#376 - Understanding Device Identity in a Zero Trust Framework with Shea McGrew

Sep 29, 2025 | 1 hr 14 min | Ep. 376

Episode description

In this episode of the Identity at the Center podcast, hosts Jeff and Jim dive into the concept of device identity within a Zero Trust framework. They are joined by Shea McGrew, CTO of Maricopa County, Arizona, who provides insights into the importance of managing not just human but also device identities. The discussion explores the philosophical debate on whether machines can have identities, Zero Trust principles, and their application in a diverse and semi-autonomous organizational structure like that of a county government. Shea also shares her career journey, emphasizing the importance of curiosity, customer service, and continuous learning in IT. The episode wraps up with a light-hearted conversation on the never-ending pursuit of knowledge.


Connect with Shea: https://www.linkedin.com/in/shea-m-6b82a36/


Timestamps:

00:00 Introduction and Podcast Theme

00:17 Defining Identity in Cybersecurity

01:34 Debate: Can Non-Humans Have Identities?

01:57 Guest Introduction: Shea McGrew

04:15 Shea's Career Journey and Role as CTO

09:28 Challenges and Rewards of Being a CTO

11:41 Identity Strategy at Maricopa County

14:48 Device Identity and Zero Trust Architecture

29:56 Managed vs. Unmanaged Devices

40:15 Understanding the NIST Framework

42:52 Balancing Technology and People

43:58 Training and Partner Collaboration

48:03 Organizational Change Management

50:40 Future of Device Identity

54:40 Debating Machine Identity

01:06:36 Curiosity as an Olympic Sport

01:13:00 Conclusion and Final Thoughts


Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/


Visit the show on the web at http://idacpodcast.com

Transcript

Introduction and Podcast Theme

This is identity at the center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Good.

Defining Identity in Cybersecurity

I've been working on an article and I decided to basically take the article and kind of wrap it around the name of this podcast, Identity at the Center. I'm trying to explain the concept of identity at the center. I think everyone says identity is at the center of cybersecurity. There's a couple of catchphrases that go with that, like "hackers log in, they don't break in," the whole idea that, you know, we're moving towards zero trust. People who have kind of come in and are on the network can't be trusted. So it's, you know, a deny, never-trust kind of approach.

And I think this episode, what we're going to talk about today, is that it's not just identity in terms of the classical thought of a person or even a machine logging in, but it's also the device. You know, identifying that device can be part of the overall representation of an identity and whether or not they should be able to access a system or data. Yeah. I guess this is sort of where machine identity, server, machine, you know, non-human identity, all that stuff is coming through. Everything has an identity at this point. And I know you and I have

Debate: Can Non-Humans Have Identities?

disagreed in the past over the definition of identity. Can a non-human have an identity? I argue yes, you argue no. Do we want to rehash that disagreement right now real quick, just so we understand each other's positions, or have you come to my side? The good side? It's also my side. I don't know that I've come to your side. So Shea's with me on this. Let me go ahead and introduce her while, so, you know, you're

Guest Introduction: Shea McGrew

like this. This strange voice came out of nowhere. Yeah, we've got Shea McGrew today. She's the CTO for Maricopa County in the Grand Canyon State of Arizona here in the United States. So thank you for chiming in, Shea. It sounds like we got two on one today against Jim. Go ahead, Shea. Yeah. Oh, hey, I thought you had to, you know, convince us otherwise. Yeah, make your case. Yeah, my case has always been that devices have accounts. They don't have identities.

Identities are reserved for people or representations of people. When I say representations of people, I think that an AI could be a representation of a person, but I've always felt that the proper term for devices and machines was accounts. How do you define identity? What do you have to have to have an identity? I think you have to have the ability to own something. I think you have to have the ability to, you know, own something like a house to prove your identity. So you just have the ability to own devices, for example. I totally wasn't prepared for this debate. This is the best. And I'm like searching for my answer. I haven't thought about it in a little while, but I kind of think of the representation of devices as the account they authenticate as. So I flipped the question back to you, which is, what is an account?

Yeah, good point. I mean, I think we'll get into it a little bit today as we discuss device identity and why it's important and how we're actually defining device identity, perhaps, you know, here at the county, as well as I'm sure other folks are as well. But I think we are headed into a space where hardware is getting more and more uniquely identifiable for that reason. So I feel like we have so much ground to cover here.

We didn't even get to do a proper origin story for you. We immediately jumped into, you know, dogpile on Jim. Jim, you're wrong. Non-humans can have identities, machines can have identities. But let's start from the very beginning. So Shea, first time you've been

Shea's Career Journey and Role as CTO

with us here on the show. So I know you've listened in the past. So thank you very much for being a listener. Now you're here on the hot seat. There's no spicy wings or anything like that, but maybe some spicy machine identity conversation. Let's start with your background. So I mentioned that you're the CTO for Maricopa County in Arizona. So tell me a little about your role. How did you get to that spot, and sort of what led you on your journey to there? And do you consider yourself an identity person, a technology person, a security person? Yes to all three. Like, give me your background. Yeah, I would definitely say yes to all three. I'd say I'm a systems thinker who likes to dabble across all of the technologies, understand how they best fit together, how they support each other, where the dependencies are, where the

opportunities are. And that's kind of what started my journey in IT, was just getting into and understanding systems, how we use them, how we use them for business, how we use them for personal use. And really my IT journey started around the time that Sarbanes-Oxley started hitting IT, well, hitting organizations, right, to include IT shops. And so, you know, freshly minted help desk administrator working with some seasoned systems engineers, systems administrators, and of course, Sarbanes-Oxley kind of turned identity into a compliance layer rather than an IT operations component. It became a core platform for organizations to be able to prove that they were secure, that they were compliant. And of course, during that time, a lot of organizations scrambled to rethink their IdP, reorganize Active Directory. And the beautiful PowerShell was not quite yet out when Sarbanes-Oxley hit. So we're talking like VB scripting. And I worked with a wonderful senior systems engineer who could just manipulate Active Directory to her whims.

And of course, we have all of these audit findings from Sarbanes-Oxley. She looks at it, I look at it, I'm like, that's like hours of work. She's like, now, this will take me five minutes. I'm like, what? And so that really sparked that love for, initially, Active Directory, and then, of course, following that, the identity path through my engineering and architecture journey to where we are now.

And I can say that I'm not completely surprised that identity is now at the center once again for the way that we manage, operate and secure our resources. So yeah, I came up through the ranks. I came up on the infrastructure engineering side, got into architecture, and then with the county, got into the CTO role. And now again, I get to dabble across multiple domains, which is always fun. It's like a giant puzzle, putting everything together. So I love the story.

So I knew I liked you right away because I also kind of got started in IT in the help desk. So, amazing career journey to go from help desk analyst to CTO, right? I think that's very aspirational for a lot of people. One thing that I've never forgotten, though, is my roots. Going back to the help desk is like, OK, yeah, yet another call for printer support at 3:00 AM. Printers were my nemesis. I still hate printers. I won't do it.

Yeah. Have you tried turning it off and on, right? That's probably the number one troubleshooting, you know, thing out there. What is something that you took from your help center days, help desk days, that you've kept with you throughout this entire journey and you keep with you today as a CTO?

It's a great question. Certainly customer service and a sense of, I'll call it, extreme ownership: getting an issue in at the help desk and then being able to track its path all the way to resolution, even if it's way outside of your realm, right. And I think that's really what helped accelerate my career to CTO, is ensuring that I was leading with curiosity and understanding why is this an issue for the user, and identifying those systemic problems, right? If I got five calls from a user as I was sitting on the help desk for a very similar issue, you don't just solve them and then, you know, hang up the phone and wait for the next call. You start to ask why, why is this happening? And so that's probably one of the biggest things I took away from the help desk, 'cause you're at the front lines there, right? You get to see, really, they're kind of like the first bridge from a business and technology perspective. You get to understand how technology is impacting that end user and how you have to change technology to influence or change their experience. And truly, that's at the roots of being a CTO as well.

Challenges and Rewards of Being a CTO

What do you find as the hardest and best parts of being a CTO? Well, the best parts, again, are definitely seeing that bridge between business and technology. So I also have a little bit of a business background, an MBA with an emphasis in enterprise information systems. And I went down that path for that reason, right? Because I do think that we're starting to see a change where IT is not this backroom, kind of somewhat enabling, supporting technology. It is starting to become a leader and perhaps an enabler, a bigger enabler, of business strategy. And so one of the most enjoyable parts for me as a CTO is being able to draw those connections for business leaders and how they can take advantage of technology, and to really show them that the technology, especially the technology that we have, the capabilities that we are building within our organization, you know, can speed up a business goal that they thought would take 10 years; we could do it in maybe five, maybe one.

So the best part is, again, applying technology and being able to put together the right pieces to enable business. It also becomes one of the hardest parts, of course, which is getting into the conversations with the business and being able to articulate technical concepts in a way that makes the business excited, makes them want to adopt and partner with IT.

And so, yeah, as a CTO, especially as a CTO in local government, with all of the different business lines that we have, you really have to structure those conversations uniquely for every single one, right? You don't have a standard way to approach anything, really. So where does identity fit into

Identity Strategy at Maricopa County

your strategy at a CTO level? Obviously you're on, you know, the Identity at the Center podcast. I was going to say at the center, of course. OK. So, right answer, first of all, so congratulations. But talk to me a little bit about, you know, realistically, right? I get it. There's so many different pieces of the puzzle that have competing priorities for time, budget, resources, you know, the political things that are happening within any organization. How do you manage and balance? Where does identity fit with all that? Is it something that is part of an information security strategy? Do you carve it out separately? Because I want to ask you some questions about how you, and really the county, are going after the program. Yeah, great question. And here at the county, we did carve it out separately.

And so we have been running a specific identity and access management program for a number of years. And it did really start, as I stated, with recognizing an underlying problem that was occurring at the county. And I think this occurs across many orgs, you know, local, state, gov, all of it, everywhere. And that was kind of the decentralization of identity.

So when I started at the county, you know, I had multiple logins and I had to understand when and how to use those logins. And of course, if you go back to those help desk groups and you go talk to the help desk, they're like, this is crazy. Like, password resets are in the two hundreds per day, right? And so truly being able to recognize some of the, I'll call it operational, problems within identity causing significant impacts not only to IT operations, but also to the employee experience, and then starting to curate solutions to those problems. And that's really where the roots of the identity and access management program grew. So years ago we were able to collapse our domain infrastructure, our forest infrastructure, I'll even say, down to a significantly smaller number of domains that we had to manage across the county. And we all came together and agreed that from an employee experience perspective, trying to standardize on one identity for an employee was our goal. And so those were kind of the roots of our identity program. And over the last year here, we've expanded and gotten a little bit more specific about how we want to tackle that. So the program that we are running right now is separated into three core identity types and two kind of capability categories, just to keep us in line. Because again, you know, there's lots of problems to solve out there, lots of opportunities to tackle. So we have to know which ones come first and which ones are most valuable.

Device Identity and Zero Trust Architecture

So our three core identity types that we're focused on are internal, external and device identity. And our two core kind of capability categories are identity management, which includes the foundational pieces, like what attributes are associated with what types of identities? How do we manage those attributes? Where is the identity originated from? And then access management as the second, meaning how does that identity get access to the network, get access to data, get access to other assets that it needs access to. So kind of a three-by-two approach to how we tackle identity, allowing our teams to really focus in on where they have subject matter expertise, right. And the county still doesn't have really a centralized identity team that focuses across every identity type. We do have kind of the classic: you have your system administrators, help desks that work on internal user identity. You have the developers or the business who work with external identity, and then desktop support or system admins working a lot with the device identity. And we can start to really focus and utilize those teams in those areas in parallel. And the goal, of course, is to see accelerated outcomes with that model.

So you just spit out a whole bunch there and I wonder, you know, how do you get buy-in and support to do this? Because this is not an overnight shift where you can say, OK, I snap my fingers and give me a bunch of money and it's done, right? There's no easy button. It takes years, sometimes longer, decades, to have these seismic shifts in the way you approach really any large IT transformation. But identity typically has a lot of moving departments. So I'd like to understand a little bit about how you explained everything that you just said to somebody who is not a technology person or not an identity person. Because I think the one thing that a lot of people listening here today might be thinking is, OK, that's great. I get it. We know what we need to do. How do I communicate that to the rest of my organization? Yeah. And that is going to be probably somewhat unique depending on your org. I will say at the beginning, I had some great partners in HR, of all places, who helped us to drive the single source of identity being an HR record for the county. And then from there we were able to, you know, explain why that was critical, to have a single source of identity. I think on that one, the business could feel that pain. So that was an easier one to explain. Like, hey, instead of, you know, writing down all of your passwords and sticking them under your keyboard for the 50 accounts that you have, we're going to give you one. And this is how we're going to do it. As the program is progressing, of course, the cyberspace has rapidly changed over the last, you know, 5 to 10 years. As our assets became more digitalized, especially our information assets, of course, they became more targeted and the perimeter shifts and all of this great stuff, right, which kind of provided routes for the concept of zero trust, and zero trust became kind of a buzzword, right. So of course a core pillar of zero trust is identity. So I did grab on to those coattails. And for that one, the explanation from a business perspective that we're going with is kind of like the airport analogy, where, you know, you can walk into an airport and not show anybody any identity. You can wander around, you can have lunch, but if you want to, say, go to a different terminal, there's going to be a security checkpoint. They're going to make sure that you are safe. They're going to make sure you are who you say you are.

And to do that, you have to, you know, show identity. You have to walk through a metal detector. And then even from there, if you want to get onto a plane, essentially get access to the asset, right, you have to show identity again. You have to show proof that you should be there. So I like the airport analogy because it really hits home with, oh yeah, like, yeah, we have to show our identity all the time.

This isn't new. We're just going to put some security checkpoints up around all of our buildings in a digital fashion. And, you know, your device is going to be screened through the metal detector to make sure that it's harmless. And you will show your identity, you know, in the form of a certificate, essentially.

And then you get access. And in that space, of course, the reduction in risk, especially for cyberattacks, is a big driver for support in that space. I love that airport analogy because I use the same one, and it's really something I think that resonates with a lot of people, because most people have gone through some sort of airline experience, right? Whether it's flying or taking someone to the airport, whatever it may be, you're showing your

ticket. You know, you're going through maybe a security line, but you're not showing it just once. You're showing your credentials, your identity, throughout the process. So for me, living in Asheville, our airport is currently under construction. So like half the terminal is a mess. I have to show ID three times before I get onto the plane, sometimes four: once at the security check for TSA, another one when I board the plane. And then I go outside on the tarmac, and this is one of those smaller airports, we're actually on the tarmac where the plane is, right? So you walk out there and then there's another person who asks me for another piece of, you know, information, seat number, name, right, things like that.

And then I walk across the tarmac to the stairs that go up into the plane and there's usually another person there just to make sure that nobody got lost in the entire shuffle. So it's almost like, you know, this concept of continuous identity access management. I think it's something that kind of works the route. There was one thing that you mentioned, and you mentioned zero trust, and you kind of, I think half jokingly, but maybe not really, mentioned like, well, everything's zero trust now, right? And it was like the security buzzwords and those things come along. How much do those buzzwords matter? Like, when you're having conversations with people who aren't IT or security or identity, they hear zero trust, like, oh, that sounds cool. Are we doing it?

Like, does the marketing spin help at all? And then you kind of have to correct it, or maybe you ride the coattails of it. Well, I'd say a little bit of both. And so we've definitely had that pendulum swing both ways, right, where, you know, again, it's a buzzword and leaders will say, I want zero trust. Can we do it next year? Well, probably not. And there's others who will say, yeah, we follow the zero trust framework, right? We do all of those things. And you say, well, what things do you do? Well, people have to authenticate. OK, not quite the ZTA framework there. So it does take a lot of conversation, it does take a lot of storytelling. And truth be told, I mean, we're still working through how we best do that. We've luckily gotten a lot of great support from the business, from an IT perspective, from an IT project perspective. But that never ceases, right? With every milestone we hit, we have to be able to craft the story of what did we accomplish. And one of the great things our CIO has done is create a business value report, where we have a place to highlight the business impact of some of those technology investments. Because again, especially, I mean at least at Maricopa County, our ROI calculations, it's not formalized, right? They're not strong. We don't often report on the return on investment for our IT investments, but this gives us the opportunity to do that in a story, right, that the business can align with. And then what that gives us is the foundation to continue to build onto those successes as we move forward. But I wouldn't say that we've got it down perfect, but we're working on it. Hey, nobody does. You mentioned the three work streams, right: internal,

external and device. And I thought device was real interesting, because I think everybody does it, but they don't all do it as a separate work stream. And so I'm wondering what brought that decision for you. Why is device identity such an important concept or working area that you set it up as a separate work stream? Great question.

Some of that was probably resource organization and the ability to strategize within that pillar without clouding or complicating the strategy with some of the other identity components, right, or identity pillars, identity types. Because, and we still see it even though our work streams are separate, when you start talking about one, it's easy to start going down the path of, well, users are going to do this, this and this. With our work streams being separate from an internal, external, device perspective, we could kind of corral that back in and say, OK, that's great. Internal identity is looking at that; they're handling that. Let's focus on the device itself. What is the best outcome and what are the things that we need to do on the device, almost absent of the user, right? Because in a true ZTA architecture or framework, it doesn't matter. Like, I could log in on any device, right? And you get the information from the device and you get the information from the user. You combine those and that's what creates the access, right, the underlying entitlement. And so I didn't want us to think about it as, well, that's Shea's device. She's always going to use that device. We trust her. So we don't care about her device. I wanted them to think about it as, if anybody grabs any device, what do we want to make sure that that device does or has or is in order for us to be able to trust it, right, or for it to be verified. So it was kind of a multi-reason, but mainly to be able to focus the discussion and to focus the teams into those spaces where we could build the appropriate capabilities without getting too crisscrossed across the other identity types.

You mentioned the zero trust architecture, ZTA, and it feels like zero trust, I think, is one of the most important architectural concepts in all of infrastructure. I think sometimes it gets mocked because of it. It's like, for a while, you went to conferences and everything was 50% more zero trust. So we made fun of it on this show at some points. But I mean, as far as architectural principles or guidelines go, it's about as important as it gets.

I would think it's especially important in a large organization like a county government, because you have departments and agencies, and folks have to move around the network and, regardless of where they are, you know, kind of be that same person using that same device. Is that part of the drivers? Why is zero trust so important? Are there other things on top of that? Yeah, I mean, that's probably one of the strongest drivers, right. So I mean, local government shares structural similarities to a large conglomerate. There's a lot of different semi-autonomous units, some dependencies across those units. Jim, to your point, users exist in the same spaces from a location perspective. And ideally all of these things at the end of the day work together and can synergize appropriately to provide public services, right? And so that creates an environment where a concept like never trust, always verify starts to become very appealing, because again, semi-autonomous orgs, they can stand up their own systems. They have their own kind of regulations, their own data types, their own threat surfaces. But at the end of the day, we need a way to be able to trust each other so that we can do business, right? And that's zero trust, right? Those are the principles of zero trust. And so I think that in any organization that doesn't have that centralized line of control, zero trust makes a lot of sense. And I think it was probably going to be kind of the way, even if it didn't become the framework that it is today, that large, you know, multi-business-line, semi-autonomous to autonomous IT shops got to anyway. So, yeah, I think it helps to give us, I'll say, a similar vision right across all of our different IT shops. It gives us a vocabulary that we can use and a justification for why are we putting all of this in place. Well, we're putting this in place because, you know, I run this case management system and your users are going to connect to it. And I have no control over your users. So you have to give me a guarantee that you're doing the right things and you're managing that device and you're managing that user to a baseline level.

So I will give you access to my data. So, yeah, I think that's a big driver, just based on the organizational structure of the county and potentially any local government.

Managed vs. Unmanaged Devices

And when we talk about devices, I think there are generally a few different types of devices, right? There's the managed devices that you issue from the county. But in this world of BYOD, people can bring their own devices. You can't manage those necessarily. There's IoT devices, there's OT devices, which may not be in your scope, but kind of what is

the approach for each of those? And can you come to help us for people who aren't familiar with that language that I just used, what are those different types of devices? Yeah. And this is actually been a great discussion that we've had even within the county, you know, across departments, across units, even to come to a solid definition, managed was much easier to define managed and unmanaged. I'll say BYOD was like a whole

nother animal. But so from a managed perspective, the way that I would define that is a device that you have control over, you have in your inventory you're you're getting information from, you can put configuration onto to include an identity like a certificate, right? So truly it is managed. If you wanted to turn it off, you could turn it off. If you wanted to wipe it, you could wipe it unmanaged. Of course, is the other side of that spectrum where you have no control.

You, you don't have it in inventory, there's there's no validation of health, there's no validation of configuration or patch levels. It's truly outside of your purview. And then there's BYOD, which for the county can actually fall into the managed or unmanaged definition. And so that's why this one was was a lot of fun. We're still we're still talking through how how we successfully define and manage ABYOD approach

for county resources. Now when I started at the county, we did have like a like the any device anywhere, anytime approach to doing business, right? Meaning we would have to have a good way to secure our apps and our data even in the event that an unmanaged device or BYOD device wanted access. Working through that of course, but so BYOD for us or bring your own device. Right now we have two flavors of that.

One is a BYOD approach where they sign a waiver that says, hey, Maricopa County, you can manage this device even though I own it, which kind of puts them into the BYOD managed category, meaning if they lose it, if it becomes compromised, we have the ability to wipe it, we have the ability to lock it etcetera. We also have the BYOD approach for some of our cloud services where you know you can, you can log in and you can consume that application with just your user identity.

Meaning we don't manage the device, we only manage the user identity and the data that we're allowing that device to have access to. And so that's the unmanaged BYOD approach. Of course, ITOT can also fall into both the unmanaged and managed categories. And that one's one that we're starting to tackle and working to identify what of the ITOT categories can we manage and

which ones can we not. And then how do we, it's very similar to the end user devices, how how do we like segment and control their access appropriately for their level of management? I think where the rubber really hits the road on this topic is how do you take the device identity and actually enforce access around it? So I'm thinking about kind of like how device identity and infrastructure come together to say, all right, you can go here

and you can't go there. So maybe you can talk a little bit about that for again for the identity practitioners who are trying to figure out how does this all work, maybe give kind of our primer on that. Yeah, and that's a great question. I mean, the classic architecture

in that space is 802.1X, right? So wired and wireless network access control using a platform such as ISE to be able to validate that that system before it connects into your network is healthy and can prove its identity. Going back to our the beginning of our conversation, right?

I mean, the hardware is coming now with like a TPM, of course, it's always had a MAC, but there's some, there's some definite considerations around MAC when you're trying to use it for any, any type of validation, but also certificate, right? So I think for device identity, especially for any type of wired or wireless network access control, it comes down to how do you validate that device's identity. For us, we we are leaning into a certificate validation.

Of course, there's some some new great technologies out there as well that use like apps on the device, right to grab device identifiers and creates truly create a device identity out of that information that's used for validation for access either onto the network or access to apps in the cloud, etcetera. I kind of think that behind the scenes here there's a level of certificates, maybe PKI infrastructure at work. Am I on the right track? How does that fit in?

Yeah, so I do think a strong certificate architecture is a foundational component for user and device identity. As stated there. There are perhaps some ways you could do it without certificates. And I don't want to say certificates are the easy button because certificates are never easy, but they are. They are something that especially in an autonomous, semi autonomous org, can span spheres of control and can create trust chains that can be shared, you know, regardless of where that

device originated, right? So leveraging something like certificates, our county IT shops don't all have to agree that we're going to put, you know, client X across all of our workstations and that's going to be managed by some central IT shop. They can can manage a certificate architecture that has a similar trust chain that we can then use at our security gateways. I'll liken it to you like different passports, right, to

prove identity at the airport. Everybody knows and understands what a passport is. There's, there's an official root trust agency that can validate that passport and that's what I consider the certificate in, in our architecture. Again, there's other forms of identity that can be leveraged, right? A driver's license, an ID card, you know, the list could go on

shortly. I don't know what else they accept at the airport, honestly, but to that point, everybody knows that the passport is is a proof, proof of identity and they know what to do with it when they're presented that form of identity. Again, allowing the county, the county IT agencies, to still have autonomous control over their device management, meaning other departments don't have to know what they're using to manage the device or anything really, right.

They, they manage that device A in a platform like Workspace One or Intune and Workspace One or Intune gets the certificate to the device and then just sends the hey, this guy's good, let him in. I validated everything appropriately and we trust that and it just gives us a an easier approach without having to all come together and agree on an external vendor, a partner platform in that space. Yeah, well, one other form of identity.

So I was flying last week and I saw a lot of people whip out their mobile driver's license. Yes. I don't have one personally. My state doesn't support it, but I'd love to get there. Come on over to Arizona. We've got them. You've got them. You guys have Waymo. I mean, we got. Everything. You really do, really do. Talk about device identity, like hopefully those autonomous Waymos they can identify them 'cause they're all over.

Exactly, exactly. So you know, the last question I wanted to ask about because I'm familiar with some framework that this has that can apply to kind of a device identity program. But leading into that, I'm just kind of thinking one thing I've seen as consultants. So Jeff and I are unfortunately we can't just podcast full time. It doesn't pay enough of the doesn't make enough of the contribution to pay the bills. But we we get to work with a lot

of clients. So we get to see in the private sector. NIST is becoming extremely popular. I know in the public sector it's extremely popular. Maybe you could talk about what


that level of influence is like, how it affects your program, and then if you can speak at all to how it might, those guidelines that exist for detect and respond work with from the NIST framework are being adopted at the county. Yeah, that's a great question. And I am seeing a lot more reference and reliance on that framework, especially in the audit space, which of course then motivates business to start

to notice and comply. For us though, the business framework really at its core, again provides a common language for us to talk and a way to structure our strategies so folks know what the desired outcome is for our projects, right? We could pick out bits and pieces of that framework and say we are, you're doing this project so that we can have these outcomes. These outcomes are aligned with the NIST framework.

And of course they have like a ZTA, they have like the access controls, they have the identity components. So it really does give us a a foundational road map for what are we trying to do and and at the end of the day, have the conversation about why it's important and to what degree it's important to the county. Now just like any framework, of course, NIST, you could go all the way to the extreme. And I don't know that there's anybody who probably can say,

Yep, we are. We adhere to every single NIST guideline that is out there. So organizations have to be able to structure some level of like a maturity model. So we're not spinning our wheels, implementing things that are not providing value, especially based on the investment. And I do think the NIST framework again, helps us structure that conversation so that we can create an appropriate maturity model and we can create a an appropriate strategy for how we tackle any

aspect. I mean, of course NIST covers all sorts of things, but specifically for this conversation, something like device identity or internal identity or zero trust. So it's in the name, right, NIST framework, not NIST law. So you have to like, you know, take that into, you know, accordance with what things going on. A lot of this conversation is


focused on technology and sort of how things work and the interdependencies between all that. But a big part of this is still the people side. So I'm curious, how do you, how do you make this real, you know, from a long term perspective to say, OK, that's great. We are, you know, 100% more zero trust, right? Whatever that looks like, right. It requires a team to put that in place, not only to stand it up, but to maintain it and keep

it relevant for the future. So how do you look at that from a long term perspective to say, OK, that's great. We've got technology, but there's also people in process that needs to be part of this. Yeah, technology is always the easy part. So yeah, great question. And it's it's one I think as leaders that we we have to take into consideration, especially as we ask our teams to embark on these huge transformational projects.

If you know, zero trust or identity being being examples of very transformational projects because they they do change the underlying way that we support technology for the business.


So, I mean at the county we, we have these conversations often. So it, it, it revolves around how do we skill up our teams. So as we are deciding on solutions or platforms or systems, a good part of that conversation is your folks know this like if we pick this, how, how are we going to support it to your point, Jeff. And so being able to get the training to our our technical folks at the right time with the

right context is key. Now I will say we've had a number of transformational projects where we did training say at the beginning and it was a three-year project and by, you know, year 3 it was gone, right. And so we, we had to redo the training. So really evaluating the timing and when and how to engage partners, I think is, is critical. We are very lucky to have a number of great partners in our identity program right now. And of course those partners live and breathe identity.

They can make identity decisions on the fly based on their experience. And our, our, our teams don't necessarily live and breathe identity, right? It's just one component of the work that they're responsible for. And so we have to be able to balance and, and we do ask our partners to ensure that they're having good conversations with our teams to explain why we're making the decisions that we're making, why we're implementing the things that we're implementing.

And wherever possible, let our team members drive, let them do the work to a degree, let them make some of the mistakes, right? And let them be involved there so that when it comes to operations, they understand those guts. I mean, we've had both great examples of where we've done an implementation and on the other

side folks just felt good. They were excited they could support it. And then of course the other side of that spectrum is implementations where the partner stepped away and everybody just looked at each other like don't touch it. So as we, we're in our identity journey as, as we're, as we're changing the architecture of the organization for zero trust, right or zero trust capabilities, we've changed the way our teams operate to a

degree. So our, our DCIO did create a network security and access management team, which is focused on like the security gateways that we're putting in the policy. And that's coupled, of course, with that access management or the identity component.

So those two pillars aren't separate across a team, right, where there's one team that knows the identity side real good and one team that knows how to put policy in place, they're together, which of course allows us to create more robust policy, right, 'cause they understand how the identity underneath is structured. So creating new teams that can more effectively support, especially if the solution is across domain or across team type of solution.

Also have done the same for our desktop support guys, like a, a workspace and platform support team that can support the platforms that we're putting in place with an understanding about like the devices that are connecting something like, you know, Intune. So you do, you do have to examine is our organizational structure appropriate and do we have silos that are going to impact our, our momentum or our

innovation in these spaces? And if you do have the conversations about how do you solve for that effectively the


other side of that, and I was very excited when we did this, but we started an OCM team. So an organizational change management team. It's only, it's only two great gals right now, but they make a huge impact, right?

So a lot of folks see organizational change management is almost like just a marketing team, but it's not it, it really does get to the heart of your question as we get into projects and these two gals will will ask us as leaders, can your team really support this and like force us to answer that question in order to be ready for taking on that project, which is

fantastic. So they're doing some of that organizational change management from doing assessments or interviews to some of our IT support staff on how is this going to change your job and then giving that feedback back to us. So again, we can structure the right training, the right teams, etcetera. So big, big one, especially as digital transformation and modernization. I mean, it's not slowing down,

right, especially with AI, but. So I smell a Part 2 with Shea McGrew coming down the road where we talk OCM specifically for these large transformational projects because it does come up quite a bit. And I think a lot of my background is operations, right? It's help desk.

And then it's, I am sort of help desk specific and I would get so tired of people just throwing things over the wall and saying, oh, well, you know, help desk will still take care of it or whoever's going to answer the phone like, no, no, no, we got a plan for that kind of stuff. So I, if you're up for it some point in the future when you're ready and we can invite those other folks on your team as well to have a conversation around OCM and what does it mean to be good at it?

Because there is bad OCM and then there's effective OCM. And I think most people want to be on that good, effective side of things. So hopefully you'll come back and we can have a conversation about that in the future. Yeah. I would love that because it is especially in IT right, a topic that I don't think we, we consider a touch on enough because it's kind of the the softer marketing side, right. It's the communication side and IT just wants to do right. Well, yeah.

What's the ROI on doing, you know, change management? It's like it's, it's most of the time it's like it's just an added cost approach. I don't know, like that is such an important part to make sure you get it right. It's, it helps you avoid mistakes of the past, mistakes that other people have had and helps you really kind of get things going. So I don't, I don't want to get too far into it now because I definitely want to do like an episode on that. We've got a few minutes left.


I want to talk real quickly about the future of device identity here specifically. So maybe not necessarily like a lightning round, but maybe kind of a more brief conversation, like where do you see this going from a device perspective? Because now we've got, you know, super disruptive things like AI. Hey, we just made it, you know, 50 minutes without mentioning AI, which is probably a record for any IT conversation right at

this point. So like, where do you see things like AI or things and frameworks like shared signals framework or behavior analytics, you know, CAEP, continuous access evaluation profile. Hope I got it right tool. But things like that where, you know, we're starting to use data and analytics to improve things or measure things like where do you see that specifically on the machine identity side or I'm sorry, the device identity side? Yeah.

And so I, I, I think to your point, it's going to be right in line with how we're applying AI everywhere, right? It's, it's going to be a question of what, what data do we have and how, what, what do we want to do with that data and what correlations are going to make our decisions more powerful, right, more impactful, better etcetera.

And so in the device identity space, you know, a lot of the EDRs are already collecting like mass amounts of data from the devices to be able to articulate relatively clearly like their health status, right? Like, hey, this hard drive is going to fail in 10 days. So we're going to see it everything from like just as the simple operational pieces,

right? As well as, and I think we're already seeing this to a degree, like just with Copilot and your ability to interact with your machine, the ability to leverage AI to troubleshoot a device problem. So for an end user, if you know their settings are off or whatever, you can pull up a a chat, have a natural like a language based conversation with whatever AI platforms out there

and fix your problem. Of course, that alleviates our poor help desk folks from a number of things, so we'll have to skill them up and have them focus on other higher value tasks. But yeah, so absolutely everything from just operational efficiencies at the end user and back end perspective to our ability to detect and respond threats more effectively. Now the flip side of that is it's also going to be used to attack more effectively, especially at the device level, right.

So it will be a balance certainly I think the correlation across multiple systems for all of the things that we can get from a device, you know, location, who's logged in, when's the last time this person logged in, where were they before? And then be able to create feedback to, you know, our security teams in regards to the level of threat that that device poses to the organization and

make decisions based on that. And this is all this isn't like super future, 'cause this, this all is capability today. We haven't quite got there yet. So it's my future, but it's not a technology future. That's, that's all a possibility today. And then where we'll go from there. I, I don't know, like I especially as devices start to, to morph, right like the smartwatches, smart glasses and how do we leverage all of those, especially from a business perspective?

Yeah, we're going to be wearing a whole bunch of identity things on us given point. Yeah, Phones, tablets, watches, right, chips, you know, brain implants, all kinds of stuff. Yes, we started off this episode ganging up on Jim, which I absolutely love. So anytime you want to come back, we can beat up on Jim a little bit is good. Jim, I want to come back to you. You had about 45, 50 minutes or so


to kind of think about this conversation around machine identity versus, you know, can a machine or a non human have an identity? Are you prepared to come back at us with some fire that we need to chew on? I know. I'm kind of like barking up a a tree with this one. I'm old man yelling at cloud but it's really the vocabulary of it. So here's how I've always thought about identity and

accounts. If Shea has an identity or an account in Active Directory and the travel system and in the accounting system, how many identities are there? Well, the classic argument is there's one, there's one Shea, and those are accounts, right? Well, I don't see why it would be any different with anything else. And by the way, the perspective of each of those system owners was like, hey, we have all these identities.

When you talk to Active Directory administrators, they say I've got 10,000 identities in my system. And those may pair off for the most part one account to one person, but those are accounts. Those are not identities. Identities are in the HR system or in the contractor system. That's where they're originally started. And even those are probably accounts or that identity, but the identity is the person. And so you extend that. Now let's take the question of OK, devices.

Do they have an identity? Well, what's a device? Is it just something that is like a laptop, a phone, a tablet? What about a printer? What about a thermostat, thermostat that's smart and are all those identities? What about a thermostat that has multiple sensors on it? Are each one of those sensors identities like so where does where do you draw the line between they just have an account so they can authenticate to report data versus they're actually enough to say that they

have an identity. And to me it comes down to are they kind of a life form or not? That's where I think that the word identity should be used properly. And the one exception I've made in my deranged mind is that AI may get smart enough, that is doing all the characteristics of life form a human being would do and could potentially make decisions as good as a human being or better, and therefore

would qualify as an identity. But even at at this stage in the game, I would say AI would have to be considered, you know, the accountability of some human being performing the actions. And that person would be the one who decided whether or not they had access in an account to get onto your network. So that's why to me, it's like, is it an identity or an account? There's definitely gray area, but I always kind of go back to that, an identity as a human being.

I have thoughts Shea, do you have anything you want to say before I unload? Well, so I mean, I would say, I think it still comes down to like how you're defining identity, right? So I mean, Jim, you're defining it as like somebody who is, who has a soul. That's exactly what I was thinking of. Like the existential question of like a soul.

Right. But I mean, I think you could also classify identity as like a set of characteristics, attributes or proof that make an entity unique and recognizable and hopefully trustworthy given the context, right? And in that definition, I would say certainly what we're trying to build is the capability of hardware to have those things so that we can do some level of validation of their

trustworthiness. Now, if you're getting into the yeah, the, the philosophical soul sense of identity, I would have to then lean to Jim's direction and say, OK, the maybe it's the Webster's definition of that identity is associated somewhere like this along the lines of like personality or something that makes you uniquely identifiable. That, that today a machine can't have that.

But I do think that they can have identity in the sense of recognizable characteristics that allow us to make decision. I feel like this is where context matters, like anything else. So of course we have to, you know, think about that. So I get it. But I feel like yes, a machine, a non human can have an identity. We have MAC addresses. That's how you identify a device on a network, for example. There is a unique identifier associated with it.

So I think there's that. I'm not going to answer the soul question because I think you could argue some people have souls, maybe some don't. I think now you want to, you know, portray I. Think we can agree that Nope, printer has a soul. I can I can agree. Yes, that's probably correct. But the machine does have an identity, because how else do you address it? You've given it an identity by a MAC address. You've given it an IP address to say, OK, this is where I live on

the network. Yes, it is an identity. Yes, it may have a whole bunch of sub accounts that run underneath the context of that identity. Right inside of a printer, for example, you probably have a whole bunch of microcontrollers that are controlling the principal or that are controlling the display unit that are controlling the network information coming in.

Those are all accounts that are running certain mining, you know, tiny service accounts that are running on the in the identity, in the scope of the printer. The printer certainly, you know, is not a person that it doesn't have autonomy beyond what it's directed to. Do you hope unless printers start coming alive, Right. But I still think yes, you can. Yeah. Yeah. You know, wait till the AI printer comes out, you know, then then we're all screwed.

But I still think you can have identities all over the place. And I think it is the definition. How do you define what an identity is? I just feel like, yes, you can have both identities and accounts. Identities can report to other identities. That's why we have things like org charts and, you know, family trees and all kinds of different stuff like that, right? Where, you know, even on, on my

network, right? I probably have, I don't know, 200 IoT devices, you know, that are in my house. I have a smart thermostat. It has an identity. It has remote sensors I'm OK on right now in my basement where my office is that is connected as an identity back to my thermostat that then connects to my smart, you know, home app that gives me the temperature and, you know, does all the controls around that. So I do feel like I, I don't get stuck. For me in the soul concept,

identity is identity. What is human is a different, is a is a totally different thing. Does that make sense? So if we were to get down to definition, you're saying if it has a MAC address, it has an identity? A MAC address is an identity. That's what it is. Its purpose is is a unique identifier for, in this case a network device. So if a network card has multiple MAC addresses, it has multiple identities. A network card having multiple one network card.

That would be software based probably, but it would. Run in the context of another, what if a server has seven network cards in it, 7 MAC addresses? Then you're saying that server has seven identities. Well, so in a, in a instance of like a technical identity for a person, I know the, the conversation is going to be, are those accounts or those personas or are those identities?

But my identity as a Maricopa County citizen and my identity as a Maricopa County employee are distinctly different. And how you validate those identities and how I use those identities are going to be different as well from a technical perspective, right. And possibly even from a real person perspective, the way I, you know, go to work or the way I, you know, consume county services different, right?

So I, I would consider those two different personas or I mean two different identities if I was managing them as objects in any type of store, right? Because they wouldn't, they would be uniquely identifiable apart from each other. I wouldn't smush them together necessarily. I. Totally agree. So I can have multiple identities. And not just your head, I mean, Jim, you're not we have multiple identities, right?

I mean, a lot of people think we do the podcast full time, but I wish that doesn't that's this is what we do at nights and weekends. We have an identity as podcast people. Our day job is where identity, our identity there is well identity consultants kind of a bad you support there, but we are context switching between those identities. I don't know if those are different identities or different personas.

Well, maybe one or another, but we, you know, we I. Would argue that the MAC is a different persona then because it's it's there to do a different operation. The reason why you'd have, say, a separate network card or a separate MAC is to separate some, some process, some service very similar to a a human identity, even very similar to the ones in your head. See, now my brain starts to explode and it's like, all right, how how far do we take this? We now like explode the MAC

address or the network card and. On those podcasts, Yeah, exactly. This is something maybe I'll include this like in a future game show as part of my majority rules like can a machine have an identity? Yes no, whatever. And let's see what the crowd comes back. So maybe I'll. Definitely as as we get into as we get deeper into non human identities that are essentially potentially reporting up through an org structure, right. And I that one is probably more

future focus. But I, I do think that that's gonna be a future at some point we will have to treat them and, and apply the same constraints as we would for human identity to a degree, right? Especially, you know, AGI type entities, robots, whatever we want to. Call these agentic AIs running around autonomously, either doing things off of a routine right that someone has set for them, or them developing their own routines correct.

And so I think it's it's a very interesting question for our time right now because Jim, I think we are hitting that inflection point of how do we define it? And how do we, and this gets into some AI ethics which is probably a whole nother show, but how do we handle device based identity for things that are doing human like work? See, now I'm really glad that we didn't, that we named the podcast what we did, identity at the center.

We didn't call it human identity at the center or non human identity at the center. It's just identity at the center. No, didn't. Call it a council center, that's for sure. Persona's at the center. Persona's at the center. Yeah, pretty soon we'll have AI at the center. That'll be our our spin off show. All right. We've gone in like over an hour and I, I know you're very busy, Shea, So I really appreciate the time. I do kind of want to wrap up on


a lighter note, kind of getting to know each other before the call. One of the things that you mentioned was that you are kind of like a little bit like me. I call my, you know, a little bit of a Renaissance man where, you know, you get interested in a bunch of different topics and you kind of maybe get an inch or a foot deep and you kind of have like this, you know, wide range of knowledge. And I feel that's kind of the way I've always been interested

in things as well. And so I want to pose a question to you. If your approach to learning, which it sounds like it is, is digging those thousand different holes and maybe they're only an inch or a foot deep, right. If it was an Olympic sport, what would you call that? And then what would the medal ceremony look like? Yeah. That's a good one really start to to hit that creative side of my brain here.

I could I could go boring and just say call it a career and your paycheck is the I was kidding. Hopefully we all, we all are lifelong learners, right? Especially in IT because there's so much change there. But if it was an official Olympic sport, I'd love to have something like curiosity. Like curiosity cap. I don't know. That's kind of boring. I probably could get more creative than that if I had a little bit more time to think. But curiosity cap.

And of course, there's not necessarily a loser medal ceremony. Yeah, you get, I don't know, you get gold for see that and the curiosity and learning is a hard thing to measure. So I don't even have to think about how in the world we would measure it as an Olympic sport. Maybe the award is more questions. Right, more, more knowledge. Curiosity, right? Yeah, it's like, OK, well maybe that's the hook here, right? Is, you know, you like to learn new things.

You're always picking up new things like, oh, that's interesting. And you kind of, you know, learn that and then it it just never ends. Like that's the reward is there is no end. And you just, there is no end. You just keep on this loop. Yeah. Yeah, yeah. I mean, that's a, that's a good question. Yeah. I mean, it's, you just have to, yeah, create a gamified version where there's there's no true end and it's just always a what are you going to learn next and

next and next and next? And the award is like a bunch of different gift cards from a bunch of different stores because you can't pick just. One hopefully it's like education, right? You get credits to like go sit in on classes at Stanford or Harvard or get. Exposure stuff available. So you couldn't do it today, right? The mass was a mass education type stuff, yeah. Yeah, yeah. You get to get to sit with great minds and ask questions. And annoy them. They're they're part of it is

they have to be patient. That that is true. That is true. It's almost like, you know when you have a child, right? And everything is like why, why, why like OK, right. All right, we'll get through this. I mean, why is another good name for the the games? Why, Yeah. The Y. Games, I don't know, yeah, the Y games. I mean, you could play on that. X Games Y Games X. See. OK, see, now we're getting. Into now we're getting

somewhere, yeah. We need some OCM now to make sure that we roll this out correctly. Right, right. Jim, do you have any thoughts on on sort of that learning exercise? You nailed what I was going to say, which is never end. So it would be like you started during the Olympics and four years later it would still be going. So then it would just keep going and going. I kind of went through this and I, you know, I was having a conversation with our colleague Brian Lindstrom today.

I don't know if Brian holds on to the podcast for this long. We're already in over an hour, but we're talking about like, hey, we're in our 20s. We just like had this burning desire to learn. And for me, it was, I started learning about computers. I just love computers. I wanted to get a file from this computer to that computer. I wanted to figure out how to do it. And so I would get a book or, you know, the Internet wasn't what it is today, so I'd have to mostly use books and try and

figure it out. But I hated not knowing something. If I read a book and it talked about TCP/IP, I'd be like, what's this TCP/IP thing? I need to learn about it. Oh, MAC address. What's a MAC address? Why is it formatted this way and how do I talk from one MAC address to the other? What are the commands I write? And eventually it led to me doing the Microsoft NT4 MCSE, which was like a bunch of exams.

But that was another part of the obsession was not only knowing these things, but trying to score perfectly on the exams. Like I knew every intricate detail of these things and I wonder like how many people are in their 20s today who kind of attack it that way. But I think that is how you go from kind of like your entry level job out of college to more senior level positions. Like you have to have that, that burning desire to learn and you know what you know is never good

enough. And obviously it comes and goes as you go throughout your life. But like that time when you're first out of college, like that's when you have to just consume and build your knowledge. And I think being able to straddle the non Internet age and the Internet age learning is overwhelming now.

So it's really an exercise of focus and being able to, Jim, to your point, like really take in the subject and not get distracted by the 50 other things that are going to be in front of you as you're looking into that one thing. At least that's my my struggle right now. It's just, there's so many things I know I don't know now because you're exposed to so many things that picking the that that path gets more difficult for, for our folks

coming out of college, I think. I just think of like squirrel and then all of a sudden like there's something new. I don't want to figure what that is. Not a squirrel or whatever it is. OK, let's go ahead and wrap up.

Conclusion and Final Thoughts

This has definitely been a longer episode, but this has been a fantastic conversation. Shea, open door policy. When you're ready to come back, we want to talk about OCM or anything else. Let's do it. And yeah, appreciate you being on the show and set aside some time for us. We normally will put our guest LinkedIn profiles in our show notes. So hopefully, you know, that's it'll be OK. Give me a thumbs up or not.

If it is absolutely OK, cool. And people can reach out if they have questions or, you know, want to wax poetic around, you know, what is human? Maybe, you know, hit us up on comments here or on, you know. My LinkedIn inbox. It'll be, you know, along with the recruiters fam, and for me like podcast promotion experts, right? All that other stuff. So, yeah, but I appreciate you spending some time with us. And, you know, thank you all for

watching and or listening. You've stuck with us this far. And yeah, find us on the web, idacpodcast.com and we'll talk with everyone in the next one. Thank you. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.
