¶ Welcome and podcast life behind the scenes
🎵 Music
Welcome to the Identity at the Center Podcast. I'm Jeff and that's Jim. Hey Jim.
Hey Jeff, how are you?
Oh not so bad yourself?
Uh doing great, man. Today's been kind of the day of focusing on conferences and the show and I've been doing the scheduling. I think that's the behind the scenes part that people don't understand. I think you get it, right? You know how much work goes into the scheduling aspect of things and it's inevitable you're gonna have reschedules and things like that.
Um, I don't know how it equates to the the kind of the work that you do with the editing and all the social media, but I will tell you it it's
Yeah, I mean it it is what it is. Uh it is the hobby, the job, the five to nine as you like to put it, but it's more like Uh five to five AM Uh the opposite of what our day jobs are normally are, but I look, I like doing it. I think this is a fun and hopefully helpful resource for people. Conferences are a lot of work, but those are also fun and helpful resources.
you know, today we're gonna talk about identity management day in a in a minute here, but like stuff like that is is cool and it brings the community together. So I enjoy it. And you know, let us say today's April first, so I'm on the lookout for any uh hijinks that might be going on. Uh we have a April first episode that was released earlier today.
Uh, by the time people hear this one, which I think will be April thirteenth, if I m if I recall, uh we'll be a couple weeks past that. So I'm hopefully people will have appreciated it and un in you know, not fallen for any hijinks, but I'm I have not seen too many, but I've also n not been like on the news yet, especially like the tech sphere, to see like what things people have put out today for April first. Yeah.
Yeah, but you know, as we're kind of working on getting ready for these uh conferences, um I what's occurring to me is like how many great organizations support the podcast.
¶ Identiverse 2026 updates and conference discount codes
Between ID Pro being the official podcast of ID Pro, KuppingerCole with having us and you know, kind of hosting us and really taking good care of us in terms of getting ready for EIC uh as well as the Cybersecurity Alliance, getting ready for Identiverse and what we're gonna be doing at Identiverse and I think those details are going to unfold, but um we're gonna, you know, make sure that we have a good presence and I'm of course we'll do a game show.
Uh and then our guest today, the IDSA, has been a partner with us for It's had to be more than five years, right? We've had our guests on five times t as of today. And then we had Julie. I think at one point Julie was the all time, you know most frequent guests, and I think that exceeded five. I mean, obviously the podcast hasn't been around for ten years, but we definitely have gotten a lot of support from the IDSA as well.
Yeah, it's a it's a it's a great organization. Very fortunate to be able to have, you know, these types of things available to us as an industry. So Um, yep, we got identity management day. It is tomorrow for people who are listening to this for the first time on April thirteenth. Identity management day is the fourteenth of April.
Uh we're gonna talk with Jeff Reich in a second. Uh I wanna go back to the clouds, uh to to the EIC uh conference because we have discount codes for that. You'll find them on our website, our website. I can't talk. What's going on here? Uh we've got the Identiverse conference, which is a Cyber Risk Alliance. Shout out to Shirley. She's awesome to work with over on that side. Uh we actually have an improved discount. So it is now up to 30% off.
Um, early bird I think might still be available by the time people listen to this, you know, your early bird chances may or may not have different levels. But uh we do have a thirty percent discount now on Identiverse. So definitely hope to see people there.
Like Jim mentioned, we'll be doing, you know, some sort of game show type thing uh as we seem to be uh prone to do, as well as recording episodes live from the expo hall floor and you know taking in the the sights and sounds of Vegas, which I know everyone just loves. Putting myself. Yeah. I do love it. I'm not saying that tongue in cheek. I love it, but I know that that's maybe polarizing.
It's not it it's polarizing. Um but I did want to give a shout out. You gave a shout out to Shirley, who I totally agreed, uh completely awesome, totally supports us. Uh but also Marina Kordash uh over at
Or that's yeah.
Was that I'm probably saying it wrong, yeah.
Marina's awesome. Yeah.
My German is a little, you know, a little little. Uh so yeah, awesome person supporting us as well.
All right. Why don't we get into today's kind of focus, which is identity management day. Jim, you and I are going to be doing some stuff around that, but we'll save that for a little bit later. Uh let me introduce Jeff Reich. He is the executive director of the Identity Defined Security Alliance, IDSAalliance.org.
¶ Introducing Jeff Reich, Executive Director of IDSA
It's his fifth time on the show with us. So Jim, you owe him a jacket as well. We have to start printing jackets pretty soon because we have a lot of folks.
Booney Jackets.
Welcome to the show, Jeff.
Thank you very much. Thank you. And I'm waiting for that jacket. It's uh those thank you. I'm looking forward to it. It's great to be back. You know, you mentioned here's all the organizations that support you and and you're obviously grateful for all that. There's a reason that every organization in this industry supports you. It's because uh one, you're great guys to to just be with. You're just it you're just
Fun to hang around with. Let's start with that. But you really provide a a good service, a great service with the podcast that focuses on everything that's going around identity. It's everything around you because you're at the center, right? Um great name too. That was a smart choice. And you do it in a real supportive way, so everyone wants to find a way to pay you back. So don't underestimate why that happens. It happens for a reason.
Well, that is flattery will get you everywhere in this show, as I've said before. Thank you so much for that. That was very kind. Look, we do the show that we want to do and that we think we enjoy doing and we hope others do and
Yeah, we try not to take ourselves seriously too much. You know, obviously identity's a serious conversation, but yeah, we like to have fun and try to be approachable because I think there's plenty of places to go to like technical information and like, you know, read a spec, for example. But a lot of identity happens outside of specs. And so we try to be as well rounded as possible, even even sometimes straying into like information security at large because
some of that stuff also affects how we do identity. And so yeah, I appreciate that. It's we like I said, this is a great community. It it's fun to engage with. I would encourage anybody who sees any of us at conferences or On the street or at the airport, you know, come up, say hello. Um, we're always happy to meet folks uh, you know, that are that are out there and and learn from them.
¶ Identity Management Day: structure of a 21-hour global event
Um you know, I I'm I wanna riff off one thing you just said before we get into any further. I guess I'm gonna take us there. Um the y you mentioned, you know, people and how it's always people that are making it. Um we just recently did um one of our webinars, which was an identity management day preview. And, you know, uh Identity Management Day is broken up into three regions, Oceania, Asia, um, Europe, Middle East and Africa, and the Americas.
And and we follow the sun basically, th which is why it's a twenty one hour event. It's twenty one hours of identity goodness is a term that we use. And I had representatives from each of the three co chairs, uh Identity XP in Melbourne, Australia, Omada in Copenhagen, Denmark, and Saviynt here on the west coast in in the US.
the three co chairs for the three regions. And we talked about what makes a good conference and what to look for in each one and and I'd I'd like to we'll have an opportunity to talk about what some of the highlights coming out of each region I think this year.
And then I asked at the end, I got them all together and I said, So what's the one thing we really need to focus on maybe for the next five years that's a most important component of of identity and making it work going forward? And all three had a slightly different version of saying people. Even though AI and non-human identities and agentic identity is there, you know, I was at uh the RSA conference uh last week or a couple weeks ago when you're seeing this.
And I challenged people to find a booth that didn't have AI on the banner or agentic on the on the banner and no one could find one. So i we're there. It this is where we are now. That's good. We have to we recognize that. Even with all that, everyone that knows how to make it work is the most important part of what we need to do going forward is people. So and you helped make that really. I'm I'm not gonna try to you know butter you up anymore, but that really is the key.
Yeah, butter away, my friend. I'm slather it on. Uh look, you know, we get lost sometimes in technology. So but we forget the actual word is identity.
Identity is
It has been human for a very long time and it's now extending into other areas. But yeah, it's yeah, it's people, it's process, it's technology, it's a whole bunch of different things and you know, I we we definitely should probably like just jump right into, you know, what is identity management day? You've got some themes that are kind of set up. Before we do that though, because people might not be familiar with IDS Alliance.
Maybe just to give us like a quick thirty second on kind of what it is and and why you put on this thing.
Um happy to. So IDSA, Identity Defined Security Alliance, has been around for uh seven years or so to answer your Julie question earlier. And um our our mission is to we're a nonprofit and we focus on raising the level of security and identity security awareness around identity. That's it. That may seem like a simple mission, but it has tentacles that reach everywhere. As you already said, it's security, it's people, it's process, it's software, everything
that happens now, whether it's from a machine or not, has an identity associated with it. So we either have research papers, working groups, um educational webinars on how we're going to deal with this. And m about ninety percent of what we do is available free to the public.
You guys do a lot, but I'd say the identity management day is kind of your hallmark event. Give us an overview. You talked about the different regions, but give us the four one one of what's going to be happening during identity management day.
Uh it's a good question and thank you. That is that and our annual research paper which we publish in September, those are our two big events. Um and with Identity Management Day, you know, it started off as an eight hour event focused mainly on the Americas. And we have expanded that into the three regions.
¶ Oceania and Asia region highlights
because there were people interested and they said, Hey, can we have an identity management day two? And the answer really should have been, No, we don't need multiple ones. We need one huge one. So that's what we're left with. So identity XP in Melbourne, Australia approaches first and said, We want to do this with you.
So um what you're gonna be seeing there and they by the way ha have a hybrid event. They're the only hybrid component of what we're doing. They have an in-person event in Melbourne where they have speakers and some sponsors. And we stream all of that as part of the online twenty-one hour online event. Um so some of the speakers you're gonna get there are from uh and Australia ends up being a d a different animal for a whole bunch of reasons. You know, they're a large area.
They're not necessarily densely populated. And as a result, when there's an identity issue there, it affects almost everyone. You know, the it scale has a different meaning there. Scale hits everyone pretty quickly. So they take a slightly different approach. It's a good, healthy approach.
to what they do. But they work a lot a lot of the vendors work more closely with each other there, I think, than I've seen in other regions. Although it does happen everywhere else too, because of that. And there is a certain amount of geographical isolation that's there too. I mean, certainly the internet makes everyone available, but there's a component to you're in Australia or you're in the rest of the world.
So, um I I like the approach they take and what you're gonna see coming out of that I think really focuses on what some of the regulations are gonna be there and you're also gonna talk a bit about the rest of Asia as well. what the impact of issues are and what the most recent breaches are. They um
specifically still talk about what's the latest breach we've had. If you compare that to the Americas, for instance, it that's not as big a deal for us anymore. And it's sad because it's it's just accepted. Yeah, which one happened today? Um but they're they're a little more rare, but they have a larger impact. So I think you're gonna see that focus there, along with a lot of nice young people working their way up into the industry. And I'm gonna talk even more about that in just a minute.
So that's what we have going on in Oceania Asia. As we move to EMEA with Omada um hosting that um out of Copenhagen, I really love the fact uh by the way, on that webinar they talked about, we had someone from each of the three regions. We had four unique dialects on that webinar. And that made me giddy. I'm I haven't quite figured out why, but it made me giddy like we have
¶ EMEA highlights and powerhouse panelists from Copenhagen
Okay.
People from all over the world here and they're all interested in the same thing. It's fantastic. So what you're gonna get to see out of EMEA is uh um some great headliners. Um you mentioned um um KuppingerCole. Martin Kuppinger's gonna be there. Um Simon Moffatt's gonna be there speaking. Um Paul Walker's gonna be there um from Omada. Um Mr. NHI Lalit Choda is gonna be there. And Paul's gonna be not only do they have sessions, Paul's gonna be leading a panel.
with those other three, that is gonna be a powerhouse panel when you think about th those four individuals.
So so Jeff, let me just interrupt. When you say they're going to be there, you mean they're going to be on site in Denmark or virtually they're going to be there?
They're going to be online. The only onsite component we have is in Australia. So everything else is online. They're going to be just like we are here now. And I count this as here. So um or there, depending on on your perspective.
I was gonna say if you need somebody to go to Denmark, um, Jeff and I would volunteer for that. Just keep that in mind for an Oh, it's such an awesome city. Such an awesome city.
It's 'cause you get so much of the old, um, you know, old and it's still intact, um old world beauty, charm, architecture, everything else. And then you go two blocks away and you have a brand new shopping strip center with um really nice shops, but they all blend. There there is you know, it's not the one versus the other. It's and and Tivoli Gardens and everything. It's a beautiful place. I I love Copenhagen in case you couldn't gather that. Sounds like you do as well.
But uh again, open invite if you wanna have Jeff and I travel to Copenhagen next year or to Australia. We love the people and we'd love to come and spend time with them in person.
Well hold on a second. I haven't been to either, and so I don't know if I love the people yet or not. Let's say I like the people.
Let's just say that you're willing to try.
You're you're open to it.
Yeah, I'd love to go. Either I've never been to either place, and I'll go to at least I'll go to anywhere at least once. But yeah, for sure.
I m I just made a note. I'll keep that in mind. Um, so I I talked about the powerhouse we're gonna have in EMEA. You know, uh you plus we have uh other good speakers too. I'm not trying to diminish anyone else, but those are three or four names that if you're in the identity industry and you've been in it for uh you know, a couple of years or more, you know those names. You've encountered them before, one way or another, either in what they write or
¶ Americas region and the 11th grader presenting on cybersecurity
presentation or online things. And then we moved to the Americas and we have some great speakers here as well. W without question. Um some of we have um Uh Henrique Teixeira i is going to be there. A another one of those big names that if you've been doing this, you know you know who they are. We have other great speakers. There's one I'm gonna point out in particular though.
We have an eleventh grader that's gonna speak. This is the first time we dipped out into another age group, really. Although I guess you could say with me starting, anyone else is a is a different age group that's in this industry. But um we were approached um by an eleventh grader who wrote a paper on cybersecurity and neuroscience and how one really feeds the other.
And we read it and you know, so I've I've I was director of um of r operations for a research center at University of Texas San Antonio for a while and and got engaged with, you know, students and postdocs and, you know, b um Dealing with this, I judge science fairs. It's one of my favorite hobbies. And I saw this paper and said, Wow, this is It makes me feel good. I hadn't even met her yet, because wow, assuming we leave enough of the earth to to survive, it's gonna be in good hands.
Because there there are people like this that are in in eleventh grade and and she didn't just start now that are not only brilliant but can apply it and say, here's what the real world means, as opposed to either I did research or I used, you know, ChatGPT to write a paper, you know, or whatever else is going on right now, I know that we're there are people that are capable of
of uh continuing the earth in a really good way. So I'm uh to me, as much as all the other speakers are gonna be fantastic, that's the highlight I'm looking for.
Let me follow up on that because... Another organization that I forgot to mention that we partner with Heavily partner with is DIAF. And they sponsor young folks who are in their education process or right out of school, get into the identity industry through the conference exposure. And I mean, Jeff and I have met
Several of the people that they've chosen and they've played a role in these conferences and super bright people, I guess. I've kinda come away with the same um optimistic perspective that you just mentioned, Jeff.
Um yeah, it it makes me happy. It makes me feel good because whatever I've done and uh uh uh time will will be the judge of whether it's even noticed. Um I'd like to think I've done something positive. All of us want to feel that way. But what makes me feel even better is whatever state we live in, it's going to get better. So it it it's a wonderful feeling.
Yeah, and I think you you're doing a big thing with this identity management day and like I've seen the progression of it. You talked about those people who are participating, you know, maybe this becomes an official holiday one day because that's kind of the way I look at it. It's like identity management day, like I'm in identity management. I'm practitioner. This is a day to celebrate me and my ilk.
Uh, so that's for sure. Hey, one thing that we talked about, you know, in preparing for the show is that you have the theme for this year. And can you talk us to us a little bit about that theme?
Happy to talk about the theme. First of all, on the holiday, I like the idea, but because I run identity management day, I'm not gonna get the day off.
Ha ha ha.
So well's I come up with a way to do that, but in any case,
Santa Claus of Identity Management Day. Santa works on Christmas Eve and into Christmas morning. Yeah.
And if I get the rest of the year off, then I'll take it. Okay. That sounds good. The theme for Identity Management Day this year is Finding Identity, the Search for You, Me, and the Machines.
¶ Theme reveal: Finding Identity, The Search for You, Me, and the Machines
And allow me to expound on that a bit. If you think about it, especially with everything we've already talked about so far today. you can see how it makes sense because identity has been human based since the the dawn of m of humans. Right. And that's good. Carbon based identity, pretty easy to understand whether you have to go down to DNA or not. You still know what it means.
But now there's you and me, which means now we have interaction between identities, which brings up themes like authentication and authorization. How do I know that you are Jeff and Jim, other than the fact that I know the two of you and I'm still convinced AI is not yet good enough to to replicate both of you at once. There aren't enough computers to do that effectively. So um
authentication, validation of who someone is, that's a big challenge now. Um it's bigger than before because of scale in the internet. You know Me dealing with someone in Copenhagen, authentication wasn't an issue a long time ago because I could use a third party source, a lot of time elapsed between the beginning and the end of the transaction. Now they're instantaneous.
So um it it is a big deal. And then the machines come in because of what's going now with agentic identity and non human identities and machine identities, and I actually treat all three slightly differently, even though they're all closely related. It's an identity that may or may not be associated with a person. It may be directly associated with the person.
And it may pretend to be associated with a person but really isn't. I I'll use deepfake as an example there that we we've already referred to once. I happened to um I was at a the Deepfake summit uh um about a month ago in Houston. And a lot of experts getting together and talking about deepfakes and how do we deal with this problem? Is it a problem? Have we solved it? What's gonna happen next? And even with all the best minds around this
When the question was asked, what are we going to do from here? Most people still stared into the group and like, I really don't know yet. So um so tie all that together, we need to find identities, not only our own, but what every identity we deal with. and find a way to get a level of trust and authentication with it so we can do things that we have confidence in.
And I I don't uh if you I don't know if you heard this, I'm gonna paraphrase it. Recently um Fed Chair uh Powell in the US uh at his con at a press conference, which would now would be a few weeks ago. um made a statement about confidence, consumer confidence. And the definition he used, and I like I'm paraphrasing, so don't I'm not quoting him, but confidence is a feeling you get right before reality hits. Um and uh I think that works.
Yeah.
Um we lack confidence in the identity industry. And that's our theme for this year. Not that we lack confidence, but we need to get around it.
Well, let's talk about AI a little bit because I you know, it's kind of permeates everything and I you know, I get it. Like we've been talking about AI for a long time, especially on this show. We joke about it being AI at the center sometimes. But it really has permeated like every single discussion, even in my day job, like you know, as a consultant in identity.
¶ AI and identity: guardrails, frameworks, and what organizations are missing
Every single client that I'm talking to is asking me about AI and permissions and access and how are we going to secure these things. You know, just from a valid use perspective, let alone when we start thinking about things like deepfakes and, you know, nefarious ways to get identity into a a a situation that we don't want it to be in. I'm curious, like are you where do you fall right now from a um uh optimist, pessimist, somewhere in the middle? Like, how do you currently feel
about the way AI is impacting identity.
So where I fall is right on the ground. Um but uh 'cause gravity works. Um but So and I'm I'm gonna answer with what we're doing at IDSA around that, because um I'll although I don't direct I don't create all the work that comes out of our working groups as an example. But I do offer some guidance and sometimes they take and sometimes they don't. Um and it's still it's IDSA output.
And we have two working groups, one that's uh um AI and identity, pretty straightforward one would think, and we have another one that's machine and agentic identities, which um on its own seems pretty straightforward as well. We have two groups working on a framework, what they want to publish and what it's going to mean.
And we discovered they aren't uh first of all, they're not silos, but they're not even close to being silos. There is a lot of overlap. We're not merging the groups. There is enough work to do uniquely, um, create deliverables out of each. But AI ends up being across the board. So for an example, our should we focus on AI for IAM? Or should we focus on IAM for AI? There's one simple question that I can drop with those groups. That's six months work.
I don't think we can ignore either though.
No, no, and I'm not suggesting we do. It's six months' work to really get into yeah, you can find, oh, here's a tool that can do IAM for AI today, and then there's gonna be a new AI function that comes out next month, and it won't work for that.
That's why it's going to be a six month effort. And we need to be at the higher framework level rather than at the tool level. And it's something that as much as most of our members are identity vendors and I love 'em, um most of them focus on bec because they have a business to run, getting a a product out that can do that.
I look at most of what's out there today as bridge solutions for that reason. We're we're nowhere done. We're just really entered. As much as we think we're fully into AI and it's happening every day, we're still just dipping maybe our first two toes in it. We are not into it yet. So I I think what we haven't done a good job of is really take a step back and say, what is the overall architecture and structure and framework without having to get technical about it?
How do we want to make it work for ourselves? And that ends up resulting in many cases in guardrails. And I would offer, and you may find this, Jeff, in in your consulting, that when I talk to any organization about what do your guardrails look like for your AI? Those are the people that say, How do I manage this? Well, there's the beginning of your answer without guardrails and doesn't have to be technical guardrails, but just saying, here's what I want AI to be able to do.
And you by definition, I don't ever want it to do anything else, or I want to do these three things and explore in this area, which can be very advantageous. When you set that up as your ground rules, then you have to find those tools. and implementations that can help you accomplish that. When you can't do that
What you're doing is saying, well, I'm just gonna use AI because I'm gonna save money, because it's faster, cause it's cool. All those reasons are there, but it will grow teeth, get right behind you, and bite you.
Well, I think we we know what happens when an AI runs amok, just see our April first episode and open G uh having some issues with that. You know Yeah, it's it's it's a tough question to answer right now because I don't think people really know what the answer is. I think we're trying to apply principles that we've learned across the decades of identity management and security in general to say, hey, here's how we think it should work, but we just don't know yet. This is still
links so quickly. I'm curious if you've heard anything. Like, are there themes that you're picking up from the conversations you're having with either vendors or other members of IDS Alliance or even working groups and things like that to say, hey, We we know we we don't have the full answer yet, but you mentioned guardrails as right, as an example. Like other other things like that that are starting to sort of surface maybe that might be options in how we secure identities like that.
¶ Standing privilege is crumbling in the age of ephemeral workloads
Um yeah, there's a few things I've seen come out. Um and and the one that um stands out to me, even though it you may not think of it, is standing privileges. Standing privilege is is a is a principle that uh this industry's been using for a very long time, saying here's either an individual or a process that always needs to get X number of things done and they always need to be able to get that done.
Well, standing privilege to me is beginning to crumble because the processes that are gonna be used that need that authority can be ephemeral. You could have a Kubernetes container that's gonna perform something that needs full admin authority and it only lasts one and a half seconds.
And then it's gone. It it as in it just no longer exists. That all the resources have been allocated to something else and it's now maybe in history or maybe not. Did you log it? Do you have any act do you have any control over what it was going to do and do you have any observability of what it did?
So I'd say that's the first principle that I'm seeing coming out of this is what do you do with standing privilege? That leads to my to the second observation, and this one's a personal one, not what I'm getting from members. I believe PAM or Privileged Access Management as we have been using it is obsolete. It may not feel that way everywhere yet, but the reason I feel that way is everyone and everything is now privileged, even if it's for a very narrow focus.
¶ Is traditional PAM becoming obsolete?
Typically a privileged account was, you know, you had sysadmin, you could do anything to er for every first of all, you can't even get your arms around everything right now and that environment is fluid. You know, uh the the containers is an example. It changes all the time. So privileged access now has to mean who can do the things that can really cause damage. That's how I define privilege.
That becomes virtually everyone. So I'm not saying don't manage privilege um access. I'm saying treat everyone as if they have privilege and manage the access out. So that's a personal observation of mine. Jeff, it looks like you have something to say about that.
Yeah, so interesting. I I think the standing privilege one is definitely one that, you know, we've talked about for a while and the the holy grail destination would be something along the lines of a zero standing privileges environment. Makes sense, right? Don't give access unless it's needed at the time you need it and then take it away. But the realist in me is like, look, I've worked for large organizations. I work for a large organization.
to do that is just not going to happen because companies are not built, they're not automated enough from an identity infrastructure standpoint and from a business engagement and logic standpoint to say, okay, well, what do you mean I won't have the access? Well, trust me, you're going to have it because we're going to grant it automatically because we've invested in all these tools to make that automation happen.
A lot of companies haven't. They are still, you know, they may not have invested in an IG uh identity governance tool, right? Where they're still doing like manual joiner, mover, leaver functions. Or maybe they did, but they only took it to like Active Directory and that's it. They haven't connected like the 500 other applications that they need. And so while I I like the idea of it, I just don't know if it's a realistic destination for most organizations.
I'm a fan. You should be trying to get there. I just don't know if you can if it if it's realistic as a goal for most people when it comes to that.
Well that th I I think I was gonna pick up a little bit where Jeff finished off there because I was thinking the same thing which is Um, and I think you were trying to come out strong about privileged access management because if you truly have zero standing privileges, right, then traditional approaches to PAM probably don't add a whole lot on top of that.
I just saw this video the other day. Um I don't know if you guys remember the the cheating scandal on a website called Ultimate Bet. So this is like in the early two thousands. they had for the system administrators something called God Mode. And the God Mode was like you could sit at a table and see the cards that everybody had. Well one of the founders of this website is betting
had access to the God mode application. Now you start thinking like, okay, well I can think of fifteen different ways that we could have put the stop to that, right? We could have been logging how often the account was used. We could have done check in check out a password for it, uh which is like traditional privileged access management type things. Um So I was just thinking like, all right, well, if you can't get to zero standing uh
I I kinda have the overall philosophy. Don't let perfection get in the way of getting better. And I kind of feel like at least I I agree with you, the journey oughta be towards zero standing privileges. But I think kind of traditional PAM gets you better than you are today and s just staying a step ahead of everyone else is usually like, you know, if you look at any of these safari videos in Africa, right? It's the lions always go after the slowest buffalo. Don't be the slowest buffalo.
So that's all I was thinking as you were talking about this thing.
So y you both make valid points and I don't want you to think that I was suggesting that by June first We need to have no standing privilege. I I'm not suggesting that at all. But I do think it needs to be the vision and the goal in the same way. And I'm gonna use a similar example. And we're not there yet. I've been doing this for close to fifty years, all right?
¶ Zero standing privilege and the passkey journey
And about my second year in, I remember saying, We need to kill passwords. I think passwords are finally dead. I've been hearing that for over forty years. A and it has been a goal. It's been aspirational. We are actually starting to get there. It may still be an asymptotic approach. I we may be we maybe just be cutting the distance between us and no password by half, but there's always still another half we can we could cut.
But the only way we're getting there now is through the persistence of the vision that passwords alone don't give you good security. And and we've all known that, but we never had a better solution. Now, between passkeys and tokens and, um, you know, hardware keys and server-to-server authentication and other tools that we have, we can start saying you don't necessarily need to know a password.
And that's a good thing. You know, the next thing we need to get rid of maybe are SMS authentications. But that's that's another maybe another another podcast, another show. Um so by staying aspirational on killing the password, I think we can be aspirational on killing standing privilege, and I think we'll reach it faster than the journey it took us to get rid of passwords. And we're not done with it yet.
But I think we are and actually I don't think they're ever gonna completely go away, but I think they'll become negligible.
Well, in an effort to become even more opinionated than I already am. I feel like this is another situation where We have a lot of great concepts in identity. So zero standing privilege, um, privileged access management, identity governance, continuous identity, z you know, zero trust. And now we've got, you know, AI and stuff like that. If I'm a if I'm a real organization, I'm barely keeping up with any of these things. And so passkeys are a great example of that. Nobody likes passwords.
They just nobody likes them, right? Because they're they're not a great solution. It's just what we have. And so, okay, great. We've got this thing called passkey. Let's get it start getting it rolled out. You know, FIDO Alliance has done a great job of like pulling, you know, major industry players together to get a standard in place and get adoption capability in place. That took years to get it done.
And it's still, you know, further out for a lot of other folks that just are now starting to think about it because they've been working on, you know, let's call it uh, you know, user life cycle things for the last decade because that's what they were told.
a decade ago they need to start working on. And so it it will never move as quickly as any of us want it to. And that's why I have to I I I tend to be more conservative when it comes to timelines. It's like, okay, is this the year the password dies?
Yeah, but we've been saying that, like, you know, like you said, Jeff, for like the last ten years, it seems like, right? And every year's like, Okay, this is a year that's gonna finally die. No, it's not. Password's gonna be around for a while because we're gonna there's gonna be people who can't use passkeys, there's gonna be other authentication methods, whatever. But we are making progress. And sometimes that progress gets lost
when we look at it from like the day-to-day view. So if you look at it every year, every two years, every three years, like, are we better at MFA than we were five years ago? Heck yeah, because we had to be because of COVID. COVID pushed a lot of companies into the MFA world because they had to be secure because all their workers were all of a sudden doing remotely, you know, remote work.
There wasn't that, you know, punch in the face that was like, Hey, you've got to get out there and do this right now. Except for that. And so there will be other triggering events like that that I feel like will drive adoption. And, you know, maybe it's AI. We're seeing a lot of effort put into this to say, okay, how are we going to secure these things? Because we've also been designing uh identity systems and identity, you know, programs around human scale.
And that means speed of humans. AI doesn't work at human speed, right? So what it used to be is like days, weeks, months, years, now it needs to be nanoseconds, milliseconds, seconds is like the greatest, you know, scale you're doing things. So I think there's I think there is this
idea of like well there's so many shiny things. What do I grab onto? Like is it I've been hearing zero standing privileges now for a while. I'll do that. And then now someone tells me I have to do this other thing. So I you know, it's almost like I'm a kid in a candy store and I can't pick which one yeah I want to go after.
Well well Jeff, you know, on that, if you're in a candy store, you're a kid in a candy store and you're told you can pick a candy. That doesn't solve anything except you get some candy right now and isn't that wonderful?
I'm getting my Snickers bar, man. That's what I'm picking and that's I I'll be happy with that. You're Snickers is the best candy in the world and I will come at me in in the DMs on LinkedIn. I'm I'm they are open and re
You're the nougat peanut chocolate guy. Right? Okay. I mean that's fine. I I'm I'm not judging. Uh Well, maybe I was a little. But um I don't want anyone to think that I'm a purist on this. I am not. I I know what it takes to be able to I like to think, I've seen at least what it takes to be able to make a seismic shift like this, and that's exactly what it is. But the only we're the way we're gonna get there is to just push, you know, a a a millimeter a week.
And maybe that's all it's gonna take, but we will never make the progress unless we do that push. So everything we do I think needs to at least be leaning that way. Now to your question about a small organization that starting off they're gonna be a software shop, how do I c India's not gonna be able to get all all of this. They can't be that leading edge on everything because they're not an identity shop. It's not what they do.
So rather than buying eight different pieces of software, they're gonna conflict with each other and not give them the result they really need. What they need to do and this goes back to the fundamentals of, you know, I was a programmer. Before you were a developer, you were called a programmer. Um, I was a programmer a long time ago.
¶ Getting the fundamentals right before chasing the shiny tools
And what we had to do at the very beginning was completely do, before you even do pseudocode, something else that's a foreign word now, you had to come up with a flow of what needed to happen. And it had to include what needs to be included in that and what things need to be excluded. And that may be the world needs to be excluded except for what I'm working on.
We don't do that very well anymore. And um faster computers and AI have gotten us there. And I don't want us to go back. I'm not that, oh, back in the day we did it better. No, no, no. We didn't. Because I used to have when I when I wrote code, I had one it was on cards, okay? And I had one test run a week. And if I had a J C L error that just caused it to fail at the beginning, I had to wait another week before I could test the program again.
Can you imagine a developer having to deal with that today? No, that would be stupid. You can you can run it and then run again and you find a new error and you keep finding new errors. That's great. But we are still skipping the fundamental. How do we structure it? What does it need to do? What's the regression testing? And boy, we really got off. The track from identity here, didn't we? Mm-hmm.
Yeah, but I wanted to weigh in before we completely move on. So, um, Jeff, we're talking about something that is totally legitimate, the zero standing privileges, because Jeff and I are pragmatic by nature. We work with clients. We never identify clients, obviously, during our podcast, but we do a podcast and we work with some cutting edge clients that are doing
continuous authentication, that are doing shared signals framework, that are doing zero standing privileges, right? They're the ones who have budget. We also work with clients where you talk to them and you find out Oh my god, they have the passwords in an Excel spreadsheet. But the Excel spreadsheet is is password protected. It's like oh my good lord.
Lord.
What are we going to do? You have to be able to as a practitioner, you have to be able to adjust to this scenario, but You can't say, well, the world is we're dealing with the spreadsheet, or the world is that we're dealing with just the cutting edge.
It depends on the the where the client is, you know, the the I keep bringing it up and I I wish I knew who to attribute it to, but he talked about the the information security poverty line and there are organizations that are below the poverty line. And I see organizations like that and I've worked with some in the past and essentially like if Microsoft offers it as part of Entra, as part of their Entra license, it's like now we have something we can implement, we'll do that.
Uh and I see other organizations who are, you know, like, Hey, we'll take a chance on some of this stuff because this might be the next big thing. And not only that, but we have a real world use case now that can't wait. And we're going to, you know, take a risk that this company might not be around in the year.
Here's my here's my thought on this. I think we all want to be there. Right. I and hopefully that's it's that's coming across as like, yeah, like these are all great ideas and we definitely want to get there. My problem that I have with this is that It's easy to get distracted.
It's
the new shiny thing. Oh, I've got to do that. And yet I didn't do any of the basics to get there. I'm still doing faxes for onboarding. Like what? And yet you want to do like this other crazy, you know, advanced thing over here. Get the basics done first, and then start looking at the other stuff because those shiny features assume that you've already tackled the basics.
Like zero standing privilege is actually a great example of this. It's like, okay, the only way to get zero standing privilege is through automation. Full-blown comprehensive automation across all of your systems and it's rock solid and it works all the time.
If you can't if you're not doing that today, good luck with standing privilege. I mean zero standing privilege. Like that's just not going to work for you. And so that's kind of like where I I see a lot of organizations struggle. It's like, yeah, like these are all great concepts. You should be moving towards that. But get the basics done first.
And then start to think about how you're going to extend past that. Because if you get the basics done, chances are you're going to be pretty compliant with whatever you need to be compliant with, as long as you're doing the basics.
That's gonna get you eighty percent of the way there at least. I I completely agree with you and it still goes back to figure out what you wanna do and stop focusing on things that aren't core to what you're trying to do, but seem sexy. It may be it may look great, but it's going to take you away from your core and now you're going to be doing two things poorly.
I gotta tell you, we we moved away from identity management day, but this is a great conversation. I think these are the types of conversations that I think people around the world are having in their own little you know, in their own rooms, their own conferences and things like that. So It w it wouldn't surprise me that we hear some of this on identity management day. Is that fair, Jeff?
Oh, I d I think you can expect it. I could guarantee it. Because you're not just gonna see, hey, here's the greatest new identity tool. You're gonna see some of that. But um Jim, to your point, we live in gray. We live in the gray area. There there are if you're at the extreme, you're actually missing out on a lot. So you have to live in the gray area.
Speaking of gray area, what a transition. Gray area makes me think of quantum computing and cryptography and quantum computing. So We've already gone pretty long on this show, but I did not want to not ask you this question because you have some great um thoughts on this that you wanted to share. My big thing is like the
¶ Quantum computing, quantum resilience, and cryptocurrency risk
Quantum fears are s making people start worrying about whether or not Bitcoin is gonna be broken at some point, right? Is SHA two hundred fifty six? We know it's not going to You know, be the the king of the hill forever, right? Um and we're gonna need something quantum what, resistant or quantum proof?
Uh uh the term I would use would be quantum resilient. Because it it would be it's becoming somewhat cliche, but you can't you can't stop it. You you can't stop what's gonna happen. It's no different. It's an arms race, all right?
If you have a weapon and your opponent has the same weapon, you're going to want one that's a little better. And they'll want one that's a little better than yours. So that's really what's happening here, although it doesn't have to be based in evil, although in some cases it is. So you I go back to I think at one point, Jim, you and I may have talked about this. I remember when Triple DES
was the encryption standard that came out and around I think it was part of the Orange Book series uh the color rainbow series. It was the Orange Book. And Triple DES was how you needed to secure things. It was the most secure thing we had. And before the ink was dry it was broken. So um and and now we have better computers to break to break it. Once quantum is truly focused on encryption in particular, and I'll talk about other components, I think.
Because uh any cryptocurrency is based on encryption. The ledger has to have faith, has to demonstrate faith that there is a unique transaction entry in there. It's it's the only one there and it was never compromised. That's done through a form of encryption. Quantum computers, when you have enough computing power, cooling, and money to make it work,
will break that. It it it's it's software. It will break it. So you can count on that. I'm not certain it'll be in my lifetime, it may be. It may it's m more likely gonna be in yours.
And
What we need to do is not worry is not fear it and not say what's gonna happen. What we shouldn't do is just say sell everything and get gold and stuff it under your mattress, you know, although so I know someone that's done that. Um I I I actually know someone that did that. Um
They made money this year then. Last year they made money.
Th oh they they would have made money if they sold it. But if you keep the gold, you may or may not that's the whole point of a commodity, right? That what we're not gonna do is get into the psychology of of buying and selling commodities.
Yeah, forget gold. We should be investing in ram sticks. That's where the real money is right now.
Um but when you look at things like where I think quantum's gonna really help identity and security is if you have a connection, whether it's audio or with server to server or just data to data. When you can create with quantum quantum computing a quantum entanglement, if you've heard this term, that means you essentially have two components that are mirror images of each other. They're not the same, they're mirror images. And when something happens to one,
essentially, inverse um action happens to the other. When you have a quantum entanglement, the act of simply viewing it, observing it, breaks that entanglement because both sides now change. Now that's a it's a big concept that more and more people are gonna start seeing soon because quantum entanglement I think is gonna provide the next big level of security for us.
And it's gonna come from quantum computing. But the downside of quantum computing is everything you're counting on today will become somewhat paper thin once quantum computing becomes a bit more democratized and available.
I think um you know, I I've heard different estimates for when quantum computing would become available. And I think what I heard was that the biggest risk is really, you know, we're doing all this cryptographic exchange of messages. Someone could be Wiresharking and saving those messages off so that by the point that they're able to use a quantum computer, they could break them.
I don't even know if that's true. I don't really understand it well enough to say okay that's a realistic concern or not. Jeff, do you have any tips? Like what should people be doing right now? Is it just keeping an ear on the news and having the curiosity to kind of figure out what Is out there or or what do you tell people? I when people ask you, and I'm asking you right now, what do you advise?
Well good. I count you as a person, so that's a valid when people ask. Thank you. Um so some of that's gonna be out of my area of expertise, but especially when you focus on identity and when you deal with the identity associated with a crypto wallet, for instance. In fact, crypto wallets contain identities uh very often. It's not simply cryptocurrency.
Um y you know, a digital wallet could now contain uh a a driver's license in many states in the US. A passport in the EU is gonna be in a digital wallet. That's all a form of crypto right now and encryption that we're depending on for our for our identities. They're the things I often recommend are first of all, make sure you have a backup of what you do. Different for a cryptocurrency. You can't necessarily back that up.
Um there are ways to get it done. But um when you're not actually making a transaction, get it on something removable and get it in a lead-lined safe. That may sound a bit overreactive, but I have one in my house. And it's um I feel very comfortable that I have availability of the things that are important. Should there be enough fire at the home or something else happened? And it's in a location that's not easily found. I'm not even gonna come close to saying right now where where it is. So
Um it would take a certain amount of torture for that to happen. But the advice I give is back up what you can, first of all, and to your point, see what's going on in the world. Watch the news stories about where a a compromise occurred. And find out why. Right now many of those compromises occur through social engineering rather than hacking per se. That's where our biggest exposure is. Hey, we just got back to people again, didn't we?
¶ Social engineering is still the biggest threat
Because social engineering focuses entirely on how could I convince you that you need to give me something? Thank you very much. Now I'm gonna compromise whatever it is you had or whatever you it is you control for someone else. So the situational awareness. Be aware what's going on. Whenever you're asked for any information, don't believe it.
It doesn't matter who it d maybe your your spouse or partner, there's a certain level of trust that probably needs to be there. But beyond that, when you're asked for something, don't believe it, find a way to validate it.
Phishing.
Phishing still works, but the reason it works is people say this looks like a valid email. I'll just click this link. Boom, you're done. It doesn't matter what you enter, you're already done. So when you get something like that, always go back to what the source should be and confirm, did you just send this to me?
It may seem like extra work. It it won't seem like extra work when you do it and someone else didn't and they lost whatever it is they had of value. So back up what you have, be aware of what's going on. And where you can put in a control, do that. If you can add another factor of authentication when you authent when you log into something, do it. I I'm I know it may seem like a pain. And people don't like brushing their teeth either, but it's better than having your teeth pulled out, right?
Brush your teeth. Find a way to do another method of authentication, especially for the things that are of value. Not everything. If you're gonna go look at sports scores, you don't need multiple ways to authenticate yourself. But if you're gonna look at your Polymarket account where you're betting on those sports scores, then you might wanna have a couple different methods of making sure that it's you that's getting in and no one else. How's that for for a current example?
Um I love it. I mean I think this might be the first time we mentioned Polymarket on this show, but um it's an an interesting uh uh you know, look at how we actually have to manage all this stuff. So I'm with you on this. I I feel like we could torture you for a little bit longer and maybe get the location of that safe by making you stick around and talk with us for several more hours. But
¶ Identity Management Day theme song suggestions
Let's start to wrap things up and take it to the identity management day as like a finale. And we asked this question last week, but we're gonna do it again because we've got you here. Let's talk about theme songs for identity management day.
Okay.
I gave a couple last week. People can go back and listen to those or listen to that last five minutes of our episode. But I'm curious, Jeff, if you could pick like One or two theme songs to celebrate Identity Management Day twenty twenty six. What would you pick?
Uh well I'd start with the theme, which is finding identity. It kinda leads right into the n Finding Nemo theme. Now that may not be your favorite song, but it it it it actually we were coming up with a theme.
That's the first thing I'm saying. Well it sounds like Finding Nemo. Well then we need to have a tagline after it. But Finding Nemo, I think, is gonna be the first one that that fits into there. Um go ahead and judge all you want. I I'm not necessarily a Finding Nemo fan, but it kind of fits. Um I think any song by The Searchers
Because you're searching for you, me and the machines. And th that can actually title almost any song from the fifties or sixties. I'm old, what can I say? Um, but any song by The Searchers certainly fits in with the theme. And uh what's a good one that's dealing with a machine? I I mean, uh you could go Rage Against the Machine. Tom Morello, yeah, why why not, right?
Yeah, you take take your anger out on on some of these things. J so you haven't heard that the the up the episode we talked about it yet, but you know, I mentioned um I will survive and when the bodies hit the floor as like two options, you know, kind of tongue in cheek as as things are out there. Uh you know, a couple other ones I think they have like Master of Puppets.
And, you know, from an identity standpoint, trying to, you know, juggle all that and then Daft Punk. Harder, best or harder, better, faster, stronger, something along those lines where, you know, again, I'm thinking more of like a playful nature of What identity management day might look like.
Okay, well, so um there's gonna be a Talking Heads song in there somewhere. Um
Once a while.
I think Once in a Lifetime, yeah.
Um, yeah.
Pardon? Uh well, not the theme. The theme changes every year. Last year, if you remember, it was the mouthful existential identity.
That sounds like AI.
Um that was that was actually the driving force behind that name, uh, last year. Yeah. Uh you know, just like you talked about the back office effort for getting the podcast out. It there's a lot of work around a twenty one hour event. I c I'm not lying here. But sometimes the toughest thing is coming up with we need a theme that can stick. And that is not easy.
Yeah. So twenty one hours. Why not twenty four hours?
Uh because we came up with the number of hours each region was willing to give us.
Okay. So we need each region to donate another hour next year and then we'll get to twenty four.
I'm gonna hit them up for that and I I hate you now. I y you really you want me to you want me to do this for twenty Safe.
I'm gonna keep signing you up for things you didn't ask for until I know where that crypto is, man.
Yeah.
What crypto?
Yeah, good answer.
Um yeah, hey, I used to do work where I had to answer things like that. So yeah, I'm I'm practiced at it.
All right. Well let's go ahead and leave it there for this week. Uh Yeah, Jim, I forgot. You you you didn't chime in there.
Like the perfect answer lined up, I think.
Hit me. Let's do it.
So how do you feel about Beastie Boys first?
I mean you gotta fight for your right.
Okay. So And again, Jeff, you Jeff Rich, you led right into my answer, right? Because twenty one hours used sample for the whole thing, right? So You have to be awake for at least twenty one hours. Hopefully you're taking a shower before it starts. So you're up for probably twenty four hours and it ends in the Western hemisphere of time, right? The US and South America. Anyway, which includes Brooklyn. No sleep till Brooklyn, baby.
All right, there you go.
Well Brooklyn
But yeah, I see where you're going with it.
Absolutely.
I'm just glad you didn't pick Sabotage 'cause like, oh boy, that that's dark.
No sleep till Brooklyn.
Yeah, so if you wanna do West Coast, Hotel California actually fits. You can check in any time you want, but you can never leave.
That's I mean, that's identity for you. There you go. I don't know how we topped that one. That's a good one. All right, let's wrap it up. Happy identity management day, Jeff, and to folks around the world and Jim as well. Um look forward to
I don't count as part of folks around the world, I guess. Yeah.
Well, you do count as a person, as Jeff has indicated, so we will include you as that. But yes. Um there's a lot of stuff going on. Check out the website. We will have links in our show notes for people to check out. Um we will be part of the festivities, uh US Uh Eastern time, uh, we'll we'll have a live episode that we're doing kind of that. So I'm looking forward to that. Uh Jim, to be transparent for people who are listening to this,
the day before we do it, we still don't know what we're going to do, but we are doing something. So Um, you'll have to tune in and see what our episode uh is for Identity Management Day. And thanks to Jeff for inviting us to do that. So thank you so much for that.
Great to have you there.
Yeah, so I will have links in our show notes. People check out all kinds of stuff. Connect with Jeff around music choices, theme choices. Thoughts on quantum AI and everything in between. Uh, you can find us on the web, IDEC podcast dot com. That's also where we have all of our latest discount codes. So don't forget to use those. So's support for the show.
whether you're going to EIC or Identiverse or conferences that are coming up later this year that we'll have Tittop codes for as well. So uh like, subscribe, do all that fun stuff, and we'll leave it there. Thanks everyone for watching and or listening. And we'll talk with you all in the next one.
You've been listening.
🎵 Music
We hope you've enjoyed
🎵 Music
