run out of storage on multiple drives and recording 4K video takes up a lot of space.

It really does. Yeah. A lot of extra, a lot of extra work, too, just to get the room set up versus just doing audio. Yeah, I saved my last shout out to the people who were really doing the work. When folks like you and I are off, like having these conversations with really smart people and all the folks who got to go to the conferences because there's folks back home doing the real work. The IAM practitioners of the world, you know, you often refer to them.

And I love it by I still concern that IAM heroes who are running around getting things done, getting the job done, often times with too little budget, too few resources and tools that really can't get the job done. So shout out to them. You know, hopefully they're able to at least carve out a little bit of time to listen to podcasts each week because we do this for them. Yeah, you sound like you're campaigning there for like the mayor of IAM Town or something like that. So vote for Jim.

There you go. I'll give a shout out to Andy Handel and the CyberRisk Alliance, definitely, you know, appreciate them hooking us up with places to record and just for, you know, being so welcoming for us to come out there. So I think we've got a lot of thank yous. I'm sure, you know, we'll have missed somebody in the mix, but especially everyone who came up and said hello and introduced themselves and, you know, our listeners. I thought that was very cool.

We, we continued to grow. It was just like more and more and more. There was one point where I was in the hallway probably for two or three hours just talking to people who were randomly stopping and saying hello. And it was, it was good temps. It was very cool. Yeah, and we were like a 5 minute walk from our recording room back to our hotel room, but you could count on it taking like 1/2 an hour to get there. Yeah, it was cool though. I enjoyed it. I do too, yeah.

What else? So that was Identiverse. Now we're back to normal, relatively speaking, at least what's normal for us. We've got another conference coming up in just a few months at this point, and it'll be Identity Week America. That's the one that we'll be at. But there are a few different Identity Weeks taking place.

I think as we're recording this right now, which is what is today, I don't even know the date, June 4th, the Identity Week Europe is starting right now 'cause that's actually no, it's next week, June 11th and 12th now that I think about it. So by the time people listen to this, it will be starting as you're kind of listening to this. The one in America is the one that you and I will be at. That's September 11th and 12th. And then there's one in Singapore, October 22nd, 23rd.

IDAC30 gets you 30% off of your registration for any of those. If you're listening to this and you're planning on going to Europe, probably want to use that code 'cause you're playing probably the the short notice. All right. But feel free to use that code anywhere in the world. We'll have a link in our show notes so people can check that out as well. What other business do you want to take care of, Jim, before we get things started? Well. We don't have our discount code

for Authenticate yet, right? That should be coming along anytime soon, and I think we jump right into it. Yeah, why don't we do it? We've got a repeat guest. He's been with us before, Adam Mikeal. He's the chief information security officer and adjunct professor at Texas A&M University. Welcome back to the show, Adam. Thank you very much for having me. Good to be here. So Adam, I noticed that there is a new CISO title as part of your

introduction. How much credit do you give the identity at the Center podcast for obtaining that since since the last time you were on our show? Well, I think clearly that was the deciding factor for my institution. They they saw I was a guest and they said gotta have this. Guy, right? I mean, it's worth its weight in gold now. Yeah. What's been new with you since the last time we chatted? I think that, you know, there's a lot of things probably going on in flight.

You're you're teaching. I think we're going to get into a little of a conversation around like DevOps and probably some AI and things like that. But give us an update. What's what's Adam been up to? Well, so I think last time we talked we focused mainly on what I had been doing. My role at the time was managing identity security and we had taken over the identity management office from at, at our institution. Historically it had been part of

the infrastructure team. And we've kind of gone through this transition where we're stopped. We're not really referring to identity as identity management. We're talking about identity security and we focused those efforts on the security related platforms and tools that we provide to others across the institution. The, the management part of identity, right? Like adding people to groups and does this person belong here or not? Should they have access to this

thing or not? That's not really what my team does. So in the office of the CISO, we've tried to shift the focus to identity as a security function. You know, like many universities and anyone who has a federal partnership, we are dealing with the federal zero trust mandate. I, I mean, it's a good idea, right? So this idea of zero trust, I, I describe it as try to avoid the, the buzzword. But you know, zero trust to us just means we have less baked in

implicit access. And everywhere we can we try to explicitly define access. So we apply these ideas across a lot of different domains, networking, data, device security. But when you move to a zero trust world, there's a a very real aspect to which identity becomes your new boundary, right? Because if you're talking about no implicit access, you explicitly grant access whenever appropriate. You have to know the identity of the person or the thing that

you're dealing with. And so identity has become very much a security focused effort for us here at Texas A&M. Yeah, I kind of feel like from a university perspective, zero trust has kind of always been a thing. Right Before you were calling it zero trust, you just you're putting your services on the network that are accessible by so many people, in some cases maybe everybody in the world.

So when you do that, really identity becomes not only your center, but it becomes your perimeter as well. That's exactly right. You know, historically here at Texas A&M, we've had a very flat network. So like our campus network was very open. Once you were on it, you had access to a lot of things. Similarly for identity, for SSO, you know, we've had a, a centralized identity function and but once you have authenticated, oh, I'm me and I'm, this is my net ID.

There are many, many applications on campus that basically say as far as they go to check access, it's just do they have a net ID, is it valid, is it current? And then OK, I'll just give you access now. So we're trying to move away from that perspective to look just because someone has validated their identity, that's stage one. Now we know who they are, but we need an explicit grant of access before you give them access to

this device or this data. Yeah, I mean the, the way you framed it up digital security or I'm sorry, identity security versus identity and access management is more than just marketing, right. You, you're kind of living it. I also see and hear that a lot like we're at the Identiverse conference last week and we're the identity security company and I chose to prove the question like this.

So if you're a CISO or an IAM program manager out in the world and you're thinking about making this switch to saying I'm an identity security group for my organization, what kind of like makes you make that shift? What are the things that have to be behind that to make it real and not just marketing buzz? Right. So I, I think that it, it is important to distinguish, you know, is it real or is it marketing? I think it is there is a real

marketing aspect, right? So marketing in the truest sense of why did why is it important to name things? You know, there's an old joke about, you know, one of the only hard things in computer science is naming things, right? And it's true, right? I mean, we can look at Microsoft in there. They put Copilot on everything, right? And we we gripe about the fact that it's hard to talk about their products and what they're trying to do in this space because of the names they pick.

So the name is a signal to the rest of the organization about what you think about the activity you're doing. So when I renamed from identity management office to Identity Security, part of what we were doing was signalling to my security team and the other security practitioners within IT security and risk. And then we were signalling to the rest of our technology services organization. This is the important thing we care about, right?

The, the focus needs to be on the security aspects of identity and identity has a security role to play. And then we're of course, signaling to the rest of the institution, to the university itself, although that's probably the less important signal because our users just simply, you know, they, they don't really see those subtleties. They're just, OK, I need to set my password, I need to deal with

my net ID, right? Their their branded organizational ID, So we deal with them at at the level that they understand. But I do think that that signal that we send to our peers and to other IT pros that's important. And So what I would argue is, you know, if you want to call that marketing, OK, but I think that that's that's marketing that has a purpose and has reality behind it. Well, we shouldn't use marketing here as a, you know, a as a term

of in a negative context, right? You should be marketing like here are the things that we do, here's the benefits we provide, etcetera. And I guess that's sort of what you mean. My next, my next question here for you would be so you're, you're a CISO now and you talked about identity security. Do you have a list of services that you provide for identity security to the organization? Are there is that something in flight? I mean, obviously it's always going to be something that's

kind of building out. But when you say identity security, you know, what exactly do you provide as a service or you provide guidance, those sorts of things? Right. Yeah, No, absolutely. We, we certainly have a portfolio of products and services that we offer in our our service catalog, if you will. It is in flight. We're still building it out. We are trying to focus our efforts on things where we're going to be able to have the ability to make a difference, right.

Where can we move the needle versus where can we do things that maybe we should lead to someone else in the org or within the technology services group? I I, we look at identity security as the group that provides platforms to other IT pros, right? So we talk about this a lot, the necessity of creating good platform documentation. You know, there's this middle

ground. We write documentation and explain to our users how they engage with the products and the things that mean identity to them, passwords and usernames and things. And then we have internal team documentation we have to write to let us do our jobs for business continuity when we have turnover and our staff. But there's this middle layer, right, which is my team provides a service that is consumed by another team, by another IT pro, right? So I usually call that a

platform. That's the term we tend to use for IT platforms and services, and we're writing tools that they can use. Often APIs that they're programming against or consuming, maybe some sample code, maybe good documentation so they understand what's happening. There's training and education, all that layer in the middle where my team's a service provider for another team and not necessarily directly to a customer. Really well thought out. So one of the services that you

provide is this DevOps area. That's what we really want to dive into today. So can you describe what is the service this DevOps service for or IAM for DevOps, yeah. However you want to determine the service that you provide to the university. Can you describe that? Yeah, yeah. Well, let me take a step back a little bit. And you know, this kind of ties into my other role as an adjunct professor.

I've been teaching in a program here that does technology management and IT service management for about 7 years at the university. And I helped to develop with a, a colleague of mine, a class that to our knowledge, it was one of the earliest first classes in higher Ed and undergrad that focused on DevOps. We'll, we can talk more about that class later if you guys are interested. But so that's a little bit of

background. I've been interested in this for a little while and have some, you know, expertise in this to teach it in my different roles throughout that same time period, sometimes I was working at an academic college or I was working in IT risk and compliance. And then eventually I've moved into the the CISO role. I've tried to bring that background and experience into

that role, right. So when appropriate, I've tried to advocate for and make changes that will allow us to deliver our services from the perspective or using the cultural practices of DevOps, right? DevOps is really a sort of a cultural movement more than anything else. It's not about a particular technology or tool. It's not about a job title. DevOps is about how you go about doing your your work. And it's about emphasizing things like agility and velocity

and the ability to scale. And I think a big part of it is about the humanity of how your team interacts with itself and with other teams, with empathy and with trust and trying to interact in a way that recognizes that we're all humans and we have to get work done and stuff happens and, and let's give each other a break, right? Let's try to work well together. So this idea of team affinity, I think is a really core piece of

what DevOps is about. Now, a lot of people are going to approach DevOps in a different way. That's, that's great. Everybody's got an idea of what that means. But I would argue very strongly that right DevOps isn't a job title or a team title. It's a way of approaching business. It's a way of approaching service delivery. So in that respect, anytime I've had the ability or the the need to, to lead a team, I try to bring those ideas to it. Some teams, it aligns better than others, right?

If you got a team of developers and you're building a product that's really clearly aligned with these ideas around DevOps. If you've got a team that's maybe managing a help desk, that's harder, right? So DevOps isn't truly around. It doesn't quite square up with sort of service delivery in that sense. And I've developed a lot of teams that we have, it spans this spectrum. And so sometimes DevOps concepts and ideas are more applicable

and sometimes they're less. But I think a lot of these ideas are, they're always available there, right? To make a difference and make a change and get you closer to this idea of being able to deliver services at scale and with velocity, and treating your team with humanity and empathy.

And now we think that when it comes to a large university, I mean, look, granted Texas A&M is I think #1 in terms of the status of the undergrad class. We're talking about a huge institution, yeah, you've got so much going on in terms of DevOps. Now you're providing services. This should kind of the core identity services that folks think of, right? Like authentication, authorization, identity provisioning.

Yes, the IGA, the identity governance, so we have several very large scale projects in flight right now. We are currently replacing our entire identity infrastructure for that IGA function with a commercial product. We've had a a homegrown legacy code base that grew up over 20 or 25 years. And so we finally, you know, taken the time to step back and invest and try to replace that with a commercial product. And that's going well. But it's a big project, right? We're a year into it.

We're on schedule, but it takes time. This is sort of rationalizing all those upstream data sources from the like things like Workday, where do we get that information about our employees and our students, etcetera. And then making sure that all the business logic's happening to provision accounts correctly. And that's where it gets really tricky in an academic environment because we all wear so many hats and we wear multiple hats at the same time.

And a staff member can also enroll in classes and a student is also going to get employed and a faculty member, right, might also be a full time staff member like me. And I'm an adjunct professor. And so we just have this, you know, diffusion of roles and overlap of roles and juggling the, the number of different roles. And yeah, I'm not saying this well, juggling, I'll let you

correct that in post, right. Juggling all the different roles and how they interact together and overlap all the the different permutations, that is probably one of the things that makes identity in a higher ed environment unique as opposed to other industries. I definitely think higher ed tends to be more. One of the more complex use cases out there from an identity standpoint, I, I think we've probably talked about this in the past and not a lot of people

I think are aware of of that. And all the hats you're wearing, right? You think like a baseball cap, It's like, OK, I'm in this role. You've got like a baseball cap that has like 5-6 different bills. Yeah, you're like twisting it around. And they're all on at the same time, right? You don't swap them out. They're literally there all the

time, right? Yeah, I want to pull real quickly on the thread about the custom code and then switching to a commercial product because what I found is, yes, I think there's sometimes, you know, issues with custom code and you know, people generally are building products in their own environment that they are, that there are commercial solutions for. But sometimes it's difficult to make a move from custom. We've built it, we know how it works and whatever and now we want to go commercial.

And what I find sometimes is the custom product that the organization has built. There is no comparison to a commercial product, right? You've built it, it meets all your needs and you will never find something that is apples to apples and equal or even better maybe than what you've already built. But still, maybe it's the right idea to shift to a commercial product because, you know, do

you really want to be? You'd be in the business of now maintaining an application in addition to, oh, the primary mission of whatever your organization is, in your case, education. But it could be manufacturing, it could be retail. You know, unless it's a competitive advantage, I'm not sure why you would build a product in the space. That you, you exactly expressed the thought process here, right? True, right.

You spend 20 years fine tuning a bunch of custom code, you're never going to find something that does exactly that. But that's your dilemma. You get yourself to this place where you expect that level of customization. OK, but now I have to balance that against the risk that exists because of the level of expertise needed to maintain it. And for higher Ed, it's hard for us to find staff.

It's hard for us to compete to, you know, with a start up or another company to hire staff that have that expertise. And so we found ourselves in a place where it was very risky. We had a handful of people that understood this code and then eventually it trickled down to one engineer, right? That's not a great way to to plan for your business. And you know, everyone always talks about the what if somebody get hit by a bus? It's kind of morbid.

So I like to say, what if, what if that person won the lottery and then they quit the next day? We would have been in a very bad place. And so that's that amount of risk needs to be mitigated out of the organization. And one way to do that is to take a step back and say, yeah, we're going to have to modify our customized process. It won't be, as you know, catered to our exact needs. We have to change the way we do business a little bit and

conform to a standard workflow. But you know what, The rest of the world's doing it and it's working for them, so it'll probably work for us too. And then we've changed to this element where now we can go hire someone who understands this commercial product. There's lots of people out there that do. Yeah. I think one thing you have to be careful of is it'll take the commercial product and somehow like make it into a Frankenstein

beast, right? Oh yes, yeah, that's, I have seen that happen multiple times at large organizations. I've seen it happen here at the university, which is I have my way of doing business right my, my workflow and I'll twist this commercial product to fit rather than let's change the way I'm doing business to a more conventional standard format.

Yeah. So when I going back to kind of the DevOps piece, what we talked about the way I kind of framed it up, I'm maybe made it sound too simple like you're providing like these services, right? And so everybody should just snap in. But traditional approach I think is just handled that all within the tools that you have now you're integrating to a central service. So how do you take the central service and you've got all these consumer teams that are running the rank technology stack and

have to integrate. I mean, what are you doing to make that consumable and for and is the feedback positive? Are people glad there's a central service, or do they feel like you're twisting their arm into doing those? Wow. Have you been sitting in on our meetings? Right. So historically universities are highly decentralized and and there is a lot of autonomy and control given out at the edge in the embedded units in the colleges and departments.

Our university has been going through a rather unique experiment over the past two years and we have been centralizing all IT. We had a president who came in, they did an assessment, they wanted to centralize a lot of these functions like HR and business and finance and IT. IT was snap of the fingers all centralized. And we have been struggling with that decision ever since. In this in this sense, right that that was a big massive

organizational change. But practically, pragmatically, the management of the technology is still very decentralized because we had 40 different groups that all had chosen different tech stacks and all had chosen different tools and platforms. That didn't change with the stroke of a pen. What changed was now everyone's reporting into the same leadership structure, OK, But we still have these computers that have to be managed, right?

And we still have this data and these services and these, you know, servers and data centers. So that stuff has been changing slowly over time. And yeah, of course, you had a group that had a lot of autonomy, and they got to pick their tech stack. And now they're being told, now you report to somebody else and someone else is picking your tech stack, you're gonna have people that aren't really happy about that, right? I mean, they don't appreciate

that exactly right. So trying to engage with that idea with empathy and get everyone on the same page, that's hard. And we want to try to bring everybody along. Sometimes you don't have time, though. Sometimes you're being told by leadership, get this done right. And so trying to balance that is a big challenge. I think one of the ways we took this approach, right, we go back to this idea of DevOps and

delivering a platform. You know, we try to create tools and platforms that we can offer and say, all right, here's what it's going to look like, right? We're going to give you more control. We're going to give you self-service. Come to this tool and you're not going to have to wait on us or ask us, mother, may I or put a ticket in and then wait for something to happen. We want to enable you to continue to move as fast as you did before when you had that autonomy.

And we're going to do it in this way. We're going to create a platform or an API that you could just consume. And then we're going to put some monitoring on the backside so that we see what's happening, but we're not going to get in the way or or upfront stop you from from making a move forward. We are still struggling to make this happen all across our org, right?

This is. We haven't solved this problem, but I think we've taken some steps and shown in certain areas that it's possible to do it in this way and and be effective. I think that, you know, your legacy will be you're going to move the university forward in the centralization journey, if you will, for a lot of other universities, and they're just stringing further and further from that. And it just makes doing certain things darn near impossible,

right? So your legacy will be that, you know you move the ball in the right direction for as many years as you're at it, and the next generation of leaders will be able to pick up from a better place.

That's a good point. You know, our CIO has really charted the strategy about how we handle this consolidation and he's been very careful to try to get us to this place where we can continue to deliver services to our customers and bring along our staff so that they feel like that they've got a stake in what's happening and they're involved and engaged.

Yeah. I mean, I think in the higher ed environment, you've learned leadership because there's a difference between leadership and management, right? If you manage somebody, you can tell them go do this thing. If you don't manage them, you have to coerce them, or build a better mousetrap, whatever. You have to get them to still do the thing.

Incentives, and we sometimes call it the carrot and stick, but I think that in higher ed there's definitely a tradition that you see more leadership through influence than leadership through direct management or supervision, in that concept. I wanted to pull this back into this IAM for DevOps. I think it's a real interesting topic and I want to kind of get into your journey from where you started to where you are today,

where you're heading. But I think kind of getting an understanding of your IT environment would be a good starting point. So are you guys in the cloud? Are you using on-prem hosting? What's the situation? So we have, yes, all of it, all of the above. We have a multi-cloud strategy. We've been moving into the cloud for a number of years. We are engaged with all three of the major cloud providers, Amazon, Azure and GCP.

I'd say probably we have more enterprise technology in Amazon and Azure, but we see a lot of researchers that are interested in using GCP. I used GCP in my class when we do DevOps and we, you know, have the kids write code and they containerize code and they, you know, deploy it in a pipeline. We usually use GCP for that. There's pros and cons to all three of those platforms. We also have a lot of infrastructure still on premise.

Now we've been moving that into an environment that is virtualized and containerized as much as we can, but we still have a long way to go there, right. So we're making progress, but I wouldn't want to pretend that we've sort of solved this problem, right? This is a journey for us and it's a maturity. So the services that you're providing from a DevOps perspective, are they independent of where the

applications are hosted, or? Yeah. So, well, there's a couple things going on, right. So there are services that security participates in with other groups, things like GitHub and GitHub Actions and, you know, containers, containerization, hosting and container security and scanning. We're building some of those. Some of them we've had where they're pretty mature and

they're working pretty well. And that's independent of any of these different groups or different tech stacks, right? So anyone, no matter what they're writing, they can use GitHub. And we've got a GitHub Enterprise, you know, license agreement with Microsoft and we make that available to developers or to researchers and grad students who want to use that. So that works well. We've got tools like that and

other DevOps-like services. We also have elements where we try to go in and work with the team. They're like, they want consulting or they want advice. How do I change the way we've been writing code and delivering this? How can we be more agile? How can we deliver this in a more cloud native application type of way? And so we've got a large group of developers and we have a wide range of experiences there.

Some are doing more traditional waterfall style development and some are really advanced along this, you know, serverless and containerized applications and very much cloud native software application deployment. So there is a spectrum like you would expect across any large organization. Spectrum sounds like it's A to Z. Well, give us some idea of the scale. I mean, how many teams or applications are you supporting in this DevOps environment? IAM for DevOps. Right.

I mean, again, the spectrum, it really dominates here, right. So we have probably 2,500 to 3,000 applications that are consuming IAM services for SSO at a minimum. We have probably, when I think about teams that are writing code and deploying custom code for applications that aren't just commercial applications that have been purchased, I would say on the order of hundreds, multiple hundreds. And some of that code, you know, is older and hasn't really been

touched in a while. It just was written and then deployed and then left. Some of that code is active right now under active development. Some of it it's commercial products that have heavy customization. So we write code to customize a commercial product. It's a big spectrum again, right? And the scale is pretty large, right? So we think about the number of Amazon accounts that we're dealing with, right?

And again, we're up into the hundreds because, you know, we have researchers in labs that are doing their own research and they kind of need to isolate the work that they do in the cloud in that way. So we have a model where we have these master agreements with the cloud providers and we provide access to the cloud through this mechanism. It allows us to have some type of telemetry and oversight into

what's happening. We can ensure that we've got firewalls set up and we've got network boundaries correctly implemented. We can watch security and compliance functions. But it allows the developer who needs to, like, just spin something up and try something in the cloud. It gives them, you know, as much degree of freedom as we can give them to continue to move in the

cloud with agility. Yeah, so massive scale, and I kind of, in a way, was expecting that answer, setting you up for this next question, which is I really want to understand your journey of providing IAM services for DevOps, because I'm thinking you weren't there saying, me, I see this coming, in a few years we're going to have all these needs. Let's stand up a team to support it and get every new

application. No, I would assume at some point you came along and said we've had hundreds of apps that are performing identity and access management services for themselves and that creates all this risk for the institution. Yeah. Talk to us a little bit about that journey. When did you have the light bulb moment, that it happened that way, and talk to us about what it was like before that and then after you stood it up. Well, I think the light bulb moment, I'm not even sure we had one,

right. So it was as we were looking at the necessity to do a pretty significant upgrade to our infrastructure, our identity infrastructure. The second piece of that was the SSO components and the authN and authZ that then happens at the app layer. And we knew these were tied. We needed the infrastructure to be handled and a good solid foundation so that we could do the things we want to accomplish at the app layer and to do the type of access authorization that we want to have happen.

So we're building that foundation now and we've been making plans and sort of positioning ourselves to do more of that work. We've been calling it phase two. It's going to be focusing on the applications. You know, we've talked, we keep using this phrase like DevOps for IAM or IAM in DevOps. You know, I think it's really more for us, we've been tackling the problems that exist and are adjacent to IAM, right, and identity and identity security.

And we try to bring to the table when we tackle these problems, an approach that incorporates DevOps concepts and ideas because that allows us to deliver these things with

agility at scale, right? So when we deliver these platforms and services, my identity security team is doing these things in a way that is DevOps oriented, even if you might not call them a DevOps team. Likewise, we have teams that are delivering cloud tech and they are doing things with a DevOps orientation toward how they're delivering the work. And that's spreading into our development teams and our other

operations teams. And it's sort of this thing that is gradually diffusing across our organization in pockets. And again, it's a maturity level, right? So we're not, oh, we're a great DevOps shop everywhere you go. Look, oh, no, of course that's not true. But we have pockets where you'd say, oh, they're very much a DevOps shop. All the things they do look like they conform to these DevOps

ideals. And then you've got groups over here that might look like a much more traditional approach to systems development and operations, and then everything in between. Yeah. So, so in this scope that we're talking about, it's not just like a CI/CD pipeline and infrastructure as code, it might be applications that need to authenticate service accounts. I mean, is that also within? Absolutely. And how do you consume the APIs

that let you do these things? So these things you mentioned, right, infrastructure as code, but all those principles, those approaches, I think we've definitely incorporated that in security in a deeper way than we'd ever done before, right? So over the last two years, we've had a very mindful approach to take those DevOps concepts and apply them to how we are delivering these platforms. I think also, as we've changed our thinking of, we just,

we're running security, right? So there's one way to look at the security function, which is, oh, I sit here and look at dashboards and I respond and detect and then go take an action, versus building a platform and delivering that platform to other people that they can write against and consume. When you force yourself to think about being a platform provider to other teams, well, now I'm responsible to build out and maintain this platform.

Obviously, bringing along some types of DevOps approaches to that platform delivery is going to have a big impact. I would imagine if you're delivering this to other parties, you have to establish some sort of SLA or SLO with those parties. Yeah, that's right. I don't think we've gotten to the maturity level where we formalize that. But we do talk about it between ourselves. So I'm delivering it to another group. That's my peer.

So my title is Associate Vice President and Chief Information Security Officer. There's maybe an associate vice president for enterprise operations and so we deliver things their group consumes, or another associate vice president who's over all the development operations. A lot of our stuff is consumed by their group, right? The developers that are building the apps, and they need to consume these APIs and these tools and platforms to set up authentication and authorization.

So we talk between ourselves about what our agreements are about what we provide, what they can expect from this platform that we deliver, and we're getting better about that. But it's something we have to develop over time. Yes. So I was wondering, Adam, like how did you figure out how to do this right? Nobody comes out of the womb knowing how to do identity security for DevOps. But not only that, just understanding the DevOps process.

Did you learn it out of necessity or is this you know, how did you find your way into it? I think this probably goes back to my teaching, right? So before I got into security, even when I was an IT director at a college here on campus, the College of Architecture, we moved strongly into a DevOps model of delivering services to

our customers. And some of the custom application development that we were doing there, much smaller scale, 'cause it's one of the smaller colleges, we were frustrated with our inability to, we were sort of constantly fighting fires. We couldn't catch up. We couldn't, you know, stay ahead of all the problems that we had. And one of my engineers, one day he walked into my office and he put this book down, slammed it on the table. Have you seen this?

I'm like, no, what is it? And he brought me The Phoenix Project by Gene Kim. So if you guys are familiar with that, anyone who's done any reading in DevOps, it's a great book. And he's like, you got to read this. And I was like, OK, I'll read it. He's like, no, I mean, like right now you have to read it. And he stood there and watched you read. I started reading it and, no, he didn't stand there, but I started reading it and it hooked me immediately.

And this was like, I don't know, two in the afternoon. And so I just got up and I left the office and I went to a coffee shop and I sat there and I read the book. I read the whole book, start to cover, right to the end. And I came back in the next day and I said this was amazing. And I bought like 12 copies for all the other full time staffers. And I said everybody has to read this. And you got two weeks.

And then we're going to go off site and we're going to have a little like all day retreat and we're going to talk about it 'cause this is the answer that I think we've been looking for. There's something about it just resonated with me, right? And that was the beginning of my DevOps journey. And from that point, couple years after that, I started teaching. I wrote a curriculum, actually talked to Gene Kim. He came and spoke to my class the first semester I taught. He told me I have all my

students read his book. That's the first thing they do. They read the Phoenix Project and it sort of sets the stage for the entire semester. And, you know, I just continued to sort of get into this idea of what does it take to build a team that operates effectively according to these ideas and principles. It, it just resonated with me

really well. And so as I've continued to teach and develop and sort of gotten deeper into that, I think that just prepped me. So when I took this role as CISO and I looked at these things we were delivering and how we're going to deliver platforms to campus and then to our fellow IT pros and other teams, it seemed natural that we would want to use some of these ideas as much as we could.

Infrastructure as code, you know, telemetry and measurement baked in, that observability idea, the idea that we should be automating everything we possibly can. These are just natural extensions of these ideas. And someone who's good with note cards to be able to organize it on the wall. You know, you laugh about that. But that day we did that little retreat, I brought note cards, four different colors for the four types of work he talks about in The Phoenix Project.

I had everyone write down all the work that we did. I said bring this. Yeah, that's one of your homework assignments. And they brought stacks and we put them up all over the wall to get a visual idea of where all the work is happening, where our bottlenecks are. For the first time ever, we had a picture of the amount of work we had in flight and what our work capacity was and where we were over or under capacity. It was a very instructive exercise. It's a great book, definitely

recommend it for folks. If I remember, I'll put it in our show notes. So, oh, yeah, you get a link to it as well. How do you define the ROI for all this work you've been doing? I guess, is there an ROI? Have you been able to figure out what that is? And I feel like that's one of the areas where, you know, you have to kind of justify the investments being made into this. You know, you're getting your money's worth. That's a great question.

That's a question my CIO encourages me to answer all the time, right. He has definitely pushed us to think about the work we do in terms of ROI. I think that many times IT leaders don't naturally think about that, right, if you don't have a business background.

But in a very real way, anytime the university decides to spend money, if we're going to say we're going to take, you know, $2,000,000 and purchase a big new commercial identity system instead of something else, what is that something else? Instead of putting it into a scholarship for a student, instead of hiring a new faculty, instead of buying a new, you know, instrument that goes in a lab that lets us research this, these stem cells, anything that we spend our money on, we're not

spending it somewhere else. That really makes you think, right, is this important? Do we really need to do this? So, yeah, being able to explain ROI to university leadership is important. That's hard, particularly for something like security tools where the ROI is, well, we didn't get hacked this week, right. You know, that's not a great story, a negative story, right. You're trying to basically prove a negative. Right, right, right.

So no, no one wants to do that. It's not a great way to tackle the problem. Building a narrative of what you gain is important. I think there is a story where you have to explain risk and we have to invest in tools that will mitigate that risk. We talked about earlier that our legacy code had gotten to a point where it was very risky because we only had one person that understood it. So that's a clear story. By replacing it with a commercial product, we have managed that risk better.

You know, I'm able to hire people who understand the commercial product because it's out there in the world and it's a common tool. And worst case scenario, if I can't hire anyone, I can hire a consulting firm who specializes in this very common tool. And we know that we could pay them to come in and do some work if we needed to. So that's one part of the story. It's not a great story 'cause it's kind of a, that's a compliance and sort of risk

story. But you know, our university leadership understands that they've got to manage risk. A better story is when you can explain how this thing that you're doing enables the business the university's in, how does it enable teaching or enable research.

So when we can create a story that talks about how this IT infrastructure makes it easier for our researchers to interact with their federal partners because now we're meeting a standard for identity and we can share that identity or leverage our identities with a grant funding agency. And there are consortia that we are participating with in higher ed where we sort of exchange identity protocols, like InCommon. InCommon is a great example, right?

And so when we can do that, we have to maintain certain standards in order to participate in InCommon. So there are stories we can tell that talk about the benefits we can get from this as well. And Garrett can take a vacation or go to a conference or something like that. That's right. I want to wrap up the conversation with a quick dive into your teaching side of things. I'm curious, how has AI impacted the way that you approach your

class? 'Cause you've been doing this for a number of years at this point and I have to imagine it's been pretty disruptive. It has. It's been fun. This last semester, I decided to take a break from teaching my typical class, which is on DevOps. And I said, hey, let's do a class on machine learning and AI. And, you know, I'd gotten to the point where I knew my material pretty well.

I could just kind of cruise in, teach the class, do the lecture, and halfway through or not even halfway through a month into the semester, I said, what have I done to myself? Because I felt like I was staying maybe two weeks ahead of my students. Oh yeah. It required a lot of reading and work on my part, but it was fun.

We, I had the students learn about machine learning models, deep learning, all the different types of networks, you know, recombinant neural networks and convolutional neural networks and what they're used for and kind of how they work, the mathematics of them underneath the hood. I had them going through and building some of these things in code in very minimalist, sort of simplistic ways.

Not, you know, these students aren't in an advanced computer science program. They're not doing, you know, artificial intelligence engineering, but I wanted them to understand at a basic level what was going on. And they did and they got to do these things. And then in the last half of the semester, we did things like let's examine dark patterns in AI and what's going to be the impact on our economy and what are the impacts on society and

fake news and things like this. I've got a, here's a funny story, right? So my final for this class was that I let them build something. So I didn't want them to write a paper or just do it like a final exam. We've done that all through the semester. And so I said, I want you to take an LLM or some other type of machine learning model and I want you to put something

together. Maybe it's you stitch some things together and make an automation that does something in response to something and automates that. Maybe you train a chat bot and you have it, you know, just whatever you want to come up with. So I gave them some parameters, but I let them try to come up with their own thing. I had one of the teams, they trained like six or seven different chat bots with different personalities. And then they had them like go on Discord and talk to each other.

So the chat bots were interacting with each other. So I had a number of things like this, right, pretty creative types of final projects. And then one group got up and they, so they stood up to do their final presentation and they pulled up the PowerPoint and my picture was on the PowerPoint. And I thought, you know, boy, like, what are we in for here? So this group found YouTube recordings of me, like at a presentation at a conference or something.

They extracted the audio. They cloned my voice using an AI cloning technique to create a voice, right? And then they stitched it up to Twilio and they pulled open their phone in class and they dialed a number and my voice answers and they start having a conversation with me. That's awesome. I know, it was great. I was like, they got an A, you know, and then, so at first they set it up so that my voice was sort of acting

like a help desk. And they would say things like, can you explain the OSI model? And it would start talking about the seven layers of the OSI stack. And at some point he just like hung up. He's like, you got to cut it off. It'll just go for hours talking about whatever. I told him that if they asked my kids, they'd probably say that was the most realistic thing about the model. But then he decided to say, well, what could we do with

this for evil, right? So they had it where it would call a student and it would, say, convince the student that the final exam schedule had been changed. Don't come to class on Monday. We've moved it till Wednesday. And he hooked it up to an LLM in the background. That was like the loop, right? And so he told the LLM, you're a professor. Just make up an excuse for why a final might be moved, and it would just make up new excuses every time.

And it called, right? It's pretty clever. I love that idea. Yeah, that's very cool. Jim, your son is in school. Has he seen anything from an AI perspective, from an education standpoint like that? You know, he's very early, he just finished his freshman year. So he's doing a lot of like the build-up courses, besides the fact that he's way too cool to spend a whole lot of time telling me what he's doing in

his life. But we do talk about his path a little bit and he's enjoying it anyway. But I actually had a question I wanted to bounce off of Adam and I don't know if you've given this thought, right. So my idea for how AI is going to fit into identity security products in the future is very much like prompt driven capabilities. So imagine you're in an IGA system and a prompt could come up and you could start hitting it with questions and iterating on those questions to find data

that you want. OK, so now it's a little bit easier to picture if the software has the AI built into the software stack and it's just one database, right, that's maybe even physically contained. But now you think about the scenario, and can an identity company keep up with the likes of Microsoft or Google or OpenAI, right? Their models just move way faster.

And if they were able to kind of lease their model and plug it into their software through APIs, maybe, yeah, it could just be way better than they could ever build themselves. So I think it goes to that model, but now you have the data security. Can you, say you have a platform, you're an identity security company, you have 1,000 customers on it. Some questions would be relevant to ask that may span all 1,000 customers. Like how are other people doing

these things? What's a common practice? What setting are most of your customers using now? Maybe it's just you say no, sorry. I think that's exactly, no, I think you're exactly right.

And I think, I suspect that many companies right now are under so much pressure to demonstrate to Wall Street and to their customer base that they are integrating AI in an effective, clever way that they are, I don't want to say skirting the boundaries, but they are definitely pushing the boundaries of maybe what's appropriate to use their

customers' data for. And I think they're just saying, well, this is going to be to their benefit, and they're convincing themselves that they can use the data in ways that, if their customers truly understood how their data was being used, they would not be happy. We've noticed over the past year

or two that many of our vendors are changing their terms and conditions to say what they can do with our data, that they've never wanted to do things with our data before, right? But now suddenly that data is valuable in a way to them that it's never been before because they can build these models and train these models. It's a big concern for me. And you agreed to it because you got the little thing that says,

you know, accept or decline. You just want to use it. Yeah, decline... Well, sometimes you have a choice, right? It's like you either have to accept it or you can't use our service. When I think about AI, and I haven't poked on this

very much, right. So you guys are kind of hearing my first thoughts on this, but this project that my student did, right, that illustrated how easy, with just a couple of minutes of recorded audio, he was able to create a completely legitimate voice clone that my family, when I played it to them, said, yeah,

that sounds like you, right. So this takes me to this idea of we are about to enter a time period, a mode where authentication of an identity is going to become very different than what we have now, what we've had in the past. The ability to say, yes, I really am who I say I am. Video and audio, if it hasn't happened already, is very rapidly going to lose its ability to prove that something happened or that someone is actually who they say they are. Right?

This idea, one of the things we do right now, if we doubt one of our customers' identity and they're trying to do something like reset a password or reset multi-factor auth, we make them open up Zoom and show a government ID live with a help desk worker, right? That's what we do. I'm not sure that's valid anymore, right? I think that it is like I've seen technology.

We are very, very close, if not already in a place where that's capable of being spoofed with, you know, consumer grade tech with AI. So now what? What are we going to do about authenticating the identity of someone? I think we're about to see some really interesting things happen in this space, and I'm not sure what it's going to look like. It's going to be like secret

decoder rings and flash cards. And, you know, maybe even like what I'm thinking is like this very unique value that we share only with people we trust. I don't know. We'll call it password. Password. Well, you know, are we going to go back to do you guys remember the old Ring of Trust model when people were trying to do like they do public key signing parties where you get together in the same room and then you chain off of that?

You know, I don't know where we're gonna go with this. Is this an avenue for us to finally see some decent real application of blockchain tech? Maybe blockchain. I feel like it's been a solution in search of an identity problem for a while. Yeah, yeah. I don't know where we're going with it. It's gonna be interesting. Just when you think you know everything about identity, something new comes along and totally blows it away. So right. Yeah.

All right. Why don't we go ahead and wrap it up there for this week? Adam, thank you so much for spending time with us again. Always appreciate our conversations. Yeah, this has been fun. You're going to come back, let's see what title you get after this one. See how that goes. Let's see what else, Jim. We've got our YouTube channel that we're still trying to build up here, youtube.com/@IDACPodcast.

We got our website idacpodcast.com, X @IDACPodcast, we've got Mastodon, IDAC Podcast at infosec.exchange. I'll have LinkedIn connections for all three of us in our show notes so people can reach out, you know, provide comments, feedback, et cetera. All the good stuff. We read every one that comes through, and do us a favor, hit that like and subscribe button. That's the best way you can help us out, helps us have great conversations with great guests

like Adam and others. So do us a favor and hit that button, share it with a friend, share it with an enemy, don't care as long as you share it with somebody. So we'll leave it there for this week. Thanks everyone for watching or listening and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at

identity@thecenter.com. See you next time on Identity at the Center.
