The biggest thing is to have a story and know your data, because you could go invest tons of money in this, and if your data is swampy, you're going to have a swamp. When I say know your data: clean data, marshalled data. And I know that sounds like a very pipe dream, but get your identity data right first. What does that mean? So how many companies onboard people without doing verification or proofing in the workforce?
A lot. They take the HCM system's word for it. Like, yeah, I approve the person, they faxed me over the I-9s and the driver's license thing, manual entry. I mean, let's face it, it's out. It's out. It's public knowledge that there are some countries that are coming after us domestically and they're faking documents. Gen AI is a thing. It's very easy to fake stuff now, right? So getting that right at the entry point makes everything else clean and simple.
But if you get it wrong at the entry point, you create a fractured web of just distributed nonsensory. And yes, you can trademark that word and use it royalty-free. But you want to create line segments, like you want to have event data, event action. But if you have, is this Jeff? I don't know.
But if you give Jeff the wrong entitlement, security risk. If you onboard Jeff twice, now I have 18 accounts to worry about. So, in a way, if you get your data right, you can decrease your spend across the board on PAM, IGA systems, account management. You won't have account drift. You won't have account sprawl, real sprawl. All those are real problems. They always start at the base foundation of your data.
Like, know your data. This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff. And hey, you're not Jim. Who are you, stranger? Not Jim. No, you're Sean O'Dell, your identity guy at Disney. You're going to be my co-host today. Jim is on assignment, as we like to say in the press business. So he's got the night off. You and I are going to record
something here. So I'm going to have to swear you in, because we're going to have to make sure that this is official. So I'm going to have you repeat after me, Sean. I, state your name. State my name, Sean O'Dell. Of my own free will, I'm here on the Identity at the Center Podcast. Of my own free will, I am here on the Identity at the Center Podcast. The views expressed here are my own and do not necessarily
reflect that of my employer. The views expressed here are my own and do not necessarily reflect that of my employer. You got it. It's official. Welcome to the Identity at the Center Podcast, Sean, again. Good to be back on again. So it's been about a year since you were here with us. You know, we were just talking here before the record button: one year and one day since our last episode went live. And I'm not going to make you relive your origin story. I'll point people back to episode 255.
That was back in January of 2024. This is going to be episode, I think, 328. So we've been rolling along here. I guess give me a little bit of an update before we get along. Anything new in your world that you want to share? I have... I know, I have two kids versus one. So I have a Kelly Ray, named after, you know, Rey, and Luke, named after, obviously, Luke Skywalker. New stuff at work, but just more responsibility, doing more, doing
more cool stuff. But other than that, I mean, taking more of a role in the industry, working more closely with the likes of Atul Tulshibagwale, Ian Glazer, doors opening a lot, first off, and OIDF. So I'm pretty excited about it, honestly. And it's like, why we're talking to you about this exact topic is because things are starting to all meld together. So I thought this would be a good topic to bring to the greater population of people. So a lot is changing, but
it's for a lot of good stuff. Well, I'm glad to have you back. You and I have actually kept in touch since that last episode, and I've gone back and forth with texts and messages and a bunch of different stuff. I will say I'm going to give you credit, because you have the coolest background of, I think, any of the guests that we've had. I know a lot of people like mine, but yours is next level
with all the Star Wars stuff. Give me a quick tour, because it looks like over your left shoulder is maybe some lightsabers, and then you've got some figurines and statues and things like that. So I have, these are the dark side sabers over here you can't see. But in my office there's the light sides over there. Then I have like a Mando closet and I have an armory, but the top shelf is just more like statues you can't see. Oh, I'm going to wiggle my camera if you're OK with that.
Sure, there's like Ahsoka and Rey and Ahsoka, but then the middle one is more of like my Clone Wars army. Then that's like the traditional Jedi. And the bottom shelf is the dark side, but I can't go that low because, I mean, unless you're OK with this. So let's see how it turns out. But there's the dark side stuff. You have the royal guard and more stuff. But I've always wanted to, and since I was a kid, I've loved collecting. I have all the old, old
toys. But I have a very, very forgiving wife who allows me to do this. So I love having it. It's just, it's my thing. It's my vice. You know, it's pretty cool, and definitely a forgiving partner is always helpful with that. I also hear some younglings or padawans rolling around in the background. So they've started their training early, I assume.
They have. They're earning both their IAM certificates and their Padawan training certificates at the same time. Sounds pretty happy about that one too. The last time we met in person, I guess, would have been probably in the fall, and you and I were at Identiverse. Are you going to be at Identiverse again this year? Yep. OK. And I assume you're going to probably be looking to get on the schedule, do some things.
I know this stuff hasn't been announced yet, but, you know, I'm sure it'll be fun. So for people who missed it, last time you were nice enough to ask me to host a panel around Shared Signals Framework and CAEP, and I thought it went real well.
We had a full room. I think a lot of good questions came out of it. Yeah, it was enough to where the Q&A format that we did, like, you asked great seeding questions, but then it just took off, and, you know, the shirts didn't hurt either. But I think the format went very well. I submitted for another panel. So if it gets picked up, you know who I'm going to call
to come moderate. So I can't wait. So we'll see if it gets picked up, but hopefully so. Well, I'm happy to do it. So you let me know and I'll be there for you. I'm actually going to be at EIC for the first time, 2025 in Berlin. Have you been to EIC before? European Identity and Cloud Conference. No. Hard to travel across the big ocean when you have a three-month-old right now. Can't do that. Yeah, I can see that. It's also expensive too.
So yeah, we're figuring that one out. But Jim and I are planning on being out there, to give people a heads up. It's like, hey, we're going to be out there in May. We've got a discount code. So if you're going to be at EIC 2025, it's May 6th to the 9th in Berlin. I've mentioned on some previous podcasts, it's my first time going to Berlin, so I'm very excited for that. And I'm probably going to hit
Europe at large around there. Not sure yet what I'm going to be doing, but I know that like Amsterdam is on the table, maybe Denmark, somewhere in that area, maybe somewhere like Munich. So still figuring it out. But you can show support for the show. If you want to register, we've got a discount code. It'll be on our website right on the homepage. It'll also be in the show notes. But if you use the code IDAC25MKO, that gets you 25% off.
So be sure to use our discount, take advantage of free savings, doesn't cost you anything, and just show support for the podcast here. So I appreciate that. If you guys... I know you're a... I know you're a foodie. I am. Europe, unmatched. The food is amazing there. I'm looking forward to the food. I think that's the one thing that is always unique when you go somewhere new, and if there's local or regional type stuff.
And we actually had Martin Cooper on here a couple of weeks ago, I think it was at this point. And so I asked him some questions about that. So if you've got food suggestions, hit me up on LinkedIn, especially in the Berlin area, because I'll be looking for stuff to do while I'm there for that EIC week. So yes, thank you for bringing that up. I had some of the best carbonara in Berlin, really, which is on me. I don't even understand how. But then I went to Italy and had
like, oh, just... Yeah, I understand that. You know, hold my jacket here while I make you real carbonara. I introduced you as an identity guy at Disney. Help me understand what an identity guy does. Maybe just kind of level set and provide some context around sort of your background. So my official title is Senior Staff Security Engineer for consumer and workforce IAM, because identity and security should be planted into one domain. I think most companies are.
Most companies are going that way anyways. I traverse the consumer IAM domain at Disney. I work a lot with, a lot of you may know him, Chuck Mortimer, you know, he did a lot of stuff with OAuth. And on the workforce side, every global brand you can think of at Disney, I have my hands in the pie of IAM. Pick the flavor of domain you want to talk about: provisioning, LCM, SSO, factor
management, all of it's there. So my scope is global, so I don't really have like, fix this one use case. It's more like, here's this problem for 100,000 people, go after it. So it's a lot of fun. Yeah, every day is different. Learning a lot that identity is the lifeblood of the business and it all starts there. Identity is intertwined in almost everything you do at a company. So it's very tangential and it's also important to not get wrong.
Yeah, kind of, I would say it's at the center, right? We call the podcast that for that reason. And I don't know about you, I did not say that out loud, but it is at the center. You're correct, yes. Cha-ching, that trademark, you have to give me a nickel every time you say it.
I have seen, at least, you know, from my clients in my day job and things like that and other people I've talked to, where it seems like identity's having a little bit of a moment here, where the recognition, I think, is starting to get to what I would call the appropriate levels even within an organization, to say, oh, this is something we can't skimp on or wait on. We've got to get it right. And it could be for any number of reasons, right?
It could be security, it could be compliance or risk type things, or it could even just be, hey, you know, we need a better user experience for our customers, right? Things like that. Do you see that same sort of trend in your travels and discussions with other folks in the space? I do. I used to always think consumer identity got all the bang for the buck, all the money, because of the user experience. But it's traversing into workforce.
A lot of the stuff that you're seeing in the consumer world, you have like consumer data platforms. You want to have the 360-degree view of your customer to know how you upsell, market, cross-market, make money, right? Same concept in workforce. You want to know what your workers are doing, why they're doing it. How is it more efficient? Like, if you can drive down login times 10X, that's efficiency. If you log in less, you can be more productive.
And, you know, everyone's talking about AI now. You have to know what a worker's doing, because if you start offloading work to a bot, you've got to understand, is it ethical for that bot to do what that person's doing? But AI is a different conversation. Not why we're here. But I do see it very much so. And across many travels I've had with a lot of friends who work in different companies, they're seeing the same thing. They really are.
So the last time you were here, we talked about some new, at least to me at the time, a year ago, we talked about Shared Signals Framework, SSF, and Continuous Access Evaluation Protocol. I got it right. CAEP is how we pronounce it. I want to take a stab at sort of summarizing it real quick and then you can tell me if I got it right, because I feel this is an area that people are still kind of trying to get their heads around and understand.
But I see this as potentially a next wave that we're going to see here in IAM. But let me start with SSF. It's basically a standardized messaging system that allows different security platforms to share threat information in real time. And I guess maybe not necessarily threat information, but share information in real time, stated a little bit differently.
It doesn't have to be a security platform, or you just do platforms, but you're spot on. And I guess, what is it similar to? Think of maybe like a service bus or a messaging bus. The messaging bus is how you orchestrate it. The framework is how you talk the same language, because, like, to get to zero trust, people gotta talk. So if you speak Japanese and I speak English, I gotta translate, right? But as long as you speak the
same framework, it works out. So if you're company A and I'm company B, I send you these three things, and these three things together, you know, oh, these things map. So we're good to go. So the messaging bus is more about how you orchestrate it. The framework is more about how you talk the same. OK. And then CAEP, or Continuous Access Evaluation Profile, is basically leveraging SSF. I got the thumbs up. Thank you.
To continuously monitor user access, user sessions, things like that. And then, because it's an event, you're able to do maybe more dynamic things like, you know, access controls, or just sharing that, hey, this particular thing happened, and you share that using SSF, and other things can pick up on that and do what they want with it or not, right? Spot on. Very session based, very user heavy. It is a layer on the framework. You're correct. CAEP can be done with more than
just users, though. It's identities. So you can do different things like groups of people, or units. You can do people, you can do IP addresses, you can even do machines if you wanted to. Not there yet, but you are spot on about it. You are absolutely correct. So Jim and I had this conversation a little bit. I'm going to throw something out there that we haven't really had a chance to talk about, but it is: can non-humans have an identity, or is identity reserved
for humans? Going to channel my inner Dean here. Non-humans can have an identity, but not every non-human identity should be backed by a carbon-based identity. I like that description, actually. That's pretty good, because I feel like there's a delineation between identity and account, or whatever thing you want to call the access vehicle of how you're going to get to something.
That's the way I look at it. OK, we're going to stop there, because I'm winning now, because that means you agree with me and not Jim. So sorry, Jim. I am Jim. I'm acting as. The other thing that I've noticed is interop events seem to be picking up for SSF and, I guess, maybe CAEP by extension
is part of that. There was one at the Gartner conference late last year that I know, like, Mike Kaiser was a part of. And I guess tell me about these interop events, like, what are these things, and help other people, normal people, understand what value they provide to framework developments like SSF and CAEP? So the interoperability events happened at Gartner. I mean, they're huge. There's one happening in London as well. The last one was at
Dallas, huge turnout. I mean, it was magnanimous there. So Mike Kaiser was there from SailPoint. Atul Tulshibagwale, the godfather of CAEP, he works for SGNL. He was there. He was blown away by how many companies and how many vendors have adopted and are promoting. And it was, again, immense. Like, I know I'm touting it, but when he gave me the readout, I was just
like, wow, this many people. It was enough so that, because, also a side note, I'm also a co-chair of the Shared Signals Working Group along with Shayne Miel from Cisco and Atul, we had to be very careful about how we made SSF backwards compatible to not
break implementers. So the interoperability event is there to really understand how companies can share security information and demonstrate how vendors that support it can help you achieve zero trust principles. Because again, that's where the link between zero trust and CAEP-ish things, which is what we're here to talk about, is: you never trust, you always verify. Continuous identity is the foundation of a zero trust environment.
And how you get to that is you've got to talk, you've got to communicate. How do you communicate? Shared signals, right? CAEP events ride on the Shared Signals Framework. So that interop event is, how do you share things like session revoked, assurance level change, token claims change, session presented, session established, or a risk level change? Those are all CAEP events. But if I send you an event, Jeff, that says, hey, this guy Sean looks suspicious, you're like, oh, I have Sean on
my system. I got it. Nope, Sean's gone. But that's hard to do, because you'd have an API, I have an API. How do you, oh, you speak this language? I speak this language. Whereas CAEP gives you the mechanism, SSF gives you the highway, to say, how do I communicate? And so I know you weren't able to make the one in Dallas because you were introducing, you know, new members of the family to your side. I guess take me behind the
curtain if you can. Like, do you know what takes place at these things? Is it basically a bunch of people talking? Is there like demonstrations, actually? You're right. It's demonstrated. So they actually get a room there and they set up tables and they actually showcase, like, here's how this works. Like, no smoke and mirrors, like actual hands on keyboard. Like, watch this: Cisco interoped with vendor company A, for example. And I'll use Atul and Shayne, for
example. Cisco and SGNL can talk, right? Or, to be very agnostic here, Microsoft and Okta can talk, Okta and Ping can talk. I'm not saying they can or they can't, but it's that kind of a situation. So company A can do it with company B. It doesn't mean that there's not political or legal barriers, but you've demonstrated the ability that I can share it with another company. But then, legally, can you do that?
That's a whole different conversation, but it's a really hands-on interop to showcase that we can actually share information. So it's actually really, really awesome. I'm convinced that this is really important, and I don't know if people really understand it yet, because it probably won't
manifest to normal IAM people like me in products, probably for a little while still yet, while products are being updated or developed to take advantage of it. But the idea here of having sort of this shared language and being able to take the best out of different products and combine them in new ways that we just haven't been able to do before, because everything's been so siloed and proprietary.
I don't want to sell this short, because I think this is a really exciting development, and it's going to open up a lot of eyes for people. Am I drinking the Kool-Aid too much, or are you with me? I'm thumbs up. I'm right with you. It is going to breed interop, because not every company is going to be all in with this vendor.
They're going to be, I have a suite of vendors, or I have a suite, and it's going to force standards to work, because I keep saying this: standards will set you free. If you adopt a standard, it works, right? So, on the timeline of kind of where we're at as an industry, where do you see us now? Because I feel like maybe we're on the bubble of maybe another era or another phase or a coming phase that might be coming through IAM. But help me understand, like, where do you see IAM today
for people? It's a very loaded question. It's actually a good question too. I think where we're at right now is we're in a mixture of like an admin and runtime. So we're still very much like offline back office happens before login. And then there's the runtime that can't ever go down.
Like, I've got a login, I have SSO, I need access management. And the admin pieces are more like your IGA stuff, like your provisioning, your role management, your access request, your certifications, PAM-ish things, you know, PIM, privileged identity, any privileged anything management things. So it's like an awakening, like the calm before the storm. But right now we're still very much in between runtime and
admin time. And it's starting to creep into efficiency of work and even security, because stale entitlements last for years as you travel between jobs or job titles where you're employed. You shouldn't have access to things if you change job roles. But right now that's on your new hiring manager to say, oh, Sean left job A for job B, go revoke roles or entitlements. We both know that never happens
at companies. It just doesn't happen, because they just don't have the cycles, right? Or they forget, right? Humans involved. Humans are kind of human, as I like to put it. Go ahead. No, we're very much at that pre-Renaissance layer. Like, it's like, OK, we've got to do something. We don't know what that something is yet, but it's something. I like that description, though, of admin and runtime, because I think that maybe helps
people understand. It's like, yeah, admin, right? It's people doing stuff, and they're doing it to the best of their ability, I hope, right? Or at least best effort, and you're only as fast as the humans can do it. This idea of runtime, though, I feel like it's like, this is where the puck is going in hockey and we're skating towards it. So this idea of runtime is, I'm assuming, things like automation and more data-driven, or maybe
it's more event driven, right? And leveraging things like SSF and CAEP and other things like that. Is that fair? Are they just, if I say something is event driven or data-driven, are they the same thing? So one quick terminology change there. The runtime is more of like where we're at now, like login, OK, moving towards event driven, you're correct. And now your question is, is it event driven or data driven? The answer is yes.
Chicken and the egg, cart and the horse, peanut butter and jelly, which one do you put on first? We are very much there. Most companies that I have people that I'm friends with in, they're doing it. They just don't know they're doing it, or they're doing it in pockets, like, you know, oh, I had to side-project this thing. They're like, oh, I have this data feed coming in. You're doing it, you just don't know it.
So if you're making decisions off of data and taking actions on it, you're essentially doing event driven IAM, which is AKA continuous anything management, or whatever Gartner wants to call it. Ian Glazer and I will talk, like, they will fix the terminology. We're just going to call it one of those two things and hopefully it sticks. And if it doesn't, great, we'll pick a new buzzword,
right? But you were right, you need data to drive the events, but in order to get data, you need events. So chicken and the egg, right? So that unlocks a lot of things like signal processing, continuous auditing. It's going to change governance as we know it, which is a different conversation, because that's hours of talk there. It's going to change data management, session management,
access management. And it gets you to, like, zero trust, but the real zero trust, not like network access, but essentially moving more towards a zero trust foundation. But I can't stress enough that with change, auditing, governance, it's all going to change. But again, slowly, bits and pieces, not all at once. But it is coming. It is like the golden age of IAM, the Renaissance. It's like, hey, IAM figured out, oh, this is event driven
architecture. This is awesome. Let's do this. And it's like, it is. Like we just invented, like, I don't know, the calculator or something like that. It's like, it's going to get a lot better, but I tend to be a little more conservative when I think timelines in IAM, because while certainly organizations might be on the cutting edge, I think for every cutting edge organization there's probably 100 or 1,000 that are not, right? They're still trying to get the
basics done. They're still maybe accepting a fax and saying, here's my onboarding form, right, to get onboarded, or they're just now getting into multi-factor authentication, and maybe they're forced to do it because of either cyber risk or an event or things like that. As much as I like where this is going, I tend to be more conservative from a timeline perspective.
So I'm going to throw out there something and say, OK, is this, like, from my perspective, I think this is a 5 to 10 year sort of migration or shift from runtime to event driven for the majority of, I would call, organizations that are doing something for identity to really kind of do it. I don't think it is like this is going to happen this year or next year. I think those are going to be leading edge. They're going to be early
adopters. They're going to be organizations that are well funded and really have their sort of identity act together. Is that a fair, and I don't want to call it a criticism, 'cause I don't think it really is criticism. It's just, hey, this is the timing of the real world. But is that a fair, I guess, observation that I'm having? Or should I readjust that amount? If only money grew on trees, right? The fact is businesses operate on a budget, and everyone's budget is different.
I can see the mom and pop shops going slower. I can see the companies that do billions and trillions of dollars in revenue, that have more risk, will adopt this faster. It's going to sound crazy, but it's going to be a risk based approach. Because if you look at it from that aspect, you're going to want to secure something that
makes $14 million a minute. Whereas if you're securing a flower shop that brings in $100 revenue a year, no. Well, if you're doing a flower shop at $100 a year, maybe. Maybe. It's not really a shop, it's more of an Etsy or a hobby at that point. But you make a solid point, where I don't think it's 5 to 10. I think it's three to five, I think. Organizations will move that
quickly onto this. I think they're not gonna have a choice because of the advent of technology and how fast it's going, where even if they can't move it that fast. I mean, what I'm seeing in IAM right now is the startup community is rampant. They're taking off. There's a lot of startups out there that are going to offer this as a service, and it's going to work. Do you think organizations get pulled along by their vendors, or do organizations push their vendors in this case?
Depends on the organization, but some people like the, tell me what you want me to do approach. Some people like to actually drive a vendor. I mean, I've seen both in my tenure across my career. I think you're going to get the early adopters that are going to push the vendors to play with standards like CAEP and SSF. But, like, every company's in it, every company has businesses
just to make money. But if you're marketing to, like, the Fortune 50s, makes sense. The Fortune 500s, again, you hit the nail on the head. Is it data or event? Companies that know their data, that can invest in their data, will drive this, because they're gonna drive the vendors and be like, here's how I wanna talk to you. I wanna talk to you using these standards. Then,
and then at that point, this sounds very draconian, but things like your IdPs, your PAM systems and your IGA systems become appliances, but they're important appliances. It's just, it's not gonna be like a converged solution. You're not gonna have, like, oh, vendor A does all my stuff. That ship has sailed. I think, in my opinion again, it can work for some companies but not all.
We kind of hit where I was thinking here, is it is a data problem to solve, for a lot of organizations just don't have good data management, or maybe they're collecting, they haven't done anything with it. So now we're back to that chicken and egg of events generating data, data being able to generate more events, right? Things like that. In the real world, what do you see as, like, OK, you need these things to really think about this next step when it goes to event
driven? Is it, go get your data? If you know you're talking to the millions of Identity at the Center viewers and listeners and they're like, Sean told me to go do this so we can set up for the next stage, which is this, what is this? And then, the biggest thing is to have a story and know your data, because you could go invest tons of money in this. And if your data is just swampy, you're going to have a swamp. When I say know your data: clean
data, marshalled data. And I know that sounds like a very pipe dream, but get your identity data right first. And what does that mean? So how many companies onboard people without doing verification or proofing in the workforce? A lot. They take the HCM system's word for it. Like, yeah, I approve the person, they faxed me over the I-9s and the driver's license thing, manual entry. I mean, let's face it, it's out.
It's out. It's public knowledge that there are some countries that are coming after us domestically and they're faking documents. Gen AI is a thing. It's very easy to fake stuff now, right? So getting that right at the entry point makes everything else clean and simple. But if you get it wrong at the entry point, you create a fractured web of just distributed nonsensory. And yes, you can trademark that word and use it royalty-free.
But you want to create line segments, like you want to have event data, event action. But if you have, is this Jeff? I don't know. But if you give Jeff the wrong entitlement, security risk. If you onboard Jeff twice, now I have 18 accounts to worry about. So, in a way, if you get your data right, you can decrease your spend across the board on PAM, IGA systems, account management. You won't have account drift. You won't have account sprawl,
real sprawl. All those are real problems. They always start at the base foundation of your data. Like, know your data. When I say know it, know it intimately, know how bad it is. Like, do you accept people to come in with, like, my last name's... Oh, really? Why? Oh, it's an apostrophe. Oh, I hate when that happens, right? You don't want to do the ampersand-NBSP coding. No, I don't want to do that. That's just, what is that? We're just going to scrap that,
right. So, and this is a different topic, but when you get to continuous management, you're providing building blocks for an architecture that has real benefits for security, privacy and user experience. And you're evaluating context and data signals. Context is supplementary to data signals. So getting your, you know, going identity first is a dream
for most companies. But how you onboard and who you are as a person are two different things. Prove to me you are who you say you are through a vetted process using identity document verification, like talking licenses, passports, etcetera. Once I have that and you are who you say you are, the rest of it is just a relationship and it's an engagement and it's just consent. Jeff wants to work for Company A. Do you consent? Here, do you consent to share this
information with me? Absolutely. Great. This is you. I'm good to go. I know that's you. Now, contextual signals. Jeff always logs in using a device from a location to these places. It feels very Orwellian, but it's not. It's meant to keep you safe and your company safe, because it's a problem right now. The government's passing sweeping regulation to where they're putting the onus on the companies to keep their data safe, because we're a target.
Every company is a target, and it goes back down to never trust, always verify. That's the beginning. Continuous identity is the foundation of a zero trust environment. As much context as you can pull into your data fabric, if you will, like you pulling stuff like your ITSM systems, your CMDB systems, your change management, Jira, GitHub, anything you can hang off of an identity that says this is what Jeff normally does and it's good.
You can derive what's normal, what's not normal, because at the end, no one should be tracking what you're doing. It's more of that one time you accept that push, you're like, oh, I shouldn't have done that. That's the time. That's what you don't want to happen. So this idea of data hygiene and knowing your data really strikes me as a business process problem to solve for. You know, a lot of times identity teams are not the ones generating the data.
And I'll go beyond things like authentication and authorization, things like that, right? Might be application owners who really are the ones who are, you know, generating authorization data. It might be, like you mentioned, you know, HR teams or HRIS, however your organization works for people data. Maybe there's not even a source for non-humans. Maybe it's, well, service accounts live in our Active Directory and it is what it is.
What are some tips for having this discussion with non-technical people to help them understand that we need to fix the business process so we can fix the data problem? Or part of the data problem, I should say. I think I already alluded to it. You have to have proofing and verification at the gate, whether you do it at hiring, interview or onboarding. A lot of times the person you interview for the job who shows up may not be the same person. That's the security aspect, mind,
I think. So you're talking about business process if you really look at it from an identity-first, not access-first standpoint. If you flip the model and say Jeff wants to work in a company, prove to me who you are, Jeff. OK, thank you. Appreciate that. Now you have an engagement with a company. I want to employ Jeff at Company A. Awesome, identity drives it all. So I now can provision to your HR/HRIS systems and seamless user
experience. You can do, let's use the word birthright provisioning, which I personally don't like because, again, you need good data for this. So if you hang off this great identity data and you have supplemental HR/HRIS/HCM data attribution, you can start driving things like, if Jeff's the manager in finance, he gets
access to these things. But vice versa, if I still know you're Jeff and you're always Jeff and you say who you are and you change jobs, automation, or it's like, oh, there's another manager, had to onboard Jeff again because they got a new job title, and you know. Or maybe converted from contractor to employee or vice versa? Let's go there. Yeah, I'm glad you went there. A lot of times it's, I can't wait for the process to fire. I'm just going to circumvent it
and go that way. This would stop that, because it wouldn't allow that data to come into the ecosystem and create that. No more of a line, just a fractured web. Because now it's like there's three Jeffs. Who are you here? You're the same person. But it's like, why do I need to have nine accounts, 15 profiles and SaaS application 12245? Just really annoying, right?
I cannot stress enough that your data is the most important piece of this, because without your data, the event stuff is just, it's more problematic, honestly. So let's talk about that data, because I feel like, you know, we're going to find data everywhere. Like everything is generating data. Is this a situation where we need to do maybe some internal cleansing or centralization of it? And I think, you know, things like the data lakes have been
and probably still are popular. Do you dump everything into sort of like, hey, here is a central repository of everything that we want our identity team to do stuff with? Maybe it's a SIEM, or maybe it's something custom. How much of that, I don't know, cleansing or centralization of data really needs to take place for this to work? Can I get away with having 8, 10, a hundred different data sources? In which order do you want me to answer those questions? Whatever
order makes the most sense to make sense of my gobbledygook. Ian and I talked about this ad nauseam. There's a need for a schema. So that'll be a different conversation for hopefully a different podcast. But let's just pretend that there's one out there. The reason why you want to centralize this, it's for taxonomy and single pane of
glass. A lot of companies want to get to the question: who has access to what, why and when, and who did it? That is the easiest question to state and the hardest to answer. I'm sure, Jeff, in your travels with your clients, it's just like, yeah, everyone wants to get to that. Yeah. The answer's usually like, IGA can do this. No, it can't. It can, but it can do parts of it, but not everything. Exactly. So how many sources do you pull in? That is a very
subjective answer. I would start with separating identity from HR, because the two are not the same and they should be treated mutually exclusive. Because here's a use case for you. I may have pre-hire activity that I have to do that won't put me into an HR system. So how do you get access to those applications? You have to do it from an IAM context. I got to give you something to log in with to access some systems, but you're
not an HR-backed identity yet. You're just like, you're Jeff. You're a guest. I'm sorry, for the company, yeah, you're interested. So that's the first concept, is like, get that right. And that comes back down to, how do you ingest that? And that's a four-hour conversation. But again, you could do proofing, verification. You could just have a form, Excel spreadsheet. Don't recommend any of that stuff. It's bad.
But going identity first solves a lot of this problem, because this isn't a knock on anything in HR. It's just they don't vet it. Like, you get a request and it's like, hey, I'm a hiring manager, hire this person. Cool, safe. They don't check. Well, I don't know if that's fair, because I feel like our HR people out there do things like I-9s, at least in the US, right? Kind of initial verification,
no? They do. I'm with you on that. It doesn't take place past that first day. Correct. But let's play your contractor to full-time employee case again. I'm converting. There's, take your Workdays, your SAPs, your bubble, your Bamboo software. The stringent security model you have to have in IAM does not exist in HR systems, because that's getting you into their system to do
their stuff. But if your HR systems get access to things you've opened up, you'll open up a can of worms. And to your point, it's not fair to say all HR employees, all HR workers, don't validate or fact check it, but talk to practitioners. They, I'm not. It's not a hill I'll die on to say it's 100%, I think. But it's not zero. It's not.
Definitely not zero. I think what typically happens is, especially in this world of changing from a contractor to an employee, that is sometimes very iffy, because a lot of organizations don't do a good job of tracking their contractors, being that they're not employees: vendors, partners, etcetera. People have access to different things. I think it's gotten better over the last five years or so. As I've been in the consulting biz
for about 9 years now, I've seen it improve, but it's still not where it needs to be. So my question now becomes, OK, now we're talking about a business process, and I keep going back to the business process of this and say, OK, whose responsibility is it to let HR know that, oh, this is a contractor converting to a full-time employee or vice versa? Is it the manager?
Is it the contractor themselves? But what is like, I think there's a shared responsibility here for people who are responsible or have accountability for identity or person data to have a business process that makes sense and is livable in the real world. And I see organizations do it a lot of different ways. I don't necessarily think there's like a right way and a wrong way; the wrong way to do
it is to not do anything. There's a lot of right ways you could do it. And I guess, you know, that idea of business process seems like it's such an important part of this data problem. Yeah, you're right. I think it's more about shared responsibility, and I think when you combine HR teams and managers and identity teams, that's why having both HR context and any context in your data lake swamp helps to give a feedback loop.
So you should always be pushing back and forth to say, listen, this looks weird. Is it legit? Oh, it is, OK, cool. We're good to go. But it's always good to have like a reconciliation or a feedback loop in any data platform. It's actually 101 of building a data platform. So. Well, I'd say it, but there's a lot of 101 that needs to maybe take place for data
for a lot of companies. I know there were some other things you wanted to bring up. We haven't really talked about things like sessions and things like that. But what else is important here that people should be thinking about? Yeah. So it's more of the continuous aspect. So I want to get into like session management and access
management. So let's say, for example, that you're evaluating some context and you're pulling in endpoint logs or you're pulling in device logs from pick your vendor of choice. This is the whole problem of like some really big companies that are in the news for security incidents that happened. I'll keep this very, very high level.
When you have context coming into your fabric and you know that something looks anomalous, you now have the ability to start revoking sessions. Now is it just like, oh, put this into a data lake and it magically happens? No. But this comes back down to, like, all of your IAM systems become appliances to help you orchestrate session management. So an example: if I know you continually come in from North Carolina on an Apple device, it's you.
But if I see you all of a sudden coming in from Nebraska, Texas, you travel a lot, OK. But ordinarily, same things. But what this gives you is session management at scale, which is very hard to solve in identity right now. So that's one example that I think is tantamount. Another good, important one is, I'm going to say, identity management. And what does that mean?
So not only can I revoke things, but this is going into like the CAEP-ish things. But if I know that you're constantly under attack, like everyone's going after Jeff because he has privileged access to a ton of stuff and they're spraying it across the board. And let's say, forbid, someone grabs your session, has your token and they're just going after all your apps. Not only can I revoke it, but now I can be like, oh, there's a pattern here.
There's a behavioral pattern that they're going after this. I now can turn your accounts off, revoke your access. I can call your IGA platform and start revoking all your roles and entitlements to keep the company safe and keep you safe, because you may have not done it knowingly, right?
So there's access management pieces to this in the continuous aspect, where the data fabric, the ingest of data signals, gets you more secure, but it also gives you the ability to start being dynamic. And this is Jeff. We'll just use Jim because he's out. So sorry, Jim. Jeff and Jim are of like roles. When you have a data lake and you collect, like, Jeff's a manager, Jim's a manager. Why do you have access to 500 systems and he has five? Who's
right, who's wrong? So now you get to actually go look at this from an analyst standpoint and be proactive to say, do we have role drift here? Is this right or is this wrong? And then you actually can, using this framework, act on it and say, please do this. And then when I'm saying wave the magic wand, those of you who are listening on podcast, I'm waving my hand across right now.
You can use your IdPs, your ID platform, to say, remove them from Group A, Group B, remove them from this role, remove these applications. So we're getting towards more event driven. So when you have an HR signal that changes that says Jeff has gone from engineer one to manager, guess what? You've lost your GitHub reply access, your Confluence, your lassie and stuff. This is policy now. Now you could drive this to a policy framework.
So this gets even more interesting now. So this is where auditing comes into play. You're no longer doing user access reviews. Your policy states that any manager in this company is baseline access, any engineer is baseline access.
So if I have an event that comes in and says event went, I'm sorry, job title went from an engineer to manager, policy happens. Now when your auditors come in and say, I want to evaluate user access, usually it's like, you don't have to; here's the policy. And you want audit logs? Insert vendor, insert thing. Here you go, here are your audit logs. Not only does this revolutionize things, but it actually drives costs down from an auditing
standpoint. I mean, the Big Four, maybe the Big Four will have to probably change how they audit some things, but it should make it easier all along. Because if you have a policy that states these four things, that's more binary. Is everything going to fit into this puzzle? No, absolutely not. Is the 80%? We hope. Shrug,
question mark. But I do, I can't say it enough that identity management and session management, access, it's, I purposely couple identity management and access management as different things, because one's behavioral and one's data-driven. I think this is changing how we're going to do our jobs in identity. I really do. Well, I think it'll definitely change the way auditors need to look at it.
And I think some education will probably need to take place by identity teams out there to say, here's how this thing works. You know, they're going to want proof, and, you know, that it's working the way the system is designed, right, documentation and all that. And there's probably a break-in period where, you know, they're probably going to look at it a little bit harder or weirder as they get more comfortable with it.
But as it becomes more commonplace, then identity teams are able to demonstrate that, look, it does work. We do have a policy. Here's how the policy works and how the configurations work. And that comfortability grows. It'll become a lot easier, I think, for auditors to look at it. And you make a great point. You made me think about something too, and I wanted to touch on it.
It's a zero touch principle. I love when he said this, and he always takes the contrary viewpoint, which is great: least privilege is a lie. I'm a believer of that. I know we've talked about that ad nauseam. When implemented the right way, purchased, implemented, built, purchased, hybrid of things, you kind of get zero standing privilege for some aspects of things. Let me explain what that means. You have this data fabric of HR signals and context signals.
I want to say you do change management right now. You can start taking your most targeted system, and let's take the most beloved cloud provider that has the most target in most companies, which is AWS, right? I gave a talk about this at Identiverse last year. You now can take authorization with context that says Sean does not need this access. Sean is an engineer, he should have access. Awesome. That's one guardrail. Do I need it on Saturday at 8:00
PM? At 9:00 AM? Maybe, maybe not. How do I know that? You use things like Salesforce, whatever ticket system you want to use, ServiceNow, Jira, GitHub, take your pick, right? When you have that additional context on your fabric that says Sean is an engineer that has an open thing attached to him, I'm going to be granting him AWS access for this ephemeral period of time. Great. So you just minimize your footprint. You haven't really destroyed a
user experience. You should have proper change management in place for production systems that could do financial harm to the company. That's your business. All right, we need this for security, but it's actually going to improve user experience if you think about it, because you're still going to be able to apply provisioning aspects to
this with a security mindset. So I just gave you a zero trust principle, but with provisioning, it's the same concept. Sean's been proofed. He got hired. Here's your policy. Sean's an engineer. He should have access to GitHub, GitLab, choose your sort of systems. That doesn't mean I'm granted access to every project in there. It means that I can get into it.
Great, now what? OK, now I'm working with Team A, Team B, Team C. OK, I have a Jira item associated to me.
I can now grant you really granular access to those platforms based on a task or a just-in-time approach. To me as a practitioner, I love that, because you don't get that call saying like, hey, Saturday, I need to know what so-and-so had access to. It's so-and-so at a point in time, because so-and-so hit that accept on that MFA prompt. Like, dang, I hate that people keep doing that,
right? But that's the security side of me. But there's also business value here, where provisioning in this gets more real time versus like, see you in two weeks, see you in a week, wait for a device, wait for an e-mail, where event driven gets you both business procurement quicker, better security, better access management and better session management. So to me, it's the, I want to say trifecta, but it's wrong because there's five things there.
So five-fecta, if you will, I mean. Quinfecta. Is that a quinfecta? That's right, yeah. Penfecta, if you will. Penfecta. This smells a lot like zero standing privileges to me, which to me, and shout out to John Morton, who opened my eyes up to this a couple years ago when we first met.
But this is kind of like the Holy Grail almost for authentication, authorization, where people are walking around and they have this ephemeral access where they only need it at the point in time that they need it and then it goes away. And then, right, you know, super secure if an account gets popped. It's less about authentication, it's more about authorization. I said it at my talk. Take my session, have it.
I don't care. I mean, not really, but like I'm saying, you can have it. That isn't the attack point anymore. Like, you can go after my session, hijack it. OK, have fun, have Syria menu, but talk elsewhere. And you're using Shared Signals Framework and you're taking advantage of things like that and CAEP and interop between all these different tools, right? They've signed on and now their tools are capable of it.
Can you imagine, right? It's almost like Identity 2.0 or 3.0 or whatever phase we want to call it, right? It's like, OK, I love what you're talking about. I love that you call it that, because I was actually, I had a conversation with a couple of people about it and I'm like, is it continuous IAM or is it Identity 2.0? They're like, too soon. Too soon. Yeah, it's too soon. We got to wait. All I know is it's got to have a
cool acronym. That's the most important thing. And then we'll figure out the name. So we need to come up with the acronym first and then we'll figure out what to call it. Exactly. Let's see, I feel we covered a lot of ground. I'm sure we missed something or I'm not thinking of something. Is there anything else that you want to bring up to the table
now? Because I know you're going to have maybe, probably more conversations about this at Identiverse, and it's too much to cover in a 45-minute or an hour episode. Oh yeah. Yeah, there's going to be a 2-hour workshop at Identiverse. I highly encourage you to go to the site, check it out. I might be running it. I'll know later in February, maybe giving talks if I'm chosen by the board,
which is great. I do want to end on, like, you know, we never really covered, like, define what continuous IAM is or continuous identity. And I just want to give a very blanket statement, that way people are like, this is great.
Give me a sentence that I can go back and say this is what this thing is. So continuous identity, and continuous IAM, used interchangeably, is the ability to apply controls to an existing identity-based session utilizing signals received and processed by your fabric. Fabric is a very nebulous term, but it could be like your data lake or your orchestration layer.
But essentially that's what this is, and you're building a foundation to get to real time and continuous and event-driven things. And you're right, Jeff, we covered a lot. I think it's almost like sensory overload, but it's a lot to think about. I'm open to questions on LinkedIn. Hit me up. I love talking about it, so it doesn't bother me at all. All right, let's end on a lighter note here.
Jim and I were very fortunate to be at the Gartner conference at the end of 2024, and turnabout is fair play. Our friend Rebecca Archambault invited us on stage to interview us, which is really a shoe on the other foot, because we did that to her and Henrique Teixeira when he was with Gartner, I think two years ago at this point. And so we had this conversation, kind of, you know, learn more about, kind of, like, what do we do in the podcast and some of the
interesting stories we had. So it was like one of the last sessions of the event. So thank you for all the people who showed up for that. And I think we had a really good, kind of fun discussion. One of my favorite things that I've introduced to the show over the years has been this lighter note, because it lets me ask really challenging, interesting questions. And this is one that I brought up to the audience, and I brought it up before in the show.
And so, Sean, I'm going to ask you, this is a profound question: if you were a potato, how would you want to be prepared? Initial thought is not like Mark Watney in The Martian. OK, but bad. So, don't like that. There's a couple ways you can take this, and I shared my thoughts on this with the audience at Gartner. But do you take it with the idea of, oh, what's delicious, right, in your mind? Like, what's your favorite style
of potato when you eat them? Or do you take the Jim route, as in Jim McDonald, like, he thinks about it from a pain perspective. What is going to be the least painful way to go as a potato? And there are other variations on that, but those seem to be the two most common. Yeah. I was thinking raw, but that's not how you serve potatoes, because Melanie's raw potato. This is not happening.
Somebody out there, the Raw Potato gang, is getting ready to send you a bunch of DMs and messages on LinkedIn. I'm almost leaning towards loaded or mashed, and I think I'm going to go with mashed, because it is the most delicious. I love mashed potatoes. I love potatoes. So butter, cream, potato. It's the simplest thing. It goes with anything. It goes well with all the things and it blends well. So, and eat just that and have sustenance.
Potato, the perfect food. I don't know, maybe that's our next podcast episode also. Because my kid loves potatoes, so he's like, potato. I'm like, OK, we're good. I mean, it's hard to beat a McDonald's French fry. I feel like when it's prepared and fresh, that's really good. I'm an au gratin person myself, so I have, like, kind of a cheesy potato, you know, experience, as I'll call it. Hash browns are really good. A nice crispy hash brown. I mean, yeah, I could go on and
on for hours. Maybe we'll make it Potato at the Center at some point. Potato at the Center. That's funny. All right, well, you're hungry, I'm hungry. We've been talking to you for a bit. I do appreciate you coming back. I'm looking forward to seeing you at Universe Away this year. And congratulations on the new addition to the family. And again, very cool setup you got behind you. So if you're listening to this, hop on over to the YouTube channel and take a look at
Sean's background. It's rife with Star Wars stuff, which is super cool. Thanks. We'll go ahead and leave it there for this week. As I mentioned, I'll have links in the show notes for your LinkedIn profile, Sean. Also have links for our discount for EIC again, ID AC25, MKO. What else? Links to Jim and I. And yeah, like, subscribe to all that fun things that are great for social, and share it with friends and enemies. I don't care who you share it with as long as they listen and
or watch. So go ahead and leave it. Thanks, everybody, for watching and/or listening, and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.
