The only reason financial services is doing it is because they have regulators making them do that. So one, is that true? And, you know, two, like where is the value? Is it just to be compliant with regulation or is there something more? Really good question, and I'm thinking now, I don't want to answer it positive or the way I already feel. Let's go positive first. So you are absolutely correct in terms of regulated environments, which of course is
multiple industries. There's a ton of value in user access reviews because it is both a detective and really a corrective type of control. At the end of the day it's done to say, hey, should Jeff and Jim still maintain this access? And if they shouldn't, let me create an action where I do an attestation and say nope, I want them out, and then some technology, some tool goes and removes them from that access.
And for small and mid-sized companies, it works really well because there's not a lot of bloat in small and mid-sized businesses. The larger the company is, the more job roles, and companies are really strong on RBAC. When I say RBAC, you know, role-based access control, the more RBAC you use, the larger your access role environment is going to be, the more access certifications, user access reviews, you have. Once you hit that threshold, now it becomes more of: is there value in this or is it
just a checkbox activity? This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad, yourself? Doing good. You know, obviously we always start every show off with banter. So I was like, OK, what am I going to hit you with this time?
And I was kind of thinking back to, you know, one of the areas where I've really been wanting to put together an episode, and the topic is device identity. And so what I did this week on Monday was I launched a poll question on LinkedIn. So it was: in your mind, is device identity the discipline focused on? And then I put a couple of options like a device's role in authentication, the accounts local to a device, both, or something else.
And it got 55 responses, it got 3 reactions. So basically 3 thumbs up, and it got over 1,200 impressions. I'm wondering what it was about how I put that poll question together that didn't make it very popular to respond to. Do you think, did I respond to it? I feel like I know I saw it and then I don't remember if I clicked my answer or not. Well, I don't know. I don't know if you did.
I don't have that data point. We'll just say I did because I'm a, I'm a, I'm a good, you know, partner in crime on this type of stuff. Yeah, yeah. So, you know, I think with the whole non-human identity topic, right, that's getting all the attention. But then we talked about device identity a lot and, you know, like my perspective has been I don't really think a device has identity, and I'm starting to change that opinion.
So I think within the whole non-human identity realm, you've got workload identities and then you have device identities. And really it's this whole, I think at the core of why a device identity is even important is this whole shift of identity is at the center. Identity at the Center, of course, is the name of our podcast.
We could take full credit for that from, you know, six years ago, but the idea that, you know, firewalls used to basically say, all right, you can either come in or not come in based on IP address and port and things like that. And now they're getting smarter where, you know, they can
actually use authentication. And then when you think about zero trust, you're not just talking about the firewall, but you're talking about the infrastructure layers below the firewall and you're talking about traversing from one network segment to the other. And should you simply do that based on IP address and port? Like, no, some devices and some identities should have access to certain network segments more than
others. So to me, like that's where we're kind of like circling in, but I'm still trying to wrap my brain around this. And I would say basically the community either, you know, is kind of like where I have been, which is like I don't even know what that definition is, or, you know, there's a mix of answers. I think most people came to a device's role in authentication, which kind of makes sense.
A few, only 5 people out of the 55, said the accounts local to a device, which I think is this non-human identity piece. Like 25% said something else. So anyway, you know, I think that there's confusion on the topic out there, and what I want to do is have some podcast episodes where we talk about this and kind of start to solve, or at least put an answer behind it. The official Identity at the Center answer behind: what is device identity?
Got it. Well, I just looked it up and I didn't vote, but I just voted now. And I think, I tend to think of device identity as the device's role in authentication because the other options were the accounts local to a device. I feel like that's more like local account management or something like that.
But I think this is an area where context matters maybe, and who you're talking to, because maybe I'm approaching it, OK, well, that's what makes sense to me from an authentication standpoint. You know, while somebody who maybe does like, you know, MDM work all the time or, you know, endpoint management might be thinking of it a different way. I mean, the IAM community is really good at having multiple definitions for the same thing.
So you kind of have to know who you're talking to and make sure that you're communicating effectively to make sure you're on the same page. That's, you know, I don't want to one-up you, man, but you know, 1,000, you know, impressions. I had 5,000 on one I asked this week. I got a lot of really good answers to a question that I posed on LinkedIn and I got to tell you that the brain trust, the hive mind of people on LinkedIn came through.
I was asking a relatively vague question around device identity essentially. So this idea of tap and go, but without the tap part, almost kind of like an ultra-wideband key or some sort of proximity authentication. The challenge being, what if you have multiple people in the same room? How do you identify the right
person as part of that? I gotta tell you, after 5,300 impressions and a whole bunch of views and like 30 or some 40 comments so far and counting, I had so many good people like reach out, put their thoughts into it. So there's no way I can reach out to everybody and thank them. So I'm just going to like as many comments as I can. But if you're listening to this and you posted, thank you so
much. If you reached out to me on D, you know, DMs or whatever, maybe I know I've got a couple meetings already set for next week to kind of talk through options, but it's something that's, you know, it's called like a, I don't call it a pet project, but it's something that I've been thinking about. It was like, OK, is there an option in this space where tap to go can be just go, or be and
go, or something like that? So shout out to the IAM experts on LinkedIn for, you know, for taking a look at that and taking the time to respond. So I appreciate that. I think LinkedIn, like any social media platform, has algorithms, right? So you posted that, you started getting comments, LinkedIn picked up, hey, this is a really popular thread, we're going to show it to more people. More people see it, more people
comment, it becomes viral. Obviously I posted mine, my poll, and it was not a very popular topic. So maybe we should have a bunch of, we should not have a bunch of episodes on this. But I still think it's something that we need some clarity around. But maybe we should have something on tap and go.
Yeah. Well, I mean, I don't, I don't know what's there yet and what's realistic because I think some of the caveats I threw out were like, OK, not proprietary, give me something that's built off open standards. You know, maybe it's something that we can use FIDO authentication for. Maybe it's something that already exists elsewhere, SAML, OpenID, and it's just putting the pieces together. But yeah, I mean, this is the great part of running this podcast.
Like I don't have valid answers. You don't have answers. Let's find smart people who do and get them on and, and ask them about it because I'm sure other people have, you know, somewhere, questions or, or things that they can contribute to. So it's not a, it's, it's not a race. I, I'm not, you know, it's, it's not that I got five times as many impressions as you. That's not what it's about, Jim. I've only said it like five times. Hey, by the way, I did one post
one time and it got over 10,000. That's great. I, I, I only, I only bring it up because like I've never, I don't think I've ever had a post that had that much traction. Like even when I do the podcast weekly, that's, you know, maybe a couple thousand, something like that. That's just people, you know, checking out our new show.
So for whatever reason, this idea of non-human identity and password, more user-friendly, passwordless, right, frictionless or friction, less friction I should say, from authentication seems to strike a chord. And I'm wondering if we can, I, I, let's put something up around that. I think we should just do a show about it. Absolutely. So hey, if anybody's listening who has a strong opinion, vendor-agnostic strong opinion, reach out to us, questions at idac.com.
It'll get to Jeff and I and we'll try to do something. Or if you're a vendor with a strong opinion, come on, we're on a sponsored episode and we'll ask you questions about it and get it out there. So absolutely, yeah, we got a couple conferences that we're going to be at later this year. One that we're not going to be at, but we do have a discount code for, is the Gartner IAM Summit taking place in London this March 24th and 25th.
If you use the code IDAC425 you save, and I'm not sure if it's €425 or pounds, you will save 425 of some currency for that region, which is better than nothing for sure. It might be rupees. It could, you know? Who knows? Maybe it's, you know, League of Legends gold coins. Who knows, you will save 425 of those. It's not 425 bitcoins, I can tell you that. No. Yeah, if you got 425 bitcoins, you're probably doing all right.
But that's a conference that has been nice to have to extend out a conference code for people to take advantage of. I'll have it on our, it's already on our web page, idacpodcast.com. I try to keep all of our current discount codes on that. So we've got the Gartner IAM Summit in London again, March 24th and 25th. One that you and I are very excited to go to, we've talked about it a couple times now at this point, is the European Identity and Cloud Conference in Berlin, May 6th through 9th.
If you use the code IDAC25MKO, you get 25% off. And so you and I are going to be out in Berlin for a week roughly. I think we're putting together what some podcasts might look like and hopefully we even have time to actually attend the conference and not just be in the recording room the whole time. Yeah, it's going to be so exciting. I mean, I've never been to Berlin. Heard great things about the city and I've heard great things about this conference. Heard that
it's like information, you know, will be coming out of your ears by the end. And I can say the organizers, obviously we've had Martin on the show, he's had us working with this conference team. Marina has been super fantastic about, you know, helping us coordinate our activities while we're there. So yeah, we're going to record a few podcasts on site and, like you said, get to enjoy the conference a little bit. So hopefully we'll get to meet a
lot of you there. And the conference code, discount code, will help you save a couple bucks. Yeah. And then hot off the presses, we have Identiverse 2025 that is in Las Vegas, so June 3rd to the 6th. If you use the code IDV25-IDAC25, you get 25% off. I know that's a mouthful. Again, the links will be in our show notes. They'll be on our website and you can check it out there. But that's another one we're looking forward to.
We've got some exciting plans that we probably shouldn't announce quite yet until we have things kind of signed, sealed and figured out and, and we'll say delivered, but planned and ready to go. But if you like prior conference activities that we have done, we may be doing something similar at Identiverse. Is that vague enough, Jim? Yeah, I don't know. Anybody's going to figure it out based on that? But twos and fives wild. So that's 25% off for Identiverse 25, IDV25-IDAC25 code.
I mean, look, if you, if you can get to a conference this year, if you're US based, do it. It's a fun conference too. There's a lot of really smart people that'll be there and you learn something. So I'm a fan of it. Obviously, hats off to them and thanks to them for their partnership on it. All right, why don't we turn to our guest because he's been patiently waiting in the wings here for, wow, over 10 minutes. I promised 5 to 10 minutes.
Over at 12 minutes. Let me welcome to the show Steven Washington. He's the head of IAM at Discover Financial. Welcome, Steven. Hey Jeff, Jim, pleasure to be here. Looking forward to a wonderful show you guys have. Well, thanks so much for taking the time. And is this your first time being on the show, and hopefully not the last. We'll find out at the end if you still like us or not. But tell us about your IAM origin story. How did you get started in IAM?
Is it something that you chose or did it choose you? It chose me. I went to college, I got my degree in computer engineering. I wanted to be the best Java programmer in the world. I'm like, yes, go Java 2, Struts all the way. My first job out of college, and they said, yeah, you're going to start managing, you know, web servers. Like, OK. And then they said you need to manage LDAP directories. Like, LDAP.
What is an LDAP? And until this day, you know, I, I realized how the godfathers of IAM basically was Novell, you know, eDirectory, and I still use, it's called LBE.jar, it was the greatest LDAP browser utility ever created. I started using it in 2001 and I still have it on my computer today. It can do wonders and it's a 25-plus-year-old Java jar. So I'm not familiar with this. I guess what makes it timeless in your mind, that it's held the
test of 25 years on your machine? And about 2010, I think, Softerra must have found a way to take it because they had the same exact interface. It was just modern. But the thing about it is you were able to use every feature possible in terms of certificates, you know, and do things that you couldn't do with modern security controls. So I was able to connect to almost any Active Directory domain, you know, Oracle directory, I mean, almost anything. And then I love virtual
directories. So I was able to actually use it and kind of play around with, you know, multiple directories through one proxy, you know, way back in the early 2000s. I remember Softerra, that was the, I used their LDAP browser as well, but probably not to the level you were. I was looking at maybe one or two AD domains and then I think I was using it also for maybe some SQL stuff. I don't remember, but I was definitely not a pro with it. But you mentioned the word
Softerra, I was like, oh, I just had a flashback. No, and I mean that interface was exactly the same thing. It's just that this was, as a matter of fact, it was a Java Swing, you know, user interface. So it was old school. So tell me about your role as the head of IAM at Discover Financial. What does that mean? You know, tell me, like, what does your day-to-day look like? Managing the largest team in cybersecurity at Discover, because as you all know well, IAM has the most challenges and
also the most opportunities. But where we are deployed, I tend to call IAM cyber adjacent. Some people like it when I do, some people don't, but I call it cyber adjacent because identity is really a combination of infrastructure services, cybersecurity and risk, GRC, like risk management. It's a combination of all three.
So it is that it cannot fit in just one specific space, but most times it's either infrastructure or cybersecurity, and at Discover we are within cybersecurity. So, cybersecurity adjacent? I guess I've always thought of IAM as in cybersecurity. What makes it adjacent for you? So if you think about what the, the major utilities, the IGAs, the IDMs, the, the vaulting solutions, they all are basically shared services, which means they have a large component which is infrastructure based.
And you think about it, it gives more focus on resiliency, operational overhead, consumption, you know, and those are more infrastructure services. When you think about cybersecurity, you're not thinking about that. You're thinking about sometimes, you know, governance risk, thinking about, you know, security incident response, threat, you know, response. Those are kind of the areas of cybersecurity that most people
think about. But identity is kind of like that mixture of it; it has more products within it. So managing a product life cycle, you are already doing more infrastructure-based services than strictly cyber. I was looking through your LinkedIn profile, doing a little sleuthing and saying who is this guy, Steven? I noticed you've spent some time consulting and we have a lot of consultants,
Jim and I are consultants ourselves, you know, that are listening, and I'm curious, what are some of the things that prepared you for your role? Because you also worked at Freddie Mac and you're at Discover now, but what are some of the things that you did as a consultant that really kind of prepared you for roles, we'll call it, in industry, right? Or civilian life maybe I might call it. No, no, I have a really good story about that.
I actually went from engineer, developer, architect, but I wanted to learn more about, you know, how to run a business. So if you look at it, my pathway went from big pharma, big retail. Then I jumped to a startup. After the startup, I spent a few years there and I understood how to run a business when there's less than 10 employees. You have to basically wear every hat when there's less than 10
employees. But then I went to Deloitte after that because I said, OK, I know I don't run a business, I'm learning it, but how do I articulate what it is that we need? Like, how do I get people to yes? My biggest mantra is I'm going to get you to yes. People say no by default. So as a consultant, the job is to understand how to do PowerPoints, how to do decks, and how to communicate the vision, the operating model, to the right audience.
That's the most important part, is to the right audience. And when you focus on that, you can basically sell anything. And I leverage that because now in financial services, everyone wants to say no. It's just, I mean, it's corporate America. It's easier to say no than to say yes, so. I kick them to, to yes by doing
one thing. If you tell me no, I say why, you give me data, I'll go back and use my consultant hat and craft another or a better story to come back to you and say, well, you said no because of A, B, C. I solved for that and then here's more data. Now do you say yes? And at some point in time in that iterative process, they are going to say yes or say, Steven, get the hell out of here. So. Stop bothering me, here you go. Just get it done. One more question I want to ask
you. I know we're going to talk about like user access reviews and, and maybe get some of that, but so there's a lot of people that I've known as wanting to get into IAM. What would be a word of advice that you have for people who are looking to get into IAM as just the start of their journey? Or maybe they're looking to pivot into IAM from some other field? That is one of my favorite questions, Jeff.
Let me tell you why. You can learn almost every other aspect of cybersecurity through a class, through a course, through some training, but you cannot learn IAM through a single entity at all. You have to be broad in your skills to do IAM. You have to know a little bit of, you know, operating systems, you have to know about directories, you have to know about networking, you have to know about firewalls. I mean, especially today,
everything is cloud based. If you don't understand a simple proxy, reverse proxy, how to open up a port, you're not going to do well here. Even things as simple as IdP configurations now from cloud to cloud, SaaS to SaaS, you have to be well versed in everything. So one of my favorite sayings is jack of all trades, master of none, but oftentimes better than a master of one. That, that creates an IAM professional.
You have to know a lot about a lot, but you don't got to be super deep in any one thing to be amazing in this field. Yeah, I really love that answer. I think what I would add to it is you mentioned a lot of the technical skills you need, but you also need to have business skills. You need to know things about human resources and how the business works. You have to at least be geared toward that to be really great at IAM.
I also thought it was funny when you were talking about consulting, you brought it back to how do you sell things? But no, how do you sell an idea? So that is pretty funny. And as Jeff mentioned, I'm going to drag you down the route of talking about user access reviews. But before that, when we were talking in the beginning of the show about the idea around device identity, it almost looked like you wanted to jump right into the conversation at that point. So I was wondering, did I, did I
see that right? And is there anything that you, you wanted to say or that you were chomping at the bit to say? Absolutely, I said this is their show, so let me be quiet and stay on mute until my time is up. However, now that I'm going to have the floor, I'll take it. But I think of device identity, it's, it's so important that we think about every device we have. I mean in my house alone, there's probably 6 or 7 Alexas, 8 to 10 series.
I mean every device has some type of access management component to it. But I like what you said, Jeff, about when you think of it, you think about the authentication piece. Well, what folks don't realize is every device is doing a form of authentication, a lot of it sometimes anonymous, a lot of it is some form of PKI, but it is
doing something or phoning home. And that's the part where it's tricky because most, most cyber professionals don't even use those, you know, home utilities, like they say Alexa is disabled, anything else. But in general, Jim, I think it's just device identity exists. We need to find a way to actually manage the life cycle just like we do human accounts and non-human accounts, you know. And it's only going to get to a point sooner than later where we just have objects, identity objects.
Everything is looked at through the lens of identity. And ironically, I'm going to use your pun, but yes, identity is at the center, the center of everything. I mean, identity is the front door. And what I say is, to a house, identity is the front door. But also when you go to each room, each lock on the door is
another layer of identity. And then over time we get to the point where as you're in your kitchen and just hanging around, you would have something doing a check on should you still be here? And is it still your own? Which is a deeper layer of identity. So it's, it's definitely at the center. Yeah, it's crazy. You hear identity is the new perimeter, then someone will say in the next sentence identity is the center. So it's like identity is everywhere.
Identity is the, the whole kit and caboodle. This could have been, that could have been the name of the podcast. That's too long for, that's too long for a URL, so just keep it at IDAC podcast. You can, you can use a TinyURL, Jeff. And you can use a TinyURL, sir. So. Security people don't like tiny URLs because you don't know where you're clicking on. We found that out early on where I was like, all right, we had to think. A sponsor gave us a TinyURL and I got so many emails about
security. Yeah, you should not use tiny URLs. Like, I understand, I get it, OK. Yeah, OK, here's a QR code. So OK, let's talk about user access reviews or what I've traditionally called recertification. I don't know if you even use that term, but user access reviews, you know, you see them used a lot in financial services and heavily regulated industries. I'd say 5-10 years ago, outside of heavily regulated industries, people questioned should I even do
this thing, right? The only reason financial services is doing it is because they have regulators making them do that. So one, is that true? And, you know, two, like where is the value? Is it just to be compliant with regulation or is there something more? Really good question, and I'm thinking now, I don't want to answer it positive or the way I already feel. Let's go positive first. So you are absolutely correct in terms of regulated environments, which of course is multiple industries.
There's a ton of value in user access reviews because it is both a detective and really a corrective type of control. At the end of the day it's done to say, hey, should Jeff and Jim still maintain this access? And if they shouldn't, let me create an action where I do an attestation and say nope, I want them out, and then some technology, some tool goes and removes them from that access. And for small and mid-sized companies, it works really well because there's not a lot of
bloat in small and mid-sized businesses. The larger the company is, the more job roles, and companies are really strong on RBAC. When I say RBAC, you know, role-based access control, the more RBAC you use, the larger your access role environment is going to be, the more access certifications, user access reviews, you have. Once you hit that threshold, now it becomes more of: is there value in this or is it just a checkbox activity?
So I have a person, I have people in multiple companies that have to attest or certify over 1,000 to 2,000 users. And sometimes it's twice a year, sometimes it's once a year, some things like privileged access maybe every quarter, depending on the standards or the requirements of the company. When you have to do something this frequently, if the user interface isn't smart, most people tend to just do a checkbox activity.
They say, you know what, we just got to blindly check it all because I don't have the time, the bandwidth or the understanding of what's needed. And when you think about that or kind of, you know, like tallying that out, if that's being done, let's say, 50% of the time, where's the value in it? But the value does come from the auditors, the regulators, because that's something that they can say, how do I trust that you're doing something? Something is always better than
nothing. I mean, we can all agree to that, but at least I have a name associated to a decision. And that's why the biggest value of user access reviews is you have a named resource making a decision on access. Regardless of how they made that decision, that certification is important. And that's needed because for a regulatory body, they can say, OK, 99% of these folks attested in the positive, great, 1% they're not. But all the access has been certified.
I can take that and support any action or decision the company needs to make. So it is, so that's the value in that, just overall. So you're kind enough and diplomatic enough to take the positive side. I'm going to take it down the negative side a little bit and see if you agree with me. Are user access reviews a reaction to poor life cycle
management? Meaning we have to do user access reviews because we just don't do a good job of cleaning up accounts and accesses that shouldn't be there after they're no longer needed. I did not know that question was coming, but I would say that that's a perfect segue to, to, to what my vision is in terms of what I've been designing for user access reviews. You are absolutely correct, Jeff, and I'll take the steps further.
The way that I think about this is the reason why they exist in general is because now your life cycle management is really the access chain, is how do I know that Jeff is using his access? So if you really think about it, let's give an example. If I say, hey Jim, you have access to application A, but I modified my standards, my requirements, to say a user should only have access to an application for 30 days. After 30 days, the access is automatically removed.
That means that Jim accessed the application day one. He gets in just fine. On day 32, he tries to access it, it says access denied. So that alone is great. But then it becomes a really poor user experience because now Jim has to go through a whole access request again. No one wants that. But in terms of, I mean, we're in 2025, we have so much tools out, so many tools out there that are
great. So let's add some orchestration, some IdPs into it and say on day 32, Jim goes to the application, the IdP says, nope, you don't have the right claim, the right access. However, it makes a call: was Jim approved to have this access previously? If that answer is yes, then they can actually go ahead and give Jim the access again, because the standard states it's only going to be good for 30 days. Because of that, that process makes it a great user experience.
Jim doesn't have to lose his access, but there's no standing permissions. Jim doesn't have the access more than he's needed. And if there's a need for a certification, then it's probably going to be empty because most people don't use applications, you know, day in and day out. They already don't. I mean, even an HR tool like Workday, which is really generic, almost every company has it. You use it maybe to do your goals or a check-in, right?
Like you're not using tools all the time. Steven, I wanted to ask you what you meant about UI, but I think that's going to be part of your answer to my different question, which is, you know, so Jeff and I are very fortunate. We get to go to a lot of conferences doing the podcast, a lot of vendors reach out to us. We see a lot of demonstrations of IGA products and the amount of innovation that's still
happening in the space. IGA, I mean, it's, it's been around for quite a long time, right? But people are continuing to innovate. I'd say, why is that? What are the innovations that to you are exciting, without getting into specific vendor names, right? Yeah. Yeah. No, no, no, no. I think that the biggest one is the use of AI, of course ML, right, at the end of the day. Let's go back to the example I said of the individual that had 1,000 access requests
he had to attest. Well, AI/ML now has the ability to go look at it and do some of the things I mentioned. Hey, when was the last time they used this access? Hey, did all their team members use the same access? So now we can have more smart IGA, more smart services to say, hey Jeff, of that 1,000, 750 are because of the team name, the team description, and they're all operations and support.
They should have that. You can then say, OK, I'm going to blanket approve that because those 750 I don't have to look at. Now you're down to 250, which is much more manageable. But then the AI/ML can do even more stuff and say, hey, only about 25 of these are privileged.
So now that 1,000 goes down to 25 and what you're doing now, hopefully, is saying, let me, you know, use a fine-tooth comb and go through those 25 each and hopefully remove accesses that shouldn't exist or just say, yes, they all should be
maintained. So that's really where the innovation is coming from, Jim. Yeah, I think, I think that's a, a huge innovation, is the AI. I also see back-end changes that are happening where it's like no longer are these IGA systems running on a relational SQL database, right? They're running big data platforms and allowing organizations to identify what is identity data to them, what is risk data to them, or data that can be part of the risk
story. So if you start to say not only what am I using, but what am I not using, that is of relevance, right? So if I don't look at the cafeteria menu, are you going to take the cafeteria menu away from me? Like what's the point? It's zero value. The value is I've got a very powerful role in a very important, risky system. Now let's challenge on something like that.
Well, you know, I've got to be able to draw the connectivity to that, that risk level, and that might be very specific to my organization. No, no, I would say it is, Jim. I like it. It is really well around. I love the construct of an identity data lake. And what I mean by that is we need to basically put all our identity data, access management data, access role data, request data, access change data. And you're right, SQL databases aren't always the best for that.
Some of the new graph kind of DBs are really good. But the whole point of this is now if I have to do something like give to a regulator, an auditor, they say, hey Steve, I want to know all the access that was provisioned for this application over the last six months. Well, right now I'm going through my tools and extracting reports and doing some pivot tables or some VLOOKUPs.
That's a lot of work. If we have all this in like a data lake, I can easily create a query to pull that data, but now I can also align and correlate it to an access request number, let's say a ServiceNow, that ServiceNow request, and then they can actually see that it was actually done and they can give the reason and the description all in one place.
So using that data from, let's say, a data lake, you can now pull not only the access request data, the life cycle management data, any fine-grained access, as well as any pre-existing certification data. All that is now combined in one location where you can do easy queries to extract that and make better fine-grained decisions on the actual real data. Yeah. So let me, let me ask this question. So obviously we talked about the AI and kind of like narrowing the focus on the important
decisions. Is that really also being driven in part by what we call identity fatigue? Just, you know, it winds up in a large organization where there's a few people who become, I don't want to use the term bottlenecks because it sounds so negative, but the idea that they wind up becoming the person who approves or disapproves a large amount of access, and really trying to tailor identity becomes an exercise so that they don't get overwhelmed and start
rubber stamping access. Is that kind of the driver in your mind? That's the largest driver. But I guess in addition to that, you also have identity, I call it identity hygiene. Most people do it now. It's the hygiene part that has been missing over the last decade. We all, even tools, products, vendors, startups, they all want to do the action. Let's make a better IGA. Let's make a better LCM, lifecycle
management. Let's make better tools and better products so we can sell the product. But what we forget is the cleanup is actually more important, because you can have one of the best products in the world, but if you keep on provisioning, keep on adding, and never clean up or remove, your actual audit data is poor because the hygiene is poor. And that means that now more people are doing requests, and guess what?
That leads to the fatigue, because now it's saying, I don't know why I'm approving this, but I've been doing it for seven years. There could be no one even using the application; it could be gone from the environment, and people can still be potentially approving that access because it's the name, you know, on the sheet that comes across every six months. You know, I've seen some scenarios where the access review with AI looks like this. So Steven, Jeff works for Steven.
Steven, here's the access that Jeff has. And then AI highlights 3 or 4 entitlements that, hey, you may really want to look at. So if you're Steven, you're only going to look at those three and ignore the rest, right? So why even show the rest? Is it because some organizations just say, hey, we have to check this box from a regulation and compliance standpoint, so we're going to show all 25? We all probably agree it's only
the three that matter. So, and I know I'm asking a super generalized question, it probably depends a little bit on the situation, but do you feel like that's something that regulators are going to push back on and say, no, sorry, the rule says you've got to review the access. So you need to look at all 25, and you can use AI to kind of point people, but you can't eliminate 22 of them. So really good question, and I
have a great answer for that. If you think about this, Jim, if you didn't change anything in the organization and you brought in a tool to do that, that would not pass an audit exam, it would not pass a regulatory exam, because even though it's better, and it's actually reducing more risk, and it's actually better hygiene, for most companies, the auditors, the regulators, their job is to validate what you have written in your standards and your requirements.
Think about it as like a soft skill. A lot of engineers and consultants like working the hard skills, the hands-on, the tangible skills. But even when it comes to things like access reviews, or just anything that's audit related, you have to focus on changing your actual requirements and your standards and your policies,
by changing that. If I just change the line, Jim, and say we're going to certify, multiple times a year, access that is determined through a systematic/AI generated method, the ones that need to be reviewed, then I can now use that, because the auditor, the regulator, has to look at what the requirement is for our organization. OK. So you have to kind of take that step-wise approach where you first change the policy and then you comply with your own policy. That makes sense to me.
You got it. Last thing I want to kind of explore when it comes to access reviews is, what is your advice for the practitioners out there who are maybe doing access reviews the old fashioned way, or let's call it IGA Gen 1? Are we really now at IGA Gen 2? Do you think if I wait a couple years, it's going to be dramatically better and I should sit around and, you know, watch what happens in the market, or,
yeah, what are your thoughts? I would say the last conference I went to a few months ago, there were two complete rows of just IGA startups and vendors. And even though to me that seems like it's overkill, it actually gives us hope, because that means people are now invested heavily in doing this. Not the best, but doing it in a way that is modernized and
that's more efficient. So at some point in time, having access to the data is going to translate into leveraging tools/processes to be able to make better decisions. So right now we say IGA 1 is the normal access certifications. IGA 2, we're going to skip Gen 2, V2, because right now V2 is adding AI/ML into it, but it's still in its early stages. The next generation is going to have that more hard and fast. I guess it's going to be modernized, it's going to be
tested. But even the vendors have to understand it can't just be about the technology. You have to look at it as, how can you approach some of these regulatory bodies and these compliance bodies and say, hey, will you be OK if our solution shows you this? Because that's how you really get to the next level; companies can't just say let's have the best product, because it has to be the best product that can comply with whatever regulations are out there. Well, I think the best product
is what you can afford. Also, I think there's an underserved market for IGA, where you've got the big behemoths, and we all know who those people are, those companies. There's a lot of companies that can't afford those types of things, and there's a lot of good IGA, or, you know, sometimes they're called IGA-lite vendors, that are also helpful. But even those vendors, I'm seeing kind of what their pricing has been, and it's there.
There isn't a fine, there isn't much of a financial benefit to just say, OK, well, for, you know, 10% more, 15% more, whatever the number is, right, I'm just making them up, I can go with a tried and true, you know, established, you know, world class, you know, partner of this. Or do I gamble on something that nobody's ever used before, and they might have a great product, but trying to get in the door without references, without a track record.
I feel like in that case, and I'm focused mostly on small to mid-sized businesses, they don't have the money to afford, you know, an upper-right Gartner quadrant for the most part, unless they are heavily regulated, or maybe they've had an impact, you know, an incident or something like that, right, where they have to do something about it. Does that make sense? It makes sense. I want to chime in on something that Jim said: how do the current practitioners do this?
In most SMBs, a lot of people do this with just spreadsheets today. So let's talk about tools. Spreadsheets today are easy, some of the easiest ways to go ahead and say, hey, I've done my access certification, because depending on the volume, if it's only, say, 50 people in a company, you can do that for
these. Now most, let's say, financial companies, or companies that have compliance, say PCI as an example, PCI 4.0, you know, really was published and came out like last year, but it goes into effect starting this year. There's a requirement about service accounts, not only my identities having to be kind of certified. Most IGA tools today don't really do service accounts or non-human identities.
Well, like, they're not, because it's not as simple as just pulling from an existing, you know, lifecycle management tool and it's showing on the screen, hey, accounts, entitlements. So because of PCI 4, more companies are trying now to get into service account or non-human identity certifications. And it's driven because now PCI is saying you have to do this. So sometimes the regulations and the regulators kind of help lead and define where the industry is going.
And that's a very positive thing. That's a great point. Yeah, I mean, there's a lot to unpack there, and I think I want to try and take advantage of your big brain when it comes to this stuff. So we have a listener out in the western part of the US, Bert, and he and I were trading a couple of messages on LinkedIn, and he wanted us to do a podcast on how in-scope companies can
comply with NYDFS. And I'll explain in a second, because one of their IAM requirements is to periodically, but at a minimum annually, review all user access privileges and remove or disable accounts and access that are no longer necessary. So first of all, let me explain NYDFS, because we have people around the world, and people may not
be familiar with that. NYDFS is the New York Department of Financial Services, and they have a cybersecurity requirement for financial services companies that operate in the state of New York, where they have to have a cybersecurity program and certain controls to, you know, maintain confidentiality, integrity, availability, right, all those types of stuff. And of course, if there's a cybersecurity regulation, there are IAM components, and one of those is this idea of doing user
access reviews. So I want to bring this back to you, because obviously, you know, this is something that's probably near and dear to your heart: can you talk about NYDFS and specifically the user access review component of that? How should financial services firms be looking at how to comply with that? What should we be looking at? What should we be certifying? What should we not be certifying? And are there any gotchas, or tips and tricks that you might have?
No, absolutely. So NYDFS, I've worked for a few companies that have been in scope for that, but I'll make it a little bit broader for, like, the entire audience. I mean, think about NYDFS, think about the Federal Reserve Board, FDIC, you can think about even SOX, you know, SOX compliance, SOC 1 compliance. They all have these similar
requirements. And sometimes the best way that I tell people, to kind of point them, is if you have a security program aligned with the NIST Cybersecurity Framework, you're naturally going to be 99% aligned to everything else, to whatever regulatory bodies, because most of the bodies pull from things like NIST, I mean, other frameworks as well.
But the NIST CSF, Cybersecurity Framework, especially that 2.0, is where a lot of the government cybersecurity programs, the NYDFS and others, are pulling from. And the really important part of access reviews, from NYDFS or anyone else, is really defining what is the scope of the access review, meaning, where you were heading, Jim mentioned earlier, something like Adobe or something like that. Do I want to attest or certify Adobe Acrobat Reader? What's the value of something like that?
You know, it's just a product that most people have. Chrome, I mean, web browsers, is there really value in it? Now, a financial SOX tool, there's a ton of value in attesting there. The problem in the industry is this: everyone has not scoped out the applications or the access that truly require it. So a regulatory body or an internal auditor, all they can do is say, show me everything. And that's the biggest issue.
Without having that scope clearly defined, you have to produce everything, because, and it does make sense, it's like, if you can't tell me exactly what's in scope, I have to see everything. I like that idea of scoping, because I do see that as an issue. I think one of the main things to consider in this might be non-public information, right? Who cares about the stuff that is public? It's public while you're reviewing that access.
But I think one of the areas that maybe helps fine tune, right, what you should be looking at, are what are the things that are not public? And then from the non-public information, what are things that do carry the risk factors that might be associated with either data breach or, you know, maybe it's transmission of that data, obviously customer data, or,
you know, things like that. I love that idea of getting your scope right, because if you don't have the scope right, it's like you said before, you know, my experience, auditors, they're just checking what you said you're going to do. And if you haven't written your policy or your standard or whatever it is that you do, you know, to articulate that, and you leave it open to interpretation, that's where you
get into trouble. So I think if you craft very well defined policies, standards and processes around what we are looking at, you know, and try to leave as few argument points as possible that someone can go against, you'll be in a much better position. Does that make sense? No, it makes a lot of sense, and even more so, there is so much value in taking the time to architect and design the processes for a program, for an identity program.
And what I mean by that is I'm teaching my own organization, my team: don't just look for technology to solve the problem. Create a process that you want to solve for, and then you can look to see, do you need technology or do you just need, you know, people? Like, not everything is solved by having just a big hammer, you know. But we bought IGA, it's going to solve all our problems. If that was the case, the world would
be in a better place. And I haven't talked to any regulators or auditors in my life, unfortunately, who like automation. I mean, we always have some automation, and we've got scripting languages, and we can do all these wonderful things. Even when you give it to them, the next question is, well, how do I know this is complete and accurate? And it's like, oh. So at the end of the day, trying to be fancy with the regulators and the auditors does not work.
It's simply giving them your scope and saying, this is what we're doing for our scope. Now they could always argue all their points, right? You should be looking to start thinking, OK, well, that's a different discussion now. It's not what we're looking at, it's what else should we be looking at? Which is probably a better position to be in. I guess I've had to write management responses in the past. They're not fun. Oh no, no, they are not at all.
And at some point the world and the industry and everyone is going to start shifting to automation and AI and all these, you know, cool tools that are still relatively cutting edge for a lot of organizations. And auditors are going to be like, you know, the policy or the configuration is going to be, all right, well, we do this through our IGA platform and it's all automated. At some point, the auditors are probably going to ask more questions around, how is the
product configured? What are the configurations or policies that you've set up within the actual tools? Do you have any thoughts or guidance on how you might want to address that in the future for people who are listening? Yeah, one of the first things is you have to make sure that you train your auditors. And I know that sounds kind of funny, but at the end of the day, it's absolutely true.
It's a choice. How much time do you want to spend every cycle teaching them about what you're doing? But even things, I mean, we all know that policy based access control is probably the best thing, but it's so challenging and difficult to get to policy based access control no matter what tools exist, no matter how much you try, because RBAC is
just easier. I mean, RBAC is just easy, you know; even attribute based access control, ABAC, even ABAC is a little bit easier, you know. But when it comes to policy based, that is where it's going. And once we can tie together that a policy is almost its own requirement, and that requirement can be tied to a standard, then the auditors can actually start to take that, because they can easily correlate and tie: this policy here is referenced in this standard or policy.
And I can actually control and validate that myself. So we need to get there, and the way automation is going to work is that we actually get to the point where they can trust the policy. But that also requires a lot of training and teaching to let them know how this actually works. It's interesting you said RBAC and ABAC are easier. I think they're easier to explain to people. To actually be successful in managing them, to get the results that you want,
I don't know that it's easier. Yeah, I know, I would agree with that. I would say that it's the name, you know, like everyone understands RBAC. And most people who call me to do an assessment, they always say, oh yeah, we can talk about, you know, the best
RBAC model to use. And whenever someone says RBAC model to me in the last 2-3 years, I kind of go in with trepidation, like, are you telling me that the RBAC that they use right now, with this whole cloud-size base, just in time, no standing permissions, are you sure you want to go in there? It's hard. I think there's a lot of companies who wish they were RBAC, and there's a lot of companies that are RBAC and wish maybe they hadn't gone on the RBAC route. It's difficult to do.
It's why I typically will encourage organizations that are starting on that road to maybe focus on attribute based access control, because they feel it's a little bit more of a hill versus a mountain. It still requires good data, right? And the idea is, like, throughout any of these access control models, whatever they are, you still need data to drive that. And I feel like most organizations, even if it's just basic attribute based access control, is the person an
employee or not? That might be, you know, that might be as granular as you can get based on the data. But hey, at least it's something, and you start working with your business partners on the HR side, right? Hey, if we got this data, we could do this thing, right? And I think it's funny, you mentioned training auditors, and I think that is the importance of establishing relationships with other groups, right? If you have a good relationship with your auditors,
they can be advocates for you. I think a lot of times they come in as the enemy to some degree. But if they understand how you're operating and you've trained them, you've educated them on, look, here's what we're doing, and you actually engage them in a proactive way and say, hey, here's what we're doing, what am I missing? You're going to audit me, tell me what I need to be looking for, help me out here.
Their job isn't really to get you into trouble, because most likely, especially in the bigger organization, and feel free to correct me, am I wrong, you have an internal audit team that does like an internal check, and then the external auditors come in, and those are the ones you want to be very concerned about. So almost like a catch before the real audit comes through. That makes sense.
Absolutely, no. I tell everyone this: internal audit, which we call the third line of defense, their job is to be independent, but their job is the same job as first line of defense, which is normally us, which is to protect the company, period. You know, when we look at them as the bad cops, for example, we're not getting the best out of the partnership. Yes, we can't share everything, because they have to still maintain independence, and that's
important. Now the external auditors just come in with industry best practices in the checkbox and say, we need to see, are you doing A, B, C, D, E and F? And they're showing me that you're doing A, B, C, D, E. So you really can't build relationships with external auditors as much, where your internal audit program is there to protect the company for the same reason as you are. Well, I appreciate you spending time with us. I think there's so much going on here.
And you know, this is one of those things where I wouldn't say it's a sexy part of IAM, but it's a necessary part. It's plumbing. I guess how sexy it is is based on the UI maybe you've created, you know, maybe that can have, you know, some bells and whistles on it. But I really appreciate you spending time with us. I want to end the show on a lighter note. We were talking, and I just kind of sprung this before we hit record here.
You mentioned that you are, you know, you're definitely into fitness. You mentioned things like Tough Mudder, Spartan races, Peloton, you know, working out. Obviously, you and Jim can probably go on about this for about an hour. I'll just kind of, you know, nod politely and stare at my Peloton Row that's over here that has been collecting dust. Tell me about Tough Mudder and Spartan races and all these things that you're doing just to
sort of stay fit. And I guess explain them in a way, like, OK, not everyone may be familiar with what these are. Explain for people that aren't familiar what a Tough Mudder is, for example. So I'll get there. I want to talk about the why behind it. The why is, when you run large organizations or just have a lot of work, cybersecurity is stressful. I don't care what anyone says, it is stressful, it is a lot of work, and we all need a reprieve.
So we deal with that in different ways, you know; healthy ways are working out like crazy. You know, other ways are drinking. I mean, whatever floats your boat. But at the end of the day, I got into physical fitness about five years ago. The doctor was like, you have to want to make a change, Steven, or you're not going to be around. So I said, let me go all the way in and make a change. But the Tough Mudder is an
obstacle course based race. You know, my first one we did 3.1 miles, like a 5K. But next we're doing one in April which is 15K. So you're close to 10 miles roughly, and it's about 25 obstacles. And when I say that, it's called Tough Mudder; half the obstacles require some form of mud or water. But when you already have mud and you go into a pool of water, it will become muddy. But it's fun, because it's not just a race. You've got to work as a team, as a
group. And I think the reason I love it so much is that it's about 10 to 15 of us who do it together. And it's not about who can win, because some of the races, or some of the obstacles, you have to use 3-4 people to form a base, then two people have to climb on top of them, then the one person has to climb on top of all of them, and then you've got to pull each one up as well.
So it really is more teamwork, building that camaraderie, and most of my workout partners, we all met during COVID on Peloton. So during COVID, no one was at gyms, and we just used the Peloton as a way to engage, interact, you know, Facebook groups. And we said when it was over, hey, let's meet up in real life and do some physical activities. I love that.
And you mentioned you've got the whole Peloton armada between the Row, the Bike, the Tread. Which is your favorite of those three? Because I've only used the Bike and the Row. So the Tread is my favorite, but any of the machines are great. But I have such a competitive spirit that the reason why I like Peloton is because of the one thing, the leaderboard. And some days I wake up and say I'm going to have a low impact day, and I'll get on the bike,
or get on the tread. I do a nice jog, and someone will high five me, and, like, they're right next to me, but they're below me in terms of, like, the output, but then they'll high five me and then pass me. And my gut feeling is, is that intentional? Like, I'm fine. That's like, peace, dude, I'm flying past you. I'm like, I'm fine too. So when I see that, Jeff, it's like, here we go, now turn everything up, take the shirt
off, and now I'm just running. Now I'm like, OK, let me get to the six minute mile and let me see how long I go with this, and we're out. I love that. What is your favorite and least favorite Tough Mudder obstacle? The ice, the ice bucket, or the ice pool, is probably my least favorite. OK, what is that? So, you remember the ice bucket challenge from a few years ago?
It's basically a bucket of ice, or even going into, like, an ice bath; it's basically two ice baths put together, and you've got to go underneath two walls inside of the ice bath. So you literally have to climb inside and then go under the water. So it's all ice, and you've got to come up and then go under it again and come up. And this is normally at the end of the race. So you're already muddy. I mean, some people say, well, it's cleaning you up. No, I can
think of better ways to get clean than 0°. And what happens right after that is the electrical shock. So it's like a whole lot of strings of just electrified, you know, tape, and you've got to then go through that, and you just came out of the ice bath. So yeah, that is not the best part. I think there was one obstacle that was fun. It was huge tree logs, and they had, like, little notches in it, complete mud, and you have to literally throw your body up or try to jump and grab on.
And it reminded me of when I was young. I used to watch, what is it, American Gladiators, and just that show, how we wanted to do things like that, and you're trying to, like, climb over, you know, like those rollers in American Gladiators. So I always think that I'm back in the 90s and 2000s watching American Gladiators and going crazy. Jim, I know you work out. Jim, I've known you for what, nine years, 10 years, something like
that. And ever since I've known you, you are religious about your workouts every day. I don't know if you've ever done a Tough Mudder. Is that something you would do? It's not. So it's so funny, when I was listening to Steven talk about why he started, how he started, it felt like he was telling my story. But I've been at this probably 15 years. So, exact same thing. You know, I'd be in this stressful world of IT and InfoSec, and at the end of the day, like, I
had to wind down. So it'd be a couple beers or something, and then you just start to realize, like, that's not good for you. So I started running, and, you know, I worked my way all the way up to doing marathons. It didn't take really that long, maybe a year, from going from, you know, having a few beers after work to, I'm just going to go run for a couple hours. And what a stress reliever.
I did wind up hurting my back running, and I started doing more, like, cross training and trying to build up strength in my core. What I realized was you get these really powerful calves from running, but it doesn't necessarily build a strong core. So I started building my core, and that led to more or less, like, bodybuilding style workouts. And I love being strong. I love seeing muscle on my body. It makes me eat better.
And you know, I truly used to do it because, like, I liked looking better; it made me feel better about myself. Now I just do it because it's like it's my stress relief. It's my outlet, and I don't know how I would deal with stress without it. So yeah, it's a very similar story to Steven. But why I couldn't see myself doing, like, Tough Mudder or something similar is, like, in my old age, I've kind of realized, like, I can only do what I
do if I don't get hurt. So if I do something that's going to risk injury, it doesn't mean you're going to get injured. But you know, when I hear about people doing things that are, you know, prone to injury, like doing, like, deadlifting heavy weight and stuff, like jumping at a muddy tree log and trying to hang on, that kind of stuff, I'm like, yeah, well, what if I slip a disc or something and I'm, you know, out of the gym for six months? I'm not going to do that.
So, you know, yeah, it's, like, super risk averse, but that's kind of the reason I don't do things that are risky like that. But that makes a lot of sense, Jim. I mean, one other thing that I thought about as you were speaking, Jim, is I also work out about two hours a day, because my vice is a grilled
cheese and French fries. So in order for me to maintain, when I'm traveling, to have some fries when I want, I have to make sure that I work out. But my 19 year old daughter says this about me. She says my dad has two extremes. He's got the kids menu guy, grilled cheese and fries, or he's like an A5 Wagyu steak guy. And I said, I mean, she's not wrong, but it is like, hey, I can go eat at any restaurant, there's a kids menu, or I can go to a nice steakhouse and enjoy myself as well.
That's actually... So now you're talking Jeff's talk. Yeah, now you've got me interested. All right, describe your perfect grilled cheese. What's the right cheese for a Steven Washington grilled cheese sandwich, and the bread too? So sourdough bread, first and foremost. I'm with you. And now, no cheese is better than American. However, as we get older, I realize American probably isn't really cheese, but I'll save that for a different show.
OK, so cheddar, white cheddar. I also like Gouda. I like some Swiss and mozzarella, so it's a crazy combination. But if I want to do one, it's, like, the white cheddar. But I also enjoy Gouda cheese, which is kind of odd because it's a more smoky flavor as well. But sometimes I buy sourdough bread, and just the cheddar cheese combination is great. And some restaurants, like Melt, are really awesome.
Even though it had too much butter, I think they had, like, a whole stick of butter for one sandwich. But when you work out for two hours, you can do that. You've got a little leeway there. I'm with you on the sourdough. I think sourdough is fantastic. I am an American and pepper jack mix, because I want a little bit of a spice to it. Not crazy, but enough there. And I'll never turn down ham or
bacon or something like that. But what I like is when we press the sandwich as thin as possible, like almost in between, like, not a panini, but, like, pressed, and man, I can put those away. No, no, Jeff. OK, so now I've got to add this. My best thing is when I say I've been fasting, because I do intermittent fasting as well. So when I eat, I eat a ton, and sometimes, like, I want some bread, so I get 3 slices of bread, lay multiple layers of cheese between each one, some ham.
And then I really will have a press. Not a convenient one, but it's, like, a cast iron press that I just put down on top of the skillet, and I just push that down. And it's the best, most unhealthy thing potentially in the world. So good. But it's so good. All right, we're going to wrap up Grilled Cheese at the Center for this week. Steven, you've been so great with your time. Really appreciate it.
Looking forward to maybe giving you an official fist bump of gratitude for being on the show at a conference at some time in the future. I'll have your LinkedIn profile as well in our show notes, if that's OK. People can reach out with questions or grilled cheese recipes or whatever it may be. And then Jim, you and I will be
on the web as usual, idacpodcast.com; connect with us. If you're listening to this, go on over to our YouTube channel, hit that like and subscribe button, that's helping us grow, and appreciate you sharing with friends or enemies. We don't care. Whoever listens, as long as they like and subscribe, I don't care. So with that, we'll go ahead and leave it for this week. Thanks everyone for watching and/or listening, and we'll talk with you all in the next one.
You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.
