One of the things that I've started talking about is, and this may be me tilting at a windmill, I think we need to put some, in classic relational database terms, standardized views so that everyone, whether it's a third party product or home grown, can implement these views such that for a core set of objects, maybe user and entitlement and system, I can get data out no matter what the back end is, no matter whether it's third party provided or it's first party provided.
Because that can reduce the cost of switching between vendors. It can reduce the ability to the challenge to do bake-offs between technologies. It can facilitate people bringing their own models or buying models to look at this data to find interesting things about them. So I'm, I'm a little bit on this, what I'm lovingly calling OIDS, Open IAM Data Schema. Those of you who've been around for a
long time, an OID is an object identifier, famous in LDAP land. And this came from a realization that the last time we really as an industry standardized data objects at rest was like inetOrgPerson and eduPerson. And so with love in my heart, I'm like, you know what, let's
do a throwback name here. But I'm kicking that conversation off with a bunch of folks and I'm getting a lot of feedback and it's really interesting seeing the questions and the challenges to it. But that's like on my to-do list for the next couple of months. And then we'll see where it leads. It may all just crash and burn, but someone may take like an ember of the remnants of it and go use it to start a fire and that'll be great. So let's hope that happens.
This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Doing good, but it's been a hectic couple of days. I mean, you know, 2025 is going to be a fantastic year for the podcast. We've got some great sponsor
spotlight episodes. We've got our series talking about the tie between different infosec areas or cybersecurity areas and digital identity. And then we've just got a lot of fantastic guests lined up. So I'd built out the schedule pretty much all the way through April at this point. And already it's shot to hell, right? Different, different folks have kind of said, hey, I'm not ready
to do the podcast. So I've got 2 openings within the next couple of weeks and I'm working my tail off to try to fill those openings. We might have to do the Jim and Jeff episodes. I like those. Those are easy. Those are easy to schedule. It's just you and I. We can actually disagree on a bunch of stuff for like an hour, so I'm OK with that.
Yeah, I'm OK with it as well. But I think one of the one of our secret recipe ingredients has been bringing in great guests who bring different perspectives that we do. Obviously you and I disagree on certain things, but I can pretty much predict what those things are going to be. I like bringing in somebody new to disagree with things. Yeah, and I. Always had on the OR someone we've had on the show like 10 times.
That's also great. Yeah, I mean, look, we have, we have a tight knit community here in the identity space. So obviously, you know, if you're listening to this, you've already seen the scripture, you know who's going to be on. But yeah, I mean, look, we have so many people. I love talking to new people. I love talking to people who are out there in the real world doing, you know, I call it real identity things, right? There's so much we can learn,
you know, from each other. And even if we don't have all the answers, like let's get it out there, maybe someone else does or maybe someone else is struggling with those problems. So if you're if you're, I'll put a I'll put a thing out there. If you're interested in being a guest on the show, don't hesitate to reach out. We're very friendly. You know, it's a safe place, right? We'll take care. Yeah. And we just like to have conversations.
That's all it is. I think a lot of people maybe get intimidated, like, oh, it's a podcast. Like, OK, So what? It's just microphone. And after about 30 seconds of talking into it, you, you totally forget about it. And it's just, you know, us talking here on the web. Yeah. What I also like to do is to get folks like our guest today who is a thought leader. But I've kind of decided in my mind, you have to be told by somebody else that you're a thought leader. You can't declare, hey, I'm a
thought leader. I'm a thought leader in this space. I know people who do declare, make that declaration, and Oh yeah, you know, sure, we all have. A warning. Listen to a warning if you If you have that on your LinkedIn website, go delete it immediately. Well, I think there's a whole subreddit called LinkedIn Lunatics that is all about just the crazy LinkedIn stuff that people post. And there's some good ones on there. And thankfully I haven't seen
myself mentioned. I, you know, I don't know if I would consider it a badge of honor or not to be somewhere listed in LinkedIn Lunatics, but there are, there are definitely some, some lunatics that have opinions, just put it that way. Yeah, absolutely. I have to go out to check out my own LinkedIn, make sure I didn't call myself a thought leader. Maybe I nominated you and I posted something you did. What were you doing on their site to begin with?
We keep teasing them, but let's take a minute to talk about discounts. It's never too soon to save some money and we're excited for this discount because this is our first time actually going to this conference. It's the European Identity and Cloud Conference 2025. It's May 6th to the 9th in Berlin, Germany. That's put on by the fine folks over at KuppingerCole and they have partnered with us to give a discount code to all you fine folks listening or watching here.
If you use the code IDAC25MKO. I know it rolls right off the tongue. Don't worry, it'll be in the show notes and if I can remember, I'll put it on the graphic down here. That'll get you 25% off the registration. And Jim, you and I for the first time are planning on being out there, will be, I'm sure, trying to figure out how to do some podcasts maybe. But I'm excited. It's the first time I'll be in Berlin, second time technically in Germany.
I was in the Frankfurt Airport for about 6 hours, my way to India. So I'm excited to go to Berlin. And then I think maybe I'll take some time off after that conference and maybe try to explore other parts of Europe that I have not yet seen. What do you think, Jim? Well, I'm going to go the week before, I'm definitely going to Oslo because that's where my, I already booked the flight.
So I'm going to Oslo. Where I go from there, I'm not sure yet, but what I want to do is Identity Beer in a few different cities. I'm thinking, you know, stick to the Scandinavia region and meet as many of our listeners as possible. So as the details of those things start to formulate, what cities I want to go to, things like that, I'll be announcing that here.
Also, like you mentioned what podcasting we're going to be doing and maybe getting involved with sessions, things like that, we'll be announcing that here as well. But definitely grateful already to the folks over at KuppingerCole for collaborating with us and making this discount available. I can say that we will not be upended with the bitter discount code. So use ours, get out there, register early while they still have the most attractive level pricing. It only goes off from here.
Yeah, show support for the show, which is always appreciated. And we're going to have Martin coming around here and I think it's next week or the week after, but he's coming up here pretty soon on the show. So we'll hear from more from him and maybe some about what's planned for the conference itself. So I'm looking forward to it. First time in Germany and yeah, let's do it man. Yeah, man. All right, why don't we get to
our guests? This is his 9th appearance on the show and we were talking before we hit record here. You know, what do you get for being, you know, on the show, you know, 9 times. And Jimmy, you're in charge of guest swag and I think jackets, you know, SNL does 5 time, 5 timer jackets. So we're up until like 9 timers, I think. Andrew Shikiar is another one who's been on a bunch of times, but this is his ninth
time. He's the founder and president of Weave Identity. He's one of the founders of the Digital Identity Advancement Foundation. He's one of your team members from Team Identifriends at FIDO Feud at the Authenticate Conference earlier this or I should say late last year, he is Ian Glazer. Welcome back to the show, Ian. Hey guys, thanks for having me.
It's good to see you. So I got to start right off with what was your impression of FIDO Feud and how that thing kind of all came together and when can we do it again is kind of what I'm thinking already. But tell me what your perspective was as a team member on that? As a team member, I was not prepared for the level of competitive energy coming from the other team, people who will remain nameless, who may be parts of organizations.
Yeah. Megan. Wow. Lot, lot of competitive spirit. Let's say I feel like the tequila came out too late. I feel like that would have helped earlier. And I was dumbfounded by how poor my answers were across the board. Like I was a boat anchor of answering questions. Like absolutely useless. So yeah. But it's super fun and I hope you guys bring it to more places. Yeah, I would love to figure out how to get to more conferences.
I think we're already talking about the next iteration for the Authenticate conference, you know, later this year. And again, it'll be in Carlsbad, so stay tuned for that one. I was, so I helped come up with the questions and they were sent out by the Authenticate team to all the Authenticate attendees. And we got a bunch of responses back. And there were some responses that clearly had, you know, leanings one way or the other, either politically or whatever
that I had to censor. But I was surprised at some of the answers that came out there. And you know, the most popular answers. I think if you watch, look, if you watch the episode, it's on YouTube. Just search FIDO Feud on our channel. And you should. You should. And you should, because it's really one of the best times I've ever had at a conference. I had so much fun hosting it, but the answers were not at all what I expected from the identity community at large.
So I'm hopeful that we can make it bigger and better next time. But I just had such a blast with it. You know, you know, I just have a thought, which is IDPro is releasing their skill survey questionnaire. It's just going out now. I wonder if there's like an IDAC/IDPro team-up here where we can take the questions from last year's identity feud and actually fold some of that stuff into the skill survey. Like we should, we should talk about this with Heather and Andy.
Like that would be super cool. See, like just as an interesting sort of interlude, like, huh, here's some like kind of simple questions in theory, in theory simple questions and wow, wildly different answers. So like that could be fun. I think I'd be up for that. Heather or Andy, if you guys are listening, hit me up. Let's figure out how to do it.
I look, we can make it fun. I think that's one of the fun things about stuff like, yeah, this space is just when you think you have it figured out, some question like this comes up and it's like, whoa, I didn't even think about that. Where did that come from? For sure. Let's talk a little bit more about some of the stuff that's been going on. I guess let's talk about 2024, kind of recap it here. I know you're at a lot of different conferences, but how did 2024 go overall?
What do you think? Did you have any, any big sort of identity epiphanies or I don't know, things like that? It was, it was a blur of a year. Like I still haven't recovered in my sense of time from COVID, right? I don't know about you guys, but like, yeah, that's still like mushy and I feel like a lot of a lot of velocity in a lot of different directions. I'm just not, I still don't quite understand what's going on in the market. But like highlights for me, the Shared Signals Framework
interops. I didn't catch the one in London. I did catch the one at Gartner in Dallas in December. Identiverse, there was some stuff there too. It was like, that's really great to see the, the, the real push. I think right now between SSF and CAEP and RISC, that's super cool. What else? I think there's a lot of new energy. There's a lot of new players. I keep learning about companies like literally every day.
It feels like it's like how many people can, you know, come into this market and come at it with like a real genuine energy to like do something different. And I think that's healthy and that's really good for the market. It was good as my first full year on my own, like full calendar year as, you know, just a one-man show to see the kinds of companies that are out there, what they're doing, be able to help where I could, be able to just see trends.
So like it's, it was a good year, but man, it went fast. Yeah, time flies, I think when you're having fun, which hopefully that's what's taking place more often than not. Yeah, for sure. What conferences are you planning on hitting this year? Will we see you at EIC? So I'll definitely be at EIC. This year's a little bit different for me. So I think I'm going to do for sure EIC. Haven't been to RSA in a long time, so I'm going to go back there. I've never done Black Hat.
I'm going to check that out. I've done that a couple times. I'm probable, let's say for maybe the Gartner conferences this year, but there's one that's not going to be on my list and that's Identiverse this year. Man. Well. Look, I feel like I can miss a CIS/Identiverse once every 10 years. This is like certain time at 20th. It's my 20th anniversary. We're going hiking like see you like.
So we'll, I'll be on a trail somewhere when the conference is going on, which it bums me out, but I'm still going to do all of my content committee review work, which I need to go do before Andy and Nishant beat me up. And you know, that's the kind of the first half of the year. And then I'm not sure really the second half. It's been a long time since I've been to an IIW. I really should change that. And I am Jim, you just triggered
this thought. I'm going to be at one of the Identity beers and in fact, I'm going to be at the Identity beer next week in London. Now, I know this show won't air until probably after that. So if you're hearing this now, then you've already had a beer with me in London because obviously you would go to Identity Beer in London. Or you're about to. So I think, I think this is going to go out on the next Monday. So it'll be the 13th. Yeah.
All right, so then you have two days now that you're hearing this. In three days' time, on Thursday, I'll be at the Identity Beer. And I'm really excited just to see some people that I know and I haven't seen in a while. But more importantly, like see a whole new group of people. I have no idea who they are and just meet them and, and understand what they're up to. And, and I will be coming right off the plane. So I am going to fall asleep in a pint. It'll be great.
I'm sure it'll be photos, but I'm really excited for it. Like it's, it's about, you know, another opportunity to, to meet more of the community, which is going to be great. Sounds like a lot of fun. Now your conference schedule is pretty busy and you know you've been to these for a long time as you've mentioned. What's something that I guess your assessment of the scene today, how do you see IAM conferences? And have you noticed any evolution maybe within the last couple years?
Is it, I feel like, you know, a couple years ago it was all right, everything is zero trust. And then it was maybe before that it was everything was blockchain and then it was, you know, AI is kind of like the thing right now, like we see these waves coming through. But I'm curious kind of like what's your assessment of where IAM conferences at large are
kind of at right now? So I think my take is not so much thematic in terms of like what you know, conferences are sort of choosing as their themes. I think it's more about a little bit more meta, which is I think that last year certainly was more evidence to the fact that identity based is becoming more and more mainstream. It's a mainstream concern for more parts of the enterprise and certainly within the security organization.
And so one of the things we're seeing is that people that are coming to conferences are first-timers for those conferences. Identiverse, you know, Andy always asks like who's, you know, first time is this to Identiverse. Half the room raises their hand. And I would posit that a third to half the people that raised their hand for that question are new to identity. Same basic thing happened at Gartner
IAM in Dallas in December. So we're seeing a lot of new faces and we're seeing a lot of new beginning practitioners, people that have done their career in security in other places are now coming to identity. And I think that's really great. One of the side effects is that we're gonna, I think we've already seen this and it will continue to happen. Most conferences are needing to
orient to those people, right? And so there's a lot that can be taught and yet still to we can get better at teaching it about identity and there's always emergent topics. That's important. I think one of the side effects is that it's going to get harder for conferences to put more content on that's longer and more technical.
I have a feeling just because of who's going to be there that we're going to see a kind of different optimization for content in the majority, like in the sort of, let's say, mainstage identity conferences. It'll be interesting to see where some of the, the longer term, the more difficult, the more challenging identity problems continue to be discussed. Obviously, IIW is one of those kinds of places. EIC, I think, does a good job in this.
I think Authenticate is starting to find its legs and its voice in this regard, but it'll be interesting to see that emergence of conferences that are tending towards the more mainstream identity topics and practitioners and then places where people can have the harder conversations. The, the more in depth, the more I would say nuanced conversations about like you've got a three to five year problem over millions of identities. What does that start to look?
Where do those conversations happen? Who's participating and how do we how do we foster more of that? Yeah, there's a lot of good thoughts. I, I wanted to echo something you said earlier when you talked about 2024 with all the, the new vendors that you're seeing and the really there was a ton of innovation. And when I talked to other practitioners, they talk about things like this massive amount of identity data that they want to be able to use to automate
provision tasks. So you go back to the nuts and bolts, but do it in a, a way that leverages this data that they have. And you're starting to see solutions that actually are things that put them in control and give them the ability to do that. So I kind of get the sense that those are the companies that could shape the future. We've seen it happen a couple of times within the last 20 years where incumbents, I don't know if they get fat, slow and lazy or, or what the case is, right?
Maybe that's a little too harsh, but young, hungry companies come and eat their lunch. And I wonder if we're in the reflection point for that again. I think 2024 was good evidence that we are seeing on one hand a return to the best of platform days that we saw in identity. We've seen it two other times. One was basically CA and IBM and a little bit of BMC. It was like who's got the most complete essentially suite of identity. We saw it again and that well
that was a moment in time. We saw it again with Oracle and Sun. Now we're seeing it again and it's Okta, SailPoint, Ping, maybe CyberArk, Entra, like, and we have these best of sort of suite platform type things.
But at the same time, every time we saw one of those movements towards a best of suite or best of platform, we also saw a huge influx of new identity vendors coming out with novel ways to approach problems or augmenting some of those more traditional suites to give them more innovative features without replacing them entirely. A Better Together kind of
strategy. And I think that's what's going to continue in 2025 is this kind of tension towards some incumbent vendors that are getting super, super large from a sort of footprint inside of IAM customer base as well and a bunch of new folks coming in and saying yes, but they're missing a bunch of things. We can't claim that we're going to displace your 10 year old SailPoint installation or what
have you. But what we can do is add these capabilities to it. That's going to help reduce your burden, make you more efficient, get you better integrated with security, what have you. I think there's a whole influx of that's going to happen in 2025. We'll start to see that in the market shortly. So I wanted to talk about something that you published last year, which to me, I, I loved it because it's like, I'm going to, nobody asked for this. I'm just going to put it out
there. It's kind of a, a mini series blog. You broke it up into a few different parts, but the idea was you're kind of laying out that the argument that modern identity architectures need to be or are different. You kind of talked about almost what I would call a reference architecture or some of the major themes that, that make up this modern identity architecture. Originally, I think it was 4 principles or 4 layers, if you will.
I think you're evolving it, which just goes to show, I mean, to me, that's, that's what it should be, right? Otherwise it's just, it's going to be thrown out there and die on the vine. You're evolving it, but kind of the five principles that I've heard you talk about anyway, policy, data, orchestration, execution and events. Did I describe that right? I mean is that? Yeah. Let me paint the picture, which
is that I, I last year had two things I realized. One is that the names of the markets that we have within identity don't make any sense anymore, right? Case in point, access management. Is access management single sign on? Is it authorization? Isn't it the teams that field the tickets from ServiceNow that then go build people's accounts? Isn't that managing access? Like what the heck does the do
these words mean? And access management is not the only one where you're like, I don't understand what's in this bucket. Like I don't understand what the feature boundaries are of these markets anymore. It's super, super blurry. Part 1. Part 2 is I don't know where the IAM market is going per se, but I'm starting to see sort of evidence that there's a foot race going on towards some form of an enhanced data tier.
We can talk a little bit more about that informed by more robust and contextual policy, powered by real time events. And that, by the way, does not fit neatly into the identity security bucket or any damn bucket, right? So I'm like, OK, I've had enough of this. I'm going to write everything out of my head that I've got swirling around because what I think I'm seeing is an emergent architecture for what we should be heading towards that acknowledges the realities of an identity team.
And one of those realities is you don't replace major constituents in your architecture very often. Once a decade you change out your IDP, once a decade you change out your IGA. And if you've got different kinds of needs that the business is bringing to you, like case in point, you need FAPI support. Your IDP may not have that. Are you going to throw out that IDP? Heck no, because it's doing SSO for like a gazillion things plus
all your OAuth brokering. What you might do is augment it with a specialized solution that has it. Well, all of a sudden now you find yourself that's an identity fabric. How the hell is this all going to work together? And so I started just writing like just getting it all out. And I thought it was going to be a short piece. That was a lie I told myself.
And so one of the things that's in there is a notional reference architecture and it talks about those five components that you mentioned and describes the interplay between them as this is what I think, this is where I think we're headed from an architectural perspective. At least you write the documents or the blogs for. I just needed to get it out of my head right And for. You right, Ian, It's kind of like thinking out loud. A lot of look, I am.
I've found in my career that I've only smarted in the presence of other people. Like I need other people to critique and push back and comment on and nudge to actually produce anything. And so I was like, look, I'm going to get this crap out there and then people are going to beat it up and then someone's going to pick up a piece of this thing and run with it. And it's going to be, it's going to be better. Like, let's just do that.
So in some regards, yes, I wrote it for architects, I wrote it for product managers also, like I always sort of write for myself in that regard of like, hey, like how should I be thinking about the next three years of where I want to take my product? If I'm a product owner or product manager? And if I'm in large enterprise, like same thing. Like I've got a whole bunch of piece parts. How the heck is this all going
to work together? And how am I going to be, how is that architecture going to be stressed in the coming years? And what should I, what should I think about as I keep going forward? So I didn't write it for a single persona. I wrote it for people that were just genuinely curious and could find something in there that they could use. Maybe not the whole thing, that's fine, I just wanted to get some ideas out there.
Yeah, I I think that you hit the nail on the head in turn like you used a great example, what is access management. But as you think about what we have been doing for a living for the last 20 plus years, it's identity and access management on now you, how do you even define that? People? You say what is access
management? But I, I think that's, that is the under pinning or the under churn of what we're doing here, which is these definitions are constantly changing the identity access management, that's digital identity. What is it now? It's an identity security. Is that just a buzz term or is that actually something real? And that's not a question for you. I'm just, yeah, I'm just talking out loud.
So, so Jim, my reaction to that was like, let's focus on the outcomes that the things that I have can have, right? So like I've got these pieces of things in my identity infrastructure, What outcomes can I achieve with them? And I I've been trying to drive to like focus on the outcomes that you want the architecture to have or your infrastructure to have. And then let's, we can give those things names or not, it doesn't matter.
And if you're using a tool in kind of a funny way, but it, it scratches the itch, it reaches that outcome. Who's to say that's wrong? Like I'm, I think we got to get away from some of those sort of strictly bucketed market terminology and start thinking about like, what do we need to get done? What is the most efficient way for me this organization, given the constraints we have, to get that done, get that achieved? Well, let's not forget the most
important thing here. It needs to have another acronym and it needs to conflict with something else within the identity space. I'm not a barbarian, of course. We need something that's utterly confusing and, you know, conflicting, of course. It's got to have, yeah, it's got to be catchy so that everybody can say now there's more modern identity architecture. To be fair, Dave Birch said I should have called the architecture dope.
I'm like, yeah, but that's like the 80s calling and like that. I have like control essay nightmares when you start doing that. And so like, I don't think that's super cool, but. Everything's just a cycle, Ian. It's dope. And then you have belt the bell bottom principle, right? We have to figure out how that works. And I am, Yeah. And then classic rock like Nirvana, which, oh, that makes me feel old. Yeah, exactly.
That'll be cool. And it's by the time you're like, oh, turn, turn the music down. That's when it'll be cool again. I think we can agree classic rock is music from the 70s. Everything else is not classic rock. I agree with that. I'm with you. That's that's a platform. But here's the thing. I mean, the 70s are like a billion years ago and it's like me in the 70s are like Oh my God, like Glenn Miller is the classic rock of like my grandparents generation. Like oh God, what does this mean
for me anyway? We went, we went way off with that one. Sorry. What's these five elements? Are they layers of this like a reference architecture? Or is there just too much blurring to call it layers? I refer to them as layers and you know I sort of start with policy is the first one like it's the backdrop, right. We are awash in our enterprises in policy, both sort of business rules but also the
technical ones. And we know them well in identity, right? There are provisioning policies, who's supposed to get what, you know, what are the attributes we need to set, like it's the configurations in our SSO tools, like we recognize those things. But one of the realizations I had was traditionally speaking, our identity products only could describe policies and knew about data that they could interact with through their execution layer.
So if I was a provisioning product, the data I knew about which things that I had a connector for and I could write policies about those things. In the modern era, I want to describe a policy that says, well before you go accessing production Azure instance, there's got to be a ServiceNow ticket open in your name referencing the specific Azure account that we need to go talk to. You need to be coming from a managed product or a managed laptop. It needs to be fully patched.
And then if all those things are true and we're not in the last days of the quarter, then get this ephemeral role that I want to assign to your access and let the IDP do that. And then it will go away when things are done. That's not the kind of policy you could write in a traditional system. It is 100% however, the kind of policy that if you step away from the technology, what people want to have as outcomes, what they want to put in place in
their enterprises. But they've got to jury-rig it between 5 different technologies that don't talk. Like this only gets worse when you realize, well, how many components are in my identity architecture, like in my infrastructure, how do I coordinate that stuff? So policy is the thing, is the backdrop, right? That is the, that pervasive layer and it will be tiered. And I know that's a hard topic
in and of itself. And I don't want to make light of it because the more I talk to people at large enterprise, they're saying I, as an identity team, want to describe a set of guard rails. The people that are actually doing the identity work in terms of implementing systems that consume identity services, they're at the edge. They've got their own rules because they're closest to the application. How do I make this coherent?
How do I link these things? I don't have good answers to that yet, but I acknowledge that like this is still a place that we can do better. And I think it's actually an interesting opportunity legitimately for AI. I'm just not sure how yet. Like the oh, create a policy from natural language blah blah blah. That's boring. I mean like real interesting use of AI, I just haven't seen it yet. Well, I think that's like what you just described is like
Nirvana, right? It's a whole bunch of like if, then statements and that forms your policy of when you're allowed to do things. And I look, I say it's all due respect. I love it. I just don't see it happening anytime soon for even half of the organizations out there with IAM stuff. Because it takes so long for organizations to invest in technology, they're going to need probably a couple different tools to do that. They're going to need good data, right to do sort of things like that.
And you know, for every cutting edge Google, Microsoft, Apple, TikTok, PayPal, right, whoever it may be who is really cutting edge of IAM, there are 100 a thousand times more companies who are still getting a fax to get somebody on boarded. Right. I mean, it's, it's, it's, it sounds cool, it sounds neat. And then I get so I feel like pessimistic about like, well, that's, that's 10, 15 years ago realistically for, you know, most companies to aspire to
that, if they even get that far. Help me talk to you about the ledge because I love the idea of it. I just don't see it happening anytime soon. So I think there's two things that might give you hope to carry on. Like I didn't realize that we're doing this as like it's the Wonderful Life edition of IAM therapy with Ian. So, so two things to consider. One is standards help us build a better identity fabric and allow for orchestration between components.
And I think that's really important Things like shared signals is one of those things that I think is really, really important to help us here. Both respond more dynamically closer to the incident, closer to whatever that that that decision making moment is. And that that allows us to put smaller components into our identity architecture without
upsetting the apple cart, right? So if you're, if you've got a lot of sort of tech inertia because of whether it's on Prem legacy that, you know, you want to migrate, but that's a five year project and that's what we're doing and we're going to go knock it down. Or you've just got sort of basic components to begin with. You still have an opportunity to add fit for purpose components, essentially capabilities.
I still think that's true. What you might lack is the staffing to be able to operate it. What you might lack is a seat at the table that says, hey, security, You've got a bunch of requirements here that you keep pushing on application teams. Like for example, they've got to be coming from, you know, I want a full ZTNA type situation and I
want this MFA. You, you, you're doing all these things, but all of those controls are disjoint and they're not actually been sort of laid out together because they have to really run in parallel in a lot of ways. And I think this is, this is an opportunity for, to me, what I think what Gartner would call identity first security. They really hate the identity security term.
It's really entertaining to watch them kind of go off on that of just the, how do we make our security controls and our identity controls first and foremost in that sort of set of security controls and orchestrate that to happen one side. The other side of it is, but one of the trends we're seeing is that people are building data tiers that are considering more than just one flavour of data, right? Used to be my IGA tool had admin time data. What could I write a connector
for? Pull data back, provision back out again, right? And our access management tool knew about systems it was connected to. And who attempted to create a session? Did we create that session? When did we log that person out? Never the two shall meet, right? Like totally siloed data. Now we're starting to see people say, let's bring those sets of data together, let's bring those things together and then be able to have signal information.
So say shared signals framework from things like our EDR starting to facilitate this thing where now you've actually got the data you can reason against, even if you're writing basic policies. The thing that I struggle with is it is bananas. If you look at someone's identity architecture, each component in their architecture, their IGA, their PAM, their SSO, who knows what else they've got in there, their specialized MFA, each one of them has their own data repository.
I guarantee you that like 20 to 30% of the data in each one of those things is duplicated with one other component, if not all of them. How on earth are we supposed to operate this monster if we're not all reading from the same
page? And so one of the tenets I say in modern IAM is a unified data tier that everything in the fabric can pull from and use at least as a system of record and bring proper data management practitioners to this conversation as opposed to us IAM people being like, cool, I know what I'm doing down here in the data tier. You don't. You just don't, right? Data governance is a real thing. Let's bring those practitioners
into this story. All right, let me try to swing it back to the positive side because you sparked a couple thoughts in my head. And one is, is there a catch up point here or a level skip or whatever we want to call it where we say, OK, yeah, maybe we missed the boat on IGA, you
know, over the last 10 years. But if we adopt this mindset, this modern architecture, this modern identity kind of thinking, is there an opportunity for organizations who maybe missed that boat to skip ahead to, hey, you know what, we've got some new tools that are coming out. We're better at our data. Maybe we're more organizationally sound when it comes to, you know, how we collect that kind of stuff and store it.
Maybe I don't need all those other components that at that point might be considered more legacy. Is there an opportunity for that? I think there is an opportunity. I think it's around taking the heart where you can, where is most impactful: zero standing privilege. Leave aside the plumbing, leave aside all the things that I actually talked about in those blog pieces and focus on where do we have the opportunity
to use ephemeral access? And can we describe what the appropriate access is for a certain job function? So a production instance, break glass scenario. What do developers need in stage? What do they need in test and where systems and increasingly especially our cloud ones, do facilitate ephemeral access. So you get something assigned at the beginning of your session and when that session's over, it goes away.
Holding tight to that as a goal I think will have sort of knock on effects of like, OK, cool, I can do that in these environments. Now, how do I better describe the rules of the game here? Where should my control points be? I think it leads to better conversations in places that don't facilitate ZSP as easily
or ephemeral access as easily. That's places to then take a really sharp eye and look at it and say, is this the place where we need to do more role engineering, more QA, Rs, what have you. And really like focus the scope of where we're doing more heavyweight traditional IAM and start to find pieces critical, critical systems, cloud systems, what have you to actually try to bite off some of the ZSP concepts and start to
develop those that muscle there. And I think there really is an opportunity for kind of a catch up there because we're now increasingly finding high impact systems that do facilitate it. That means you don't have to bring all the tools of the last decade to bear. You actually can do this differently. Lighter weight, easier to audit, more effective. I can see where you broke this into multiple blogs for instance, than just one blog and
layout. I'm threatening to glue them all back together and make like an e-book that I don't know I'll print out for my mom or something. I'm not sure what I'm doing. So you talked about policy. I had a bunch of follow up questions, but I think we should keep pace when it's the data talked about data lake earlier I even had just a foundational question of like, OK, what is identity data? You actually started a whole piece around what is identity data?
I have always kind of felt like there's the black and the white and then there's the gray in between. There's information like transactions that Ian did on Amazon, those are not identity data. There's Ian's credentials to log into Amazon, that's identity data. Then there's a whole bunch of stuff in between like billing address and other things that maybe they're application specific, but they could contribute to, oh, you know, Ian lives in this part of the world
and things like that. We can make some identity decision based on it. What I'm finding as I talked to more identity practitioners is that they want to solve their business specific identity and access issues with data that matters to them. You know, if they're, you know, say in the insurance industry or something like that, maybe there's some data elements that come from other systems that they can make access decisions on.
Do you see that's, I kind of feel like that is enabling that type of approach is something that technology vendors are starting to say, all right, well, there's all these different use cases that are specific to not only industry, but specific to clients. We're not going to try to solve them all. We're going to give you the platform to build it from. And it's not only maybe it's not even like a technology or product thing to solve. Maybe it's, you know, it's just building a platform.
So I, I guess like turning all that into a question is what were you talking about with what were you thinking? What the, what the heck were you thinking? So, so two things. One is I wrote about this not in the same series, but a post which is a probably bad idea, which talks about workforce identity data platforms. Get to that in a sec. In the consumer world, and I'm not talking about consumer IAM, I'm just, I'm talking about in the consumer world you have data platforms called
customer data platforms, CDPs. It's its own market and it consumes all manner of data, everything from click stream analytics on websites to e-mail open statistics to self provided preference information. You know, I'm into these colours, these styles, what have you. All of that goes into a CDP and arguably all of that then is used to build better customer journeys and experiences.
And so if you are on a major e-commerce site, you are very much have information that is now in a CDP somewhere. The credential that you used to log in, let's say it's a social credential, that's also interesting. So in my mind, I've always had the attitude of the data that is
associated to you, the consumer. CDPs are designed to do these things from a data management perspective and then the ability to reason across it and make decisions across it and then affect changing it. How you authenticate to this site is a thin wedge of that information that an identity team is responsible for, but they should be the data custodians for the entire CDP. They don't own the CRM like that would be crazy to think about that.
But the notion of a CDP that takes all these different kinds of data in terms of different velocities of data, structures of data, and puts them together so that you can actually build a better customer experience. That's really cool. So when I took that idea, I was like, what if we did that for workforce? This is a horrible idea. And I kept going through like how horrible of an idea is.
Like I'm going to throw what training classes you've got in there and I'm going to throw your 360 surveys. Like I'm gonna throw everything in that pot. And not dinner. I'm sorry if I'm interrupting, but are you talking about like taking copies of the training data and throwing it in your lake or you're just pointing to
it? Well, so here's the beautiful thing is that, and this is why we need more data management professionals in conversations about any practitioners is that things like lake house architectures can do reference without copy for massive data sets. Like I didn't really learn this until I was at Salesforce for a couple of years and looking at how they're building their CDP and the ability to do zero copy. But on the, you know, petabytes of data, you're like, holy crap, like blew my mind.
I got my start as an Oracle sales engineer. Like good old relational tables and Oracle seven man, the world is a really different place. And if you're listening to this and you take one thing from this is go find your data management practitioners because they're fascinating and the things they can do are fascinating. So I think it's reference, not copy, but you may copy for a variety of reasons.
One of which guys, you know, this, how much in the, the customers that you have and the work that you do is dealing with data quality issues and you find those data quality issues and what are you left to do? Go to the upstream system and be like, Hey, can you change this? Cause your use of like street is just all baffled and weird and it's causing all sorts of problems that that's not a conversation that often goes
well. So it's left to the identity team while they're marshalling data to fix these things. So there's actually some legitimate reason why you do want to copy some of this stuff so you can improve its data quality. And so long way around, very long way around, I think there is an opportunity to bring together a variety of different kinds of information, whether it's copy or reference, that's the data management team's
decision. But whether that is workforce and workforce related training information, those kinds of things, plus why don't we bring in other kinds of information? And that leads to the conversation of like, should this thing be its own? Should it be its own identity like, or is it part of your security data? Like closer to things like IP intelligence, other threat information, zero trust, telemetry, things like that. And now identity has its components in there that it can
reason across. I don't. Know that's going to be. Some of it's going to be log data, some of it's going to be resident in some system for sure. Some of it's going to be third party data that you can only write you only get through an API. Yeah, all of those things. And, and this is the important part, I've talked to organizations who have built these things either inside of their security data lakes or on their own.
They are a rare breed of organization, right to, you know, the person who's like, I'm barely holding it down as it is. I'm not building a data lake for this identity type.
Are you kidding? I think what we're going to see, and the market is showing us this, is that vendors are coming now and saying we can at least combine different kinds of identity data, admin time data, runtime data, event time data, and give you a better wider view of the playing field, the ability to affect controls better. So I think there's this democratization going on. And yeah, some set of companies are going to go out there and
build these things. We're starting to see vendors here saying we're doing that for you, but no one's going to buy that. No one is buying one of these things. What they're buying is I need to be better about my IGA practices. I need to be better about my standing access. Oh, by the way, the thing that's powering it is this really cool data tier. Don't worry about it right now. In a couple years, you'll be ready to start doing other things with that. That's the hope I have for the
market. So the third layer was orchestration and you know, it's, it's kind of funny because I was reading through this, I kept thinking back to Strata Strata's, a company that does a lot of what you're talking about, like policy, orchestration and other types of orchestration. I, I do think a lot of these terms is kind of funny because I think policy could be these technical policies or they could be your infosec policy.
Data could be the not when you talk about who has access to what, it's the, what the data is, the what that you have access to. But there's also this whole identity data concept. Orchestration could be the orchestration of, you know, these identity systems and you have legacy identity systems, you have modern identity systems. How do you hook them all up so you can achieve full integration without just wiping out everything every time you want to do something new?
But it also could be orchestration of work flows. But you're talking about, I think more the first type that I talked about, right, which is orchestrating modern and legacy identity systems. I would think about it this way is so you've got this data tier, you then need to evaluate and take action based on either changes in it or discoveries in
that information. And so you, that could be everything from a classic provisioning policy to an ITSM ticket, classic workflow ticket flow. Could also be a hey, I'm the IDP, we are using XYZ MFA provider. I need you to go actually challenge this user, right? So I think there's a different, lots of different kinds of orchestration. It doesn't need to be massively
complex. It can be, but I actually think a lot of it is just the basics of how do I evaluate policy based on some changes in information and data? And then what do I need to go tell to go do something like what's my execution layer that I want to go reach out to and nudge it along to take an action? So it can start very, very simple. Most people have these things in their IGA tools. In fact, I would argue they all do. But you even have it in your IdPs, in your PAM systems.
That's just an acknowledgement that the real value in a lot of our systems comes from that orchestration layer. As complicated or as simplistic as it is, that's the thing that really is doing the heavy lifting. So you have OK, we went policy, data, orchestration, execution. And I think the execution is kind of the, these domains of identity, IAM technologies. It's the single sign-on platform, it's the IGA, PAM. Is that right?
Not quite, but it's close. Think of it as the execution layer is the interface between your IAM architecture and the applications that you actually want to go manage access with it. And so that is your provisioning connector lives in the execution layer, your SSO configuration, effectively like the brokerage of a SAML flow, that's an execution layer example. We used to pay for stuff in that layer, like we used to buy connectors. Like that's crazy to me.
Like the execution layer should be free. And increasingly, as you have integration platforms as a service, that's not quite the right the abbreviation, but essentially there's whole businesses out there. They're like, we can basically give you a unified API service over everything you got out there. So I can trigger create user or an update record anywhere you want. That's not fun. Like that's not a the IAM business anymore. Like you shouldn't be paying for that.
But it's where identity, the orchestration meets the real world. That's where the rubber hits the road. OK. The last one that you had, and I don't think this was part of the original framework of layers was events. And I think you kind of tease us a little bit in the beginning talking about how we're moving toward more of a real time event type of environment, so recognizing things as they're happening and some of those things are going to be attacks, right? Well yes, and think about it
this way. Identity systems traditionally have is a piano with about 5 keys: join, move, leave, log in or verify, log out. But no one ever plays the log out key, like that never happens. So we have four, four notes that we can play. We are not going to be the most popular keyboardist in the town, right? Our ability to affect controls was significantly limited by the events that we could actually instrument: join, move, leave,
log in or verify. Event time identity totally changes that because now what we can say is look, an application out there says, hey, I have my own inbuilt transactional fraud system built into me and I just terminated a user session because it was super weird. Basically shared signals framework is Twitter for apps. It's like, hey, I'm just going to shout into the void. I did a thing. I terminated this session for this data subject because that was weird. I don't know what's going on.
Maybe someone out there wants to take an action about that, but I don't have to know about it. I, as the application don't have to know about who my IDP is or my IGA system. I simply say I terminated a session because of fraud. Now I can pull that information in and say, oh, now what do I want to do if I see these kinds of things? Let's go find the data subject. Let's go tell the IDP, terminate all their sessions. Meanwhile, let's go change maybe
more dynamically. There is zero trust from a network perspective. Let's sequester them. Let's do these other things like it gives us this opportunity to bring our controls to bear in more places than just join, move, leave, verify. That's hugely important. I mean, more than that, I think it's an opportunity to be almost creative with events and what are things that we can do with, you know, the data that we have available to us? What, what are things we haven't thought of or maybe couldn't do
before, right? I think this is a real opportunity to say, hey, you know, this, this shouting into the void thing is great. What if you had a very specific app or function or whatever it is that's looking for this very specific thing. It's available now. It is. Yes. And the other side, it is the things that generate signals.
Now, if you're the kind of organization that has data scientists on board and AI scientists, you can actually start to build models that look at this data tier and be like, hey, I know something weird. I'm going to emit a signal. And now we can take action on that immediately. Versus I'm waiting for my HR purse, HR trigger to add a new user to the system. Like it's, it's really interesting what these things open up. By the way, I feel like we're late to the game, right?
Security has had much more dynamic sets of controls, not limited to I only do something when the user boots their laptop, right? Welcome to the party identity. Like now we can actually work in concert with security controls because we can act on the same cadence, we can act with the same velocity they do. That's hugely important. Yeah, I kind of feel like that's the the idea that we're going for with identity security. It's just hard to put a definition around identity security abuse.
Anytime you're talking about identity, it gets into something. Oh yeah, that's identity security. So. So Ian, with this framework, where do you take it from here? I mean, are you going to continue to evangelize this or are you looking for the community to kind of start to pick it up? And you've done so many things, by the way, like you started a lot of organizations. Like did you just give me the what have you done for us lately question? I just want to check.
I didn't want it to sound that way, but. Ian, you're doing way too much. You're giving us stuff we're not asking for, man. Come on. So, oh God. All right, we'll get it back on rails. All right, so here's what I want to do. Like I, I do want to keep talking about this. Like next week I'm going to go visit an enterprise and talk unpack some of these thoughts a little bit more. This is an absolutely leading edge organization in terms of identity and more.
It's about conversations of just like this is how I'm thinking about it. How are you thinking about it? Like it's just going to refine my own thinking. I think it's really beneficial. Maybe I can help them too. I really hope so. One of the things that I want to do from this is I'm really enamored with this data tier thing. And the more I talk to people that have done it and it brought real data practitioners into the story and why they're doing it. Like it's fascinating to me.
And one of the things that I've started talking about is I, this may be me tilting at a windmill. I think we need to put some in classic relational database terms, standardized views so that everyone, whether it's a third party product or home grown, can implement these views such that for a core set of objects, maybe user and entitlement and system, I can get data out no matter what the back end is, no matter whether it's third party provided or it's first party provided.
Because that can reduce the cost of switching between vendors. It can reduce the ability to the challenge to do bake offs between technologies. It can facilitate people bringing their own models or buying models to look at this data to find interesting things about them. So I'm, I'm a little bit on this, what I'm lovingly calling OIDS, open IAM data schema, those of you who've been around for a
long time. An OID is an object identifier famous in LDAP land. And this came from a realization that the last time we really as an industry standardized data objects at rest was like inetOrgPerson and eduPerson. And so with love in my heart, I'm like, you know what, let's
do a throwback name here. But I'm kicking that conversation off with a bunch of folks and I'm getting a lot of feedback and I'll it's really interesting seeing the questions and the challenges to it. But that's like in my to-do list to the next couple of months. And then we'll see where it leads. It may all just crash and burn, but someone may take like an ember of the remnants of it and go use it to start a fire and that'll be great. So let's let's hope that happens.
Yeah, I'm, I'm thinking OIDS and now I, I'm thinking about the old, I think it was Domino's Pizza, the Noid. Do you remember? That, yeah, avoid the Noid, Yeah, so I did. I did think about that. We're all of similar age on that one. I'll let you explain it to the listeners what the Noid was and put that in the show links like the Wikipedia article for Noid. The 80s were a weird time for commercials. They just put it that way. Yeah. I look, there's so much to unpack here.
And here's what I would recommend is like we're grabbing our show notes, the, the link to the articles that you that you've written here. I would read those definitely. And then I would listen to this or maybe vice versa, depending which, whichever one comes first, because I think there's a
lot to unpack here. And I love the discussion that you started and I and I think you've turned some of this as well into some talks maybe given like Identiverse, maybe it was Gartner, I can't remember which one where you've started to kind of posit this. And I love this idea of theory crafting, right. Hey, here's some ideas we have to solve some of the problems that we're seeing. What do we think? Many heads are better than one. So I would definitely encourage people to check it out.
I also want to ask about one thing I noticed on your LinkedIn when I was, you know, doing some cyber stalking of you before you joined the show. You recently became a faculty member for IANS. Yep, the IANS Institute. Yeah. So tell me about this. First of all, not everyone may be familiar. What is IANS and then what are you teaching? Yes, faculty is an interesting word too.
So IANS Institute has been around for quite some time and I knew it as a place where really kick ass security practitioners would teach classes, could do consulting engagements, could actually just engage directly with an enterprise to answer a question. And a while ago a friend of mine who's one of those absolute kick ass security folk was like, Hey, you should totally become a faculty member.
Let me do the intro. And I went through the evaluation process and I got to say it's the opportunity to do calls with enterprise customers who are having challenges and just be able to see if I can help. It kind of brought me back to my Burton days and like, I love it. It's like a way just to kind of play stump the chump. Like they've got a rando question, which I love doing and
like seeing if I can help. But also it was just destiny because it's literally my institute, so obviously I have to be a member of it. So, you know, there's that. That's actually a pretty good segue. You just kind of kind of say, hey, this is this is my thing. Yeah, take it over now. Yeah, I'm not charging you for likeness fees. It's cool.
I like the idea of the whole stump the chump, you know, trying to trick the professioner, you know, ask the questions and hopefully, you know, there's answers. If there's not, let's figure it out together. I think those are the I think those are the one you learn the most. It's like, OK, yeah, I don't know about that. I mean, let me go look at that because I feel like whether you've been in any industry or any topic, right, there's always something new to learn.
And I know Jim, you're very fond of saying sharpening the saw. So there's. If you want to learn something, teach it. Yeah, If you want to be really know something, put yourself in a position to teach someone else about it, and then you'll know whether you know it or not. So I gave a in as sparks my my member from today. I actually gave a class today to a bunch of auditors on IAM 101, right. What should auditors be looking
at from an editing perspective? So sorry for the IAM teams who are now dealing with smarter auditors. You know, they're people too, but the idea was like, hey, you know what, let's level set here. What is that we're doing? And I, and it give me an opportunity to get on soapboxes like, Hey, auditors, stop telling your organizations to change your password every 90 days. Like that's, that's old guidance from like 5-10 years or seven
years ago. Now probably some of that area, you know, time to get with it, man. You know, so it gives me an opportunity to maybe do a little influencing on some of the areas that I think, you know, organizationally things do, but I, I enjoy doing that kind of stuff. You know, I'm, look, I'm not a technical expert in deep and everything, but I know certain things and I do enjoy the teaching aspect of it.
I think you've got the opportunity to share knowledge and you know, maybe we do with this podcast or other things. Go for it, it's great. All right, I have a, I have a lighter note question. Uh oh. If you could teach anything, doesn't have to be identity related, what would you teach? Does this have to be something that I know today or I could learn and then teach it? Oh, you know what? That's a good spin. Either one, that's fine. So I, I would love to teach
music theory. I don't know really the first thing about it. I mean, I played an instrument junior high in high school and what have you. But I'd I'd love to teach as it would force me to learn about music theory and like how the construction of music comes about and what are the sort of basic tenets for it. If it's something I do know, I don't really know much.
I don't know. I think you want to fall back on the like, let's just go with the I'm going to learn musically and I'm going to teach it. I like that. Oh, that's good, Jim. What would you teach if you could teach anything? So I've been able to think about this question for about an hour because you. I spoke on I spoke on all of this at the last minute here.
Yeah. And so I originally thought like, oh, you can't just go and say identity and access management vendor developing identity strategy, that's going to be way too boring. But then I started thinking about my hobbies and what would I teach, What would I take of my hobbies and turn into a college course? And I thought, no, that would ruin my hobby. I'd much rather just work a little bit longer and keep my hobbies, you know, pure. So I'm going to go with identity
and access management. Oh, that is such a blame. And I was expecting something baseball, or anyway, I thought of money laundering, you know, something that's a little more interesting. Those two hobbies I don't want to ruin. OK, well, all right, let's see.
You know, you got me. I was originally going to go down a video game track, but I wish I could teach people to play guitar because I have this guitar that has been sitting in the corner of my office for a couple years now, and I can't do a darn thing with it. I have. Now, to be fair, I have not really invested the time into it and I'm always looking for shortcuts. But I wish I could teach guitar because that would mean that I know how to play the guitar. Yeah.
So there you go. You got me on the music theory one because I, I, you know, I, I do like music. I, I have no musical talent whatsoever other than the jingle for this show. That is about as creative as I've gotten. Pretty like that. But I do listen to a lot of music. I challenge myself to try to listen to something new every week. So I'm constantly kind of evaluating and OK, I like that. I don't like that, so I don't
become one of those people. Like, can you put what you listened to last week in the show notes to this one? Because like, I'm always looking for new stuff. I mean, there's so much, man. I'll tell you what I have gotten into recently and kind of recently. It's not new I would say but The Orb and Massive Attack so. The 90s. 80s, nineties, yeah. Electronic music a little more casual and chill so you know if you're looking for good listens, go back and listen to that stuff.
It's not a lot of work. I mean, some of those songs have so many different layers to them that I'm constantly picking up. Oh, I never heard that before. And so I'm constantly. Orb's Perpetual Dawn isn't their sort of their famous track? It is. And they I think they just re-released a new version, actually a new video just hit YouTube of all places. And yeah, so there's there's a lot to discover there.
And I think, you know, I don't want to be one of those people where I'm like, you know, 60 or 70 and I stopped listening to music after a 90s grunge, you know, so I want to like learn new stuff. So I'm with you, all right. We've been talking for an hour and 5 minutes. It always goes by so quickly with you, Ian, so I appreciate it. By the way, I want to say one noted thing. Jeff teaching a class about identity and access management would not be boring.
This is a fantastic topic. We just talked about it for an hour. Was it boring? It's only podcasts that are boring that are about IAM. All right, all those leaving on high note. We'll Costanza this thing. Ian, thank you so much for joining us. Jim, as always, thanks for your time. I will have links in our show notes to pretty much everything we've talked about. Go read the stuff that Ian has been posting. Really, it's kind of thought provoking stuff.
And this is how these conversations and these thoughts are what leads to what's next and what you'll see in products and services and eventually those things trickle into organizations. So I would definitely recommend that and I did find the link for the Avoid the Noid. So you'll see a Wikipedia article for that as well. So with that, we'll go ahead and leave it for this week. You can find us on the web, IDC, podcast.com, visit Ian's website, weaveidentity.com. Even though it won't let me
access it, go ahead. I'm sure other people will not have the same problem that I have. All right, thanks everyone for watching and/or listening and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.
