¶ Introduction
We're here with a new take on identity, identity security, identity governance, and we're here to disrupt the space. These organizations are sitting on a treasure trove of data that could absolutely reduce risk, and a tool like this sounds awesome. We looked at this and said there's got to be a better way. You have to be able to go where the data is, and you have to be able to do this with a business user who we think of as somebody who is almost always a novice,
like a perpetual novice. This needs a solution that just works and works with the system where the data is, and that's what we set out to build. We want to be the best integration platform that our customers can rely on. We're building a system around this to solve what is probably a decade-old problem, but it's one we're very confident about solving. This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman.
¶ Welcome to the Identity at the Center Podcast
Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad. Yourself? Hey, did you say Identity at the Center? Because I thought this was AI at the Center. I think I'm on the wrong podcast. Sometimes, but no, Identity at the Center. That is maybe our future podcast, AI at the Center, but it seems like it's creeping into a whole bunch of different things these days in the identity space. I think you should just start getting the domain names locked down now. Yeah, I've already thought about that.
¶ Spotlight on Zilla Security
But why don't we turn to this: this is a sponsor spotlight episode, right? So we create these in collaboration with our partners that are out there, and they come on and share insights and things like that. So to make it very clear, this is a sponsored episode. So everything you hear today is sponsored by Zilla Security.
We've had them on in the past. So they were with us back in March. We had Deepak Taneja from Zilla join us earlier in the year, and that was episode 269, I think, back in March.
¶ Meet Nitin Sonawane
And so we've got another one today, and I'm very excited to announce we've got Nitin Sonawane. He's the chief product officer and co-founder of Zilla Security. Welcome to the show, Nitin. Thank you very much for having me. Yeah, thank you so much for taking the time. And as I mentioned before, this is the second time that we've done one of these with Zilla, and the first one was well received, and hopefully this one will be as well. I'm sure it will.
Why don't we get into this, though, because this is the first time you've been on Identity at the Center, or AI at the Center, depending on where we're going to go with that. How did you get into the space of identity? Is it something that you chose, or did it choose you? No, identity chose me. Actually, I got into this domain when we started Zilla Security.
And as I was getting off my previous startup and looking to do the next one, a friend and ex-colleague connected me to my co-founder and our CEO, Deepak Taneja. And we bounced ideas off of each other for quite some time. But very early on it became clear to me: hey, I want to work with Deepak and start my next thing. And over time, as the idea evolved, it turned into Zilla Security.
¶ The Role of a Chief Product Officer
So you're a chief product officer? I'm always fascinated by titles and roles in our industry. What does a chief product officer do? That's a very good question. And another dimension to that question really is that the role itself changes as the company changes and the company grows. So at Zilla, I run our product and our engineering teams, so both the engineering side and the product management side. And the role has also evolved over time. So early in our days, I would write code, and now less so; now there are better people than I am that write code, better engineers, and also people who are better product managers than I am that do the product side of things. So that's how the role has evolved. And as the company continues to grow, it will evolve even more. Yeah, I feel like that's an important part of any role, right? You have to adapt to whatever the needs are of the organization or the moment, whatever that looks like.
¶ Overview of Zilla Security
For people who are not familiar with Zilla, if they missed the first episode that we did, tell us about Zilla Security. What is it that you guys bring to the market that people should be aware of? Yeah. So at Zilla Security, we've really taken a step back, and as you know, our CEO, my co-founder, Deepak Taneja, has spent an entire career in the identity space. And I think you folks, on an episode that he was on, called him the Tom Brady of identity. And honestly, it is so apt. And in part, actually, I really wanted to come on a podcast with you guys also because I'm not from the identity world, and like today's episode, to me, it feels like I've arrived, right? Just one of your episodes I listened to, and it was like, boy, that intro music, I gotta get on this podcast. Flattery will get you everywhere on this podcast. Keep going.
Yeah. So, all that said, with Deepak's background and deep expertise, and a fresh set of eyes on the identity space, and honestly on the tech world at large as it has evolved over the past decade or so, there's a couple of completely orthogonal evolutions that have happened in the space, right? One, of course, is cloud and SaaS, and everything else has taken on a scale and magnitude that it never had 10-15 years ago.
But the second thing that's happened is the level of business involvement in systems and applications, and business owners and people who really are not IT administrators, let alone identity people, right? They're not responsible for managing much of what turns out to be identity related.
And so at Zilla, we took a look at this whole landscape, and there's got to be a better way to do things than the path the legacy systems have taken. So we're here with a new product, a new take on identity, identity security, identity governance. And we're here to disrupt the space.
¶ Challenges in Identity Governance
It's funny that you mentioned the business, because I feel like this is something where, if you're in this industry, especially if you're working as part of an IAM real-world scenario, a lot of times there's this idea of, hey, we want the business to be more involved in identity, but they're not identity people. And yet we're asking them to make decisions on whether this access is appropriate, and we just kind of assume that they know. They don't have those answers. And that's not always true, right? That's right. In fact, what's interesting is that we are now calling on business people more and more to do a lot of things for us, right? We call on them to set up and configure and build integrations into systems. And when that fails, we call on them to do screenshots and screen scraping and things like that. And we call on them to do access reviews.
And we put in front of them some very complex entitlements and tell them to say it's OK. And more often than not, they don't know what to do. And so they do what naturally allows them to go do their day job, which is to say approve, and they move on, right? So I think increasingly we've called on business users, and we'll continue to do so, because this is not a trend that's going to disappear overnight. This is a long-lasting tectonic shift in the way IT operates, and this is here to stay. So everything we do around security in general, and identity particularly, in this new modern world plays a much more central role than it ever has. So it plays a central role around security.
And wherever there are security concerns, obviously compliance follows, because compliance wants you to show them that you're doing what you said you were going to do. And so now you have a security problem or a compliance problem in this particular new world. And of course, if you are giving people access and you're taking away access, you have a provisioning and deprovisioning problem, right? So it's all, in some sense, a new world where business users are being asked to play much more of an active role in something that they'd rather not do. You know, Nitin, we reached out to Deepak Taneja, whatever it was, maybe 6-9 months ago. I guess he's really somebody who was around at the beginning of identity. He was one of the key people who kind of developed this IGA space. And the IGA space in my mind is all about ensuring that the right people have the right access. I don't think IT or information security can make the decisions on who gets access to what. That's got to be the business users. What IT or IS needs to do is give them systems that make sense, that they can use to do that role, to fulfill that role that they have in managing access.
¶ Innovations with Zilla Universal Sync (ZUS)
And one of the things that knocked my socks off with the Zilla platform is what you do with ZUS, and the ability to use a tool that I've never seen, and I still haven't seen, from any other vendor. I'm not just saying that because you're doing a sponsor spotlight, but seriously, this is innovative stuff that people need to go out and check out if they haven't already. We're just kind of highlighting on your screen where certain fields are so you can do an access review. That level of automation can really enable a business user. It's not just using more friendly business terminology, which basically gives it a quantum leap, but now that you've introduced AI into the process, it fundamentally improves your ability to put those decisions in the business's hands. That's right.
And again, we took a step back and we looked at what our customers were doing, and our customers, and the people we wished would be our customers when we started Zilla Security, they had this problem in droves. And it was appalling how we ask business users, often people who manage very sensitive systems, right?
So these may be things like banking portals or insurance portals and things like that, where there's a real need for identity governance, right? And so we looked at this and we said there's got to be a better way. You have to be able to go where the data is. And you have to be able to do this with a business user who we think of as somebody who is almost always a novice, like a perpetual novice, because he or she gets called on to do this, particularly when it comes to things like SOX compliance, every few months or so. Or, you know, six weeks, eight weeks, whatever your cadence might be.
And they dread it. And so ZUS was born out of this: this needs a solution that just works and works with the system where the data is. And that's what we set out to build. In fact, one of our engineers who spent time building ZUS, somebody that I've worked with ever since he joined me in a startup many moons ago as an intern from MIT, really got creative with how we can make it super easy to essentially learn from the DOM of the console of the application that you're on. We filed a patent for the work we have done.
We're very proud of it. And we've taken that many, many steps further, and we intend to take it even further, so that the app owner just simply trains us. It's a one-time exercise; from then on, we know what the system is. We can enable them to set ZUS up so that it runs in a headless browser on a nightly basis. It's able to bring in credentials from a secure storage vault, log into the system, and get the identity and access data, whatever it needs. We extended ZUS to be able to go grab things like last login. This is always a blind spot: are people using the stuff that we give them, right? What's the MFA status of this account that they have access to, and any other data that's present in the system. And it comes back into the Zilla system, if you will. So we're very proud of Zilla Universal Sync. But more than that, I have been surprised at how effectively many of our customers have used Zilla Universal Sync, or ZUS, to solve their business pain points. Yeah, I'm going to echo what Jim said. I have not seen another capability that looks and feels and smells like ZUS. It's very interesting.
I would definitely encourage people to go back, because we did spend time with Deepak talking about that earlier this year. So episode 269, go back and watch or listen to that one. Let me put you on the spot here real quick, because something you just said sparks a question I've got. You said you were surprised at kind of what your customers are doing with ZUS. Is there something, you know, a creative thing, something quick, just like, wow, I never really thought about it from that angle, like, oh, what does that help me with? Manifest the surprise in my brain. Yeah. So the thing is, and I think you alluded to this earlier, it's identity governance, and Deepak was part of forming the identity governance space.
Last week we were at an event here of CISOs in Boston, and we jokingly said, you know, Boston's the birthplace of IGA, which is really true, because IGA was co-founded in part by Deepak. It was an outcome of Sarbanes-Oxley regulations and things like that, because it was intended to avoid a lot of fraud, right? And so if you come back and say, OK, well, the whole purpose was to do identity governance because people do bad things with the access that you give them. Sometimes they do trades they're not supposed to. Sometimes they do just downright financial fraud. And so at its core, really, what it comes down to is that there are systems where sensitive financial transactions can be conducted, and things like that.
And that's what they need governance for. And what surprised me is how many of these systems are just so, you know, 1990s, if you will, right? And they are that way for a good reason, because a banking portal has no real business driver to just become modern because we all say so, right? But the governance problem doesn't go away, right?
Or even other administrative systems that you look back on and you're like, oh yeah, it is critical, it is very important that there be governance around who has access to being able to manipulate your corporate Wi-Fi network, right? Of course you need to be governing that. And that's not important. That's sort of what I mean by I've been surprised: it's because of the range and the breadth of systems that have been used with ZUS particularly, and all our other integration capability, right? So one of the observations that Deepak also had early on in the founding of Zilla is basically, look, IGA programs go sideways because they just don't succeed at onboarding systems, right? And whatever terminology you use, whether it's onboarding systems or whether it's integrations, the reality is it's all anchored in being able to effectively connect to the systems that you're trying to govern, and being able to either collect from them, if all you're doing is compliance, or being able to provision into them, deprovision from them, and so on, right? So IGA programs are anchored in integrations, right? So that was an early observation. Like, if there was a thing that said, this I believe, right? Like at Zilla, this we believe: IGA programs are anchored in integrations. And if that's the case, and that's the pain point that our customers are facing and the customers we want to have are facing, then we've got to be an amazing integrations platform. So let's go build that, right? And so all the API integration capability that we've built, all the stuff that we've done with Zilla Universal Sync, all the things that we're building in order to be able to get in, in a very secure manner, in a hybrid network, all of that's kind of borne out of that, right? Which is that we want to be the best integration platform that our customers can rely on. And ZUS was part of that. We've also done, and ZUS is all no-code, right? So nobody needs to write Java code. As I say, it doesn't get much easier than that. No, I mean, it's like you're on an identity and access team in any enterprise. Like, do you really have the ability to hire Java developers to go build stuff for you? So it's a challenge, and it's the practical reality of the world we live in.
So ZUS is no-code. In addition to a very large number of API integrations that are out of the box in the Zilla product, we've built no-code capability so that for a system that Zilla has never seen, you can simply tell us: this is going to be OAuth authentication. By the way, here is the client ID, here's the client secret, here's the REST API endpoint that you can call to go get the user record, and here's what you would do to go get the group record. And in a short period of time, you will have built yourself an integration, right? And so that's sort of the standard that we're holding ourselves to. And this started validating itself early in Zilla's life, because we would routinely, and that was the time when I did POCs.
And it's like the chief product officer job evolves over time, and when I would do POCs, it was very important to learn from the customers firsthand. It continues to be so. But it was like people would tell us, I've done more in the hour that I've been on the Zoom with you in a POC than I did at my previous job, right?
Like, we would hear things like that, and that sort of validated the belief that we hold here at Zilla Security. Well, now ZUS is old hat, right? There's new stuff coming up. Oh, it's going to be amazing. I think there's a lot that we are doing with ZUS. There's a lot we want to do with no-code integrations.
We are in the process of building a community that can collaborate on helping each other with the integrations that get built. This thing that's taken the world by storm in the past year or so, large language models, are amazing at figuring out stuff that's in public documentation, right? So we want to figure out how to bring that to bear on essentially solving the foundational problem, which is, look, you've got to make it easy for an IGA program as it gets up and running to just integrate, and then the program runs on top of that. It's kind of like you can't lay a foundation and build an amazing house on a rickety foundation. I think that's really how we see it. Well, you can, but it'll fall over. It'll fall over pretty quickly. Not advised.
¶ Future of AI in Identity Governance
Well, why don't we talk about what's coming up next? Because you're here to tease some new features and new capabilities that are coming up for Zilla, right? Yeah. So we've taken a real hard look at IGA and the problems and all of the manual work that people get called upon to do. And the thing that we talked about, right. So what we are working on is, a year ago or so we started taking a hard look at AI and ML, and we did a bunch of experiments and we're like, OK, what is it that we can do and build that adds real meaningful value to an identity team and makes a difference, right? There's a lot of gimmicky things that one could be doing, and we're sort of shying away from that. And so the fact that we call upon people to do the same sort of access review quarter after quarter after quarter just shouldn't be this way, right? And so we're bringing AI to bear on a somewhat age-old problem, which is, how do I take all the data, this amazing set of integrations that are there in the Zilla platform that connect to all your systems and now know who has
access to what. Now how do we take that who-has-access-to-what at an individual level and have a machine learning model learn from all of that and say, OK, from here, what I can tell with a high degree of confidence is that just about everybody who is doing QA has this access in Jira, for example, right? Or all salespeople should have access to Salesforce, right? I think we as humans intuitively understand that, but we as IGA practitioners have failed to take that intuitive understanding into practice, right? And honestly, the problem here is that even people don't know where to begin, right?
And there were valiant efforts made a decade or so ago, including by some of my colleagues here at Zilla, to help organizations figure this out by creating what one might now call organizational roles, right? And organizing these teams, a role mining team that centrally tries to figure out who should have access to what. And then they try to solicit feedback from business users who want nothing to do with this, right? Having been on one of those role mining teams, I can tell you it is tedious work. And sometimes effective. Sometimes effective, right? And so one of our team members here, who was on the founding team at Deepak's previous company, Dan, likes to say, you know, roles... And he's spent, just like you, Jeff, he worked with the largest enterprises in the world trying to help them solve this problem with what was an emerging tech at that time, right? And he came to the conclusion, he goes, you know, roles are like a floor wax and a dessert topping all at the same time. And the first time I heard it, I fell off my chair laughing. But it just doesn't work. And it has a lot of promise.
You embark on these things with a tremendous amount of promise and hope, and a lot of man-hours and sweat later, they're out of date, right? And part of the other issue that has happened, and we talked about this earlier, is that the context of what type of individual in the organization should have access to what type of app is now even more federated than it ever was, right?
So while one might argue that 10-12 years ago the central IT teams had some hope of doing this, here we are in 2024, and they have no hope of doing this. They have no context left anymore. But the context is then in the business, right? The application owners know this.
And when you logically say to the person who owns Salesforce, all SEs have this, they say yes, yes, I know, I give it and I review it. And so our goal is to bring machine learning to bear on this problem and really help the business owner out in a manner that they can then say, OK, this makes sense to me. Everything else is an outlier, and that I'm happy to look at, by the way, because they're outliers.
But the things that are not outliers are ones that AI is able to identify in a meaningful fashion, and then allow you to make a very defensible case to your auditor, which is what the auditors also want to see, right? And so at a very high level, that's sort of what we're working on. Of course, there's a lot of complexity behind this, and the data that we get from HR systems and so on has attributes in it. If you have to leverage them, you have to make sure they're right. And so we're building a system around this to solve what is probably a decade-old problem, but that's one we are very confident about solving. It sounds like a really interesting capability and one that's important too, because I think it's this application of data, right, that you've got in your organization. And now how do we use that to make our lives easier, which I'm always a fan of. I would imagine this comes into a situation where, why do we keep asking the same questions over and over again if we know what the answer is going to be, right? It's kind of like doing an access review for access review's sake. Yes, here is Jeff, here is Jim. They have access to this. Of course, the answer is always yes because of the role they're in.
Why are you asking me this? That's correct. And that's what's so frustrating for business users and supervisors and so on, right? And so a system that can get away from that, but then more call attention to the things that actually need attention, right? I think that's really what's getting lost in this: you dump a pile of stuff in front of me and then expect me, which is not my job at all, to sift through every single leaf in that pile. And so all we're going to do is just get it like, yeah, I didn't find anything, and then move on. Approve and move on. Exactly right, exactly. So whereas this will meaningfully help people focus on the things that really matter, and pay close attention to that administrative privilege that's been sort of being handed out like candy, perhaps, and immediate things like that, right? Which is really what we want.
And again, this is both the compliance outcome, of course, that's what brings people, forces people into action. Often we wish it wasn't that way, but it is what it is. But compliance is there for a real business reason, which is, look, the business doesn't want to have problems and data leakage and breaches and things like that, right? There's not a single business leader that would say to you, yeah, I'm perfectly fine with the breach, right? Like, that would never happen. But if you want to be a hero to the business, make their lives easier and give them easy buttons to reduce risk, reduce effort, things like that. I think that's something that everybody who's listening to this probably should be thinking about: how does this feature or thing that I'm doing help those efforts? I'm curious, I know we're kind of teasing this capability coming out. Are we able to share the name yet? Like, what's this thing called? Or do we need to wait a little bit for that? Yeah, I think we're putting the finishing touches on this. We'd love to tell the world more about it pretty soon.
And the ultimate objective in this is, when a new employee steps in the door at my company, I should be able to figure out what access they need in order to be productive on day one, right? And it should not be something like, oh, make them like John, or make them like Jane, because you know what? No, Jane's been around here for a while. Jane has a bunch of administrative access, right? Because Jane's super smart and super careful. We don't know about this person. So, something that really, in a way, makes that person productive. Again, we talked about the security side of this; we want to make sure we do this in a least-privilege manner.
And so that tees up sort of the three stools we think of in identity governance, the three legs of the stool. Three stools? Three legs of the stool: security, compliance, and provisioning, which is making people more productive as quickly as we can make them.
¶ Balancing Security and Compliance
So Nitin, you talked in terms of outcome around a compliance outcome, but I'm seeing many other outcomes. I'm seeing a security outcome. So Jeff and I often use this fictitious scenario of, do people really need to approve access to the cafeteria menu? An application or a file on a share that is the cafeteria menu? Does someone actually have to go and approve that? Or is the risk so low that we could just give permission to the cafeteria menu to anybody who has an account? They've gone through enough vetting, and that information is so low risk to the organization that it doesn't have to pass through human hands. And by not passing through human hands, you no longer have the hurdle of, now I have to manage X number of approvals, and I start getting into rubber stamping because this is just too much. I have a day job. I don't want a part-time job approving access. So now you have, well, obviously the efficiency driver, because there are fewer approvals to make. You have an accuracy driver, which leads to better security. So you have a security driver. So I'm seeing all those things
in what you're saying. That is exactly how we see the world too, right? An early advisor to Zilla, a CISO, said to us, I think of security and compliance as two sides of the same coin, because compliance is all about demonstrating that the security best practices that you said you intend to follow are the ones you follow, right? And so security and compliance outcomes kind of go hand in hand.
¶ The Role of Automation in Compliance
What is interesting is that the compliance outcome comes with an additional burden. And you alluded to that just now, which is about accuracy and completeness, right? Because as soon as it becomes a thing of compliance, now the auditor wants evidence. And so another problem that we set our eyes on at Zilla around access reviews was this evidence problem, right? Which is, now we're kind of flipping it a little bit, right? Now I'm a business user. My job is to make sure the organization is compliant, right? So in the same way that the other business users are there to do their job, I as a business user have to become compliant, right? And so our direct customers, the people who buy the Zilla product, they need a business outcome.
And their business outcome is no dings on the audit, certainly not SOX and things like that, because that gets the CFO's attention. And nobody wants the CFO's attention. And prove it to auditors who in their past life have been accountants, because they're used to making sure that the pennies add up, right? And so on the compliance side, we're faced with auditors who really check every line, and they need all the evidence.
And so that's another thing that we brought automation to bear on, right? Which is, look, nobody should be manually saving these things in Google Drive folders or in SharePoint folders and things like that. It's like, why can the system just not automate this? And that's the other thing that we do with part of the access review product: we just automate all the evidence collection.
And in some sense, we help the organization with the business problem, which in this case happens to be one.
¶ AI's Impact on Security and Compliance
Yeah, I kind of feel like in this case, when it comes to AI, it can take that compliance outcome, because you can achieve the compliance outcome the old way, which is you need to review and approve every single request. The security outcome is actually improved by inserting AI, by just putting a focus on what humans really need to decide. Now the AI has to learn and be able to accurately recommend or make decisions that auditors aren't going to question.
So there's probably an element of, you know, people having to build that confidence, auditors, IT people. But I think it builds over time as you can show that actually we're getting more accurate results using AI than having people potentially rubber-stamping access. And if you use a risk model and speak in the terms that CISOs think in, right?
I mean, all of us as identity consultants and practitioners, we're in the game of being risk evaluators and speaking in terms of risk. And this is really about reducing risk. That's right. That's the goal of compliance. But then when you look at actually how you achieve compliance, I don't know that it necessarily always drives better security.
That's exactly right. And in part, I think it happens because you're overwhelming people with things, and what you put your finger on is exactly right. I think being able to assess the risk and call attention to the entitlements that are high-risk and highly sensitive versus, you know, I like the cafeteria menu analogy, right?
Because they should not get commingled in a manner where everybody thinks of the administrative entitlement in an AWS account as equivalent to cafeteria menu access, right? They're completely different levels of risk.
¶ Risk Management and Identity
You also want to call attention to other aspects as well, like, for example, identities that are related to machine integrations, right? So identities that are service accounts intended for an application, identities that inherit entitlements in not very obvious ways, right? And this is where we can bring AI, and more specifically large language models, to bear.
You'd be surprised at how good they are at being able to tell you whether an AWS policy is something you should consider privileged or not. And most people can't do that.
So again, I'm a ten career writer. I want to try to envision how this new functionality is going to work. And let's take a scenario. Jeff hires Jim for the IDAC Corporation, which I would never do. That would never happen. Well, we don't have a cafeteria menu either, Jeff, so I would like to file a complaint. It's been getting very boring in terms of what we eat. But let's just say Jeff wants to give Jim access to the cafeteria menu on one of his first days, and that's not a birthright provision. Walk us through how the system evaluates that and decides on it.
¶ Streamlining Access and Approvals
Yeah. So the way to think about this is, when Zilla integrates into all the systems, the HR system and so on, now we have a good map of what type of individual gets access to what. And now we can answer the question with a high degree of confidence: if Jim is walking into the corporation with such-and-such job function, as identified by different attributes that are there in the HR system, what must Jim have access to and what may Jim have access to, right? And then the last thing is that everything else is just outliers, right?
So if you sort of think about it, this is probably how we as humans might even think about it, logically speaking. It just has not been very easy to operationalize. And so if you've determined that this is what you must have access to in order to be able to do your job, then those in some sense should just be treated like birthright access. And if there are other entitlements that you may get, then those could be things that are in some sense not standing entitlements, but perhaps pre-approved. Pre-approved in the sense that you ask for them, you get them, nobody needs to review and approve, right? And then there's a separate decision that application owners can make on whether they are standing entitlements or whether they are ones that are time-bound, or whatever that is, right?
But it's sort of like, this is what you must get, and therefore it is something that I as an application owner have determined I don't need to review. It is something that I can present as defensible to an auditor. An auditor looks at it and goes, OK, great, this is your review. Here is this thing that you told me these sorts of people may have. And that makes sense to me. I don't need to look at every single granular entitlement, or I may want to look at it. I'm an auditor, I don't know what I'm going to want to look at, right? Or I should rephrase: the rest of us don't know what they're going to want to look at. And the funny thing is that every auditor is different, and every auditor in every audit firm is different.
But at the end of the day, we think of it as, I don't really care, right? The audit is a business outcome that's just got to happen. Or rather, a successful audit is the business outcome. The audit can take place, and that was all it took to be successful. I think we had a lot of happy people out there. And so making that defensible in an evidence package that says, hey, this is our practice, right? That's sort of the shape of the solution.
I hope it logically makes sense to all of us. So then people get what they need. People can request what they need. It doesn't get gunked up in the approval process. And then the reviews are streamlined. So it delivers value in all three of these different legs of the stool, if you will.
We've talked a lot about this; this sounds like a data thing, right?
¶ Leveraging Data for Risk Reduction
We're pulling data. You've got all these connectors that are in place already. And so you're taking that data and saying, okay, here's what we think should be. And I would imagine then some IGA analysts or IAM analysts would probably look at that data and say, OK, do we need to maybe tweak our onboarding roles, or do we send this to the business and have them make a decision, and sort of help with that modelling process?
You talked about the auditor use case, which of course, they're going to look at everything, and sometimes they don't even know what they're looking at. Sorry, that's my jab at auditors. But what about folks like CISOs?
I mean, I could imagine it'd be very powerful to get their data back to say, here's what my organization has and here's what people have access to. What are some of the scenarios that you see where a CISO would take this data and help reduce risk for their organization?
No, that's a very good question, right. So as a CISO, there's a bunch of different outcomes you would be
looking for. The risk reduction is clearly one. Another outcome you want is that you want to be a partner for the business and you want to enable the business, and that means being able to make people efficient and productive and so on and so forth. The other thing, of course, is you're responsible for a compliance outcome. You want to make sure that happens, right?
Because that is, again, a business outcome as far as you're concerned. So as a CISO, you have to do all of those things, and then in terms of risk reduction, getting people to least privilege in a manner that doesn't have them pulling their hair out every time, right? I think that's important. So sort of just evolving this practice as they go.
I mean, it's interesting you put it the way you put it, Jeff, which is that it's all about data. Isn't it amazing that the entire industry has done so little with the data that we're just sitting on, right? And so that's, you know.
I feel like it's an untapped resource that organizations really aren't leveraging. It takes a while, right, for the organizational cycle for investment. Identity and access management tools typically are not very cheap, and it requires resources to run them. And so it takes time, right, to get those tools in place. And you might have a good idea now, but it really doesn't see adoption until five years, 10 years, whatever that upgrade cycle looks like. But man, I mean, these organizations are sitting on a treasure trove of data that could absolutely reduce risk.
And a tool like this sounds awesome, to be able to say, hey, what are we doing with that data? Let's pull it back. Let's do something with that data. I mean, it doesn't do any good sitting in a SIEM or some other logging tool where it just doesn't do anything until something bad happens.
That's right, that's right. And also, let's be more proactive, and also be able to tap that data when you do need to pay attention to something, right? So I'll give you an example: the recent incidents that happened around Snowflake, right? If you think about it, it was essentially a chain of events where there happened to be certain service accounts tied to Snowflake databases, and these accounts didn't have MFA on them, right? And so they were susceptible to password spray attacks and what have you. It's always the basics. It was really the basics, right?
And so if you think about it, when something like that happens, first of all, you would think you want to be proactive and you want to be able to catch this very proactively, right? So that's certainly one outcome you want, which is, hey, if you have a risk reduction strategy of having multi-factor authentication across the board, you as the CISO should be able to answer the question, where are my risks associated with this lack of control, right? But the other side is that when an incident does happen, you should simply be able to ask the question, where does this affect my organization? And I think a system like Zilla will answer that, and many of our customers got that answer practically right away, because that data was there in their Zilla system, right?
And at an enterprise scale, an enterprise security team should be able to similarly answer the question, well, which of the 1200 Snowflake instances we have across the board have this problem, and what is the extent of that problem, right? And that's also another interesting dynamic that we'll see unfold over the next few years in this industry at large, which is the security threat detection and threat hunting teams that have sort of stayed away from identity, right? Like we're not bad people, but operationalizing this identity data as part of the SecOps practice is also something we will see evolve over the next few years. Again, in part because of what we all know as identity professionals, that it really is increasingly going to be more relevant for security.
So, Nitin, one of the things
¶ Future of Identity and AI
that we end up debating on the show maybe every episode, or at least every other episode, is where's identity three to five years down the road? What's going to have the biggest impact? And nine times out of 10, it's AI. You guys aren't waiting five years, right? You're getting some of the benefit of that right now with Zeus, which we talked about today.
It seems like if we just asked you the question, what's going to have the biggest impact on IGA five years down the road, you would have said AI. My question for you is, what's next? What's the future for Zilla Security?
Yeah, the future for Zilla Security: we are really excited about this particular space and the importance of identity as we see it in the future around security and compliance and everything else. So we really want to bring this modern, automation-centric approach to bear on the problem. And sometimes the solution calls for creative uses of AI and ML like what we talked about. Sometimes the solution calls for creative uses of different forms of technology, like Zeus, and bringing it all together in a simple, easy-to-use, intuitive interface, sort of pulling together a complete solution.
That's how we see us evolving, not building techie solutions for techies' sake, right? Where you have to go into every integration with a configurator to bring up a JDBC driver, you've got to go do this. None of that, right? No other vertical does this. I don't understand why we would or should. Don't tell me we're special like that. You know, we are very special.
So that's sort of how we see it. And so you'll see us bring AI to bear, as appropriate, on the age-old integrations problem. You'll see us bring AI and other creative solutions to bear on the classic roles problem. You'll see us do a lot more automation in terms of making the lives of people who are worried about compliance easy. And there's a lot there in all three of these.
And then you'll see us helping the security and SecOps teams with the Zilla product, as those spaces are no doubt meant to get closer and closer.
¶ Astronomy and Identity
So you're used to looking to the stars for inspiration and to find out what's next. That was my very clever segue to get into what I really want to ask you, which is astronomy. We were talking before we hit the record button. You mentioned that you're an amateur astronomer. Now, I'm going to say you said you're an amateur astronomer, but then you said, was it co-rent or co-own, a telescope. OK, when you say I own a telescope, that doesn't strike me as amateur.
Well, it's interesting, right? The professional astronomers are the people who get PhDs and such and really spend their day job doing astronomy, whereas we're doing identity and identity security as a day job and then doing astronomy as a hobby. But yes, there are multiple very active astronomy clubs throughout the country, no doubt. But one of the oldest ones is here in the Boston area. And believe it or not, at that time, 100-plus years ago when it started, it was called the Amateur Telescope Makers of Boston. And so the name has stuck. Because back then, of course, making a telescope was a big deal. There was no easy way to get one. And so we joined that astronomy club 20-plus years ago, actually maybe 25-plus years ago.
You're a long-timer.
And we really enjoyed being part of the astronomy club, and we would go on long camping trips in dark-sky areas with the astronomy club, north in Maine. And then a few of us got together and purchased a telescope that's lovingly called Godzilla. And it has a 36-inch mirror, which is a very large mirror. But it's very impressive to kids because it stands 15 feet tall, right? So it's like, whoa, what is this thing? And it's amazing.
It's in a trailer too, right? It has its own trailer.
That is correct. It has its own trailer, and it's beautifully engineered with all the trusses and things. Then you have to put it together, and you set it up, and it takes about an hour to set it up and a little less than that to tear down. And so we would have a great time with that. And I say we would because, in the intervening years, kids came along and astronomy has been on a bit of a hiatus for a period. But that telescope is incredible. It's the largest telescope on the Eastern Seaboard here.
Oh, wow. So Boston is the birthplace of IGA. It has the biggest telescope on the Eastern Seaboard. I feel like there's some grassroots movement here, like, can we get that written into the Constitution or something for Massachusetts?
We should, right? The only thing Boston doesn't have is weather that is very friendly to doing astronomy, right?
As a Chicagoan, I can absolutely empathize. That's why I'm from Chicago. So, Nitin, I'm wondering, does the light pollution of being in the Northeast and being near a big city like Boston affect your amateur astronomy?
It absolutely does. And in fact, it gets worse year after year after year. In fact, one of my friends from the astronomy club is very passionate about light pollution and so on, an advocate across multiple towns. And the tragedy of all of this is that it doesn't have to be like this, right? Why would you take a light and point it up when really you want to see what's on the ground? So you'd think it would be the most common-sense thing to do, to have these full cut-off lights that are pointing to the ground and not leaking light to the sky. But it is what it is. And so, yes, you have to seek out darker skies, and it's amazing when you do and you can see the Milky Way in the sky. It's unbelievable.
I mean, you can see that with the naked eye in places like Utah. I was on vacation in central Utah, and you can see the Milky Way and kind of these clouds of, I guess there are gases in the universe, and it's mind-blowing. You can see it in a dark state, I guess is the way to put it, versus near a city.
That's correct. It's mind-blowing. I mean, there are a bunch of things like this that are very mind-blowing when you look through a telescope. I think the one that comes to my mind is something called the Orion Nebula. I don't know if you ever had a chance to see it. It's in the sword of Orion the Hunter. And even if you take a decent pair of binoculars and point them at it, you can actually see that what looks like a star is not a star, right? And through a telescope like the one that we have, you can actually see an incredible amount of detail. You can actually see this fog around stars. That fog has structure to it, and it's amazing, because that's where stars are being born, right? And so now it's like, oh my God, talk about blowing your mind, right? Stars are being born because gas is coming together with gravity, and you can actually see that.
Yeah, I think what's also mind-blowing is when you're looking at a star being born, that might have been 5 billion years ago.
Exactly. That's right. By the time that light actually reaches the Earth, that's how long it takes.
It could be on the decline by now, yeah. You might see the birth and end of it all in a flash of a pan or a flash of an eye, so to speak.
Yeah, so I'm not an astronomer, as in hands-on like Nitin is, but I've watched a lot of these YouTube videos, and with the Hubble telescope that was launched, what was it, like 40 or 50 years ago or something like that, the amount of things that they're seeing now deep into the universe, they're starting to have new understandings about the universe and things like that. I mean, if you go back 100 years, astronomers thought the extent of the universe was what we call the Milky Way. Now it's the galaxy that our solar system is somewhere in the middle of, one of, what is it, millions or billions of galaxies? This is totally mind-blowing. Observable versus the unobservable universe.
Right. Yeah, that's correct. Hey, an invite for you guys. If you're ever in the Boston area, we'll find time to go find a dark, dark spot, and hopefully the clouds will cooperate and we can go look at some cool stuff through our telescope.
I will absolutely take you up on that, so be careful. Cool, we can talk identity while we're at it.
Yeah, right. Well, let's be honest, identity is still at the center no matter how many of these nebulae and galaxies there are. Identity is still at the very center of all that. All right, let's go ahead and
¶ Conclusion and Contact Information
wrap it up for this episode. Nitin, thank you so much for sharing your time with us. It's been really great to catch up with you and understand where Zilla's coming into this. I'll have links in our show notes for people to connect with you on LinkedIn if they have questions, whether it's about IGA or Zilla or astronomy. Either way, I'm sure you're happy to engage on that.
Go out, visit the website zillasecurity.com, Z-I-L-L-A security.com, and of course you can always visit us on the web at idacpodcast.com. We're on YouTube. Come check out our YouTube channel. You can see the faces of these conversations that are taking place at idacpodcast.tv. That'll take you right to us. So I think with that, we'll go ahead and leave it for this week. Nitin and Jim, thank you so much for your time this week, and we'll talk with everyone else in the next one.
Thank you very much for having me, it's been a pleasure.
You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.
