This is Identity at the Center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Not so bad yourself. Doing great. We got an awesome episode lined up for today with a special sponsor. We're recording, and we're going to drop this episode less than a week before Gartner IAM Summit in Grapevine. Our guest is going to be there. I think this is a perfect entry point to go into Gartner IAM Summit.
With... Yeah, we've got a lot of things to cover today. So let me go ahead and introduce our our guest today. So just to make it clear, right? This is a sponsored episode. Our friend David Goldschlag, who is the CEO and co-founder at Aembit, is joining us today. So welcome, David. Thank you, Jeff. Thank you, Jim. It's really great to be with you. Yeah, so let me get the website out because I've heard this name pronounced a couple different ways. So it's Aembit, and it's A-E-M-B-I-T dot IO slash IDAC.
So that's a lot of letters. It will be in our show notes and it will be in this YouTube description, all that so and the sort of things. So let me ask what I'm going to assume is the source of this is, is it "ambit"? I've also heard it pronounced as "aim-bit". Which is the correct way? OK, so it is "ambit", just like the word A-M-B-I-T would be spelled, would be sounded out, OK. Of course, because of trademark and other people with websites, we added an E in. OK, that E is meant to be skipped over.
OK, so it's still "ambit" and it's Aembit dot IO. And adding the E in had the advantage of moving us up alphabetically. Okay, so that's an advantage too. Okay, and I give all the credit to my cofounder, Kevin Sapp. He's picked all the names of the companies that, you know, we've built together. Okay, and he's really good at it.
So this is one of those rare companies where, you know, you, you see a lot of like, you know, Silicon Valley where they're trying to get rid of all the vowels because all those things are taken. You guys went and added one for differentiation. I love it. That's novel and and and from what I've seen. Hi, you know, we're we're East Coast. What can you do? OK, so. Tell us a little bit about Aembit and tell us a little bit about
your background. How did you get into the space of digital identity and identity and access management, and how did that culminate into Aembit coming around? OK. So Kevin and I have been doing companies together for about 20 years, all security companies and almost all till Aembit were focused on securing user access to applications. So it's all enterprise security.
And so for instance, we did an MDM company that was supposed to be users on a mobile device getting e-mail and other services, OK. Then we did the ZTNA company, OK, that became Netskope Private Access. The company name was NewEdge Labs. That was you're on your laptop, you're trying to get to behind the firewall applications. How do you do that with something as a service instead of a VPN? And but all of those were, how do you secure access from a user to an app, OK.
They were all both about identity, but about something else in addition to identity, right? The mobile or you can get me past the firewall, etcetera. OK, when we were ready to start Aembit, we said we've been in this user space for a long time. So let's talk about nonhuman access, right? Software accessing other services. That's turned out to be a big deal, and we'll talk about that for the rest of the episode, OK?
But what we also said is all of these questions about firewalls and VPNs and all this were not the core problem. The core problem was identity, OK? If you're trying to access a service on the Internet, OK, this is not a network reachability problem. This is purely an identity problem. So over the course of 20 years of doing enterprise security, we landed at the core problem and everybody knows identity is the new perimeter. Turns out it's the new perimeter
for things, right? As well as people, OK. I'm glad you had that caveat because every time I hear identity is a new perimeter, I just kind of want to yell into the screen. No, it's not. It's been that way forever. I guess not forever, but at least for the last decade I feel like identity has been really one of the main perimeters to defend against. And, and, and one of the things that we have, one of the advantages we have at Aembit is everybody's familiar with that,
right? They know how you log in with an IAM system, OK? So we can take advantage of lots of analogies of how do people, employees at an enterprise, you know, authenticate, login. And then we say, well, what happens if it's an AI agent? What happens if it's a Python app, OK, how do you help that log into the service? And the answer is this. It's the same, but different. OK. And that's how tech is many times. So I gotta ask, does Aembit mean anything? Like what's the story behind the
name? I, I get the extra E in there now, but like, what does Aembit mean? Like how did you come up with the name of the company? I guess you know, how did your cofounders come up with it? Yeah. So ambit means scope or boundary, OK. And a particular use case that we're focused on is where access crosses a boundary, OK. So let's say you have an AI agent, right, running in your enterprise that needs to do work in Salesforce.
OK. So this is no longer accessing resources as within your AWS account, rather it's crossing a boundary and going to a third party that's Salesforce. And the same thing applies for any most accesses within the enterprise. You're going to a database, it could be Oracle database in your network, but it could also be Snowflake or Databricks which lives someplace else.
And so this cross boundary authentication problem is hard, OK and it's not solved by the cloud providers and that's where Aembit shines. So I find it somewhat interesting that you're working with an identity company now, but we were getting into each other here before we hit record. And you mentioned that you worked on Tor, the Onion router a long time ago, which is probably the furthest thing possible that I can think of that where you'd want to have an identity.
So tell me, what about your Tor background and I guess what what caused you to do the 180? OK, so so it was wonderful, but back in the mid 90s, I was working at Naval Research Lab. I had left the National Security Agency and I was working with two colleagues there, Paul Syverson and Michael Reed. And we had this idea OK, right, which is wouldn't it be good to be able to do anonymous browsing on the Internet, OK, And there that there's there's lots of stories about how why the Navy
funded OK, right. And all this, OK, but it did become really important, OK, this ability to visit something on the web, right, Without, without somebody being able to attribute it to you using the IP addresses or whatnot were really important. And my background at NSA made it clear to me that this was important because NSA both tries to understand the traffic of what's going on, right? What are people talking about? But more importantly, it's who's
talking to whom, OK? And there's lots of data just in who's talking to whom. Call records at a phone company, you know, if we go back to olden times, OK, were also who was talking to whom, OK? So, so so Tor onion routing at the time was trying to solve this problem of saying, let's make sure that we can communicate, but that the act of communication does not give away who's talking to whom. Now, that doesn't mean that you can't say who's talking to whom within the connection. OK?
So we call this anonymous connections rather than needing to be anonymous, right, when you're doing a transaction, OK, right. So that's what we did. OK. Now, of course, commercially, OK, you need to be able to authenticate, OK, right. And so, so, so in in the real world, right, you may want anonymous connections, but even within that connection, you do
want to authenticate. Because if I'm talking to you, Jeff, or to Jim, you should be able to know then who, who I am, OK, Even if it's not observable to the rest of the world, OK. And like you said, right, this is 1995, right? So that's going on 30 years, OK. So identity has been pretty important for a very long time, OK. Yeah, no kidding. And you know, I think it's, it's interesting to see where Tor has evolved over time and how it's
being used. Did you ever imagine that people would be using Tor the way that they are today? So, so it's hard to imagine any technology that's still in play, right, 30 years later, OK. That's pretty rare, OK. What we did know, OK, was another colleague of ours coined this term: anonymity loves company, OK? If only the government were using Tor, you'd know when they're searching for public source, open source intelligence about Iran, that it was the government looking for Iran.
OK. So you need all sorts of other traffic to be noise to cover that traffic. OK. So the design of the system said we can either generate our own noise, right, or we can leverage the rest of the world. So we opened up the system. And I think that that's that's created, you know, kind of an interesting play over these years, right? I think interesting is is a very light, easy way to put it. Let me get back to Aembit though. So, you know, let me put my CSO
hat on, right? And I think we've got just so many products in this space. So my question that I ask every vendor that I talk to is what makes you guys special? Like what is it that you think sets yourself apart from, you know, competitors in the market or contemporaries or things like that? Help me understand that and educate our audience as well. OK. Yeah. So like you said, there's lots of identity companies out there, major companies, right?
So Okta, right. And Microsoft Entra are the IAM, dominant IAM players for human access, workforce login to services. We don't do that. Aembit does not do that. Aembit is login for software logging into services where that software could be AI agents, OK, or other client applications trying to reach services. This is in the enterprise OK. So the first distinction between what we do and what other people do OK is we're not focused on
human access. We're focused on what people are now calling non-human access OK. And that's that's a big difference against the the existing large players OK. The thing that's different about us than other newer players, OK, is we, we aim to solve the, the, the enforcement side, the runtime side of this problem, OK, So just like Okta helps you log into a service, OK, And if Okta doesn't let you log in, you
can't access the service. Aembit is the thing that lets the AI agent, we're the IAM that lets the AI agent log into Salesforce or Snowflake or whatever service it's trying to do. And without Aembit being in runtime and authorizing the connection and issuing a credential and logging it OK, we the the that access cannot happen. So we're critical to the infrastructure and we're fundamental to the operation of the of the environment. So David, everyone's creating AI
agents now. I'm creating them, Jeff's creating them. People we work with are creating AI agents, and I guess the default mode that people tend to tend to use is when they need to make a machine to machine connection, they're using their own personal credentials. I got to imagine that's not what we want, right? Yeah, that, that's absolutely true, okay. But we're seeing that happening in lots and lots of places, right? The obvious way to solve this
problem, okay. The obvious way to make things just work, okay, because that's what we will just want to do, right, is you're running an agent, goes to Salesforce, you're going to give it your credentials, your username and password, and the agent will do it. And then that just is easy, OK? And it's not unlike how people would've been securing machine to machine access for a long time. You had a username and a password for a service account, right?
Maybe if you were diligent, it was a different service account, right? But it was still the username and password. And the irony here is this, this has a bunch of cascading effects. One is is you probably have to shut off MFA at Salesforce, OK, right. Because your username and password, right, wouldn't generally be enough for a user.
So you're trying to do it easy. And then you put the username and password in. Incidentally, you shared your username and password and we've been teaching people not to share usernames and passwords. And then you shut off MFA and all of a sudden the bar on compliant access has been lowered, OK, right. So you have these in just, you have these enterprise thresholds, right, for secure access that you've trained your employees and all of your systems to work on for now for 10 years, OK.
And now you're weakening those controls. Now why is it bad to weaken those controls? OK, well, one is is username and passwords can be stolen, right? So phishing, right? And now the bad guy can use that. And notice that would be true, Jim, even if it wasn't your username and password, let's say it was just a username and password for that agent. OK, that's not enough because we know that phishing is a problem.
And now the bad guy could reuse the static long-lived credentials, OK. Another problem is attribution. If you're sharing your credentials with an agent now when the access happens, we don't know if the agent did that access or you did that access or you and the agent did that access together, OK? And we should keep coming back to attribution, right? As we're talking for the next
few minutes, OK? Because attribution and audit is sort of fundamental, OK, To be able to run your enterprise responsibly, OK. And where that brings us is in the Aembit solution, OK? We want to make it easy to do it the right way because why are people taking shortcuts? Because it's easy. We just want to say you should manage access in and by managing access policies instead of managing secrets. That's what's on my shirt.
Manage access, not secrets, OK? And the idea there is, is replace this whole notion that you enable access by sharing their credential, OK, saying you enable access by sending a policy, OK. And then you can do what IAM and zero trust have done for user access, which is you can move to identity-based policies, you can do strong access control. You can move away from from long-lived secrets, usernames and passwords to short-lived credentials. And you can add conditional access.
All of the things that we've learned that work well when strengthening user access. OK, so all that said, Jim, you're building these agents because they're useful, OK? So our ultimate job is to make it easy for the developers, the people who are building these things, to do things the right way. So it's even worse than I thought, but I, you know, I grabbed a great line to use there, manage access, not
secrets. And I think you did a great job of kind of laying out the base problem with what you just said there. What I'd like to know is, I mean, you got to be working with a lot of customers. I'd like to hear about what are the kind of use cases that your customers are running into on this topic. OK. So I think it's good to start. Let's even ignore identity, let's just talk about things like you said, you're building agents, OK?
So for instance, we have one customer, they're a financial company, OK, Financial services company, They have lots of analysts who are responsible for various accounts from their customers, OK? And one of the things they need to do is the analysts need to do portfolio reviews on a periodic
basis, OK? And that portfolio review is a high level job, OK, Where the data in the portfolio is mixed with data from third party sources and public sources and proprietary information to be able to understand the portfolio. So this this company is using LLMs, right, agents and LLMs in order to routinize some of that analysis, right and make the analyst job easier.
And so what happens is is you set up this LLM with prompts against whatever, you set up the agent with prompts against whatever LLM it's using, but it needs to access these SaaS applications that have the data or the in the on network applications that have the portfolio information or other third party proprietary information. And that login is fundamental here, right? Do you want that LLM, the agent to be logging in as its own
identity, OK? Or should it do take the shortcut right and login as whoever that analyst is? And the answer is, is they wanted to log in with some of the analyst's rights, but its own identity. Does that does that make sense? Right. Because the analyst has a certain rights that it's allowed to do. But that doesn't mean that you should give the analyst's identity to that agent because that's too much rights. And then you couldn't distinguish between the agent and the analyst himself.
OK, so that's an example of a use case and the problem that they're trying to solve and and it solves that problem. Yeah, that's really interesting and I'd like to hear more. I mean what are these customers pain points? So I mean what's bothering them? What makes them pick up the phone in the first place? Probably not the phone, write an e-mail or the go to your website, but what's causing them to do that in the first place, David?
Yeah, so, so we, we have another customer, a large a large retailer, OK. And their their motivation here was the business wants to innovate and take advantage of agentic AI. And just stepping back for a minute is really amazing, right? How much perceived and actual value, right enterprises are saying right. The revenue and the, and the, the, the use of agentic AI, right is really very real in the enterprise, OK, for all the complaining about hallucinations and all this, OK, these things
are really very useful, OK? So there the CSO called us and the CSO said is my enterprise wants to innovate with agentic AI and in order to innovate those need to access various sensitive data sources in the enterprise. We talked about Salesforce, we talked about Snowflake, you could talk about ServiceNow, OK. And the problem is, is he is responsible for compliant access to those enterprise data sets. And now these agents need access.
And the question is, is how do you provide access, OK, with a bar that's similar to the levels of of access control that you have for user access? Because you don't want a personnel agent, right, To get enterprise OPS data, OK? You don't want an HR agent to get mental health information, OK, Right. And how do you assign those rights, OK. And you can see if things go sideways there, right? You can actually create lots of
problems for yourself, OK? But for me, and I've always liked this, when we build companies, we're trying to build security companies that enable things, OK? And here authentication is enabling the enterprise to do in a responsible way the things that it wants to do. That'll help it be more effective. You know, you made a statement like people in the enterprise and enterprises are building these agents.
And I kind of feel like this is one of those IT trends that even though we saw it coming, I feel like it almost caught me by surprise where I went from not having seen agents in many organizations, client organizations, my own organization to I'm building a just like 6 months later. And now this is, this is really an identity issue. And I'm comparing that to certain other areas of identity like decentralized identity. I feel like I've been talking
about decentralized identity. We've had guests on, but I haven't had my hands on it, right? But like this AI agent thing is very real in my world. And when anything moves with that velocity, I think like the whole organization has got to be on its toes, right? Including the audit function. And I wanted to ask you about the audit function because I've got to believe that this is like becoming like in their wheelhouse overnight. Yeah, yeah. So audit and attribution, right,
are fundamental here, right? You want to be able to know what's happening, OK, Both to know, you know, accountability and responsibility and also when things go wrong, you got to undo it. And then things go wrong in soft ways, just operations. So audit helps you there too. But what's really interesting, Jim, is you talked about the change here, right? That's quite astounding.
I think we can all look back a couple of decades, the change that's like this adoption of AI, it's akin to the change that happened with cloud or before that was say the adoption of the iPhone. OK, do you know what I'm saying? And it's very likely that this will change businesses in even a stronger way than those previous, OK, than those previous things because the adoption is just, is just so beneficial, right to the enterprise. And we all know, right? We all remember when, when 30
years ago, what? No. When was it? In 1997, right, when the iPhone came out was... No, 2007, when the iPhone came out, people said you can't have a device without a keyboard, right? OK. But you know how wrong they were, how wrong they were, right? You also point out here, Jim, is that this development of agents is occurring, right, sort of organically within the enterprise, OK? People are just innovating, OK? And that's something we should encourage, right?
Because if you want people to help their organizations work better. Well, I think if whether you encourage or not, it's going to happen. So why not make sure that you put the proper guard rails around it. And I think what I'm hearing from you, David, is you don't think AI is a fad and it's going to be around for a while. No, AI is useful and we're using it right. You probably use it in your personal life instead of Google search.
OK, right. In the enterprise, it's it's accelerating the ability to do things coders, right? It's all moving. So and I I like the word guardrails, right? And so what we're trying to do here is we're trying to give a platform, an IAM platform for agents and other pieces of software where it lets developers do less work because authentication is hard, right? You were saying, right, Jim, let's put our usernames and passwords. So let's avoid that whole
problem. Let authentication be part of the platform so developers can focus on the parts of the code that matter, OK. And incidentally, it happens compliant with company access policies. So we've been kind of talking about AI and agents specifically, almost like it's a generic term, an agent, but there are multiple types of agents that are out there, right? So can you explain, you know, maybe like what are some of the different types of agents and
why is it important? I, I don't know, maybe is it important to have different guardrails for different types of agents? Or maybe it's the same or similar guardrails. Talk to me about that. So all agents are pieces of software, OK. And you might call them an application or call them a workload, right? And in this sense, they're a client workload, right? They're the thing that's accessing something else. We're seeing three kinds of
agents in the enterprise, OK? We're seeing the use case I described to the financial analyst. Those agents are what we call hybrid agents. They're working. The user works with an agent to do some tasks, OK? We also see autonomous agents, right? Where the agent is doing something on its own that a user or somebody else, some other machine may have done, OK. And those two are different
scenarios, right? Because the autonomous agent, the agent needs an identity, OK, and it needs access rights, and you need to be able to attribute any action that it does, whether it's data access or tool set access or changing something in the infrastructure, OK, to that agent. The hybrid agents need that sort of blended identity that we
talked about, OK? The effective rights for that agent is some combination of what the agent's entitled to do and what the controlling user is entitled to do. We should work through some examples there, OK? But even when you do have sort of entitlement, you need to know when it was the agent operating and when the user was operating. And when the agent operates, you need to know what's operating on
behalf of that user. Now there's another use case job where it's agent to agent kind of chained agents, OK? And that one is sort of an expansion of that hybrid agent, right? Because instead of the agent being called by a user, the agent's called by an agent, which may be autonomous or may itself be a hybrid agent, OK? And in all of those cases, the attribution for upstream context
is really very important. So wouldn't it just be simpler to just say, OK, well, I've got an identity for an agent and an identity for a human, rather than try to do like an inference of, well, this agent has some subset of me as the, you know, the assignable actionable person for that agent, whatever that looks like, right? I'm accountable for it does. Why not just have two different identities? Or, or maybe that's what you're talking about.
I'm just trying to understand, you know, why, Why would we make a differentiation there? So, so we, we believe entirely, Justin, every entity should have its own unique identity, OK? So a human who is using the agent, the agent should have an auditable identity. The human should have the auditable identity, and the transaction that happened should be attributed a little to both of them, OK, Where the agent did the work on behalf of the human, OK.
But the real question is, is what's the rights the agent has, right? It's not the identity, it's the access rights that it has. So take an example. Let's say an HR person is using an agent to get HR information from ServiceNow OK. That agent should have permission to the HR information in ServiceNow OK. And an IT person accessing ServiceNow through that agent should have permission to that IT to the IT asset information.
And so you see it's this blending, right, where it's the rights of what the ServiceNow agent can do. Maybe it's only allowed to read the data, OK, right. And then the data set in this case, right, depends upon what user it is, OK. And so it's not that the identities are sort of are sort of combined, is that their access rights, right, are combined.
I mean, what you described there almost sounds a little bit like a privileged access management use case where you've got this agent that is going and accessing, you know, a certain resource, whether it's, you know, direct on behalf of a delegate or some sort of inference of of whatever. I mean, it seems to me like is the right way to have each person has their own agentic version of themselves? Or is it? I have a shared, you know, maybe it is an HR agent that a bunch of HR people share.
And based on whoever's invoking that agent at that, at that runtime, it's saying, OK, well, because Jeff invoked it, whatever Jeff has access to, I now have access to for this time limit. Or if I'm in IT, I have a different scope of permissions or whatever maybe? Right, so, so I think what's what's quite beautiful about everything we're talking about are the analogies OK, right.
So people should be able to draw on the concepts of IAM or PAM, right, in order to start to talk about what this should look like, OK, right. And, and it does it does start to smell right, like fine grain control, right, that you would want to do in PAM. But the difference is OK is whether you have an agent for a particular person or agent that's shared among people, OK, The user may get the effective rights, OK, of that agent, maybe not only the on behalf rights of
the user. OK, Let's take a very trivial toy example, OK? In that ServiceNow use case, if the agent operated on behalf of the user, then the agent could read the user's calendar. OK, that's not what you want, right? The agent is a ServiceNow agent. You're smiling, but that's, that's sort of a toy example. So the on behalf of relationship is not sufficient, right, Because you don't want the agent to do everything that that user
could do, OK, right. The agent should do what that user could do within the scope of what the agent is allowed to do, OK. And we call this notion sort of a blended identity, OK, right. Where what you're doing is you're blending the access rights that are entitled to the user and the agent in order to figure out what the effective rights of the agent are. I think there's a few people listening who would love to have an agent read and respond to all
their e-mail for them. Maybe they're brave right now to do that right to. I think eventually, you know, we get to that spot. But it's probably different agent than the ServiceNow agent, right? You would certainly hope so. That that's right, right. And I, you know, we'd all like that, OK, right. But but I think again, it's these the agents will have a task, right? And then the task that it's doing will get right based on the user that's invoking it.
So let me ask you a, a future looking question is, and we're, I think we're all familiar with like birthright provisioning, right? Things like that. And I kind of joked about an agentic version of myself. How long do you think it is that it would be where as a standard birthright role or birthright provisioning, not only am I getting my account, I'm getting an agentic version of myself.
Is this a one year, three-year, five year, 10 year out that you think you'll start to see agentic Jeff being provisioned at the same time as real Jeff? So, so, so I think that that it'll be more the tooling, the the tooling that we talked about that they'll be things out there, right, that will do specific tasks, OK, more than somebody that'll operate, you know, sort of as as as my clone. OK, there's there's lots of ways, right, that I think you want probably a little bit
shorter leash. OK, right then, then and then the agent being able to do everything on your own. On the other hand, we all said right, this is moving very, very fast, okay, right. And the fact that we can entertain questions like that shows just how close, right? It's actually possible. Okay, right. So, yeah, we we were some friends and ours were talking, you know, it's will agents sort of be your persona, right? Do do you know what I'm saying? Right.
I'm not sure how I get the experience right from the agent being, you know, being my persona. But that's treading on philosophy and science fiction, so. I loved a lot of the questions that Jeff asked. Like I kept thinking in my mind about if you had a humanoid robot, would you want him or her or it to be able to do anything that you can do? The answer might be yes. I don't know. I'm just got to give that one some thought.
But David, what I really like about Jeff's questions is that he kind of started to help me understand a little bit more about how Aembit works. And the question I have for you is like, who uses Aembit? Is it me and Jeff as agent developers? Is it the IAM group, like the identity practitioner, the the the administrator of the system, is that who uses Aembit? Both of us? How's that work? OK. Yeah. So generally we have two
stakeholders in the enterprise. We have the security function, OK, whose job it is to make sure that resources in the enterprise, whether they're data or systems or tools, are only accessed by authorized users or agents, OK. And then there's the developers who build those agents, OK? And for them, our job is to make being compliant with policies and make access OK, authentication, authorization easy, OK. And we have an aspect of our
stuff which is no code. OK, So people can include our stuff in the agent and they don't have to modify their code. And what would have been the stops of authenticate the agent in the hybrid case, authenticate the user, then check and access policy and then issue a credential and use that credential. That all gets taken care of, OK by our stuff without the developer needing to write any code. And then of course everything is logged, both successful attempts and not and and and denied
attempts. OK. So the two stakeholders? You know, David, I, I heard you say in one of our conversation, I wrote it down. Identity helps folks on the front end. And now that I've got you here for the interview, I wanted to ask you what you meant by that. OK. Yeah. So so there's there's two places where identity, well, there's three places where identity happens, OK, there's policies, right? This agent can access ServiceNow, OK.
There's how ServiceNow enforces those policies: an identity or an access token comes in and ServiceNow knows that it can go to HR data, right, and not IT data. But then the question is on the left hand side of the picture, how does the agent get that access token so that it can use that? OK. And that's the part of the problem that Ambit solves. And it says set a policy and we can authenticate the agent and the user and then deliver a token that that agent can use.
And the interpretation of that token is left to the system you're accessing, OK? Now, if you think about it, that's exactly what happens with Microsoft Entra or Okta, right? They're not trying to give Salesforce a fine-grained authorization mechanism, OK? That's Salesforce's job. The job of Okta is to deliver to the user, right?
The sales person, the token that maps them to a certain set of rights, OK. And that's what I meant by the left side of the picture, the guy doing the access, rather than the right side where the resource is. Very cool. You know, I, I think the whole AI agent wave feels a lot like the cloud platform wave. Remember, organizations started standing up Amazon Web Services accounts and they just have development servers at first.
Then you check back in a year later and there were like 30 accounts and all kinds of production applications and it moved so quickly just became a thing that made sense for the business. And we identity practitioners, we were I think in many cases late to react, right. We didn't get ahead of it and we couldn't hold back the business from, you know, taking on this great technology.
Just like today you're seeing probably in my organization, there are probably thousands of agents that have already been built. So I, I think the, that maybe not because of just the size of the wave this time, but maybe on how quickly it came on. I think it caught a lot of identity practitioners, probably flat footed, I guess. What's the advice you have for them now? If you're an organization, you've got thousands of agents, you know, how do you get your arms around this beast?
Yeah, so, so I think that's, that's a good question, but I think you want to look that even if there's thousands of agents, it's relatively greenfield, OK? Right. So let's look at 3 examples, OK? Right. We've spent probably a dozen years getting control over user access, right? By introducing IAM systems and multi-factor and conditional access and a path to zero trust.
OK, machine access, however, is still stuck in the world of secrets management, okay, right. So most service accounts that machines log into are API keys or username passwords for those service accounts. And that's where you have, Jim, like you said, lots and lots of years and years, right? Of debt, okay, to clean up, okay. On the other hand, agents are relatively nascent, OK. And what we're hearing from the enterprise is it's this combination of push pull.
We need to innovate, but we need to create the platforms, right, that prevent us from getting into this problem that we're in with machine access, right? Where it's just credential sprawl and long-lived credentials, right? Doing all the things the way you wouldn't do for users, OK, right. But you didn't because you didn't have the plumbing along the way. And so now what we're hearing for agents, it's the time to start doing it better, OK, using modern authentication.
And that's what Ambit does. We're IAM for agentic AI. So you've made a compelling case and now I think I'm OK. Well, I need to do something about the identity and the access for my agents. What are some of the things that, as I put my jaded CISO hat on again, is that right? It's going to cost me money, right? So how do I, you know, how do I make the case to the board or the CIO or whoever, right, to get the budget?
How do I measure success with Ambit and then say, OK, this is what the return is looking like that. Do you have any any metrics that you typically are seeing from your customers or things like that, that can help me make the case as somebody who's interested in delving into this more? Yeah. So we're seeing metrics. One is a hard metric, right? How much, how hard is it for developers, right? How much time do they save by not having to code up all, OK.
The second metric that's that's also a hard metric is if you did it the way, Jim, you said, right, with usernames and passwords or dedicated usernames and accounts. We all know the overhead associated with rotating credentials and all that, right? So there's, there's there's just hard cost associated with that. And then of course, there's just compliance, OK, right.
You can't say that I have, you know, Snowflake available to every user through Okta, OK, in a controlled, gated way, OK, But my agents can get to Snowflake, right? With username, password, OK, Right. That just that doesn't withstand board scrutiny either, OK. So I think it's a combination of dev work, OK, the the management of the hygiene of the environment, OK, Now we don't manage secrets, you manage policy.
And the third one is, is we should do this the right way, OK. And with agents, we're finding, Jeff, you'll like this, right? Since people sort of think of agents as people, it's easy for them to imagine that the agents should have authentication characteristics like we do for people, OK? But then you ask yourself the obvious question, OK, is I have MFA for people. I text a 4-digit code to my phone, right?
I can't do that, OK, to an agent because even you, we didn't ask that we should give your proxy agent proxy a a a an iPhone, OK, right. So how do you do strong auth, right, dynamic policies, ephemeral delivery, just in time, just in time, deliver ephemeral credentials, OK, for these agents like you would for people, OK. So what does it look like? Get started with this? Is this you know code that I insert as a developer into my agent? You know, workflow, is it some
sort of UI that's going out? And just like, tell me like how I get started down this journey. Yeah. So our our system is, is a SaaS based policy console, OK. So that's where you set access policies.
This agent with this user can access ServiceNow in this way, OK. And in order to make that live, then you need to be able to establish trust relationship so that ServiceNow, we can issue credentials to ServiceNow, that would be just like you would do with Okta. And then the idea is of course is that then you need to integrate it into the agents, OK? And for the most part, our deployments are code free, OK, right.
The agent is configured to use Ambit, but the developer doesn't have to do anything, anything extra, OK. We always recommend that people start small, OK, you know what I'm saying? Never mandate something new across the whole organization right away, OK. Here you're starting on use cases, OK. And that use case can either be app by app, right? You're choosing to secure access to Salesforce or Snowflake, right?
Or ServiceNow, or it can be with the the agent developers, right, who are using particular services and then you start there and that becomes patterns for other people to deploy, OK. I mean, we all know developers love to be told what to do and how to do it. So, you know, guardrails. Guardrails, so so coding up auth is hard, OK, coding up auth well is harder, OK, right. And you can either, you know, code it up yourself, right, or you can get it for free, OK, and
you know. Where do you want to spend your time? Building the cool app? Or is it doing the things and solving problems that have already been solved elsewhere? And it is actually amazing job that auth is still an application level function, OK, right. It's so fundamental that it should just be part of the platform, OK. And that's what Ambit tries to do. That's great. So we started the conversation with onions and onion routing.
We went to Identity for Agents and I was looking through your background as we kind of close out the conversation here today. You did work on Divx and I had to explain before I hit record with Jim to Jim, like what Divx was. And I think it was like late 90s. And so, you know, we've got a lot of, you know, folks in our generation who might be familiar with it. But talk to me a little bit about Divx itself, what it is or what it was. I guess I'm not even sure if it
still exists. Maybe you can help me with that. And then talk to me about some of the identity components maybe that went into Divx, because that was really one of the first maybe Internet of Things, things that people kind of might be familiar with at that point in structure. Yeah, so Divx was really very cool business. OK, so we're all going to date ourselves here, OK? Right. So Divx existed when Blockbuster existed, OK, right. And how did you rent a movie? It was a VHS tape. OK, right.
And you'd go to Blockbuster and there'd be all these movies and the popular ones were gone, of course, right, Because they weren't available. And then you'd pick the movie that you wanted, OK. And then you'd bring it home and then you'd watch it and then you'd return it probably late and pay a late fee. Okay, right. And a lot of the revenue was from those late fees. Okay, so you made two trips, okay, paid a rental fee and late fee. Okay, So Divx, not the Divx
codec. Okay, that was the name was sold to after it closed OK, but Divx was when DVDs were coming out OK, the the founders of Divx, which was owned by Circuit City, another blast from the past OK right, So today they were competitor to Best Buy OK, I feel. So much white coming in into all of our beards as we're talking about. This if like amazing, OK, right.
And so, so, so, so DVDs were coming out and, and the, the founders of Divx said one, wouldn't it be cool if we can sell you a DVD instead of for $25, whatever it would cost you? We could sell you a DVD for the price of a rental $3, OK. And more importantly, that DVD could be available at a retailer instead of a store that knew how to rent and process a return. OK, because that was complicated.
So imagine you're at the checkout aisle in your grocery store, in the top 20 movies are there, and they cost 3 bucks apiece. And you buy it, and then you go home and you watch the movie, OK? And then you can put it on your shelf and watch it again and be charged another $3, but you don't have to return it, OK? No more late fees, OK? Right. So this was really a very cool idea. And for all of the young people on the call, this is before Netflix had streaming, OK? Right.
You know, Netflix actually had a DVD rental business by mail when they first started, right? So that had the same plumbing problem, right? It had to work directions. So this is an identity problem. OK, right. How do you know who the rental renter is? How do you know what DVD player is playing it? OK, and how do you know what disc you're playing? OK. And that knowing which disc you're playing, I don't mean which which movie you're playing, right?
Remember when you paid $3? That first play was free. So how did you know that a disc was played only the first time and the second time you would charge for it? So what what Divx did is DVDs are all clones, OK, right, they're stamped, OK. But post stamping they would etch a serial number into the DVD that could be read by the machine. And the first time a DVD serial number showed up that consumed the purchase price, the rent,
the the built in rental price. And if you played it again a month later, OK, then you would be charged again, OK. And so this is very interesting because you were giving at at a large scale an identity to a DVD, OK. And it flowed through the whole system. And there were the other identities that we talked about in watermarking and all this stuff. A really cool business, OK, They had deals with all the studios, almost all the studios. And then then they shut it down.
And that's a story for a conversation over a beer. OK, so. I think we just said Circuit City for the first time ever on this podcast, 380 some episodes and for the first time in that combination, in that sequence, Circuit City just came up. So, David, that's a blast in the past. It's great, OK, And it was cool to be talking and you you recognizing that that's like the coolest thing. OK, so. I'm a nerd, what can I say? That's fine. Jim, do you remember Divx at all?
Does any of this ring a bell for you? Like, you know, back back in the days of your. So I do remember the Divx codec. Now one of the things I would do is take DVDs and you know, copy them to other DVDs and you basically had to reverse out the Divx codec and save this MP4 file, etcetera. So I think I just admitted to a federal crime, but. Statute of limitations. Well, nobody's going to come after me. I think the statute of limitations has gone by.
I do remember one thing, my grandfather used to rent movies and record them and then like the whole family would come over and he was like the Blockbuster video like. But there was no late fee and no rental fee. He just borrowed Terminator 2 and keep it for a week. This is the good old days. The good old days, right? And, and you're lucky you had a grandfather like that, OK?
Because he did the work to make it free, OK, But for most people, if it was 3 bucks, OK, you know, it was all right, you know, so. Well, we're just this the way that the industry has evolved over time, right? So we had, you know, Blockbuster Video, you know, you'd go pick up your video. For me it was pick up video games, Super Nintendo, Nintendo, whatever it may be, right? Get that stuff. And then you had things like this DVD, Divx type approach, Netflix when it was, you know,
mail order. And I think Red Box was around for a little while at some point as well. It's kind of another idea. And then it became subscription based. It was like, OK, now it's a buffet because people I think got sick and tired of being sort of nickeled and dimed, right. So it had like the iTunes stores, like, OK, $0.99 for a song, and then it was, you know, $1.99 I think, to rent a movie. And then people started wanting to own the digital media themselves.
And now we're in this era of subscription, you know, hell, so to speak, where you've got a subscription for like 8 different services and you don't actually own anything. But you have the right to consume as much of this as you want. And I consume, you know, quite a bit of it, just like I'm sure everyone else does. But now we're seeing those subscription prices go so crazy that now it's like people want to actually buy the thing and
put it on a shelf. So now you have things, you know, people are buying DVDs and, you know, trying to think of other ways to archive their media so that they don't have to keep paying subscriptions and things like that. Just think about this, Jeff, in your 20s. Did you have more than or less than 100 CDs? I had more than 100 and then I undertook. I had hundreds of CDs at one point I undertook that the challenge of digitizing them all, turning them into MP3s.
And I think the highest codec at that point or bit rate would have been 128, maybe 192 bits. And now you've got things like lossless and you know, 320 and variable bit rates. And you know, I had so many DVDs and CDs that were burnt that turned into trash because the buffer overflow or buffer underrun, I can't remember which it was. It was. It was a real mess, man. Yeah, but the funny thing is though, you felt like you own. Right. You own that music in the CDs,
right? But ultimately now you have Apple Music or Spotify or something like that. And aren't you happier? Don't. Isn't it better? It's like, oh, you heard this new song and it's like, I want to hear that song 15 times today. You can do it. Well, define better. I think the convenience is certainly there. I'm perfectly willing.
I mean I have been for years at this point to pay some certain amount of money, typically somewhere between 13 and $18.00 a month, right, for a media service of some sort. I feel like you get the value out of it. I am not interested in having my background be all these different, you know, CDs and things like that I used to have. But you've got people who are now interested in collecting vinyl. They want to go back to that old school kind of fidelity of the audio itself.
And you know, there I think there is something a little bit, you know, romanticized about having the album right, and the album cover and the artwork and the lyrics and all that stuff. You don't get that in the digital world. And so I can kind of see it both ways. Yeah, you're right. I'm going to isolate that you just said I was right. And that's just how it went over and over again, right? All right, we're going to go ahead and wrap it up for this week.
David, thank you so much for taking time with us. I definitely want to get people out there to visit Ambit and I'll spell it out here a E MB IT dot IO slash IDAC. We'll have a link in our show notes. I'll put a link to your LinkedIn profile as well for people to kind of reach out there either to, you know, ask questions about Ambit or maybe just reminisce about Divx or, you know, whatever it may be. And yeah, we'll leave it there for this week. We are on the web, IDC
podcast.com. Thank you David again for sponsoring this episode. And yeah, do all the things like, like and subscribe, share with all your friends and let people know the gospel of IAM. So thanks everybody for watching and or listening and we'll talk with y'all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review and we'll be back soon. But in the meantime, hit the website at identity at the center dot com. See you next time on Identity at the Center.
