#351 - Jerome Thorstenson on B2B Identity First Security

If you go to a mom and pop shop and say, hey, bring your own identity, they're just going to be looking at you. Like, yeah, sure. Here's my driver's license, Yeah. Exactly. Here's my passport. Yeah, have fun, right. And then it is the the matter of how do you actually control who has which access is in your system. So let's say you on board a partner, they are predominantly doing something, some infrastructure project for you. How do you ensure that that project doesn't give them access

to, to confidential information? If you have a milk supplier who, who brings in fresh milk every day, right? How do you make sure that they have access to their sales numbers and and all that, but can't see the the competitive competitors information? So. So yeah. So Eve Mailer was on the stage yesterday. She talks about treating identity as a product, right? Because you have all these different stakeholders who want different things and essentially

become a product manager. You know, you're a security practitioner in one sense, but you're also thinking about marketing and the the customer experience and prioritizing that. Did a lot of what she talked about yesterday bring true from your perspective of how do I balance all these stakeholders to get to what I'm going to be

releasing next month? From an enhancement perspective, how do you keep up with the authentication or the delegated administration or hey, the users are having a problem with this, like how do you balance all that? This is identity at the center if it has anything to do with IAM. This is the go to podcast now your hosts Jim McDonald and Jeff Steadman.

Welcome to the Identity Center Podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey. Jeff, how are you? Oh, not so bad yourself. Doing great EIC 2025. Berlin, Germany. We made it to the stage. We made it to We're on the keynote stage. We are on the keynote stage with an audience of literally four people. I think. Yes, exactly. So, yeah, good time. So thank you very much to Marina, who is just over there

behind the camera. Give us a thumbs up for helping us set this up. Obviously, Martin, for, you know, inviting us out here and it's been a great conference so far for first time being in Berlin, first time being at AIC, I'm sure. No surprise, this is one of the best organized conferences I've ever been to. Everything's like clockwork. And you know me, the snacks. Let me do a rating of the snacks right now. Fantastico the the cooler with the soda.

Pop, that's the highlight for me because I don't drink coffee, I don't drink tea, but if there's cola or something like that where I can get my coffee, chips, orange soda, thumbs up for that. I will say I'm so far been disappointed by one thing and that is the lack of cookies. I everyone knows I judge the conference on the quality of their cookies and I have not seen a cookie yet. Maybe they'll make an appearance. This is only two. Different cookies here they're

they're over by the coffee. That's a problem. OK all. Right, I stand corrected. Apologies to. Wonderful butter cookies this morning. Oh, you missed out. OK. All right, why don't we get into it? Because we have our gentleman guest sitting here next to us. He is Jerome Thorsensen. He is the I am architect with Selling group. We're going to find out what that means, but welcome to the show. Thanks. So thank you guys for having me. It's been a pleasure to meet you

in in life a long time listener. So I was really psyched when you guys reached out and and asked me to come on the show. Well. We're so appreciative you taking the time. I know that this is a busy time. You're going to be giving a a presentation I think later this week we're going to talk about that. But if you're a listener, you know what our first question is going to be. Oh yes. How did you get into identity? Is it something that you chose

or did it choose you? I think we kind of trauma bonded

identity and, and I so back in the day, I started out as a techie, I was heavy into infrastructure, servers, some network firewalls, all that stuff. And if you asked me like 10 years ago that if I saw a future in I am, I might have been smiling and saying, Nah, that's

just user management right? Then I I've got on boards doing cybersecurity, did a pen test on a fairly big international client and to my horror I was like 5 minutes in doing it enumeration on Active Directory where I started pulling out passwords and clear text in the description fields and found custom attributes with initial password set. So people always hear about this story, right? Oh, there's clear text passwords. Yeah, it is legit. It happens in real life.

Oh yes, Oh yes, to this day it. Still happens. So for people not familiar with selling group, give us a little bit about what selling group is. And I just realized my microphone was like over here. So I'm going to try to make this a little bit better for me. Yeah. So selling group is kind of a fun size. So to to compare it for the US listeners, it is kind of like having a parent company that operates Target, operates Nordstrom, operates LD, Trader Joe's, stuff like that, right.

So we have 5 major labels that we fully own. And then we do franchises for stuff like Starbucks, we do some flowers, food delivery servers, fresh fish to your doorstep, stuff like that. And we are located in Scandinavia, so we have the HQ in Denmark. We are represented here in Germany, Poland, and we just acquired Remy Baltic, so now we're in the Baltics as well, heavily. So it's a small company is what you're. Trying to say small company 72,000 employees. Oh, that's it.

All right. Yeah. So tell us about you're here to present. You'll be on this very stage Friday, right? Yeah. And you're going to be talking about securing and navigating B to B. So that's. Your focus within the identity suites, Well, tell us about that, that presentation, what is the main topic? Oh, I'm, I'm going to be

standing here on the stage and, and sharing my, my pain points with the managing B2B. So basically it is all about how do you take your supply chain and making sure that they are just as compliant and as, as secure as you are, because it, it comes down to, to trust at the moment. Then we have the the NS-2 hitting us. It's just a past as a law in Denmark like 2 weeks ago or something like that. So it is the whole how do you fast track and this to implementation?

How do you make sure that you have cybersecurity resilience within your supply chain and how do you on board and off board vendors because we have everything from small mom and pop shops to to big corporate climates. So I knew said the the title of your presentation starts with identity first, which I think really means their identity at the centre. I think they're somewhat interchangeable. Feel free to disagree with that, but why did you start the presentation title identity

first? Well, because I'm a strong believer that the identity first approach is the key in this modern tech stack we we worked in today. I mean, we don't have any perimeters anymore. We moved everything or slowly moving everything to, to the cloud. So that parameter is long gone. And that's why you you need to kind of look at. So how can I manage security and what are the, this, this stuff I can deal with, right? So for us it is definitely

identities. We can manage and control access on identities and on devices and all that more easily today than than just applying the old logic of perimeter first rank. So there's a lot of, I guess, struggle sometimes where you have these external partners and I guess how do you make sure that they're on board with what it is that you're doing?

So, you know, it's a challenge is you've set up this, you know, maybe it's a federation or maybe you're studying up SAML or open ID connect or whatever it may be, but you're still reliant on the vendor, the partner, the B to B side of things or B, you know, whatever it may be to actually hook up and then follow your own policies and standards. How do you essentially train your partners to do it that way with you? Oh, it's a headache. It's a headache.

No so, so you usually if you look at retail, we are really good at doing something like private label or white labeling stuff. So instead of a fully on boarded partner, we could potentially say, let's say we have a line of products that we sell at a discounted price because it's our brand, but all the, all the product descriptions and everything we get from whoever made the product.

So we would like to onboard them and say, OK, so if any product changes happens, then you have the ability to to go in and and edit this. I won't say real time, but but close to, to real time, right? And the thing here is for a big company or supplier, it is easier for them to hook up to doing single sign on or Samo or something like that, right? And that's perfectly fine. But if you go to a mom and pop shop and say, hey, bring your own identity, they're just going

to be looking at you. Like, yeah, sure. Here's my driver's license exactly. Here's. My passport have fun right and

then it is the the matter of how do you actually control who has which access is in your system. So let's say you on board a partner, they are predominantly doing some some infrastructure project for you. How do you ensure that that project doesn't give them access to to confidential information? If you have a milk supplier who who brings in fresh milk every

day, right? How do you make sure that they have access to their sales numbers and and all that, but can't see the the competitive competitors information? So. So yeah.

So Eve Mailer was on the stage yesterday. She talks about treating identity as a product, right? Because you have all these different stakeholders who want different things and essentially become a product manager. You know, you're a security practitioner in one sense, but you're also thinking about marketing and the the customer experience and prioritizing that.

Did a lot of what she talked about yesterday bring true from your perspective of how do I balance all these stakeholders to get to what I'm going to be releasing next month? From an enhancement perspective, how do you keep up with the authentication or the delegated administration or hey, the users are having a problem with this, like how do you balance all that? It rings true in, in my world, I am a firm believer that you can actually put I am as a business

enabler. So it's, it's, it's kind of a fun balance you are looking at we. So no, actually let me rephrase that. So what we're looking to do is providing our vendors with a self-service portal. So let's say you buy or get access for for 10 people in your organization to have access to to our system. For whatever reason, we would actually prefer to give self-service portal saying here

is the general framework. This is how we run business and we are going to rely on you managing your employees access. We are just sitting in the background on doing the final tracks right. That's right. Now, Jerome, this is the one thing that I was interested in. I had a chance to talk to Eve was all right, as as the identity practitioner, the owner of identity. Is it my responsibility to, you know, kind of work with all these folks and take all their inputs, get them to work with

each other and understand? Because one of the keywords she had in her presentation yesterday was to get the stakeholders to empathize with the needs of the other stakeholders. In other words, marketing to understand the needs of security and vice versa, which I thought was tremendously insightful. But I wonder, is it our job to kind of orchestrate and to facilitate all of that? It seems to fall on us a lot. It falls on us a lot, yes.

And I, I'm also a firm believer that it is part of our responsibility because I believe that we are kind of in a unique situation where we understand where they're coming from and we know where they're heading and, and stuff like that. So we are kind of the, the in between a lot of vendors and us and our suppliers, right. So we're kind of navigating this as that's collaboration. Yeah, well.

Let me pull something else out there. What happens if no if? If you don't do it, who does? If the I am person doesn't do it except who's doing it? That's why I think we usually wind up because I think I am or identity, digital identity attracts a lot of people who are. Not a good looking people. Yeah, identity, people of the greatest. Let's, let's just start there. No, I think a lot of people who

are are leaders. I think being a leader in today's day and age isn't just barking out orders. It's getting people to the table, getting them to empathize with one another. And I think it's just natural for many of us to step into that role. So basically leading without Oh, what's it called without? Leading without title. Right. Exactly. Yeah, absolutely.

Yeah. So no, I think there is the whole human aspect of it. And I think if you look at the classical set up where you have security, they are more compliance based. They are more, these are the rules, stay within the boundaries we set and go have fun. And we are kind of more concerned with, yeah, that's fine. But we we also need to to put a human angle on it and be like, OK, but this will affect you in this and this this way.

And if it is very bad, it's simply us who's going to be having that conversation with security and say, OK, guys, we know this is best practice, but come on. If we need to to get our day-to-day jobs to work, can we relax this policy a little bit and then enforce it? Yeah. Try to negotiate.

Yeah, exactly. So I wanted to point something else out that you wrote an article last year and it's so if folks connect to you on LinkedIn, they can see you posted it and get to the article. But it was about A back in the context of B to B. And I think you called it a game changer. And I wanted to ask you why do you think a back is game changer which is attribute based access control? Yeah, so we we've all been messing around with role based access control for for years now, right.

It came out in the 90s. The struggle is. Real in the years. Yeah, exactly. So no, what I'm my approach was I was managing a huge stack of security groups. So if you do the classical RBAC, you have one security group that links to an application and and role within the application. Now imagine you have two and a half thousand stores already. You, you just bought, you just had two and a half thousand security roles by default. Now Add all the applications. Let's just pick a #1600.

We'll see how that that spins out of control real fast, right? To to put some real world numbers on I'm I'm managing just close to 61,000 users at the moment. And that's just that. Is that everybody? Is that B to B? Is no, that's, that's, that's core employees. OK, Yeah, I have 67,000 security groups. Which sounds about right. You have more security groups and you have users. That's totally normal part. Exactly. But if you don't flip, flip it and go to ABAC, then you're

looking at attributes. So now you can do stuff more dynamically. So you don't have this rigid security group structure. You don't end up with security groups nested in security groups because that's how we did it in the old days, right? I can't believe anybody would ever do that. That doesn't happen. You're at full of battle scars here. So how do you track? So attribute based access control is obviously very dependent on attributes, data, data quality, data timeliness, all that stuff.

How do you manage getting that data into a spot where you are comfortable to say, OK, yeah, attribute, we've got it and we can automate or make policy decisions off it, whatever that may be. But talk about the data part of the attribute side and how you manage that. Honestly, it's it is a struggle. So we all know the the pain of having clear and concise data, right? So first of all, it's the wonderful discussion with the HR on what attributes we use for, for what, right.

Then it is in our situation where we have a third of our workforce that is 18 or younger. We also have some, some privacy issues. So we don't want to pull in too much information, just enough. And based on that subset of data we have, we, we do our very best to, to say, OK, how much of this can we actually control on pure ABAC? How much of this needs to be reliant on RBAC? It's that happy mix of these two that we, we live in. So we, we can't sit here and say, Oh yeah, we're purely a

back. Because honestly, I don't think it's ever going to happen. But if you have, let's say, 9 predefined roles in your organization, well, that is a perfect fit for, for our back. And then you can always tighten security and and find a sweet spot with a back. Yeah. You know, I've kind of an out of band question for that, but I was thinking, so really it's the you have the delegate administration, so the customers say, well, I just hired this new person.

That's got to also be you've got to have high volume in terms of turnover. I would imagine that's a big part of what you deal with. But so let me get to my question first. So I was wondering because most

of your footprint is in Europe, so many different languages, do you do all the front end with English only? Because I would think as you get out to retail in maybe some of the more rural areas, people don't speak English maybe. So I'm in that lucky position where we we're in a company where we said our company language is English. So that makes my life a little easier.

OK. But fortunately we are heavily represented here in in Germany and and and Poland and they're fairly good at at English. So, so it's not a huge issue, but we do run into it and then we rely on on people in the store just to get back on the other party you. Mentioned the high turnover. Yeah. So we do have a high turnover just before summer break. We on board something like 2 1/2 thousand employees and our mid of August they're heading out the door again.

So, so yeah, we, we actually have vendors compare us to something like universities in the, in our approach to, to on board and off board people. That's got to be a busy time. No one can take vacation then, right? Well, the in Europe that would be tough to say. No one take vacation in August, right? Oh yeah, yeah, that's not going to happen. That's not the vacation's happening. That's for sure. Right.

Yeah. No. But I mean, I think a rule of thumb is we we do something like turnover between 200 and 500 employees a month. So it's a big river balding door, yeah. How do you manage those terminations? Do you keep them around for a certain amount of time? I guess you know, there's probably errors that are made sometimes, like, oh, didn't mean to terminate this person or there's a change in mind and they come back. Do you totally deconstruct the ID?

Do you put it into some sort of dormant status for a little bit? How does the management of the ID behind the scenes work? Well, that's the the great thing about the GDPR. So we just lean up against the framework saying, OK, generally we keep you around for 30 days. So let's say you're terminated on your current contract because you're starting in a new store

or something. So we off bought you on the last day of the month and, and the night before you start again, we, we basically strip you down and, and build you up again with your new role. And I don't see. And then we have a rule saying we, we don't keep user data around for, for more than the, the absolute amount of time we needed. So 30 days, give or take. OK. Sounds like one of those situations where the compliance is also in line with doing

things more securely. I think sometimes folks think it's one or the other. Yeah. No, it's you. You got to find the sweet spot between the compliance and and usability, right? Because I mean, there's no sense in off boarding, let's say 500 on the last day of the month just to to rebuild them the day after. Yeah, totally. Yeah, I mean e-mail addresses and stuff like that, you would definitely hit that magic dorm and state on the e-mail address saying, oh, it's already been assigned.

You can't have your own e-mail address, e-mail address back and stuff like that. How do you handle duplicates? A number? A middle initial? Different spelling of the name? Oh, I'm picking a, I'm picking a wound here it sounds like, right? Yeah, tough. Questions here. Yeah. So, so no, luckily what we, we do is we say depending on which position you're hired in, then you are given an e-mail address or not. So if you're just stuck in shelves, you might not need an

e-mail address. So that helps us a long way. But yes, we're stuck in the same situation as everybody else with your name, some random number or something, right?

OK. Yeah. I want to talk a little bit about IGA because you're one of the few people that I snooped on that has done IGA twice. So you had an IGA product and we're like, this isn't about product, this is more about the shift.

So at some point there was a decision made to say, OK, this IGA isn't meeting our needs and we need to move to this other IGA, whatever that might be. I think a lot of people are probably in this state where they're like, OK, well, when you essentially pull the plug and say, OK, it's not it's time to RIP that Band-Aid off or do whatever. Talk to me a little bit about the that transition. How did you make the decision? What was the decision like?

You know, as an organization said, OK, it's time to move from one platform to another. And for people who are out there listening, you know, what are some tips that they should be thinking about if they're considering, you know, that journey? Yeah, well, you guys are consultants. So you, you've seen all the, the fun stuff that people use to, to an IGA system, right? So what ours was what I would consider legacy. It was around 10 plus years old, right?

They had basically mangled the system to do anything from Weld underwater to brew your coffee to do your I am. So it's very custom then? Oh yeah. Which means it's going to be hard to find something that's apples to apples or a straight comparison. And I do have a consultancy background and I love the whole concept of keeping it lean and keeping it close to whatever commercially off the shelf product you have, right. And I, I am a big advocate for keeping stuff agnostic.

So if you want to go ahead and change the, the engine of your, your IM in in three years time, then you should be able to swap that engine fairly easily. And that was kind of one of the drivers for for this because we were looking at a legacy product. We are looking at an organization that was moving into, I would say cloud first

strategy. So we suddenly were in a situation where we needed to either create custom connectors or switch a product and say, OK, should we actually get ahead of this and say if the organization is adopting a cloud first strategy, let's jump on that wave and see what we can actually do and what we can actually achieve and manage

users in a smarter way. So if I should give a tip, then it's all about knowing what you have and it's about looking at where you want to go. And then MVPS, minimal viable products all the way. I mean if you do it right you can do a transition in like 6 weeks. That's pretty quick. Oh yeah. But but if you know what you have and where you want to go, it is a fairly simple exercise and saying OK, so how do I get

there? How ruthless do you need to be when you're making that transition to plan to say we are not going to carry this over to the new system? Oh, good question. I was Mr. Unpopular. Let's just put a little bit like that. So. So yeah, I got very good at saying no. So what? Gave you the confidence to say no, though, because I think there's this natural desire to say yes. Let's figure out how we can do that, yes. How do you say no in a way that hopefully keeps keeps people

relatively happy? What's the diplomatic response there to say? No. So, so the diplomatic response is you listen to their their issues, you figure out with them whether or not it is something that the organization needs and then you road map it. So I'm not sitting here telling everybody to to give a hug. No, because that's not going to fly. I would be out of the job same day. You give them a soft no, saying it's not going to happen right

now. But in phase 234 it might be of interest re exploring this, this idea, right. So phase rollouts King. I think a big emphasis here DIC

has been on the identity fabric, right? And I, I feel like it's more of an emphasis maybe in Europe than the US where maybe the emphasis is more product focused. Do you feel like that's true? And then what's your take on the identity fabric? Is that an important concept for

you? Oh yes, it's definitely an important concept for me. I'm a firm believer of that if we are smart about it and we go the identity identity first route and we we focus on how we manage identities and what kind of shared signals we can get, we will be in a much better place than than where we are today. Honestly, I, I don't necessarily care about which product does what. A vendor as a vendor, there's going to be new ones tomorrow.

They are getting smarter. And at the rate that we are applying agnostic AI to, to everything these days, who knows what's just around the corner, right? Yeah. Every product is like now with 100% more AI and before it was 100% more zero trust and before that was more, you know, whatever the the security did you return was. So, yeah, so whatever opened us opened up the company wallet, right? And today it's AI. So yeah. It's kind of. Yeah, to your .0 trust then.

Before that I was thinking REST API, REST API and. It was blockchain was like The thing is a revolutionized There's so many buzzwords. I want to ramp up the conversation. On a later note here, I did more LinkedIn spying and I noticed that you're from the Caribbean. The Caribbean. How does a native say it?

Well, I say it as being from the Caribbean. The Caribbean, OK, what's the best thing about being from the Caribbean? What's the worst thing about being from that area? And for people who aren't familiar, kind of maybe explain geographically where the Caribbean is? So geographically, I will say all the islands and north of the Venezuela and up towards Florida, that's kind of what I, I grew together as being the

Caribbean, right? And I would say one of the, the best things about it, about it is this sense of belonging, the, the close relationships. It's more about the the person than than the job, stuff like that. The worst part is I run on Caribbean time. So what we don't fix today, we fix tomorrow if we get around it. So yeah. I would think it was. I was, I was expecting you to say flying home for Christmas, Cost of fortune. Everybody wants to be there then.

Oh yeah, yeah, but but no, it's, it's not too bad. So going back to the Caribbean, yes, it does cost a little, especially here from, from your right. But if you're smart about it, then it's not too bad. How? How often do you go back? I try to go back every other year, yeah. But, you know, COVID and all that kind of screw over those plans. Yeah, so I I was actually wondering, do you have any hidden gems? I'm planning a vacation to Dominican Republic. Bunta Canta. Bunta Cana.

I shouldn't know how. To say that. So is that a good choice to start with? And any hidden gems. You see now here's the trap, right? It's, you say hidden gems, it gets out and that's no longer a hidden. Gems. Right. Oh yeah, with our with our millions and millions. Of billions. Of billions. Yeah, no, I'm, I'm kind of relaxed whenever I go back to to the Caribbean. So it is for, for me, Trinidad and Tobago is like the home base and I'm born there.

So, so my, my heart will will always go to, towards that part of the Caribbean, right? But other than that, go, definitely go island hopping. There's so, so much to explore and, and I mean, a lot of people have been to to Jamaica and the Bahamas and stuff like that, but there's also other, other islands that has stuff that's worth seeing and, and experiencing. Yeah, sounds wonderful.

All right, well, that's pretty good. Probably spot to leave it for this this one. Jerome, great to meet you in person. Thanks for taking time here, being with us. I'll have your LinkedIn profile in our show notes so people can reach out and connect. Maybe trade war stories, maybe maybe you guys, you know, it can get maybe in a more of a hidden gem conversation. A1 to 1. So, you know, blasted on the Internet. But thank you so much for being part of this.

And yeah, we're going to leave for this week. Find us on the web at idacpodcast.com, like and subscribe and do all those fun things right. That's what gets us up to places like this. And yeah, appreciate it. So thanks everyone for watching and or listening and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and

review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.