¶ Introduction and Initial Thoughts
I kind of disagree with that. I think much better is kind of a network of informed actors all sharing information, right? Do you have risk? Yes. Do you have a risk assessment? Yes. Do you have an idea of what's dangerous or not? You do as well. And so let's share information, kind of like dolphins saying, hey, the fish are coming to talk about dangerous actions or identities that aren't trusted anymore or people aren't using trusted devices or whatever
else. And saying whoever is listening, we're broadcasting this information out so that you, another component in my client's infrastructure, can take the appropriate informed action. Now, just like the dolphins and the fisher people, the dolphins give the signal. The fisher people don't have to throw their nets. They have complete volition. They have complete control, right? They can just sit there and do
nothing if they want. Shared signals is a way of sharing information about identity context that gives that freedom to the receiver of the information. This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Not so bad yourself.
I'm doing good, man. I've got all my beverages lined up. I've got coffee, Pepsi, water. I'm all set. You got a primary, a secondary and a tertiary beverage. Yes, in terms of caffeine order. OK, and this is a crinkly water bottle that's going to drive me crazy when you try to open that later. Oh, yeah. Oh, yeah. That's. You see, Jeff, I do things to drive you crazy. Yeah. I think all of the listeners and viewers know that by now. Yeah, I think it's an accurate
statement, yeah. So for those of you who are watching on YouTube, you'll see I'm wearing my white jacket with black lapel. So it's a, it's like a white tuxedo jacket. And Ian Singh made a comment on one of the pictures of us from the Authenticate conference that said, I've never seen Jim and Jeff wearing the same jacket. And that's because I'm kind of known for wearing silly jackets. It's actually not silly. It's just a nice jacket.
But, you know, it's kind of like within the spectrum. It's off the spectrum in terms of, you know, bold style. It is definitely a bold style choice, whereas I am more of a traditional, you know, blue sport coat. I love the blue, the blue polo. This is my jam. So I'm happy when I don't have to wear a jacket or anything like that. You like to do it. Me, now, I'd rather be cool temperature-wise before I'm not going to give you that opening to get out.
I'd rather be cool. So we're here at SailPoint
¶ Conference and Discount Codes
Navigate 2024 in Orlando, which, you know, is my favorite place in the world. Yeah, exactly. When it's 70°, you're hot. Yeah, it was last night. It was 70° and it was like, I think 146% humidity. So there was like, you know, water just forming in the air. But yeah, most of the time we've spent indoors in air
conditioning, so that's good. Yeah. And the thing is, like, the allergy, you know, people don't tune into the podcast to hear about the allergies, allergy forecast in Orlando. So we can probably cut right to the good stuff. I will say that one of the requests I got from a person named Rainer was a Navigate discount code. By the time this airs, it's going to be too late for this information to be
valuable. But what I will commit to is that I'm going to keep that in mind thinking about international conferences and getting discount codes. But I think that's one of the reasons people listen to the podcast, right, is that we're able to get these special discount codes, put them all in one place. And what we always commit to is that we won't publish a discount code unless it's the best one that's out there. Yeah. We don't want to be in
competition with better codes. That's a losing argument for us. So I do keep them on our website. So if you go to our website, idacpodcast.com, you scroll down a little bit, you'll see whatever the current discount codes are. So I have them in there. Identity Week actually gave us discount codes from around the world. So when they had their Europe, the America and the Asia conference, that same code
worked for all that. But yeah, we will keep that in mind and try to get as many as we can. Doesn't cost anything for us, doesn't cost anything for, you know, the person who uses it. And if somebody wants to partner with us to promote their conference or whatever and shoot us a discount code. You know, it does cost money, us getting here. It does cost money to get here. So thanks to SailPoint and thanks to RSM for bringing us out here and sponsoring this.
So we're upping our video game slightly. We've got an RSM logo on that one. When we get to our guest, you'll see an RSM logo for that. So that is our day job that Jim and I do and we are actually sponsors here at Navigate. So full disclosure, right, we're part of that SailPoint ecosystem when it comes to integration, things like that. So yes, thank you to SailPoint, RSM. And then before we get to our guest, we're going to talk about Gartner.
Yeah. So the Gartner IAM Summit is coming up. It's December. What is that, 6th through 9th? I don't know. I don't want to start like a disinformation campaign as someone shows up in the Grapevine, TX area and there's no conference. So check, it's in early December and we have a discount code IDAC 375. Guess how much that saves you? I'm going to guess $375. That's a good guess. I know I'm just a savant when it comes to those numbers.
So we will have a link to the registration in the show notes.
¶ Guest Introduction and Background
And let's get on to today's main topic and our awesome guest, who I've been dying to get on this podcast for a long time. Yeah, I'm really surprised. This is the first time we've had him on the show. We're going to talk about SSF, we're going to talk about CAEP, we're going to talk about RISC, we're going to talk about SCIM events and a whole bunch of
other IAM acronyms. Let me welcome to the show for the first time, Mr. Mike Kiser. He's the Director of Strategy and Standards at SailPoint. Welcome to Identity at the Center. Thanks for having me guys, pleasure to be here. This has been a long time coming. Well, we actually spent a lot of time last week for the Authenticate conference and that was great. I want to talk about that. And then you're going to speak
here tomorrow in real time. So today for us is Tuesday, October 22nd, but you're actually speaking tomorrow and this episode is not going to come out till middle November ish. Just the way things kind of work out. But I want to get into that. But tradition, first time you're on the show, we always like to find out our identity backstories. How did you get into the world of identity? Is it something that you chose or did it choose you? Good question. I think like most people like
kind of chose me, right? I started out in my early days, back in ancient history, looking to be a physicist, astrophysicist, astronaut, politician. There's a whole thing there, a real Renaissance man. You know, or drunk for a thirst for power or something, right? Eventually though, I did some stuff in those arenas. Not the politics stuff, but the
physics and astrophysics. But eventually wound up graduating from the glorious University of Texas, Jim, with a computer science degree and then looked around for kind of hard problems. And one of those was security. And so kind of thinking, thinking about how to make sure people had the right access, but more from an authorization, authentication perspective. And then kind of did different things with IBM for about 16 years and wound up at
SailPoint. So it wound up combining multiple streams of what I've done over the years, the technology side, but also the culture impact to what's called normal people side. I love things that combine different areas and different angles on the same problem because it just helps people understand it and grasp it. And I like questions that have no real straight up solid answers. So I think you have the job where a lot of people are like, I wanted
to do that. I want to spend all my time working on standards and getting on stage and speaking at conferences, like how does somebody become Mike Kiser? How does somebody work their way into a role like that? First off, that's a terrible idea, to become Mike Kiser. I think that you always see the surface level of everything. So I think while speaking and writing is very visible, unless you're doing something of substance on the back end, it's kind of all for naught, right?
I grew up with a father who is in public relations. And so I grew up speaking and writing. And then I also had the technical side. But I've always tried to find things that kind of combine those, right? Putting things in ways that people can understand and grasp and use and talk about at the next dinner party and not bore the entire room, right?
That's all kinds of things. So having substance working on something either as standards or developing products or educating people, whatever it is, and then doing the other things on top of it is possibly the way to go. I've got to figure that there's a lot of like doing the extracurricular, right? Because I'm trying to get, for somebody who's trying to figure out the path to become in the position or the type position that you're in. It's, this is my belief is that
it's working a lot of overtime. Not overtime, like for a job, but volunteering to be part of these groups, the Kantara Initiative, things like that and getting in the know, but meeting people, networking, things like that. Yeah. And there's a place for everybody, I would say. I think it's one of the things that IDPro does really well is it gives that community where you can come in and say how does this work?
Where is my place? Your place might be standards or it might be doing technical stuff, might be architecture or consulting or implementation. It might be education, writing. The danger is saying, oh, I want to be like that person, so I have to be exactly like that person. That's not really true. If you look at most of the people in our industry who people know, most of them didn't start out going into identity. They kind of took a random path.
I think that random path, kind of like you're implying, Jim, pays off, right? If you're interested, if you're curious about lots of different things, then I think that that pays off in the longer term, right? Because now you're a more well-rounded person. You see different angles, you see the implications for usage and everyday and that kind of thing. So. But that's identity, right? I mean, identity is made up of a whole bunch of different backgrounds, people, experience, etcetera.
So all of those contribute really to the success of the industry itself is we need those viewpoints. Because if you get into your little bubble, you start to design only for your little bubble, and it falls apart very quickly when you hit the real world where you have all those other parameters you have to account for. Yeah, completely, completely agree. So you were at Authenticate last week with us.
You gave a fantastic presentation that's, I don't even know how to describe it. I want you to describe it because it was a sonic presentation and it included Bolero and graphics that you made. We were geeking out about After Effects earlier. Take people through who weren't there, haven't seen this. Tell us about that presentation. Sure. It's, I wanted to talk about AI's
¶ AI and Authenticity
impact on authentication and authenticity and culture, right. And so I had heard about, in talking about doing homework, I'm always listening for ideas and stories. There's a writer named Michael Chorost who writes for Wired magazine. And a couple of years ago, he posted an article talking about how he had a hearing deficiency, had hearing aids from a young age, but he loved Bolero and he had had difficulty enjoying music except
for this one piece. And Bolero is repetitive and it's clear and it's easy to grasp and it's got a clear message. And he heard it when he was 15, loved it, became part of his kind of authentic identity. In 2001, within 4 hours, he went completely deaf. He couldn't hear anything anymore. And he went and got cochlear implants. And when he did that, he turned on Bolero again.
Instead of hearing his beloved melody, he heard nothing but kind of distorted static, the signals coming to his brain. The way cochlear implants work is they bypass your outer ear and go right into your brain directly, your brain can't really handle the change and the side effects of technology adoption. Easy translation to AI, right? We're rushing to adopt AI, in particular generative AI, and we're dealing with the side effects as a culture. It's kind of eroding authenticity.
You combine Chorost's story with the story of Bolero, which pits technology with a rhythm section and a recurring melody for 18 long minutes. It builds up into this conflict with you in the middle trying to decide what's going to win. You know, classic late afternoon thriller. Is technology going to destroy humanity or is humanity going to survive? Right. Listen to the song. It's pretty great. I think, Jeff, you did recently. That poses the same questions we should be asking ourselves.
What is being ceded to AI and technology and these kinds of things. So I was raising some of those issues from claiming authorship versus using AI as a tool to wholly ceding control. There's a mayoral candidate in Cheyenne, WY you can vote for who's a chatbot, literally, or dealing with grief and loss through AI creations.
It's all those questions we need to ask, what's being ceded to technology. And then the end of the thing, and I've totally ruined my whole talk, is that cochlear patients actually, they remember, their brains remember what the truth was that they knew the sound to be and so the signals eventually get remapped
in their brain to that truth. And so my argument was we need to remember our authentic humanity and embrace those use cases, whether it's a personal assessment of what we do or using ethics canvases to guide our use of AI or supporting data provenance efforts through things like watermarking and the like, or combating disinformation campaigns.
Or the closest one in my heart right now is the death and digital estate with the OpenID Foundation, where we're trying to give people volition over their digital life and their digital identity, even after they're gone, how they're represented, how they're preserved or not, how to get to their controls or the resources, all that kind of stuff. And so like I said, I wasn't trying to say, hey, here's the easy solution because I don't think there's necessarily an easy solution.
It's more of a let's think about this and as a collective, as a community, have these discussions so that we can try and safeguard as much of what I would consider to be authentic humanity as we could so. It was a really good presentation. And you gave homework at the end. I did.
And if we have time at the end of the show, I want to get back into that homework because I shared with you kind of before we hit record, here's kind of what I thought, but I'm curious to see and have that, kind of recreate that discussion. And you're here at SailPoint Navigate just like obviously we are and you're going to give a conversation tomorrow around CAEP, RISC and SCIM events. Give us a preview of what we can expect to see for that.
¶ Shared Signals Framework
Yeah. So with that talk, I'm starting from kind of the ground up with the Shared Signals Framework and what that implies for all of us as practitioners. Since this isn't going out till later, I can tell you what I'm, basically I'm talking about
dolphins. The reason I'm talking about dolphins, in South America, there is a pod, pod of dolphins, pod of dolphins, OK, nailed it. Pod of dolphins that cooperates with fisher people on the coast to the point where the dolphins swim up. People with nets are waiting on the shore. The dolphin gives a signal. Fishermen cast their net, the dolphins drive the school of fish in, the nets descend, they catch fish as they do, dolphins come in and take a couple fish and everybody's
happy. Scientific paper released this year, early last year, shows that that cooperation makes people catch more fish, makes the dolphins survive longer because they're not caught up in other fishing mechanisms. So mutual cooperation is the name of the game and benefits both. Combine that with the idea that the dolphins are giving a signal, saying hey, you need to know the fish are coming and they take action on that, is a great stand-in for shared signals.
Because the whole idea is to say for far too long we've been isolated in our knowledge base. Vendors tend to say we have all the information you need, just buy from us or our suite of products and we'll solve every problem you have. I kind of disagree with that. I think much better is kind of a network of informed actors all sharing information, right? Do you have risk? Yes. Do you have a risk assessment? Yes. Do you have an idea of what's dangerous or not?
You do as well. And so let's share information, kind of like dolphins saying, hey, the fish are coming to talk about dangerous actions or identities that aren't trusted anymore or people aren't using trusted devices or whatever else. And saying whoever is listening, we're broadcasting this information out so that you, another component in my client's infrastructure, can take the appropriate informed action. Now, just like the dolphins and the fisher people, the dolphins give the signal.
The fisher people don't have to throw their nets. They have complete volition. They have complete control, right? They can just sit there and do nothing if they want. Shared signals is a way of sharing information about identity context that gives that freedom to the receiver of the information. It's not prescriptive, it's descriptive. This is going on, heads up, you choose what you want to do, right? And that's important and important to the success of the standard.
But Atul originally talked about CAEP at an Internet Identity Workshop. I was there, it was really great and he kind of launched this discussion. But as it's grown, I think those kinds of keys help with the ever-present struggle within standards of incentives, right? What's the incentive for a vendor to support it or something to adopt the standard? It has to be mutually beneficial. And so I think that's really helpful if that makes sense.
So I love the analogy because that brings it to a level that I think everybody can understand. Like, OK, what are we aiming toward? What I want to talk about is the Shared Signals Framework. So this framework, who are the actors in the framework? Who's providing the information? Is that applications, is it infrastructure? Give us some examples. Who's receiving it? What are they doing with that information? And then from a framework standpoint, is this going to be
like an industry standard for? Is that how you see it playing out? Yeah. I think it's important to sense that a lot of times people conflate some of these terms. They combine them and think they mean the same thing. You'll hear Shared Signals Framework, you'll hear CAEP, which is Continuous Access Evaluation Protocol. You'll hear RISC, which I don't remember what the actual expansion of that acronym is. RISC: risk and incident sharing and collaboration.
There's a lot of ands in that one, right? And so you'll kind of hear those together, especially CAEP and shared signals. So first thing I want to say is that shared signals is the transport layer, kind of pub sub, sender, transmitter, receiver kind of vibe. CAEP is the one that focuses on some of the session based use cases, which is great because Pete, that's where as you're implying people say, OK, why do I need this? What is the, or some, use cases that benefit me?
Some examples, say there is a single sign on provider that knows that an identity has travelled impossibly or done something else, that they're going to take action now and they revoke all of that identity's sessions within their vision of the world. They send out a session revoked event, say to an IGA vendor. Now we get that event and we decide what to do based off of that, right?
We can say, well, we could just say this is a high risk user, you know, take a stereotypical case, CFO or something, and we're just going to suspend all of his identities throughout the enterprise, because we want to start a certification or do some other sanity checks or we can wait until we get multiple of those, right? And then we can kick off a workflow and start a certification or suspend or it really depends on each side.
The event can be shared and then the actions on each side are best practice for that sphere of influence. So I think about traditionally your SSO vendors, anyone with an authorization OAuth token or single sign on or in play, but also additional people, people that know about the network or about the device. They're all kind of in play as a transmitter or a receiver now, depending on. Either one, right? Right.
And you can be both. And I think most likely in my ideal world, everyone's going to be a bit of both. In other words, it's like from an IGA perspective, just because that's my world, right? If I want information about devices, are you now on an untrusted device, maybe I change your access. From an IGA perspective, maybe I lock you out from particular applications because you need to be on a trusted device for that.
And the other way around too, if I suspend an identity, what happens? Well, I use my connectivity layer to go out and suspend accounts throughout. But even if I do that immediately, and that takes effect immediately, a lot of those identities have OAuth tokens or some kind of session token with a time to live. And until that expires, Jeff can happily be Jeff, even though he's no longer trusted by the enterprise, right?
And so it's those kinds of use cases where people are like, oh, we don't already have that today. And like you do in places with specific API, you know, endpoints and that kind of thing. And there are other movements as well, but there's a lot of motion to kind of make these all work together. So, and it's not just the extreme use cases either.
You can change levels of access. If something changes in an attribute about a user changes, you can send out an event saying, hey, you probably want to re-evaluate all the tokens for this user because their access has changed. And so moving to a continuous or event based, to pick who you're talking to, right, the particular flavor of it, it's a continuous process of evaluation.
Every time I access something in an ideal world, I want the latest information, the latest attributes, the latest version of the policy, all of that to be evaluated. And that's kind of what this does. So it's the idea then to have essentially instead of a, you know, a vendor specific, this is what we do for security. And I think we're familiar with things like, you know, the impossible travel, conditional access, right?
Any authentication provider typically will have that sort of thing, is let's open this up to really the identity ecosystem or security ecosystem and say, hey, we've collected this data, we have this thing and we're both a sender and a receiver of this information. So that leads me to believe that there is something that is sort of outside of a specific technology stack to collect all this information. That's how it works. It's a standard.
So if you were going to do this without shared signals, I would have to call up every vendor I wanted to integrate with. I have to say, what are your APIs? What are my APIs? My legal department would have to get involved. We all have to. It's a long road. And then anytime your API changed or my API changed, now we have to do it all over again, regression testing, etcetera, etcetera.
Using a standard to share this information means I can hook in really easily without that overhead, right? And so I don't think there's necessarily a centralized repository for this information. It's more like, hey, I know this, you might want to know. And the receiver signs up to say, hey, these are optionally the users I'm interested in or the groups of users I'm interested in. And here are the event types I'm interested in.
And so you subscribe, you basically set up a pipeline called a stream, basically saying I want all your these types of events for this class of users or just all these events period. And then they either get pushed or pulled across the pipe.
See, I think it opens up an opportunity for another part of the market and we're kind of infringing here now in the SIEM space, right, or other sort of event and logging and monitoring type tools where, you know, it has historically been, well, let me send you my Windows logs or application logs and it goes to the central spot. Now we've got a standard and say, OK, this is how technologies can interact, very similar to like SAML, right? And this is how we want to
authenticate. Now we've got something to provide data around events that are taking place in a standardized way to say if I wanted to, I could build a product that is an SSF-type product or maybe I'm a Splunk or some other, you know, SIEM that someone I can think of as well. Sure. Where I say, OK, we want to be able to, you know, pull those into our system because it's great to have it in one spot.
But I think the power here is what if we could leverage our IGA platform and our IDP and our privileged access and maybe even a non security platform like a Workday maybe where our people data is. Let's pull that all together and have sort of like this overarching ecosystem and say here's Mike, Mike is in Orlando. We know that. Here's what IGA is going to do. You guys do your own thing.
¶ Decentralized Identity Management
But by the way, if we know this about Mike, let's put this somewhere where people can, you know, receive that data and do other things with that. You will see, I do think you'll see a space pop up for transceivers, trans, you know, translators of some of these signals, relays, those types of things and architectural choices. I think that the impact I see is avoiding a single point of, this is where this is the keeper of the kingdom.
Just to have some of that. If I were an identity practitioner, I want a team working together right now. Each of them are going to have a different perspective. IGA is going to have a different perspective than my SSO will, than my VPN will, than my HR system, than my Salesforce, whatever your relying party kind of application. But what it does is it provides
¶ Real-Time Identity Data Sharing
an event oriented, close to real time process for sharing information that didn't exist before. I'm sure people will suck it into a SIEM, right? I mean, I feel like that's the natural inclination of a security team in an enterprise environment is we want all the data and we want to do something with it. Right, I think the power to me, the usefulness right now is actually giving that real time response and control to all these individual distributed players.
I don't picture a centralized hub for controlling everything about identity in an organization. I picture, to use a, you know, lingo, identity fabric kind of approach where there are deciders everywhere and informed understandings of things everywhere, right. So it's more like
that. And then when you couple on things that aren't just session based, then you start to touch more and more, not just CAEP which does continuous access evaluation, but more account level things and the RISC stuff, suspending accounts, activating accounts. And then the more recent stuff, which I'm particularly excited about, which is the SCIM events, which could optionally sit on top of this. And now you're starting to impact a broader and broader spectrum.
Yeah. So I want to back up to some of these that are, this is about developing a standard.
¶ Developing Identity Standards
And I heard Heather Flanagan say there's two approaches to developing a standard. One is kind of got an ideal of how the technology should work, you can develop a standard. The other is there's all the, it's already been deployed, it's out in the wild. Everybody's doing it now. You're trying to pull it together into a standard. I think this is like the latter, right? This is trying to build a picture of what it should work like. Or is it the other way?
I think, it's a good question, up for debate. I think it's the first way actually, only because people were kind of doing this a little bit, but they're one-off integrations. So maybe that's not even up for the second way. But I think this was such a different way of saying, why don't we just straight up share this data and not hold on to it really tightly and say we're the
only option here. So in that sense, I feel like there was a lot of idealism in the original assessment, but the use case was so strong that your session needs to change in close to real time and share information about that, that it was powerful enough to pull people in, I think. I think it gets to the question though is are these logs? Are these identity bits of data that we're collecting?
Is that secret sauce for a vendor, for example, or is it something that, yeah, a vendor is willing to share with others?
¶ Vendor Collaboration and Challenges
Obviously, you know, you're not sharing code, but you're sharing. You have, if you have an API connection or a standard to say, hey, this is what SailPoint is collecting and here's what we're going to do with it. But we have an API or we've got a Shared Signals Framework that you can tap in to say if you want to do other things with it, with other things, be our guest. Right.
And I, what you're hearing me too, is that you're hearing me, the idealist talking because that's usually how I approach standards. It's not, you know, how can we, it's always like, oh, what if we could do this, wouldn't that be cool? And then I have to think about, well, how does this monetize itself? Right? I think you're right.
I think it's the, we're going to take this knowledge that we know and we are also trying to monetize internally as a vendor, and we're going to make that known for other people to use. And I think that's the only way for us to protect, I'd use identity to protect things in real time. So that even kind of rules out a little bit of the SIEM, same kind of stuff because it's a little bit more after the fact.
This is more right now. How can I share information for you so you can take a more informed choice. And if I know there's a danger, now everybody knows there's a danger. And that's got to be the way to go. Team sport would be my own take. And that's, I guess that's the key part here, is this is real time. This is a quicker way to get
that information, right. Because what we don't want to do is where we've been for the last 20-30 years is hey, there's data sitting in our SIEM, yeah, we didn't do anything about it because what is the average breach takes like half a year to even discover, right? The name of the game is speed. So yes, I want my IGA platform to detect this thing and I want it to move very quickly to mitigate risk that that event
might indicate. But the quicker that I can get it not just in my IGA platform, but into other platforms, right? How do I control my IDP? Do I prompt for an extra MFA? Do I shut down access to a privileged access management vault, right? There's all kinds of stuff that can happen. And that orchestration really, I don't think can happen unless there is this standard to communicate that these events are even taking place, right? Totally, totally. And what you're also seeing in
¶ Event-Based Identity Architectures
the industry is a slow move to event based architectures, and this is a reflection of that as well, right? Are you going to use shared signals to do everything and every identity and every application? No, right. Because it's not worth it. There's right now it's not probably in your best interest because of speed and scale and other reasons to put event based architectures everywhere. Some applications, some portions of them. Yeah, I think it makes a lot of
sense. And so while you're seeing vendors in the Interop, right, I think you're going to see more and more relying parties and application owners and that kind of stuff adopt it as well 'cause like, oh, that information is available to me, 'cause if you think about it, say, say SCIM events where you're updating information about the account, about the attributes, about the identity, right?
If you have that in place, well, now I've got a policy in my application that's only as good as the last update of that information, right? So it's like updating a policy information point saying, hey, the attributes about Jim have changed. Everyone needs to do this so that when you go make the decision, you're making the right choice, right? And so that is really powerful because now we're into the authorization space, we're into the policy space we're in. It's all of this working
together, right? The stuff that's going on in OAuth, the stuff that's going on in shared signals, stuff that's going on in SCIM and, and all these various working groups kind of combining to. So, so Jeff made the point about having one place. I want to go even further and
¶ The Role of Big Tech in Identity Security
say why? Because I think you're talking about within your enterprise, but why is, why couldn't there be one place that everybody goes to get these signals, right? Or maybe the maybe there's a commercial landscape where a couple companies focus on this and it's pulling signals from all the major IdPs, social networks, you know, Microsoft and pick building 1 picture of, you know, these are the identities that look to be compromised.
Rather than it being kind of a competitive advantage, Why not all kind of row in the same direction? Because we're all trying to solve the same problem, which is don't get compromised, right, right. And if everybody's contributing, everybody's pulling it, it seems maybe I'm being too idealistic. What do you think? Well, I think is a, first off, is a distributed approach, right. So we're not going to have necessarily one repo with all the stuff it's live events being
sent back and forth. So that kind of to have one repository kind of defeats a little bit of the, the way that the approach is done. Secondarily, not every vendor is going to buy in, not every app is going to buy in, right? And so to that end, there are major vendors that are not doing shared signals right now and they have their reasons and their incentives for doing so. The idealist in me is like, why don't we all do this and just set it up right?
And then as a practitioner, what am I doing? I'm looking at my environment and my business policy and saying this is really what I want to see. And then I'm setting up those relationships. The technology is secondary. The technologist enables me to do this and share information in near real time, right? But it's really the policy and what I want to have give people access to and updating that near real time. That's the, the key for me as a practitioner.
So just like single sign on, right is commoditized right now, right? I, the policies, I want access to these five things, SSO and SAML is just the technology that lying behind that, right? And so as a practitioner, I get to decide, I want these people groups, these identities, people groups, these identities and, and these events. And I want this to happen and that to happen. When I talk, people are like, well, what, what's going to happen when I do this? And I say, well, each end is
going to make their own choices. Each application and each vendor, whoever it is, it's going to say this is the default action. We see something happen, we're going to suspend you, we're going to send out these events, and then the other side takes it in and has probably a default approach. But again, if I'm an identity owner, I want control over what that actually looks like,
right? Just because you sold me a product that sends these massive alerts anytime anyone goes out and gets a Taco, maybe I don't want, you know, Trisha, you'll have to go get a Taco. I don't want to shut down your whole thing. So I'm. Talking events that I can get behind, I want to know. Where this Taco is so. Let me know how do I subscribe to? That event as an event, right? Tacos service. How about that? Yeah, there we go. So yeah, there's, there's,
there's balance there, right. I think there will people be people that suck all these things in and put them in a repository. I don't think that's really the idea because we're trying to move to a real time distributed kind of approach rather than let's build 1 big repository. And I think you can be an aggregator and keep it real time. And that was like, I guess I
live with that minor point. My bigger point was, you know, it feels to me like we need big tech to get behind this, to say, all right, we've got massive numbers of authentication events. We have this repository of what we think are compromised accounts I think. Some of that is secret sauce for those vendors. That's the. Service that people pay for, that's what I hate and and it it it, it, it, it does sound altruistic to say, hey, why don't we all do the same thing?
But the reality is there are different vendors that are paying that are they've done the work and they are trying to monetize that. They're saying, hey, if you join our IDP network, not only are you going to get this product, but we also have these other events and we can help do an internal sort of product specific thing around that. I'm with you. I wish there was more openness around that. And I think it's coming.
I think there are large enough people in the working group, large enough people in the Interop in December that I certain standards survive or die because of adoption, right? Look at SPML, may die in a dumpster fire forever, but SCIM had a lot more success. Has it been 100% successful? Not at all right? But I think shared signals and the event types that sit on top of it, CAEP, RISC, SCIM events
someday. Like I think those have enough backing to pressure organizations to adopt and incentives, like I said, incentives matter, right? So I expect some vendors to say, no, we're not going to participate until enough large customers say no. We have to have this until analysts like Gartner at the last Interop in March said you need to demand this from your vendors. That helped tremendously, I
think, right. And so it's all a, a, a push together of paving the way technologically, paving the way politically, paving the way for demand, customer demand, right? So, and you can still keep your secret sauce, 'cause just because I tell you an account is compromised, it's not like I'm saying, and here's all the Intel I have and all the data. Now you get this event saying I have taken this action, you might want to do something about it.
And optional additional reasons or something, but you're not getting my internals. I've taken a section you do. You right, right. And instead of us, instead of me building this API based thing to go into your system and cause action, now I'm like, let's do this standards wise. And the person who owns both of our products will demand it.
They own both. So they can say you're going to do this and you're going to do this and you're going to like it or I'm going to walk away and take my money to another vendor, you know, or another offering is my is my ideal anyway. Well. I think the important thing
¶ Customer Demand for Identity Solutions
there is customers need to demand it. That's really who's going to drive the adoption. If you're listening to this and you are probably a customer of an identity solution or a security solution, that's where that's where the support's going to come from. Put it in your RFPs and your RFIs, put it in your requests for whatever and say, hey, does your product support shared signals framework? How does it support it? And really that's, you know, it's, it's almost like a
grassroots campaign, right? You've got smart people who are really thinking about this. You mentioned a tool. There's Sean yourself other Yeah, exactly. So there's there's a lot of thought behind this. There's only so much creating the standard can do. People have to actually ask for it and desire it and want it. Right. Just like the fishing and the
dolphins, right? Both parties benefit, I think in the long term we all benefit from this level of cooperation because just like the dolphins gets more fish and the Fisher people do as well. The same thing is here is true here. If our goal is securing the enterprise via identity, then let's cooperate and I think we all catch more fish or something. So we. Promised we'd get you out of here at a certain time. But they do have one more question. So we've had one of our most
popular episodes. We had several folks like yourself help us out with a question. So we've talked about what's the difference between IAM and digital identity. But now this term identity
¶ Identity Security and Digital Identity
security has become popular. To me, this feels like it's the definition of identity security because it's taking the cybersecurity area and digital identity and combining it into a solution. Am I on the right track? How do you see it? Yeah, I think so. I think, you know, identity security is, is the idea that, you know, identity is the key, right? Identity is, is at the center? Yeah, it's the old working my way to you. I know my audience.
Yeah. So I I think that information becomes power and becomes the operational knowledge on which to take action or not, right. And so now we're saying I've got identity information, you've got identity information. Let's share it and and use it together. It's one aspect of that right now whether it fits into a particular market segment defined by someone or some of the other, sure, I think you'll see it in different places.
You'll see it in base platforms. I think in the long term, in the short term, you'll probably see it in more risk based or ITDR environments, that kind of stuff. Do I care where it exists? Not really. As long as we have it right. I, I want it, I want it in places and I want it pushed because I, I think the obvious statement that we've already made is obvious that identity is the new key. It's not just the network, it's
everything. And how you define identity becomes the second question of that right. Is it, does it include device? Does it include location? Does it include past action or past behavior? Does it include the weather in Caracas? It might, right? It depends on how you define the identity for that person, which by the way, was also part of my
talk at Authenticate as well. It's like how you define identity influences how your policy expresses itself, and ultimately how you safeguard all that kind of stuff.
¶ Technology vs. Humanity: A Musical Perspective
So I want to go back to the Authenticate conference to close out the conversation you gave homework at the end, and then to listen to the whole 15 minutes of Bolero. And what did people get? Well, tell me what the homework was and I'll tell you what I got of it and we can have a conversation with it. So during the presentation, the talk I was giving, I played snippets. It's 18 minutes long. I had a 25 minute slot. I couldn't play the whole song. Find a very long song and just
play that. It's like playing a movie when you're in school. Right. So I played some and I and I played the rhythm section, which represents technology and I played the melody, which represents humanity, and they get louder and they get basically opposing each other. And I described the ending of Bolero as amazing and crazy and brilliant and really fascinating
and shocking. And then I told them I wasn't going to play it for them to the audience, which people groaned, which is what I wanted them to do. But I said go home and find 18 minutes and carve out the space and just listen to it end to end. You know, I didn't say this, but you either love Bolero or you hate Bolero. But the homework I gave was, given my premise, just running with my premise that it's
technology versus humanity. These two different sections, half the orchestra, 1/2 the orchestra, the other. The ending, I feel like gives a particular point of view that Ravel has about which will win out. Will technology destroy humanity or humanity preserve itself against technology? And so I said go home and listen to it and see what you think, and then come back and find me and tell me what you think Ravel's point of view was. So I did it. I did the homework because I'm a
very good student. Good job A plus. A+ for me. Here's what I got of it was two things triumph and finality. So it crescendos and ascends throughout this entire, you know, track essentially. And the way that I perceived it was humanity overcomes and it's triumphant at the end, but there's an abrupt end. It's final and we're done. And then you got me thinking earlier today, I was like, well, is the final because we lost? My thought was OK, We we won. It's triumphant.
Humankind has always risen up and somehow evolved or, you know, accommodated or figured out right how to survive. We've made it this far. And then there's that finality of it. Yeah, but. We're going to be final unless you lost. Well, that's, that's see, that's what that's the thinking part of it right too. Right. What what's really fascinating also about Bolero is there's an article that came out a couple years ago. He and Edgar Allan Poe were contemporaries.
And this person thinks or argues that Ravel was influenced by Poe, who had written this piece about how you create a work of art. And Bolero mimics The Raven from Edgar Allan Poe, where there's 18 repetitions in each. There's the Raven saying never more, never more. And in Poe's poem and you have this rhythm section that is inevitable and just going to hunt you down like a dog, wherever you are. Whether or not that's true, I think it gives insight. I don't think Poe was necessarily an
upbeat kind of vibe. And so that kind of does. He's like the original goth, yeah. It kind of shades it shades how I think about it maybe, but the ending of Bolero after 18 minutes of the same thing over and over again, building up it it's always in this one, the key of C, I believe, the whole time right near the end it changes to a different key, which you're like, Oh, finally some change in this piece that's been beating me down. And then it the melody of the rhythm section.
But then, like you said, this is chaos at the end that like trombone's going to worm or worm and just noise and then all of a sudden it goes BAM and silence. So I feel like he's worried that the machines are winning or that they've they've won. I would, I was telling you earlier, I feel like if, if the humanity angle was winning, you'd have this like. Like a soft landing almost. I would feel relaxed at the end of Bolero and instead I feel myself holding onto the table.
So, Mike, what minute are we in right now? Of. Of like in humankind. What are we in 32? We are somewhere in the rising crescendo part of it. I think we're hearing more and more reverberations, right? I think culturally we're only beginning and technology always outstrips culture and our ethics. And I think that while AI and Gen AI, it's neither good nor bad inherently, it's just technology. It's how people use that that influences things, right?
And I do think, as I said last week, that our authenticity is is suffering. It's not irretrievably lost. We will change as a result of this adoption of technology. Is that more of who we already were or is that because of the technology? I, I think it's more revealing just of who we already were and technology is just accelerating and adding to, but we're getting into deeper waters. I would. Say deep thoughts. I feel like this is this is just the cycle of humanity right now.
It's AI. Yeah. Before it was electricity, it was running water, it was cars, it was horses, it was Spears. Nang. Indoor plumbing, I don't trust it right? Well, as someone who was living it lives in Asheville area, indoor plumbing is very important and I'm happy to have my back. So all right, let's end on a high note here. Thank you so much for taking the
¶ Conclusion and Final Thoughts
time with us. It was a fantastic conversation, both this but also again, just really well done to the Authenticate conference. I hope actually you'll do it again so more people can experience it at some point. Is it on YouTube? Not. Yet I think it will end up probably in the Authenticate. Somewhere of some sorts, yeah, it's still I think for attendees for a while, but if anyone wants to hear it again, I'm hoping to do it again, so. There we go.
All right, so we'll wrap it up there for this week. You can find us on the web idacpodcast.com. We're on YouTube, idacpodcast.tv. Gotta make sure to get that out for Jim this. Is very I'm I'm just here making sure that making sure we forget YouTube. Got our checklist, connect with us on LinkedIn. We'll have a link in our show notes for people to connect with Mike and to learn more about SailPoint if you're not familiar with SailPoint as
well. And yeah, don't forget to like subscribe, do all those fun social media things to help us continue to grow the show and get great guests like Mike. So thanks for joining us and thanks everyone for watching and or listening and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com.
See you next time on Identity at the Center.
