#385 - Sponsor Spotlight - Nexis

Nov 13, 2025 · 53 min · Ep. 385

Episode description

This episode is sponsored by Nexis. Visit nexis-secure.com/idac to learn more.


In this sponsored episode of *Identity at the Center*, host Jim McDonald sits down with Dr. Heiko Klarl, CEO of Nexis, to explore how the company is advancing authorization governance for modern enterprises. Dr. Klarl explains how Nexis builds visibility and control across fragmented identity landscapes and why “better together” is the right strategy for enterprises with multiple IAM systems.


They discuss the emerging Identity Visibility and Intelligence Platform (IVIP) category, the value of automation and remediation in governance, Nexis’s unique “health check” service, and their ISPM capability that helps clients identify unnecessary access—and even save on software licensing.


Learn how Nexis integrates with IGA and PAM tools, streamlines application onboarding, and helps customers measure the real business impact of their identity programs.



Connect with Heiko: https://www.linkedin.com/in/heiko-klarl/

More about Nexis: https://nexis-secure.com/idac



Connect with us on LinkedIn:


Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/


Visit the show on the web at idacpodcast.com



Chapters

00:00 Introduction and Sponsor Message

00:42 Meet Dr. Heiko Klarl, CEO of Nexis

01:29 Dr. Klarl's Journey into Identity and Access Management

03:09 What Does Nexis Do?

05:00 Challenges in Authorization Governance

06:43 The Importance of Visibility in Identity Systems

08:23 Nexis' Role in Enhancing Existing IAM Investments

10:05 The Concept of IVIP and Its Relevance

21:48 Nexis Platform Capabilities

23:24 The Health Check: A Deep Dive

27:22 Understanding Health Check Costs

28:27 Exploring ISPM and License Management

32:09 How Nexis Integrates with IGA Systems

34:11 Application Onboarding and Compliance

36:38 Measuring Value and Success with Nexis

43:10 Global Reach and Market Focus

45:02 Connecting at Conferences

46:49 Visiting Germany: Recommendations and Insights

50:17 Final Thoughts and Resources



Keywords

IDAC, Identity at the Center, Jim McDonald, Jeff Steadman, Dr. Heiko Klarl, Nexis, Nexis Secure, NEXIS 4, authorization governance, role mining, role management, IGA, IAM, IVIP, Identity Visibility and Intelligence Platform, access certification, remediation automation, health check, ISPM, Identity Security Posture Management, license management, enterprise identity, compliance, visibility, identity governance, access review, Gartner IAM, EIC, KuppingerCole

Transcript

Introduction and Sponsor Message

This is Identity at the Center. Hi, welcome to the Identity at the Center podcast. I'm your host, Jim McDonald. Unfortunately, Jeff Steadman had other activities going today and wasn't able to make this episode. This is a sponsor spotlight with a company called Nexis. They're at nexis-secure.com and I hope you have an opportunity to check them out at nexis-secure.com/idac. Again, this is a sponsored episode, so it's a little bit different than our regular episodes.

Meet Dr. Heiko Klarl, CEO of Nexis

We're going to be joined by Doctor Heiko Klarl, who is the CEO over at Nexis. And that's NEXIS, in case you're wondering. And Doctor Klarl's going to kind of give us what they do and how they help solve the identity and access management practitioner problems that we all kind of fight with on a daily basis. So welcome to the show, Doctor Heiko. Yeah. Thanks, Jim. It's a pleasure.

Well, really glad to have you here, the pleasure's all ours and we really want to learn about Nexis and what you, what you guys do and what it is that you bring to the market. So, but of course this is your first time on the Identity at the Center podcast. So maybe you can kind of give us

Dr. Klarl's Journey into Identity and Access Management

your background how you got into Identity? Did Identity choose you or did you choose it? Yeah, that, that's a good question. So I would say I've chosen identity.

So back in time, more than 20 years ago, I started computer science and at the end I had to kind of make my diploma thesis and all the kind of security thingies have been super exciting for me. And basically I did research on service oriented architectures and business process modelling and how to apply some security things with an example of BEA

WebLogic Security. So the listeners experienced in a longer time in the market probably remember still BEA. Yeah, this was my step into the kind of identity and access management business and and community. And after that, I did my PhD also in, in identity and access management and was researching on how to apply access policies

into business process modelling. So you probably remember back in time, but the service oriented architectures, everyone had the hope that business people, business departments can model their processes and so on. And then what's the question on how to keep it secure? Can we model it in an, in an model language like BPMN and kind of having an an, an process to create a model driven approach to create all the models that finally are needed to end up into a policy for

commercial off-the-shelf products? Yeah, the rest is history. And the rest is history. So now you're part of the

What Does Nexis Do?

industry and you are the CEO of Nexis. And I'm wondering, you know, what would, you know? Give us the elevator pitch. What does Nexis do? Yeah, Nexis takes care about authorization governance. So we're taking care about helping large enterprises, regulated customers such as insurances and, and and banks to do a proper role mining, role management and role life cycle

management. Or in a wider sense, going away from a kind of static authorizations also covering the dynamic part like attribute based access control, policy driven based access control and this kind of stuff. And we see that especially in regulated challenges, it's quite cumbersome to really ensure that everyone is allowed to do what they should do and not, not more. And so all the kind of access review things are quite

complicated. And looking back those 20 years in the industry, basically I started my career with Sun Identity Manager 20 years ago. Things are still not super great. So business managers are still struggling when they have to recertify and review access for the employees. And this is where Nexis comes in into a Better Together story, sitting on top of large IGA products such as SailPoint, One Identity, Saviynt, Oracle, IBM, OpenText, you name it, in a Better Together story.

And that's the most important thing. So we are bringing those capabilities that clients are missing and kind of ensuring happy customers. Yeah, I I love that Better Together story. So you, you mentioned a lot there. We'll get to dive into all of it.

Challenges in Authorization Governance

One of the things that I kind of took away from what you're talking about was creating this visibility over the authorizations. And I think that's such a key. It's one of the things that practitioners struggle with is how do you get visibility to everything, all these identity systems, identity silos that exist within your organization, and how do you make sense of it all? So does that resonate with you? Absolutely.

So the, the whole visibility part in getting rid of this of silos is something the whole industry is, is struggling. There are so many large enterprise customers out there. They have at least one most likely 2 or even more kind of IGA focused systems, an old one and a new one and with an M&A, a merger, a third one that will have some PAM systems and probably a couple of access management systems.

And despite every, everyone is moving into a kind of consolidated identity and access management landscape. It just takes ages. So recently I was talking to a big bank here in in Europe with roughly 2 1/2 thousand applications. They have just managed to onboard 500 so far into their new IGA solution.

And so basically they have 500 there, 2000 there, which makes you as a manager, which makes you as a CSO and finally as a CEO completely blind whether you can really fulfill your compliance obligations and building the umbrella on top of the systems is really that what helps.

The Importance of Visibility in Identity Systems

So getting the visibility across all kinds of IM vendors and products and across all kinds of identity. And not only the visibility, I think and very, very important part is not just to create a task list of things that are not looking good, but also to provide a proper remediation in the sense helping helping IM teams and helping business departments to clean up things kind of immediately with automated remediations. Yeah. I mean, ultimately that's a big part of the why, right?

Like how can you manage what you don't, what you can't see? You have to be able to see it to have the ability to manage it. And maybe you just answered my next question already, but I've got to think a lot of identity practitioners start with the question of I've got an IGA system, I've got a PAM system, why can't I just do what I need with them? Why do I need Nexis? Do you hear that much? It depends to whom we are speaking, but but we hear this

question. So I would say to those identity practitioners that are experienced and that who have done it before or kind of who have progressed and basically left the honeymoon phase with the IGA tool. Most likely they have experienced. It's not everything polished and shiny like they have probably expected and then they get quite quick. Oh, that's the problem Nexis solving and this is the solution we are providing. OK, make sense, give us a demo. And then their understanding is quite there.

When you're in early stage, so you're starting on a Greenfield

Nexis' Role in Enhancing Existing IAM Investments

approach or having something very, very old, old school, then people hope for sure that all the new products, their Magic Quadrant leaders, that they completely fulfill what they're expecting and, and to be fair, the large players do a good job

as well. They have mature of the products, but when you are a regulated industry, you have so many additional add-ons like maintaining a proper segregation of duty implementation across a variety of system really do a proper access reviews and recertifications whether it's often direct assignment, but any policy has to be recertified at a certain point in time. And this is often a little bit too

technology focused. So it might be doable for an IM practitioner, but it might will both be doable for an senior consultant in finance, for an HR manager and this sort of non IT folks out there in the companies. So our mutual friend Rebecca Becky Archambault from Gartner posted recently about this IVIP space and her research that was recently published about IVIP. I noticed that you are one of the first person to reply to that post and comment on that post.

So I guess my question is, is IVIP the space that you see yourself in and you know, even before that, like do you feel like the boundaries of IVIP make sense to the practitioner?

The Concept of IVIP and Its Relevance

Absolutely. I, I would say so. So I really appreciate that this, this term, this box was coined by Becky and and the Gartner team and that discussion within the community started. Is it a platform? Is it not a platform? Is it just a bunch of

capabilities or or? So I think what's really important is that there is an understanding, there is a kind of software, a kind of product out there that are building this umbrella function in order to fulfill this Better Together story and bring additional capabilities in.

Some products are are missing and missing for often very good reasons cause larger players have to focus on on other areas and not going super deep for specific industries or for specific use cases and everything, every technology or every area of technology that has a name is far easier to to

discuss. So when you do an industry comparison, when you do a tool selection, it's far easier if you have a label, if you have a name for it and say, OK, this kind of technology, I want to understand better, I want to make a deep dive. And so this helps at the end of the day, everyone is you have a clear label, you can do a proper comparison and you have an answer in the sense of of a

Lego brick. So to say that you put on top in your enterprise architecture and say exactly this IVIP category is taking care about this in my enterprise, yeah. What I take from what you said is that Nexis works with your existing investment in identity technology, which I think very few companies make these investments and want to walk away from them every few years. So buying tools that can kind of enhance the functionality seems to make a lot of sense.

And I think that's a lot of what the IVIP space is about, right? Increasing visibility, increasing intelligence and adding on to the capabilities. And I'm wondering, there seems to be like a lot of companies that kind of their solutions fall into the space. How do you how does Nexis differentiate from the pack? Yeah, that's, that's a good

question as well. First and foremost, I think you're absolutely right and that that hits the nail that IVIP or IVIP as others are saying, ensures and saves existing investments into technology. When you have rolled out an IGA tool, an integrated 1 1/2 thousand or 2000 application, nobody is really willing to rip it out three years after and say, OK, we start completely from from scratch and are now bringing in another, another tool that's just a slightly

better. Because at the end all the human related processes, all the integration processes, are they the cumbersome work and the work that really is creating a lot of effort for for integrators, for consultants, for IM teams. So basically having some something there that's well integrated that works, where provisioning works is super fine. And then there are just a few capabilities missing. It's far, far smarter to sit

something on on top. And coming from the enterprise engine, you have IGA systems and let's just PAM systems for example. You want to ensure SOD, you can figure out on how to do it or you say OK, SOD is done by Nexis in their IVIP space building an umbrella between IGA system and the PAM system and you can ensure that no one really conflicts with your SOD segregation of duty policies. What's the difference between all the vendors that that are there? I think IVIP or IVIP is at the

very beginning. So it's kind of in the finding phase what's really included and what's really not included. My point is that the visibility part is a very important part of figuring out across all types of identities and across all different systems of IM building this umbrella and bringing visibility to the business side. That's number one. Number two is visibility is not enough observability.

Like for example, Martin Kuppinger, who was also a guest in the IDAC podcast in in the past says is important. I do say it's remediation. Basically we have the same understanding, not just creating a list of findings because everyone knows his mailbox or his large to-do list. So basically this doesn't make sense.

Having an automated remediation for at least the most important findings or the kind of standard routines makes absolutely sense in order to get get rid, RIP off a task list list that that's just law at the end of the day. Yeah. I mean, you know, I think Martin has his finger on the pulse of, you know, he's got this identity fabric concept that talks about a lot in his presentations and to me, a spot on.

It's like, you know, enterprises that are complex, you have tools all over the place, but when it comes to something like visibility, having tools all over the place, it's, it's not the solution, right? You need something to be able to aggregate all of that. You brought up the idea of segregation of duties. To me that's the perfect example. It's like how does somebody's access relate across the enterprise and all these different identity systems that give access to business systems

and do those capabilities? Or do you know, within your sets of authorizations, do you have the ability to, you know, maybe it's not commit fraud in the accounting sense, but do things that you're not supposed to be able to do? How would you even have the visibility to that given, you know, a spattering of different tools in different places, or tools that really just don't show the full scope of all the access? Absolutely. And this, this is the, is the big challenge.

And when you have the visibility, you're sitting on all the identity related data. And then the next place starting we, we recently released ISPM, Identity Security Posture Management, for IGA 'cause when you have all this historic data and then you have the current data and when you will be aware about the future data, you can find out is there something on going on that's smelly? Is there some deviation from

what this could look like? Let's say Jim McDonald is an engineer and you have been an engineer in your company the last 10 years and out of a sudden on a Sunday you get high risk HR privileges. That seems not to be OK and I can immediately make a proper remediation. Some people might say, OK, that's now a corner case and cyber attacker is preparing Jim's account and probably it is, but see it from an from another angle.

You're assigning some authorization, some some roles or policies to a new employee as as a manager. And there are, you know, in the US, in Europe and everywhere around the world, there are this very, very common names. So you have this John Smith and there are probably at large companies 20 or 30 John Smith and 10 of them are working in IT and probably in the same, same department but not in the same team. So the likelihood that you just picked the wrong is quite, quite high.

Or giving you another example, the movers process and process that's quite common. You're moving from Department A to Department B and most of the time you have some obligations to fulfill for your former team at least for the next month, two months or for the next next quarter. And this is a friendly collaboration. So what happens? You're getting the new policies, the new authorization, the new roles for your new department

and you will keep the old one. Does somebody really take care about that you're getting getting removed from this policies? Most likely not.

So the old manager doesn't probably really care 'cause he has you all the time and probably he can approach you 5-5 months in the future and ask for help and the new manager will probably forget it. So if you figure out, OK, that's an, that's a move and I apply some dynamic policies on it and I probably give them an, an, an end date and the roles are automatically disappearing or before disappearing. I'm asking you, hey, Jim, are you really using those

authorizations anymore? Do you need them in the future? Then I can have an automated clean up across the company. And this sums up in a really, really large work reduction where managers don't have to review some things and confirm some things. They don't have a clue. And when I'm talking to customers or when I'm speaking on a conference, I always laughed. The example what's when you're a manager, what's the best thing to do when you have an access review?

It's always saying yes. And I can tell you, I can tell you why. The moment you say no, you take something away from somebody. So you always risk that your team is not working properly anymore. And then you are the bad guy who kind of messed up the company or messed up the process or probably messed up an important delivery when you're just saying yes, that's not good from a security perspective and that's really bad from an IM

perspective. But the likelihood that you are the guilty guy who has said yes yesterday and the company will be attacked tomorrow and basically you are the the guilty one is super, super low. So most likely the kind of best individual strategy is just saying, yes, you have less, less work, you don't have to think and everyone is up and running

again. And from this kind of very human behaviour, you have to get away from and provide systems that are kind of incorporating the security and the safety mechanisms that the company is secured without kind of human interaction, so to say. Yeah, So interesting that, you know, you brought up so many different use cases that resonate with me. And I was trying to think of what is the the, the Uber use case.

And I thought obviously large global organizations where there's some level of decentralization happening and identity systems are just by nature a little bit all over the place. But then I was thinking, imagine the private equity scenario where you have a a portfolio of companies and maybe you're doing some level of shared service or you have some people who have access across multiple companies and you're pulling that data back.

I don't know. It just struck me as something that would be an interesting use case for this type of technology. One thing that you you also mentioned that I, you know, just I want to pick on that term platform for a minute and you guys you have a platform, right?

Nexis Platform Capabilities

You have multiple capabilities within the platform. And I was wondering if you kind of enumerate those for us so that we have a better understanding of what is the total product offering from Nexis? Yeah. So yes, we do have a platform, but I know also that some people don't like the platform term cause platform can be gigantic, platform can be a a bit smaller, a platform can be in, in, in between.

So whether it's a platform or not, I would say it's an it's a great collection of capabilities that are playing together and creating value for customers. From an pure Nexis perspective, I would say it's a platform as a software product. From an enterprise architecture point of view, referring to the identity fabrics, I would say we are covering a lot of capabilities within the identity fabrics and then you draw the line around then this is this is our platform.

So we, we've been talking about the role in authorization governance and the analytics piece where we help you to handle access reviews, probably where we incorporate AI for access administration, but also kind of role mining and role discovery in order to help businesses to kind of clean up the space. We, we have a very cool health check format that's like going to the doctor, giving them a bit of your blood and you get an examination later on an

examination report. And we're telling you what's good, what's bad, and how you can improve within on a on a written road map and strategy to get better. That's really interesting. Can you tell me, let's hone in

The Health Check: A Deep Dive

on that health check, then we'll get back to my I'm sorry to, to pull you all over the place, but I, you brought up the health check and that sounds like, OK, there's something actionable that people can do. Tell us more about the health check. Absolutely. And this is why I really love the the health, health check.

So you're a big company and normally you are having a bit of a feeling that your role and authorization landscape isn't looking that good, but you don't have really a clue to convince your management to get additional budget.

Your pain is probably not documented well enough to move on. And this is where the health check comes in. You get a Nexis subscription for a short term of four to 8, four to 8 weeks either on SaaS or as in a container for on-prem, which makes it sometimes a bit easier as you don't have to handle all the data protection thingies as everything stays in in in your company, especially for European companies. And then we help you to load in

a copy of your production. So nobody in the company has to be afraid that the production environment will be messed up. It's then a kind of a read only snapshot and then we do the investigation and after we've done the investigation, there are two potential outcomes. Option 1, you have done an excellent job. Then you can get a certificate from us on how great your authorization landscape looks like. You can go to your boss and say, hey, I'm I'm the man, I'm your man.

What about a pay raise or something like that? Unfortunately, that's very unlikely that that's very unlikely. So that far more likely cases that we have some findings, but this is good for you as well as an IM team or an IM practitioner manager whatsoever 'cause you have this documented findings. OK, we have found your IM landscapes looks like this. This amount of roles, this amount

of direct assignments. Most of the time it's kind of quite messy to be honest, but we are not just finger pointing to those things that are not looking well. We give you also a road map on how to remediate things and how to improve things with a kind of effort estimation and how you can do it in a tool. So you're not going a bit bad news to your management and saying, OK, that's that's the bad news because nobody wants to hear bad news. You can go to them with a solution.

You can say we found out that and we have now the proof that we have really to take action on in order to make a proper security within our company. And this is my plan, this is my strategic road map on how to get rid of it. And this is a very, very good starting point to have really this data and fact based discussion, discussion within the team and not a feeling where some probably have a good feeling and some don't have a good feeling. The cool thing is you can decide on your own.

So basically whether you go ahead with us or not, the health check is a value on its own 'cause you have all the examination results there, you have an road map there, what you can improve. So you can use this, this all this information for improving your, your landscape. Anyway. I, I always compare it to real doctor. So you go to the real doctor and they take your blood and they examine your body and probably they will say, Heiko, you're a little bit too heavy for your

size. You can probably eat a little bit less fat and do a little bit more better nutrition, what whatsoever. But after that, I can decide on my own. Do I change my behaviour? Will I increase my sport activities? Will I change what I'm eating, something like that? Or am I fine with it? So I'm not forced with the results from the doctor nor our customers with the results from our health check. OK, so you might have said it

Understanding Health Check Costs

but I and maybe I missed it. What is the charge to do the health check? How much do I have to get approved to pay you for this? That that's a good question. So it depends on the number of identities and the company size. Basically it's an always an individual offer. But let me say this, for most of the companies, it's it's something which can go either directly below a procurement level or short, short above. So it's ideally for the end of the year. Now it's November.

So if you're looking for a last term activity, the Nexis health check that hits the nail. OK, that's good to know. That's something that I think everybody should look into it again, kind of go to nexis-secure.com/idac. I think the information on the health check will be there. Heiko, you, I so rudely interrupted you as you were kind of describing the platform. I want to give you an

Exploring ISPM and License Management

opportunity to pick up where you left off. And I'm sitting here thinking you had mentioned the ISPM piece earlier. I know you're going to save the best for last, right? That's something I'm very interested in hearing about as well. So yeah, I, I already elaborated a bit on on ISPM. What I really love within the ISPM is the license killer, which is probably something you don't expect with an IM. Why did we come to the license killer?

So we, we've started with ISPM that the one thing is assigning you, whether it's dynamic or static policies for things you are allowed to do that's good. But when you're not using things, you should lose it. So use it or lose it as the saying saying goes. And from that we said, OK, it makes absolutely sense to figure out is an identity using the authorizations the identity has been given. 'Cause when not I can reduce it.

And then basically I'm following the principle of least privilege on the one hand and reduce my security exposure out out there. For a couple of systems, this works very well. That's Microsoft Entra ID Governance. That's SAP in the cloud as well as all three and all those systems that provide us the data directly or whether with an access to the scene. There are applications out there to be honest that just don't have information who's actually

using what in my application. But given that you can provide us the data, we can ensure that we kind of cut down your privileges, cut down your authorizations to the number you're really using, which makes it easier. And the less direct assignments you have, the better it is for everyone. And then they come to the to thinking, what does it mean if it goes down to zero? You're not using the system at all. And imagine a large enterprise with 100K or 200K employees.

How many employees have subscribed for this cloud service, for this Microsoft add on for this kind of stuff and this kind of stuff and not using it, but also not giving it back. So have you ever heard someone approaching an IT team and saying oh I have too much software, I have too much privileges, please, please take it back. So having is better than needing and this is the principle most

most employees are are working. So when we figure out there is nothing left, we can remove you at all from the application, which means we can give a license back. And when you trusted the math with 100K or 200K headcount company and we have just a fraction of those people that are not using a certain SaaS service Salesforce license or something like that, it sums up in an into enormous amount.

And so this is really cool. And then we presented it to our customers and also where we have this kind of discussions with them when in the, during the signing phase, we've learnt that so many IM teams are approached by license management. So can you tell us about how people are using the software your IM, you're giving all this kind of access thing is, can you tell us more? And most of the time they have been suffering and at the end they have to say, oh, no, sorry,

we can't. And you're now kind of kind of covering this, this white spot and helping customers to follow the principle of least privilege on the one hand and on the other hand, saving costs at the same time.

How Nexis Integrates with IGA Systems

I think he gave a really good overview in like the why of Nexis and kind of like how you get the value. Now I'm going to talk about the how in terms of like how it actually worked, because you talked a little bit about how it sits on top of an IGA system. It sounds to me like it leverages a lot of the data that's in the IGA system. The idea is then to provide managers with the information they need so they can make good decisions during an access

review campaign, for example. I'm also wondering, is there some kind of, so you're pulling data from the IGA system? Are you pushing data back into the IGA system? Going to talk to me a little bit about how that whole process works. Absolutely. You described it very well. So we're sitting on top on those IM systems, a lot of IGA systems where we have very, very mature connectors, certified connectors reading the data

route and writing the data back. So when we are changing something, we can write it back at the same time, which is important because otherwise you can't do any improvements or remediations then you are trust on kind of read only system. So, so to say the advantage is that companies save their investment, they have kind of rolled out SailPoint, One Identity or so

then all the integration. So it doesn't make sense to do it again with Nexis. So when we are sitting top of them reading out the data and kind of providing it back is quicker for us, a shorter time to value for the customer and saving a lot of integration, integration efforts when rolling out new applications. It's always the question, so how do we do onboard now an application into my IGA system?

Application Onboarding and Compliance

And this is where our application onboarding comes into play where we have this kind of very, very structured process to collect all this data that's needed for doing a proper integration into, say, One Identity, Saviynt, you name it. Why? Why is that important when you're talking to IGA practitioners and you have probably done it so many times in the past, they are suffering all with speed of application onboarding and with costs.

Coming back to a very, very simple example, doing the math, you have two and a half thousand applications and you want to onboard this 2 1/2 thousand applications. And it takes just one day for doing a bit of conversation with the application owner, sending him documentation, asking for documentation back for some technical settings, but also for

business settings. In Europe, for example, there is a finance regulation called DORA, the Digital Operations Resilience Act, which requires regulated companies such as banks and insurance companies to do a proper documentation about SoD recertification cycles and this kind of stuff. So it's a lot of things you have to collect and incorporate somehow. And we've glued that into a

product. And now imagine you're doing this 2 1/2 thousand times, one day, and you apply a Trulia consultant and for the sake of simplicity, just let's say it's $1000 a day, that the math is easy. Then we're ending up with two and a half million dollars. A Trulia consultant is just asking people in the enterprise, hey, can you give me this information? And probably they won't react. They're giving you kind of information in the format of choice, but not in the format

you can really eat. And our streamlined process helps exactly to go there and kind of reduce the workload. And at the end of the day, you have this kind of collected set of information in order to either use the IGA software application onboarding tool that does all the kind of connector configuration or when you're working with an SI or a managed services provider, they have often built their own procedures on how to do those things very, very quickly.

You can use all the data you have collected with us, throw it into these tools and kind of doing quicker onboarding with the sake of speeding up enormously.

Measuring Value and Success with Nexis

One of the things that you've done throughout this episode is really done a good job of kind of sprinkling examples throughout. And one of the questions we always like to ask our sponsors is how do customers show value or how do they measure the value they're getting from the Nexis solution so they can communicate upward. You know, hey, this is the difference it's making. This is why it's worth the investment.

Maybe you can kind of answer that question and again kind of give some examples where you've seen your clients be able to do that. Yeah, it's very manifold and very specific for the use case of what success looks like and also a bit related to the customer for sure. But let me pick the example of access reviews or policy reviews for recertification for regulated companies that have, this is a thing that you have to do regularly, whether you like it or dislike it.

And most of the time this is one of the, let's say, Halloween month or horror month for the IGA teams. They have to prepare everything. They're reaching out to the business departments and everyone has to give feedback within 3 or 4 weeks to kind of finish your initiative. And so one very important KPI for them is have things kind of sped up and especially has the number of manual assignments

been reduced significantly. So when you can assign a lot of authorizations via birthrights, via dynamic policies, I had earlier the example that your assignments run out automatically after a quarter, for example, or after you changed your organizational unit, something like that, you don't need that many certifications anymore, recertifications anymore. So the workload is significantly reduced. And this is some KPI to measure.

Another thing is we had a customer, also a finance institute, they wanted to put everything into business roles. So no individual assignment of entitlements or so. And they had a big initiative and basically they succeeded to do it that way. And all those things you can put on your KPIs and really measure whether you have been successful or not. As my last example, I was talking about application onboarding or the authorization

concept. And this is exactly the way imagine for the authorization concept where you have a written documentation about your policies, about review cycles and so on. And you have to do this for 2 1/2 thousand, 1000 or even just 500 applications. And you know, the tool of choice for so many people is Microsoft Word and Microsoft Excel. It's a super flexible tool. You can do everything, but you have boundaries quite, quite early.

So you're starting and at the moment you're ready, your documents are outdated because your system landscape has changed. Back in time 20 years ago when everyone was doing waterfall and then there was probably 4 releases or three releases a year, you might have been able to kind of align updating your documentation with that release. Now everyone works in an agile mode.

Agile teams are continuously releasing and basically every day something is changing in an enterprise IT landscape. And so it's a never-ending story and it's a nightmare. Imagine you have now a system that basically gives you an audit when a non-compliant situation pops up. So you can measure this documentation is not compliant anymore. You get a red traffic light.

You can work on it and kind of move back into a compliance mode and reduce the time of being not able to have your proper proof of audits that you have to show up to the auditor, for example. Yeah, of course. So I want to shift the conversation a little bit. And we always have one question. I feel like if we finish this episode and I don't ask a question, I'll feel like I missed out. So how did you come up with the name Nexis? And it's N-E-X-I-S.

Yeah, so I didn't come up. So the founder of Nexis and my successor Ludwig Fuchs, who did also his PhD by the way, at the same university in Regensburg, which is Munich metropolitan area. And I started the business and had to look for a company name. And this is at least what he told me, all the scientists and they do have a

research project. They are inventing these funny names, abbreviating some things and sometimes the abbreviation is a match and sometimes it's not a match. And so basically it was Next Generation Information Security Systems and now you get it. There is no Qi in Nexis. But anyway, that's some kind of scientific word play. Originally it was Next Generation Information Security Systems, now it's Nexis and as I said, N-E-X-I-S. I love it. That's great.

So you mentioned also Munich, is that in Germany where you are headquartered? So we were headquartered in Regensburg, which is an old medieval city going back to the Romans, which is 100 kilometers north of Munich where I'm living. So it's Munich metropolitan region. From a US perspective, it's just a suburb

of Munich, so to say. You know, as you're talking about the solution today and kept thinking to myself like this is needed by pretty much every organization that is of any kind of that is sizable. Is the solution focused on the European Union or is it applicable? Do you basically market your product to the United States and Canada or what are the limitations in terms of what geographies should cover today? So basically it fits for

Global Reach and Market Focus

customers around the globe. That's the important message. And then I started back at Nexis beginning of the year, I did a lot of travelling, meeting a lot of people also in the US, attended various conferences, was talking to customers, was talking to systems integrators also to get my own perspective on what they are saying. And it's absolutely clear, as you said, it's a match for US customers, for North American customers, for Europeans and for

APAC customers. So for customers around the world, our roots have been in the German-speaking region, as Nexis was, and this is probably a story that's different to so many of your guests here in the podcast. Nexis was not a VC-based company.

It was bootstrapped without any money and kind of running up and by Ludwig, Michael, Matthias and the team, which is a great success story being there 15 years in the market and having done you think becoming mentioned that Gartner without getting a big load of money where you can invest in the product. On the other side when you do so, you don't have this really big sums for GTM for sales and marketing to kind of pop offices around the globe.

This was not done in the past, but the team started two years before forever starting three years to kind of professionalize all this scale or to prepare the scale-up phase, so to say, hiring marketing, hiring sales and approaching the global market. And now we've got probably an extra traction on top of it scaling across Europe and talking to US customers as well, those who are listening and

Connecting at Conferences

those who will be attending Gartner IAM in Dallas. Michael and I will be there as well. And we're more than happy to meet or having a coffee without any sales talk, but just from an identity enthusiast perspective. So it's always great to talk to identity people. Yeah, I saw that you had that on your LinkedIn bio or your title identity enthusiast, and I'd love that.

You know, I put on there identity practitioner because that's how I see what I do professionally as like I'm writing the game with folks who are doing it on a day-to-day basis. And I am as well from a consulting perspective. But I just look at us as we're all fighting the same battle. You mentioned conferences. You and I spent some time together at EIC. I think that's a fantastic conference. I did want to bring up the

Gartner conference. So if people want to reach out to you to meet you at any of these conferences, what's the best way to do that? What's the best way to do so? Either drop me a message on LinkedIn. I'm the only Heiko Klarl out there, so I'm quite easy to find. We can put the schedule link or a contact link on nexis-secure.com/idac as well, so that's probably the easiest way to reach out to me.

Yeah, that's fantastic. And I know you're somebody who is like a kind of an open network or so anybody who's kind of in our industry, if they connect to you on LinkedIn, you're always open to those kind of conversations. The one thing that we like to do kind of our tradition around here is to always end on a lighter note.

Visiting Germany: Recommendations and Insights

And I've been to Germany a few times now. I've been to Frankfurt and I've been to Berlin. I've never been to Munich, but putting all that aside, I want to know from you, what is the thing in Germany or the place in Germany that people should visit? I would say that's for sure Nexis headquarter, Ratisbon at the Danube River, and Munich, and I can tell you why. So Munich is a great, great, great city, the right size, very international.

We do host Oktoberfest, which is a great event for so many people out there and it has the right location within Germany, so it's a short way to the Alps, to the mountains for those who like hiking. It's not that far to Italy, where you can go either to the sea or enjoy the mountains as

well. It's a little bit more up into the north to the North Sea and Baltic Sea, but it's a very lovely place and why it's Ratisbon, Regensburg, our headquarter, not just because it's Nexis headquarter, but you're more than welcome to visit us in case you're doing some tourist stuff there. It's an old medieval city going back to the Roman times.

That was my friend Andrea Rossi from your mount visitors us just a few weeks ago during our customer custom event and the summertime as well. And it feels like an Italian city and all the things that are looking like they are old, five, six hundred years, they are really old.

So especially for Americans that know very, very new and modern city with a great skyline, Regensburg is probably the opposite, being there in a time machine experiencing an old medieval city that was not destroyed during the war. Yeah, that sounds really great. So Andrea visited, it sounds like, right around Oktoberfest, right? I mean, that's the time to come to Munich and well, I think that's it's either the time to come or the time to avoid. What do you say?

So I like Oktoberfest very much. So I would say it's the right time to come back. Prices are high, for example, and you have to take care to kind of adapt your drinking to Oktoberfest style in the sense the beer is larger and the beer is stronger. So most likely you can't drink as you're used at home and have to slow down a bit to be fit for the next day of Oktoberfest as well.

But if Oktoberfest doesn't work out, then Oktoberfest is at the end of day of September, which is off my voice friend and a trap. The summertime is really nice. So in end of September it's getting already cold, but in July, August the temperatures are quite high and nice and it's not as hot as in other places where you can't go out without any AC or so.

This is a great time for visiting both Regensburg and Munich. You know, it sounds like very wise advice and hopefully we all get an opportunity to take you

Final Thoughts and Resources

up on that and come over and visit. Was there anything else, Heiko, that you'd like to leave as kind of like parting advice or parting words for the identity practitioners who are just learning about Nexis and what you do? So there is a new report out there fresh from the press from Martin, not from Martin Kuppinger, but from KuppingerCole Analysts, from the analyst literature and executive view on Nexis.

We'll put it up to the nexis-secure.com/idac website as well, which is a great read. Basically what we've been talking about today written from the analyst perspective in three to four pages. So it's a quick read when you're commuting or when you have just a couple of free minutes to work through. I think that's really great. Otherwise, I said I'm regularly attending a variety of conferences. I'm attending identity as well.

And Enrique, our joint friend is organizing one very, very likely for Gartner IAM as well. So be there if you see me, if you recognize us, say hello. And I'm more than happy to have and chat, whether it's about identity or any other topic you're interested in. I'll definitely be there. So add me to the list and if you get a chance, if you're out of Gartner, please come out and meet us. Thank you so much for doing this, Heiko.

One more time for everybody's nexis-secure.com/idac. You'll have that paper from KuppingerCole there for folks to get a copy of, which I think is fantastic. Those papers that KuppingerCole puts out are always top notch. That's going to wrap up the show for this time. Find us on the web at idacpodcast.com. Find us on YouTube by just going to idacpodcast.tv. And we'll talk to you all on the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show.

Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.

Transcript source: Provided by creator in RSS feed