
#346 - Sponsor Spotlight - Veza

Apr 30, 2025 · 56 min · Ep. 346

Episode description

Sponsored by Veza. Visit veza.com/idac for more info.


In this sponsored episode of the Identity at the Center Podcast, hosts Jeff and Jim welcome Tarun Thakur, the co-founder and CEO of Veza, and Phil Venables, a strategic security advisor with Google and board director for Veza. The discussion spans the critical role of identity security in modern organizations, the solutions offered by Veza's Access Graph, and the challenges posed by both human and non-human identities. They delve into the evolving landscape of privileged access management (PAM), the transformative potential of AI in identity security, and actionable steps organizations can take to achieve least privilege and reduce risk. The episode also highlights Veza's recent $108 million Series D investment, underscoring its mission to build the next-generation identity platform.


Chapters

00:00 Understanding Privilege in Organizations

02:10 Introduction to the Podcast

03:13 Meet the Experts: Tarun and Phil

03:46 Tarun's Journey into Identity

05:24 Phil's Background in Identity

08:35 The Vision and Differentiation of Veza

11:38 Announcing Major Investments

13:48 Challenges in Identity Security

27:48 Challenges of Privilege Access Management

28:09 The Evolution of Privilege Access

30:25 Session Recording and Management in Modern Infrastructure

33:17 The Role of Access Graph in Identity Management

44:47 Leveraging AI in Identity Security

52:50 Final Thoughts and Future Directions



Connect with Tarun: https://www.linkedin.com/in/tarunthakur/

Learn more about Veza: https://veza.com/idac

Connect with Phil: https://www.linkedin.com/in/philvenables/

Phil’s Blog: https://www.philvenables.com/



Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/


Visit the show on the web at idacpodcast.com

Transcript

Understanding Privilege in Organizations

Tell me the top 50 people in my organization that have the most privilege and you can almost guarantee, and I'm, I'm sure you've had experience in this is in most organizations which they just ask that question. Tell me the top 50 people or the top 100 people that have the most privilege. The answer when you see that is like, holy cow, who gave them

all that access? And, and so the nice thing about a scaled solution as opposed to one of these more traditional solutions that's just kind of in a people review, doing things in spreadsheets or going through a GRC tool or going through something that's like humans reviewing other humans' accesses. You need to be able to ask these questions like who's got this privilege? Who's got the most access?

If this credential is compromised, what's the chain of attacks through the identity graph that could result in an action on a critical resource, all of that kind of stuff.

I mean, one of the things that's fascinating, and then, you know, Tarun knows this as much as anybody, is every customer use case at Veza. It's like every customer almost invents their new set of questions that are peculiar to their risks that other customers can learn from in terms of, wow, that's a really interesting way of getting to the most risk and figuring out how to reduce their risk.

The time, time is here for us to really, you know, not just lift one boat and there's something I, you know, shared with you and our teams. Let's not shift the boat, move the boat of visibility or move the boat of intelligence. You know, let's try to build something which can, we can lift all the boats together at a, at a singular time.

So whether it be IGA, whether it be PAM, whether it be NHI, we believe the fundamental of that is rooted in just completely rethinking identity from scratch. This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman.

Introduction to the Podcast

Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad, yourself? I'm doing great. You know, I'm super excited. We've got two of the top gurus in the identity security area today on the podcast. I'm ready to get into it. Yeah, why don't we get into it? No use, like, you know, trying to wait and figure it out. If people read the title, they already know what they're in

for. But again, to make it very clear, right, this is a sponsored episode. This is what gives us access to people like Tarun and Phil and others to really kind of dive deep into those technology conversations, especially when we start getting into products. So they are generously, you know, spending their time with us to educate us on a few different things, but why don't we go ahead and get some introductions.

So today we're sponsored by Veza, the Identity Security Company. Totally stole that from their website. And we're going to hear more about what that means. But if you go to the website, veza.com/idac, we'll have some more information for you there. So with that, let me go ahead and introduce both of our

Meet the Experts: Tarun and Phil

guests. Today we've got Tarun Thakur, he's the co-founder and CEO of Veza. Welcome to the show, Tarun. Very nice to be here. Thank you, Jeff and Jim. Appreciate the opportunity. Yeah, thanks for taking the time. And then he's joined by Phil Venables. He's a strategic security advisor with Google, and he's also a board director for Veza.

So welcome to the show, Phil. Yeah, great to be here, looking forward to it. So we have a tradition around here that when someone joins us the first time, we like to find out a little bit about their identity backgrounds and how they got in the space. Tarun, I'm going to start with you, and Phil, just get ready because you'll be next up in the wings. Tarun, how did

Tarun's Journey into Identity

you get into the identity space? Is it something that you chose or did it choose you? Yeah. No, Jeff, it's, you know, I remember talking about this question with you before when we met at Gartner IAM. It's definitely the latter. You know, I don't come from the identity background. You know, I've grown up in a systems, distributed systems background and, you know, spent the past 20 years of my career building distributed

systems at scale. So, you know, my background is definitely how to build systems at scale and how to think about, you know, all the way from, I remember my first job was writing assembly language code, to building globally distributed file systems and then globally distributed databases. So it's definitely the latter.

But I would say, you know, fascinated by this space, five years in, I feel like identity has so much to be done that you're just barely scratching the surface. But thanks for asking. Yeah, there's so much to do and learn in this space. I feel like I'm never going to get caught up. And I think that's a great thing, because then it doesn't get stale. Yeah. And also it feels like, you know, identity is very much its own island.

You know, it's so critical, but yet, you know, when you get into that space, it has its own, you know, weird nuances. Maybe that's true for network security, Phil will probably know, and maybe that's true for endpoint security. But identity definitely has lots of, you know, lots of threads here. So I'm going to ask you about Veza here in a second, but I want to get to know Phil. Phil, this is the first time that we've met.

I feel like we've been at a lot of conferences together. I've seen you speak, so I kind of feel like I know you a little bit, but at a distance. But now's my chance.

Phil's Background in Identity

Phil, tell me about your background. How did you get into the identity space? Is it something that you chose or did it choose you as well? Well, I've been a CISO for companies, for major global organizations, over about 30 years. I'm giving away my generation there.

And in every one of those CISO roles, as most people in security teams can imagine, it's hard to avoid thinking about identity and access, and access management is, as I'm sure we're going to talk about today, one of the cores of security. But over many of those roles, over many years, it became, you know, a significant part of being able to just ask and answer the question, what are all the identities I should care about?

What are all the things they can access? Is that access appropriate? And if not, what can we do about it? And then to do that at massive scale. And so, you know, and Tarun knows this story because this is kind of how we first met, is, you know, at one of my prior organizations, I was really struggling, this is like a decade ago, really struggling to find any solutions that could help me solve this problem at

scale. So we ended up building something and we built it wrong first, learned from how not to build things at scale and then built it at scale with a very similar architecture to what Veza has, although it had none of the sophistication, none of the bells and whistles. And you know, if Veza had been around then, I'd have bought that solution because it

was all of a scale problem. And so I've been immersed in this at the sharp end for decades. And it's, you know, it's so good to be partnering with Veza on their journey and just figuring out how to solve this in the right way. So I have to imagine it was probably equal parts validating and frustrating that someone built what you built and it's like, oh yeah, that's, oh wait, that's maybe better. You know, I remember this, Jeff, this is 2021. I got introduced to Phil.

This is like, you know, we're only like 12, 14, 16 months old and we just had very rough sketch MVP kind of ideas. And, you know, we started sharing with Phil that, you know, hey, here is what we're thinking, here is a graph, here is access permissions, here is how you bring it together. And Phil looked at it. It was a 30 minute introductory call.

And that call, I don't know Phil, if you remember, it ended up being a two hour call and, you know, we talked about lots of challenges and Phil is like, OK, let's see. We put our heads down for two years and, you know, had the opportunity to meet Phil again. And I remember 2023, and just so lucky and so fortunate, so privileged to have Phil on our board and guide us pretty

much on a weekly basis. So this is probably a good segue for people who aren't familiar with Veza. Tell us something about the company. You know, what is it that you guys bring into the market? And then most importantly, and I'm going to put my jaded CISO hat on, is why are you guys different? Why are you guys, you know, setting yourself apart? How do you set yourself apart from your competitors and,

and things like that? No, I think there are three questions packed in, Jeff. Let me try to go fast, I

The Vision and Differentiation of Veza

think. I think, look, with Veza, what we're building is really, you know, what we call internally the next generation identity platform. You know, we came to this conclusion, back to your question of, you know, identity definitely chose us, or me

specifically. And I think the, you know, the observation that we made on why we started this company, the insight and the intuition was, you know, we were simply just asking questions, what I call the minus one journey of a startup before you actually found the company, which is what's top of mind. We asked CISOs, what's top of mind when it comes to securing the biggest asset in your organization, which is your data, right?

At the end of the day, if you're buying any tool, you're buying it to really secure that asset. And, you know, the feedback was that, hey, look, we've solved lots of problems from endpoint to network to securing multi-factor, but we really haven't solved the hardest problem in identity, which was

principle of least privilege. And so, you know, essentially with Veza, as Phil noted, you know, we started the company in 2020, five years old, and really have taken that mission to heart on helping organizations really thrive towards the principle of least privilege, which is in simple words, who's Jim and what can he delete in Snowflake, or who's Jeff and what can he delete in an Oracle table?

And so that's essentially what Veza started with, what we want to go build is, you know, our long term vision, or act one, act two, act three, is really rooted in how can we build that next generation identity platform, which takes me to your question of differentiation, you know, which was, as we started digging into principle of least privilege, you know, what became very clear to us is the world believes directories are identity, and how much of a fallacy that

thought is because that's not the truth. The truth is, you know, the purest form of access is actually permissions and entitlements. And so we said, you know, look, back to your differentiation, the way we speak with CIOs and CISOs and CTOs is like, look, identity has to go beyond a directory service. We believe the purest form of identity is in permissions and

entitlements. We have built this beautiful, what we call a durable data model, which is realized as the access graph, really to help understand who are the humans and the non-humans or even third party identities and what action can they perform on critical systems, whether it be SaaS, whether it be data systems, whether it be cloud systems and now agentic AI apps.

And so essentially our differentiation, Jeff, is really in that data model, we call it the access graph, which really brings the entitlements for that individual into this beautiful data structure, for lack of a better word, on which we have built lots and lots of apps. Visibility, intelligence, access reviews, we have built these apps on top of that data model to really, again, go solve business use cases and business problems.

So the other thing is, you guys are making some news today, you know, when this episode releases.

Announcing Major Investments

Tell us a little bit about what's happening in the world of Veza. Yeah. No, look, as I noted, we've been very hard at work for the last five years. You know, as Phil noted, we have had the fortunate opportunity to partner with some very large Fortune 100, Fortune 10 organizations. It's become very clear, you know, after partnering with such organizations across both enterprise and commercial that we truly are solving a critical, critical problem in

cyber at large, right. Again, principle of least privilege. So, you know, the time had come for us to really double down, triple down. You know, start-ups are all about product market fit. We feel like we have a great product market fit. And so, you know, we're announcing today our Series D investment of $108 million financing, which, you know, doubles our valuation from the last time we did our Series C.

And really this investment is, you know, very grateful to the new investors, NEA and Aaron Jacobson and Hillary from the NEA team, to sort of believe in the mission and the vision of the team, but also to sort of double down and triple down on what we believe could be a very, very long lasting company. Tarun, congratulations on that, and I'm glad you're finally on the podcast. We've had Rich Dandliker on a

couple of times. Those have been some of our best episodes. And you mentioned how we bumped into each other at Gartner. And I've got to say, your booth, there are probably two companies that made the most noise at Gartner and Veza was one of them. And your booth just constantly had people there. I mean, first off, your logos, even on your website, were out of this world, but I knew a lot of the people who were coming to your booth and it was like super impressive.

So congratulations big time. I think it's, you know, you're on to the right thing at the right time. Now, what do I mean by that? The identity security company, right? And so that this is the time for that. That's what everyone's talking about and there's good reason for that. And I'm going to actually turn this into a question for Phil.

Challenges in Identity Security

So identity security, it's like identity is front and center when it comes to security. And Phil, I wonder, why is it that now this is hitting so hard? But yeah, I mean, I think it's really to do with just the breadth of what identities and permissions and access and entitlements companies have to deal with. So they've got their traditional on-premise environment, they've most often got multiple cloud environments. They've got multiple SaaS services, some of which are big

data warehouse services. There's a whole array of things now, and coming with AI, that has a whole series of human and non-human identities. So when you take a step back and you think about this problem, there's a set of human and non-human identities that have access to various resources, and organisations just need to answer the relatively simple question of, you know, what or who has got access to

what, and is that appropriate? And is that actually implemented according to the intent that we have? Now, all of us and probably a lot of the audience today have, you know, been in this battlefield of identity security for long enough to know that. Yeah, just stating the problem quite simply like that.

When you put that against the backdrop of the scale that even small to medium enterprises have to deal with in terms of their number of systems that contain access and privilege and identity, and all of the external services, you then need to just handle that scale in a way that doesn't require manual reviews or tedious updates. You just kind of manage this in an automated, systematic way, and to what Tarun was saying before.

Ultimately, and this is where a lot of organizations have failed in the past, if you don't architect this for the scale of trillions of combinations of accesses that can only be encoded in like an access graph like they have, then you're ultimately, even if you've got a great little system for dealing with a small number of privileges, ultimately it's going

to fail if you can't scale that kind of graph scale processing of the massive amount of combinations of accesses that you have to monitor adherence to, even in just the smallest of enterprises. And that's really, I think, what everybody's dealing with. And I think why, to your point, people are flocking to the booth at things like Gartner is they've tried solutions that don't scale and they just need a solution that scales to cover all of their identity and access requirements.

And that comes down to the data model. Yeah, I definitely have seen the data model. But you know what I really love about what you said there, and this is what I love about you, Phil, is that you can take these big difficult concepts and put it down to something simple, right? So true. Yeah, yeah. So that is super cool. That's true. What might you add to what Phil just said? If you can add anything. Yeah, no, I think Phil is actually spot on.

You know, Jim, maybe I can just share a couple of examples from organizations that we work with, you know, just sort of give some examples. You know, we see sort of, you know, to me, for lack of better words, these sort of use cases, right. Who has access to what and what can they do with that access is like number one in any organization, whether it's a Fortune 500, Global 2000 or a commercial organization, right?

So we see, you know, use cases sort of in the following order, Jim, just to give you a couple of practical examples. Working with a very, very large financial organization, and their entire use case is about identity hygiene. And they're like, look, we have these users, users are part of groups and groups have roles, as Phil noted before. And you know, roles are embedded within roles.

Can somebody just, you know, demystify this and give us a very simplistic view on who has access to what role in, let's say, a system like Salesforce, right? So one is identity hygiene, AD hygiene. Number two, you know, an example of an organization like a Blackstone, right? They were a large Fortune 500 organization where they were doing all their access governance, their identity governance, on

spreadsheets. You know, as Phil noted, there are not many people who have cracked this problem. And so people are either living in PowerShell scripts or they're living in Excel spreadsheets, or they're architecting their own solutions for organizations that can do that. And so Blackstone had architected a solution glued together in ServiceNow, and we've completely transformed them in three years here. They had about 5 to 500 apps.

Think of a Fortune 500 organization configured on Veza for things like access reviews, things like access provisioning, deprovisioning. To give you another example of a large organization, you know, think of an Intuit. They are one of the first 10 customers for us. And they're like, look, we love this access graph you have, we love this data model. Can you go and apply this to us

to help us secure our GitHub? And we're like, why do you want us to apply this to GitHub? And they're like, look, it's the biggest asset we have in the organization. All our code is in GitHub, and so all our IP is in GitHub. We cannot let it get into bad hands. And so we want to, you know, we want to measure the permissions and the entitlements, who has access to it. And we want to keep driving what they call an over-permissioning access score.

We need to keep driving that access score of over-permissioning down to 10%. So just a few examples, Jim, to add to what Phil shared. So I, you know, this concept of least privilege sounds simple, but it is actually pretty hard to do in the real world. And this is how I know we got serious, Jim. Tarun took off his glasses. It's like now we're really getting into like the deep end of it. Tarun, this is such a hot spot right now.

Is this whole concept of identity security, right? And obviously we're big fans of it here. You mentioned some of the issues that you typically see, and Phil, you mentioned some as well. It's kind of like why we're having this moment in the sun. But I'm curious, what do you see as like the biggest identity challenge today that you're seeing in organizations? Immediately I think of things that are coming up this year that are also having moments, like NHI, non-human identity.

It seems like it's the buzzword at every conference. It's like everyone's kind of talking about it. But I also think about it from a less technical standpoint of just the fragmented ownership of the way that organizations may typically be structured from like a governance perspective. You know, you'd be surprised how many organizations we go into and say, so who's responsible for identity? And people don't know, right?

Or it's fragmented, and this person's responsible for this part of it and that person's responsible for that part of it. I'm curious if those examples make sense. Do you see additional challenges that are out there, and what should, you know, people be aware of and cognizant of, to say, OK, these are some of the challenges that other people are seeing as well? Phil, you want to take that for

us? Yeah, yeah. I mean, I think, you know, what's fascinating is, again, it's this combinatoric explosion of all of the possible accesses. So I mean, every time a new system is brought online, a new SaaS provider is signed up, a new cloud provider is signed up, a new device is added, it's just another set of identities.

If they're not human identities, they're the non-human identities you bring up, and then you add that, and then all of those things, they connect to the human or the other non-human identities. All of them connect to resources that have various degrees of permissions, often, to Tarun's point before, that are nested very, very quickly.

This just explodes, and the ability to encode all this in a data structure like a graph, it doesn't just give you the ability to think about whether that is conforming at the scale of what any reasonable enterprise is. It lets you kind of pivot up and down the questions. So like, for example, you can say, you know, is this particular access appropriate? Or you could actually invert the problem and say, tell me the top 50 people in my organization

that have the most privilege. And you can almost guarantee, and I'm sure you've had experience of this, in most organizations, if they just ask that question, tell me the top 50 people or the top 100 people that have the most privilege, the answer when you see that is like, holy cow, who gave them

all access? And so the nice thing about a scaled solution as opposed to one of these more traditional solutions, that's just kind of, you know, people reviewing things in spreadsheets or going through a GRC tool or going through something that's like humans reviewing other humans' accesses. You need to be able to ask these questions like who's got this privilege? Who's got the most access? If this credential is

compromised, what's the chain of attacks through the identity graph that could result in an action on a critical resource? All of that kind of stuff.

I mean, one of the things that's fascinating, and you know, Tarun knows this as much as anybody, is every customer use case at Veza. It's like every customer almost invents their new set of questions that are peculiar to their risks that other customers can learn from in terms of, wow, that's a really interesting way of getting to the most risk and figuring out how to reduce their risk. No, absolutely.

And Jeff, if it's OK with you, just to add to what Phil just shared, you know, you're absolutely right. First of all, non-human identity is definitely top of mind. Number one. Number two, you know, I'm here in Seattle meeting some of the large organizations, and, you know, just today, just finishing a few discussions, you know, it was the four use cases, you know, that come out every day that we hear. Number one, there is no centralized non-human identity store.

So can you please help us just understand the access tokens and the service principals and the service accounts and even things like local users? Who gave, for example, Jim a local user in GitHub, like who did that, right? And finding that. So that's number one. Number two that we're hearing on non-human is age of a non-human. When was the last time we rotated the key? And the third one is, you know, association of human to non-

human, right? It's a very hard problem actually too, because non-human is many times, if not the majority of the time, ephemeral in nature. And so, you know, Jim, for example, is in Active Directory. He spins up an EC2 instance, logs into a Kube instance and wants to go access

something. You know, if you think of, again to the first point, that chain of attack, you know, which is what is top of mind for customers, is like, look, who actually owns this non-human, because we need to go and clean that relationship and figure out how do we get back to least privilege. Yeah. And actually that's fascinating because this is why I think it's important for identity solutions to deal with human and non-human

identities together. One of the things you get if you go back a few years, they were often, and maybe still are today, different product sets. And one of the things I think Veza has done that's interesting is bring this together, because often when, as Tarun points out, you're reasoning about a non-human identity, you're connecting it often to a human identity that has the control and ownership over a set of resources that are accessed by

the NHIs. And I think they have to be managed together, and that's going to be even more important in a world of AI agents where the humans are delegating privilege to agents that will act on their behalf, that will in turn interact with other non-human identities to fulfill goals on resources. And so this is going to be even more important to make sure it's a holistic management of identity and access, governance and security. So, Tarun, you know me.

You trust me with standing privileges, right? I'm trustworthy. No, we don't want to hear about the Zero Trust. No, we hear it. You know, we heard two things right in those words. Zero trust is incomplete without principle of least privilege. And you know, my deepest thanks to Phil. You know, he's the one who helped us think through this very clearly. As you said, Jim, that's the pleasure of partnering with Phil.

He says things in such a simple way. Number two, the residual access and persistent access needs to go away, to your point. That's right. It's what you just said there. And then when you think about the non-human identities, and then look, as a practitioner, I've been a practitioner for over 20 years, you think, well, I've got a toolbox. It's got XYZ tools in it. I'm going to choose from my tools to solve this problem, but the problem is different than what your tools were built to

solve, right? And so when I look at NHIs, not literally, but I think about it, I'm like, OK, that seems the most like privileged access management. So maybe can I just throw a privileged access management tool at it? But I have a question for Phil, because I think from a practitioner perspective, just think about privileged access management. It seems like the landscape is changing, or maybe it's not.

Maybe I'm thinking about it wrong, but it's always been notoriously hard to solve privilege access management.

Challenges of Privilege Access Management

So I wanted to get your perspective on why is that so hard to do, especially at scale. Like why do the wheels come off when you try and do privileged access management in a large enterprise? Well, it's interesting, it kind of touches on where we were going before, which is it's hard to unpick these identities these days.

The Evolution of Privilege Access

So like, you know, if you go back, I don't know, 10 years ago, when you talk about PAM, really what you're talking about is managing, say, root access on Unix or Linux servers, managing significant privileged accounts on Windows infrastructure, or managing SSH, you know, credentials for significant

privileged access. And I think the interesting thing now is when you look at how all of those privileges have been broken up into service account keys and machine credentials and all of this other environment, it's hard to distinguish between what's PAM and isn't PAM because, you know, sort of beauty is in the eye of the beholder.

It's like you could have something that's classically not PAM that suddenly becomes a very highly privileged account because of the way you've overloaded the privileges onto it. And therefore it just almost makes no sense anymore to have like a PAM solution and a non-human solution and a human solution and this solution. You've got to deal with it all together, because at any one moment a historically non-privileged account could become

a civilly privileged account. And unless you're picking that up and controlling that as part of the whole identity graph, you know, it's hard to stay ahead of that. And I think ultimately we just got to think about identity and access security is this, it's the whole environment. And you ask some questions of the identity graphs that you've built up to let you control the whole thing, because otherwise you just curve to living in silos.

And as we all know from brutal experience, sometimes personal experience, the attacks come in the seams between the silos, not full from all onto your controls. And so having this evasive view of everything is just absolutely critical. Yeah, through the seams. I, I like to use the analogy as the attacks are like water. They find the cracks. They they, they find their way in and then of course, if you're in a cold environment, they get in and then they freeze and break up your foundation.

And I think you're right. And I, I, I think back to some of the early days with Pam where we, you start getting into,

Session Recording and Management in Modern Infrastructure

well, are you DVR style recording your sessions? It's like. Who cares? Right, that's like. Yeah. No, we. We. Tarun, what do you add to that? Yeah, no, I was going to take that word of recording. You know, we used to live 10 years ago, maybe 15 now. You know, we used to live in the world of, or we still probably live in the world of, session recording and session management.

But you go back to those customers and have those discussions with them, it's like, for what, right. And this architecture of going back to the, you know, we have this point of view that in the end the architecture will sort of win, which is, you know, take an example of Snowflake, take an example of Databricks. You cannot go deploy an agent in a cloud native system like Google BigQuery, right? And so who's going to do session management and session recording?

My point I guess is, Jim, privilege access in the cloud or PAM in the cloud or PAM for SaaS or PAM for agentic is not going to have the architecture that we had before. I'm going to deploy a proxy in an Oracle server. It's going to record every action that I'm performing. That world is not going to be going forward.

That's right. No, I mean, I think you're right on that because you know, we all know the immutable infrastructure patterns and the need for declarative controls, policy as code, infrastructure as code. One of the things I think, well, there's still use cases for session recording and other things. They're typically seen in legacy environments where organizations have, for whatever reason, not been able to adopt these kind of immutable infrastructure

patterns. And then when you've got those immutable infrastructure patterns, it even further highlights not just the need but also the opportunity for least privilege. Because then you're making sure that the site reliability engineers, the cloud orchestration engineers, the development engineers, the security engineers are all working on the same page to actually minimize the privilege that drives not just improvement in security, but also consequent improvement in reliability.

Because you're then minimizing privilege to force people through the immutable infrastructure pattern as well. Correct, correct. And Jim, I'll just say one last thing quickly there. You know, the same customers we speak to, they're like, look, you know, we're buying a PAM solution because it says so in a NIST playbook or some form of a playbook. But nowhere does it say you must do session recording. Nowhere does it say you must do session management.

You know, it just says you must do privilege access. Well, that doesn't mean you have to do session recording. It could be simply Ganesh or Vartic, right? So it's just, I think that world of, just back to identity, you know, evolving at a very fast pace. Similarly, the world of privilege access is evolving at a very fast pace. I'd like to get a little bit

The Role of Access Graph in Identity Management

about access graph because as I mentioned a couple times here, it's obviously secret sauce. I think maybe a little bit for how this works. Tell me a bit about access graph. What makes it unique? What can I see with it? What can I do with it? And then the bonus part of that question is you mentioned least privilege earlier, so how do I use access graph to get to least privilege? Yeah, I know. I think those, you know, thank you. Thank you Jeff for

asking. So I think look, first with the access graph as, as you know, Phil had noted earlier, you know, access graph is a manifestation of a data model of the data structure, right? So just to zoom back and then we'll zoom in. You have entitlements everywhere you know, Phil has access to 30 different systems, let's say so Phil has entitlements to 30

different systems. And so you know, applying first principles thinking, if we truly want to answer the question who can perform what action on what data? You just start breaking the problem down in first principles. Who comes from your identity systems like an Active Directory or an Okta or a Ping or a Duo or, pick your critical identity systems. And wherever Phil has access to, he belongs to certain

roles. We used to have this framework called role based access control. That paper, the seminal paper was written in 1982. I think of, you know, if anybody needs access to a system, you go through what is called role based access control. So, you know, we said, OK, if you want to take who can take what action on what data, apply first principles. And that became the data model. And we called the data model. Not many people can understand data model.

So we ended up calling it an access graph. But think of access graph under the hood is a data structure, a normalized, a canonical data model, which takes entitlements from 10 different unique systems and brings it down to a normalized data structure, right? So that's what an access graph is. Now you can imagine the art of innovation, the IP and the seminal innovation is, you know, as Phil used the word combinatorics, right?

A user belongs to a group. Well, you could belong to tens of groups. You have access to hundreds of systems. Every system could have tens of different roles. Each role may give you M number of entitlements to perform on N number of resources, right. So if you think about it in a classical computer science sense, you're thinking about a data structure where every element is to the log of scale, right?

And so you're thinking about NP hard problems, you're thinking about, you know, computational problems, which are at a log or an exponential scale, right? So that's where our so-called secret sauce is, you know, how do you stream the data? How do you parse it? How do you store it in a data store? And how do you query it in near real time? Imagine that data set, right? I'll give you an example.

Our access graph only up to 18 months ago, Jeff, was 200 million nodes and edges, 200 million nodes and edges. Today our access graph has 16 billion nodes and edges. And you know something Phil and I talk about all the time, you know, the pace that we're going, we'll have 100 billion nodes and edges in less than two years.

So that, you know, that problem is of cardinality is the word we use, the problem is of very intelligent algorithms, graph traversal algorithms, and the intelligence is how to define the schema of the data model. So that's where our core of the IP is and we believe, you know, speaking very humbly, we believe it's industry first.

You know something Jim said earlier, you know, back to NHIs, if I can bring it here, this security leader said it in very beautiful words: it's a real problem and I have no tool that can solve that problem. And this is like Fortune 100, actually Fortune 10. I want to know where my NHIs are. I have every tool in my toolbox, the PAM solutions, the IGA solutions, the IAM solutions, and I have no tool and therein lies the opportunity, right?

Taking that graph and applying it and sorry, what was your second question, Jeff? I got, I got fashioned about. I think you covered all of it. I was curious like what is this thing? How does it work? And. Oh, sorry. Yeah, I remember your question. Sorry. Yeah, I got your question of how to get to least privilege. So, you know, once you have that baseline of who has access to

what. And again, there's something, you know, Phil is coaching, I said, you know, once you have that baseline, it is not enough. Phil is on our board. And so the other board members are like, you have to get into actionability very quickly. And so our phases are Act one, you know, very classical startup language, our Act 1 was visibility, intelligence. It's working very well for us. And our Act 2, which we started about 18 months ago, is about actionability, access reviews.

You define a baseline, you define a policy and you monitor the deviation or a drift or a creep and you do active operationalization on it, right. Could be a ServiceNow ticket, could be a JIRA ticket, could be a SOAR platform orchestration. So that's how we're in the process of sort of pruning the over permissioned access. You know, I'm so interested in

this topic of identity security. So if I can pull the conversation back to that and ask Phil, you know, kind of from what he's seeing in his own organization, talking to his peers, you know, I'm thinking about identity security and OK, I'm going to start with my extra credit question.

Phil, my extra credit question is, is it the identity practitioner who needs to change, adapt, learn new skills to do identity security or is it folks in other areas of cybersecurity who need to learn identity?

The other question is, OK, when you start to put together a program around identity security, like what are you driving toward in terms of key metrics, OKRs, KPIs, like what is it that you want to show the organization that hey, I talked to you about we're going to do identity security, assuming that's how you have the conversation, and we're going to spend a couple of million dollars. What do we get for that money?

Yeah. I mean, I think what's interesting about this problem is identity in many organisations is kind of split up across various teams and there's often, no, very rarely, consistent organization on that. So you may turn up at a bank and they've got like an identity security team inside the CSO function. You then go to a different bank and they've got it in the CTO or the support function, then you go to a pharma company and they've got it in a different

team. I think the main thing we're seeing though is for most organizations, they recognize this has become such a challenge, or they did recognize that, and then they're solving it. And essentially what they're doing is they're building this into their environment rather than bolting it on after the

fact. And so a combination of the CSO and the CTO or CIO are driving an integrated identity and access governance process that's treating this as an enterprise wide risk management problem that not only manages security risk, but it delivers transformational efficiency gains. Because often in getting this right, they're reducing the need for dozens, if not hundreds and in some cases thousands of identity and access administrators that are doing all this manually.

And so this is one of those beautiful spaces compared to some other spaces in security where you can do security, productivity, efficiency and save money all in one go rather than having to just increase all of them when doing security. And I think to your question about the metrics, so one of the risks though with this is, you know, as I'm sure everybody knows, it's easy to drown in hundreds of different metrics on

these things. And I like to kind of elevate this up. And now you do have to get to the detail. But at the simple level though, success or failure for me of identity programs in, you know, small, medium and especially large organisations, it's really about three things. It's like one is coverage, what percentage of your universe of identities do you have under central management or at least central visibility in a tool like Veza or something else?

So that's coverage. And as you know, you could probably kill yourself nearly trying to get to like 100% coverage. So for many of these things the goal may not be 100%. It may be 100% of your most critical systems, 70% of these other systems, then a long tail of other things to pick up. But it's important to understand where you're at on the percentage of coverage.

Then once you understand the percentage of coverage, it's what's your percentage of adherence to enterprise policies. These could be least privilege policies, it could be privilege scoping policies, it could be RBAC, ABAC, separation of duties. But basically once you've got all your coverage, you need to know what of those identities and access conforms to your

enterprise policies. Now the third and final thing is what you might call accuracy, which is how those enterprise policies that you're driving adherence to, do they actually represent what your business risks are? So like for example, you could have everything under control, everything under access management and it looks great, but everybody's massively over permissioned because you didn't express your business rule according to your actual risk.

But I think ultimately, if an organization just really understands where they're at percentage wise on that journey to full coverage, full adherence and then an accurate statement of whether your policies conform to your business risks. I mean, that's a decade worth of work there. But hopefully Veza makes that like 18 months or two years

rather than a decade. And Tarun, I'll follow up with you and we got to make a quick answer here because if we don't get this next question in, Jeff might up and quit because I know he wants to talk about AI, but can Veza basically provide the information that Phil just went over in terms of coverage? Absolutely. No, we, you know, we have taken that construct of access policy and a set of access policies and we have codified it.

So you know, meaning the user journey, to give a simple answer to your question, the user journey that we aspire to give is you connect Veza to your 5 or 10 critical systems. And we want to give you very quickly those access policy risks, right? And they are baselined against a least privilege risk and over permission risk, a non-human identity risk, a global admin risk that you can then go act on very quickly, Jeff, to your point of least privilege.

Leveraging AI in Identity Security

OK. So I'm glad Jim is giving me just a minute to ask an AI question. And so I want to turn to you because I'm curious what you think is going to be the biggest impact that AI and specifically maybe generative AI is going to have on an identity security practice. What should people be listening for when it comes to these are impacts we

should be aware of? Well, I think it's two things, it's opportunities and risk, just like with most things to do with AI. So first, on the opportunity side, I mean, I think the use of AI tooling to analyze large amounts of data to be able to translate human-expressible policies into machine readable code that can help you manage your access policies. We're just seeing that all the time. And it may not even just be things like large language

models to help with that. One of the nice things about having an access graph data model is this technology like graph neural networks that let you look for anomalies of access and clustering of privilege that may be anomalous at graph scale. And so there's a lot of opportunities to apply AI to help people productively manage the risks associated with all of their complex privileges.

On the flip side, though, one of the things we're seeing, and I'm sure everybody's starting to kind of project this forward in a world of AI agents acting on behalf of people or on behalf of systems. We're going to see an even bigger amount of non human identities, identities associated with agents, identities associated with back

end systems. And we're again just about to see an explosion over this year and the coming years on the amount of AI agents that individuals have, that companies

have, that systems have. And it's again, things like the model context protocol standards that came out late last year from Anthropic that many companies are adopting provides this standard layer by which services can implement accessibility and connectivity from AI agents is going to even further add to that. One of the things that's going to be fascinating is on things like MCP, the model context protocol. There's much work still to be done on identity access and

authentication in that layer. And I think that's where a lot of solutions are going to be needed. And again, like we talked about before, you can't really think about that as a unique solution just to manage AI identities. It's so intrinsically embedded.

For example, if you have an MCP server that's going to connect to a tools API gateway, that's a bunch of non human identities, you can't all of a sudden have an AI, you know, privilege management system that has no concept of all the other non human identities. It just, it would be yet another silo like we talked about before.

And so positioning an environment where you've already got your human identities, your non human identities to add into the mix, your AI agent identities that act as delegated permissions from your human identities or your system non human identities. Having that in the mix and the graph is going to be important. And if you can't scale that, the scale of AI agents is just going to be, you know, off the charts even compared to where we're at today.

And I don't think there's many solutions out there, particularly the ones that haven't built for this scalable graph, that are going to be able to cope with that. So I think that MCP or model context protocol is one of the more important developments to come along because otherwise we run into the risk of data silos again, which is kind of where

we've been. It's almost like, you know, that group and I'm going to simplify it for my feeble brain and we're going to have to do a whole separate episode on this. But it's almost like you're developing a standard for how should these AIs talk to each other? Can they speak the same language? It's like USB, everybody uses a USB port or, you know, it's like OAuth or SAML or something like that, right.

Where there is a common way to talk to each other, which I think is hugely important to be able to share information back and forth. So I am totally all into having a conversation about that. But I want to pitch the last question to Tarun and this is my AI at the center question. Where is Veza at from an AI perspective? How are you guys leveraging it? What is your overall look forward on how you see this impacting your organization and your product?

Yeah, well, thank you. Thank you, Jeff. I will try to again keep it quick. You know, again, having somebody like Phil on the board sort of helping us think through N+2, N+3. You know, we launched a brand new product called Access AI. You know, Phil is a big proponent for me and my co-founders to be thinking about those things very early. So we launched, Jeff, to your question, we launched Access AI, which is our generative AI solution.

You know, again, if you go back to the fundamental question that you're trying to answer, who can take what action on what data, you know, imagine that as natural language. Imagine that what you do on ChatGPT and prompt engineering based, right? So we launched a new product. It was geared, the first app that we built on Access AI is for search. So now you can come and ask a question. My AD user whose location code is in China, can they access

data in Salesforce? Access AI allows you to ask those data sovereignty questions, right? And so the next, you know, so we're building apps on top of Access AI. It's, you know, built on top of Bedrock. You can imagine all the good things that enterprises care about. The next app you're thinking, of course, is, you know, we now have customers saying that look, you've done so much for access reviews, you know, approve and reject.

I belong, you know, I have access to something and did I approve my access or not. And they're like, can you apply Access AI where if I get a quarterly access review, I hit the Access AI button, it tells me from the 100 entitlement reviews I have to do, I only have to pay attention to the five, you know, again, filter for, you know, signal and noise. So it's a really good product. It's a new beginning for us.

And now if you think of the agentic AI, Jeff, with what Phil was sharing earlier, you know, now we're going into the world, we get a notification. Now we can respond to it, right, with the agents versus just a notification that you're running late for a meeting. Now you can start to talk to it. And if those two agents, the only common entity, the only common attribute is actually

permissions of entitlement. So we're actually very fascinated. You know, I'll even spill some beans, you know, just three weeks ago, four weeks ago when we met with Phil, you know, he encouraged that, look, this is going to be such a transformational seminal force that you should perhaps think about, you know, setting up a subsidiary and just heads down focusing on access here. That's the focus that will be needed. So there's something on that.

Maybe the future, you know how much we're going to embrace, you know, by putting our focus and team around it. It's clear that there is so much more room for innovation at this point. And I love what you guys are doing. And I'm a big fan of the AI stuff. So things that make our lives easier are things that I'm interested in. And there are so many people out there that are still spending their time poring over spreadsheets.

Phil, here's a list of 500 people who have access to this weirdly named Active Directory group that nobody knows what it does. And it's nested in underneath four other different things. Hey, Phil, does that look right to you? And Phil, you know, no offense to you, you don't know what you're looking at, right? So I think there's a huge opportunity to humanize the way identity's done. And I love what you guys are working on. So it's super cool.

Final Thoughts and Future Directions

I know we're running out of time, but I want to give Tarun and Phil one last chance here. Any final thoughts you want to leave with? Tarun, I'll start with you and then we'll end with Phil. No, Jeff and Jim, thank you so much. You know, been wanting to do this together and it came together very well with Phil. Thanks for really an exciting conversation. And you know, I would say, you know, the time is here for us to really, you know, not just lift one boat.

And there's something I, you know, shared with you and our teams. Let's not shift the boat, move the boat of visibility or move the boat of intelligence. You know, let's try to build something which can lift all the boats together at a single time. So whether it be IGA, whether it be PAM, whether it be NHI, we believe the fundamental of that is rooted in just completely rethinking identity from scratch.

So again, very grateful for the opportunity and I'll give the baton to Phil to help close. Yeah. I mean, just to build on that, I mean, I think we've covered a lot of this since we've gone through the session today, but just really encouraging everybody to just think about this problem more simply and in bigger terms. Like thinking of it as a simple way of, do you know where all your identities are? You understand all of the resources they can access?

Do you have a record of all of that? And everybody of course knows they should be doing that. And then when you look at the reasons they've not done that, it's because of complexity, it's because of scale, it's because certain systems couldn't be brought together.

And one of the things that I think, you know, the Veza team have done such a great job on is figuring out the technology and the secret sauce that had to bring all of that together so that all different types of identity problems and access problems and management problems can be solved from the same structure. And that's why I'm very optimistic about the challenges of managing the even bigger set of AI identities and connecting them to the access graph is going

to be so critical. Fundamentally, this is the scale problem. Then being able to interrogate that access and understand the adherence and the policy conformance at the scale organizations actually work, as opposed to the scale of some old legacy system that could only deal with like a hundredth of it. Now is the time, as Tarun was

saying. So with that, I thank you guys for spending some time with us and we'll have links in our show notes for people to check out, both for both your LinkedIn, but as well as to learn more about Veza at veza.com/idac. And Phil, I'll put a link to your blog as well 'cause you're a prolific contributor to the body of knowledge that we have in the identity space. All of us wait on Sunday morning to read Phil's blog.

At least I do. All right, so with that, we'll go ahead and leave it for this week. Thanks everybody for watching and/or listening. You can find us on the web, idacpodcast.com, and you'll share this with your friends, like and subscribe and all that fun stuff and we'll talk with everybody in the next one. Jeff, thank you so much. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon.

But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.
