¶ Introduction to Mission-Critical Identity
Every second that when you hit that button on the app to say start my vehicle, unlock my door, call for help, right, whatever it may be. That is all mission critical things where you cannot have identity be the slowest link in the chain. How do you tackle speed when it comes to make it secure but make it fast?
Yeah, that's, that's part of the process of bringing things to production to make sure that you have the, the performance, the response, the, the, the, the least latency involved when making. So there's in all of the best practices that need to be brought to bear when it comes to
edge computing, right? To be able to make calls to an API services layer that can respond and, and recognize that a a user is authenticated and have authenticated with MFA and that we can process this request versus yeah, this doesn't look right. Let's reject the request. Let's cancel this session because they've been compromised, right? We get a threat signal that says that the user may be compromised, right. So those are things that have to be taken into account.
But yeah, at our scale and, and to be able to have a response time when you start your vehicle of a couple of seconds is, is something that is, I think it's the highest level of distributed system engineering at our level that to be able to get that done. And it's there's a lot involved.
Like you just said, there's, there's so many systems, so many interactions that happen that the customer never sees right, but that we have to get involved with to make sure there's policies that get touched, that get triggered so many points along the way.
This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman.
¶ Welcome to the Identity at the Center Podcast
Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Good guess what I'm thinking about but. Yeah, I mean. Wrong. Wrong. This is a safe-for-work podcast, so I don't know, what are you thinking about?
¶ The Value of IDPro Membership
Well, I was thinking about IDPro. I was on, you know, I was in the Slack channel and it's just so full of treasures. So I was just scrolling through the general post and Hannah Souter had a post out there that was about demonstration of proof of possession. I'd never really read up on that. And someone posted an article that broke it down into like the 101 level. And I was like this. This is why I'm a member of IDPro.
And I would encourage anybody who's listening to this podcast, either you found the wrong podcast or you should be a member of IDPro. Yeah, it's worth the I think it's, I think it's 150 bucks and it is well worth it just for the Slack channels alone. But you get so much more with it too, right? You get access to a bunch of resources and just cool people, nice people, friendly people. This is why I like the identity space.
But yeah, big fan of IDPro. There's also, I think it got posted maybe in the last couple days or so, there are some board positions open up. So for people who aren't aware, that's something, if they're interested in giving back, there is, I'm not sure how many one, maybe 2 board spots open, but go check out the IDPro website if that's something you're interested. And then of course IDPro has a big presence of things like Identiverse and so forth.
Yeah, I mean, they're they're dedicated to the education within the industry. I would also say it's like, you know, Hannah made that post. She's a very advanced identity practitioner. Anybody sitting out there listening is like, yeah, I, I don't even know what that is. And feeling intimidated. You could be a total beginner first year or two in the industry and post a question. Nobody's going to judge you negatively. You can be a total expert and I do just not have had the
experience on that. That's fine too. Yeah, yeah. I found myself posting questions sometimes the I wonder if people are going to think this is a dumb question, but I shouldn't have that thought because I don't think people look at it that way. They're excited. People are excited if they have an opportunity to kind of give back and respond to some of those questions. Yeah. I mean, look, yeah, This is why I got into consulting was when I was in, you know, the real world of IAM.
You really only know what you work on, and the opportunity to get into other areas that your organization doesn't do is generally not going to happen. So there are lots of people who are focused, like, for example, IGA, privileged access management. Maybe they're just authentication they work at just in Microsoft, right? There's so much to learn, so much to know. You will never know it all. Jim, you and I have been doing this for what, 20, 25 years each. Our guests have been doing it
for a long time. There's just too much to learn at any, you know, at a very expert level. It's very difficult to do. Plus, there's always something new coming up. I mean, remember when self sovereign identity was like the thing that was going to change the world? Still waiting for it, you know, a couple years later, but there's always something new coming up. Now you've got AI that's going
to change things. So ask the questions, go research it, and you'll find that IDPro Slack channel is an awesome place to get answers. The IDPro Slack channel and then this podcast, because a lot of times when you brought up the that that topic, we a lot of times get guests on, you know, say David Motti or something and he'll talk about something like machine identities. It's like, yeah, nobody's
talking about that. Two years later, it's like everybody's talking about machine identities and not human identities. And so, you know, we keep pushing ourselves, like, all right, let's bring a guest on who's going to talk about something that we don't know a whole lot about, but we're good at asking questions. Yeah, I mean, you can explain that to to us, to dummies, hopefully other people who are way smarter than us and pick it up over audio or video from a podcast standpoint.
Exactly. You know another great source here. Here's my tricky lead. And another great source for learning is conferences.
¶ Upcoming Conferences and Discount Codes
We happen to have discount codes galore. Yeah, that that was a pro segue, I got to say. So yeah, conferences, we've got a bunch of them. The one that is coming up next is going to be London, the Gartner IAM Summit there. So that's March 24th and 25th. If you use the code IDAC 425, that will save you 425. I think we settled on EUR 425 of some currency off of that. But that's a great one to go with time, especially, you know, for for folks that are maybe in the London area or maybe Europe
at large. We won't be there, but we will probably be at the one later this year in the US. I have to imagine we've kind of gone for the last several years, but they were nice enough to extend that. So we're passing along. And you don't have to remember any of these. They'll always be on our website. If you go to idacpodcast.com and just scroll down, you'll see all the different conference discounts that we've got or any other things we have going on. I kind of fight there real
easily. So there's that one and then the one you and I are pretty excited about. Yeah, this is Berlin. I just booked my flight yesterday, or maybe it was the day before. So May 6th to the 9th, It's in Berlin, it's the KuppingerCole European Identity and Cloud Conference. If you use the code ID AC25 MKO you get 25% off. So Jim, you and I are going to be there very excited. All I have booked right now is a flight into Germany and a hotel.
I have not yet figured out what I'm going to do after that. My wife and I are still kind of planning post Berlin but I'm excited to be out there for the first time. Never actually been in Germany other than the Frankfurt Airport on my way to China. India so. Yeah, and getting outside of the airport will be great. Yes. Yes, I will.
And I'm going the week before, I'm going to be in Oslo the week before and we're doing an identity beer and already have at least four people signed up for that and hopefully that list extends further. So if you're a practitioner involved in identity in some way or at least interested enough to listen to this podcast, and you can be in Oslo the week before or live there, reach out to me on LinkedIn and love to get you involved in that identity beer. Yeah, We haven't picked the
exact date yet. Those are all I, I have. I don't think I've ever been to one. But you'll be out there touring the countryside, beer identity, beer in hand, I guess. I had a couple people reach out to me on LinkedIn, you know, graciously being, you know, offering to like show me around and things like that. I don't know where I will end up yet. So I apologize if I don't get back to everybody or if I don't
hit your city. There's just too much to do in in one week that I have between Berlin and trying to trying to get back to the US. So. Hopefully this isn't the last time we go to. No, I think hopefully we can turn this into an annual pilgrimage or something, maybe for IDAC to head out to to the KuppingerCole conference. After that's done, vacation a little bit and then Las Vegas for Identiverse, that one is June 3rd to the 6th. Again, you and I are going to be
doing some stuff there. I don't think we're quite ready to announce some of the fun things we've got lined up, but we're still coordinating on how that exactly will work. But it will be a very fun, another type of thing that we have done in the past that we're excited to bring to Identiverse. I'll just leave it there. Probably not a probably not very good. I, I, I probably didn't obfuscate that enough. So people will be able to figure
that out. But June 3rd to 6th, IDV 25-I D AC25, 25 percent off and you'll be able to take advantage of that. And that's, and that stacks up the discounts as well. So you definitely want to take a look at that. Yeah. So, Jeff, between those two conferences, are you going to get any work done this summer? I have to because I have clients so they're going to be expecting work to get done. So yeah, I will be working things in between editing, broadcasting, publishing,
working, all that good stuff. And hopefully I'll be able to unplug a little bit and while I'm in Europe to to check out the sites. Exactly. Yeah, enjoy yourself a little bit for sure. Yeah. The other thing that we wanted to mention was we don't have the discount code for it yet, but we've been going to the FIDO Authenticate conference for I don't know what is it in three or four years now in a row. And we've been doing something there, will probably do
something again this year. We just haven't gotten that far with our planning yet. The conference is in October, but if you want to be a speaker, if you have an idea for a paper to submit to present on, that deadline's coming up. March 3rd, 2025 is the deadline. Go to authenticatecon.com. We can figure out the navigation then to submit a paper, and I would definitely recommend that. I think our discount code's usually pretty good, but I don't think speakers have to pay to
get into the conference town. But if I say that and that's not true. Andrew's probably like shaking his fist at the at the radio right now. Oh yeah, yeah, he's turn up the heart if you're listening and to turn apart and stop listening to this. So no. But if you're interested in presenting our, that's the deadline. OK, that's enough babbling from us again. Check out the website that'll have the discount codes. I'm excited to welcome our guests on.
¶ Introducing Andrew Cameron from General Motors
He has been in the identity space for a very long time. He is Andrew Cameron, he's a technical fellow in identity and access management at General Motors. And before we go any further, Andrew, I don't want to say hi yet. I got to make a disclaimer, right? These are your views. The views expressed on this podcast by Andrew are his and not General Motors. So we're going to make that very clear. So I'm I'm going to swear you in Andrew, do you agree? No, that's fine.
Yes, I agree 100%. Welcome officially Andrew to the show. We're very excited to have you here. Gentlemen, I am honored and privileged. You can't be in the identity industry and not know about this podcast, and so I'm excited to be here. Well, we're happy to have you here. People still discover it. So you know that's it's always great when you have new listeners and new guests on the show.
¶ Andrew Cameron's Journey in Identity
We have tradition. First time anyone comes on the show, we ask them for their identity background. You've been doing this for a long time, not to age you, right, but you've been doing this for a long time. Tell us something about how you got into the identity space. Was it something that you chose or did it choose you? I feel like it chose me. I started off in app dev, you know, doing all of the early Microsoft development
technologies. And even in my early years at at GM, I was a application architect that I was my primary responsibility and one of my early roles was an, an architect lead on the deployment of an, a, our employee portal, right? So this is a pretty massive undertaking, you know, hundreds of thousands employees. This is going to be the face of of IT for our employee population, right?
And so there was a lot of effort that went into not only kind of what was built around in the portal, but we also position this portal to be in a way to access applications in throughout the enterprise, right? And so where most of the discussions ended up happening was, well, how do we secure access to application A once somebody logs into the portal, right?
And so that typically always involved LDAP directories, access control list and all of those legacy ways of securing things that we did back in the early 2000s. And so I being involved in that so much, I ended up being on a directory team, right? And so we were known as the LDAP team and, and our big deal was to socialize SSO across the enterprise, right? That was actually a thing in the
early days. And so that really kind of kicked off my, my learnings around identity and I ended up meeting, you know, all the luminaries that guys that have been on this podcast previously. I mean, I remember we were deploying a product called OpenSSO in the in the early years, that was a Sun product. And we had a trainer come in and train us on, on how to deploy OpenSSO. And that trainer was Allan Foster, right? And that's, that's a guy that you guys had on not too long
ago. And, you know, those are relationships that have endured over the past 20 years, right? People, folks like Ian Glazer, somebody who's been on 100 times on this podcast that have helped kind of guide me in terms of being embraced in the community. And, and, and when things like IDPro came along and there, you know, you guys promoted IDPro and, and, and Jim's example is, is 100% accurate in terms of the
value. Because you know, it's typically you don't have that kind of an engaged community to be able to bring issues and topics to and be able to get that kind of rich response, right. Typically, you know, out on the Internet, you're just a dog, right? So it, it's, it's really great to see how IDPro and the community has grown in, in the years that since it's been
created. And you know, I've been privileged to be part of it, privileged to be around this community for so long because it's something that's it's giving me a career, it's giving me a focus. So you've been in this game for a while. How many years do you or how many rings on the tree do you want to claim as being an identity? Yeah, 20 years this year actually. So I don't know if there's any kind of celebration that I have planned, but it's, it's really interesting to see how things
have evolved. Because when we were early on, it was, you know, we were trying literally to go to other organizations within GM just to get them to on board to our enterprise LDAP environment, right? Like we, we didn't even own Active Directory, right? It was come to our enterprise LDAP environment and we can give you single sign on, right? And then the amount of time that went into debating things like password strength, it seems silly now, right? We were, we're heading into
actually passwordless, right? We're, we're literally rolling out passwordless capabilities today. And so to think of how far we've come from a lot of the things that started off that kind of was the foundation of the identity and access management discipline. You know, some things haven't changed as much as they need to. I think IGA is somewhere that is, is kind of begging for some, some innovation, I think, but there have been a lot of other
exciting areas. Customer identity is one area that I've seen a lot of innovation and a lot of definition and then that aspect of the market in recent years. And so yeah, it, it's just, you know, 20 years in, still passionate about it, still excited about it. So we're we're really looking forward to it.
¶ The Evolution of Identity Standards
Is there something that you kind of look back and say that was a game changer for identity? Is it something like, it could be something as simple, I don't know if it's simple, but hey, we've got standards now, SAML, OpenID Connect or you know, whatever before that, or maybe it was the advent of single sign on. Is there something that you might in your mind that like jumps out? It's like, oh, like that's that's it. I think what really kicked the things off was the adoption of
standards. I think things early on like the adoption of SAML and eventually OAuth and OpenID Connect. Really, because that was, you know, most companies want to, you know, align on that and then, you know, everyone interacts with other companies in some way or another. And that gave you a language, it gave you a protocol on how you could allow external parties to come and authenticate to your enterprise and give them access to things.
Right. And so we started really early on in a partnership with Sun and Microsoft where we were evolving the SAML standard early on. And then we just we promoted the fact that we were part of the Liberty Alliance and then we were, you know, promoting what, you know, making products from Sun and Microsoft work. And this is in 2007, 2008, right, where that kind of thing was relatively unheard of.
So, you know, those are things early on, I think the adoption of standards and, and, and the fact that standards like SAML and OAuth and OpenID Connect have really endured, right? And, and that's what's so exciting about things like passkeys where, you know, that has gotten industry adoption at a rate that that we haven't really seen before, right?
It seemed like it was probably a year or two where we started hearing about passkeys to everyone is supporting it, all the big names are supporting it. And now you know, we're as implementers, we're really trying to catch up to kind of bring that feature set and to bring the all of the goodness of what passkeys are to our to our users and our customers.
¶ Adopting Passwordless Authentication at GM
So I know GM is, you know, obviously a very big company and I've always been curious about this adoption of passkeys because they feel like the groundwork was laid a couple years ago. But just because it's like, hey, we had this new thing. It takes time to adopt those sorts of things and get them into plans, etcetera. What was it that was like, OK, now is the time where GM is looking at this and say, hey, let's do let's do passkeys.
What was the the key to that? A desire to get away from passwords. Just an overall recognition. We had adopted kind of zero trust principles and practices formally probably 3 years ago. And the desire to move the authentication level to kind of raise the floor in terms of authentication levels that we would be willing to accept to do things like privileged operations is really, kind of really what kicked things off. And to be perfectly honest,
passkeys present a user experience benefit that we really haven't seen to this point, right? So you're being able to move away from passwords to kind of increase that? That base level of security when we're accessing things within the enterprise and you make everybody happy by not having to enter passwords, not having to do, you know, less secure MFA steps as a second action to get access to things really ends up being pretty much a, a, a win
overall. There's there's effort to get there and there's a lot of kind of turning of the battleship when you're dealing with enterprises of our size in order to not only get users configured and set up correctly so they can take advantage of the stronger authentication methods.
But there's a, there's a lot of cross boarding of applications in a lot of situations to make sure that they're leveraging modern authentication in order to take advantage of the single sign on that comes with leveraging modern auth in the cloud and things like that. So it's, it's not a turning of a switch and just make everybody work.
There's a lot of internal, you know, collaboration that happens across a whole lot of teams to be able to bring an enterprise of our size, to be able to take advantage of passwordless technologies. And it never moves as fast as, you know, we in the identity space want it to move, right? There's all. But this is the reality of especially a larger enterprise where like you said, you know, turning the battleship takes time, right?
Where or if you want to use a training or whatever analogy, you're right of a big thing that needs to shift direction or speed. It does take a lot of time and a lot of planning too, because you're, you're dealing with, you know, not just the technical aspect of it, but the change management aspect of it from a business process perspective, which can make or break how successful something like that might be, right? No, and you have to prepare to
over communicate. You have to prepare to make sure that you give all of the guidance necessary. So you know, are you going to be force feeding some of these changes or are you going to make them self-service, right? Are you going to encourage people to go in and set up their account to take advantage of passwordless? Those are decisions that have to be made pretty early on. And over communicate is my highest recommendation.
And everything that we've done is that you don't want to make people have to pick up a phone or call somebody or, or, you know, fire up a, a slack session. You want to make sure that they have all the information available to them to be able to, to make the decisions needed to get switched when they have to. And so, you know, the lessons
are learned, right? You, you on our side of it as implementers, we're, we want to rush these changes in and say, Hey, we won, we did it. And it's not quite that simple in our size and scale. It's never that simple and it's never right quick, right? And so it's a process, the change management like you said is a huge aspect of it. And yeah, I mean, we, we started we're, we're probably over a year in to transitioning the, the enterprise completely.
And it involves users, apps, devices, data. It's it's a full, full level transition.
¶ Challenges and Benefits of Passwordless Adoption
I know there's so much we want to get to, but I got to ask what is like been the common question maybe that you've gotten from end users about this whole passkey, you know, passwordless type of approach. Is there something that is out there? Because I'm sure people out there listening, it's like, all right, what should I be thinking about from a deployment standpoint for this? But has there been anything common that you've noticed?
Not, not quite yet. I think that the biggest adoption that is still surprisingly that it's so much of an adoption challenge is, you know, and typically in, in enterprise platforms, there's the authenticator app, there's the ability to use some passwordless mechanism to confirm an
authentication flow. And those are things that people, you know, they typically think they wouldn't, they're already either using their own, they want to bring in and use or, you know, they're suspect about using it on a personal
device. And those are things that we have to kind of coax through through policy and then making sure that they're aware that there's no, no personal information involved in, on those devices that you're tapping a, a push notification is, is there's no private information that goes that gets involved in that. So those are kind of the main questions that we get when we transition a lot of our activity to use in things like an authenticator app. But the user experience benefits
are pretty significant. So they usually, once they get used to that in their flow, they literally forget their password, right? They literally haven't used it in so long that they end up when, when they actually ever get something that requires and they enter a password, they forget it and have to end up resetting it. So that's a good thing. And then and hopefully we'll get to the point where they'll never need it. Yeah, well, just write it down and just stick it on your
keyboard. That's the. Same thing. So much work to get away from that. But yeah, those were the days.
¶ Role and Responsibilities of a Technical Fellow
I introduced you as a technical fellow. I don't think we've ever had a technical fellow on our show before. What the heck does that even mean? And was it? What is the day-to-day like for a technical fellow? Yeah. So I, when I complete like, like when I sign up for a webinar and it'll ask for my title, I just put identity guy because in, in my role and it is, it's pretty much a, a technical specialist at an enterprise level. And it kind of recognizes that I've been doing it for a while.
And so my role is, is pretty much to guide all things related to implementing identity and access management technology, right. And so whether it's on the enterprise side, whether it's on the customer identity side, all of the projects that we run throughout the enterprise, I'm responsible for making sure that there is a level of quality in. And then every integration point is, is doing what it should be in that we're meeting the needs of our business stakeholders,
right? Those are things that typically, you know, my whole engagement in getting into customer identity and access management started with a, a phone call. It was like, hey, what do you guys know about customer identity, right? Because they knew that we were, at the time we were, we were primarily responsible for enterprise identity, workforce identity. And we really didn't own that part of the environment.
And it was a single phone call that got me involved to say, let's see where we can help here. And ended up with suggesting a product, implementing the product and getting it deployed. And you know, there were by the time we actually got it deployed, there were hundreds of
people involved. You know, 456 organizations across the enterprise were involved in it ended up being a really big deal and we actually did it over COVID while we were actually realizing they were about to be shut down through COVID as when when this deployment actually happened so and. You're going to be at Identiverse, right? So I think we're going to be maybe even on the same panel. I think our friend Sean is putting something together. But give us a preview of what to
expect at Identiverse. So Sean and I are putting together a continuous identity workshop. So we're really excited to really get into some of the futures of kind of where we think identity is headed. And so there's a lot of activity and you guys were at the most recent Gartner conference and Authenticate as well where there's a, there was a, an interop that they hosted that brought a lot of companies together who are supporting CAEP and the Shared Signals Framework specification.
And there's just a lot of real benefit when it comes to being able to be completely dynamic in terms of how we apply policy around access control and being able to integrate multiple security products is, is really a huge benefit over taking advantage of the Shared Signals Framework. And so we're going to host a workshop that kind of gets folks immersed in, in what's involved to be able to take advantage of
that. And so that's I, you know, I, he didn't bring me along kicking and screaming. You know, Sean is so excited about it. You can't, you can't deny his enthusiasm around this topic. So I'll just come along for the ride. You know, Andrew, I figure with the technical fellow, it would be like, who's who's this Andrew Cameron again? Oh, he's the technical fellow down the down the hall there. I hear that that's a, that's a piece of comedy gets thrown my
way once in a while. But yeah, yeah, I just, it's easier to just talk about it as I'm the guy, I'm the identity guy at GM. If there's something going on with identity and access management at GM, probably I'm aware of it.
¶ Customer Identity Management at GM
I'm definitely interested in this customer IAM topic because I imagine you've got a ton of complexity and I could probably, you know, talk your ear off for an hour or ask you question or all day and ask you questions. So I picked a few that I think that you can probably really speak to. I would imagine that you guys have a pretty wide mix of legacy systems, modern systems and everything in between. And that changes over time, like the mix of technologies that you're carrying on. You probably still have some
mainframes, to be honest. Sure, maybe not. OK, not a not a shame to say that we do, yes. And that makes it tougher to get an identity solution that works for everything, right? Yeah, Yeah, we when we initially kind of rolled out our customer identity strategy there are our biggest goal was to, you know, own the the features and functions that were most important for authenticating the
customer, right. And so that meant standing up an identity platform that was able to perform at scale for, you know, our tens of millions of customers. And that also included things like taking profile management out of the hands of their applications, right? And providing a service that allowed our application teams to say, let's give can we look up the profile information for this customer and not have to replicate profile information across application environments.
¶ Establishing a Scalable Authentication Platform
Those are some of the, you know, simple goals, but it was important to establish that is it as part of our platform to be able to allow it to scale and to be able to allow other applications to come on board and they don't have to worry about how does authentication
work? As long as you're able to support a core standards, OpenID Connect, OAuth, you know your your application can plug into our environment and we can get you your customer authenticated and we get profile information available for the customer and that's for everyone who plugs into our platform. Yeah, and and something like profile information, it sounds so simple, right? We're just come on, applications don't keep the profile information and then it's like, OK, well, what is central
profile information? Is shipping address centralized, centralizable or does it matter what application they're using? So there's that technical complexity and there's also the complexity of do I want to give this up out of my application and you know, and done there. Was a lot of that there's a lot a lot of angst around that as well.
¶ Centralizing Profile Information
Yeah, it was you know, we wait you're going to you're going to remove these key customer attributes out of our application and put them somewhere essentially or what do we want to allow them to change it? Well, the customer go to one location where they manage profile and they can make that change there, right.
And so those are well the concepts there early on that didn't didn't sell immediately, but that the benefits from my overall enterprise and platforms perspective were really kind of key to kind of getting that accelerated once we got it stood up. Everyone sees the value of it two years after it's implemented and they forget how hard it was to get there. But it takes somebody like yourself. I don't care. Don't miss an opportunity to remind them. I don't know. I know.
I mean, that to me though is like a big deal, like getting profile centralized is different than just doing single sign on. And it's now you're starting to dig into what is built into each
¶ Challenges and Benefits of Centralized Profiles
and every application, which is this picture of an identity. Whereas, you know, let's take something like privacy information or communication preferences. You know, I don't want to receive a newsletter. So say I go into one application, I turned off newsletter and I keep getting newsletters because all the other applications I didn't go and turn it off in my profile there, right. The the customer experience
right there would be garbage. But if you can get all the applications to see that and save the better for the better. Good. It's let's centralized that now you not, but it takes somebody like yourself caring. And when I hear like, you know, I I've worked for large companies and you know, I've done a lot of the CIM stuff and you know, lasting somewhere 20 years, you go through you have to you have to have a little bit of a tough skin.
And then I'm also sure, Andrew, that you're in the role that you're mentoring people and encouraging them that like, look, sometimes you have to go through the grind and you're going to hit some lows. You ought to be able to bounce
¶ Mentorship and Collaboration in Tech
off those lows. Can you talk about that a little bit? Yeah, I mean, there's, there's probably 1001 stories. I mean, there's a lot of, you know, you want to make sure that you're, you, you prove the desire to want to collaborate with people, right? You, you don't want to come in with a, "I know I'm right and you're wrong and this is how it's going to go." So being able to listen has always been really key, right?
To be able to provide some feedback to people that is, is not deprecating or demeaning in any way has been something that has worked for me, right? And it GM culture in, in the 2000 or in the early 2000s was very different than how it is now. And I was fortunate to be around leaders who, who didn't necessarily believe we needed to rule with a, an iron fist to be able to get things productive in an enterprise environment the size of GM. And so
that's kind of what has allowed me to kind of lead in that way, right? I'm, I, I don't lead large team. I don't manage large teams as an individual contributor. I, I'm more focused on leading by example, by the example that I set. And so I, I don't get into trying to make sure that people know that I'm right. Consensus building is still something that is valuable and it makes people feel like they're included. And so that's something I've always tried to follow.
Yeah, I really love that, you know, So again, I have to kind of pick my topics because they could bend your ear all day.
¶ Complexities of B2B Identity Management
But the last thing I wanted to talk about was I can imagine that you have a very, let's just call it complex, for lack of a better term, complex B2B environment where you've got obviously suppliers, you've got dealerships, you've got a global dealership network. You know, you've got to supply those dealers with the ability to order new cars.
You know, maybe you have also beyond dealers, you have like national accounts, like maybe a Hertz or a National, you know, car rental kind of company where they buy thousands of cars. Well, they're not maybe going to buy them from a dealer, but there's all those complexities within. But one of the things that I think from an identity standpoint, that becomes the hardest to manage and all that
is delegated administration. You know, so that you don't have to have like your help desk having phone calls come in like, you know, from a dealer in Toledo saying, hey, we just hired Nancy and she needs to have access to X, Y and Z systems and all that. Somebody in that Toledo dealership can go ahead and set up Nancy and then when Nancy no longer works there, take away her access. But that's one of the hardest things to solve. I think they talk about that a little bit.
No, it is probably one of the hardest in workforce identity. It's one of the hardest aspects to manage. And just think about even what you see in the industry, you don't even see that many products out there that are targeted towards external user management, right?
You, you know, the IGA tools can do it to some degree, but it, it's everyone's enterprise is so different that you really have to put in some effort into, you know, what you described was kind of the base level use case where yes, every organization, every dealership, every supplier company has a security coordinator, a someone responsible for onboarding their users. But as you might guess, they're, they're not exactly diligent in removing their access when
they're supposed to, right? And, and how do we handle that, right? And, and how do we work with those organizations when they have breaches in their environment, when they have security issues, right? All the things that we have a, we have a dedicated security organization in our, in our IT organization that focuses on third-party security, right? And making sure that our partners that we work with maintain a minimal level of, of
risk in their environment. And we have a, you know, some very important requirements for any partner that we interact with to allow them to access GM systems. And so those are things that when you start dealing with, you know, we have 10,000 dealerships globally. We have hundreds of, we have a supplier network that's multiple tiers where we have suppliers that manage suppliers that manage suppliers. And so it's very, very complex.
We have entirely dedicated infrastructures to to not only make the delegated admin piece happen, but I would even say that there's a B2B2C segment that comes in that doesn't fall into being managed in our with our workforce identity infrastructure. But they're not exactly
customers, right? They fit into this little example that you brought up. The rental car companies that we deal with probably fall into that space where they, they have a need to be able to do things like self-service registration, sign up and get an account to have access to certain systems. And they don't need to have access to all of our enterprise systems, but there's a certain segment of systems that they can get access to in a self-service manner that we manage that that
they have a need for as well. And so that's a another segment of our external user population that we've, you know, had to manage and create additional solutions for in that matter.
¶ Global Privacy and Language Challenges
I've got to imagine that the the global aspect of what you do has probably been around like the entire time that you've been involved. But that brings on the whole language issue. How many languages do you need to support? And I'm going to ask the question this way. What is what is the the harder thing to manage, is it the languages or the different privacy laws that exist throughout the world. Wow. That's a great question.
I'd say that the complexity of privacy laws has been something that in recent years has really started to, to get attention, right, Because, you know, the fines in, in, in these regions are starting to get significant. So you don't want to get that wrong, right? And so especially when it comes to EU and, and how we handle location of personal data in those regions, it's really important.
And so, yeah, it, it's being able and, and actually being required to build solutions to allow our customers to do things like right, to remove and things like that. They've been part of what we do in recent years, and so I'd say that's been the biggest challenge, right, Being able to respond to the varying demands of privacy globally for an enterprise of our size has been something
that's really, really important. It's a struggle for everybody, I think, trying to this all together, but I think it underlines and sort of underscores the value that IAM comes in maintaining compliance with a lot of this stuff. If you're doing good IAM stuff, generally speaking, you're going to be that further ahead when it comes to compliance with regulations. At least that's that's my thought. Does that make sense or do you disagree? It makes perfect sense.
So if you're doing things like not making multiple copies of customer profile information everywhere, then when it's going. To sync it, it's fine. Yeah, yeah. See, that's the and that and that where, you know, that's where it sells itself, right? Where you don't have to, to be worried about how many copies of, of, of databases that have been, you know, thrown around the enterprise. That being able to satisfy private privacy requirements gets a a bit easier at least.
And it's not as complex as it could be, right? And so, yeah, now those are, those are things because that's real money, right? That's real. That's real cost that can get hit if you're not on top of, of all of the requirements. If you're not, if your solutions don't don't meet those requirements right, you can get a lot of trouble really quick. I'd like to take the
¶ Enhancing Vehicle User Experience with Identity
conversation more to the consumer side. I feel like a lot of people listening probably have a vehicle. And one of the things that I've noticed over the last several years is the rise of what I'll call like a, a car account, right? Whatever the manufacturer is, you know, GM is one of them. But Volvo, Tesla, Rivian, right, all you name it, tend to have an app and vehicles are moving now into almost like this cell phone on wheels type of thing, right? Software defined vehicles,
etcetera. Can you talk a little bit about how that works from an identity standpoint? Like what are the benefits of you know, having a GM account or maybe in, in the case of GM, if it's a brand account, right, whether it's Chevrolet or Cadillac or whatever it may be.
It's probably the most exciting part of what I would say, although the customer identity space is the impact that we have on the user experience in that way, in that everything that the customer sees starts with what you do when you access your
product, right. And that's usually, you know, when you when as excited as you are, when you buy a vehicle out of the and you take it out of the dealership, the first thing you do is you log into whatever that mobile app is and check out all of the features that you can do through the mobile app,
right? And so it's really exciting that we have been able to impact, you know, the overall vehicle experience in that way and then be able to have, you know, not multiple accounts from that, multiple logins when it comes to kind of taking advantage of those experiences because, you know, we're bringing more and more services into the vehicle experience, right? So, you know, you're driving along the road and you and, and you come across Starbucks,
right? You can, you can order your Starbucks ahead of time and, and, and not do it through, you know, not do it through your mobile app. Those are things that are you can actually do through a head unit. And so it's important to be able to make the experience as seamless as possible and to bring a single identity into that experience. And so it should be as something as simple as here's an e-mail address and I sign up for an app and I can be secure in accessing
my vehicle features. And that's, that's a, that's a destination, right? And there's a, there's a lot of ways. And that's why kind of focusing on a single identity is so important because you don't want to, to add friction to the user experience by, you know, forcing them to poke in a password on the on the vehicle display, right? That's not, that's not the best
way to go about that, right? So those are things that we've been working really hard to make sure that we bring that best experience to the vehicle, vehicle customer. I feel like this is an area that is still ripe for conquest by auto manufacturers where you can personalize the vehicle. There's so much telemetry and so many things that you can now control in the vehicle through an app or APIs, right, through
the app. And those sorts of things where you know, if, if you're carrying your phone, for example, and you know, you're using maybe an ultra wide band for your, your mobile key, right? Or or some other Bluetooth proximity, whatever. Maybe in in some scenarios it knows that Jeff is getting in the car. So let me set the seat position to this. Let me log into, you know, my Spotify account or Apple Music
or whatever it may be, right? Set Google Maps and my direction based on a calendar entry, right? There's a lot of neat things that can happen, but you can't do that without the identity layer actually pulling that together, or this is an opportunity to connect those
experiences. Yeah, or delegate privileges to do things in the vehicle to your kids, right, To be able to, you know, work the work the display in the rear of the car to whatever they want to do and be able to have their preferences saved to a family set of preferences. All the things that are also part of the picture, right? And those are all huge, right? Those are those are selling points, right. When you're able to provide those that kind of granularity of features within the vehicle
experience. So yeah, I mean, that's, that's what's exciting about it, right? And that's it. It's really exciting to be able to see, not only to be able to enable those cool things, but from our perspective, we're trying to keep it secure, right? And so we're trying to, and I know you guys bring, you've had Andrew Shikiar on several times and I know that FIDO has created an automotive working group
that's pretty exciting. And I can't announce anything, but I'm just keep in mind that we're looking at it, we're aware of it and, and, and we're excited to see how that progresses. I feel like this is an area that a lot of people struggle with, not people meaning auto, auto manufacturers, when it comes to really nailing that app
experience. I promised before we hit record that I would not get on my soapbox about the experience that I've had with one of my recent vehicles and the let's just still call it not barely passable grade that I would give it from an experience. Why is it so hard to get that right? Is that are there?
And you know, this is probably more of an app development question, but are there technical underpinnings from an identity perspective that make developing an app like that have those capabilities more difficult or thought process? Or is this like, hey, we've got the identity side, but there's still more work to do on maybe API management or other telemetry, you know, items that might be coming from the vehicle? Yeah, huge aspect in terms of
¶ Speed and Security in Vehicle Identity Systems
security to be able to have a consistent set of security controls that are end to end, right. So that you know, not only are you doing things like MFA and securing the account experience when the customer logs in, but to be able to maintain that context all the way back into
back end systems. And so it is important down to the developer level to be able to understand the differences of experience when you are showing a webview versus a native app experience and the differences of how that is perceived by the customer. Those I, I can't tell you the level of discussion that I have been involved in when it comes to making decisions around showing a, in a mobile app, whether you're showing something as simple as a webview versus a
native screen. And, and, and how people get very passionate about what's, what's, what's best versus what's most secure, right. And so the standards do have a play in that. And, and as standards evolve and as products evolve to be able to support those better
experiences, that's great. And I think OAuth and I think what's been exciting is kind of the version of OAuth that has near approval, the 2.1 version of OAuth is coming out that's addressing some of that actually keeping things more secure, but it's allowing more to be bring more native experiences to our
customers. And so that's something that's it's a help overall, but it's, it's huge to be able to make sure that there's consistency across the experiences in the, and not only from just the app itself, but to how interactions
get into your back office. And so things like WAF and API gateways and you know, all of that plays a role when it comes to the customer, you know, authenticating, doing MFA and doing something as simple as hitting the button to start their vehicle that there's, there's an awful lot of interaction that happens. Attempt to secure that from end
to end. I feel like this is an area that maybe people aren't as aware of is the speed of all this needs to be like sub-millisecond because you just, you just listed a whole bunch of like speed bumps, right? The WAF and API bouncing back and forth, microservices, etcetera. Every second that when you hit that button on the app to say, start my vehicle, unlock my door, call for help, right? Whatever it may be.
That is all mission critical things where you cannot have identity be the slowest link in the chain. How do you tackle speed when it comes to make it secure but make it fast? Yeah, that's, that's part of the process of bringing things to production to make sure that you have the, the, the performance, the response, the, the, the, the least latency involved when making.
So there's in all of the best practices that need to be brought to bear when it comes to edge computing, right, to be able to make calls to an API services layer that can respond and, and recognize that a a user is authenticated and have authenticated with MFA and that we can process this request versus yeah, this doesn't look right. Let's reject the request, let's cancel this session because
they've been compromised, right? We get a threat signal that says that the user may be compromised, right. So those are things that have to be taken into account. But yeah, at our scale and, and to be able to have a response time when you start your vehicle of a couple of seconds is, is something that is, I think, it's the highest level of, of distributed system engineering at our level that to be able to
get that done. And it's, there's a lot involved, like you just said, there's, there's so many systems, so many interactions that happen that the customer never sees, right. But that we have to get involved with to make sure there's policies, they get touched, they get triggered so many points along the way. And that's what it's fun. That's what's made the whole journey of the fun, to be able to get into all of that.
I was going to say it's you sound like you're having fun with it. It's getting more and more fun as time goes on. You know, in addition to kind of the speed bumps that Jeff mentioned, and I think he was right on with that. The thought that I was having the whole time was, you know, you got to remember it's a car, there's all these things going on. It's got to be able to stop when it gets to that red light.
And if it's got to send an API and like, you know, it gets to the point where the technology can compromise safety especially, that would not fly. Those are just some background thoughts. So I'm not asking you to react to that because that's kind of obvious, right?
But you did bring up something about standards and I would think, you know, one of the hurdles would be that this is an area when it comes to technology in the cars that's going to be a real differentiator between car one and car 2. But the security piece of setting standards for security, to me, everybody's a long term winner if there is some standards work that's done together.
So is that your perspective that you bring when you're working with a group like FIDO in terms of, you know, moving forward this this working group? And I know you didn't have an announcement, but I just wanted to know if that was your perspective. Yeah. So absolutely the the answer is yes, that when you consider that you know, as consumer technologies take off, so things like passkeys that people are adopting that their technology
platforms are adopting, right? You would think that they would be customers would be ready and willing to leverage those technologies with their in vehicle experiences, right. So using passkeys for payments might be something that people are interested in, right. And so to have those and to see the industry adoption at this point is an indicator that the customers would like to be able to continue to use these kind of features as they're made available.
So, yeah, I mean, again, we're aware of that and we want to make everyone's experience easier. So we'll be paying close attention to those as we as that evolves, right. So, yeah, we're really excited to to hear that. You know, I've talked to Andrew a number of times about this that the, the, the working group around FIDO has kicked off for automotive. So that that we're expecting a lot of great things to come out
of that. As I'd say like some level talking, going back to that exciting feeling, it's like all of you only just like start your career over right now and like just see where things are going the next 20 or 30 years or whatever it's going to be that a career becomes after in in that time. But let's talk about AI. I mean
¶ Future of AI in Automotive Industry
that's on the tip of everyone's tongue, right? That's it's almost scary to think right now, like if you're just starting out right now, like am I going to be obsolete 20, 30 years from now? I think it's more of an enabler. I think it's AI is going to be built to serve humans and make life better. That's my optimistic perspective. What's your perspective on, you know, a couple of big things that are going to happen in your industry, in the automotive industry because of AI?
I think we're going to see a more at a larger proliferation of, of agent based AI that will interact with customers and to be able to give that first level of service and experience that is more responsive, you know, more accurate in terms of, you know, what you may have been able to get from the the, the chat bots that that kind of preceded agents today.
And so I think that's going to be kind of low hanging fruit to be able to take advantage of those kinds of experiences within the solutions that we build and deliver. I I think, you know, machine learning and AI has been used from a security perspective, right? Where we've been getting threat signals that have that have been based on AI for a number of years now, right?
And so, you know, things like password spray attacks, things like impossible travel, all of that is based on machine learning that the that the vendors are providing. So I think you'll see that evolve, right? And we, you know, enterprises of our size are building a pretty rich set of data around users and entitlements and the resources that they access. And so to be able to do all the things like automatic deprovisioning if you're not using a resource make a lot of sense, right?
You don't have to go through that manual effort of removing somebody through an access review. You have some kind of of of agent, you know, watching all of that activity and if they don't touch something for six months, then you must not need access to it. Let's take you out of it. So I think those are kind of things that are will start to make a lot of sense within the enterprise and things that touch customers.
I think you'll start to see some form of agentic AI in the vehicle eventually where you'll be able to do things. If you can do it within your home, you should be able to do a lot of those things within the vehicle. So I think you'll start to see a lot of that eventually. So I think that's probably a good spot or maybe we can leave
it for this week. I want to thank you because I told you before we hit record that we're going to take your brain and like splay it out and we can keep going on and on for this. I, I feel like this is an area that is like super exciting. I am, I'm I'm an EV fan. I think that's kind of on record at this point and the the identity experience is such a core part of that. I want to see you guys nail it, right?
It's like I want to see everyone nail it because, you know, this is the experience you're having the vehicle. So I and I and I think of the future, right? Where is this going? OK, we're all connected vehicles and things got to be secure. What happens when vehicles start talking to each other and things get safer, whether it's self driving or even just shared signals maybe between vehicles which are devices to say hey, I'm slowing down or I'm accelerating. I mean, I just think of the
safety applications when our. Standards for that too. Yes. So I think it'll be super cool to get there. And you know, identity is going to be such a core component of that. And and as Jim mentioned, we can talk about this forever. So, but I want to talk about a couple things.
¶ Detroit Pride and Personal Insights
You're a Detroit guy. I want to first of all, and I'm a, a Lions fan. You can see on your shirt there I'm a Bears fan. So I want to thank you first of all for Ben Johnson and having him come over. We're very excited to have him. I've kind of been on record with my friends as it's Ben Johnson or bust. We got the guy. So thank you for letting him come to us. I that being said, I was rooting for Detroit Lions in the playoffs. I wanted to see them. Yeah, at least make the Super
Bowl, but that didn't happen. So I'm going to put you on the spot for Detroit Lions. Give me, give me a win total for next year because they had a great year this year. No, I think 12 wins is the floor, right. So, you know, we're bringing the cast back. We don't have our coordinators. So that's going to be interesting evolution of of how things happen. But yeah, twelve wins is the kind of the minimum that I would say. And yeah, let's get a home
playoff game. And, and and that's, that's, that's the lowest expectation at this point, right? And as a Lions fan, you know, after 60 years of 60 plus years of, of what we have realized, you know, what we've seen in the past couple years is been great, you know, so, you know, and that's regular season. You know, one of my most tremendous playoff disappointments was last year when we were at halftime of the NFC championship and thought we were in the bag and it didn't happen.
So yeah, we'll stick with it. We'll we'll keep the faith and I think, yeah, a minimum of 12 wins next year, get a home playoff game and we'll take it from there. OK, so we're going to put that on record. That's the that'll be on ESPN. 12 wins or bust for the Detroit Lions, courtesy of NFL analyst Andrew Cameron and also technical fellow, IAM, at GM. All right, another for Detroit thing, pizza. Are you a Detroit style, New York style or Chicago style
pizza? I am Chicago style primarily and we have a Chicago style pizza place here in Detroit called Pizzapapalis. It's in downtown Detroit that has been a staple for decades and I would recommend anyone to hit that. It's it's as good as any Chicago deep dish that I've ever had. And I've been, I've had, you know, I've had George Donald and everything else from Chicago, but I'd say Pizzapapalis is probably our our best kind of deep dish Chicago style pizza and that's the one I've enjoyed
the most. It's the one thing I'm one of the things I miss living in North Carolina now is the pizza down here is nowhere near as good. It's the Chicago area, so I'm always. Looking for pizza? Spots to to hit up. OK, Jim, real quick, are you what, New York? Chicago or Detroit pizza? I've always been Detroit or you know, I used to work at the Renaissance Center, Andrew and. You know. Greektown. There's, there's, I don't know, I always felt like Detroit was
coming back. I was there around 2009 through 2012 and I felt like Detroit was really coming back. But what I really loved the most about the place was the pizza. And but given that I love New York style pizza, there's not many pizzas I don't like. So. But Detroit's my favorite, yeah. At the early stages of our, of our kind of the, the downtown rebirth was right around 2011, 2012. It's, it's a lot different even now than it was 10, 12 years ago. So it's it's pretty exciting
down there now. Yeah, I, I've always been rooting for Detroit to come back because I think it like, you know, it became like the thing that people would, would almost joke about is like, oh, it was a safe to joke about. Like, oh, Detroit is falling apart. And it's like, First off, that's it's not really funny. And 2nd off, it's really a good, a good city. And now I felt like it was coming back while I was there. Yeah, I've been here all the life.
I'm a lifelong Detroiter and I will, I can represent, you know, if you want to know the truth, talk to me. I'll give you the truth. Don't, don't, don't follow the Internet and what it's been saying from a downtown perspective, it's so totally different. And it's, if it's anyone that's, you know, the NFL draft that was here a couple of years ago, I think was an overwhelming example of us being able to host large events and people all having a great time when they're here.
So it's pretty cool. I've never been to Detroit other than the airport. That's pretty much it. One of the. One of the cities. In Midwest I haven't been to. Come, come, come one, Jeff. We'll, I'll give you the the Grand Tour anytime. You're welcome. All right, all right, that's probably a good spot. Well, I'm going to head up to
¶ Conclusion and Final Thoughts
Detroit. We're going to get some pizza, and then I'm going to continue to take little slices of Andrew's brain and tear it out and put it on display for people in the podcast. So that's what we'll do. Andrew, thank you so much for being part of this. You're it's funny right now because you're using the virtual background and you've totally faded. It's almost like homework going. In Slime I. Think, yeah, the lighting just changed in my room, which is really interesting. But yeah.
If that's not a signal, it's a wrap up. There you go. All right, Andrew, thank you for being part of this. I'm going to have your LinkedIn profile on our show notes so people can reach out, whether it's, you know, about identity or maybe just better places to eat pizza in the Detroit area where you can have those conversations. You can find us on the web, idacpodcast.com. Again, we'll have all of our discounts for the conferences on our homepage.
Reach out to Jim and I and we get lots of great guests come on through word of mouth and networking and things like that. So let us know if you've got folks that'll be good for an episode like this. And yeah, like and subscribe. That always helps us out. Doesn't cost you anything. Hit that button. But it does help us out immensely. So with that, we'll go ahead and
leave it for this week. Andrew has almost completely faded into the bush like Homer and thank everyone for watching and or listening and we'll talk with you all in the next one. Thanks guys. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.
