This is Identity at the Center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. I'm doing great. I'm really excited about today's episode. Not too often that we find a company that's been in IAM longer than we have, but I think we have one of those today. Also we have a fantastic guest from that company.
Someone we met at Identiverse DC. So I'm telling you, that Identiverse DC conference was well worth our time. Yeah, it was a lot of fun and I don't have it in front of me right now, but I do have a Bravura Security IDAC custom tumbler or mug, whatever it is. So I definitely appreciate that. But yeah, let's get into it today.
This is a sponsor spotlight episode, so this is where we find out, you know, perspectives and opinions on the identity space from the people who make this podcast possible. So we definitely appreciate that. Today we've got Bravura Security. You can find out more about them at bravurasecurity.com/IDAC. That's BRAVURA security.com/IDAC, and I want to welcome to the show Bart Allen. He's a general manager with Bravura. Welcome to the show, Bart. Thanks, Jeff.
Great to be here. Excited to kind of see the inside of how this is all made and comes together. Yeah. So you're seeing the remote version. I think you probably saw us doing some live episodes at Identiverse DC there, sort of the tail end of 2025. So you can see the sausage being made, the chaos slash mess that is happening, but for whatever reason, people tune into that. Let's find out more about your background.
My first question anytime that I meet someone for the first time on the podcast is really kind of to learn more about their background in identity and security. So let's start there. Bart, how did you get into the identity space? Yeah. I mean, it's been a little bit over a decade since I started my
journey in identity. Before that, I was in kind of an adjacent space, enterprise content management, controlling who has access to what and surfacing the right information, but really from a different angle. So I actually started almost 11 years ago in our consulting space helping customers solve identity problems and, you know, figuring out how to improve their security posture.
And then, you know, through the years, kind of grew into more of a leadership role, spent a lot of time trying to figure out how we can make identity an easier problem to solve. So many, you know, difficult projects, long implementations, et cetera. And I think, you know, that's something that I've really brought to the leadership role as well as, you know, paying attention to our customers, prospects in the industry. But it's also what anchors me
here. I think I love the fact that this is a space where the problem I was solving yesterday is different than the problem I'm going to be solving tomorrow. I mean, we've seen it in the past, you know, 12 months with the evolution of agentic identities. And I'm sure we're going to see another evolution here shortly. So, you know, that's, that's what got me into it. I don't necessarily know that it was a path I chose or if it chose me, but I'm here.
I do enjoy it and look forward to talking more about it. Yeah, I feel like identity is one of those things where just when you've got it figured out, oh, here comes something new and interesting and you kind of have to restart and kind of figure things out and tap that background to try and say, OK, how do we address this problem? So I'm with you totally on that.
For people who are not familiar with Bravura, why don't you give a sort of like the rundown on who you guys are, because you actually go way back, even before it was called Bravura, right? Yeah. So we were founded in '92. Back in the day, we really focused just on password management. I think our first product launched in 1997, which was just a self-service password reset tool. We've been through a number of different acquisitions and
rebrands. So in the 2010s we became part of Hitachi. A lot of people will know us as Hitachi ID Systems. And then in the 2020s, and 2022 specifically, we took on the name Bravura Security. So you know who we are and what we do. I mean, we've been around for so long that password management actually started to evolve into identity management. We're managing, you know, passwords on Active Directory, Unix systems, mainframes, AS/400s, you name it.
And at some point somebody thought, well, could we also start to create accounts? Could we start to deprovision accounts? Could we start to handle the identity life cycle? And so we started to do that. We were probably one of the first vendors in the space. I don't think, you know, it was something that we, it wasn't a space that existed at the time, I guess.
And then similarly we fell into the problem of privileged access management. We had a couple of customers who were already using our password solution to reset passwords programmatically on a scheduled basis to secure privilege, and so we started to develop a solution around that. And that's evolved into kind of the company we are today. I describe ourselves as like an end-to-end identity security provider.
We're one of the only players in the industry with a native platform, and I think it gives us a unique advantage. Plus, these three decades of experience definitely can't hurt. So talk about tapping that history just to make sure you're doing right by the future. I'm always curious how names of companies come to be. So tell me about the name Bravura. How did you and the rest of the people there kind of come up with the name Bravura for the organization?
Yeah. So you know, in '22, we knew that an acquisition was kind of nearing. We took the opportunity to do a bit of a product rebrand in advance of the company rebrand because we knew that was going to be very quick. Leaving the Hitachi ecosystem, we had to leave that name behind as well, which is, you know, a very trusted brand. It revolves around, you know, quality and everything like that.
So when we're thinking about it, you know, one of the things that came to light is our deep technical expertise. We have people who are still here today, who've been here for almost 25 years. 25 years ago, the identity space didn't really exist. So it really comes from the root of, you know, a word that describes technical brilliance or expertise in a specific space. And we thought it was kind of fitting, differentiates us from some of the others so. I love hearing stories like
that. It's like, all right, it's already interesting. So that's like an Easter egg. If somebody reaches out to Bart, it's like, hey, I know where the name Bravura came from. Now that was the friendly question. Now I'm going to put my jaded CSO hat on because I feel like there's so many different products in this space and identity at large just has, you know, hundreds, if not thousands of products. So I'm going to ask you the question like, what is it that
you think makes Bravura unique? Like what do you bring to the table that people should be thinking about? It's like, oh, maybe I haven't quite seen that before. Or what do you think is like that special sauce? You know, our special sauce is the fact that we built this up natively across 3 decades. So that means we have a unified set of connectors for identity, privilege, and password reset, and we can do things that require a lot of integration in
other scenarios, right? You might pick a best-of-breed identity tool and a best privileged access tool. And then you're posed with the question, well, where does privileged identity management happen? Does it happen in the identity tool? Does it happen in the privilege tool? And then if we want to go certify those things or, you know, do deeper analysis, you know, where does all of that
happen? And oftentimes we find customers say, well, it happens in, you know, ServiceNow or some other platform where, you know, we're not truly managing these things. So that's really, you know, the core of the secret sauce. I think, you know, what we're going to talk a little bit about today is, again, another one of those solutions that arises from having this native suite, right? We can, you know, not only manage password resets, but we can maybe shift the paradigm on
that as well. So. I'm going to steal Jeff's jaded CSO hat, I'm going to put it on backwards and I'm going to ask you this question. I mean, I'll be honest with you, most of the episodes, we've had way more episodes about the password dying and going away than we've had about how to manage passwords better, how to have a tool and a methodology and approach. So one, I want to ask you, you know, why is there still a need
for a password manager? And then #2 I guess I'm going to help you out a little bit with this one, which is, look, as much as we might want to say the password is dead. And I think the first person to declare that, or at least the one that we've made fun of the most, that Bill Gates said it in like 2006, the password is dead. And like I think he was before even the Crest of the importance of the password, right? That probably happened a few years later at least.
But you know, it's 2025 or 2026, it's 2025 and previous years. It's like breach after breach tied back to passwords, either phished passwords or socially engineered passwords or password spraying. I mean, it keeps coming back to passwords, right? So I guess that's my question is like, why is a password manager important now? And then why does this keep happening? Yeah, I mean, I think a password manager alone is important, but talking about like, why passwords?
You know, I think the uncomfortable truth about passwords, in my opinion, is we've been trying to get rid of them for the better part of a decade, probably even closer to a decade and a half, through one way or another. And we love talking about all of the things that are going to replace passwords. But I feel like that story continues to change and evolve, which is good.
The industry does too. But I think we often ignore all of the things that are going to use passwords for the next decade or maybe even longer, right? There's legacy systems, there's platforms that don't support single sign on flows or don't support standards based single sign on at least. And you know, when we talked to organizations, a lot of them might get 80% of the way there,
right. You know, 80% of their systems are newer, modern enough to support some sort of single sign on flow or standard, which is great. Then you can eliminate the passwords there. But then what about the 20%? And I think where organizations get stuck is in this last 20% where you don't really reap the benefit of being password less and being, you know, breach
proof. If you can even say that until you actually eliminate the user in the password flow or in the credential flow, which is what, you know, passkeys and passwordless are really aiming to do. I think it aims to solve the problem of humans are bad at forgetting passwords, setting passwords and remembering to reset them when they need to. So you know, our on that is really, well, there's multiple
ways to solve that problem. And so if we think about using a password manager that's connected to your other systems and can automatically have passwords distributed that are very similar to how we would tackle privileged access management, then you're removing the user from that journey. They don't have to reset it, they don't have to set it initially and they're not going to set a bad one that can be breached. So. Yeah, I think that's a really good answer.
I mean, I use the password manager because even though I have passkeys available for certain applications that I use throughout, for applications that don't have passkeys, they still rely on passwords, right? So I don't know, am I to do this with passwords written down in a notepad, or just reset my password every time? Obviously the password is not dead. Even if we've beaten it to a bloody pulp, it's not dead, right?
So that makes sense to me. You know, I'm just kind of like thinking back through my experience. And I think the password manager I have, I've always thought of as like a personal password manager. And then there's enterprise password managers. I'm wondering if you could, for the audience, explain the difference between the two and then tell us what Bravura's solution is.
Yeah. I mean, for me, the difference between a personal password manager and enterprise password managers is really the paradigm of who has control over what's in that. You know, I think a lot of employees, staff, contractors are using personal password managers for their business passwords, which creates an additional
layer of business risk. And so an enterprise password manager is really just one that is geared towards an enterprise where they want to be able to maintain control of the credentials that are in that vault, even after that employee may have left, and be assured that, you know, they're not getting leaked, and have some ability to audit and see where they're used, what they're for. You know, I like to think of it as like the last mile to passwordless, right?
So you, you hit this 80% adoption and you're like, OK, great. So what are we going to do with the rest of this 20%? And I think a lot of companies go down this complex digital transformation journey where all these systems are going to have to be upgraded or modified at some point, which is great, but that takes time. What they can do today is start to put those in a password
vault. And then what our solution does that is a bit unique in the market, as far as we can tell, is from our lineage in managing self-service password reset, integrating with hundreds of different applications including legacy mainframes, etcetera. We can actually treat these credentials like we treat them in privileged access management, and we can rotate them nightly, every week, every 60 or 90 days, and
we get to set them. So it gives IT the control of the password back and they no longer have to really be worried. The other thing that comes up a lot is, you know, we get in these scenarios where a company has a breach and they have to go reset hundreds or thousands of passwords. And that's really hard to do. It's a lot easier to do when you can do it programmatically and then you have a mechanism for distribution.
Because while you might be able to write, you know, a PowerShell script or whatever that goes and resets all the passwords in Entra ID, then you have the problem of, OK, well, how do I get Jeff and Jim their passwords? You know, how do I make sure that they are actually who they say they are and I'm not just letting bad actors back into the
system. So. You know, what you kind of described there is almost like a quasi-passwordless type approach where you know you're letting the wallet, the vault, whatever you want to call it, right? Manage that for you and me as a
user. I don't have to know that, but I guess there's a little bit of a split here though, because a lot of organizations are spending, and rightly so, money and time to get on to things like single sign-on, you know, get MFA, get identity platforms in place, right, things like that. So the idea is like, hey, let's get everything centralized. Let's use one strong credential.
But you talk there about sort of that last mile and I think that's where a lot of the operational reality still comes into it. Can you talk a bit more about what that breakdown is like? OK, great. We got 80%. What about the other 20%? Like that's still the key part of it that you're looking to address, right? Yeah, exactly. I mean, I think, you know, again I'll kind of reassert the password's not gone until you're not using it anywhere.
We talked to an organization recently, I think at Identiverse DC, who was doing exactly this and they took a different approach to it, which was they required people to reset their password in order to get access to their password, which is not super user friendly. But when you talk about kind of the breakdown of systems, right, there's a lot of legacy technology. I mean, you know, there's still mainframes in existence.
There probably will be for, you know, God knows how long until IBM stops manufacturing them perhaps and selling them. But you know, that's not going away as quickly as we need to address the security problem, right? And so I think this is like a pragmatic approach to, okay, well, look, we're still going to go on this path and this journey, which by the way, we believe in as well, right? Which is you want to eliminate passwords, you want to eliminate
the human in them. But you know, what do we do in
the meantime, right. So in the meantime, while we have a secure way to deal with them, the other piece of that breakdown that enterprises really don't think about is, OK, I've got these 150 applications in my ecosystem that I'm going to manage access to. Well, what about the 150 to 500 applications that your staff are using for business purposes or otherwise where they're still setting bad passwords because those systems haven't evolved to use passkeys or the users
aren't comfortable with them? You know, I think about, we talked about Identiverse DC, right? All these events you go to, you create an account on some platform, be it like, you know, Cvent or something else. And it's just the proliferation of more and more accounts. I think the last time I checked in my vault for work, I have about, you know, 11:50 managed credentials, ID things that are like really truly owned by the business.
But I have over 300 items in my vault that are work related. And you know, I might be in a unique role, but those roles exist everywhere, you know, marketing or people who are in consulting with access to customer systems, etcetera. So I think there's a lot more to it than what we actually see at the surface. Yeah, that's what I was thinking too. As you were talking, I'm thinking like, OK, talk about like your GitHub password
and things like that. That's in that 300, where the work related with their personal accounts, if you will, that I think an enterprise identity person might say here might be the challenge that you would get. It's like, well, we've got tools, we've got, I'm going to pick on Okta even though I'm not picking on Okta. It can save these passwords, it can store the password. Is that enough, storing the password?
You know, I would say no, because you're not taking the human element out of creation, right? And what do I mean by that? Right. We look at passwords and we look at the password dumps and we look at all the spreadsheets that people store their passwords in. And what you inevitably find is a pattern. You know, it's not uncommon to see like my dog's name, 2026 or, you know, 78 because it's the 78th password they've set in their lifetime at that company.
And so I think one of the issues is that we use these passwords, and we use these patterns as humans because they're easy to remember. But we don't just use them at work. We use them in other platforms. And those other platforms occasionally get breached and, you know, password hashes get dumped in places. But once we can figure out what somebody's pattern might be, it's not all that hard to run a very targeted, you know, stuffing attempt to say, OK, great.
I know that, you know, this person uses the password and it's their dog's name, Fluffy. And, you know, they've probably been there for, you know, 50 password change cycles. So let's try everything from 25 to 75, right? It creates a very targeted way to attack individuals. And so I think active management is really the only way to address that. So when you can reset it and also actively manage it, that's kind of the Nirvana, I think. Yeah, that same part I think is pretty important.
So that's what you had mentioned earlier that kind of triggered me was so you have the ability to go in and manage the password, reset the password on a periodic basis, things like that. Is that what I'm hearing? Exactly. Yeah. I mean, we treat it basically like you would treat it in privileged access management. So you talk about passwords being breached and you know, I think social engineering is another way that people get into accounts.
You know, service desks have issues with validating callers, right? All kinds of stuff like that. And what I go back to, my background in identity is IAM operations, taking phone calls from people on January 1st, well, probably January 2nd, who forgot their passwords over the holiday break, right? And you're trying to really get them in. And you know, back then it really wasn't security. It was just like a process you followed and it was like customer service versus a
security control. And I'm curious, do you still see that taking place today and what are your thoughts on sort of that approach? You know, I think help desks are evolving, but they're evolving out of pure necessity and based on what's happening in the market, right? It feels like 50% of the attacks, and this is not an actual statistic, are help desk social engineering related.
In kind of the ones that I've investigated or looked at, you know, thinking of like Caesars and MGM, that was help desk engineering. There was another one, you know, locally here that was also help desk social engineering. Again, it's kind of like, you know, the human element is the
risk, right? And so if you give, you know, admin rights, even delegated admin rights to your help desk to be able to go reset passwords, I mean that again, they're following a process with the best of intention.
But if there's nothing in the middle kind of enforcing that, you know, we actually validated through like an IDV, for example, which is identity verification software, that, you know, this person is who they say they are, or like a simple push notification or something like that, then help desks are going to continually fall to kind of those attempts.
And so, you know, again, thinking about the solution, right, if we can have a situation where users no longer have to forget their password because it's just stored somewhere for them, which is probably what they should be doing anyways, is using a password manager. But if we can get them there, then, you know, a lot of the help desk problem goes away. Not all of it.
I mean, you're still going to have first login scenarios and other situations where, hey, you know, I lost my phone on a beach in Hawaii and I no longer have access to anything, you know, my MFA device swept into the ocean. But, you know, if you can kind of put controls in place that technically, you know, validate that the user is who they say they are before distributing access to their vault or their
credential. And I think you can eliminate a lot of that social engineering issue that we're seeing. Right. And so it really comes down to removing the human from the problem, you know? Yeah. Yeah, yeah, I think so. I'm writing a book, by the way, and it's a book of short stories about identity practitioners in the trenches, right. And so one of the stories is about a Scattered Spider type breach, right, where they call the help desk and more or less socially engineer the help desk
person. And the moral of the story is that the identity verification or the process wasn't designed to kind of think about that type of scenario where the person on the other end of the phone is saying, look, if I don't get access, I'm going to be fired. I think from a governance standpoint, we need to think like that. It's almost like putting together a disaster recovery plan.
Like nobody wants to think about like these awful disasters taking place and taking out your infrastructure. But, you know, it's part of what we're paid to do, frankly. But I think, you know, in a scenario like that, you know, having a password management tool seems like it could make a lot of sense. Yeah, I mean, even just kind of thinking of more basic scenarios, right?
Maybe your phone doesn't get swept away in the ocean, but it came up on its two-year term and you traded it in for a new phone without thinking about, you know, oh, my MFA authenticator is on there, which is something we see a lot of. I think you can see it in the data patterns in the cycles. But yeah, I mean, having a password manager in those cases, I think really addresses not only, you know, forgotten passwords, but password strength.
The other aspect of that, you talk about Scattered Spider, right? And I mean, these things are always, maybe not always, hopefully one day not going to happen, but that seems kind of unlikely. So if we accept that we're going to, you know, have to deal with these. I think you talked about building resilience and thinking about this as like a disaster recovery plan. I think when you engineer your help desk processes, you need to be able to accommodate for the
what ifs, right? It's hey, you know, I can't authenticate them by push. I can't authenticate them by, you know, X, Y or Z, you know, what are the fallback options? And we see a lot of companies now looking at identity verification as one technique for that, you know, doing, you know, driver's license or passport recognition with liveness checks, which I think is generally a good practice. TBD on whether AI allows us to break that.
But it seems like, you know, those two are evolving in tandem, sort of, you know, one step ahead of each other perhaps. At least until AI has driver's licenses, and then we've got problems, maybe driverless cars, I don't know. That's a whole different topic probably. I want to go back to what you said earlier about password vaults. And I'm thinking, and I'm sitting here and I'm like, OK, I've got a password vault.
Jim, you mentioned you've got a password vault. I'm sure Bart, you've got one. But I feel like we're still in the minority. Like for whatever reason, a lot of people don't use password vaults. Why do you think that is? Like is it like a user experience thing? Like how do we educate people, say, hey, you really should be using a password vault and here's why? And how do we help communicate that out there, I guess is what I'm saying.
Yeah. I mean, I think part of it is education. Part of it is, you know, people do what they're used to. And you know, you saw this a lot like 20 years ago in terms of how people would manage their personal PCs at home very differently than how they did things at work. But, you know, as things evolved, it was more common for like home users to have anti-
virus. And so I think, you know, one of the approaches really is enterprise password managers are not all that common across enterprises either. I think there's still kind of a slow adoption there. As practitioners, I think recommending that or looking at, you know, how that can plug a gap is one important piece. I think also just dispelling the myth that it makes things harder, right? Like I can't think of a world where I don't have a password
manager on every device. Like, you know, remembering that I used some unique thing for this website, maybe some pseudo-algorithm to figure out a solid password. Just, yeah, I don't think I could ever do that. So I think some of it is awareness, others is, you know, adoption. I think once we see adoption in enterprise and it becomes a more common day-to-day use case for
people, then it becomes easier. The other thing we're seeing as kind of a side effect of doing what we're talking about and taking your Entra ID, your Okta or your AD credential and actively managing it is that we're building a habit. We're building the habit that you'd never know your password and you're constantly going to your safe to get it. And then, you know, people naturally start to put other things in there because they get used to that workflow.
So I think a lot of it is familiarity. I mean, as with anything, change is a scary topic for people, talking about, you know, we're going to change the way people log in. I think, you know, when passwordless was opt-in, a lot of people opted out until they realized that it made their lives easier and they could just scan their fingerprint or look at their camera, right? Jeff, I think I have the answer for you. So if politics comes up at the Thanksgiving dinner table, bring up password management.
You will never see the divide get worse, right? Of course it's the identity people who care about good password hygiene and good practices. But everybody else? You really. I'm so sick of changing my password. If there's something that ruins lives, it's having to keep up with passwords. And you'll meet total strangers and they will unload on you when they find out what you do. Yeah, you're the reason why I have to change my password.
That's what I get from like my barber and other people say, what do you do? Yeah, sorry about that, but we're trying to make it better, I swear. We're trying to make it better. That's the best answer you can give. Bart, help me out with my book here, man. So I'm trying to put myself in the mindset of that operations team, right? And Joe from the help desk unfortunately just potentially gave out the password to the
Scattered Spider people, right? So we now know like, hey, we may have a compromised credential on our hands. Hopefully he didn't give like the domain administrator away or something like that, but he just coughed up a credential. Talk to us about those first few hours. What is happening? Yeah. I mean, I describe it as like the fog of war sets in and then you just all of a sudden lose sight of a lot of things.
But I think a lot of teams get bogged down in the first couple of hours simply because they have a lack of visibility. And to your point earlier, they've never done this. They don't have a process for this. They don't even know, you know, whether they should disable all accounts, a specific few, because hopefully they have some visibility tools, or whether they should reset them, or you know
what, where to start, I guess. And so I think a large part of that is, you know, making sure that you have tools which allow you to actually have good visibility into your environment. Understanding that, you know, user X was potentially compromised. Yes, they have logged in using that new password. Yeah, it does look like they're logging in from, you know, X country instead of, you know, Canada or the United States where they usually reside.
But then also being able to understand what that person has access to. You said, you know, hopefully not a domain administrator account, but I'll play devil's advocate. What if it was? Because I think in one of the scenarios that I was thinking of in my head, it wasn't immediate access to a domain administrator account, but it was access to an IAM practitioner account, which didn't directly have domain admin, but they weren't far off. And that's what they ended up getting.
But so when you get into that situation and you need to, you know, potentially disable or reset those hundreds or thousands of accounts in your directory, I mean, then what? Right. A lot of companies we see, you get to that point and then they're like, OK, well, you know, we can reset them. That's maybe the easy part. I said this earlier, right? You can write the PowerShell script. It's probably only a few lines if you do it efficiently.
But then what? What is the rest of the process look like? You know, if you're at a, you know, fifty person organization and you're in person, yeah, OK, fine. You know, hand it out on hopefully not sticky notes, but you know what I mean, right? It's easier to distribute it because you're going to have that personal relationship and you can vet that everybody is
who they say they are. But even if you're a small organization that's remote, how do you know that, you know, somebody from finance is actually who they say they are and Oh yeah, they need to reset their password because we reset everybody's password. So what we think of is actually kind of closing that again. You know, the last mile metaphor to breach recovery as well is something that you can do with
this kind of unique combination. We can look at, you know, resetting hundreds or thousands of accounts, not only on a scheduled basis, but on like an event-by-event basis. You have a breach. OK, great. Go reset all of the accounts you know and make sure that they no longer have potentially breached credentials, or that you're at least trying to lock out threat actors.
But I'm kind of coming to the conclusion hearing you talk that we might be going and pitching a solution for passwordless with passkeys across the enterprise, but we're still going to have that final mile for the 20%, let's call it 20%. It might be more or less depending on your situation, but it's going to be something where you can't do that. And what, where do we stand then? Like do we put forward a
solution then? Is a password manager really like the only viable option at that point? I mean, you can take different approaches. Like I said, there was one organization who was forcing their users to go to like their password reset tool and reset their password, you know, every couple of days when they needed access to those 20% of systems that actually required a password for a login. That sounds terrible, yeah. I agree, you could build your own.
I talked to another business who built their own. I mean, if it were me, I wouldn't really want to build my own because it's kind of sensitive and, you know, how do I know that it's actually been built properly, and so. You're not trying to jam this down anyone's throat, but basically the answer is like, this is the only sensible solution, right? I think it's the only solution on the market right now that tackles the entire problem.
You can bring in a password manager, and there's a lot of good password managers on the market and you can encourage credential hygiene. But I think until you can actually, you know, control user behavior or push user behavior in a certain direction, that's really where those solutions lack, right? You're never going to get 100% of adoption of a password manager solution unless you force the user to go into the password manager to get their
password. I mean, we did this two years ago now, and I have no idea what any of my passwords are, and I haven't for a long time. And, you know, it took us a while to get everybody on board, but immediately we saw adoption of the password management tool really uptick quite quickly. So, yeah, I think it's a good solution to a problem where the alternative is to wait years, maybe another decade, until everything universally supports passkeys or FIDO or some good
appropriate standard. And by the way, I mean, password managers solve another problem with passkeys, which is portability, right? And so I think whether we see them now in the enterprise or in five years in the enterprise, I think they're still coming. And it's a necessity. But it might be from a different angle of, you know, a passkey manager rather than a password manager.
I'm glad you brought that up because, you know, I think it was probably five years ago, I didn't see a future for password managers because it's like, oh, passwordless is here, we're not going to need that. But you're absolutely right. Like you need to be able to have a cross-platform, sort of vendor-neutral wallet of some sort, vault, whatever you want to call it, right? It's all kind of the same thing.
And that's where passkeys are really powerful, is if you can sync it from one device to another and still retain control from a management standpoint, right? Because obviously you don't want to sync work credentials with private credentials and, you know, that mess. But if you've got a way to solve for that, there is absolutely a place I see for, you know, vaults and wallets and managers and things like that to be able to do that passkey synchronization and that portability.
So I'm glad you brought that up. Yeah, yeah. I mean, I think it's like, you know, I hope passwords go away in the next decade, but I think the reality in the data shows that they probably won't. I think I looked at a report earlier today that said we're only at 20% adoption of passkeys, and that's probably mostly B2C applications, not within the enterprise.
It's probably much lower. So I think we're going to have passwords around for a while, but we can still encourage users to do the most secure thing, and I think that's ultimately what we want to do. So let's talk about deployment here if we can for a second, because you've got a lot of experience in this space. I think you've highlighted some of the usability challenges around this.
People probably think of it as like, yeah, I'd love to roll out a password vault, you know, for my users. What are some tips or some guidance to make life easier for us to help with that? Yeah. You know, I think part of it is, you know, not trying to do this perfectly. And probably I scared a lot of practitioners off saying, oh, my God, but it's got to be seamless. It's got to work for everybody
all the time. But I think, you know, setting a benchmark to improve your governance through that deployment is, you know, step one. So getting buy-in from a stakeholder. In terms of practical implementation, start small. Start with the teams that are probably already using a password manager, but it's probably their personal one, right? So, yeah, I'm talking about people like us, the identity practitioners, the folks that are in cybersecurity or the folks that are in IT more broadly.
Start with those folks who probably want this anyways, and then move into some of the departments where there's a solid use case, right? So we see, you know, a lot of use cases in marketing. They've got access to, you know, way more tools than the average knowledge worker does a lot of times. And many of those platforms go unintegrated because, you know, it's only 1% or less of the organization's employees who are accessing those tools. So marketing is a good second stop.
And, you know, creating a good education program, we saw one organization who actually started to gamify it. So gamification is always a good option. It'll definitely accelerate your early adopters and kind of that middle pack. And then you know, eventually you're going to get to those people who are slow to change. Those people take a little bit more work, a little bit more coaching. Sometimes they need the stick,
right? And one of the tools that this gives you, not saying you should always use it, is once you start to put managed credentials in the safe and actually start to actively rotate them, then you create a need, a necessity for people to start to use it. But the nice part I think about this is that you can go on this kind of journey of maturity and meet people where they're at for the most part until you get to
the very end. That last, you know, 5 to 10% can always be tricky, but I think it's just, it's really, as with any project in the identity space, you know, change management is a critical part of it. Training people on how to use it, helping them understand why it's going to make their job easier, so. So how do you measure success for something like this? Because I think I was like, is it like number of vaults
deployed actively being used? Is it number of credentials being managed by the password manager? Like what are some of the ways that you've seen people sort of measure like, yes, hey, we made an investment in Bravura and we're getting, you know, what we hoped out of it. Yeah. OK. So when we're coming at this from like a, you're an organization that is on this passwordless journey, we've got 80%, but we're missing this 20%. We'll always look at, OK, well, what are those 20%?
Right. And that's one of the key measurements we look at for success is to say, OK, you know, by the end of this six-month journey, there's not a whole lot of project work that goes into it. But at the end of this 6-to-12-month journey, you should have, you know, 100% of your applications either covered by a passwordless sign-on mechanism or they should be managed by a tool like ours where, you know, the users aren't having to set the passwords, reset the passwords, etcetera.
There's a bunch of other metrics you can look at as well. I mean, this goes back to traditional like self-service password metrics, which is like look at your help desk call volume. How many password resets are they processing on a daily basis? You know, survey on like lockouts, how many people actually forgot their password and locked themselves out?
So there's a lot of metrics that you can use, but I think really, you know, the core ones from a cybersecurity standpoint are really, you know, are you getting 100% coverage? The other nicety that you get with even just a password manager, regardless of managing credentials, is you can get insight into what else people are logging into. It's kind of the whole shadow IT problem. And then you can start to address those as well slowly.
Maybe it's, you know, that one team in finance is using some tax solution nobody's ever heard of, and you had no idea that, you know, you've got 500 people in that department using that system, so it can also help with that. And that can be another metric for success. That never happens. People using tools that aren't the IT standard. Come on, Bart, you're crazy. Yeah. Never, right?
This has been a pretty fascinating conversation and, you know, my mind has shifted on this quite a bit over the years. You know, I mentioned like I just didn't see a future for this type of space because, you know, WebAuthn and passwordless was going to solve all the problems. Here we are. And now something like this is absolutely vital to making sure that I have a good experience
just as an end user. So if this gives me capability as an IAM leader or security leader, say hey, now I can manage these credentials in a more secure but a win from a usability standpoint, I think it makes a lot of sense to look at. For sure, agreed. So let's end the conversation here on a lighter note. You talked a little bit about risk management and it was kind of getting to know you before we hit record. And I'll kick down the fourth wall a little bit.
Carolyn was on the call. We're kind of talking about you're being very modest about some of the risks that you've taken. And you mentioned that you like climbing mountain, you know, mountain climbing, skiing. You're up in the Calgary area, so you've got access to plenty
of that stuff. I'm curious if you have any harrowing stories or things that are like, you know, for someone like me who's an indoor cat, I'm not about going outdoors and climbing and doing all that kind of stuff. Scares the heck out of me. Like, what's something that's like, oh my gosh, can't believe you're here to tell that story, Bart. Yeah, I mean, I'm definitely an outdoor cat. I think like it comes naturally living in Calgary.
I like to say we have two seasons. We have summer that lasts about two months, and then we have winter. So if you can't get outside during the winter and actually enjoy everything that we have around us, I mean, we're just 45 minutes from Banff, from Lake Louise, the Rockies, etcetera, then I think you're going to be very bored living in Calgary. So yeah, I do all the fun things that involve a lot of risk management because I apparently don't get enough of that during
the day. One of those stories. So we were up in Rogers Pass. Beautiful place. There's a cabin up there. It's like 2100 meters above sea level. For those of the viewers that are going to be in the US, you'll have to convert that into feet. I don't do the conversion, but I think it's somewhere around 8000 feet. And on the way into this cabin we were skiing in an area that's lovingly referred to as the mousetrap. And that's because there's a bunch of these different slopes that all funnel into this kind of creek bed. And it's somewhat dangerous to be in there in the winter. But it's a risk management exercise. So you, you know, do all the right things and you space each other apart.
You have the training, you have the gear, etcetera. Going in one year, we actually had a situation where one of my skiing partners was actually behind me. I think I was in the lead, and we had, we call them like tree bombs. So basically just when a tree branch gets heavy enough with snow, usually because it's melting, and a piece of snow comes off of it. And I triggered this like little mini avalanche. It wasn't huge, but it was big enough to bury my partner up to his neck.
And I heard all sorts of screaming behind me and I look back and I did not see my ski partner. I was like, oh, that's a problem. And then I quickly spotted him kind of buried next to a tree, head above. But no injuries. Everybody was fine. We all continued on and enjoyed the weekend, but definitely a moment that had my heart palpitating or racing a little bit faster than normal, so. Mine's going a little bit now.
Just hearing you describe that. I can't think of anything worse than being on the side of a mountain in the cold and being buried under the snow. Even if it's, you know, I don't care if it's just up to my knees, like I'm good, you say to your neck. It's like, OK, so like, how quickly does that event occur? Like I can understand snow coming off the, you know, off the branch, but then how much time does it take for that to turn into your friend, you know,
buried neck deep in snow? Curious how quick that was. Yeah, it's so quick. I mean, if you look at like any footage of avalanches, the speed at which they move is astonishing. It's kind of like it's described like a mattress on like steel rollers. It just like slides without friction, basically. So yeah, probably all told from, you know, the time a little bit of snow dropped off the tree branch to the time that I looked back was
probably 10, 15 seconds at most. But, you know, then you have the training and the instincts kick in, and I don't think I've ever skied backwards so fast in my life to get back and unpack my shovel and start digging him out. And I mean, all was good. So happy to talk about the story and reflect on it. But yeah, yeah. We probably wouldn't bring it up on a podcast if things turned out differently. It wouldn't be a lighter note. Right. Yeah, exactly.
Jim, I know you're a little bit of an outdoorsy guy. You've done some cool stuff. Any harrowing stories? I had my day. Yeah. So when we started talking about this, I thought of a time where I was backpacking in Yosemite. So there's this area called Tuolumne Creek. It's like 15 miles from the Yosemite Valley, which is what everybody thinks of, but it was like a 15-mile hike. But there's so much up and down and you started
at like a 10,000-foot elevation. I think the high point might be 12,000. It's really high. There's not the same level of oxygen up there, let's put it that way. And anyway, so you hike about halfway and then you backpack or you set up camp somewhere. So we set up camp in the woods. And everything was bone dry. I mean, it's what I would call, like, I think the term tinderbox would fit this appropriately, right? Like there was no outdoor, like
no setting up a campfire. You have to be real careful with how you cooked everything like that. And so anyway, sun goes down, we're in our tent, and it's just like static electricity everywhere. Like you move your arm and like, you see these giant sparks arcing across the tent. And I'm like, I've never seen anything like this. And it was not raining, but there's a lightning storm all around us. I don't know. Usually now I see why people get
struck by lightning. I'm not worried about bears attacking anymore. I'm worried about getting struck by lightning or this whole place going up in flames and us being in like, not a good place. So fortunately, none of that happened. That's why I can talk about it later. But yeah, it was really scary. But you guys have sufficiently not convinced me to go outside for either of these types of activities. Jimmy, you talked about like cooking and not being able to like
have a fire. I mean, the answer to that is simple. Just DoorDash something out into the... Oh, yeah, sure, that would have worked perfectly. All right, let's go ahead and wrap up this conversation. Bart, it's been great getting to know you here and what Bravura brings to the table. Any final words you want to put out there for the audience that's listening? Yeah. I mean, I think as practitioners we often look for like the
perfect silver bullet solution. I think a lot of the real-world operational implementation is a lot less than a silver bullet, maybe a few. And so I'd really kind of encourage folks who are maybe on the passwordless journey to think, you know, OK, well, what problem are we actually trying to solve? And, you know, there's multiple ways to slice and dice it and to still get the same net effect where you're increasing your, you know, cybersecurity posture.
So I think that's what I'd leave them with. Don't be perfect. Yeah, meaning it's OK to get smarter, it's OK to get better. Doesn't have to be all in one jump. I'll have links in our show notes for people to connect with you on LinkedIn. You can find out more about Bravura there. You can also find out more about Bravura at bravurasecurity.com/idac. Again, bravurasecurity.com/idac. Reach out to Bart on LinkedIn, make the connection, you know, maybe share mousetrap stories from Rogers Pass, I think I got that right, you know, or, you know, commiserate with Jim and his static electricity stories, or me, as you know, an indoor person who is probably by the fire with strong Wi-Fi and, or air conditioning. So we'll go ahead and leave it there for this week. I want to thank everyone for
watching, listening. Thanks to Bravura for sponsoring this episode. Find us on the web, idacpodcast.com, and we'll leave it there. So thanks everyone for watching and listening, and we'll talk to you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com.
