
#297 - Navigating the Future of Digital Identities with Chris Power

Aug 05, 2024 · 1 hr 3 min · Ep. 297

Episode description

In this episode, Jeff and Jim discuss various Identity and Access Management (IAM) topics with their guest, Chris Power, Senior Manager of IAM at Sallie Mae. They tackle the evolution and challenges of non-human identities, the potential sunsetting of Role-Based Access Control (RBAC) in favor of policy-based methods, and the organizational design of IAM teams and the importance of governance and cybersecurity measures. The episode rounds off with a light discussion about Marvel movie news, focusing on Robert Downey Jr.'s return to the Marvel universe as Dr. Doom.


00:00 Introduction and Casual Banter

2:07 Exploring Digital Identity Trends

5:01 Conference Highlights and Discount Codes

8:35 Introducing the Guest: Chris Power

12:11 Deep Dive into Non-Human Identities

29:20 The Future of RBAC in IAM

30:42 Challenges in HR Systems and RBAC

32:21 The Complexity of Implementing RBAC

33:23 Exploring Alternatives to RBAC

34:13 The Role of Attributes in Access Control

37:35 Policy-Based Access Control (PBAC)

42:59 Organizational Design in IAM

52:34 Future of IAM with AI and Big Data

55:55 Marvel Universe Discussion

63:42 Conclusion and Final Thoughts


Connect with Chris: https://www.linkedin.com/in/jameschristopherpower/

Chris’ LinkedIn Post: https://www.linkedin.com/pulse/trying-something-new-chris-power-ysmdc/


Attending Identity Week in America, or Asia? Use our discount code IDAC30 for 30% off your registration fee! Learn more at:

Authenticate Conference - Use code IDAC15 for 15% off: https://authenticatecon.com/event/authenticate-2024-conference/


Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/


Visit the show on the web at http://idacpodcast.com and watch at https://www.youtube.com/@idacpodcast

Transcript

Introduction and Casual Banter

So the way that we've looked at it is, is that we'd look at it as a, or at least the way I've been looking at it, I'll say it that way is, is that if I have a function that is running on its own and it only has one purpose, to basically turn this one widget or turn this one wheel and it does it on its own, then that's a non, you know, that that's the non, that's non human

identity, you know, at work. And that that's how we define it. So therefore, it's, you know, it's the Lambda that goes off and does the thing and then, you know, and then you get an end product and it can't do anything else other than that one thing. But that's the, you know, that's kind of the overall goal. And that's the, you know, that's where they access and everything. That's kind of the guardrails in which it sits on. So Chris, you picked a real easy one for your first topic.

What do you have for number 2? This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Not bad for coming live to you on a Sunday morning. It is a Sunday morning, that's for sure. I think we're both struggling with like allergies or colds or something, I don't know.

Yeah, I, you know, I, I figured by this point of the summer I wouldn't have to worry about allergies, but I checked The Weather Channel. We're high for ragweed, which is probably the thing that hits me the most. So I'm like breathing through my mouth. So if you hear me gasping, it's because I've been too talking too long. But what's a good reminder to shut up? What's that? That's a good reminder to shut up.

Yeah, exactly. It's like if I'm gasping for air it means I've been talking for too long straight. Exactly.

Exploring Digital Identity Trends

Yeah, so scoured LinkedIn last night and you know what a what a treasure trove of ideas. One thing that I, I got into was an article about the Oklahoma mobile driver's license. That wasn't even on my radar, right? Oklahoma's now moving forward the mobile driver's license. I feel like every state at some level is moving forward with mobile driver's license. And it definitely feels like it's in the lane of digital

identity, don't you think? Well. Yeah. I mean, you're, you're presenting a credential to say this is who I am. That is absolutely digital identity. Yeah, it's a new area. I think that a lot of us are, you know, needing to learn. So this goes back to the digital identity versus IAM. You know, our foundation was more in the IAM space, which included customer IAM, so

internal, external. But now there's this new newer area around like decentralized identity, blockchain, stuff like that, where, you know, most of us haven't specialized in, but understanding not only the use cases, but also the technology. I think is, is, is a real, you know, challenge, but

opportunity. I kind of feel like overall, that's the that's the thing in the digital identity space is what makes this feel so exciting is the challenge is, is while you constantly things are coming up and things are moving forward where you're having to, to learn and figure things out. But that's also the exciting part is that it doesn't sit still and it's not static and we're having the opportunity to

learn all these new things. Yeah, I mean, that's, I think that's the natural evolution of any, of any role anywhere. Anytime things move forward, you got to stay current. Unless you're a COBOL or mainframe programmer, apparently you can like do that work and then like go away for a while and then come back and make a ton of money because nobody

knows how to do it anymore. Exact Well, that's that's the key as well as like sometimes sitting still can work to your benefit, but I don't know, that's never been my personality style. So yeah, but I, you know, we always talk about our conference discount codes. I think we should get into that in a minute. But that's a great way to stay current too, is just going to those conferences. You know, we always talk about the hallway conversations and that's such a great value.

But actually sitting in the sessions and seeing how people are solving some of these new use cases for identity is a way to stay current. And so, you know, to the extent that you know, you can afford to be afford to take the time, spend the money to be out of conferences, especially looking for events that are local to you or local enough that it's not a major expenditure, I think it's great.

Conference Highlights and Discount Codes

And of course, you know, having a company that supports that is great as well. You know, our guest today kind of ties together the two points I was making because we see him in a lot of conferences. So obviously his organization has seen the value, sees the value in sending him to conferences. And that's how we've, you know, built a contact and I, I think a friendship as well.

But also, you know, just the idea of like being out of conferences and, and learning all these new topics and then taking the position of, you know, wanting to share that information with the rest of the community. So I think that's, you know what you get all the conferences. Yeah, Let's talk about those conference discount codes. We've got Identity Week. We've got the America and the Asia conference both coming up here.

You and I are going to be at the Identity Week America in Washington, DC on September 11th and 12th. We're going to be doing podcast stuff, but I'm actually also hosting like an hour of identity and access management talks and the panel and stuff like that. So still working through the details on that, but I have volunteered to do that. So if you use the code IDAC30, you get 30% off of your registration. And that code works for both the

US and the Asia shows. So if you're going to one or both, feel free to use that code. Good, free way to save some money and show support for the show. The other one we've got coming up is the Authenticate conference from the FIDO Alliance that is October 14th through the 16th in Carlsbad, CA, which awesome weather. Love it. We were there last year and I think we've been to the last few Authenticates at this point, but we have a discount code for that one as well.

IDAC15. IDAC15 gets you 15% off of your registration. So you and I are going to be at that one too. I know there's a meeting, I think, I think we had to reschedule a couple times, but there's one probably next week to kind of talk through a little more kind of what we're going to be doing, some of the ideas we had for for doing shows there, but. Looking forward to Andrew Shikiar as the guest on an upcoming episode.

I think the next episode. Yeah, I think he's the reigning champion right now on number of, you know, appearances on this and. We had him on during our Identiverse. We had him on during our Identiverse, and I think that was #8 so he's looking at episode #9 so it's not only in the lead, but he's got a couple. He's lapped people a few times now. Well, he, well, you know, Saturday Night Live does like a, you know, five-timers club with like a, you know, like a smoking

jacket type thing. And you're all about those, you know, flashy jackets. I want to know what you're going to do for if someone makes it to 10 episodes on what, what are we going to do about that? Take one of my class jackets and and throw an Identity at the Center sticker on it. That's that is a Jim answer if I've ever heard one. That's weak soft, right? All right, well, we can come up with something. Come up with something.

That all right. Well, why don't we get to our main topic and our main and only guest today, I guess his name is Chris Power. He's a senior manager of identity and access management at Sallie Mae. He's been with us before all the way back on episode 162 where I believe that's the first time at least I remember meeting Chris and we had a nice little kind of conversation up in the suite suite. If you remember that at Gartner at was at Caesar's a few years back.

Got to know got to know Chris a little bit. But welcome back to the show, Chris. We'll say thanks, Jeff. Yeah. And I'll say it's it. It's been a long ride, but it's been a fun ride for the last two years. Getting, you know, getting, you know, going from that and getting to know you, you know, getting to know you too. And of course the the identity space a lot better over the last two years through those conferences.

Introducing the Guest: Chris Power

Yeah. And speaking of conferences, this is actually technically your third appearance on the show because you, when we were at the Identiverse conference earlier this year, we had kind of like a Q&A with Andrew Shikiar asking some questions about passwordless and, and authentication, just FIDO in general.

And I believe you stepped up the microphone in our little kind of area that we're recording and actually asked a question. So if you recognize the voice, there you go. You This is technically your third time on the show. I'm shooting for 10. I'm shooting for 10, Jeff. I want, I want to, you know, I want to get a, I want to get a jacket. That's that's when you know, that's my goal now. You want Jim's leftover jacket with a hastily applied Identity at the Center sticker applied to it.

A marker of writing #10 on the back. That's right, Chris. People in the US might be familiar with Sallie Mae, but I always like to talk about, you know, we're talking about this as a global audience. Not everyone's familiar with what Sallie Mae does. Why don't we start with that? Tell us a little bit about what Sallie Mae does, and then I'd love to just kind of hear about your role at Sallie Mae. You know, what does a senior manager of Identity and access management do for an

organization like that? Well, Sallie Mae is a, you know, Sallie Mae is a private student loan provider. We, you know, we help, you know, we help individuals get through, you know, get through their journey of, you know, getting a better education through various, you know, through various colleges and universities by providing ways to get, you know, ways to get you, your, you know, the funding that you need to get from, you know, from one point in your

journey to the next. From from an IAM standpoint, you know, standpoint, what I've been doing and what, you know, what I work with primarily is the, is on the inside of the house, the workforce management side of Sallie Mae. So everything from the B to B to B and to the individual employees to contractors that we use on a day-to-day basis, helping manage the, you know, helping manage their access is kind of is my, you know, is my bread and butter is what I focus

on on a day-to-day basis. As a senior, you know, as a senior, you know, IAM operations manager, my role is to help manage a team of roughly 10 people who spend their days taking care of that, what I call the pillars of IAM from a workforce management side of things.

That's, that's the governance of the house, you know, doing, you know, doing regular access certifications on a quarterly basis, taking care of, you know, taking care of the day-to-day provisioning of access joiners, movers, leavers, all the, you know, basically through the entire life cycle. As well as taking care of just, you know, overall, just day-to-day aspects of what the workforce needs to be able to get into their, you know, to be able to get into their

individual applications. Helping, you know, helping our, you know, helping our teams, you know, make those connections between new vendors and new applications, getting them, you know, getting them on boarded into our systems. So Chris, you, you're actually, you're really living the identity and access management life, right?

So you're, you're in there and I saw your LinkedIn post last night, actually, I'm not sure how old it was at that point, but you're out there now committing to blog about identity access management topics for the betterment of kind of like paying it forward, right? I think it's the, the right, the, the fancy way to say it these days, getting this, you know, at least your opinions out there on many different topics. You started with your first blog, which is kind of just saying, I'm going to do this thing. So now the commitment's out there and I hit you up and said, Hey, the commitment's out there. How would you like to come on the Identity at the Center podcast and kind of talk about what some of these topics we can expect to see you blogging about? So maybe you could kind of walk us through a few of those.

Deep Dive into Non-Human Identities

Let's start with the first one. What what's the hottest topic that you have in mind for for

blog #1? So blog number one, I think is going to be around maturing the non human identity that, you know, we, you know, we've been going through a quite a process lately and been talking about it a lot internally for the, you know, for last several months, really through a little over a year on how to properly manage and maintain a, you know, you know, a listing of all of our access that doesn't belong to a human being, doesn't actually, you know, isn't connected to a

contractor or an an employee here at Sallie. With that. We've, you know, we've had, you know, we've actually had our own database that we've been using for quite some time to basically kind of we've homegrown our own system, so to speak, to basically take care of that for the, you know, for the, you know, for the last several years. And lovingly we would like to, you know, we would like to kind of put that to bed and actually try to see what the next level of, you know, what the next

level of that looks like. So much like when we, you know, when we saw each other at Identiverse that's, that was kind of one of my main purposes of being there was, is to stroll the vendor hall and kind of get, you know, you know, get a better feeling of what, what was out there in that space. And what I found was, is that it's, it's a lot more mature

than I thought it was. But yet I also, yeah, but talking to them, I also recognize that there was a lot of room for, you know, that they, they all know that there's still a lot of room for growth. There's still a lot of room for, for standardization and for governance around it. And that's, I'm going to say that's what I've been, you know, really that's what I've been researching lately.

And that's kind of that's where my, you know, that's where my next set of articles are going to go towards is, is basically that research and kind of the, you know, what I've acknowledged or what I picked up to, like Jim said, pay it forward. So in, you know, in line with that, you know, Jim, I'm going to kind of throw this back at you a little bit. When you think about non human identity, what do you you know? What do you think is probably the most important things to

look forward to or look into? So you're talking about the the non identity space right at the moment. So, you know, I want to first kind of put put on the table a thought that I've been having recently, which was around this CrowdStrike outage that we all kind of like experienced at some level. And I'm not sure how how badly that hit you. But one thing that I thought about is that we have all these machines now going out and

performing updates. And it got me thinking about, you know, the the whole SolarWinds thing that happened or was it a year and a half two years ago now where we have powerful machine accounts in the environment that we just say, OK, they have a legitimate requirement to exist and they do these things. And so from an identity and access management standpoint, we say they're legitimate and the business tells us they need them. So we're OK with that. And that's that.

I think as cybersecurity professionals as a whole, we need to know what our risk is relative to those items right to those non human accounts. I don't know that we necessarily have the technology right now to catch something like that on the fly, to necessarily have controls that could prevent a SolarWinds or prevent what happened with CrowdStrike. But I certainly think we need to do a better job of inventory where our risks are relative to these accounts.

I don't think that a lot of people even understand all the accounts that exist and you know, have a way to kind of like, all right, well, you know, it again, it's kind of like what I say is it's hard to manage what you can't measure. Do we have that measurement of those accounts of the risk relative to these powerful non human identity accounts? So I think that's one big topic that I've been thinking on that

I'm out there looking for. You know, people tell me, no, you're wrong, Jim, we are doing that or that's not important to do or yes, you're right. That is something we need to get our arms around and here's a framework for doing it. I think the second thing overall that makes non human accounts, you know, one of the things we keep hearing in the industry is that non human accounts now outnumber human accounts. So I think you're very much on to a a topic that is, you know,

absolutely critical. And I don't see that going back the other way. I only see you getting, you know, bigger and becoming bigger and bigger of a problem to solve in terms of we're doing more and more automation and that requires more and more non human accounts that can go about, you know, carrying out these activities. And so I think you have the traditional Windows service

accounts. And if what I'd encourage people to do is like not look at like that as the entire problem because I'm, you know, I feel like in the past I gained access management and said, OK, you've got these Windows service accounts and that's 75% of the problem. And then you've got these applications in Linux situations where, you know, maybe somebody hard coded an account and it's like that's 10 year old thinking.

You've got to also think now about the whole DevOps environment and how accounts are being used to build infrastructure and deploy applications and what is the risk of those accounts and then robotic process automation. So there there's just like a much bigger picture of non human accounts. And I think the the first thing is really understanding the landscape and then the second is understanding the use cases for those accounts and then applying

controls in a proper way. So I'll stop there and kind of see what what Jeff is thinking. But this isn't a new problem. These accounts have been here forever. Since the dawn of IT, there's been service accounts. I think yes, it's going to get peril for 8:00, but to I don't, I just don't see this as a new problem. This is this is forever now, the technology has probably gotten better to the point where it's easier to manage and track these things. But I still believe this is a

governance first issue. These didn't just start popping up when AI was invented, right? Or things like that. There's been service accounts for, for as far back. I think this is where we fall back on policy and standards and procedures to say, OK, we've created a service account. Here is the purpose for it. Do we have good metadata around it? Who's responsible for it? You know, is it being used for its intended purpose or did we share it and use it for another service that, oh, this looks

like it's similar. You know, let's let's just reuse it for that kind of thing. I'm hopeful that some of these new technologies in the non human identity space will be able to dissect that a little bit, but I find that really difficult onion to kind of peel to say, OK, you know, how is it going to know who it really belongs to? Right? There's no human identifier tag to it. You're going to have. You're still going to have to go through a process.

To say, OK, Chris, you've got these, you know, 50 different service accounts that you're using to run your, your applications or your services and your environment. Tell me about them. What do they do? Are they scoped correctly from a permission standpoint? Or did we just say, well, let's give them domain admin and they

can do whatever they want. So I think there will be a lot of business conversations and helping the business and the business in this case might be IT understand, you know how what you know, what is the risk associated with these accounts? What are you using them for? Do we still need them? Because a lot of times these service accounts or other types of non-human identity stick around forever because we're afraid to remove them or disable them because oh, it might break

something. And the next thing you know, you've got a whole bunch of little, you know, micro perforations in your identity wall where if one of these accounts were to get breached, you'd be able to come through and do whatever you need to do. So I, it is interesting, I think this is a topic that is definitely becoming more important, especially with, you know, the more automation we do some things. But I'm curious to see, Chris, where, where do you think this is heading?

And if you've seen any specific products or things like that, that or capabilities, maybe that might be like, Oh yeah, that's I need that to to make my program more effectively. If I could, Jeff, I just wanted to follow up with one other point that I forgot to mention, which is, you know, service accounts traditionally have weak authentication controls, right? They're not eligible for multi factor authentication. So if somebody could enter the network with those accounts,

that's a big problem. And then of course, they have very simple passwords that you know, if you're relying on password only or certificate only, but let's say password only, you know, you've got to make that as difficult and not guessable as possible and be rotating those passwords if possible so that no human being, it was the even within your

organization knows the password. So I agree with everything that, you know, that Jim and Jeff, you're saying they're going to say we're definitely, you know, we're definitely taking a look at it from a governance point of view first, you know, first and foremost to kind of go along with what Jeff was, you know, talking about. We've been, you know, I've been

doing research. There's, you know, you know, not the name drop too much, but like on LinkedIn, there's actually a non human identity organization that's kind of being founded, you know, founded out there. They have their own website that basically kind of is, is beginning to bring awareness up to, you know, up on what what a non human identity is and how to kind of how to start building controls around it.

And I, you know, I really appreciate what they, you know, the work that they've been doing as well as I think that NIST actually is beginning to take their first swings at it to trying to, you know, trying to get, you know, trying to get the details down of what, you know, a what up a not they call it, I believe they call it an NPE, a non-person, you know, entity is and try to go in, try to get into that.

So there's been, you know, that's the research that I've been looking into on that end, as well as knowing full well that the, you know, the auditors, you know, the auditors and the GRC groups that we work with are very, very, very interested in trying to, you know, trying to figure out how to, how to say that, you know, how to build controls around it. In the sense of saying, can we get to the points of an, an application identity only having one, one select purpose.

So therefore, you know when it, you know when it kind of leaves its boundaries or leaves its area of expertise or it gets over scoped or overused in some way. Again, bringing us back to identity and that into the whole space of least privileged. How do we just cut, How do we keep it in its own swim lane to keep it going? Hey Chris, let me follow up with one more thing because you just

trigger something. So you talked about governing these non human identities, which brings me to the question is, is there such a thing as a non human identity? And I think most people answer the question yes, but is it a non human identity or they're non human accounts? Because from a governance standpoint, I think somebody's got to own these accounts. I don't really think they are identities. I think identities are like the

people process. And and now maybe with AI we get into the point where there's actually intelligence enough to you say, OK, that's an identity. It can do the activities that a human being would do an intelligent enough way to say yes, this account is still required. Yes, that is still least privilege for this account, but I think that's what an identity does.

I think an account is really what we're what exists for the most part today and those accounts or the process that creates those accounts needs to be owned by human being. What are your thoughts are? I absolutely agree.

I mean, the way that we, you know, the way that we currently manage them and the way we're, we'll manage them in the future, absolutely that there will be owners involved and, you know, owners for each of those individual applications, be it an IT business owner or an IT technical owner in some way.

You know, and, and they do, you know, and they get, they get applied through certification processes just like it, you know, just like any, you know, any other account that we, you know, any other account that we handle. So they they get reviewed for what they can do. So I have for topic. Number hold on. I I slightly disagree here. So I think absolutely any account can have an identity associated with it. So if we're talking about a, let's just call it machine

account, right? Non human, it's in the name non human identity. This is what we're talking about. So we're saying, OK, this account belongs to some entity that is performing some sort of transaction or action. That entity can be human or cannot be human. And in the case of a non human entity or identity that we we definitely need to have ownership assigned to that. But I don't know if it's necessarily a person. It may be another entity that is

responsible for that account. IT is responsible for this non human identity. The identity and access management team is responsible for this specific identity or marketing or e-commerce or whatever it may be. And I think as these non human identities start to evolve and become more, well, dare I say it, self aware, there may be some associate with that to say, OK, well Cortana, right, let's call it that or the Microsoft parlance.

If you're a Halo fan or whatever, you know, there's probably a whole bunch of different service accounts that run underneath the non human identity called Cortana. Now Cortana might belong to, you know, an IT organization or an AI department within it. So I, I can see the argument to be made to say, no, these are these are identities. The it's just that we have to wrap our head around a different way to think about it. It's not just human or or non human. It's there is an account.

What is its identity? Certainly if we don't have a strategy around it, it, you know, just might be a loose collection of accounts that are just, you know, these belong to IT. You whoever runs Active Directory, here you go. You guys figure it out, right.

But I can I, I can I feel like I have to make the case for we need to think about this more strategically in broader terms, OK, we're talking about logical constructs here, an identity, an account, you know, ownership or responsible party, right? Things like that. And it is. I don't always see a one to one match that it's human to non

human or vice versa. So the way that we've looked at it is, is that we look at it as a, or at least the way I've been looking at it, I'll say it that way is, is that if I have a function that is running on its own and it only has one purpose to basically turn this one widget or turn this one wheel and it does it on its own, then that's a non. You know, that that's the non that's non human identity get

you at work. And that that's how we define it. So therefore it's, you know, it's the Lambda that goes off and does the thing and then, you know, and then you get an end product and it can't do anything else other than that one thing. But that's the, you know, that's kind of the overall goal and that's the, you know, that's where they access and everything. That's kind of the guardrails in which it sits on. So Chris, you picked a real easy one for your first topic.

What do you have for number 2? Well #2 I want to say I would be interested in hearing more about the another topic that's, you know, top of mind to me is, is, is the identity, is the IAM space moving away from RBAC? Is RBAC something that I, I recognize that RBAC is going to be around for quite some time.

This is not like, you know, I forget, I forget the particular tool like, you know, you know, Samuel that, that we talked about is getting ready to die or Samuel's dead when we, when we go to the EI Identiverse. But instead of that, you know, instead of in that instance, is the hourglass turned over on our

The Future of RBAC in IAM

back in which we are now kind of working our way to sunsetting our back. Are we at the beginning of that and moving towards a policy, you know, moving more towards a policy access control instead? Personally, what I run into is, is that, you know, is what I run into is, is that we've been too connected and too heavily reliant on our, for example, HR, you know, basically our HR systems and our HR data.

So therefore it is, it's great that you know that, that is the beginning of, you know, identity. But using, you know, but using that, you know, using that identity information as kind of the foundational layer has become, has become more challenging because HR systems and HR groups and benefits groups and all the other groups that are out there that basically interact, that interact with that data have decided to start architecting it differently. Have, you know, have started using it in different ways and have put a different lens on it. So I, you know, so when they decide to make big sweeping changes, it affects my, you know, it affects my RBAC. So therefore, at this point, I'm looking at it more in a curious state of should we, you know, should, you know, has the industry kind of acknowledged that, you know, those things do happen or those things are beginning to happen and maybe we should start breadcrumbing, basically, our policy, you know, our policy engine to, you know, to basically take care of these things instead. Sure, still use that, that workforce management application or that human, you know, human resources, you know, data that comes in, but use it as metadata or use it as an attribute on top of it to or as a, you know, as a, as a note to it to be able to say, OK, if you're, you know, if you belong to this department, you get this limited amount of access and then you work for this manager, you get this little bit more access.

And then your title says this. OK, you get this. Now that you have those things, then we start talking about the denies. We start talking about because you have you, because you are in these departments and in these things, maybe you don't need to see all this other types of access that's out there and maybe you shouldn't because of toxic combinations, you shouldn't be able to get into these things at all either. I'm curious if you're seeing more growth in that space?

I think the RBAC hourglass has been perpetually tipped on its side, cracked with little pieces of sand falling out of it for a very long time. I can't think of too many IAM constructs that have such a, a positive that could have a positive thing on access that has been so poorly implemented and just addressed by not only the market, but the organizations that try to leverage it as well. I see so many organizations that struggle with RBAC in general because it's become way too complicated for organizations to actively, you know, perform the exercise of creating the roles in a way that makes sense, is scalable, and they can actually keep up with it. Most organizations that I've talked to and I've seen got down the road of maybe six months to a year into it and were like, oh, this sucks, forget it, go do something else. So I think there are, and I think this is, this is where things like policy based, attribute based, you know, other types of, you know, BAC have come along to try and fill in the cracks around this. The, the, the idea of RBAC sounds great on paper until it hits the real world and you have a real organization that has hundreds of applications, hundreds of different types of metadata available at your people, job titles, you know, physical location, you know, job codes that don't match with titles. The, you know, the organization doesn't recognize the difference between a manager, a supervisor or a director or an analyst in one for or one part of the, of the company versus an analyst in another. And so what are you left with? You're left with these alternatives to try and fill in the cracks or on RBAC. Now when I look at RBAC, I think, OK, that's a great, that's a great goal to have, but why don't we start with something easier like attribute based? Are you an employee or not? That should be hopefully a very simple question and answer.

Sometimes it's not. But can we at least agree on who is an employee versus a, you know, a contractor or a customer or whatever that, you know, the persona might be? And I think if you can layer different attributes together, then you have a little bit better chance of starting to put together an access control model that is actually effective, scalable, and an IAM or an IT team who's responsible for this type of stuff can actually live with it. So I feel like this is a soapbox I get on a lot, but I, I, I just feel like RBAC is one of the, you know, under, underutilized because it was so difficult and such a good idea. And the promise was, well, I'm just going to put my IGA tool in there and it's going to do role scanning for me and fix all this for us. I haven't seen it work that well. And I live and breathe this stuff all the time. So I, I feel like that's my, my two cents on it. So I'm going to step off my soapbox and ask Jim what he thinks.

I think authorization is a difficult topic. I mean, you know, authentication used to be a difficult topic, right when you had all these web applications and fat applications and, you know, they were using different technologies for managing authentication. Different authentication was being mixed with coarse grained authorization. And then along came SAML and it just became a standard that it was just easier to live by, like let's get people into the application, then let the application handle authorization. So now, now we kind of think authentication is way easier than authorization. And I do, I think even before SAML that was true. Now when you take authorization, you have some applications where it's like there's a list of finite, a finite list of roles and you put a person into those roles. Then you have other applications take your ERP platforms or take custom built applications where the authorization model is tremendously complex. Now, you know, when you take something like RBAC, which, you know, I think our tendency is to say, well, how can I solve all this problem with RBAC? And I don't think that's the answer, but I do think there is a place for RBAC.

I think especially for, and I think RBAC and ABAC, they kind of combine because you can get into the same conversation with what Jeff was saying is like, are you an employee or not? Well, you can create roles that trigger off of that attribute in your IGA system, for example, and say, all right, we're getting this feed from the HR system that you are employees, we're going to create a role called employees and we're going to provision certain birthright access for employees.

So I still think whether it's ABAC or RBAC, it kind of accomplishes the same thing. But when it gets to some of these real complex applications, I think the utility of RBAC breaks down. Now could PBAC help solve this problem? Potentially. But I think even when you get to these ERP systems it really becomes a matter of people caring about homogenizing the different types of access that can be provisioned, right, so that there are different types of people within that system. So you can get closer to that finite list of roles rather than everybody having an ad hoc, you know, access to that application, an ad hoc compilation of attributes and permissions within that app. As long as you're allowing that, I don't think any BAC model will really work. So it it the hard work is also on the application or platform side in terms of homogenizing authorization so they can fit some type of model. So you say homogenizing application that you know, the obligations together.

My curiosity there kind of piques a little bit because with the new with SaaS applications and with all the different applications coming in from different areas, it's homogenizing doesn't seem to be the thing that is happening. You know, they're, they're, that's the part that we're that's the part that we're missing. I you know, there we spend a, you know, we've been working on RBAC for six plus years at this point.

We, you know, and been, you know, been building it out as best we can and it's, it always still comes down to, you know, that application doesn't, you know, doesn't have that type of granularity to it. It's that's not an option. So there's a, there's a balancing act that has to happen between systems that allow you to handle front door access essentially that that that, you know, that entry level access to the application. But then does doesn't have the APIs or doesn't have the connectors to do individual, you know, to get into the granularity, you actually have to go to the you actually have to go to a portal or whatnot to be able to get that access, you know, get that access figured out further. Do you with, you know, in those scenarios, are you, are you still seeing a situation where you want to bring in, you know, where you where you want to actually have, you know, where you want to actually have somebody build out, you know, you know, basically like business owners build out that access or build out, you know, build out how that works, I think. It's ultimately what it comes down to, right?

So if you're implementing something like an ERP system within your organization, even though the ERP system might be able to handle, you know, thousands or hundreds of thousands of permutations of what a full set of authorizations could be, you can still have the discipline within your organization to say we're only going to do these. These ten types or these hundred types, which really like these are the important fields that we want to drive access based on.

Now understand I'm that might not be appropriate in all cases because I think the biggest thing playing against any kind of role model or you know, when you try to make authorization simpler and by making it simpler, you're going to say, well, you know, 90% of the people that need this access need these things, so let's just give it to 100%.

That is not least privilege. You know, at least it's not a black and white view of what least privilege is, because a black and white view of least privilege is you only get the access that you need. So if we're giving you access that you don't need because it's more convenient, I'm sorry, that's not least privilege. I know that it might be just the academic argument, but I mean that's the reality in my opinion.

Since there isn't going to be that you know that that standard for the next, you know that won't that won't occur for the next 5-10, fifteen years if we're being optimistic. I think that's what's driving me to policy because policy's more customized, policy's more a JSON statement or an XML statement of some sort that I can take and I can actually put in my if and then's and whiles into the into it. I hope that, you know, I hope maybe in the future in that, you know, in that standardization that you're talking about, we'll actually, you know, we'll take that into consideration and use, you know, going to use that as kind of the the backbone of it.

Gee, gross. It looks like you're picking some real easy ones to start off with, so I know you had at least three in mind already. Sure. So let's take a step back. So I know that I, you know, I've, I've, I've hit you with, you know, I did, you know, with the non-human identities and got into the granularity there. I know we've been and then we just got done talking about, you know, about policy and RBAC.

Why don't we talk about the team for a little bit, you know, you know, a little bit at this point, what, you know, going to Identiverse and going to different conferences and talking, you know, you know, talking to dozens and dozens of people at this point and kind of getting into their stories and getting into what the, you know, how their I, their IAM teams work. What I find most interesting is, is how different we really all are. We all feel like we're doing the same thing.

We all feel like we're basically heading in the same direction and trying to go after the same things. But our, you know, our mode of transportation or our, you know, our group that we're using to get there is so vastly different. And another article that I'm going to be working up is, is going into, you know, kind of going into that. There is, you know, there are groups, there are, there are businesses out there that of course focus on all the different pieces. But you know, they, you know, that in the end you have to kind of have all the different elements. But the question is, is do you have a dedicated team to any one particular area? How heavyweight or lightweight do you go into, into each one? Personally, we're a, you know, we're a governance shop.

We're, you know, we're very much there to help the business and they're very much there to enact what, you know, you know, kind of, you know, enact whatever, you know, enact whatever controls that are around it. That's kind of where our heavyweight is. And then we work toward then, you know, and then we do, yeah, we help facilitate that through taking care of the day-to-day provisioning.

But with that, I'm learning, you know, I'm learning that there's not just, you know, there are teams out there or there are departments out there and other organizations that solely focus on governance and then solely focus on provisioning. And then I'm finding out about new groups that are being spun up, especially with this latest, you know, this latest trip to Identiverse that are focusing on the cybersecurity side. You know, the more cybersecurity focused side of it, being able to find phishing, you know, trying to define and trying to build out phishing resistant IAM accounts or, you know, identity accounts. And then there's the cloud teams that are trying to help the DevOps groups keep their infrastructure up and running and keeping this, you know, the spin up and spin down and the keys that go along with it up and, you know, up and running. These are all things that, you know, I'm, I'm at the kind of the beginning of that journey of understanding that they're, you know, we don't as an operations team, we don't have to do it all. We have to do what's most important to our, you know, what, what's most important to our individual groups. And then, you know, but making sure that each one of those are touched in some way, form or fashion by someone within the organization. How do you, you know, do we feel as though that that's the way you know, you know, I, I'm so used to the idea of, you know, everybody kind of just knows where they're going. You knows, you know, knows the mode that they're running in, sure. You know whether or not you want pepperoni on your pizza or whether or not you want sausage. You kind of like, you make some, you make some little variations, but for the most part, it's still pizza in the end.

You're using a bad analogy at this point, I admit. Especially around lunch. Especially around lunch. But a delicious one. But is that is there going to be different, are there going to be bigger changes than this or is it you know, or do you see this being or you see those being still being the core, you know, the core pieces of it going forward? Is there where? What should I be looking out for as far as as an operations manager of IAM?

Kind of the doers of IAM, what what should I be looking out for? I think I'll go first. So I think you're getting into organizational design, which is somewhat or very specific to the organization, which has a lot to do with the size of the organization, how geographically dispersed, whether or not IAM is a completely essential service or if it's more localized to where the people are. But I think we can make some general assumptions or talk about some general topics there. You know, I think that one thing you have to look out for is because especially in this identity space, if you design your organization around all right, this is the product that we use for governance and start just fixating on, OK, the product can solve these problems. And now there's another team that is really focused on another product that handles authentication maybe or another product that handles privileged access management. So I think those are the big three with it when it comes to internal identity or workforce identity. Now the products will certainly encroach in each other's space. And what you you had the potential for is that if you take a product view of the world that then you start doing things, doing the same services within each other. And I think that's a real danger.

So I think the teams, if you have separate teams supporting those that you're doing off-site workshops or something, so those teams are collaborating on OK, what is our strategy going forward for each of these teams to support and where do we know where our lines of demarcation are? I think that's very important in a very large organization where these different domains are being covered by different groups. I think what I see more often is smaller teams where people are cross trained across the groups and they're working within those groups, especially on the not as much on the operation side necessarily, even though I do see that on the operation side as well, but build side. And certainly like the architect level where they're doing the the big time planning of how all these tools work together. But I think that is very important.

It's not to get just locked into too focused of a picture. Yeah. What do you have, Jeff? Yeah. And I agree with you, it's this is mostly organizational design. I think this is the classic centralized versus decentralized strategy that a lot of organizations might be looking at of, well, how do we handle our IAM functions? Do we try to build a central team that kind of does it all and separate that from the business? Or do we allow the business to administrate their own applications as long as they hopefully adhere to whatever standards or policies have been set up by a central organization? And, and I don't think the answer is, you know, right or wrong either way. It really is a very personal decision for the organization. A lot of it comes down to the people from the organization itself. You know, where where do your skill sets lie? You know, is Active Directory an IAM tool or is that IT infrastructure? Most organizations AD's been there forever. And so there is like an, you know, a general IT or network group that kind of handles the Active Directory stuff. And maybe you have a different team that does your IGA platform or privileged access or maybe.

So I think it's an interesting, you know, discussion to have because I think this is one of those things where you have, if I had to guess, Chris, when you write this, the comments are going to kind of fall into two different camps of a more centralized approach and a more of a, you know, governance decentralized type of approach. And, you know, nobody's going to be wrong and nobody's going to be right.

It's just like, well, here's what works for our organization or what hopefully it works for our organization. Some organizations that, you know, maybe they could stand to be a little more centralized and, you know, or at least put out together, you know, put better policies or standards or maybe anything. This is where I am.

Program management becomes so much more important when you're dealing with multiple areas of the business that are not directly underneath, you know, your control as an identity person or even as an IT person. So I think it'll be, I'll be curious to see what, what feedback comes through for for, for that article.

Yeah, I agree with you both as you know, not surprising. And let's say, and Jeff, I think you, you know, what you said really, you know, rings true to me is 'cause you know, Active Directory is an, you know, is an IT function. Is, you know, is, is, you know, in our cases is an IT, you know, is an IT function.

But who takes care of the day, you know, the care and feeding of, you know, Active Directory. We do, you know, and we're on, we're underneath the, you know, we're underneath the security side of the, you know, side of the house. There's so much it's so, you know, it's so interesting to me.

And, you know, in the last three years of being in this position of, of trying to learn that my, you know, that I have different audiences that I have to, you know that, yeah, that we have to work together with to be able to get, you know, to get identity handled, you know, handled properly.

There's how do I, you know, how do I talk SLAs to the business and then talk about, you know, how does single sign on actually work in the background to that, you know, to the IT side of the house and what you know and what you know and their concerns with it. While then keeping a balancing act of my, you know, my stakeholders in security. Asking the question of, well, can we make sure that we know that this guy really is in California or is he in New York?

Let's let you know, let's let's know who were the right answer of that. You know, the location of these users are, it's a, it's a, It's an interesting, interesting challenge. You know, another thing you brought up in your question or your topic, Chris, was are some of these things going to go away?

And I don't know if you were hinting at like, OK, AI is going to do these things for us. Because I look, if AI does, if five years down the road, we're not just allowing business users to go into AI and say, I need to rerun a recertificate recertification campaign of all of my users who use this application. And I want to send that to this manager or the person's manager or whatever and basically use prompt engineering to construct their own access certification.

If that's not available in five years, like what has AI really done, right? I mean, that should definitely be available in five years. And I got to think IGA companies know that if if they're not doing that, someone's going to come along and invent that. So, yeah, I think some of these jobs that you know, I remember when I ran the IAM program for a bank, we had a person completely dedicated to running access certifications and managing access certifications that were in flight. Once those were all done, generating the reports and getting the next round started so that we could attest to access on a quarterly basis, those things had better go away, right?

I still do have that guy, that guy you're talking about who does the quarterly certifications that we do function as a bank. So therefore, you know, I do have that person on my team that that they really do or they do run access certifications day in and day out, night in and night out trying to trying to help manage, you know, trying to help manage that expectation. I've been, you know, we are of course, you know, interested in AI and kind of looking into what, you know, what AI can do. But as a side note or tangent, I've been looking at it as a, really as a, as a big data model kind of scenario more than a, you know, more than necessarily an AI one. It's how do I take the, yeah, you know, how do I take not only my IGA data, but my ServiceNow data and my cybersecurity applications data and my, you know, and other forms of data? And how do I put those things together to, you know, build a bigger picture of what, what's out there to be able to answer, you know, to be able to answer more concise questions of is that access really being used? Does that access? It does, is that access really appropriate anymore by by looking at the, the metadata around everything around it? It's a it's a great question and I would love, I would love an AI to help me do that, but I'm I'm not there yet.

It's going to get better, right? I think AI, this is the worst it's ever going to be. It's going to keep getting better from here. And it's already pretty darn cool. I mean, I'm a I'm a fan of it. And the good news is you picked three really easy blog topics to get into. So I'm sure it'll be super easy to to come up with different viewpoints. And I'm curious to see, you know, the comments and the feedback. So I'll be looking forward to those.

You've been very generous with your time and it is a Sunday, so why don't you go? You even went in, you even went into the office to record this. So you know, above and beyond, but I have something very important to ask you as a Marvel fan or as a co-Marvel fan, what are your thoughts on Robert Downey Junior being announced as Doctor Doom coming back to the Marvel Universe? So I'm really curious on whether or not the mask will actually come off.

You know that when reading the articles and reading the things that they talk about, you know, about Robert Downey Junior doing that, you know, being Doctor Doom, I think the actor has the, you know, has a great ability to play, you know, to be able to play the part. Can he play that villain? Can he play that, you know, that kind of empowered just like, you know, master of all kind of, you know, kind of character. Absolutely. Robert Downey Junior's can knock that, will knock that out of the park. Will they, though, take the mask off? Will, you know, will there be scenes in any way, form or fashion where we really know it's him underneath it in any way, form or fashion? I don't know how they do that. I don't know if they had I, you know, I would like to think Doctor Doom can't take it off. And therefore it's not a, it's not a question. But if there is, you know, are we doing a multiverse thing here? You know what's the, you know what's the, you know what's the play.

Well, yeah, I mean, he is Iron Man. He told you this, you know, point blank to the camera, right? And then he snapped his fingers. You know, that's that mean, that's a benefit, right? He's used to playing a character with a mask, being an Iron Man. Now, obviously, Tony Stark, you know, pulls the mask off much more frequently than Doctor Doom. And I'm sure they'll take liberties because, you know, they have to make a movie kind of out of it. But it'll be interesting to see how it goes, I think. I think it's interesting to have the same actor playing two different roles within the same universe. And how do they explain that?

Is it a multiverse angle? Well, you didn't, you know. If you didn't, you know. I don't want to, you know, a little bit of a spoiler if you haven't seen the Deadpool Wolverine movie yet. I have. Not, don't spoil it. All I'll say is is Captain America makes a, you know, makes an, you know, makes an appearance. And then you'll see something else happen there too. That'll be you know that you'll that'll come to that same question.

OK, well, I'm a fan of Deadpool, so I'm looking forward to seeing that what I can. Jim, do you have any idea what we're talking about? None. None whatsoever. Actually, I did know that there was a Deadpool movie. And Wolverine. Jesse for Ryan Reynolds. Yeah, you're right. I know that Ryan Reynolds is the Deadpool, but that's all I know. OK, now I'm kind of like anything else they say is totally uninformed. So when you hear the the character Doctor Doom, what comes to mind? Just amazing. So those comic books were around when I was a kid. So I'm familiar with Marvel comic books. And what I've found is like when these movies come out and they had the the surprising things nobody was expecting, it was in one of those comic books like #138 that I mean, who the heck is going to remember every section of a comic book? So I think the creators go back into the comic books and one of the things that I, I'm always shocked by is like how dark some of those comic books really got because I didn't realize it when I was a kid. I was collecting them and looking at them, but I wasn't looking at them in the way an adult would look at them, right? To really understand like the subplots, it's just like you're looking at them like kid, like, oh, that guy's cool.

That guy's a bad guy. I don't like him or whatever. So, but I always think it's neat how they tie it back to a real comic book. And there was like, Oh yeah, we should have known that was coming. It's kind of like how Game of Thrones tied back to those books and like people who are like, really geeked out on the books. What was it like fire and ice or something like that? They'd be like, Oh yeah, they kind of knew what was coming, etcetera. So it it's similar to that, yeah. Well, it'll be interesting to see that Doctor Doom. So he's the the main villain that's opposite of the Fantastic Four. So I know that there's been a Fantastic Four in the past. I don't think it was fantastic, but it was it was fine. So I know they're kind of rebooting that, but it'll be interesting to see how it goes. I just thought it was interesting. And you know, if you've seen the clips at this point, right, Robert Downey Junior comes on the stage, there's a bunch of different Doctor Dooms and he pulls off the mask and then you see him. And this is how they announced it like Comic Con or something like that. So it got it was it was it was kind of a cool reveal to be I guess maybe if you were in the room, you're like, you know, holy, you know, whatever.

That's Robert Downey Junior. And you know, after him having had such a successful, you know, journey to the whole Iron Man kind of process and then to the The Avengers, it's kind of interesting to see how they. How they tackle that or if they just ignore it, they got. It's just it's a different role. So aren't there like 2 lines of comic books? There's like that and then there's the one where they had like the what's the the the League of Nations or something and I remember seeing a commercial now where Aquaman is fighting that one guy who's got like the the. What, are you mixing DC and Marvel? DC and Marvel, that's what I'm saying. That's yeah. I can't keep up with that stuff, man. I don't know how you guys do. DC has not had a successful film background. I would say with the exception of Batman's movies, they've probably done the best, but they haven't really been tied to like a DC universe of like Superman, Wonder Woman, Batman, The Flash, etcetera, those sorts of things. I think Marvel has definitely done a much better job of getting their characters out there and, you know, producing good fun films to see. Wasn't there like a Superman versus Batman where they were fighting with each other and it was like, that was pretty dark, wasn't it? Most of the DC films have been dark.

I don't know Chris about you, but I feel like DC tends to be a little of a darker approach to their characters compared to Marvel. Yeah, DC's always been darker that, you know, Marvel's always been, you know, Marvel's always been a little bit more upbeat and a little more like there's a, there's a happy ending to the story kind of thing. Where in a DC movie, there's no guarantee that the movie doesn't end with people, with everybody dead.

And, you know, and like you and, you know, and the storm clouds basically, you know, dissipating around the, you know, around the, you know, around the world. That's a normal. That's a normal look. All right, well we got into it. I was curious, Chris, to see what you thought about our opportunity to coming back, but let's go ahead and leave it there for this week. Chris, thank you so much for your time. I'm going to have a link in our show notes to your LinkedIn article.

Connect with Chris on LinkedIn and you know, maybe provide some some fodder for articles coming up or opinions and things like that. Jim and I are on LinkedIn, so definitely connect with us and you know, send us comments, feedback, etcetera. We're on the web, idacpodcast.com, Twitter, X, whatever it's called, at IDAC podcast. If you're watching this on YouTube, thank you so much. Hit that like and subscribe button. That's the best way you can help us out. If you're not watching us on YouTube, do us a favor and jump over to YouTube real quick and and give us a subscription. That would be fantastic. To make it easy, you can hit idacpodcast.tv. That'll take you right to our channel. And yeah, we'll go ahead and leave it there. Thanks everyone for watching and or listening and we'll talk with you all on the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show.

Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.

Transcript source: Provided by creator in RSS feed.