#371 - Sponsor Spotlight - Axonius

Sep 03, 2025 | 59 min | Ep. 371

Episode description

Sponsored by Axonius. Visit https://www.axonius.com/idac to learn more.


In this sponsored episode of the Identity at the Center Podcast, hosts Jeff and Jim talk with Amir Ofek, the CEO of AxoniusX, about the company's innovative solutions in identity and access management (IAM). The discussion covers Amir's journey into IAM, the unique challenges of managing identities, and how AxoniusX's data-driven approach provides comprehensive visibility and intelligence. The episode breaks down various use cases, the importance of identity hygiene, automation of identity processes, and the newly recognized identity visibility and intelligence platform (IVIP) by Gartner.



Timestamps:

00:00 Introduction and Episode Overview

00:57 Guest Introduction: Amir, CEO of AxoniusX

01:12 Amir's Journey into Identity Access Management

02:40 Understanding Axonius and AxoniusX

08:03 The Importance of Identity Visibility and Intelligence

11:48 Challenges in Identity Management

22:10 Axonius's Approach to Identity Visibility

26:35 Leveraging AI and Machine Learning in Identity Management

31:18 Understanding Permission Changes and Their Importance

32:10 The Role of Observability in Axonius

32:37 Driving Actions with Axonius

33:30 Common Use Cases and Workflows

35:19 Axonius as a Swiss Army Knife

36:16 Ease of Use and AI Integration

38:49 Starting with Axonius and Measuring Value

43:42 Future Directions for Axonius

49:49 The Identity Community and Upcoming Events

51:23 Skiing Adventures and Tips

57:54 Conclusion and Final Thoughts



Connect with Amir: https://www.linkedin.com/in/amirofek/

Learn more about Axonius: https://www.axonius.com/idac



Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at idacpodcast.com

Transcript

Introduction and Episode Overview

This is identity at the center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? I'm good. I see that sly smile on your face. It's just I'm very excited for this episode. We've got a great innovator in our space here today and I want to jump right into it. What about you? Yeah, today is a sponsored

episode. So thanks to our friends over at Axonius and Axonius X. Maybe we'll we'll kind of figure out what that means here in a second. But today is all about Axonius and kind of learning what they come through. These are sponsored episodes that we do from time to time just to, you know, have be a little bit more vendor, less vendor neutral than we normally

are in our normal episodes. So, so with that, we've got Axonius. You can find them on the web, axonius.com/idac, A-X-O-N-I-U-S.com, and we've got we've got Amir Ofek. He's the CEO at Axonius X.

Guest Introduction: Amir, CEO of AxoniusX

So welcome to the show, Amir. Thanks, Jeff. Thanks, Jim. Great to be here. Yeah, thanks for taking the time. So I, I, I have a couple questions I want to ask you. I, I'm going to ask you about your background first and then we're going to get into some other things.

Amir's Journey into Identity Access Management

So tell us a little bit about how you got into the identity access management space. Is it something that you chose or did it choose you? Oh, well, I would say it definitely chose me kind of. So I, I started my career in, in cybersecurity way back in the 8200. There's many Israelis. I didn't did a shift to the IT world. I'm an IT engineer by profession and kind of a long career in IT and then came back to

cybersecurity. I was working as a CEO of a few startups and four years ago I, I joined Axonius to establish Axonius X and we can speak about that in a bit. And the first product we actually brought to market was

around SaaS management. And during that we actually encountered a lot of IAM teams that were challenged with managing SaaS, SSPM and so on. And they actually told us and again, we can go into more details later, they told us, look, you're already doing all those great things and, and great value that you bring around SaaS applications. Why don't you actually drive it also with identities?

And that's what kind of got us excited about the, the identity management domain and we started thinking whether we can actually create the product in that space. So that's that's how I got into identities. So you're kind of preaching the choir here, right? This is identity at the center. So you know, we're talking

Understanding Axonius and AxoniusX

identity. I want to know more about Axonius. And then I mentioned Axonius X. What is the difference and what is the X signify I guess? Yeah. So Axonius has been around for eight years. It's a it's one of the the leading unicorns in the cybersecurity space. The company was founded by Dean, Ofri and Avidor over 8 years ago with the premise of being really a data first company dealing

with data, analyzing data. The first area that the company ventured into was the asset management space, A category that there was called CAASM. We didn't kill this category today is kind of part of CTEM, but really in the asset

management space. And as the as the company evolved the founders and mainly Dean kind of thought through a vision of bringing a platform in and he was thinking how is the best way of of actually doing it by one way could be through acquisitions and bringing kind of M&A etcetera. And the other way we could be actually through kind of internal growth, that's more or less the time where I sold the company I was CEO of to Rapid7 and Dean and I knew each other

very well. And he kind of made the right assumption. I'm not going to stay in the enterprise world and and kind of do another gig in startup. And that's kind of when he reached out and said, why don't we find the structure that can work together doing innovation from within Axonius. It took us a few days to think about it and we quickly came to kind of this very innovative, I, I must say, model of Axonius X, which is really an incubator

from an existing startup. Now back then Axonius was already kind of growth startup, but still a startup. And to build kind of an incubation from within is something that is not trivial. So I joined together with my co-founders of Axonius X with Rory and Hen and we established this unique model where we constantly on the lookout for new products, new areas that we can evolve the Axonius platform into.

And that's kind of what we what we work on. First product was in the SaaS management space and our second product is in identity management. So you mentioned sort of like asset inventory and we just did an episode where we talked about attack surface management and identity being part of those things you need to manage in inventory as well. Is that the genesis, you know, for this I guess kind of turn

towards things? I mean it seems kind of logical to me. It's like, OK, we you can only protect what you know about and sure, laptops hardware, right? That makes sense. But identities are something you should know about as well, right? Is that is that really kind of how this started or was there something else that drove you to kind of build this solution?

No, this, this is very much it. Now it came from customers, not from us. So I would say asset, the moment you, you speak about asset, asset can be various aspects. So you're right, like they they need a default and asset is a device, it's a laptop, it's a server, it's a workload and so on. But four years ago when we started thinking about our first product in Axonius X, customers told us, look, we now have new assets called SaaS applications.

We want to treat them. They're kind of beyond our perimeter. They're not right in our control. This is something we need to manage. We need to treat it like another asset from configuration perspective, usage perspective, users perspective and so on. And that's kind of what got us into dealing with SaaS as another asset. And then customers told us, wait, you're already dealing

with SaaS. Now there is another asset exactly like you said, Jeff, which is identities, which is becoming more and more important. We need to treat our identities as another asset inventory that we have in the company. We need to have full visibility on all of the identities that we have, whether they're non human, whether they're human, whether they're on-prem, whether they're

SaaS, whether they're on cloud. And we need to treat them as if there were another asset that is important to manage, important to see the usage of and so on. So absolutely, the way we see identity is yet another asset that the company needs to manage and that's what customers told us and that's what we are doing. So I'm always fascinated by the naming of companies, and Axonius is pretty unique. Tell me about how you know, what does the name mean? Does it doesn't mean anything?

How did you come up with the name Axonius for the company? Yeah, so, so I did not come up with the name. It's the founders that came up with the name. And actually Axonius is well, they thought of of a name that starts with A. So that was one of the one of the first parameters and then they thought of a certain section. Actually, as you can see in the logo is actually a practical in the neuro system that connects between different areas of the neuro system, axon.

So this is actually kind of the connection of the first axons. So that's how the name and that's what we do in Axonius. We actually connect data, we connect information, we connect information from multiple sources to become this kind of nervous system so to speak of the organization. I love that that's such a good little like Easter egg for people who aren't familiar, like neurons. And. Stuff like that. Yeah, that's a great way to like, you know, put it.

The Importance of Identity Visibility and Intelligence

So you're in this space that Gartner is calling IVIP or make sure I get it right. Identity visibility infrastructure platform. So tell me about this intelligence. Identity visibility intelligence. OK, intelligence. So thank you for correcting me. It's new, new to me. I had not heard about this until, you know, just recently. So IVIP identity visibility intelligence platform.

What is that space? And then I guess you know, the, the, the $1,000,000 question is what is it that makes you guys different in that space? Or maybe some other vendors that might be playing in the same area? Absolutely. So it is brand new. It just came up in the very recent I digital identity hype cycle that Gartner released in in July. So it's very, very new. And this new category I guess is is some of a symptom that we see today in general in the in the

identity or IGA space. So over the last, I would say year or two, we we started seeing a lot of bespoke categories that are kind of breaking the traditional IGA. We start seeing NHI as a new category, we start seeing ITDR as a separate category. We start seeing ISPM as another category. And I think that actually demonstrate the fact that the IGA world is now going through some disruption or some transformation.

The area that Gartner identified as IVIP is really around bringing visibility and intelligence into identity. So it's clear today that identity resides in many, many silos in many, many areas of the organization. It's no longer a monolithic environment that you can have all of your identities managed on your single AD or your single SAP. And that's why visibility is becoming so much more important because identities, permissions, entitlements, today they reside everywhere.

And unless you have very profound, very broad visibility of the entire organization, the entire pockets of where identity resides, you, you're always missing out on something. And then if you don't see, you cannot actually manage it. And that's why the visibility part is important. But what Gartner actually very wisely did is they aligned it with what they call intelligence, which is the visibility by itself is not. It's good, but it's only a first step. You need to make sense of what

you're seeing. You need to make sense of the context of those permissions. For example, you need to make sense of how a single permission is connected to another one, how you can cluster them together, how you can do a much more profound role mining, how you can come with much more a smart analytics and, and maybe kind of use of AI in terms of recommending, of roles of recommending, of functionality. And that's exactly what we do in Axonius.

So as I mentioned in Axonius, we're all about data. First we bring the identity data into one single place creating one visibility. But then we are able to actually go to the granularity of this data and drive analysis and smart recommendations, smart actions from what we are gathering in order to make sense of your entire identity life cycle. Unlike other maybe players in this category, we also evolved from IVIP into proper IGA.

So we don't see kind of IGA as a as a kind of a separate area. We think that through visibility you can actually manage much better your IGA program, your IGA capabilities. And within our product, we also have like the bread and butter or the core functionality of IGA, like access reviews, like a role mining, like identity life cycle management and so on. So Amir, I'd like to get into the products a little bit.

Challenges in Identity Management

And first thing I'd like to understand is kind of the why. So why do organizations find themselves needing the Axonius products? What is the problem that they're trying to solve? I think I think the first problem that we saw actually I would say two the first problem that we saw is, is around this visibility and the fact that today there is all of those silos of identity in the

organization. The more organizations are becoming complex from cloud deployment, from SaaS deployment, even sometimes even just with on-prem multiple ADs that are sprawling, M&As that companies are doing, all of a sudden there is identity that resides in so many different places, entitlements that are spreading around non human identities that are becoming more and more and more important. And organizations are losing track or or losing ability to capture all of the identity that

they have. So the first really challenge that we come to solve is creating that single visibility from any source that you have identity residing in. And that's kind of what we know how to do in Axonius. Axonius, we know to connect to any data source. We have today over 1200 off the shelf integrations, we call them adapters. We know how to correlate them, deduplicate them, align them into what we call this adapter network under a single data model.

And then you get basically a single identity store where you can start driving analysis and actions from. So the first challenge is really this visibility challenge of aggregating all of the identity into one place. The second one which is slightly tied to that is the time to value. We see with traditional IGA solutions out there time to value is something that is really mind boggling today. You know an IGA program can run 12 months, 18 months, 30. I heard you know even 36 months

as being very, very common. We want to narrow that down. We want to enable an IAM practitioner to be able to drive strong solid recommendations on what should be, it's a birthright rules on what should be the mover rules on the leaver side of things, on assigning owners to non human accounts and so on within a matter of weeks, not within a matter of months. And our ability to narrow down that timeline is driven first

because of those integrations. So we, we don't need to spend months and months of building customized integrations and and connections etcetera. We already have them available. We already correlate them and align them in single data place that narrows down by a lot. And the second thing is by applying smart AI that can come actually with very solid recommendations upfront. And by that we we actually reduced substantially the time to value.

That second part about the time to value is that's an awesome selling point. But I got to tell you as an identity practitioner, the first point that you brought up was really to me like what resonates? You need to have one place to go to know who has access to what. I think you're looking at it from a unique perspective, which is really hyper fixating on these, on the data. And so maybe you could dive into that a little bit further. What what is it that you keep talking about data being so

important? Help us understand why. Why is that the perspective? Yeah, I think at the end of the day, there's maybe in high level two ways of looking at the IGA. 1 can be more of a process oriented way of putting in place kind of a procedures and processes in the in the organization. The other one is is data-driven.

The reason I think data is the more important one is because at the end of the day you can collect a lot of you can drive a lot of processes around the identity policies and so on. But if you don't collect the right information, the right data, for example, to the level of resource level, granularity of permissions and entitlement, whether Jim has a permission to access a GitHub repo that Jeff is not allowed to to access.

This level of granularity of of access, of entitlement, of permission is very important to first have a comprehensive view of it. So you need to know of all of the permissions, all the entitlements that exist in the organization. And secondly, you need to make sense out of it in in the right context.

So you need to make sure that the permissions are being aligned, entitlements are being aligned and it all stems from from a data perspective and not so much from whether you have the right kind of, I don't know, policy in the organization to give the employees access at the moment they join the company. The other aspect is that with a lot of companies, we find a lot of historical information that that resides.

So companies accumulate throughout the years a lot of rules and policies, a lot of garbage groups in AD, a lot of, you know, provisions that are not even in use in the company. So in order to drive something that I, I think is a lot, a lot kind of forgotten a lot to drive identity hygiene, you need to have proper data and, and you need to constantly make sure that the data is, is, is in good hygiene mode.

And this is something a lot of IAM teams are neglecting, unfortunately, because it's a very kind of maintain task to just go over all of the groups constantly and clean them up and make sure that the roles are right size and, and so on. But if you accumulate all of that dust or garbage over time, then you, you don't see what you really need to see. You don't see the real roles that you need to manage. You don't see the real permissions that are faulty.

And I think that you can only achieve when you get the data right? No, that really resonates with me. I mean, we've always said garbage in, garbage out. I know that identity practitioners are doing their best if they need to have the tools to make it so that it's scalable.

Because the the issue that you're bringing up is that there's just too much to do bottom line, that if you don't have the automation, you don't have the tools, how can you be expected to succeed That you earlier brought up something else that you know, a lot of different things are happening within the industry and people are trying to bring different flavours. You've run up the non human identity part of the story, which really resonates me and Jeff, we've talked about it a lot.

You know, non human identities is not really a brand new story. And you know, we started in this industry over 20 years ago. We're still dealing with non human identities, but now it's gotten to the point that it's expanding so much. You mentioned workloads, devices, everything's got identities now, so it's a bigger problem. And these non human identities are often harder to secure with like multi factor authentication, things like

that. That's a big lead in for a very simple question, which is, from your focus, what kind of accounts does this visibility matter the most for? Is it the humans, is it the non humans, or is it really both? Or should they be looked at almost equally? It's both. I I I think that there should not be discrimination in general between humans. So I think there's also should not be discrimination between

humans and non humans. If we look at the organization down the road, let's say let's take kind of a leap of faith 20 years down the road, at the end of the day, you'll have a lot of AI agents roaming around. You'll have a lot of service accounts. Everything will be in service accounts in my mind. And you'll have some humans, but they will all need to be treated more or less the same way.

Of course, they will have different traits and different behavior and so on. But from an identity perspective, if you look at the company. The identities in the company will be those agents, they will behave like employees. You know, they, they will drive decisions, they will drive automation, they will drive maybe a lot of the functionality of the, you know, of the service

that the company provide. You will have, of course, humans, sprinkle of humans and, and you'll have and you'll have non human identities, service accounts that they all of those humans will be managing and so on. So you cannot really kind of discriminate between one or another. At the end of the day, all of

those are identities. And the shift we're seeing by the way, today of security to be kind of identity first is all driven by that because at the end of the day, to protect the organization, you need to protect the people or the machines that have access to data and you need to treat them

the same way. So that's why our philosophy is that you need to aggregate all data, whether it is of a service account and making sure that you know who's the owner of that service account and what permission this service account has, whether it is a human information, which is easily maybe getting information from your IDP.

Yeah, MFA is very much kind of relevant source of information, source of a of a mean to manage human accounts and all the way to maybe agentic AI and how those kind of sprawl around. You need to bring all of that information one single place. And of course for each one try to drive different actions and different maybe automation on on kind of monitoring or protecting, but it all needs to be treated from from same perspective. You cannot say you're going to

silo that. So that's a great overview on why Axonius was built, why customers might want to use this tool in their environment. Just talk about how so identity,

Axonius's Approach to Identity Visibility

visibility and intelligence. How does Axonius make the visibility piece happen? Yeah. So from our perspective, it's relatively straightforward. The first thing that you do with Axonius is that you connect to sources of data. Axonius is not about deploying another scanner or another agent or another kind of a tool that they will drive kind of an additional, additional discovery proactively. The way we do the discovery is actually leveraging already the investment that was made in

other tools. So we would connect to your AD, we would connect to your Okta, we would connect to your AWS, your GCP, your Azure, your Salesforce, your SuccessFactors, your you name it. Any application that has some aspect of identity to it, we drive those connectors through what we call adapters. Most of them already we have

out-of-the-box. So it's basically just putting in place the integration with API and you get, you get that in and from the moment you connect those adapters, you already have in our database, in our data model, all of the information within kind of a matter of a fetch cycle. So it could be as short as 15 minutes or 24 hours depending on the on the fetch time. And from that point onwards you can actually start driving decisions.

You can first see any kind of anomalies that you see in terms of maybe administrative permissions that should not be having access. So like excessive permissions that they were given to some of your admins. You can see for example, anomalies say entitlements that were given compared to different groups. You can start driving decisions by right sizing the roles that you have in the company. You can actually drive this hygiene factor that I mentioned in terms of removing of stale

accounts. You can make sure that you have ownership to all of those non human accounts. A very common use case, and that is, is now maybe top of the of the hour given the CyberArk acquisition by by Palo Alto is, is PAM, making your PAM actually much more up to date. We can help you do that. We can help you make sure that all of your privileged accounts are the right ones.

All of them are actually configured in your PAM and we can make sure that the PAM doesn't have any noise of accounts that are no longer privileged or no longer existing in the company. So we can make sure your PAM is always up to date. We have those various use cases that you can actually start driving that's kind of more from a visibility perspective and hygiene perspective.

Once you have the hygiene part kind of I wouldn't say sorted out because it's a never ending task, but in a good, good stage, then you can actually go to the next layer of driving in my mind, kind of proper IGA coming with recommendation, leveraging our machine learning AI, recommending which rules you need to apply in the company in terms of birthright rules, in terms of leaver rules, in terms of mover rules and so on. So we can come with our recommendation.

You can actually start doing it by your own IAM team that they will start managing the identity life cycle there. And you can constantly monitor that you don't have any gaps in terms of like potential misbehavior, let's say of a of a non human accounts or human accounts. So we have constantly tracking of detection of, of, of the behavior of the, of identities to highlight any kind of malicious activity or abnormal activities. So that's kind of the ongoing monitoring of things.

Yeah. And that aspect, just, I get excited about that the, it almost sounds like user behavior analytics, which I think I have this moment in the sun. There were some implementation challenges with it, but to me, it always made a lot of sense, especially now with the advances we're seeing in AI and machine learning. Talk to us a little bit about what Axonius brings to the table in terms of like spotting the abnormal behavior.

Leveraging AI and Machine Learning in Identity Management

Yeah. So we have our own data scientist team that developed a few algorithms around machine learning and we have a few areas in the product that we apply them. So one kind of the most trivial one, as I mentioned is around role mining, for example, which is relatively simple case. It's all about having the right data before you apply the ML. So if you don't have like clean data and the aligned data doesn't matter how good your, your ML algorithm is it, it will just fail.

Second one is really by applying kind of recommendation of rules and policies. And that's again something that we do both using kind of ML and as well as also using Bedrock for kind of the LLM part of it. And that's kind of more in the recommendation of policies. And the last piece is really kind of monitoring the behavior. So you're right that the user behavior is something that is not new.

I believe that today the technology and the tools that exist out there enable it to be much more, I guess effective in terms of the balance between the amount of data that you need to collect versus the analysis that drive some meaningful analysis. And I think today we, we reach some sort of a balance that you don't need to collect endless infinite amount of data in order

for the results to make sense. You can actually drive the baseline relatively straightforward in a, in a sense of, I would say a few weeks of, of data consumption driving some references or kind of referring from traits that you're seeing in as to what the baseline should look like. So there's a lot of inferring of data to kind of almost predict what kind of the the baseline looks like. And then based on that, you can start kind of highlighting,

highlighting abnormal behavior. And of course, you need to constantly kind of train the model that that it can can learn that it's on the right path or wrong path or wrong path. And the models today really know how to train themselves much more effectively and much better than I guess they did a decade

ago. So I think from that perspective, you're reaching kind of a point where the amount of data that you need to collect versus the output that is precise and not just creating noise is becoming effective and efficient that that that was not the case many years.

Ago. Oh, yeah, it's like you read my mind because that's really what I was talking about when it came to challenges was in the past, it seemed to me like user behavior just required tons of data to the point of almost for some organizations being unrealistic, the amount of data.

So it sounds to me like if I heard you right, it's well we need, I think you said a couple of weeks, maybe a month of data and then it's about having the precision of the data, right, not just getting data for the sake of having data. Exactly, exactly. I think what we know what to do very well in Axonius, but I think it's it's also general today is to collect the right data points that can infer of of patterns. OK.

So it's not like in the past that you collected barrages of data and then kind of start applying a lot of cleansing on it and so on. Today you really know how to choose what are the data points within the logs, within maybe the permission attributes, within the user attributes, What are the data points that are actually going to be most significant to infer what is that kind of state status or like the the baseline state. And from that derive what, what's kind of the anomalous behavior.

So it's it's much less logs, much less data that you need to actually. Pick. Yeah, I do want to clarify that. So when you talk about data, you're talking about log data, right? You're you're talking about collecting logs. What are the the typical kind of systems that you're grabbing the logs from? Yeah. So it's not only logs, not only logs, it's a mixture of.

So if we speak about logs for behavior usage, it would be like your Okta logs, your GCP logs, your Google Workspace logs and so your Entra logs and so on. But it's not only logs, it's also the actual information on permission data that you get. So like permission data from GitHub or permission data from Salesforce or permission data from Monday. Those are actually very, very valid points.

Understanding Permission Changes and Their Importance

It's not just to see the the logs in terms of the usage. Even seeing kind of a permission was changed over time X amount of times or a permission was changed or elevated or de elevated. That's also a very good source of information. It's not just the fact that Jim now did the login or, or another login or another login. Yeah, yeah. That's important. So I think you explained why somebody would want Axonius, what is the business problem that they're trying to solve.

You talked about how the system works and identifying that it looks like Jeff's account is doing something that normally doesn't do. So I assume at that point you're doing some kind of alerting, like what is the output of the Axonius system? Very, very good question. So I think what we realized at Axonius over the years is that

The Role of Observability in Axonius

visibility, observability is actually great. So observability, the way we define universal visibility is like not just doing the visibility layer, but also recommending what it should look like. OK, so that's kind of observability, but you cannot really stop there. You need to drive then to action and this is something that we've invested a lot over the last couple of years in Axonius in general in the platform of

Driving Actions with Axonius

driving more actions and building our action repository, so to speak. So today we have over 400 out-of-the-box actions that we can drive from the platform. Again, there are actions that are in the targeted systems that we connect to. So for example, an action can be decommissioning an account in Office 365 and an action can be a revoking and a token extension and an action can be open an alert in your Splunk and so on and so on.

So there is various kind of types I would say between just the e-mail alert and all the way to a kind of a more forceful enforcement that you can drive in an application. All of that are a set of actions that you can actually trigger with workflows in Axonius. So let's take an example, a very

Common Use Cases and Workflows

common one is non-human accounts ownership. That's probably the most common use case that we come across with customers. They want to make sure that every non-human account has an owner 100% of the times. So if Jeff now has five service accounts that he is responsible for, tomorrow morning Jeff is moving to another section of the company and now no longer he's responsible for any service accounts. What do you do? You have those like headless service accounts that are

spinning around. Nobody is taking ownership. You want to make sure that immediately at that point of time there is an assigned ownership to somebody else. Let's say Jim is the kind of super uber admin in the company. And maybe by default, every time there is an admin that is moving that those service accounts

immediately roll over to Jim. You can have an easy workflow that constantly monitors for anyone leaving, changing, de-assigned, etcetera from specific service account in AWS. And the moment it happens, this account is automatically assigned to Jim. We drive the action in AWS that now the new admin of that service account is going to be Jim. That's a very, very kind of easy example, but it can get more complicated than that.

It can be kind of workflows that are around movers, for example. So people moving from one department to another, revoking all of their permissions by default or actually giving a grace time of not revoking the permissions and waiting and maybe raising a ticket or opening kind of an alert to the manager and so on. Amir, I'm imagining that our listeners or people checking this out on YouTube, it's a lot to absorb because it seems like Axonius really does.

Axonius as a Swiss Army Knife

It's almost like a Smithsonian. Like you've got the intelligence, you get the visibility and the intelligence. You've got traditional IGA tools to manage your environment, but on top of that, you have this detective functionality to see when accounts have potentially been compromised and start to take action on that. How many years does it take for a client to roll out

Axonius? Yeah. So, so actually use the very common we hear the Swiss Army knife every time and we didn't speak about it even when we prepared for this. So Swiss Army knife is something that we keep hearing again and again from customers because like you said, I think the breadth of functionality that exists in the Axonius platform is really unbelievable. Now to some extent, we actually want to make sure that it's a

Ease of Use and AI Integration

very, let's say, easy to use Swiss Army knife, OK? So it would be very intuitive for a customer to know which like a wine screw bottle to open and which a specific knife to pull out of this Swiss knife and not not be puzzled by too much functionality and too much richness.

And the way we do it is first, we're now applying AI within the platform, OK, of kind of recommending, so kind of more this agentic AI concept of asking a question and getting kind of the result and helping you navigate through. Plus also, we have a very, I would say, relatively intuitive and simplistic UI and UX ability that we applied especially in IGA. I think it's super important.

And when we looked around to the existing IGA products out there, existing IGA tools out there, I must say, a lot of the UX that we found was very choppy, very kind of convoluted and and very not intuitive. And that's why we put ourselves as a, as kind of as a, a mission to make sure that it's very easy to use. So you can become an expert on

Axonius, of course, endlessly. There's always more room to learn and more room to do. And especially if you connect more data, then of course, each new data source has new aspects that it adds to the mix, you know, so the more information that flows into Axonius, the richer it gets. So that's why, you know, it's almost endless how much you can

become an expert. But I would say that with most of our customers, first we have our own kind of technical account managers that support customers during the onboarding and make sure that they are acquainted. We have also a lot of partners that they run very kind of rigorous training and the certification programs. But as a user, I believe within a matter usually of a month, a couple of months, you can easily kind of be a self-sufficient kind of expert, so to speak.

And the moment you want to do something more complex or of course, we, we more than welcome the moment you see kind of a gap that we need to, to address, we, we actually welcome that input to work in there and achieve that with our customers. Right. So it seems like kind of getting off the block you can do relatively quickly.

Starting with Axonius and Measuring Value

I'm wondering with your clients or your customers, how you know where do they normally start? So Jeff and I have been consultants for a long time. In this identity space, we often use the term don't boil the ocean, right? Correct. You know, don't try to actually use the Swiss Army knife, but you don't need to learn how. Yeah, yeah, yeah. If you need to open a wine bottle, use the corkscrew and leave the other things till you know phase two or whatever. Where do your clients?

How do they usually start? So, so I think actually going back to this new category that Gartner created called IVIP, I think that's actually a very, very good place to start with Axonius. So creating this kind of visibility intelligence, making sure that you have the initial

data sources connected. So kind of a maybe a dozen or 20 initial data sources that are the most important ones for the organization connected, creating that first initial visibility, unified visibility within their organization and start driving intelligence there. I would say that's probably where I would start most likely in the identity hygiene side of

things. I think that's where you will start kind of driving very immediate value out of, you know, off the shelf kind of within the first two months you will achieve identity hygiene that would have taken you years to achieve without something like Axonius. And from there actually start kind of defining your own kind of road map into areas that are important for you.

For example, you want to tackle non-human accounts because that's kind of the new danger or the new risk that you associated in the company or you want to drive, as I mentioned before, this PAM enhancement, we see that very common actually with customers these days.

So you can start there. You want to drive it more on kind of compliance perspective because you now need to have, just the other day we had a prospect saying I need to meet my SOX in December and I must have a basic IGA program running by December. Yeah. So that's kind of a good, a good compelling event to drive kind of compliance. Make sure you have your access reviews. That may be the first thing that you so it really differs from one area to another.

And I think that's kind of the value of Axonius. That doesn't matter what's kind of the immediate use case that you want to achieve. The moment you get this visibility intelligence in place, you can then start navigating for your own need within your own organization as to what's the next step and the following step that you want to take forward. How do your customers measure the value they get out of your solution?

So one very easy area that they, we've heard from a lot of customers is by reducing the amount of cost that they need to have on their identity on, on their IAM program. So the amount of hours that they some, some are measuring, for example, by the amount of tickets that they that they need to manage the IAM tickets and that reduces significantly. Another one can be by the, the amount of time that it takes to

drive an audit, a compliance. So our ability, for example, to drive very, very efficient access reviews, recommending actually managers what to approve, what to disapprove and so on. That actually makes it much more efficient and reduces the time for an audit. Another aspect of course is just by the fact that some companies need to have an IGA, as robust as can be IGA program in place and with Axonius they can achieve that in

a matter of months. We, we just kind of had a customer out of out of Georgia, you mentioned Georgia before, so out of Georgia that they actually had to put an IGA program in place. They were managing their IGA manually for many years, like trying to do a lot of open source and scripts and so on. And they outgrown as a company. They already scaled up and they outgrown that.

And their KPI was to get to an IGA program by the end of the year, make sure that they have a full identity life cycle and so on. And I'm proud to say that with Axonius, it didn't take a year. It took like a quarter in order to achieve that. So that was a very kind of strong KPI they were able to meet. So you're tapping one of the hardest parts of anything in identity, which is that visibility part, right?

Collecting, correlating and saying OK, here's Jeff and all the X number of accounts, no pun intended, that I have, you know, across the environment. Where does it go from here?

Future Directions for Axonius

Because you mentioned things like IGA and I've always thought of IGA as sort of the center of the universe when it comes to IAM, right. It's the thing that typically would collect here is Jeff, and then here are all the systems that are connected to it off the different spokes. Where do you see Axonius going from here?

Is it being that sort of source of truth for maybe not just identity but other assets and other things that your platform consumes as well or how do you see that taking place? Yes. Absolutely. So Axonius at the end of the day is a system of records. You know, we are a data company. What you can drive is a Nirvana of a data company is really to be a system of record and the source of truth for the organization.

So we've already in many organizations are currently the source of truth in the kind of traditional asset world and they go to us as their source of truth for all of their physical assets, cloud assets and so on. In many organizations we're the source of truth for anything to do with SaaS in terms of configurations etcetera and absolutely also in identities. That's what we want to achieve. We want to be the source of truth, the system of records for many others.

One of our advisors, when we were starting to think about identities, he was actually an advisor for us also on the SSPM side of things. And when we told him that, look, we are actually exploring identities, etcetera. And he said, are you really sure you want to do that? That's very, very hard to do. And we asked him why. Why do you think it's? He said, because you will become you. You need to take upon yourself to become the source of truth for identities.

It's like that's a very kind of challenging task to take. And but then he continued in saying, but if there's any company I believe can do that, you already kind of prove that to me that you can do it in the asset management space and now in the SSPM space. So if there is a place you know that you should go to is that, but be prepared. It's going to be very, very hard and we like doing hard things.

So so we we took the challenge. Well, you know, I ask that my question every all the time, like why am I an identity? And you're totally right, because it's always something that comes along. That source of truth is such an important part. But that's really only like half the equation in my mind. So that's great to collect all those data. A lot of companies collect data. The question after that is like, well, what do we do with it, right? Is there automation?

Are there insights we can drive? Right? AI is kind of, you know, taking the forefront here of being that thing, but how do you look at automation of that data? Because it's one thing to discover. It's another thing to. Absolutely, absolutely. So as I mentioned before, visibility and observability is just kind of the first step, driving actionability, that's kind of the end game. And the driving actionability in identities is probably the most important thing.

You want to make sure that you have as much as automation as possible that you can rely on, of course, but as much automation as possible to drive your identity lifecycle management, as much automation as possible to drive your access

reviews. For example, one of the ideas that we heard from a customer is saying forget of all of those access you need, you need to have like self approve access reviews and you need to rely on employees in the company that will self approve their own access. You then need maybe to have automation that will certify that their own self approval was actually the right one and there was no kind of segregation of duty, you know, breaches that

happened. But if you can drive automation that constantly monitors that, that constantly check, you can actually save a lot of time. So the more automation that you drive, the better. And I think that at the end of the day, we also developed like a core workflow engine. The real key essence is by the amount of actions that that workflow engine can drive. And actions in our mind is the amount of actions you can drive in systems themselves. So we don't need to recreate actions.

We believe today in every tool, in every product that exists in the organization, there is enough actions that can be taken there. We just need to be able to trigger them and and leverage them in the best manner. And there will be new actions that come up based on new data types and all that stuff, right? Absolutely, absolutely.

And again, I think going back to ML/AI, that's kind of where AI actually plays a very, very good role in terms of driving smart actions and simple actions that constantly pop up and can be addressed immediately. So. We're going to have more information, you know, in our show notes for people to check out axonius.com/idac. What can people expect when they get to that web page? Like what is, you know, something that if I'm listening to this, I'm like, all right,

sounds interesting. Let me go check this out. Can you give us a little bit teaser of of what people will find there? Sure. You'll see there are a lot of use cases that we discussed here around, for example, NHI monitoring around our concept that we didn't go into here of moving from roles to rules. So the industry has ever been in kind of the role management chasing the tail type of exercise of constantly managing

the roles. We believe that there should be a shift from roles to rule management. And you'll get to see some of our philosophy around there. You'll get to see some of the use cases such as PAM augmentation and so on, how we leverage a machine learning for role mining capabilities and many other kind of the use cases

that we discussed here. Are you guys going to be at any conferences coming up and when this airs, it'll be in September, but I imagine maybe things like Gartner or maybe Identiverse or things like that. Yeah, absolutely. So we are very much looking forward to being in Gartner Grapevine in the Identity and Access Management Summit. It's going to be our second one. So you know, we're newbies to the community.

The Identity Community and Upcoming Events

So it's a it's really, really and actually we didn't mention that at the beginning, but I think it's very humbling experience to be part of this identity community. I'm coming from cyberspace for many years to RSA and others and and cyber has become kind of a bit of a jungle to be honest. Whereas identity, the identity community still has this very unique tight community feel to it. I've seen it in, in Gartner Grapevine last year. I've seen it in Gartner in London last year.

I've seen it in Identiverse in Las Vegas. It's like people know each other. People really feel for each other. People have been in the trenches together and there's a lot of knowledge sharing and much less kind of, I would say competition or kind of much less kind of a wall building. So I really, really, I've enjoyed, you know, almost every practitioner I've met so far.

So it's really, really nice to be part of this kind of cozy community, if I may say so. So yeah, definitely we're going to be again in Gartner in Grapevine. And I would welcome anyone that wants to have more time with us and we're gonna be there, full team, to kind of learn more about the product and what we've experienced and also give us suggestions of what else we should be doing with this kind

of data first approach. And of course, later of the year, you know, in Gartner London and Identiverse again. Absolutely. Well, Jim and I are going to be at Gartner, so we'll make it a point to stop by and say hello and give you the official fist bump of gratitude for the Identity Center podcast. I want to wrap up the

Skiing Adventures and Tips

conversation with a little bit sort of non-IAM kind of talk here. We were talking as we kind of got prepped for the session, that you got into skiing and you also have some kids. And I'm wondering, do your kids ski? First of all, that's the first question. Do your kids ski yet? Yes, so both of my daughters ski. I have a four-year-old daughter and a 7 1/2-year-old daughter. The four-year-old daughter started skiing last year. So for somebody from Israel, that's not normal.

We don't have a lot of snow in Israel. So, but yeah, I, I made it as a kind of, as a, as a mission to make sure that my, my passion and hobby I can enjoy with my daughters. I like enjoying stuff with them and, and having the experience with them. Speaking about identity, I like kind of see how their identity is being built, you know, over the years. And for me, skiing is part of my identity.

And I, I'm still waiting for the, you know, for the time where I can be on the slopes together just with the two of them. And, but it's, it's great to see how they, they first, they love the snow, which was like the first fear. I didn't know how they will they will take. And secondly, they actually kind of enjoyed the challenge of learning something new that is not very common. And it's like they're they're a thing. So that's that's a very, very

nice thing to see. So I've never been skiing and I feel like I would probably be on the four year old's level of teach me how to ski. Like what is what is a pro tip for people out there that are either like me, never been skiing before or have, you know, younger children? What is, was there like a tip or something that you can give people say hey, here's how I would start.

I think the first thing is like forget about, like most people fear about kind of the moment you're on the skis and you don't have the regular control that you have over your feet, you need to just go with the flow. OK, So don't be afraid to fall. Actually falling is great. The earlier you fall, the better because then you know what it is. So like I encourage my daughters to fall actually, because the moment they fall and they know how to get up.

That's, that's good. You know, it's, it's kind of like in, in, you know, in innovation, you need to fail fast. So I would, I would say that that's probably the best advice to fail fast. So to fall early and kind of that removes the the fear away and then just go with the flow like your legs will will let you will will take you on, Don't worry. Is there a dream skiing trip that you'd like to take with your kids? Oh, absolutely.

Yeah. So the place I enjoyed most skiing in, which is like phenomenal, I advise any ski lover to go, is in Hokkaido in Japan. You ski on a volcano. You have powder snow almost all year round, like all season round, beautiful views. You know, it's not as high, but beautiful, beautiful views. Then at the end of the day, you end in an onsen, which is a hot spring, which is another experience.

And I love Japanese food. So you have best Japanese food that you can dream of. So yeah, my, my dream is really taking my daughter. And I actually we went with our daughters to Japan last year and they love Japan. My my young girl the other day was at camp and she did the cupcake and that she came back and said, see that? You see what, What did I draw here? I told her it's a mountain. She said, no, it's not the mountain, it's Mount Fuji. I want to be back there.

So yeah, they love Japan. So definitely going skiing in Japan, in Hokkaido with my daughters, that will be a dream come true. That sounds great. I mean, obviously it made an impression if they're drawing mountain, you know, drawing pictures of mountains. I've only been to Japanese airports. They keep talking about Japan almost every other day. That's a bucket list spot for me, Jim. Have you been skiing? Jim, I think I might have asked

you this before. Yeah, yeah, I've skied a few times, but I consider myself a beginner or someone who sucks at it. So at this I can really give you tips. First off, I think Amir's right. You're going to fall. Just wear a lot of padding. I don't try to go skiing in like blue jeans and like you got to get ski pants because otherwise you end up wet and cold and then it's just like a bad experience.

So if you're going to do it, I say get, you know, make the investment, get good ski pants, a good ski jacket so you're not cold the whole time. And then so my #1 tip would be take a lesson. Even if you're in your 50s or even older, it might be kind of embarrassing to be there with Amir's 4 year old but or she even she might fly by you as you are taking your lesson. Who cares? Just suck up your ego and do the lesson. Not at all. That, that that's exactly what

my, my wife did a few years ago. So when we got married, I told her, too bad you have to learn skiing. That's what we're going to do every winter. And actually, yeah, she she took a lesson and, you know, she was already old. She took a lesson. And actually, she started at the beginning she was cursing me. But now, now she's starting to get the hang of it. And she she loves it. Yeah. Yeah, you're going to have to edit that out because Amir just called his wife old on and it's good.

This episode is going to live on the Internet forever and I don't want the poor guy to get in trouble. So you're absolutely. Right. Maybe we'll use AI to like, you know, over dub it with like, you know, experienced or something like that, right yeah wise, right. Something that's like that. Those are good tips. And the other thing I like I think I like about skiing is you can be totally anonymous if you

want to do it right. So if you are sort of and you know that self-conscious, you can throw on a ski goggles and a pad and you'll go to, you know, I would put on like the old Groucho Marx glasses with the fake mustache, the big nose, just to be, you know, clear, you know, that kind of thing.

And but so Jim, you mentioned the wearing the ski pants. As a Chicagoan for almost my entire life, you know, I'm thinking like shorts and like, you know, a hoodie, right, something like that. Like that's the official winter gear of a true Chicagoan, I feel like. Yeah, but a true Chicagoan is not falling in the snow every 5 minutes, so you do what you want. All right, let's go ahead and leave it there for this week. Amir, thank you so much for

Conclusion and Final Thoughts

spending time with us and getting us up to speed on Axonius. So we're going to have a bunch of links in our show notes for people to check out. We'll have a link to your LinkedIn profile so people can reach out with either questions about that or skiing or whatever it may be. You can visit them on the web, axonius.com/idac. There'll be some more information right there. Again, that'll be a link in our show notes. And yeah, I think that'll do it for us. Visit us on the web

idacpodcast.com. Show support. Like, subscribe, do all those fun things to share out with people so we can get great guests like Amir to come back and share more stories with us. So with that, we'll leave it for this week. Thanks everyone for watching and or listening and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and

review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.

Transcript source: Provided by creator in RSS feed