#369 - A Practitioner’s View on Identity with Anthony Viggiano

Aug 25, 2025 · 57 min · Ep. 369

Episode description

Join Jeff and Jim in this special episode of the Identity at the Center podcast as they celebrate crossing 1 million downloads. The hosts share a major announcement, thank their supporters, and discuss the journey and future of the podcast. They also delve into the world of Identity and Access Management (IAM) with guest Anthony Viggiano, covering key topics such as access reviews, roles, data integration, and non-human identities. Anthony shares his insights on making access reviews effective, future-proofing IAM programs, and the pragmatic approaches to identity governance. Plus, learn about Anthony's passion for mountain biking and some tips for beginners. Don't miss this episode packed with valuable IAM insights and a momentous celebration!


Timestamps:

00:00 Introduction and Banter

00:33 Major Milestone Announcement

02:58 Upcoming Events and Conferences

06:54 Guest Introduction: Anthony Viggiano

09:48 Anthony's Journey into Identity

11:08 Challenges in Identity Management

12:24 Non-Human Identities and AI

16:34 Access Reviews: Security Theater?

24:08 Making Access Reviews Effective

26:29 Effective Access Reviews: Overcoming Challenges

29:29 Role-Based Access Control (RBAC) Insights

32:29 Exploring Attribute-Based Access Control (ABAC)

37:56 Centralizing Identity Governance

45:47 Future-Proofing Identity Programs

47:35 Mountain Biking: A Metaphor for Life

54:54 Closing Thoughts and Community Support


Connect with Anthony: https://www.linkedin.com/in/anthonyviggiano/


Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/


Visit the show on the web at http://idacpodcast.com

Transcript

Introduction and Banter

This is identity at the center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? I am fantastic. How are you? I'm doing good, but guess what? I got an awesome for you today. I got something for you. I mean, you didn't ask me why I was fantastic that it. I normally say not so bad, but I was kind of hoping you'd ask why I'm fantastic. Why are you? Why is it fantastic, Jeff?

Major Milestone Announcement

Well, I have a major announcement to make regarding this podcast and you're going to be here with me as I do this live. You can see my mouse and I am clicking. What did I just do, Jim? Did you change the color in your background? Nope, that's. I mean I do, but not this time. I don't know what you did that was a million subscribers. I wish a million subscribers, but you're very close. We just crossed 1,000,000 downloads for the podcast.

So I just posted to LinkedIn that we have officially crossed over into a million download territory. So big shout out to everyone who supported us along the way. Very humbling, very exciting. Never would have thought this, you know, 6 plus years ago when we started this, but yeah, here we are. Yeah, man, you're going to get the raw emotions. I can't believe that we. I mean, I knew it was coming, but man, it's really hit me.

I just want to say thank you to everybody who supported us along the way, all of our sponsors, all of our listeners, hardcore listeners, people who just pick it up for a few episodes. I mean, we appreciate it all. Yeah, super cool, monumental and yeah, I guess on for the next million. But you know, I guess a plea for those out there, if you haven't checked us out or you're not subscribed, you just kind of listen to one off, check us out, you know, subscribe, hit that like button.

It is, you know, get us on YouTube or Spotify or Apple or wherever you want to do it. But that definitely helps kind of, you know, show that we've got people out there. But a million downloads? That is absolutely crazy for an identity and access management podcast with 0 advertising, all word of mouth and that's it. Yeah, the funny thing is, like it probably. How many years did it take to reach 100,000? It's a failure.

It's just picked up steam over the last couple years and so, you know, all of our friends, but our friends over at IT Pro, you know, being the official podcast of IT Pro, it certainly didn't hurt. No, it's super cool. And you know what, birds of a feather flock together or something like that. But yeah, super cool. So I just want to take a moment. I'm going to steal the banter from you. I figured and said, hey, I've got something, you know, hit me up first.

Yeah, I mean you. You. I'm glad you did. I'm glad you did. So now on to our normal broadcasting. Regular schedule broadcast.

Upcoming Events and Conferences

We've got a bunch of different events. I just told you before I hit record that I'm on the road like every week starting next week through October for a bunch of different things between like my real job, you know, consulting day job and then the podcast. But we've got cybersecurity summits taking place in Chicago and Philadelphia. Those are both in September.

I will be at both of those. We've got discount code CSS25-IDAC, free pass, share it. I'd love to see a bunch of people in Chicago and Philadelphia. I know way more people in Chicago than I do in Philadelphia. But it'll be cool to meet up with people in both locations, so people should check that out.

The new one that we just kind of figured out this week is Authenticate 2025. So we are coming back again and we have some exciting things planned with Megan and Adrian and Andrew and crew for this next year. So we have a discount code for that one as well. That one is in October and that's the one that's in Carlsbad, CA, one of my favorite conferences. But if you enter the code IDAC 2025, you get 20% off. So I'll have that in our show notes. We actually have all these in our show notes.

We'll check out. So another conference that's in October and then we've got, yeah, go ahead. Well, what I was going to say is like Authenticate, some people might think to themselves like, oh, that's a little intimidating or that's not in my lane. Or they might be looking at some of the other conferences that you mentioned that are, you know, big umbrella cyber and thinking, well, my lane is identity. I'd be intimidated to go to those conferences. But I think what you see as a trend in this identity industry is that the tent is expanding, the umbrella is expanding, and you need to know cyber, you need to plug into it. You should be opening your mind to what's going on with FIDO and passkeys and just the passwordless revolution because that's where everything is heading. So even if you think, well, this hasn't been in my lane, first off, they're fantastic conferences. And second off, like you should be learning things that are outside of your lane. That's how you're going to become the better practitioner of tomorrow, yeah. A good identity professional is well-rounded. They don't know just identity. They're able to talk through other parts of security to understand how those parts contribute to identity. So yeah, even though some of these might be, you know, cybersecurity conferences, guess what? Identity is part of cybersecurity.

So you're probably going to learn something or be able to share ideas or things like that with kind of, you know, other folks, but definitely encourage people to come out and check it out. So, yeah, so we've got, let's see, cybersecurity summits. We've got the Authenticate conference, then we've got the Identiverse Washington DC event coming up in November. Of course, we have a discount code for that one as well. IDV25-IDAC25 gets you some percentage off. I forgot to write it down, but it is on our website. 25, I'm going to guess 25, but you never know, it could be the year, who knows. And then after that, we've got the Gartner conference, the IAM Summit in Texas in December and we'll have a discount code for that coming in October. So be on the lookout for that. Again, everything will be on our web page, idacpodcast.com.

Just scroll down on that main page and you'll see everything that we've currently got active. So hopefully people are able to take advantage of that. Definitely supports the show, shows that we can bring people to the conference and have some fun with it too. Absolutely. You know, and speaking of which, this is why conferences are especially important.

Like you've always said, the best part is the hallway conversations and the people you get to bump into and the people that you meet for the first time. Our guest today is somebody we met for the first time at a conference this year, and he's somebody that he's got some really big ideas in the identity space, and that's why you and I were both so excited to get him on to the show today.

Guest Introduction: Anthony Viggiano

Yeah. Let's go ahead and introduce our guest. His name is Anthony Viggiano. He's one of the iron weeders in our space. He's a member of the Identity Underground. He's a member of ID Pro. I met him at Identibeer at the Identiverse Conference in Vegas earlier this year. And yeah, welcome to the show, Anthony. Hey, thanks, Jeff. Jim, this is really an honor to be on your podcast talking about one of my passions, identity and access management. Really, thank you.

And also want to thank the broader industry, the identity and access management industry. Yeah. You know, go into these conferences, you show up, you're like, OK, am I going to be able to contribute? Am I going to meet anybody? What's it going to be like? And all the conferences that I've been to RSA, you know, Identiverse, people want to meet, people want to talk, people want to share their own passions about what they do and they want to build relationships.

And then best of all, what I found out is people want to help. I've been on the hunt for my next identity and access management leadership role. And everybody that I talked to, when I kind of mentioned that, they're like, oh, I know of an opportunity or I know this company is doing something, and people have been getting me connected. I've been applying to roles and I would reach out to my network and I'd say, hey, do you know anybody at this company? And they say, yeah, let me shoot the hiring manager an e-mail. I'm so thankful to you, Jim and Jeff, for helping out with that and just the community more in general. And I just wanted to say thank you. But also at Identi Beer, thanks to my wife, because if it wasn't for her, I don't think we would have met because I probably would have shown up. Who here loves going to these big open, you know, social events where you don't know anybody? And when I'm walking towards those events and I hear everybody talking, I'm going up the stairs like my feet feel like lead. I don't want to climb that next step. I'm like thinking to myself, man, all I have to do is go back to my hotel room. I can watch a movie, I can go watch 2 movies. I can go to bed early. Anything is better than, you know, walking into a social event. But she came to Vegas with us.

She was there. She was like, no, let's go do it. And she supported me and helped me. And she helped, you know, start the conversations. And she's a kindergarten teacher, so she is just as good at talking with her little kindergarten students. Oh, you got a new toy at McDonald's? That's amazing. Or, oh, you're a CISO for a large company? That's amazing. Tell me more. And she could just hold the conversation with anybody. But she makes me feel like I can do anything.

And so I just really appreciate her. I'd be in there with me. Yeah, that's super cool. I remember meeting her and we were, I, I think I asked her more questions about kindergarten than I asked you like stuff. But the whole point was to, you know, get to know each other and stuff like that.

But yeah, super cool. And look, that's a great part of identity, right? It's a big tent, as sort of, you know, Jim mentioned earlier in a previous episode, as well as there's a lot going on, a lot of really good people. And that is one of the strengths of the identity community at large. You get groups like Identity Underground, you get groups like ID Pro, right, for example. Like that's just cool, man. I mean, no other articulate way to put it other than just it's super cool.

Anthony's Journey into Identity

So let's talk a little bit about that journey into identity. You've been kind of doing this for a while now. Tell us, how did you get to the identity space? Is it something that you chose or did it choose you? Yeah. So it's 2019 and it was a little bit of both. So we, the company I was a part of, just acquired another large organization. We were combining and there was org changes and my managers were moving to a new team and nobody really knew what was going on. And so somehow I had this opportunity where I was asked, what do you want to do? Where do you want to go? And I said, I want to go with my manager. I really liked what he did. He was very supportive of my career. And I said, I choose this role. Little did I know that that meant identity and access management. And so it was the very first week, one of our auditors sat me in his office and said, we haven't been able to do these access reviews. And you've got two months before our next audit. Here's what you've got to do. And, you know, tried to explain what an access review was. And all these things. All I remember is I have no idea what you're talking about, but we'll figure it out. And we did.

And I'm happy to kind of share, you know, that journey and how do you be successful at the identity governance and different things like that? But I chose it, and even if I knew what I was getting into, I think I still would have chosen it because it's been an awesome last six years. That's super cool. I mean, there's so much that kind of happens in this space, in your time in identity.

Challenges in Identity Management

What's something that you see as like a real fundamental challenge today that, you know, all of us are facing in our different roles? Data, I think data is one of the biggest challenges because if you don't have the data, let's say for example in whatever IGA platform that you're using, how can you perform the controls that you need to perform? If you need to run an access review, but you don't know who has access to what, you can't run an access review.

If you have the access review and you send it out to their managers, but the descriptions aren't that great, we're hardly going to know whether or not they should say keep or revoke. And so I think that's the biggest challenge. And then how do you solve that challenge is through data integration and being able to get those applications, the source of truth of who has access to what, into your platforms. And same thing with privileged access management. If you've got that automated rotation, then it works. Then you're getting the value there. But if those passwords aren't being automatically rotated, then the, you know, the privileged access management, the value isn't there as much. So it's that data integration, the application integration, I think that's a building block that's going to continue to be very important. Such an interesting answer. I think it's a very receptive answer. It's obviously somebody who's tackled these challenges in the real world.

Non-Human Identities and AI

I'll tell you what, Anthony, I thought you were going to say non-human identities because where I met you first was at Identiverse in the NHI workshop, NHI standing for non-human identities. And it was a full day workshop. I mean the topic is white hot right now and I'd love to hear your insight on why you think it's so hot at the moment. Sure. Yeah, I think it's hot right now at the moment because it's been a problem for a very long time. The service accounts, as we used to call them, have been around for 10, 20 years. So it's not a new problem. But what's making it more urgent, as I think we all know, is AI. You've got the same problem, and now you're going to plant on top of that, you know, this new technology. You can't solve the AI problem, the agentic AI problem, with the way we do things today.

So I think the questions that we're trying to answer and what we talked about at that panel was one, how do you build a new foundation? How do you kind of clean up the problems that you have now? And then how do you start fresh so you can build on top of that for the new technologies and capabilities that are coming down the road? Yeah, I mean, agentic AI definitely plays into it.

I kind of feel like this they used to happen so to me and like you had enterprise IT where you had the service accounts and the application accounts. Then you opened up cloud and platform and it's like it bursts on this scene with a whole bunch more non human identities workloads. And now AI is going to be the next frontier. I feel like 1. I feel like practitioners have struggled to say, how do I solve this with my existing tool set? Or do I need to go out and buy something new?

I mean, that's a whole thing that organizations are struggling through right now. I mean, do you have a perspective on that? Yeah. So I think first you can solve the problem or at least get a solid start without new tools. So I think anybody, any big large enterprise, can start right now with the tools that you have. If you want to automate and kind of streamline those capabilities and really make it more scalable, then you're probably going to want to invest in some tools. But start fresh. And that is really just your good old fashioned Excel spreadsheet. You run reports out of your source of truth, which, you know, can be Active Directory, it can be your Windows machines, it can be, you know, the Linux machines, anywhere where those non-human identities live.

Run those reports, discover what exists, figure out what they have access to. Are they administrative accounts on these servers or do they have just really basic access to, you know, run a report on a daily basis or something? Because, you know, there's all kinds of different use cases. Prioritize them and then figure out, OK, what ones do we still need and which ones do we not? And there's a lot of manual work that goes into play there. Now you've got the data. Let's say you have 50,000 non-human identities. Well, now we've got to figure out who owns them. We've got to figure out what they do. We've got to figure out if they're still used. And that's, you know, that's a huge thing. I would bet a lot of those accounts that you're going to discover aren't even used anymore. And wouldn't it be great to eliminate those and reduce your attack surface instead of just letting them sit around saying, I'm a little nervous to terminate them because I don't know what they do, and I don't want to, you know, break a system. So, you know, there's a real balance there. But that's an example of what you can do now without any new technology. It's a pretty pragmatic approach. I think if I was to summarize it, because I was thinking this as you're going, yeah, don't let perfection be the enemy of better, right? Like if you can get better, if you can solve. And I think the other element, like we've been talking about this in the beginning for so long, it's like having a good inventory, having good visibility and that data element. Like do you understand what these accounts, where the accounts are? And then what do they do?

And some people get mad because they use the term accounts, but I don't really care. But here, So here's a question.

Access Reviews: Security Theater?

So just I will say you made the most memorable statement from my perspective in like Identiverse 2025, which is you said access reviews are security theater. And I was like, holy cow, who goes to an identity conference, goes on stage and says that? That takes some guts. But I kind of wonder, like, OK, you know, we have all this data, now we know what is going on with the data. Don't you have to involve the user? So what is your perspective in terms of access reviews and why they're security theater? Yeah, no, thanks. I do believe that. Yeah, at scale, at large organizations, it's going to be more theatre than it is actually reducing risk. And yeah, you know, I kind of say that to get a little bit of attention and looks like it worked. So thanks for pointing that out, Jim. But let me explain that, to your point.

Let me unpack that a little bit. So just think about how much a company spends on performing an access review. Let's just say, you know, they have a team, maybe it costs $2,000,000 per year for that team to run, that just focuses on access reviews. OK, so 2,000,000 per year. And then you've got, let's say for, you know, an organization with 100,000 users, you've got 10,000 managers now that on a quarterly basis have to go in and perform these access reviews.

So let's just say it takes them an hour. You know, what's the value of somebody's time? Multiply that by 10,000, four times per year. That's millions of dollars per year that an organization is spending on performing exactly these access reviews. And so that's the, you know, that's the cost aspect. Now let's look at the return aspect. So if you don't have all that, you know, lifecycle management, all that stuff that we talked about a minute ago in terms of not great descriptions, you don't really know what this access does. How many managers are going to take the risk and say, yeah, I don't think he needs this anymore, so let me just revoke it? Well, then your team can't do their job anymore. So often times, and you can just look at your data, you know, what is the revoke rate for your access reviews? Is it just a couple percent per cycle? So you've got, you know, 3,000,000 lines and only, you know, a couple percentage points of that was revoked. Is that really providing the risk reduction that you're looking for? Maybe it should be 10%, maybe it should be 20%. I don't really know what that threshold should be, but I know it's probably not one or 2%. So that's where, you know, I say take a look: is the investment, is the money that you're putting into these access reviews, is it giving you the return, the risk reduction that you're looking for? Now, on the other side, we can't forget about audit and compliance. That is important. Yes, we want to make the investment. We need to be compliant. We need to pass our access reviews, our audits. And so that's an important thing. So I would never say, oh, forget it, you know, don't do it. We don't need to do it anymore. But in terms of risk reduction, yeah, if we think these access reviews are truly reducing risk in some cases, I would double check that. Yeah, Sante, you're targeting the whole idea behind it. It's the how's it actually approached? How's it actually done? Is it being done in an effective way? So given that I think you are in favor of identity governance, and, by the way, I'm just linking identity governance and access reviews. They are kind of linked. For sure, but it's not like the whole thing about identity coverage. Where do you take identity governance? How do you make it more effective? Fair. Yes, I love identity governance. That was really the focus of my job and why I'm so passionate about the access reviews. So one, let's kind of like think about a whole new approach to access reviews. Again, not saying we stop what we're doing, but if we want to reduce risk, who is better to know what access I need to do my job than me? Nobody. I know when I need to do my job. And yes, maybe again, the descriptions aren't as great and different things, but I'm going to know more than my manager's going to know in terms of, in most cases, what I need. So how do we, one, do a self-service access review? Doesn't have to be audited, doesn't have to, you know, be an artificial control, but then incentivize these employees to actually reduce the entitlements, because then it'll be the same thing. We'll just rubber stamp everything. So you've got to provide that incentive. And this was an idea of one of my team members. She thought, you know, we were like talking about it.

And she's like, oh, well, you know, get them to do it, give them an incentive. So you've got points, you know, some companies have these, you know, points systems. Give them 10 points for each entitlement that they revoke. If you could do cash, do cash, $5 for every entitlement, and I bet you're going to have people that have been at the company a long time that can go out and buy a brand new TV just by eliminating some of these entitlements, and now you are truly reducing the attack surface. So if one of those accounts gets phished, that attacker has less access than they would have before you did that exercise.

This idea of gamification is something that I've been a fan of for a very long time. I remember when I was first rolling out self-service password reset a few decades ago at this point, and we were not getting the, you know, the number of enrollments and registrations that we wanted. It was kind of languishing despite us doing, you know, communications and emails and stuff like that. And this would have been like late 2000s, I would say. And so I don't remember who came up with it, but you know, we had a team and it was like, all right, let's give away an iPad. So this is when iPads first came out. Yeah, I think at that point they were $400.00 or whatever it was, right? So I was like, all right, let's give away an iPad and anybody who is registered in our self-service password system basically has an entry in the system and would be raffled off.

And we went from something like 30% enrollment, and we gave it a quarter just to kind of get the message out there and get people rolling. And by the end of a quarter, we had gotten up over like 90% enrollments just for a $400.00 iPad. The best money that we spent in a $1,000,000 IAM program was a $400.00 iPad to drive awareness and incentivize people to do it. So yeah, you're totally right. You know, there's lots of points system stuff like that. I mean, my mom used to give us points when we were growing up. I don't know when I'm going to be able to cash those in, but I must have a zillion points at this point. Jeff forgot to mention that it's a great iPad. He still has it. If you know me, you know that I enjoy the finer things in life and tend to rotate my equipment on a yearly basis. But I think. And I know you, and I know you wouldn't do that and take the integrity out of it.

I was actually wondering, Anthony. So let's stay in this identity governance lane, and one of the other areas that gets talked about in terms of being ripe for revolution. And by the way, I love your idea. Not only on the giveaway, the gamification, but having people do their own reviews. And it kind of like flies in the face of, or it's like a revolutionary idea, and like why can't we have kind of these big ideas?

The industry's having a big idea right now, which is that maybe RBAC isn't all it's cracked up to be. And I'm wondering, where do you stand on RBAC? Yeah, no, I definitely have some thoughts on that.

Making Access Reviews Effective

Before we go there, though, if I can go back to access reviews, because I want to share a little bit more about how we make access reviews successful. Because yes, maybe they're a little bit of theater and maybe we have some other approaches that we can kind of take to reduce risk other ways, but you still have got to do an access review. How do you make it successful? And early in the days, when I was kind of talking about my first experience, we really struggled, and one, people weren't even completing the reviews. You know, you go in, you send out the emails, you get what, 70% response, 50% response. So if you're struggling with that, here is a really fun trick that we learned, and it's people's human nature when you give them a due date to wait until that due date to take the action. So we would send the e-mail, we'd say you've got 30 days to perform this access review. We'd give them the 30 days and then guess what? How many people do you think completed those access reviews in those 30 days? Very few people. They waited and then you got to the deadline and then oops, I ran out of time. I got other priorities, not going to do it. And then, you know, it was a little bit messy.

So our approach was a couple of different things. Number one, as soon as possible, no deadline. Do not give people a deadline when it's urgent and it's important; say this has to be done as soon as possible. And then we'd set, we'd drill them with e-mail, we'd do three different emails every other day and they would get those emails. So within one week, now we went from, you know, not great response in 30 days to now 90% responsiveness within the first one week.

So that was a huge, huge transition. And then number two is on the second week. That's when we start escalating and we'll copy people's manager. And now the manager will say, oh, OK, yeah, maybe, you know, the person's out of the office. Maybe they, you know, really are doing it for their priorities, you know, whatever. It doesn't matter what the issue is. And now the managers motivate their team members. But it's, you know, a tiny subset. It's 10% of the total population. And then by the time we get to that 10 day mark, we're at 99%. And then, yeah, you know, we're just going to, you know, message, direct message people, you know, figure out people are reassigned, different things like that, get that last 1%. But that was a big thing for us. And then really improving the communications is giving them the right information. So, you know, instead of getting this kind of cryptic e-mail, I get all the instructions. I get one click, boom, I'm in and I see the instructions in the e-mail. Very simple to understand. Do that communication to leadership. So now they can get reports on a daily basis to track, you know, their team, you know, by leader: who on my team is getting it done and who's not getting it done.

Effective Access Reviews: Overcoming Challenges

They're really just data, key performance indicators, and communication was what made our transition from not so successful access reviews to very successful access reviews. All right. Now, Jim, to get to your question on role based access controls. Let me butt in there for a second though, because, please, Jeff, one of the things that I think a lot of people struggle with is access reviews and getting a response.

So I have to imagine, you know, myself included, we've all tried sending a bunch of emails and saying do this, and then they don't do it or they rubber stamp it, and it's like not effective, you know, it's security theatre at that point. Kind of to your point, right, you have to have some sort of carrot and/or stick, or maybe both, for that e-mail to be taken seriously. What are some tips or guidance to, you know, get that? Because I think a lot of people struggle with this. You know, myself included, when I was doing this it was like, I can send as many emails as I want, but short of me walking over to their desk, getting them in a headlock and making them sit at their computer and make a decision, yeah, people just don't do it. Or they find other reasons or excuses not to do it. Or worse, they rubber stamp it. Which is a real problem, yeah. Yeah, I've done all those things minus the headlock. So. But I thought that would be just as effective. Aggressive negotiations is what I will tell you about. That's better. Yeah. So for us, it was making the e-mail very clear, helping people understand what's in it for me or why is this important, and kind of building that into the culture. So we made it very clear: you are responsible for the enterprise's security, you are responsible for the enterprise's audit and compliance. And here's how you can help. And then so we communicate that.

And then we just try to really communicate how we hear people like, yes, we know this is not the greatest experience. We hear you. Here's the changes that we make or hey, we have bi weekly or twice per week lunch and learns where you get this e-mail. And if you don't understand what you're doing, click this Webex at this time and boom, you'll join and you'll we'll help you. We'll walk you through it. So it's really more support, more hands on approach where

people can come for the help. So they're not just kind of frustrated where they're going in, they're trying to figure it out, can't figure it out and don't know what to do. And then now to your point, it's you have to go track them down. We're giving them the avenue, the communication, the channel to come find us and remake it easy, easier and easier for them to find us. But then to, you know, more importantly, just to be able to get it done on on the first try.

For example, investing a lot in improving our descriptions. And that's time intensive. You have to go to the application team, you have to ask them what it does. You say, no, that's not a great description. Let's make it a little bit more user friendly. Doing all those things that that takes time, but that really pays dividends because now as a manager, you see, Oh yeah, I know what this does. Easy, easy decision. Yes or no versus I have no idea what this does.

Rubber stamp. So now my RBAC question.

Role-Based Access Control (RBAC) Insights

OK, yeah, let's get to RBAC. So RBAC, just like a lot of governance, is complex. And when you start small and you're like, oh yeah, this should be simple. Let's do this. Let's, you know, for example, give anybody the ability to request a role. Sounds like it won't be a big deal. But then a few years later you've got 15,000 roles and some of those roles have the same entitlements, some of those roles have only one or two entitlements, and you've just got a mess on your hands, and the people that requested them are long gone. So it's a life cycle management problem there. And that's not scalable. So opening it up like that and kind of letting it be just no standards, you know, anybody can do what they want. That's not going to work.

And we, you know, discovered that the hard way. So what can you do instead if you want to do roles? Because, you know, the question is, what's the value of roles? Well, going to access reviews, if I could review, you know, 5 roles versus 100 individual entitlements, that's going to be a lot quicker. So there's value there.

And if I'm being onboarded and I only need to request a couple different roles instead of, you know, again, hundreds of entitlements, there's value there, you know, that the person can do their job much quicker. So there is definitely value in roles, but now we want to choose, OK, how do we simplify it, and choosing just a good structure, and it could be anything. For example, you could choose the structure at the senior leadership level.

You probably don't want to get down to the individual manager level because, you know, if it's a large enterprise, again, you're going to have the same problem. But maybe at the senior leadership level, OK, the senior leader for all his team gets this role. And yes, it's not going to be everything for everyone, but it might solve some basic problems. Or you could do it at the project level. This is going to be a three-year project. This is everything in the project that you need, the, you know, different shared folders and such. Anybody who joins that project, it's the role, and that's pretty simple. Or you could do it at the application level. Instead of having to request 5 different entitlements or global groups for an application: you're in this job, you need to do this function, you get this role.

And so that is how I would recommend implementing it and keeping it much more simple and laid back, and not trying to give everybody everything they need just in roles. You're going to have to still go outside of roles, but if you can kind of do the mass and then roles, I think you can find the nice balance of value there. Yeah, it seems like you're applying like a pragmatism to it as well, which is why I love having practitioners on the show, because it's taking the theory and then taking the reality and mushing them together and figuring out what works. But I mean there are advances in the technology, and when those advances come along, I think it's our job to kind of consider them and how can we work them in.

What do you think of kind of some of the newer approaches like PBAC and, not really new, but ABAC? Like where, how do you fit those into an enterprise identity governance program?

Exploring Attribute-Based Access Control (ABAC)

Yeah, I think you could kind of pick and choose which approach you want to take, or you can kind of do a hybrid model. Yeah, that attribute based access control, I really like that. And I think some of the new identity governance tools are trying to build on that, and I think that has a lot of potential. And you know, the use case there is based on all the attributes that I come into a company with: location, team, manager, job title, all kinds of different attributes. Based on those attributes, I'm going to automatically get the access that I need to do my job. Now here's the question: just like RBAC, that requires rules. So who is going to manage the rules that automate those settings and who's going to be responsible for that? So I think at scale, again, if you try to, you know, complicate it and just say, oh yeah, everybody's going to get everything they need automatically everywhere, I don't know if that's going to be scalable or if you're going to be able to implement that and maintain the life cycle of that on a large enterprise. So I think you'll kind of see similar issues.

So I am on record as not being a fan of RBAC. I think it's a big quagmire that a lot of companies struggle with. I am a big fan, however, of attribute based and policy based because I feel like those are easier to start with. But it goes back to almost the first topic you talked about, which was data. You have to have good data to do any of this, but it is especially important for attribute and policy based access controls, which rely on data to make those decisions. So what happens if I don't have data? Am I stuck, or can I use at least what I have and hope that it's good? Like where would you start if you were just joining an organization and you're like, OK, how do we fix authorizations and try to get them managed from a life cycle standpoint?

Yeah, no, it starts with the data and, you know, integration and understanding the data. So let's start with provisioning as an example. You can use attribute based, you can use RBAC. But if those applications aren't fully integrated and you have people, humans, that are getting a ticket from your request system, and then you're waiting 10 days and then that person gets the ticket and then they go and they provision that access, there's going to be problems. They're going to maybe accidentally, you know, provision the wrong thing, maybe they'll forget, they'll miss the ticket. Maybe when somebody's terminated, that ticket won't get processed in time. And now you've got, you know, access that is there for too long. We need to integrate those applications and we need to get that data that automates that provisioning and that termination process. And then Jeff, that kind of gets to your question on where do we start? Well, now if you have all these provisioners that no longer need to do provisioning, now you've got an army of people that can go after the data. And I think that's where we can kind of make that transition: (1) integrate systems so that we're getting the data feeds, (2) leverage those people to improve the quality of that data. And then now you've got the two things that you need in place, the automation and integration and the data quality, to implement any of these rules that you want to implement, whether it's ABAC, RBAC, you know, authorization, just in time authorization, all kinds of different capabilities that rely on the data and automation. Now you've got that problem solved.

So when are you done with roles? Can you be done with roles, or when do you call it done? Is it 80% of my access is a role or an attribute based bundle of some sort? Is it 50%? 'Cause I'll give you my hot take: I don't think you're ever done, and I don't know if 100% is actually realistic.

Right, yeah. And I think you can apply that same thought process to just about any identity governance approach: you are never going to be done, 'cause as long as there's people coming in and out of your company and you've got new owners for non-human identities or for roles or for entitlements, you've got new applications coming in, it is never going to be done. You're always going to be making changes.

So that's why having the foundation of a life cycle process, a system in place that's going to manage all of your identity assets, everything, this, you know, very similar process for all of these things, where it's easy: if I leave the company, who's going to, you know, take ownership of that? All that stuff is very easy, very well communicated, automated. So yeah, Jeff, you're right, it's never done. You're always going to be changing things, but you can build life cycle and process that can really simplify it.

You know, I've seen the term roles used to mean so many different things at different organizations, all the way from, you know, very vendor specific definitions to just talking about directory groups and calling them roles, or applications calling their specific entitlements roles. So I think that's one of the things that, as an industry, you know, that term gets turned around to mean so many different things. But one of the things that I found a lot is that a lot of organizations strive to get to 1 role per person. And then essentially what you wind up having is, if you have 2500 employees, you have 2500 roles. It's like, what's the point? No point. There's no point, right? But we have roles. Right, yes. So there you go. We have roles and we're like, access reviews, we could say we got it.

Centralizing Identity Governance

So I want to kind of string along this part of the conversation and get into more of the authoritative source things, because I think this is kind of important for anything that we're going to do around authorizations and life cycle: how do we know where the data is coming from? What is the authoritative source for humans? And then when we talk about humans, are we talking about employees, or are we talking about non-employees like contractors or vendors, or customers or patients or XYZ, right? There's a whole bunch of personas out there. I think generally speaking most companies do a pretty good job of managing their people. While still a lot stumble, I think it is getting better. It's the non-employees of an organization that typically are not as well managed. They may not be in the same system, they may not be in a system at all. They might just live in an ad hoc spreadsheet. I've kind of seen it all at this point. Where do you come down on this? This is one of the holy wars we've had for a very long time, especially in the IGA world: what is the authoritative source for all of our humans? Should it be the HR platform? Should it be a neutral platform? Should it be like maybe the identity governance system? Maybe that's the source? Like where do you fall into sort of that human versus, or sorry, not human, employee versus non-employee? And then the extension of that question obviously gets into, OK, so now we've got non-human identities. Where do we source those from? Yeah, yeah, a couple layers there.

First, that is important because, you know, employees, you know, most companies are going to vet the people, the identity proofing themselves, and they probably have a really good system. And so they can rely on, I'm hiring Jim McDonald and I know that. When it comes to contractors, oftentimes we're relying on third parties to do that background check and that vetting. And haven't we seen a growth in laptop farms where we've got people from North Korea that are actually getting jobs in U.S. companies, and their laptops are somewhere physically in the US, but the person is actually not who we think that they are. That's happening in real life. And so that's a real scary thing because now they have access and they're acting like a normal employee. It's really hard to detect after that. So yes, your question is very important because of that, as one example of an attack vector. So in my opinion, I like one source for all people, and you know, some sort of like a Workday platform or, you know, whatever kind of platform that you want to use. And you can have different points of entry though, for example.

So you know, for Workday, you can have your employees coming in, and then for contractors, you can have them coming in through, requested through, a completely different platform, but they're going to live in the same source of truth, and that will get fed into your identity governance platform with different attributes. So you can kind of tell the difference. And then I want to build on that when it comes to, you know, we talked about source of truth. Applications are your source of truth when it comes to who has access to what. Because now that's important, because if, you know, you need to make a decision, well, who has access to this application or who has administrative access, you know, the only way you're going to know who has the risky access, you know, where you want to make that investment of what you want to protect, the access you want to protect and the people and the accounts that you want to protect, is you need to know what they have access to. So that starts with the source of truth, which is the application or Active Directory or the servers. And then I kind of differentiate, maybe we could use different terms, the authoritative source, which is really where you aggregate all that information. And I want my identity governance platform to be an authoritative source.

And in order for that to happen, that means I need to have good data feeds, good integration into there. And I'll just give you one example. What we've done is, a lot of, you know, like, the first thing you want is integration, you want automation there. But if you can't do that, or maybe you can't do that right away, you can build an ETL, which is basically you get a flat file from the source of truth, the application. It's a standard format. It follows a template and then it gets dropped in some sort of shared location. And then your identity governance tool consumes that data, that standardized data. And now you've got that. And let's say you do that on a weekly basis, that's almost as good as an automated feed. So those are some things, some solutions where, OK, I can't build out integration because I've got this legacy platform, but you still can build some level of integration.

And now you've got your sources of truth talking to your authoritative sources. And you have everything on that one identity governance platform. So I'm glad you made that distinction between source of truth and authoritative source, because I think that is very important to highlight here. Data comes from sources. The collation of that data and the aggregation and the correlation of that data is where your authoritative source lives. So maybe that is the IGA platform, for example, maybe it's a privileged access management platform for like non-human identities, right? Things like that. What I find happens quite a bit is that IT solves the problem on their own without involving the business or having the business be accountable for non-employee identity. Well, it's left up to the managers and they kind of figure it out.

And we all know managers are great at doing, you know, what they've been asked, because they do access certification so well. So. You know, what happens when there isn't a process and IT has to kind of figure it out? And maybe if the IAM team kind of has to figure it out and all of a sudden IT or the IAM team or some combination in there owns the population of non-employees, what happens in that scenario? How do we get back on track for that?

Sure. So what I've kind of learned, or the approach I like to take, is centralization. So when you have fragmentation for pretty much, I wouldn't say any system, but for, you know, let's say governance, identity governance, you've got different teams doing different things or nothing at all. So I would rather centralize a system and a life cycle and say I'm going to be in charge of this life cycle and this process, but here is your responsibility. And then kind of distribute that out to the business, to our technology partners, and make it super easy. So for example, non-human identity management, life cycle management: I'm going to say this is the source of truth. They're going to live in our identity governance tool. Maybe they live in our PAM tool, and everything's going to be in there. And here's how you get it in there. Here's how you register it. And then you're going to maintain that. So every year you're going to change the password, you're going to make sure it's automatically rotated in the privileged access management tool. It's going to have a compliant password, not just, you know, password123 or, you know, different things like that. But that's going to be centrally managed.

And then we're going to distribute that and we're going to know who owns it and we're going to communicate to them and say, here's your responsibility, and we're going to simplify that. That's the other aspect of it: if it takes me a month to create a new non-human identity for the application that I was supposed to stand up two weeks ago, and I can't because I don't have my account yet, who do you think is going to want to go through that process again?

They're going to the next application they stand up, they're going to say, well, I've got a service account that works. I'm just going to use that all over again. And it's used over again and over and over. And now you need to reset that password because it was compromised, or you, you know, want to keep it rotated, and now nobody knows where it lives. So Jeff, to answer your question: centralized system, process and management, and then very clear communication to the owners with a life cycle management. And then great communication to leaders saying you own these accounts. Here are the accounts that are in compliance under your ownership. And here's the ones that are not. And we're communicating to your teams 90, 60, 30 days out when the password needs to be rotated or when something needs to change. And here's how easy we're making it for you to follow the standards.

Future-Proofing Identity Programs

Yeah, I wanted to ask you a question about, you know, what is your advice to practitioners to future-proof their identity program? And I don't think you can future-proof it, but I think you can approach it with a framework.

So we brought up, you know, how enterprise IT was done in the past, and we brought in the cloud and it became like a big issue for identity people because they didn't see this trend coming in a lot of cases and didn't prepare for it and said, I'm going to continue doing what I'm doing. And then this thing came along and became half of the enterprise. The next thing you can see coming is AI. Like if you're not thinking through these problems and seeing where the industry's going, it's going to sneak up on you. So for me, like it's almost like I'm destroying my own question. I don't think there is a way to future-proof it. But what kind of tips do you have for your fellow practitioners in terms of building a program that doesn't get blindsided?

Yeah, that's really hard. I mean, that's finding the balance between managing your technical debt, which is, you know, those accounts that you don't know who owns, the passwords aren't rotated, you know, the large attack surface, and being able to do the new technology. Because yes, if we're, you know, a company and you're not looking at AI right now, you're probably going to get left behind. But at the same time, if you're not also investing in cleaning up and managing the life cycle and reducing the technical debt, then by the time you're ready to implement AI, are you going to be able to, because it doesn't have the data it needs to do its job, or different things like that? So, Jim, it's going to be hard, but I think we have to try to, you know, make a balanced approach and try to do both. Well, no one ever said identity and access management was easy. That's why we've all been doing it for decades at this point.

Mountain Biking: A Metaphor for Life

So I want to kind of wrap up the conversation here. And I have a professional segue. I talked earlier about climbing the mountain to 1,000,000 downloads. And so I want to come down that mountain on a mountain bike. I know that you are a mountain biker. I have never been, but I live in an area where it's very popular, the Asheville, NC area. So lots of trails, lots of stuff to do there. I think the last time I rode a bike was probably 10 years ago. So I could probably test out that theory that you never forget how to ride a bike, and that would probably be pretty ridiculous. But how often? I mean, I know you're a mountain biker. How often do you go? Tell me about this. And for a newbie like me, how do I get started? Sure. Well, I see mountain biking as kind of a metaphor for life.

You feel like you're going uphill most of the time and it's hard and it's a slog and sometimes you don't feel like you're ever going to get there. But then you get to the flat or, even better, the downhill, and you just get into this flow state and you're just having the time of your life. And so that's one of the things I love about mountain biking, but even more is teaching youth mountain biking. My son who's 15, he mountain bikes. My daughter who's 11, she mountain bikes, and she just did a race and got third place up in Vermont this past weekend. And it's just, it really brings a tear to my eye to watch these little kids doing just that, climbing up these hills, sometimes having to get off their bike and push up the hill, but doing it because they want to, doing it because they know they'll make it up and doing it because it's fun. And I want to instill that, you know, that kind of thing in the kids' lives. And so I'm passionate about that. But how do you get into it? Yeah, I think, Jeff, just hop on that bike, find some easy trails, and I can send you some links to those. But yeah, start on the road and just really have a good time. I'll tell you, the e-bikes they make these days are pretty awesome.

I haven't tried one yet, but I think they make mountain biking more accessible to anybody who wants to try it. And it definitely makes going uphill even easier. So that's the life I want to live, where it's like I'm on an e-bike all the time and going up hills, no problem. OK, so you stole my next question because I was going to ask if using an e-bike is cheating, because then I'm all in if I can use an e-bike. That sounds a little more recreational, you know, for me. OK, so let's say I want to get an e-bike. Like how much easier is it to use an e-bike versus like a normal bike? Yeah. Is it, I think, still easier? Yeah. I think the great thing is the technology's pretty good. So it doesn't feel that much different in terms of just the riding dynamics because they're still pretty light. Yeah, maybe they weigh, you know, an extra 20 pounds, but that's not going to make too much of a difference.

So the riding experience is going to be about the same. But it's really the going up hills, and maybe if you're riding with a group, trying to keep up, that's where it really helps. And I think it's worth it, especially if you're new or you really want to try it out. I love the idea of e-bikes. I have to imagine they're probably split out as a separate like class of bike or something. When you're doing races, right, it's e-bikes only versus no e-bikes.

Yes, they do. They do. And those e-bikes go pretty quick. They shave a few minutes off every lap. I was just looking at that for the recent race. I was like, oh, how much faster did they go than me? They went a lot faster. I can absolutely do that, because I was in Amsterdam over the summer break; while we were at EIC I spent the week there, and there were bikes aplenty, which I thought was very cool. And then there was a few people on e-bikes and boy, were they moving on some of those streets and some of the park paths that we were kind of traversing, and it seemed a lot easier to me. And so I was kind of a fan of that. I think so. I have actually thought about getting an e-bike because I do enjoy biking. I just don't have like the, I don't know, the gumption to get out there and, you know, get my Huffy Sigma out, which is the, you know, the bike that I grew up on with electron sort of, you know, covers, you know, stuff like that. But e-bikes interest me, Jim. Have you ever ridden on an e-bike, Jim? Never on an e-bike, no. I mean that is about the speed that I'm at now though.

I used to trail run, and everybody who's not into running is like, why would you do that to yourself? But what they don't realize is once you get into a level of fitness where it doesn't hurt, your heart's not pumping out of your chest. You're, you know, maybe you're breathing heavy, but you're used to it. So it's not that bad. It's a great way to, you know, it's almost like meditating while you're running.

But I was going to say I did give mountain biking a chance when I was like college age and I really liked it. But here's my tip for anybody. If you think you can go to Walmart and buy what looks like a mountain bike for $99.00 and ride that, you're going to be sorry. And here's what I mean. So I had one of those bikes since, one, I didn't have any money and I wanted to do this thing. And so there was like a flight of steps that, it's obviously not on the mountain, but it was on the campus, and I rode down the flight of steps and it bent my rims and they became like oval-shaped. And I'm like, what the heck is going on here? So now I can see why somebody would pay $400.00 per rim, because if you don't, the last thing you want to do is like go all the way up the mountain, start going down and then you can't ride down. You've got to carry your bike out.

And I had a friend who said, and she said, if you ain't hiking, you ain't biking. So that was when Anthony was talking about carrying that bike out. And that's what I was thinking with the e-bike. I'm wondering, are those things like 10 times heavier than a regular mountain bike? It's not too bad. They're not too bad. OK. So maybe you can carry those? Yeah, if you need to, but they'll push you up just about any angle. That's not... and the heavy part is what? The battery probably, right? Yeah. Is the battery the heaviest part? Yep. OK, I've toyed with it. I have to explore it. I think it's super interesting. I've thought about, well, maybe an e-bike. Well, why don't I just get like a, you know, electric motorcycle or something like that, which is probably the next step. Jim, I know you used to have a bike. Did you sell the bike? Motorcycle? No, I sold it when I moved because I didn't want to move it across country.

But Denise has a Harley and I'm going to get something. It won't be a Harley, it'll probably be an Indian. I think there's a really sharp looking one, or I might get something custom or something electric. I really haven't decided yet. I would be very impressed if you got an electric bike. That would frankly shock me, but I think it would be super cool. I think it would be cool, yeah. No, I mean, why not?

I mean, I drive electric cars and they're super fast and super quick, and that's what I like about them. I can't imagine an electric motorcycle. I would instantly be in the hospital just by looking at it. I bought electric dirt bikes for my kids when they were real little and they used to just zoom around the house. And the thing was, they're cheap and they broke all the time. But that wasn't because they were electric. That was because they're cheap. OK, well, shout out to any e-bike makers. If you want to sponsor an episode, come on, we'll make an exception for, yeah, for non-identity sponsors and stuff like that. I'll take an e-bike. That's fine. Absolutely.

Closing Thoughts and Community Support

All right, Anthony, it's been great catching up with you again. It was great meeting you at Identiverse. Say hello to your wife, and hopefully she's got this new school year probably coming up here in the next few weeks, if she hasn't started already. Yeah. And hopefully we'll see you at some of these conferences coming up, and we'll see you in the IDPro channels and I'm sure Identity Underground and all that kind of stuff. But yeah, thank you for spending time with us.

I'll put your LinkedIn profile in our show notes so people can reach out and either ping you with IAM questions or mountain biking or whatever. Yeah. No, to my earlier point, I really want to support the community. So please reach out if there's anything you think I can help out with. I want to help. So reach out, and also shout out to my team. A lot of the stuff that I talked about, they're the ones who are in the trenches doing the work and have all the ideas that kind of got us to where we are over the last six years. I just want to say thanks to them and all their hard work because they're doing the hard part. IAM heroes left and right all over the place. But the one thing I will caution is heroism is not a strategy. I had a call last night with some folks. Heroism is great, but it is not a strategy. So shout out to all the IAM heroes out there, you know, with the sheer force of will making their organizations work. So with that, we'll go and close out for this week. Find us on the web, idacpodcast.com. Congrats, Jim, to you and me for a million downloads. Here's to the next million. Like, subscribe, share with a friend, share with an enemy. I don't care, as long as people are liking and subscribing, that's all that matters. And we'll go ahead and leave it for this week. Thanks everyone for watching and or listening, and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.

Transcript source: Provided by creator in RSS feed