¶ Introduction and Casual Banter
This is identity at the center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Good.
¶ Discussing Identity Fabrics and Leadership Compass
Hey, I've been reading the recently released Leadership Compass from KuppingerCole on identity fabrics. It's, you know, as most analyst reports, there's a lot there. You're a real nerd, man. Well, that has nothing to do with this, but yes, it's also true.
But that's totally unrelated. But yeah, I've been reading this thing and you know, it's kind of like I'm still trying to wrap my brain around identity fabrics a little bit to think that there's a leadership compass that lists vendors and kind of says, OK, these are the vendors that do identity fabrics the best. Because I always kind of think of identity fabric as kind of product agnostic or vendor agnostic, vendor non-specific.
It's kind of like saying there's a leadership compass for zero trust. I mean, zero trust is kind of a concept that a product can kind of emulate, but there's not a product to go and do zero trust with, right? Yeah. But this, this is our desire as human nature to rank things, right? We have to have a list for everything. So, you know, identity fabric is just one of those things that we
rank. And I still think it's a, it's a concept constantly under definition and maybe redefinition as we're kind of figuring it out. I had a really fun conversation with Eric, my friend Eric from Gartner, actually. So this was at, I think it, where was it, at Identiverse, I think. And he kind of explained some things to me and I was like, OK, I can kind of understand how that goes. So yeah, I it's, it's an interesting space for sure.
But I love the fact that we have like, you know, rankings to help me understand, OK, where do things fit together? Because there's just, there's just too many products, man. I can't keep up with all of them. Yeah, but I, you know, I really got big on the identity fabric concept at EIC last year. I'm hoping that, you know, and obviously KuppingerCole is the firm that puts on that conference. So the ones who released the Leadership Compass. So they are kind of driving this
concept. I want to keep learning more about it. The reason I brought it up was mostly just to mention everybody, if you want to get a copy of this thing, here's the free way to do it, which is, you know, go out to I'm not, I'm not, this is not a product pitch, but go out to Cyberx website. They've got it there. It's a free download. Yeah, you got to give a little bit of information, but you can go ahead and get a copy of that report and read it for yourself.
Exchange your e-mail for information. That's pretty much how that works. It's true they got to get a little something. I'm sure they paid KuppingerCole to have it on their website. But anyway, as a listeners, like I'm all about, you know, telling people how to get some free stuff without breaking the law. Yeah, without breaking a law. That's the, that's the key part here. You know, don't, don't and don't turn to us for legal advice. We're not lawyers.
We're just a bunch of identity nerds on this show. Yeah, exactly. So anyway, hopefully you can go out and check that out. Yeah.
¶ Upcoming Conferences and Events
So other things people can check out are smorgasbord of conferences that we have coming up and other things that you and I and some combination of one or both of us will be there. We've got things like the official cybersecurity summit in, let's see that is in Chicago and Philly. I'm trying to think when this, when this episode comes out, hopefully those will still be there. The Authenticate conference with FIDO, yes, FIDO Feud Round 2 is
coming back. Jim is going to try to topple Megan from her championship post. It's a, it's a definite thing. I mean, let me just say it here. This is the first time I've gotten braggadocious. But first off, we kind of got cheated a little bit last year. I mean, the, the, the ranking system, the point system, there were some problems this year. We're going to win. My team is going to win. The gauntlet has been thrown
down. I'm sure we'll see more stuff on social media that we've been kind of planning out to kind of tease that up to it. But that was exciting time. So looking forward to that. Let's see. That's in October. And then we've also got Infosec World 2025, that's also in October. So first time that you and I have been at that conference, more of a general cybersecurity conference. So we'll be there with our friends from RSM and some
others. Identities at the center of cybersecurity, though, So what the heck. Yep. That a name 6 plus years that is still relevant today. Let's see then we got Identiverse in November in Washington DC and then we've got the Gartner conference at the end of the year in Grapevine, TX with yet another game show plan for that one different than what we've done before. So lots of. Stuff. Talk to a few other folks that are putting on, like putting on conferences of one sort or
another. Go into the website. That's definitely the place to go. I mean, we get them up there as soon as possible, sometimes only a couple weeks before the conference date. Yeah, I have like 6, I think maybe 7 different discount codes all at the same time. And rather than read them off and nobody's going to write them down anyway as I'm talking here, just go to our website, idacpodcast.com.
Scroll down just a little bit and you'll see everything we've got active there with, you know, more kind of constantly being added as we as we firm up some of those partnerships with those conferences. But that's the way you can show support for the show. Use our conference stuff, you know, doesn't cost you anything. We don't get anything out of it other than just we can show we can bring a crowd.
¶ Interview with Darren Rolls: Identity Management Journey
And you know, hopefully, you know, that helps get us great guests like we have today with Mr. Darren Rolls, who I am shocked to say has been five years since he's been on this show way back in July of 2020. And, you know, I introduced him a long time ago as an identity dude. He was here, you know, one of the OG guests that we've ever had on the show. So let me go ahead and introduce Mr. Darren Rolls, You know, identity dude at large, maybe independent identity dude, something like that.
There you go, something like that. Still here, still here, still doing it so. We've got a couple things we've, you know, we've kind of upped, upped the game a little bit around here. You were here before a couple of our traditions. One of our first traditions that we kind of started was how did people get into identity? And so you were with us with Episode 53 and that was probably, you know, way, way, way before we even started out of question.
And that's something now we ask all of our guests. Now, since we didn't get a chance to ask you that last time, I'm going to ask you for the first time on your second appearance. How did you get into identity and access management? Is it something that you chose
or did it choose you? It definitely chose me way, way, way back in the early 90s before I came to the US actually I was working on CORBA distributed frameworks and for about banking in in the UK and we were using CORBA framework to do distributed user and schema management for C-ISAM databases.
And so we were basically packaging up schema and user changes and then pushing them out to multiple endpoints in in front end trading ecosystem and Tivoli Systems at that time saw what we were doing, we were actually using the Tivoli M dis distribution framework. We're doing that and they were like they were trying to, you know, were building out a systems management framework and they wanted to do user and
schema management. And so they basically acquired the group that I was working with. And of course it wasn't called, it wasn't called identity management then it wasn't really even called user management. But that was the the technology in the framework that became the first user management framework within. And that's what shipped me to the US.
So I didn't know what I was working on at the time, but I was, you know, I was kind of geeking out on, I was an Oracle database administrator and, you know, C programmer and geeking out on, on CORBA frameworks and distribution at the early times. That's what dragged me into it really. But but yeah, so Gee, that was many years ago, nearly 30 years ago. And I've pretty much stayed with that ever since.
We, we were actively as the user administration framework in Tivoli and and then left Tivoli with a small gang of folks and went to Waveset Technologies, which was very early in that cycle that was becoming identity management. It was provisioning at the time and we were acquired by Sun Microsystems in 2004. And so that became the Sun
identity manager. And so throughout that whole cycle, obviously I'm, I'm moving through from being fundamentally just the, you know, programming engineer through to being director of technology and through to CTO. And then we left Waveset and created SailPoint Technologies at the time where I stayed for 12 years.
And of course, it's absolutely, I don't imagine at that point, and I think, you know, we would some of the first people to actually write governance down as a, you know, IGA, if you like, as it was phrased. And so I can say I've been in it for my entire career. That's a long, I mean, that's. Such a long time, decades, right?
¶ Evolution and Challenges in Identity Management
So what is the most significant development that you've seen in your career in Identity? Is there something you can point back and say it's like, I don't know, like SAML was a thing or you know, the invention of XY or Z or whatever that is? Like, what's the something that's like what really changed
the game? I think standards obviously a big part of that and I sort of came into it with that first SAML 1.0 specification, worked on that TC and then I, I was the editor of the SPML specification, the first service provisioning markup language spec itself. So I think standards were a big piece of it.
It was evident at that point that standardization was going to have to happen because there was an industry building around it. I think maybe the largest thing I would say that's happened in and around us is, is the fact that it stayed the same. Well, this seems like a strange thing to say. You know, it's like everything's changed, but everything's remained the same. I can honestly look back and say the things, the, the, the tenets of what we were trying to do back then.
And I had this thing, the 10 tenets of identity day. It's completely relevant and almost the same now. So maybe the thing, the biggest thing that's happened is it's remained consistent in what it's trying to achieve and what it is. And I know that IGA has certainly had a bit of a tough rap in news and media of late, but I think the principles that it stands for still,
still hold water. So I think identity at the center is is maybe something to have captured early like you did, because it's still very true. So is that consistency good or bad? Because consistency is I can, I can interpret that a couple ways, right? It's OK. Yeah, we're still doing the same thing. It's great. But same time are we evolving the the way we need to from an identity perspective.
I, I think we are, I mean, the underlying technology is continually moving and that's, I think the underlying principles, tenets and laws, if you like the, you know, you know, if, if Kim Cameron was still with us, I'm sure there would be more laws developing right now to, to sit on top of the ones that we
have. But I think that the it's good in one respect because it says that the principles that we're trying to achieve of knowing, you know, knowing who has access concretely understanding entitlement independent of the system that it's in or the technology stack that it sits on. I think those things are still relevant. And that has to, if you like, a solid set of intent that has to sit on top of an ever changing set of underlying technology because it has changed, right?
I mean, look what we can now do with AI. I mean it is phenomenal and it is changing what we do. So it's good and bad. I think, you know, we just got to keep, we just got to keep reinventing ourselves to some degree. Hey, Darren, first I want to just start by just thanking you for coming on the show, but even more grateful for coming on the show back in 2020 when really nobody was listening and we're
like, Oh my gosh, Darren Rolls. I said the same thing with Eve Maler, like you guys were willing to give us a shot when nobody was listening. Obviously now people are listening, so all the better. But really do appreciate you giving your time to us, but also to the community. And the first question I wanted to ask you is kind of related to that, which is around who are the people in the industry that really have an impact on you that you look up to?
They're your identity heroes. So you're probably the identity hero for some people, maybe one in the past and a couple of people one or two for that are current people in the industry or, you know, still local. Yeah, I think, you know, there are so many in some respects, you know, I've having seen this space sort of evolve through the standard side first if we look there. I agree.
I mean, I've always loved the, you know, she's such a such a thoughtful, hard working, considered person and had the bravery to get out there on some of the initiatives where she's kind of stood alone for a long period of time. And that takes that takes stamina and determination and things. So, you know, I think even Ian Glazer, Ian's always, you know, worked with Ian many, many
years. And Lori Robinson at the time when they were both prior to Gartner, when they were at Burton Group, they were the first really, I remember a little, little stack of us at Waveset sitting at the back of the room. When they mentioned their name. It was like they mentioned their name. It was this like kind of thing because they were really at the forefront of looking at what we were trying to do and others were trying to do and pull it out and make it relevant to the
customer. So you know, people like that are they're eloquent, understand the technology, but understand the market forces. I'd say coming back to some of my brethren Waveset activity, SailPoint or Waveset and SailPoint, both Mark McClain and and Kevin Cunningham, who were our founder and president at SailPoint had a huge impact on my life. I mean, I worked for Kevin for 25 years. In fact, when I came over to the US, he was my hiring manager at Tivoli.
And so that view of product to market I think trained a discipline within myself and many people within the organization that I think was directly accounted for the success of SailPoint. So I think that, you know, I'm pretty much all of the team, very fortunate there to have just worked with really good people, good people, smart money
make success, right? Those folks that you just mentioned and what you guys did at SailPoint and obviously SailPoint's the incumbent now, but it wasn't always that way. There's a time where SailPoint was the upstart banging the pots and pans. And you know what I mean by that is like making noise, like upsetting the apple cart. And now, you know, now SailPoint's the incumbent, right, that that vision kind of took hold. Yeah, very much so. I remember us fighting for
recognition. It was a number of us Access 360 and a bunch of other little companies around here at the time. And really we're bashing against the, against IBM and against Oracle as as many were. And, and I think many of the, the new upstarts now feel like, and, and I'm, I do a bunch of advisory work with, with a, with a, a lot of those guys and it's, it's so interesting to watch. It's like, I think it's all reversed.
You know, it's like I'm now advising them about what we used to do, about how, you know, you, you, you better win Better Together is the way that you compete with an incumbent. And it sounds like strange you, you augment their infrastructure, you know, now, now we're going to beat them.
You add to their value. You know, the best thing you do in the company is have them resell you, you know, so find a value proposition with it, which is added to it and then slowly move sideways until you eat their lunch. You know, and that's kind of what we did with Oracle at the time. And and I see others, you know, attempting to do that now with, you know, with SailPoint and Okta and CyberArk and others. So really interesting cycle. Just just seeing it almost third
generation. Have you thought about it from the other side, where if you're in the incumbent position, what do you have to do to fend off the upstarts who want to eat your lunch? Yeah, it is. And I'm fascinated by this. And I'm sure there's a book to be written about this curve, this perpetual curve that goes on. I think as an incumbent, it becomes very hard to remain the innovator because it's all about
market acceptance. You're coming down the other side of the of the bell curve and and you're pushing out product as fast as you possibly can. Your challenges are, are more about market fulfilment than they are market innovation. The market doesn't look to you to be an innovator and so you tend not to.
And so it's very challenging to remain innovative, particularly, you know, if you're a large company, things move slower, you have you're publicly traded, you, you have all kinds of additional pressure on you to do so. So I think it's a very special type of company that that still pushes the envelope, still innovates. And and to be honest with you, I mean, I think all innovation is plagiarism to some degree. I mean, what do the best of us do is go, Jim, that's a great idea.
Did you hear what Jim just said? Let's go do that. And then you'll get around. You write on the whiteboard. And then the crazy people go invent it and they go build it or anyone else's needed fought with it. And that's pure plagiarism. So, you know, I think it's just how it worked. Yeah, right. And sometimes ideas take a while to I was having a conversation with somebody at the other day and they talked about authorization companies. They, they're early.
And actually, I think it might have been you. The early authorization companies had the great, the great ideas that are more relevant now than ever, but they had them 20 years too soon. Yeah, I mean, literally 20 years and that's kind of scary. You know, all this grey. I think it comes from something, you know, it's like, yeah,
exactly that. I mean, I've always been a big fan of externalized authorization because as a as a governance thinker, I think that the authorization model is the authorization is so much more interesting than authentication. The, you know, that binary decision, I think we talked about, there's the binary decision is sort of, you know, less interesting than authorization and externalizing. That is surely the way to go. But who wanted to rewrite the app? Who wanted to restart?
And you, you know that, who did it? You know, Boeing did it, Disney did it. You know, Axiomatics were, were literally 15 years ahead of their time. The time is now, right? I mean, every dog has its day. And, and I now I'm a big fan of externalising the authZ model and sitting on top of the data graph. And there's, you know, some vendors that we know that are doing very well in, in bringing
that architecture to market. Jeff and I have the pleasure of sitting around and talking to folks like you, and you do too. Are you talking to other bright people in the space we're talking about? What's the next generation of IAM hold and we've talked to guests in the past, like I wish I could remember he said this, but there's the IM or the information security poverty line and there's companies that
live below the the poverty line. I mean, I see it sometimes with organizations where they've just under invested in identity for so long and they they're still pushing spreadsheets and and things like that. Where what is the state of identity? What's the state of the Union are, you know, the I think sometimes the problem is sometimes companies think we're doing all right. We're pushing paper and things, but we're doing right. We're emailing spreadsheets around.
But it's not that bad. It it does seem to me like it is that bad, but I'm wondering what your thoughts are. Well, I think it's there's that phrase the desert of the real, right? You know, it's sort of, you know, the, yeah, well, you're out there in the real, right. You know, the, the, the real world is just much harder than we as vendors and I, you know, we as ex vendors, as I'm no longer a vendor, still think that way.
Obviously come to realise. And I think being real life CISO for the last four years of my tenure at SailPoint was a real life. I had enough feeling it being it and being a security guy in a security company is a pretty tough place to be. I mean, it's a job I would never have again because it's just just too hard. But I think to answer your question is that the desert of the real is just so much harder than we think it is. So when you come out then look, look around, you're sort of like
you're still doing that. Surely not, You know, pushing. I think Ian Glazer once had that phrase. He said the most comprehensive technical element in identity today is the is the comma. You know, it's the CSV, you know, like this holy comma, yet this holy comma presentation, which I thought was great. But yeah, that's the reality of the world, that most people, and this is one of these fundamental underlying tenets of truth, is that legacy just doesn't go away. It's still there.
And so most people are still trying to chase down things that we said 15 years ago, right? I mean, and it's easy as a vendor to kind of assume that everybody's moved, right, and they're over here. No, you know, I think it was my friend and said mentor Kevin Cunningham said when you're sick of saying it, everybody else is just hearing it. And that's so true. And I think when you're sick of deploying it, everybody else is just deploying it to some degree. You know, it's the, the, the
long tail is, is significant. I, I think the state of the union out there is still pretty bleak in lots of environments. I think we've, we've continue to over focus on what I would refer to as the known known, you know, the things that the compliance
team said would they would fund. Here's the 32 apps we want them soup to nuts under 32 go. And you know, and some people five years in are still doing it 3264, whatever the number of apps it might be, you know, they're they're still working their way down that old line of thought, if you as it were. And so I think, you know, it's, it's challenging and something has to come in to challenge people to think about that differently and from a different angle.
I think it's so true what you're just saying there of like you're tired of talking about it and somebody else is like brand new to them. Jeff and I have been doing this strategy road map development with our clients for a decade or more now and I I still have slides. I'm just like, nobody wants to talk about that anymore.
But it's like, it's the thing. It's like Square dead on and they're still companies that are innovating and new start-ups in the IGA space, even though IGA has been around forever. And like at some point we'd like to just say, OK, well, we're going to focus on the new stuff, but it's that basic blocking, tackling, it's not going to go away.
Yeah, I agree. And I think this idea, and I've heard it from several CIOs in this realm, that that, that for the first time I hear it. It's almost like to hell with the past. You know, I, I'm every day I get further from the future and the, the curve of exponential curve of technology that we now see that future is coming faster and faster and the threats from it are larger and larger.
And so some people now sort of go, you know what, I'm going to pause the past, the legacy, the old way of thinking. And I'm just going to, I'm going to try and get my real time, just in time policy based contextual access sorted. And I'll come back to the old world after. Because they could never catch up, you know, So they're a factor reality, I think. And but but within that you still have to say, you know, the old stuff never goes away.
We create today, you know today. We create tomorrow's legacy everyday. It's so true that plumbing needs to be there. And I think a lot of people try to build a house without, you know, water, electricity, a door, like things like that. Are we in I am I Well, so from a
¶ Future of Identity Management and AI
generational standpoint, you mentioned kind of the different generations in ABA, we're on Gen. 3 and maybe that's specific to IGA, but you did share a concept with Jim and I earlier around this concept of IAM v3. Is that because of AI? Is that something else that is driving it? I mean, I'm assuming AI drives a ton of different.
I'm assuming AI does drive a lot of things when it comes to an identity standpoint because now we're talking about things like agents and you know, non human, which is the new term for machine or you know, server account, you know, service accounts, things like that. Tell me about this concept of IAM v3 and kind of help help our audience understand your thinking around that. Yeah, I see. And and the the question I usually get if I mention that V3
is like where's it come from? And is it, is it V3 in terms of Web 3 or wherever it come? I use it just to sort of say dot next. Really, it's much easier than saying identity dot next. The, the I do think now there's a need to rethink prioritisation, if nothing else. And it really, and everyone says, show me the architecture. And I said, well, I can show you patterns of excitation if you like, in the ether that that represent products, if you like, but don't even think of it that way.
I think some of it comes down to recognising a changing priority. And it sort of comes back to the, you know, I'm a big advocate right now for the fact that folks need to rethink the drivers, particularly for a classic enterprise IAM project. But who's paying for it and where does it come from? And it's still very much comes from a, the known, known, as I would put it, from sets of large enterprise applications that we consider sloppy administration is our biggest enemy.
Well, we now know that the adversary who is, as you rightly now say, Jeff is a, is an agent. I mean the This is the Future isn't a hacker. The future is agentry. That's going to be all over the enterprise, all over everything. But they're not just adversaries, they're also your allies in some cases, right? Because you're going to have agents on both sides. This is like the Matrix. We've got AI programs on both the good and bad side kind of
fighting each other. And I've kind of joked before and said, all right, well, you AIs fight and then let me know what you decide as the human. Yeah, and and and it is an interesting, terrifying and intellectually challenging thing to think about. But yeah, I mean, how good can be how bad? Just like we said, you know, campaigns on this many years in the past, you know, the biggest problem is your best employee kind of thing making a mistake
or or being being phished. But the same thing is going to happen for agents, right? I mean, we know how to spoof agents. We know how to spoof, you know, many things. And now with so much movement and it come in so quickly, you know, one of my greatest, you know, it's the old, it's the OG thing. It's like, have we learnt nothing?
That, you know, the recurring pattern of what we're doing with MCP right now and what we're doing with tooling and how quickly we're putting these scaffoldings together for these new things. Are we sure we've got it right? I, I can't believe why would we get it right this time? You know, we got it right every other time. History shows us and so I think V3 for me is a bit like, OK, stop for a second and let's think about where these projects
come from. And. And I've got this nice little chart where I sort of visualise every resource that an enterprise might have be they large, small, whatever and. And you've got sort of how important the business thinks it is and how instrumented it is in the infrastructure running on the other axis. And what we tend to do, the truth is the, the vulnerability is across the whole spectrum, right?
Little tiny Java apps sitting on the edge that Bob created and threw out there and forgot about massive things in the cloud. The which we're hopefully managing the entire before that's spread across this, this matrix. And what we tend to do is choose things in the first phases of our projects that suit our funding and suit our capability in the infrastructure. And they tend to be large apps that we have when you go to your vendor, you say, do you support?
And they go, yes, So you start there. And, and that's very much whereas I think this notion in a phrase that that I've used many times in the past is, you know, time to visibility and time to understanding is maybe the prime visibility because the adversary knows that we train the agent to do that. The agent, the adversary agent now looks for things that that look for low management.
That's, you know, if you're managing it, you'll notice what's going on. So I think V3 is a little bit about timing of course there if that makes sense, you know timing and and funding and thinking about scope. Are we getting fast, smarter, faster? So I look at AI, right? And it's just, you know, every day there's some breathtaking new use case for it, and it just keeps getting better and better. But I'm also seeing that there's a lot more coordination with some of these vendors.
So things like for example, MCP and A2A, I kind of think of those as sort of like SAML and OAuth. But it took many years to get to the point for SAML and OAuth. And here we are only, let's call it one to two years into the kind of the next Gen. or the generative AI kind of world that we're all living in now. So I feel like we have learned
some things in the past. Now is never going to be as fast as you want to know, but is are are we getting smarter faster when it comes to developing standards and integrating all of these different technologies in a way that you know hopefully is secure and has the appropriate controls and things like that in place? But maybe I am a big fan, you might say, because I'm a I'm a sidelines fan.
I haven't contributed anything to SSF the, the, the framework or to CAEP or any of the standards that sit on top of it. But I do think an ontology of method, an ontology of typing, of people, of things, of entitlement, of classes of risk. I'm a big ontology fan. I kind of always have been the semantic web. When I saw it, you know, Berners-Lee and the crew came out, I was like, this is the future. This is how we're going to solve everything.
Because without a knowledge of a type, how can you interact with it in an automated fashion? So I think there's a lot of hope there. And, and so I do think in my 3.0 architecture, I would have a shared signals framework. I would put a lot of faith there, but unfortunately, there's not a lot of agreement capability. There's some simple things like we're finally going to do global sign out. Amazing.
You know, after all this time. You know, we're going to do it with with SSI for a while, you know, but OK, so we've got that. But there's much potential there for much more interesting things. And it could come from from operational telemetry as well. This idea to create ontologies of things that are well described that understand things like what an entitlement is and and how you can grade it.
I think that's super interesting because then we can attach machine intelligence to to that typing and that that reference model and do do do more interesting things with it. Big fan there. Darren, one of the things I
¶ The Future of IAM in the Age of AI
want, I want to bring this back to this AI conversation because here's what I think. I think practitioners throughout time, and this is one of the reasons I think that organizations underinvest in IAM because there's always something better out there just on the cusp. And now it's AI and it's like why even invest in IAM right now when this AI thing is going to come and it's going to be way better than what I have now.
I guess to turn that into a question for you would be, are my current investments just going to become like worthless junk in a couple of years when the whole enterprise goes AI? Is that even a reality or will some of these things still be is identity and access? Is it going to look something like it does now, you know, a few years down the road where maybe we're not 100% AI, maybe that's just a pipe dream, but AI
¶ The Rise of Agent-Based Applications
is definitely having a major impact and replacing applications and our organizations are starting to build agent based applications rather than the traditional coding model of client server applications or web-based applications the way they are today. Well, let's face it, right? I'll say, geez, here we can say everything that we come up with today is going to completely change everything we've done before, right?
This is what we do, right? Because we're all fascinated by it. You know, we're all like little scientists who who love the new thing and we wouldn't be here if we didn't, right? So there's a certain element of that. I do think the composition of the stack changes and, and, and time to implementation should shorten in every sense. Even in the AI that we add to our legacy IAM stack, it's focused on faster deployment,
faster type of value. So I think there's a certain, a certain amount of that that is definitely tangible.
¶ Challenges in Identity and Access Management
I do think the way, so, so the way we're going to implement these things is changing. And, and the, I mean, let's face it, what you can now do with a simple ChatGPT session is remarkable, whichever foundation model you tend to to work with. But let's just stop for a second and go. All that does is accelerate us to the same place, right? We've still got an entity, be it human or more human than human, which is, I'm a bit of a Blade Runner fan.
You're still going to make an access decision, right? And, and what we've done is we've made the Matrix even worse, right? Because we've now got an agent that is owned by somebody operating on behalf of somebody using a proxy account to get hold of some legacy data. So we've now got 3 pins, if you like, of exponential variable to apply, but we've got to make the same decision: who has access to what, when and why. And then when they did, was that
appropriate and can I prove it? I don't see how this is my point earlier. I don't that fundamental tenet doesn't change. It's just got harder and it's going to happen faster without people knowing about it. So. Then reading about and learning about and I don't know why I haven't put any into action yet,
¶ Exploring Vibe Coding and AI Utilities
but this whole idea of vibe coding. And so I'm not sure if you've given it a try, but I keep hearing about how, you know, development as it's done today is not going to happen much longer. Consulting isn't going to, you're not going to need consultants pretty soon. So I don't know what the heck any of us are going to do. The AI is going to be doing everything for us, you know, podcasts, and we're going to have to wash our clothes because the robots aren't there yet.
Well I hate to say it but there's already AI doing podcasts so yeah, it is washing clothes. Yeah, I don't know what the rest of us are going to do, and maybe we'll have to do some kind of manual work, which I know Jeff and I are both allergic to, but I don't know, vibe coding. Have you gotten into it at all? Where you kind of like tell the AI the LLM? Here's what I'm trying to achieve, then we'll write the code for you. Absolutely. I'm a bit of a hack, you know, a
bit of a hacker. You know, you can usually look at somebody's coding preferences and decide where they are. I like Perl straightaway. Soon as I move, I move from C to Perl straight away because I like something, you know, I'm, I'm piping even more so low declaration. There's no better intuitive declaration language and speaking to a computer, right? And so, yeah, I have a little bit. So my daughter's a type 1
diabetic. And so I'm sort of, I'm always interested in how I can create utilities that could help more right when you look at panel information. So I've sat myself down and said, hey, I'm going to create, I want to create a system that will take in blood panel data, do it securely. Don't want it in the cloud. Want to do the edge rag list and blah, blah, blah. I just blurb it out to the thing. I mean it gives me a. Package.
It gives me a complete package and then I've got a primary, my partner in store and it tells me how to fix it. It's like holy mackerel. And you know what? I now get a little UI and go pop. It pops up and it says, do you want to download your stuff in your Apple profile? And I go, yes. And it just does it. And I say, pull in this spreadsheet and it gives me the normative curves for it and then points to a whole bunch of medical research that I mean, holy mackerel. Yeah.
No, it's not perfect. It's a hack. But I mean, but you weren't able to just like, knock that out in that amount of time before. Oh goodness. I think, you know, one of the cool things about having you here, Darren, like we have like some rough notes that we want, but I'm just like, I got this guy here, I'm going to pick his brain. You know, one of the other
¶ Monitoring and Telemetry in IAM
things that kind of a shift that I'm seeing in our identity industry is more of a shift toward when you look at like the new. And I shouldn't say it's a shift toward, but it's like a lot of the new products are spinning up and, you know, a big thing is about monitoring what's going on. So rather than managing and controlling the access being the focus of the new product, the new product says, all right, here's your environment, put our
tool in your environment. We're going to watch what's going on. We're going to monitor what the identities and access is doing, and we're going to tell you when things are wrong. I mean, I was talking about it at a very high level. They all have their own different approaches to do that, but that seems to be a big shift. How do you feel about that?
I think it's inevitable and it's good and it's right, and we should cast away some of the historical legacy preference that we have in order to make that work. And let me explain what I mean by that. So one of the companies that I work quite closely with Orkid, they have an orchestrator, an end point, and I don't want to make this about them, but it's indicative of the class.
That's why I'm bringing it up. They have, if you like, an OS telemetry, OS level telemetry, dissolvable agent that is like the smartest identity guy you've ever met. And it sits there and it goes, oh, there's a port over there. What's going on over there? Oh, there's a port connected to some code. Wow, let's have to go see where that code is. Let's reverse engineer that code. Oh, that code.
Wait, there's an AD group call coming on here and it reverse engineers you down to a registerable connector for an IGA platform, for example. And you go, holy mackerel, it can do that. And yes, it can. And it's fundamentally OTel, right? It's operational telemetry mixed with a whole bunch of other tech. And you look at it and you say, well, but it's a, you know, identity is agent nurse and you go, well, maybe in the future it's not. It's self-aware. And I think one of the things
¶ The Evolution of Identity Management
that coming out of SailPoint in 2020, I was sort of very keen on this idea that we had to stop identity from being a centralised management funded process. That's kind of what we've been talking about to being this disseminated thing. And I don't mean distributed in terms of, you know, self sovereign identity, maybe, but I mean in terms of it just being there, being present and being self operating. It's sort of unable to understand what that means and integrate it for you.
And that future is a real potential. It's that technology, you see, it's enabled by AI and it's enabled by, you know, thinking in a new stack. And, and, and so I, I do think that has a big chance to change the game a little. When we're fighting an automated adversary, obviously we have to defend it with an automated ecosystem and that's one of them. So I think there's a lot there. And I think also, again, I'll
come back to that ontology. I think one of the things that I'd like to see in, in the OTel standards and others is this firm view of what things are. Because if I say to you guys, I mean, we're really anointed, right? I say what an entitlement is. We've all got a different view of what it means and we say what a risk factor is or what a, you know, a Commission is. And so, yeah, patterning that stuff down in the underlying infrastructure would be a very, very small thing to do.
And this is the worst it is ever going to be right for AI in some of these tools, right? It's it can just continue gets better and better and better. Or I should say maybe better is not the right word. More capable is probably more appropriate word because we don't know yet if it's kind of bad and it's going to be used for both.
¶ The Role of Laws in IAM Architecture
But this leads me to one thing that you've mentioned in the past somewhere that I saw was that laws might be better than architecture. And so I'd like to understand a little bit more. First of all, did I get that right? And if so, you know what? What is the the thought process behind that? Yeah, I think a lot of it coming down to some of the things we we've touched on recurring theme, right, is that the architecture will continue to change.
Like for example, you're doing this speaking to companies yourselves. And, you know, I think the legacy is part of that architecture and we tend to not think of it. And and that's almost a law unto itself is to say that you, you, you can't flush stuff it, it just doesn't work like that. You know, the long tail of these technologies remain in place for some considerable time. And so that what does that mean in in practical terms? It doesn't mean it doesn't boil down to a specification.
It boils down to a principle that says, you know, come into this understanding that the integration of the new and the old is a prime directive because that's what you're going to have to do. And I think things like, you know, I've always used this term model based. We used to talk about it in the birth point of governance where it was, oh, it's model based and being guilty there of that ontology. What the Hell's a model there? And well, a model is a conceptual understanding of
something. And again, the law we've learnt here is, is that we have to make our desired state model based. And whether that does it, when I say model, is that RBAC? Well, it wasn't one time. It's probably not now, is it? You know, Mike over at Gluu talks about TBAC, you know, you know, token based access control and I think we're going
to keep inventing things. But a law rather than an architecture for me would be make sure that you can codify the thing that represents the rule for you in a way that it can be governed, that it can be understood. Because, you know, we we're not doing a great job of that right now, even in the new red red that we're putting in terms of the policy languages, just the ability to test the policy and see what it means. That should be a law of the
model, the model. You should be able to express it and you should be able to say prove yourself, prove yourself, prove yourself. And that means show me who would have. Oh, Jim, Darren and Jeff, that's the answer to my evaluation of the policy as a speculative evaluation. So God, sorry, that's a huge diatribe to get to a point of saying that's a good example of a model of a law. The law should be the law of models for access, regardless of what they are.
Does that make sense? Yeah. Yeah, it. Totally makes sense and leads them to this next question I'm going to ask because I think that the IAM practitioner is the ultimate pragmatist. I think sometimes people believe that consultants live in the ivory tower and some do. But for the most part, we're kind of probably get this too, because we have all these great concepts and everything that the industry's trying to do.
If we work with clients who they got a problem now, like we need to fix this problem now, not worry about down the road. And I think you know, the, the clients, or what I'll just call the IAM practitioners of the world, they're the ones living with this problem. They got one foot in the past and have to support legacy systems, but they have to have one foot
in the future. They have to be thinking about the next thing or else it happens and they don't have a solution for it. I think this piece around shared signals it to me is like the right solution for the right time. At the same time, folks are trying to solve from the current problems and they might not know how to articulate that business value of kind of investing in something that is more future facing, especially if they're not like a technology company or cutting edge company.
¶ Balancing Legacy Systems with Future Innovations
Taking all that context, I would like to ask you to help those that practitioner put together their sales pitch or their their way of thinking about something like that to make the case, you know, and I call this that identity version three, you know the kind of next generation. How do they think about that and then make that business case in their in the boardroom of their company? Yeah, always hard. I mean that, you know, making that business case is is so
hard, right. I think IGA did a very good job of that by professing automation. We can get you what you need, faster, don't wait for your account. There were real things that made that business case pointy and, and resulted in it sort of being lead project directive from, from for many, many years. I, I, I still, I could sort of come back again to that underlying thought that we as practitioners have to live in a world of reality, which involves the past, the current and the
future. And so I think a meta architecture, you might say for that is one that says, I think we're still going to be doing static profile based legacy systems administration, administration time stuff. I just don't see how that's going to go away. Those systems are still going to be there. So the, the pitch is we, we, we have to manage that. We do still have to manage profiles in static applications, be they on-prem or in the cloud, traditional governance
administration you might say. But now we've got to think much more critically about runtime, real time context right in session, if you like, which is where externalised authorisation and and some of the things that the likes of Signal talk about in that bucket there, they've obviously got our brethren and others that that do the same where it's much more about the context making decision in the session. You've got to do that as well. Now it's unfortunate that, but
yeah, that's not. And then we've got to look over on the right hand side of that, almost like to a third pillar and say, well, what am I going to do about these agents? I mean, it would be foolish now not to consider that. And, and, and, and I think there's, you know, some things we touched on about MCP and how you're going to put, you know, gateways in front of MCP and now some of the things that you can do there, but it has to be in the diagram at once.
So I think the mature thing for us to do now is to, is to sort of fess up a little bit and say, look, this stuff is moving faster than any brain can manage. So let's accept that we have a past, the present and the future and let's try and find commonality there.
Let's try and find things that could leverage all three, all three tiers of the that sort of legacy static admin time, that current state in the loop just in time, whatever enables you're going to call it, right decision making, right. And this edgy future, which is still not baked. Let's face it, is that an easier sell to a CISO? No, but I think we're going to see a new, I honestly believe we're going to see a new extent of vulnerability coming out.
This is not just going to be about ransomware and being popped. It's going to be like opening a can and it being festering with insects. We're going to find big. A friend of mine was dealing with last night said, imagine a scenario where somebody gets in and trades all of your stock, you're a pension fund, trades all of your stuff. It's all gone. It's all traded and gone. What are you going to do? Billions of dollars and you open that count up and it's full of
that future is coming. And maybe that will change us because I think we've got to become a bit like, Oh yeah, I got parked. Oh, well, everyone else did too, so no problem. Yeah, I think maybe that will flush us to me. You know, we, we make us a bit more conscious. Well, congratulations Darren. Now I'm thoroughly disgusted, but just the visual of a festering, you know, pot of bugs, not my jam.
I know we only have a few minutes left and I want to make sure that I'm cognizant of time because I do want to ask you about kite surfing. But before I get to that, give me one. What's one prediction that you'll make around IAM and let's say sometime in the next three to five years. So sort of near term, like what's the what's something that you think will surprise people
from an IAM perspective? I think people will be surprised what we can do with next generation infrastructure that is layered on top of the legacy, that's layered on top that's quite the legacy, the current, the current operate. If we're able to keep moving forward on the operate, I think people will be amazed just like I am today when I want to write something, how intuitive the machine can be. I don't believe it will ever be sentient, truly sentient.
I don't believe it will be conscious. We can get into that for a whole podcast that boy, is it going to be smart. And, and, and, and that's no news for anybody, right? So I would temper that by just saying, and you know what, you're going to have all the old stuff. I'm less disgusted, so that's good. Let's shift here to a little bit of a lighter note before we wrap things up.
¶ Kite Surfing Adventures and Reflections
You mentioned before we hit record here that you're into kite surfing, and that's one of the things that we've we've also started since the first time you joined us way back five years ago. As we end shows on sort of, you know, something non identity related, We get kind of neck deep sometimes into identity or if we're talking to the clouds, sky high in our heads, right, things like that.
And so we like to kind of find out what people do in their spare times or just kind of fun conversations. So that's sort of like the genesis of this. And you mentioned kite surfing. Now I've never been kite surfing. And so you're going to be by Obi Wan and you're going to explain to me, first of all, how you know? First of all, what is it for people who aren't familiar? I think I'm familiar with it, but maybe people aren't out there.
And if I wanted to get started, what is the easiest way for me to get started with kite surfing? Right. And I guess I what I do know is kite foiling. So basically I ride a hydrofoil, which is basically an aeroplane wing under a surfboard. Tiny little one with a kite in the air to drive it forward. So it's incredible. Really low drag coefficient, so it's very efficient on the water, very fast. You can jump, move around. I've always been interested in
wind sports. I was a windsurfer for many years. Came to the US as a windsurfer, stayed in Austin because it was like, you could, you could. You don't need a wet suit with you. It's amazing. Now I'm just picturing you like, you know, windsurfing all the way from into the United States off the off the water. Pretty much. I mean, I came here, like I said, you know, if it's windy in England, the weather's crummy here in Austin, we had good.
So I came here as a windsurfer and then progressed to kite surfing. So you're on this little tiny surfboard with a, with a hydrofoil and a plane wing underneath you and a kite dragging you around. It's extremely exhilarating. It's outdoors, It's it's in the environment. And I think I'm drawn to it because it's kind of an in the moment thing. I'm very, we live very cerebral lives. We, you know, I'm fascinated. I'm a bit of a researchy. I'm fascinated by by brain at the moment.
I've been fascinated by geology. I'm always sort of this is something. No, you shut it down, you're on the water, you've got this giant powerful thing above you covered in lines that cut your head off. Boy, you better be present. So it's very here and now. So I love that from it.
If you want to start with it, you have to dedicate some time to it and you just have to go to a great resort where there's a nice beach so you can learn how to fly a kite because ultimately you're flying a kite, just a kite in the sky and and you have to it's not something you can just go try, go try. It's not like riding a bike. You know, anyone can mount a bike, right? Not everyone can kite surf.
And I think that's one of the things he got found a good kite school in a great location in South Padre in Texas or I have a place in the Columbia River now in I'm actually at Washington State just in Hood River is one of the founding places for it. So go somewhere like Hood River, find a good kite school and you know, go for it because it's always exhilarate. How how fast do you get doing that?
Because I met and obviously it's, you know, wind probably plays a big factor in that, but how fast can you get going? You can go faster than the wind, which is very interesting. So it's physics from physics perspective, it's very interesting. So you can go anywhere from 25 to 40 knots, so, you know, anywhere from 30 to 45 miles an hour, depending on the foil that you're using and, and where you are. And you can jump. And that's the way I like about it.
So for an old, you know, I'm 58 now, you really shouldn't be doing any of this. But I like to jump. You can hear a wave. And we've now got all these devices that will tell us our GPS locations. I'm on a thing called surfer and I can, so I can jump 40 feet in the air. So you can boost up a wave and go 40 feet in the air and feel and, and in Hood River, there's the manhood there and it looks like you're jumping over it. It's just a nominal. And so you know, that's quite a
rush. So you can go fast, you can jump high, so. That sounds amazing. So I guess you could probably get carried away by the wind as well, right? How do you control coming back down? If you're if you get caught up in in a strong wind, I imagine you're going to go quite a distance. It has happened. People get picked up, thrown around. I've been thrown on the floor. In fact, I remember going to a, an identity event in new in on the East Coast.
It was maybe when the Gartner events on, on the Sunday, I got picked up and slapped on the floor. And yeah, I, I, that wasn't a lot of fun. I could barely walk and I still made it. In fact, in 2008, I think I broke my leg actually windsurfing and I, I actually went to a conference to use a conference on crutches from it. So yeah, I can be. You've got to be careful, but I think without risk, you know. That's what adds the spice, right?
That's part of the the sport, I guess of it too, right? Is it is a physical activity. So there's, you know, inevitably some chance of injury. At first I was thinking, OK, well, you're over the water and like you've got water to break your fall. But if you hit the water going, you know, 30, 45 miles an hour, that can cause some, some damage.
Oh, big time. Particularly if you if you get the kite wrong, it can swing you like a, you know, like a pendulum and slap you down on the ground if you're unlucky. Don't go near the ground, but on the water. Yeah. I don't want to make it sound like it's big radical there. I now like to cruise around. I'm an OG definitely. I like to cruise around and jump. But it is fun when you, when you can jump over those young kids that take that really hard.
They're like that old man just jumped over me. What the heck? Jim, have you ever been kite surfing or windsurfing? No, you know what? But I've seen it so many times, and it looks so much fun. So I was just sitting here enjoying hearing Darren, and then when he said, well, you know, you got to have some risk or something, I was just thinking, he's spent his career building systems and building around the business proposition of reducing risk. And here he is inserting risk
into his life. I just find it a little ironic. But yeah, sounds super fun. I would love to try it. How about you? Yeah, I've, I'm not much for water sports. I think the one time that I tried to water ski, I got dragged behind a boat. I forgot to let go of the rope. And so I was kind of going face 1st and through the lake for a while. I was like, oh, I should probably let go of this thing now. And that was my one and only attempt at, you know, standing up on skis.
So I, Darren, you're I know you're laughing at me, but that's a true story. And that was 30 plus years ago. That's the thing, you know, be prepared for a little humility, right? Because, you know, it happens to everybody. I pulled up at the beach the other day and there was a little work on the peanut gallery. There's a little gang of them all people.
I know that. And right in front of everybody got it wrong, got slapped down in the water like a newbie, and everyone cheers and waves their arms in the air. You know, it's kind of like generally a good crowd with that. But yeah, you know, hey, we're all human. That's what happens. Again, if it was easy, you know probably wouldn't want to do it. That's true. And we're, and you know, it's probably a rite of passage, right, to, to eat the water, so to speak. Most definitely.
Like I said, I've been dragged behind that same boat.
¶ Closing Thoughts and Future Engagements
Well, Darren, I appreciate you coming back. I can't believe it's been five years. Let's not make it so long next time, I hope you'll come back and share some more of your insights. It's always great when we get to talk to just, you know, OGs in the space and people have such an influence on it.
So, and I echo Jim early on saying, yeah, thanks for joining us so early on, like I said, nobody was listening and you know, to get someone like you on was really validating for us and it still is so. Thank you for being I I think you guys are doing an awesome job and you back it up with practical real experience in the field and and you know, you're at the events and so I'd love to come. I'm going to go. I didn't know about the using the code. I'll absolutely do that.
And next event, let's make sure we sit down, have a soda. Together, that is a deal for sure. All right, I'm going to put your LinkedIn in our show notes as well as some other links for people that I didn't check out. So, you know, that's it. I think that's all we got for for this week. You know, we're on the web, IDC, podcast.com, do all those fun things like like and subscribe helps us get great guests like Darren and yeah, don't forget our discount codes on the website as well.
So hopefully we'll see a lot of friendly faces at our different conferences we'll be at. And yeah, that's it. So thanks for watching and or listening and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.
