#403 - Strategic Identity Security with Simon Moffatt

Feb 23, 2026 | 1 hr 4 min | Ep. 403

Episode description

Simon Moffatt, founder and analyst at The Cyber Hut and co-host of The Analyst Brief podcast, returns to Identity at the Center for a wide-ranging conversation about the strategic evolution of identity security. Simon shares an update on his second book, IAM at 2035, which explores where identity is heading over the next decade. The discussion covers why identity has shifted from a back office function to a strategic business enabler, driven by the convergence of cloud, zero trust, and expanding digital ecosystems.

Jim and Jeff dig into how organizations can measure their identity security posture, and Simon introduces his Identity Security Scorecard, a framework of 50-plus data points covering visibility, protection, detection, and response. The conversation shifts to the identity attack lifecycle, where Simon explains why organizations need to move beyond log-based forensics and toward real-time detection and response before attacks complete.

The group also explores how non-identity data signals, like CAEP and shared signals frameworks, are critical to building a fuller picture of risk. The final segment tackles agentic AI and its implications for identity, including the argument that agentic identities may represent a third identity type distinct from both human and machine. Simon makes the case that AI adoption is outpacing identity and security innovation, creating a widening gap that the industry must address through governance, accountability, and new architectural patterns.


Connect with Simon: https://www.linkedin.com/in/simonmoffatt/

The Analyst Brief Podcast: https://www.thecyberhut.com/podcast/


Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com


Timestamps

00:00 Introduction and conference discount codes
02:29 Simon Moffatt returns to the show
03:58 Update on the IAM at 2035 book
07:25 The Analyst Brief podcast and covering identity trends
08:44 Identity shifts from back office to strategic priority
11:47 The compliance trap and reactionary identity management
14:25 Customer identity transparency influencing workforce identity
16:52 Defining identity security across 80-plus vendors
20:11 Products alone do not solve identity security
21:14 Thinking like an attacker about identity flows
23:23 Red flags in an organization's identity posture
25:43 The identity security scorecard and measuring risk
29:27 Avoiding FUD when presenting identity risk to the board
32:34 The identity attack lifecycle explained
36:53 Building the mindset for real-time detection and response
37:41 CAEP, shared signals, and non-identity data sources
40:10 Identity as a 24/7 security operations function
43:24 Agentic AI drops like a nuclear explosion on identity
46:49 The widening gap between AI adoption and identity security
47:51 Is agentic identity a third identity type?
50:47 What needs to change to address the agentic identity explosion
53:24 Will AI shake the core of enterprise IT?
57:24 AI may be the only thing that can secure AI
58:04 Travel tips for EIC Berlin and European conferences
01:02:45 Wrapping up


Keywords: identity security, identity attack lifecycle, identity attack paths, agentic AI, agentic identity, non-human identity, NHI, identity security scorecard, zero trust, CAEP, shared signals framework, identity governance, identity strategy, IAM, identity posture, Simon Moffatt, The Cyber Hut, The Analyst Brief, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

Transcript

This is Identity at the Center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Not bad, yourself? I'm great. You know, I sent you a text message on Friday. I think you ignored it, but it was about this idea of attack paths, identity attack paths, which really has just blown up as like a, you're looking at your text messages to see if I actually said it. I did, or I sent it to somebody

else who resembles you. And I said, this is a topic we need to dive into on the podcast. And lo and behold, we've got a guest today who's going to help us understand attack paths, identity attack paths, whatever you want to call them. It's a hot. It's a hot topic. Yeah, I'd say so. I mean, I think identity has taken on so many new forms now. It used to be humans and then we got non-humans, aka agentic, and a bunch of other stuff that's been going on.

So sure, why not? That's what we're supposed to be doing, right? Identity security. That's kind of like the point. And I don't remember this text either, by the way. So I ignore a lot of your texts. That one, I specifically, do you remember? I do not remember ignoring. OK, so when you ignore them, it's an intentional thing. Right. Yeah, that's it. Let's see. Yeah, go ahead. No, we've got a bunch of conferences.

Probably exactly what you were going to say is that we got a bunch of conferences coming up and discount codes galore. I mean, if you haven't planned for, if you haven't thought about going to conferences this summer, I'm not sure if it's too late. But if you haven't, if you haven't booked anything yet, definitely jump on those conference codes. Yeah, save some money. Yeah, save some money. And that's on the website idacpodcast.com. Just Scroll down.

I have a few listed there. I think we've got Identiverse and EIC listed. Let's see, by the time people hear this one, I think it'll be February 23rd and I might be in New York later that week if my dates are right. I'm trying to think, remember the dates we have, but I'll be in New York for the Cyber Risk Alliance, not Identiverse, but it's like a cybersecurity summit there. I'm moderating a panel, and then I'm in Chicago the week after

that too. So if you're interested in attending New York or Chicago, let me know. I can pass you along a discount code via LinkedIn. So, yeah. So identity security, we're going to talk about it today. We've got our guest. He's been with us before, Simon Moffatt. You probably already know him as the founder and analyst of The Cyber Hut. He's also a fellow IAM podcaster for The Analyst Brief podcast. And welcome back to the show, Simon.

You can hear that we're actually having a fire alarm just as we start the podcast; we are having a fire alarm going off. So I don't know whether that's real or not real, I guess we'll see how that evolves. But it's great to be back for as long as I can be here, certainly. Well, I love the fact that the alarm went off because we are talking identity security and, you know, what better way to make an intro. I think you planned this.

It was literally the word security appeared there, just it started doing the thing. So let's give it a few seconds and hopefully it might disappear and the security situation may have resolved, but it's great to be back and great to be talking about something which I think is hugely important and hugely involved as well. Yeah, so there's a lot going on in the space. And, you know, safety is paramount here. So if if we detect heat in your

area, feel free to drop. But we'll keep going on until either you're charred to a crisp or decide to vacate the premises. Why don't we start with our last conversation? Because you were with us back in episode 347 and you were working on a book. How did that book go? And for people who aren't familiar with that conversation, go back and check it out. But maybe give a quick plug for what the book's about and how it went. Yeah, absolutely.

I might have one here actually looking in colour on there. So this was this was my second book actually. So this was IAM at 2035. So the idea was to look at where's identity heading to 10 years from now, a decade from now, which is a long, a long time in any technology field. Technology is changing hugely with the advent of AI. So a decade seems a long, long time.

And the idea of the book was to really try and not just give some pithy predictions around what may happen, but sort of educate not just identity practitioners, but all of the non identity world as well. So data, cyber, business owners, application owners, developers, all of these other stakeholders who are now really interested in what identity is, where it's been, what problems we have and obviously what technologies and solutions are going to exist 10 years from now.

So that was released about the early part of 2025, which was actually super. And as always, these things are a long burn. You know, the idea of any book, my first book was looking at consumer identity sort of five or six years ago. And I'm thinking, oh, that was ages ago. People are interested in consumer identity. Obviously they are, it's still a huge, huge thing. So books tend to stick around for a long, long time.

I'm very, very grateful for people who have bought it, people who are using it and getting in touch and, thankfully, saying very nice things about it. So it's a labour of love at the time, but it's good to see stuff out there and people using it and people getting in touch and commenting, which is great. The books are kind of like a time capsule, right?

Kind of like this podcast and I'm sure, you know, the podcast you do with David, they will live forever. And you know, people are going to look back on this time and think, wow, what Neanderthals these people were when it came to identity and access management. But this is what we're living right now. We can only kind of work around that.

I think writing a book is interesting and maybe you and Jim can share some notes because Jim is working, you know, on one as well. But do you have other books sort of in progress or ideas, like what's next? Oh. You always have ideas. I'm obviously writing all the time, not least writing reports and articles and sort of short form content. I haven't got any immediate plans for a third book, albeit, sort of James Bond Never Say Never Again sort of saying, it's

not on the horizon right now. But that's not to say, you know, things change. There's sort of three or four years between book 1 and book 2. So I think you need a little bit of time off. And as I said, books do

last a long time. So it's not a case of doing one, then you forget it. You're sort of like a musician really, sort of you do an album, then you have to then sort of tour the album, maybe metaphorically with a book or two, but you're sort of talking about it and using it constantly as part of your sort of narrative. So it's still very much fresh in sort of what I'm doing, I guess, day-to-day. But, you know, maybe ask me in a year or two's time.

I've not got the writing bug just yet to sit and do another sort of big stint book. But you never know. There's plenty of great topics out there to tackle. We've referenced the podcast a couple times, The Analyst Brief, and like I said, you do that with our friend David Mahdi, who's awesome, and typically see him on the conference tour and things like that.

Tell us a little bit about the podcast, how's it going and anything new that we should be looking forward to? No, it's great. We love it. It's not as, you know, glamorous as Identity at the Center. Of course, you guys have got that monster. But no, we do.

We do, though. I think, you know, we try and tackle, there's so much happening, I think, in identity and by that, you know, we're looking at things like mergers, acquisitions, new topics emerging like agentic. And we literally recorded the podcast yesterday looking at a couple of acquisitions that happened in the identity resilience space. That's a new area which has emerged the last two or three years.

So we are trying to look at those sort of contemporary events and acquisitions and the vendor sort of changes that are constantly happening there. So that's sort of where we are, which we try and do two, three, four times a month. So it is good. We do meander in lots of directions, mainly because there's so much we do try and cover as much of that as we can.

Yeah. You guys are also both big thinkers, which I think kind of contributes to it. We could talk about one topic all day for sure, but kind of shifting into a lot of what you're working on now. I think of the the root level of what I see is that you're talking about how identity is shifted from more or less a back office function to a strategic priority. I'd like you to kind of expand on that a little bit.

Yeah, 100%. And again, it's like one of these sort of 15 year overnight successes. I think there's been a perfect storm of change around identity. I think if you go back maybe 10-15 years, you have the, the sort of the technical change of cloud, which I think altered entirely how identity was delivered, how it was integrated, how it was measured and how it was really used from

that perspective. But then simultaneously we had things like zero trust, you know, again, zero trust being around for a long, long time, yet organisations are still trying to to get there. So you have this on network change and that's it's a technical change, the budget change, how people develop and buy networks. You don't necessarily have offices anymore and routers. You have more of a software defined view to that endpoint.

Security's changed, data security's changed and all of those technical pillars are hugely reliant upon identity being successful and identity being available, identity integrating effectively. So suddenly it's gone from being the older guy in the corner. And I was the older guy doing the LDAP 25 years ago and nobody cared about that stuff really unless it was not working effectively. And then nobody can log in. Where's the LDAP guy, get this

fixed? Whereas now it's actually, well, customer identity is really important and fraud and zero trust. And then we have data security. So there's all of these other areas which are massively reliant on identity being effective. So it's suddenly changed from being tactical and reactionary to being strategic and an enabling technology that helps revenue, helps productivity, it helps staff gain access to the right things, helps with supply chains.

So it just has more tentacles, I guess, to it. And I think that's really exciting for those guys who all love identity. But I think it brings different responsibilities, different budget, different stakeholders as well, different people involved in what is this identity stuff, you know, is it working effectively? What can it do for me, essentially? I think that's where that has changed. But I guess to answer your question, it isn't just one

single thing. I think there's a there's a set of forces happening which have essentially moved it to being this big sort of Super Bowl half time singer instead of being just the guy doing a few songs in a pub. It's like this. It's the massive attention on identity now which is brings brings some challenges I think. Yeah, I think that you've said identity as an enabler, and that to me is at the core of it being strategic.

There's also the balance of a lot of companies to stay compliant, and in some companies it seems like that's all there is. What do you think the mistake is that they're making? Again, this is multi multifaceted. I think, you know, it's again, it's often back to the case of not really knowing what identity is doing, I think. And that's quite, that's quite a complicated question to try and unpick.

And, and by that I mean, if you are say a retail bank pick something relatively benign, I suppose, how is identity helping and hindering that bank? Is it helping the staff do their job? Is it helping them being productive? Is it helping them sell more retail bank services to customers? So you sort of work out where identity is working and not

working. And I think unless you do that, you end up with just these reactionary technical choices and technical investments, the same as, you know, you used to buy, I don't know, something like a database maybe 25 years ago, you'd look for the cheapest one or the one that could store the most, or it was often quite a small technical commodity sale. And I think if identity is sort of seen as just this infrastructure thing that we invest in and then every 6-8

years we'll redesign. I think that that is, is, is that sort of legacy mindset. I think we're not really seeing the benefits a successful identity program can, can develop. You end up being quite reactionary sort of constant reacting to cyber threats or reacting to business requirements or you're not really strategic in, in what identity trying to achieve. And that that can be quite, quite difficult to unpick, I

think. Yeah. This idea of strategic identity, I mean, I think it's, it makes it really jumps off the page when you're talking about customer identity. So you know, creating a, an experience that is fully integrated based on the identity and kind of just knows what the person needs to access and kind of pulls it all together on the back end. The company can kind of see like what is this identity's full relationship with our organization. I'd like to bounce it back to you.

What are some of the other things that strategic identity stand for? That's a really good, that's a really good concept there because you absolutely spot on because in, in, in that customer world, we were all customers, you see, and that's the quite interesting things. We all have opinions around interacting in a shop, buying something, customer service. If you like a product or a, or a experience, you tell your friends. If you don't like it, you also tell your friends.

So you're going to be doing the sort of recommendation sort of thing there. So we're all familiar with customers and consumers and even government services really. And identity in that ecosystem is quite transparent, if it's working or not working. You know, if you're trying to buy something online and you have that shopping cart experience, but then you're just about to pay and it asks you all this stuff about who you are and your favourite colour and your

dog and your cat and your address. And it's like, whoa, whoa, I just want to buy a pair of shoes or something. So identity in that instance is really transparent and it's really obvious if it's working or not working, you know, to the end user at least. And I think some of those ideas of transparency, I think, have now been placed into other parts

of the sort of tech ecosystem. So you then think it is an employee, OK, what's helping and hindering me from a technical perspective to log into my laptop, gain access to the systems I need, work with my colleagues, complete my job. And suddenly again, you sort of look for that, that transparency. Where's identity helping or hindering? Is it Oh God, you know, I've got 10 different passwords because I don't have single sign on. Or maybe you are using passwords, which is terrible.

You should be using passkeys or whatever MFA. So suddenly you start to see that transparency where identity is either frictionless and in the background or it's suddenly I've got to do a big access request form because I can't get access to this whatever SharePoint site to do my job. And I think the customer world is allowing identity to sort of percolate to the top.

And I think some of those ideas are now applicable in the sort of B2E and sort of supply chain area as well. And that, I think, again amplifies and places greater attention on those identity journeys and what they are. Are they helping? Are they hindering? Yeah, it just puts more light on to what identity can achieve, I think. So we hear this term thrown out a lot, identity security, and I'm curious how you define it.

Is it identities? Is it access, is it behaviour, like what is it specifically that we are, you know, securing when you hear identity security? All of that, all of that. I think this is a really good question. I think we at The Cyber Hut have counted, I think it's about 80 plus vendors who all talk about identity security in some part of their description or narrative or whatever. An interesting part being not all of those vendors are competitive.

So that's quite interesting. So it means that either the definition is too broad or there's some pretty odd marketing stuff going on around

what it is and what it's not. And I guess my position would be if you think about the sort of core pillars, specifically B2E workforce identity, there are five or six big building blocks that we have, like identity verification, identity provider and sort of strong authentication, IGA, governance and administration, PAM, privileged access management, probably some sort of storage directory thing, probably some sort of access control, authorization aspect in there as well.

You have these sort of 5 or 6 core pillars and some of those are more mature than others, but they're often historically quite siloed, quite independent, quite isolated, different vendors, different standards, maybe a lack of standards in some. And organizations often invest in all of these technologies,

yet they still get breached. And I think there's probably maybe four, five, six years ago there was this trend of, well, we've done MFA and we've got privileged access management, pick on the vendors who deliver all this stuff, it isn't necessarily the vendor's fault. And it's like, well, we still got breached and we've had a data breach, we've had insider threats or we've had some sort of automated cybercrime or a

nation state attack. And when you unpick what those attacks look like, somewhere in there was identity, a credential breach. Sessions had been tampered with, access control hadn't been enforced correctly, access permissions, ghost accounts, privileged abuse. So all of the, I guess, attack methodology was centring on identity. And it became quite clear that even if you have these core pillars in place, you need

more, need extra. And I think the identity security thing is a bit like zero trust in the sense it's not a product. Again, it's a concept and a process. And looking at that end to end view of all of your identity flows, your journeys, customers, employees, NHI, agentic, all of the different identity types we have, are looking at the identity data side, the runtime and behaviour side. And just looking at that holistically across your IGA, across authorization, across PAM.

Because all of these sort of pillars like you have and just essentially making sure there are no cracks in between them, which I think is ultimately often the problem. And I think identity security is going to say it's a bit of a change in thinking, definitely changing in investment in extra products, different products, but joining together I think some of those what have historically been quite isolated

product stacks. So I think it brings up an interesting point here around products, that having the mere presence of a product for identity security does not provide you a divine shield that absolves you from the risk that's out there. Things will get through and just having a product isn't the solution, right? You have to have people, process and technology and you have to

have layers. And even if you have everything in place, there is still a chance, maybe reduced, but there is still a chance that someone will get through. Is that fair? 100% fair. It's a process, it's a concept. I think absolute products help and you will need to invest in in products that can look at runtime behaviour monitoring or can look at improving verification services. Account takeover absolutely will

need software, no question. But I think as well it's understanding the importance of identity and thinking about identity more of an end to end information flow. And again they do. The way to think about this is how how would an attacker think about this? You know, they don't care that you've invested in a really top notch privileged access management system or a nice governance system. You highly compliant. They just care. Well, I want to go from here to

there. I don't really care which identities and accounts I use. I don't care whether it belongs to Simon, Jim, Jeff, the admin. I just need to get that data and I'm going to get to that data regardless. And I think that those sort of more flexible information flow ways of thinking like an attacker is not something identity has been familiar with. You know, the joiner, mover, leaver process. It wasn't built for security. It was built for productivity.

It was built for automation, built to improve staff, getting access to downstream systems. So it wasn't built with that security mindset in play. And I think now because identity has become more important, more of this enabling tech, it's just absolutely natural evolution that the bad guys are just going to target identity because it's the effort reward ratio is massive. You know why?

Why target a single database when I can target the directory in the directory contains whatever 50,000 identities and stuff like this. So I think as identity has become more important by design, it's going to attract adversarial activity, both insider and external adversarial activity. And I think that's where you suddenly start to need those different approaches. And one final thing allowed is, you know, it's we do have to explain what it is and how it works.

But I think if you look back in time at things like networks, you then have network security. If you look at endpoint management, you then have endpoint security. You look at data and data storage. You then had a huge multi-million dollar industry for securing Oracle databases and others. So it was all that tiered database security on top. I think it's this evolution now that we have this identity stuff which was infrastructure

originally. So you need to protect it and now you have an identity security problem we need to need to deal with. So a lot of people, well, people may or may not know, Jim, that you and I actually do consulting during the day. And a lot of stuff that we focus on has been like strategy and sort of assessment. And I'm curious, Simon, what you know, what is a clear signal that you see that makes you question an organization's identity posture? Because I certainly have

thoughts on this. And Jim, I'm sure you do too as well. But it's like, OK, what's something that like jumps out like, oh, OK, we definitely have concerns here. Is there a few, I think there's a few, a few sort of meta ones if you zoom out a little bit and one's just back to that reactionary angle around

identity management. Not necessarily IAM, but the management of the identity infrastructure. If it ends up being quite short term, tactical, it's not necessarily in line with or in sync with what the business is trying to achieve. I think that is one quite big red flag because it shows that identity isn't seen either as being valuable or important, or it's not being measured effectively. So people don't really know what identity is doing.

And I think those two are quite meta, quite high level and not necessarily security centric.

But if, if the business doesn't know what identity does, it's probably quite unlikely it's going to have the correct levels of protection against it. And then if you then sort of look at the day-to-day management of the identity world, if it is being quite reactionary and quite, you know, it is responding to to things in that short term basis, I think that that is equally quite a, quite a big, a big giveaway.

But you know, you want to be looking really at the end to end flow of identity: where do identities start, where are they stored? How are they being used? What systems do they access? What systems have been integrated into the identity world? So it's a lot of sort of mind mapping. If you like, I'm planning out what the identity landscape looks like, which is going to be infrastructural components, but also the systems involved in where identity is

working and not working. I think being able to just have those types of discussions, they're really good indicators around how identity is seen within the organization and how how it's working effectively. And is there a sort of strategic view around protecting it and making it, making it have a

level of security it needs? You know, you brought up attack paths and the attack life cycle, but you're not going to pull me away because I do want to ask a question about identity security, which is I think we're starting to design as practitioners our strategic plan, our investments around identity security tools, and we need a way to show the metrics that is actually making things better.

So my question to you is, you know, what should that be and are there often overlooked areas where we're not showing that ROI? Yes, unfortunately I think so. We built something at The Cyber Hut about two years ago, I guess, called the identity security scorecard. And it's about 50-60 different sort of data points where we sort of go through and part of it is

self-assessment. So the organization or whoever the admin can go through and they can fill in some some responses that are around basically how well do they understand their identity security posture. And this is looking at things around visibility, you know, do you understand where your identities are located? Can you tell me your high risk identities as well? First of all, what's a high risk identity?

And so there's lots of little nuance in there around visibility, understanding where identities are located, how they've been used, what systems are being interacted with. Then there are areas around protection, you know, how do you protect your core identity world, and that's looking at all the standard sort of best practices that we all know around strong MFA, least privilege, removal of ghost accounts, all the stuff which is sort of good practice there.

But then you start looking at detection. You can, you detect malicious behaviour, whether it's end users doing bad stuff, whether it's administration misconfiguration. So you don't want to try and detect things. Then there's a whole set of areas looking at response. If you do find something which looks unusual. Maybe it's a misaligned policy, maybe it's Simon who's authenticated correctly, but I'm certainly doing something strange at 10:00 at night on

Salesforce or whatever. Can you, if can you detect it? And if you can, what can you do about it? Can you change my access? Can you flag and raise a ticket? Can you flag my account? Can you direct me to a honeypot and, you know, feed me fake information? So there's all of that nuance around being able to protect stuff. Can you detect anomalies? If you can, can you respond? And then you have this, then the feedback loop around, OK, you found some bad stuff.

Can you change policy? Can you update your security policies and procedures and controls to make sure that those identity vulnerabilities are not going to get exposed again in the future? So I think to answer your question, again, it's that broad sort of set of areas to look at. You're looking at that level of both technical and process understanding. And I think with metrics, it is always good to not use them in a scary way, but use them to identify where risk is in the

business. Is it risk in technology? Is it risk around a lack of coverage in visibility? Is it a lack of coverage with multi factor authentication? Is it that you have a poor understanding of your non human identities? So it's not... trying to understand what you don't know, I think, is actually quite an important part of that, and there's no shame in that. I think that's part of that risk analysis process and it's part of that: OK, this is what we know.

This is stuff we don't know. That to me is a risk. And then you can obviously go and manage that and do something. I feel like it's important that we don't end up with this FUD factor, right? I've heard this in the boardroom where they're afraid that you're just throwing FUD at them. Like you talk about things like, we're going to talk about in a minute, the attack life cycle and potential negative outputs that

come along with that. How do you avoid it being looked at as just FUD? I think, look, you have to realize that any technology is going to be competing with other technologies around spend and budget. And, you know, the data security world and the network world and the identity world, they're all trying to, I guess, take a slice of the AI world, which is now emerging, around how we can protect that, and the data team to say, oh, we

can protect that. So there's always that competition for budget and attention in the strategic technological narrative in there. So you actually spoke about FUD around the fear factor around, you know, authentication is the biggest problem, or maybe it's post quantum crypto's the biggest problem, or no, cloud's the problem. So there's always going to be

that competition. But I think when it comes to identity, I always sort of bring it back to a couple of things: what can identity not allow the business to do today? Where's it stopping the business from doing stuff? And it could be supply chain, it could be staff gaining access to the right systems, being able to share data with the correct

people. It could be digital teams being unable to launch mobile applications fast enough, so they're losing competitive positioning in the market. So where's identity not doing the right stuff? And then if you have a strategic change and say, well, if we do zero trust and we do this identity security stuff and we do a bit of B2C external identity, what will that allow the business to achieve? And that's back to that enabling technology. So you start to have, like, this

is what we're stuck with here. This is where we're limited. But actually, if we do this cool stuff that allows the business to go on this sort of time-progress adoption curve and do different things, maybe we can sell more, maybe we can keep our staff happier, maybe we can make our staff more productive, maybe we can make our supply chain more efficient. So I think it's really important to try and, again, always get it back to where's identity working, where's it a

bottleneck? What can we do in the future if it's working effectively? And I think if you get on to that sort of vision, it sort of becomes self fulfilling because you can then enable and tell the business and they go, wow, we can do that. We can sell more, do more, we can remove all of these inefficiencies, and then suddenly that opens a lot of doors, I think. I started out talking about identity attack path. You call it identity attack life

cycle. I think they're one and the same. Tell me if they're different or tell me what they are. And then also you talk about the importance of stopping an attack in its tracks, right? So maybe just continue on a little bit with that. Yeah, yeah, for sure. So yeah, identity attack life cycles.

It's interesting stuff. So I think you're back to what I was saying earlier around, as the importance of identity has increased, the bad guys know that, so they home in on that because the effort versus reward ratio is the highest. And you've got to think of the attack coming from both internal staff, unfortunately that does happen, insider threat, fraud and so on, as well as the external adversary.

And that could be anything from the automated sort of script kiddie stuff right the way through to nation state zero-day exploits and advanced persistent threats and the like. So as soon as identity becomes this target, you need to think about what that really means. And if you look at things like MITRE ATT&CK, which is the sort of general cyber way of thinking about that cyber attack life cycle, you apply that to the identity world. It's a very similar sort

of concept. It's going to have a start. There's going to be a dwell time. There's going to be some sort of privilege abuse or privilege escalation, multiple different credential thefts within that particular flow. Then there's going to be some sort of data exfiltration or some sort of execution of something, be it ransomware or the stealing of data. And obviously, hopefully, the bad guys are caught and found and

they disappear. Now, historically that life cycle has often been focused upon logs. Now, the reason I say that is that, you know, once it's in the logs, ultimately the stuff has already happened. The bad guys have done that bad stuff. It's in Splunk or whatever your logging system, syslog, all this carry on. If it's in the logs, the stuff's already happened. And I think we're sort of conditioned to think about stuff post event.

Retrospective: the attack's happened, ransomware has happened, we've had a data breach, customer records have been stolen. You're looking at forensics, you're looking at retrospective analysis. So stuff's happened. How can we find out what happened and maybe change it for next time? Well, we can't live like that all the time. We can't wait till this stuff's happened and then try and fix it for next time. Attacks are happening all the time, continually.

And I think the idea of the attack as a life cycle is, OK, but where can identity help here? Maybe it's through identity hygiene, best practice of cleaning up permissions, policies, ghost accounts, orphaned accounts, all of this sort of carry on, which is quite preventative; it's trying to prevent something from happening. But obviously that isn't enough. Something's going to get through

the net there. So then we start needing to look at runtime and behaviours and the intent of the identity or the account itself. And I guess the idea with the attack life cycle is trying to say, look, let's try and identify the bad stuff before it gets to the end, before it gets

into the logs. And can we do something just before it completes, really, and trying to say, look, with our detection engineering, with our ability to look at runtime, can we find suspicious activity, malicious things, use composite risk scoring and find that actually that looks dodgy? So let's do something about it. Let's remove the session entirely. I'll reduce the session

lifetime. Maybe if I had read and write access, just give me read access because I may be on a strange network or a strange device or something. So it is just trying to find those little small triggers of information and then being able to do something about it just before I've sort of run off with the bag of digital swag and disappeared into the sunset. So I think we're getting there.

And by this I mean we have so much information now from a digital perspective around networks, devices, behaviours, identities, what I'm trying to access, what I've done in the past, comparing myself to other colleagues and peers and all this sort of stuff. So I think we are building this mindset of being able to try and prevent stuff.

That's brilliant. But if we do need to look at the runtime, having the weaponry to say actually there's something strange happening, let's respond, and hopefully respond before the attack happens. So I think that's maturing, I think, for sure. What I'm hearing, like, we are building the mindset. Totally agree with that. It feels like there are some, like, we probably have the data. Question is,

Do we have the tools that can interpret the data to take action to prevent an attack in its tracks or stop an attack in its tracks? In your view, what are some of the promising tools? I mean, we've talked a lot about continuous identity, shared signals framework, things like that on the show. I think there's a lot of promise there. It seems like it's more than just one tool to solve this problem holistically; the approach has got to be multi pronged.

You're looking not only at authentication logs, but you're looking at other things as well. Your thoughts? Yeah, no, I couldn't agree more. I think CAEP and this signalling is a really, really important part of this. I think that's a really good example of saying, first of all, we need non identity data signals here. It isn't just about the identity world, as important as it is obviously, but we need to introduce other factors or

other data points to this. It could be configuration management systems to give you visibility of your application world. It could be ServiceNow or Jira or ticketing systems to give you information about what people are requesting and why and how and what context that has, endpoint management systems, threat intelligence systems. And there's lots of different

non identity parts. And I think to me it's a little bit like this sort of asymmetric information problem, around trying to navigate through a maze in the dark and you're not quite sure which of those rooms are good rooms, bad rooms. You've got a small torch and you're sort of just trying to build a picture of what's happening. And the more information you have, the more intel you have, the more informed you become.

So I think the CAEP thing is a good example, but you're absolutely right in the sense that's just one aspect to it. So apply that concept to your identity data world and start saying, well, OK, I understand about ghost accounts and access permissions, but, honestly, those aren't new concepts. That's stuff that's been around 25 years, yet organizations still haven't fixed the problem. So how can you help fix the problem?

How can you identify excessive permissions or accounts that aren't being used or mis-correlated accounts? What other data might you need? So again, thinking, OK, how can I expand my sort of data net and, instead of looking at permissions that have been assigned, look at maybe the permissions that have been used, or look at HR information coupled with ticketing information coupled with laptop

usage information. So you just start to pull in different information points. So I think it's just important to broaden those data signals at all parts of that identity life cycle, from identity verification, authentication, authorization, governance, and obviously that runtime sort of stuff as well. And it's just spreading that concept of saying we need more information to help us become better informed.

Yeah. And it also feels like, organizationally speaking, IAM in the past has been treated more like, you know, an efficiency driver. I mean, yes, there was a security angle to it all along, but it was kind of an administrative feature on, you know, back end administration, who gets access to what. Single sign on more or less was treated as just that, single sign on, not defense against being attacked.

And that's what identity security is all about: you're being attacked and how do you use identity? So now it becomes a 24 by 7 operations activity. Can you talk a little bit about how you see that manifesting, and does that mean there are additional stakeholders in the identity world? Yeah, yes, in short, absolutely spot on. It does become more omnipresent, constantly on, and not just from the security side as well, constantly on because it's going

to be constantly changing. So administrative functions need to be constantly on. And by this I mean not just 24/7, but being able to make changes from a whole host of different sources, you know, API, command line, policies as code, infrastructure as code, all of that sort of automation needs to be always on as well. I think the security blanket, absolutely. And this brings some interesting challenges, I think, because, you know, spot on, identity wasn't seen as

security enabling. It was 9 till 5 joiner, mover, leaver productivity. But now it has to take on some of the constructs of the security world, namely, can you discover and have visibility of all of your identity stuff? And it's quite interesting when you often speak to CISOs, they go, I just press the discovery button on the identity thing and it'll just tell me where all your identities are, will it? Yeah, not really, because we've

got directories everywhere. They're not connected. You have different identity providers not connected. You probably have accounts and identities embedded within core systems that are just not even managed entirely. So you know, it's inherent to things like network technology that you have discovery, and that's how networks work. You know, routing protocols, Open Shortest Path First, all this sort of stuff. It's all discovery

led. Identity is not like that. It was process and structure and waterfall and it's a different sort of mindset. So you're absolutely right. It is 24/7 and I think it does introduce security operations. It looks at not only responding to security incidents and how you can fix identity as part of that, but obviously, as I was saying earlier, what can we do during the attack, you know, who's going

to be involved in that? It is going to be that security focused layer and again, security architecture: how can identity help with confidentiality, integrity, availability? So the CIA triad as well. So different stakeholders, they're all going to have slightly different needs. I think that's positive. I think it helps identity become more match fit, if you like, for the modern world and be more adaptive and responsive and integratable and things like this.

OK, so let's pivot to the AIatthecenter.com question. We joke an awful lot about AI, and yes, that's a real URL, and yes, it will point you to this podcast. Where is it, I guess, with agentic AI, right? This has been sort of the hot button thing for probably a while, but I think really in the consciousness of identity for probably the last six months or so. What does that mean for identity strategy, identity security and other similar terms?

Yeah, it's a great one. It's just like this huge nuclear explosion, if stuff like that's come along and just sort of detonated upon all of our ways of working, our ways of thinking about tech and certainly security, for sure. I think the best way I could describe it is we haven't fixed the human stuff really from an identity

point of view. And by that I mean we're still plagued with some of the core problems of, I don't know, RBAC, ghost accounts, excess permissions, nobody does MFA properly, and all these sorts of things. And then three or four years ago, we had a bit more focus on machine identity, service accounts, looking at APIs and workloads and a bit of privileged access stuff in there as well, and machine to machine comms.

That wasn't really fixed either, because that's got this big hockey stick curve of numbers and huge issues with credential rotation, and there's no HR system for workloads and non human identities. So we've got these two problems which we haven't solved. And then you've got cloud to deal with, and then suddenly someone drops this agentic AI sort of Megatron on everything else. It's like, wow, OK, it's the

worst of both worlds. And by this I mean there's a huge scale problem in the sense of agentic AI: the adoption's going to be huge, 50-60 hundred times the number of human identities, for example. But then it also has issues around it isn't deterministic like workloads and basic API to API comms, the nice JSON payload, and it's this big and it works between 9:00 to 5:00 and it has a job that used to authenticate.

It's quite predictable in what it does, whereas the agentic world is actually non-deterministic. It's geared towards optimization. So what it does is actually going to be quite unusual in how it behaves. And often that's quite legitimate because it's there to optimize and improve and learn and everything else. So it's generating requirements that we haven't even solved for human and non human. And then certainly we've got the deeper agentic.

So there's a whole host of different ways to deal with that. I think absolutely it looks like it's going to get characterized as a different identity type. So it's neither human nor non human. First of all, I think that's quite a nice concept to consider. And also the sort of paradigm that's emerging is to treat it

like a digital employee. Now that is subtly quite interesting, because you wouldn't, well, maybe you would trust your colleagues with your passkey and your credentials and your Active Directory logins. I posit you probably

wouldn't. But suddenly we have this mindset of having to trust and give all of our credentials and permissioning and everything else to these agents who perhaps don't have accountability, don't have behaviour monitoring, aren't necessarily using strong authentication and just in time permissions and all this sort of carry on. So it's a hugely interesting space.

I think one final sort of comment: the innovation and adoption of AI and agentic AI is absolutely off the scale, whereas the adoption and innovation of identity and security is quite flat still. So we're ending up with this sort of gap between this hockey stick curve adoption of AI and security and identity sort of plowing along. And yeah, it's doing some good stuff and it's improving all the time.

But there's this big massive gap, security gap, around, well, how do we do just in time permissioning for agents? How do we do strong auth? How do we do process attestation? How do we do confidential computing with these agents who are operating as ephemeral things which come and go within a few seconds? So it generates some huge non-functional challenges, really, which we're not quite there on yet.

I think end to end it needs a whole host of data security, identity security and governance to get that stuff right, I think. So I think I heard you describe that there might be this third type of identity, right, agentic versus human versus machine. And I don't know. I mean, I think a lot of the problems you described, I'll call it that identity chaos that happens, right?

Yes, you're right. API to API, it's a very predictable transmission and you know what it's doing. But humans don't do that. Humans today are interacting with accounts in any variety of ways, standard and non standard. That's why we have things like conditional access, right? And rules and things like that.

Now I understand the scalability is the big challenge, right, when it comes to agentic identity, but the behaviors of an agentic identity are much more similar to a human identity than they are to a machine identity. So do we really need a third classification to further muddy the waters, which I think is what IAM is really good at, is creating new acronyms for

things. If it's truly needed, great, but I'm not sure yet if it really is like a subset of something, or if it really is strong enough to stand on its own as a type. I guess the counterpoint is we're still struggling with solving those human problems, aren't we? I think if we'd solved them and we had a really good, mature way of saying actually, yeah, it is just a subset of what we do and it's fine. I think because that isn't

the case, it's almost like a cascading problem. So you have a ghost account in the human world multiplied by a long lived credential in the NHI world that cascades into a much bigger thing. And I think the big agentic question mark at the minute is all about accountability and traceability and directing that back to some sort of carbon life form.

And I think because we haven't been great at solving these problems for other areas, it's like, do you know what, I think we need to have a really grown up conversation. How do we manage this? Because you're going to need different tools. You're going to need different architectural patterns, because the architectural patterns we've had in the past, even the sort of PDP/PEP, just in time, zero standing

privileges, we're not quite there yet, because if we were, a lot of these issues in that attack life cycle stuff would probably disappear. And I'm an advocate for saying we should. I'm just basing that on observations around how this sort of industry is heading. And I think we need some real conversations around who needs to be involved in protecting AI.

And it isn't just tech. It's going to be governance, it's going to be ethics, it's going to be legal, data security and data, the data science people that have a really good point to make in there as well. And I just think there's a lot of unanswered questions currently around what the protection angle looks like. And yeah, there's numerous different startups trying to provide some guidance there. So I think it is

moving very fast. It's early days though, I think. What needs to change from an identity standpoint to address the explosion of agentic identity? Because I feel like we've spent decades trying to solve for humans, but now the problem is that scale, right? For every one human, there are 10, 100, 1,000, 1,000,000 agentic identities that are spawning and they're spawning their own

agents, right, to do things. So what is it that you see over the next maybe three to five years where it's like, OK, we really need to think about the way we are addressing identity and access management as a whole to counter that? There are some positives though. I sort of painted a big gloomy picture. I think there are some huge positives. I think the first one is actually use AI to fix some of those human problems

I've been describing. So using AI in a much more focused and condensed way to say, actually, you know what, our identity and access management world is good.

It's growing, it's incrementally improving, but we could use AI to actually fix a lot of the governance issues, fix a lot of the broken groups in Active Directory that don't have descriptions, fix all of the access requests, access review compliance issues we've had for decades and decades because nobody does that properly and it's ineffective. And use AI to sort of, let's fix and tighten up that human centric stuff, make that match fit.

I think by doing that, that actually frees us up as industry experts to say, actually, conceptually we can then start to apply some of this stuff to how we do strong authentication, just in time, runtime policy enforcement for agents. So I think the concepts are there. I think there's definitely a bit of an issue around technically what that looks like, which I think honestly is probably quite an easy

thing to fix. But I think currently the big issue is the discovery, visibility, ownership thing: what's happening with AI in my organization, where's it being used, why is it being used? What's the value? And then look at doing that sort of security on that. And hopefully, you mentioned three or five years, maybe hopefully five years from now it's a much more proactive thing. And it isn't just a case of wrapping security on stuff

afterwards. It's more about adding in those core concepts every time you build an agent or deploy an agent. And it has strong auth, process attestation, trusted work environment, doesn't have excess permissions or you can identify when it does. So I think the concepts exist. I think it's just applying them in a slightly different sort of environment, I think. I mean, when you released your book, IAM at 2035, I just was like, this

guy's got guts, he's got guts. So I've always kind of had the base premise that identity follows the technology. And I'll give you another premise that I think I'm coming to, which is that we're constantly head faked by what can AI do today. And then there's some assumption that it's going to be a while before us. But yeah, that's not what we've experienced. We had the ChatGPT moment, right? And look at where we are now, where it's like it's blowing it

away already. And if the real futurists, of which I don't consider myself one, are right, we reach kind of the singularity moment in the near future. Singularity, for people who don't listen to this garbage all the time, it's when the AIs are as smart as the people, right? Generally speaking, that's the term. And Jeff's nodding no, so he can correct me. But that was my understanding anyway.

What I'm getting to with this is, it feels like it shakes the core of what enterprise IT might be 3 to five years from now. In fact, it might shake the core of what an enterprise is 3 to five years from now, right? We have this assumption that all these thousands of people are going to come to work for a company when the futurists are saying 50% of the white collar workforce is going to be

eliminated. And when you think about a lot of enterprise IT applications, let's just call them SaaS, you know, I'm oversimplifying, doesn't really matter what the delivery model is, they're mostly built around people doing a job, right? And if you're talking about agents doing a job, do they need these tools? Do they need an HR system? Do they need a CRM system external to the large language model itself? To unpack that, Jim, crikey, I think nobody knows where it's heading.

I do think that's a little bit scary as well. I'm not necessarily saying it's all doom and gloom, but I think the potential is unknown. And I think that itself is quite a scary thing. I think it will transform lots and lots of jobs, lots and lots of jobs will change and alter, absolutely. But I do think there's also that more fundamental change and shift around how we do business, how we work, how we interact

with people, how we do things. I'm not quite sure anybody knows what that quite looks like yet, but I think a lot of it is going to be based on trust. Can you trust this thing, whatever it may be, to, you know, be a friend, do something, act on your behalf? Maybe you're interacting with it on, with this whatever combined set of agents, and then trust is a huge part of that. And to get trust to work, you need to have identity in there, both physical and digital

identity, for that to work. So I think identity has a real fundamental part to play, irregardless of what that looks like. I don't think it's going to look like the identity of right now with the stuff we have. But I think the concepts, the physical concepts that we have as people, how we interact with each other, how we trust each other, how we respect and listen and interact, somehow you'd have to try and translate that to the digital world. And I have no idea what that looks like.

I mean, it sounds a little bit scary, but I think it is coming very rapidly. I think that's probably the only thing we can predict: that it's coming quickly, too quickly, and we probably won't be fully prepared and we'll have to do what humans always do, and that's adapt and figure it out. Yeah, I mean, I'm always an eternal optimist.

I hope, I don't think it'll end up in sort of robot wars, but one thing I will add actually is that maybe AI is the only thing that can secure AI. If you think about where that singularity goes to and the way you design and define systems, maybe it isn't a human that has to be able to do that. It may be an AI system is the only thing which can operate on the same frequency, I guess, to be able to protect

that. So that'd be my, not my prediction, if I was going to ever write another book: IAM at 2055. If we're all here, then who knows? Well, it worked for the Matrix, so I'm trying to work, you know, for real life. So we're good with that. I always learn so much, Simon,

when we talk. And, you know, I want to wrap up this conversation with maybe learning a little bit more on the conference side of things, because Jim and I are headed to EIC in Berlin in May. And then we've got another conference in Las Vegas with Identiverse. And you know, last year was my first time going to Berlin and I really enjoyed it. And I hit Amsterdam after that,

really enjoyed that as well. And I'm curious if you have any tips for Jim and I, our second time going to Berlin and maybe parts unknown throughout the EU. What should we be thinking about as we head out this summer? Enjoy it. Europe is fabulous. Europe is very small in some respects. And by that I mean within sort of two hours you can have a multitude of different cultural experiences, languages, drinking and other.

And I think that is the absolute beauty of living in Europe, and in the UK obviously, but Europe is a real big part of my view and vision of the world and it's

multiple, multiple things. I would take every opportunity that you can to sample all of that culture because it is fabulous, the fabulous history of Europe, and it's good in Germany. Berlin, yeah, there's some great bars in Berlin. You know, there's some good bars in Berlin. I'm sure we can do that offline. But yeah, embrace it all. It's brilliant.

Well, give me something specific, like what's a hidden gem that you want to promote or let people be aware of? Like, hey, this place is great. And, you know, maybe not a lot of people know about it. I mean, we have people all over the world who listen and maybe they're familiar with it or maybe they're getting ideas like, oh, next time I'm in that area, Simon said we've got to go here. I'm not going to be at EIC, I

hasten to add, this year. So I guess, if it is in Berlin this year, is it? It's in Berlin. A German Keller beer or a wheat beer is, will be my, my go-to. Go and hunt out a really good Weissbier in a German cellar bar. So it's got to be an underground bar. It can't be on pavement

level; underground. I'm not going to give a particular name, but there are some that exist, and they'll have little candles on the tables and they'll be very small and they'll be open from about 5:00 PM onwards in the afternoon. They're the best places.

They're the best ones. German Weissbier in an underground bar with a bit of not old fashioned techno music going on on the speakers, that to me will be, you'll probably find me somewhere in one of those little bars, and that'll be my end of conference day. I think that'd be my tip. Sounds a little bit similar to a place that I went.

So shout out to John and Matthias who I went out with, and it was a bar, you know, pub type place underneath the train tracks. And you know, we had wheat beers. Weiss is typically what, if I'm going to drink a beer, typically this could be like a Weiss, stuff like that. And then pretzel and sausages, and just kind of sat in this pub and just hung out and relaxed. And it was. Was it an underground pub? It wasn't.

It wasn't underground, but it was directly underneath the train tracks in the Alexanderplatz kind of area. I don't remember the name of it, but it was a similar type of vibe. Not directly underground, obviously, but... That's good. It is close. That's a good starting point, yeah. OK, so that's like the newbie version of that. To progress to the underground, and then you would have ticked all of the...

I think if you drink too much you might progress too far underground, and then you've got a different problem. That's tomorrow's problem, though. Jim, do you want to weigh in on anything here? I mean, I would just say that, you know, I'm thinking about our trip to Europe, and I'm thinking the culture and the lifestyle, I mean, they've got it in spades. I think our trip to Vegas is going to be very different. Vegas and the Berlin scene are very different, but I enjoy them

both. I find Vegas relaxing, and I don't know if that's because I'm weird or something else. I like the people watching. I've given up a lot of the vices that make Vegas a problem for most people. I don't gamble, but it is a good time. But it's super expensive there. Yeah, I'm probably going to try to make it to the Sphere again. They've got Wizard of Oz playing, which might sound a little bit nerdy, but I'm looking forward to it. At the Sphere, I mean, you can see anything.

You can watch paint dry at the Sphere and I'm sure it'll be interesting. Would make it, yeah. All right, let's go ahead and wrap it up there for this episode. Simon, thank you so much for joining us. As always, it's a pleasure. We'll have links in our show notes for people to check out. So we'll have a link to you on LinkedIn so people can reach out with either recommendations for underground bars or, you know, AI tomfoolery, or whatever it may be, however you want to word that.

I'll have a link to the Analyst Brief podcast as well in our show notes, so you'll be able to check that out. You and David continue to do a great job with that one. And yeah, we'll have links to us as well, so reach out to Jim and I. We're always looking for ideas for shows and questions, comments, concerns and all that good stuff. So idacpodcast.com, and don't forget our discount codes. And yeah, that's it.

So we'll leave it there. Thanks everyone for watching and/or listening, and we'll talk with you all on the next one. Guys, thank you. Talk to you soon. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.
