This is the Identity at the Center podcast. This is a show that talks about identity and access management and making sure you know who has access to what. Let's get started. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey Jim. Hey Jeff, how's it going? Not so bad, yourself? Good, man. It's sweatshirt weather, which presents a challenge for me, because now I have a 16-year-old in the house. He's getting bigger and stealing
my clothes. And so, when I went through my stock of shirts and long pants, I realized there were many missing, so we had a little talk and I got some of them back, and yeah, I'm enjoying the crisp weather. Did they smell okay? Did they smell when you got them back? Yeah, they were fine.
And you know, I'm really excited about our guest today. He's somebody I had a chance to work with at Identropy a few years back. He's actually one of the people I really looked forward to working with, just somebody that I had a lot of respect for and a lot of, you know, just excitement to work with. He's kind of a thought leader in our space, so I think our listeners are in for a real treat today. Yeah. And in the biz, I think we call this a good get, right, as professional podcasters that
we are. Why don't we go ahead and introduce him? His name is Nishant Kaushik. He is CTO at Uniken. He's a former Identropy alumnus and all-around identity maven. Welcome to the show, Nishant. Thanks, thanks for having me. Thanks for the kind words. Thanks for taking the time to sit with us here, virtually. You know, I was trying to think about what our conversation
today was going to be about. We usually try to have kind of like a theme, and I'm looking over kind of like the notes and kind of things that we were thinking about, and really today's theme is that we don't really have a theme, other than it's just a bunch of IAM-related topics and questions for you, and maybe towards the end get to some predictions, since we're getting towards the end of the year and that's kind of the hot thing, right? Do predictions for the next year.
Hopefully it will be better for all, but maybe we can get to that. But before we get to that, why don't we start with you and your background? I'm curious as to how you got into IAM. Is it something that you chose, or did it choose you? I think it would be fair to say that I fell into it, right?
So whether it chose me or not, I don't know. It may be regretting those choices now, but I definitely didn't set out to be in IAM. Basically, this goes all the way back to 2000, and I was at a startup that was about
to go kablooey. So I was looking in the market, looking for a job, and found a senior developer posting for a startup in downtown Manhattan that I applied to. I went and did the interview, and they had an office in the World Trade Center on the 87th floor, and my reason for joining, besides the cool cat who interviewed me, who was British and a friend of mine, John Aisien, besides that, was the fact that on the 87th floor it was a really cool view, and I was like, hey, it would be fun to work here.
So that's basically what led me to join them, and we were working on Active Directory and managing Active Directory accounts. And, you know, like I said, I didn't really know it was IAM in any way, shape, or form for a long time, as we just started going through the journey of working on the product and just continued through that. And I think it organically grew into what has ended up being a long career in the IAM industry. Nishant,
could you maybe give us kind of some of the... I'm really excited because I think I know your background, right? But for our listeners, maybe some of the companies you worked at along the way, including Identropy, which is probably the greatest one, save for Uniken, okay? But could you give us a little bit of a background of some of the companies you worked for and maybe some of the things you did
at those places? Sure. So when I joined Thor Technologies, which is the company I was referring to just now, we were basically building a tool that started out with Active Directory but essentially became one of the main provisioning products in the industry. For a long time, we were competing against a company you may have heard of called Waveset, and we had a really
strong rivalry against them. And so that was a good five years of my life. I built some really solid knowledge there, rising up through, like I said, starting out as a senior developer but then transitioning to becoming product architect as I led the building of the product from purely provisioning to getting into things like access governance, you know, the start of what is now known as identity governance, and building some of the recertification features and
things like that. And that led us to achieving some pretty good market traction. We did some good work with large financial institutions that basically ended up with us getting acquired by Oracle in 2005. And so I then spent the next, I want to say, seven years of my life really getting into identity management across all its dimensions,
looking at the whole portfolio of all the products that Oracle had, and then some, because they acquired Sun. Of course, towards the end of my tenure there, we actually had two of every product, and that was a big part of what I was working on: how to reconcile the portfolio.
But, you know, towards the end of my tenure there, that was when there was a lot of interest in the shift towards SaaS and what it meant for identity, both from the perspective of how identity fits into the SaaS enterprise model, as well as what it meant for us in terms of delivering identity as a SaaS. I worked a little bit on trying to come up with a strategy for what that meant for Oracle, which wasn't really
going anywhere. And that's when I was approached by our old colleagues Frank and Ranjit to join this little firm called Identropy that had this idea of, hey, we have all these really good practices that we've deployed over and over again in solving the identity management problem. What if we took those best practices and encapsulated that into a SaaS product? And so that led me to joining Identropy and trying to build a little IDaaS solution that, you
know, we had a good ride. I think we were on our way to building something really interesting and really good. But, you know, it wasn't to be, because we actually got snatched up by CA Technologies, and the product became the basis for what would be their second, you know, second version of an IDaaS product that they tried to bring to market. So that led me to CA. My tenure there wasn't nearly as long as it was at Oracle.
I lasted there a year before I jumped out to spend a little bit of time working on a consulting basis while I tried to figure out what I wanted to do next. And that's when I joined Uniken, where I am CTO right now, running our vision and product direction. Nishant, it's got to be a bit of validation for you. You know, I remember so many of the ideas that you had around the product being called SCUID Lifecycle
when it was with Identropy, that you and the team kind of built from the ground up, but kind of with the vision of it being a true identity as a service, you know, an as-a-service offering with an API approach. It's got to be validating to you now that you see that the market really is all about that today, right? Oh, absolutely. I think, you know, I think we had the right idea.
We definitely had the right approach. Maybe it was just timing or whatever you want to call it. But, you know, it definitely feels like we were on the right path, and the market, as you said, has definitely shifted towards that. Between the growth of SaaS and the emergence of really usable, strong standards in this space, it really has helped us go beyond where we were back when we started the project, which was: yes, SaaS is great for identity
if you're thinking about authentication; going anything beyond that, you know, is it really a good idea? And password vaulting was sort of state of the art. And obviously now we are way, way beyond that, and, you know, you've got great companies in the space doing really well on that front, driven by APIs and standards. Yeah. I think you brought up timing, and I think, you know, there's always the idea of the first-mover advantage being a great thing.
But if you're too early, that can also be a disadvantage. And also, I think when you're starting something up like that, maybe a little bit of luck would help. They always say in baseball, better to be lucky than to be good, right? No doubt about that. Yeah. Yeah.
No doubt. So now you're at Uniken and you're the CTO there. Can you tell us a little bit about what Uniken is, what problem Uniken is solving? One of the challenges that I saw in the identity industry through that entire journey that I just described was, we're really good at understanding technology and coming up with technology-oriented solutions.
But there's this disconnect between the great technology and standards that we come up with and whether it's actually solving the business problem that customers have. You know, 20 years later, we're still struggling with some of the basics, right? Organizations are still struggling with the basics. We still have passwords. Provisioning is still a nightmare. Governance is still a huge challenge, and integration
projects take forever. So that was, you know, a big part of my learning over the course of the years. And, you know, I started veering towards looking for: how can we simplify, how can we make things better? And one of the things that attracted me to Uniken was that, rather than being very technology-oriented, it was really focused on its mission statement. Right, its mission.
Our mission statement is that we make connecting safe, simple and scalable for digital-first businesses, and it's a mission statement around a purpose as opposed to a technology. And so that's really what attracted me to join the company. And when I joined the company, we had two really interesting core pieces of innovation that the original founders had
created, but it was narrow. And what we've seen over the last few years, what we've been able to do, is really expand and enhance that core to build the REL-ID security platform, which
is our core product set. It's, you know, a zero trust security platform for the digital-first business, and what that means is we really look at how to take businesses that are consumer-facing and help them create a secure interaction model that allows secure customer journeys and engagements end-to-end across their omni-channel engagement with customers, right? So every business is now digital-first. Every business is a digital
business at this point, right? And you have so many different channels. You know, mobile is the fastest-growing one, but web is still obviously the dominant one, and you now have new channels, while you still have the old ones like the in-person channel. You know, you still have branches. Well, not in the age of COVID, maybe, but you still have branches and stuff.
But you also now have new channels like the call center, you have smart home assistants, et cetera. As a digital business you need to make sure all of those channels are available to, you know, engage with your customers, and you need them to have consistent security across all of that, whether it's security or authentication. All those pieces need to be done in the same fashion, and it needs to be done with an eye on user
experience. And so that's really what we set out to solve: how can we provide a platform that enables businesses to engage with customers safely and securely across all their channels? And that's what we've been working on, with that focus on delivering amazing security with a phenomenal customer experience. So, with that customer experience, I know you also are part of several different groups that kind of talk through inclusion and diversity and things like
that, especially in the IAM space, things like Women in Identity and the Better Identity Coalition. Talk to me about both of those organizations. What is actually your involvement with each of them? Sure. So it's interesting in terms of how we, because, like I said, we don't have technology at the center of our mission. Our mission is actually around the customer. It's actually led us to all these different aspects of identity.
One of the reasons why I'm in identity, or maybe why I've stuck around in identity, is because it's such a fascinating space and there are so many different facets or aspects to it, right? So on the technology front, you know, Uniken is a member of the FIDO Alliance. So, you know, the FIDO Alliance y'all know, so I'm not going to spend too much time on that, and I'm sure you've covered that in previous podcasts as well. But there are other aspects to identity that go beyond
technology. So one of those is the fact that identity touches so many aspects of business that it needs to be designed for equity and inclusion. And you can't design for equity and inclusion unless the teams that are building it themselves are designed with equity and
inclusion. So you need to have a diverse set of individuals that are helping build digital identity solutions for everybody, and really that's what the mission statement for Women in Identity is. Women in Identity basically is focused on multiple initiatives that are sort of targeted at making sure that the
digital identity industry is more diverse, has a more diverse workforce, and is able to bring in different people with different viewpoints that can therefore influence the technology we're building to make sure that it caters to those different individuals and diverse groups. So it's an, you know, amazing organization with an amazing leadership team.
They do a lot of really good work, whether it's highlighting people, whether it's highlighting areas of identity that we don't necessarily focus on or talk about too much. They've been very vocal, for example, on the topic of how biometrics has bias built into it and what we need to do as technology vendors and practitioners to eliminate that bias, because it has very real-world consequences, amongst other
things, right? So they're really good at highlighting these issues and, you know, creating the discussion that is needed. So we've been, you know, a member of the group since the very inception, when it was being created at, I think, the Identiverse conference. The founders were sitting and planning out what the organization was going to look like. And at Uniken, we sponsored them because we believe in that statement, right? At Uniken, we are actually involved in projects
all across the world. Not only do we have implementations going on in the US, but we have them in Central America, in Africa, Southeast Asia, and the issues of equity, inclusion, etc. show up in many different fashions in those different regions. So this is a topic that's very important to us, not just for me personally but also from a corporate perspective. We care about that very much because we see the impact that it has on our
customers. That's a very important topic, and it sounds like you guys are doing great work there. We added a member of our team. She actually was on the podcast with us last week, might have Gonzales, somebody with 15 years of experience in the space. And honestly, you know, we would have hired her irregardless of, you know, the inclusion angle, because she was the best candidate qualified.
But one of the things I think is important is for those kind of entry-level positions to try to attract women into the IAM industry. So, you know, I would encourage any of our listeners out there who are, you know, in those positions where they can, you know, bring talent into this industry to give consideration to that. I mean, you know, I got into identity and access management back in 2003. It definitely was a male-dominated industry. Probably to some extent that's true today as well.
I'm definitely seeing more women in the IAM space since then, but I think it's not something that, you know, we want to drop the ball on or not put a focus on today and into the future. Absolutely. And the other organization you mentioned was the Better Identity Coalition. So, as I mentioned, identity being multifaceted, the Better Identity Coalition looks at identity from the policy and regulations and sort of public-private partnership angle.
So the Better Identity Coalition is sort of an initiative out of a non-profit, and the objective of the membership is to actually influence policymakers on the Hill. It's very U.S.-centric, though it does look at things globally, but its focus is on the US market, and it's really focused on influencing policy initiatives that are happening, because they understand, we understand, that what happens in identity influences businesses of all nature, right?
Whether it's financial, whether it's health care, whether it's government, like in terms of services that citizens need from the government, identity is critical to all of that, and it can't be done without policies being in place that help it. So the Better Identity Coalition is really focused on that, you know, public-private partnership aspect of it,
influencing policy. For example, they've been very influential in engagement that has led to H.R. 8215, which is a new bipartisan bill that has been introduced in the House by Representative Bill Foster, called the Improving Digital Identity Act of 2020. And it's really focused on addressing shortcomings in America's digital identity fabric and creating better ways for Americans to be able to do
business securely online. I know that you and I are both members of IDPro, which is another IAM-focused organization, and you mentioned Identiverse. You did do an Identiverse talk earlier this year that was around Mission Impossible, which I thought was great, by the way. I guess, how do you see organizations like IDPro fitting into that kind of, I guess, the world of IAM
organizations, right? There's Women in Identity, there's the Better Identity Coalition, there's IDPro, there's the FIDO Alliance, and it seems like there is some sort of group or coalition, or whatever it may be, for very different areas of IAM, and it's easy for people to kind of pick and choose, maybe even specific or multiple groups that they would like to contribute to. Absolutely. So yeah. So I've been a member of IDPro
since the beginning as well. I didn't really have a choice. I think Ian was onstage staring straight at me saying, you need to sign up, and I was like, okay. So it goes back to the origin stories, right? Like, you know, it sounds like you ask everybody about their origin story and it's kind of the same, right? Nobody set out to be in IAM. We all kind of fell into IAM in some way, shape, or form, or got drawn into IAM from
sideways. And that's because identity is not something that people set out to be in. Unlike other pillars, like security, like privacy, identity has lacked that professional aspect of it. And that is hand in hand tied to how the industry will evolve, right? We talked about the lack of talent or the lack of focus. Most of the folks in the industry learned about identity by working on a product, by being a professional on a technical product.
Like I mentioned, mine was: I had to learn how to integrate and manage Active Directory, so it was very focused on Active Directory and Microsoft technologies, and it's just through the building of our product that I started to get exposed to more and more and sort of grew my knowledge over time, and it grew organically, which is great. I mean, it's afforded me a lot of amazing opportunities in my life, but it takes a long time to feel like you know what you're
doing and you know what you're talking about, to actually then start making a difference. And given how important identity is, we just can't afford that kind of lag in development of talent. And that's what IDPro is trying to address, right? So, like I said, you know, it's identity at the center, as your podcast is called. You know, that means that it has a 360-degree view that you have to care about.
So whether it's people, whether it's policy, whether it's technology, all of those aspects need to be addressed. And as you said, there's an organization for each one of those, many organizations for each one of those. So it can be a little bit daunting. And we're going to have Ian on here on an upcoming show, hopefully in the next few weeks, so I don't want to steal his thunder, but IDPro recently did a skills survey, and, you know, one of the questions that gets asked,
and that is: how long did it take before you felt proficient in IAM? I think the most common answer was somewhere between, like, I think it was 5 and 10, or maybe it's 10 and 15 years. But when I say common answer, it really wasn't that much different than other answers too. So I think there's a lot of discrepancy and variation between, well, what does, you know, comfortable mean from an IAM perspective? I feel good from an ops perspective.
That's how I grew up. It's funny, I had the opposite experience as Jim. When I joined IAM kind of officially for the first time, I joined a group of ID administrators and I was the only guy on the team. It was all women on the team. So I learned, you know, IAM from those folks and kind of grew up on the operations side.
So that's where I'm most comfortable, and I would say still am, because that's where I've had the most experience. Then you start branching out and you realize that IAM has so many other facets to it that are both technical and non-technical, and it can take quite a while before you get the exposure to all of that. Where, you know, now I feel like, okay, yeah, I've got a pretty good handle on IAM stuff, but there's always something new to learn,
right? There's some new technology, some new framework, or some other thing, right, that kind of comes along, and it's like, okay, let's rethink this and think about how this should work going forward, and, you know, put the past behind us, and how should it work versus, well, it's just the way we've always done it. And that's one of the things that I thought was interesting about your
Identiverse talk. It was themed around Mission Impossible, and one of the things that I pulled out of it was you had a statement around biometrics as convenience versus security, and I thought that was really interesting. Maybe kind of summarize and tease it, because I'm going to have a link to that in our show notes here for people to check out. But maybe talk about what you meant by that real briefly.
Sure. So the Mission Impossible theme allowed me to inject some humor and some sort of interest into the talk, but the actual objective of my talk was to actually address some of the myths that exist in
identity management, some common myths that exist, and it was really born out of my frustration from having been, like I said, trying to solve problems for businesses, constantly running up against the brick wall of these myths and how they really skew the discussion or prevent organizations from doing the right thing in many cases. And one of those is, there are a lot of myths in biometrics, right, and how they fit into the equation.
And the common thing that you would hear over and over again is: biometrics are not good for security, but they're a good convenience factor. And it's really rooted in this idea that biometrics are being, you know, used to make it easy for users to log in so that they don't have to type in a password, not having to type the passcode into their device, and the biometric is
easy. And for sure, it is, from a user experience perspective, really useful, because the data backs that up, right? Before the introduction of things like Touch ID and Android fingerprint, the number of devices on which passcode was enabled was really low, and it tripled after Touch ID and Android fingerprint were introduced, simply because users were sick and tired of having to type their passcodes in all the time, and it just became a super easy experience for them.
But that led to this idea that it is about convenience and the security aspects of it are weaker, and what I'm trying to address in the talk is: no, you have to understand what the security characteristics of biometrics are and apply them properly, and if you apply them properly, they actually are better for security. You just have to make sure that it fits into your overall threat models and things like that.
So that's one of the reasons why, if you look at what FIDO has done in their work, FIDO leverages on-device biometrics significantly as part of its recommendations. Not required, obviously. You can use a YubiKey, and even though Yubico just came up with the biometric reader on their YubiKey, a YubiKey doesn't
require a biometric. So it's not like biometrics is a required part of the FIDO protocol, but in everything you see and hear from the FIDO Alliance, they talk about the significant benefit of using on-device biometrics. And so I think that fighting that misconception is pretty critical as we start looking at how we can make the landscape of security and authentication better: not introduce passwords where passwords have not existed
before, get rid of passwords where passwords are an existential threat and issue to the security of services today. Biometrics can be hugely helpful, but it has to be done the right way. And unless you start looking at the security aspects of it, you're not going to know how to deploy it the right way. So Nishant, on the FIDO
topic, I did want to point out that we had on, in episode number 56, for anybody who's interested, Andrew Shikiar, who's the executive director for FIDO. So if you want to go back and kind of learn more about FIDO and kind of what they're all about, that's an excellent way to do it. I think we'd be remiss, though,
while we have you here, to not bring up the topic of the pandemic and how it's changed life for all of us and, in some ways, created new opportunities. I mean, one of the greatest opportunities for me is a lot less hotel nights this year, but it's also created opportunities for the bad guys, you know, to commit fraud, and I'm wondering, you know, kind of
with your work, what are you seeing as some of the things that have opened up or the fraud that has gotten potentially worse given the current situation? Sure, it's pretty obvious. I think if you were to start looking around, you'll see the data that what COVID resulted in, with the increased work-from-home environment, is sort of an escalation of attacks that already existed but basically got souped up and went into turbo mode, right?
So the shift of employees going from in-office to working from home meant that the lax security practices that were in place kind of got exposed. The attack surface basically got increased, right? You had way more people that are now available for you to leverage as an attacker as part of your campaign, right?
So if you look at, for example, whether it's phishing or vishing, which is voice phishing, those campaigns increased dramatically after the increase in remote work, and the reason for that is, you know, you had a larger population of users that you could try to trick into divulging passwords and system access. And phishing is a numbers game, right? The more people you can try to attack, there's a certain percentage that are going to fall for it.
So the more people you have that you can attack, the higher the chances of getting in, and the shift to work from home really exposed that, and it really exposed how our sort of security models were not designed for it, right? We had models that were designed for a 30% work-from-home
workforce, working remotely, but when it shifted from 30% to 95%, all of a sudden those security models didn't work. You now had organizations having to deal with employees that were working from home on their personal computers, on their home, unsecured and open Wi-Fi, with other devices from their family members on the same Wi-Fi.
And so the security model that organizations had completely falls apart and you're exposed, and it just really has resulted in a dramatic increase in phishing attacks and voice phishing attacks. We saw this with the voice spear phishing campaign
that actually resulted in all those high-profile Twitter accounts all of a sudden promoting Bitcoin. That was the result of a voice phishing attack on Twitter employees that were working from home and had sensitive credentials, including sensitive access to internal systems. We've seen the impact on citizen services, right? So, for example, we saw unemployment benefits not being ready for the huge number of claims that were going to get
filed. We've seen a large number of fraud cases against the system. I think Illinois reported that they had more than 120, 1,000 instances of unemployment fraud, because the benefit system wasn't designed to do proper identity proofing, and so on. So it's exposing the weaknesses in our end-to-end security model, whether it's identity proofing, whether it's strong authentication, whether it's channel security. This is at the core of what I was talking about in our zero
trust model, where we're not just looking at strong authentication, but we actually combine strong authentication with things like network security and channel security, device security posture, and identity proofing and verification for onboarding.
Those things have to be put together into a single security platform in order for you to get that defense in depth necessary to protect against this new threat model, new attack surface environment that organizations are dealing with. So Nishant, one thing that I want to just throw out there, like, you've
been in this industry now, I think, for like the full cycle of what the industry is, really, from starting with Thor, going to Oracle, back into the consulting space, or I think you were more on the product development space, but then going to CA. You've kind of seen all the different vendors come onto the Magic Quadrant, if you will,
and some of them move down to less relevance, and what I'm getting at is, you know, primarily at one point in the game it was like CA, Oracle and IBM were the most relevant and kind of the only options for large enterprises in terms of IAM. They've lost a lot of relevance these days, and other companies have had the opportunity to kind of eat their lunch. I wonder if you agree with that statement and kind of what are the trends that you think
led that to happen. I mean, first off, I want to throw out there that I think IAM is just an industry that gives opportunities for startups with great ideas to, you know, blow up and become relevant, maybe not overnight but definitely within a short period of time, and it puts some of the larger players at a disadvantage if they're not kind of staying on that cutting edge and if their strategy is just to kind of acquire their way to relevance.
I think they have a harder push. But, you know, putting that out there, I wonder how much of that you agree with and kind of what do you think led to what I'll call, I'll use the term, kind of the demise of Oracle and CA as kind of being the most relevant IAM players. I think it's what you described, that IAM is such a constantly evolving space
That unless you're staying on top of it, you're being agile, you're being nimble, and you're continuously investing and innovating and building your solutions, you are going to fall behind, because identity is so critical to organizations today, whether it's from a security perspective, whether it's from a compliance perspective, whether it's from a customer experience perspective, that you just cannot afford to have subpar identity practices and technology in your portfolio.
So vendors that have not focused on identity and continued to invest in evolving it with the times run the risk of, you know, the technology becoming stale and therefore irrelevant to many organizations.
And I think that's one of the things that happened with some of the larger organizations, is that identity wasn't core to what they wanted to do. They had different centers of gravity that made them make certain choices that, in the large scheme of things, from an organization's perspective may not have been the wrong thing, but specifically for the identity business, in the sense that it wasn't necessarily the right thing to keep them competitive in the market, and it opened an opportunity for other vendors to come in and be more innovative, be more agile, and also take advantage of new frontiers that were opening up that the old technology wasn't ready for, whether it's the emergence of SaaS,
as well as the emergence of API-based methodologies as opposed to UI-based methodologies, whether it's the arrival of standards that could actually be deployed in a practical fashion and had gone through the wringer of going from being theoretical and academic to becoming more practical and realistic in actual production deployments. I think identity as an industry moves so fast and evolves so much that it requires a lot of care and attention.
So unless as a vendor you're doing that, you're not going to be able to keep up with the evolution. I think one vendor that deserves to be highlighted here is Microsoft, right? Microsoft has been the technology giant since we've been in it, and they never really were much of an IAM vendor, if you will. They always had Active Directory, but they never really got into the access management space, and they had some offerings, but they were never kind of leaders.
But boy oh boy, I think at this point they put themselves in the pole position, where I think what I hear a lot of people say, and I agree with this comment, is if they want to go after your space, watch out, they'll take it over. And I think a couple things happened, right? I think they made the shift to the cloud, Office 365, which had massive adoption, and then
they bundled a lot of their IAM services in with that offering, which really positioned them well for customer adoption. But also, you know, from a product offering perspective they made the shift toward open standards, so now you have a cloud-based open standard that you're more or less giving the product to the customers who are buying other services, and they fit right in with those services, but then also support open standards, so you have the wider
connectivity. I just feel like they probably have done the best job in terms of, you know, going from irrelevance to relevance, especially considering they're a large enterprise IT provider. Yeah, I mean, it's not just what you mentioned, but it's also the fact that they made the investment. They recognized the importance of identity and they made the investment,
both in terms of bringing absolute rock stars to their team, folks like Pam Dingle. If you care about metrics and what is happening in the real world, at Microsoft you need to follow Alex Weinert,
because he regularly publishes them. The amount of data that Microsoft sees in Azure from a telemetry perspective is staggering, and so what he can teach you about what's happening in the real world with respect to threats, events, activities that you need to be aware of is mind-boggling, and they're being very open about it. That's the other thing, that they're giving back to the community. So I think the investment in the technology, the investment in
standards, the investment in people, making identity a focus area as part of Azure cloud services, it's because they understood the importance of identity and invested in it. That's what's allowed them to sort of go from where they were, which is, yeah, they were always there, AD was always there.
But this has been positioned at the center of, you know, what's going on with SaaS and identity within SaaS, with what they're doing with Azure. It was a big change, you know, when they brought in Satya Nadella, you know, to head things up. You started to see the shift, and it took them a little while to make changes to the organization and where they wanted to be. And sometimes I think it put organizations at a disadvantage, where from an, let's take access
management, for example. You know, Azure AD wasn't all that great for a couple of years, because it took them some time to get it up and running and kind of where they wanted it to be. So if you look at, you know, previous Gartner Magic Quadrants, which are not the end-all be-all, but, you know, an industry benchmark of kind of where things are at, you know, they were not a leader. And for a couple years, I think they maybe even dropped off, and
then bang, the most recent one. Now, they're not there in the top position, you know, part of that probably has to do with their installed base and having such a massive footprint with Office 365, but I give them a lot of credit for making the pivot to the cloud and being available and being seen as more than just, you know, Windows, right? It's Office 365, it's Azure. It's SaaS services.
It's, you know, Macs not being a second-class citizen compared to their Windows counterparts on services and things like that.
So is it perfect? No. You know, but I think they've done a really good job of kind of pivoting into being more of a services company, and you're starting to see Apple do that as well, to some extent, with their, you know, their iCloud and other features and functionality, where that's really where they're kind of pivoting their businesses to be more services and less dependent on, you know, some of the legacy stuff like Windows. It'll still
be a big thing always. But, you know, having services available, I think, is a much bigger revenue generator for them over time. Yeah. Jim, earlier in the discussions, mentioned that sometimes you need a little luck. In the case of Microsoft, they didn't need the luck. They were big enough and they had the base. What they needed was to keep the faith, and they kept the faith, right? So continuing to recognize the importance of identity and keeping the faith,
faith that the plan was going to pan out, allowed them to get through that rough patch and come out on the other end stronger, which is something that not all big organizations are able to do. I can tell you that from experience. A lot of money solves a lot of problems. A lot of patience, especially if, you know, you've got to support the movement and understand there will be some short-term pain to get to the end. But yeah, absolutely.
Nishant, you know, really just the timing, you know, we're coming up kind of close to here to when I get things wrapped up. But before we do that, you know, it is the end of 2020, hopefully, and one of the things that I want to touch on are some of the predictions, maybe, around some of the things for 2021. I kind of want to go through kind of like a rapid-fire list of things and have you give me your quick thoughts on a few different things. How does that sound? Sure. I hate the prediction
game. Honestly, it's one of those things where I'm like, I hope nobody goes and reads my old blog posts, because, oh man, I made some really bad predictions in the past. So I stopped doing it. Every year, somebody would come to me and say, hey, are you writing a prediction blog post this year, and eventually somebody's like, no, I'm not doing that anymore. Well, don't worry. This is only going to be on the internet forever, so it's all right. But just imagine if you
get it right, right? How much of a prognosticator you'll end up being. The Nostradamus of IAM, I think, is a good title to add. Yeah. All right, let me go through my list here. How will COVID affect the way people authenticate?
Are we going to see less physical authentication versus maybe something wireless? You know, trying to avoid touching payment terminals, for example, using more Apple Pay and Google Pay and Samsung Pay, things like that, or other types of biometrics, maybe visual, you know, things like that.
How do you see COVID affecting the way people authenticate in 2021? So I think 2021 is going to show, and especially in payments, contactless payments, obviously, we were already down that path, but this is going to turbocharge it, for sure. And you're going to see the big players really focus on that as well.
I think authentication itself, we're gonna see authentication continue the path it's on right now, which is, I think, we are going to have a slow but steady march towards passwordless, which means, you know, less number of passwords, which is obviously what we all want. Biometrics is going to continue to increase.
In fact, I think there's regional aspects to that, that are going to play in a lot, because different jurisdictions in different geographies have different tolerances for biometrics. So biometrics is already well accepted in, for example, huge parts of Asia, and I think it's just going to continue to increase. And so with that, there will also be an increased focus on the privacy aspects of that and the implications.
So, it's going to be a really fun, interesting ride next year, because I think we're going to see a lot of activity on physical biometrics, in the sense of things like facial recognition, facial authentication, I should say, as opposed to facial recognition, and increased focus on the distinction between facial recognition and facial identification. But with masks probably being a
continued part of our life, hopefully we'll see, you know, other forms of biometrics come into the picture as well, just because I don't think what people have done with respect to trying to figure out how to do facial recognition while masks are on is sustainable. So, you know, let's see how that goes. So I think biometrics will definitely continue to be the case, but it has to be touchless. So I think that means that
fingerprint readers at stores, for example, that is not so common for us in the US, for example, but is far more common in other parts of the world, I think fingerprint readers at storefronts, banks, etc. are going to start to get replaced by mobile-based solutions that rely on QR codes or NFC in order to make it contactless, right?
So we're going to see some of that happening quite a bit. So you authenticate to your personal device and then somehow the device becomes the, the authenticator. Exactly, the authenticator, exactly. Mobile devices. And mobile devices are just going to become central to a lot of our activity, because they're personal, you don't have to give them up to somebody, so it promotes contactless. And so that leads me to a couple of follow-ups I had around, so here's what,
let's talk about iPhone real quick. Sure. iPhone has gone away from fingerprint and Touch ID over the last couple years; we've turned to Face ID. Now we're wearing masks and that doesn't work so well. The newest iPad, though, has a fingerprint or Touch ID built into the power button. Here's an off-the-wall question: do you think the next iPhone is going to have Touch ID in a similar manner?
I would love to say yes. I was actually hoping it would be this year, where they would have a fingerprint reader within the screen or at least on the back of the phone, which I don't know how that would work with the fact that I cannot survive without a case on my phone. But yes, I do think fingerprint readers, we will basically, well, I don't know if 2021 is the right time, but definitely by 2022.
I do anticipate that iPhones will have both facial recognition as well as fingerprint readers, both, just because, as you said, it's like, we need it. There is no way to get around that. I hope you're right too. And for the record, I am violently opposed to fingerprint readers on the backs of phones, because I like to put the phone down, and if I have to authenticate and pick up the phone to then put my finger on the back, that just, I just hate that.
I know Google does that. Not a fan of it. Sorry, Google. But at least you have the Touch ID, or you have the fingerprint authentication. All right. What about things like WebAuthn and FIDO2? I kind of think that we're going to see a little more adoption of it. What do you see for 2021, now that pretty much all the major players have adopted the WebAuthn standard, so it's fragmented? I think the WebAuthn
standard is excellent. One of the big focus areas for us this year at Uniken was building FIDO compliance into our solution and building in support for WebAuthn in it. But really, what will be the impediment for WebAuthn just taking over, because all things being equal, I think WebAuthn would take over easily, is the user experience. I think right now, the user experience is still problematic.
When you have WebAuthn support in mobile browsers on mobile devices that have FIDO built into them, like on Android devices and on iPhone, iOS, those are fine. Those will work great. But the user experience for registering a YubiKey or even your Touch ID on your MacBook Pro on desktop is still very clunky, very problematic, and is a big turn-off for me, for
consumers, right? So, I think that is going to be a significant hindrance to WebAuthn really taking off the way it needs to. I know this is an area where there is an amount of work happening right now to try and standardize that user experience, because unless you standardize that user experience, A, you can work out the kinks and make it better, but B, an inconsistent experience is an invitation for attackers to exploit it. And so that's going to be,
I think, the thing that holds it back in 2021. Hopefully by 2022 that hindrance is gone, and in 2022 WebAuthn really takes off. But given the state where things are today, I don't think we're quite ready for WebAuthn to, you know, shoot to the moon right now. Okay, what about sovereign identity and blockchain? I've been hearing about that for, I feel like, the last couple of years.
They seem to have gone a little bit quiet more recently. Where do you see both of those kind of related things, you know, by the end of 2021, let's say? Next question, next question. Okay, how about zero trust? It is, it is too problematic.
So zero trust, when I was just getting at what we do, like, it's a term that I, quite frankly, try not to use, because it, A, is so overused now and, B, is so fuzzily defined that everybody was able to, like, you should have been at RSA Conference walking the floor, and you would see more than half the companies have zero trust on their banners.
So, I think if we step back from the marketing stuff and actually look at what it is in terms of an architectural methodology, I think zero trust is absolutely something that every organization needs to invest in. You know, it's basically defense in depth. It's about multi-layered defenses that you need to put in place, and you can't just focus on one piece.
One of the things that, for all the years that we've been doing authentication and strong authentication, we do not think about the security of it. So we always assume the security. Yeah, we're doing strong authentication, tokens are going fine back and forth and, you know, usernames, passwords are being sent over the wire. Yeah, TLS takes care of the security of it. Oh, I have a token stored on the
device. Yeah, that's somehow secure and I don't have to worry about it. Unfortunately, we have to worry about it, because as we start moving to device-based security models, as you start moving to places, to scenarios where we now are increasingly leveraging FIDO, which means you have a private key saved on the device, and yes, it's stored in the secure element on the device, attackers are going to start looking at exploits at the
device level to figure out how to attack that, how to steal keys, how to intercept keys, how to leverage. So you're going to see an increase in how malware attacks the security of these new security methodologies, and so unless you have a zero trust architecture at the core, which is, I'm not just going to look at strong authentication but I'm actually going to look at the entire threat model and look at all of these layers,
you're going to leave yourself just as vulnerable, even in a, you know, FIDO security model, to attacks, just like we've had with passwords. Passwords are fine if you have a strong password and nobody can guess it. But that doesn't mean that phishing doesn't compromise the strongest password, right? So I think the understanding of the architectural approach is
continuing to grow and increase. And I think it's definitely here to stay and become a core part of how organizations think about their security architectures. Alright, my last one is around deepfakes. When do you think we'll see deepfakes really presenting authentication and fraud challenges for folks in the industry? Let's say, kind of, let's get a little bit broad. You know, I think right now
it's still a little bit difficult to pull off a convincing deepfake, whether it's audio or video. But the tools are getting better all the time. Yep. And how do you see deepfakes affecting authentication and IAM in general in 2021? So while deepfakes continue to evolve and get better and better, so does the capability from the biometric vendors, right? So it is, to some extent, a race.
It is an arms battle, but what makes biometrics, and this goes back to what we were discussing earlier about, you know, myths about biometrics, what makes biometrics good from a security standpoint is that biometrics isn't simply about looking at a face and matching a pattern and identifying who the person is. You also have other aspects to biometrics that make it good from a security technology
perspective, specifically things like liveness detection. You have to have liveness detection in order for biometrics to work securely, and liveness detection will, from a technology perspective, continue to evolve, just like deepfake technologies continue to evolve. And I anticipate that the liveness detection technology will continue to keep pace with how deepfake technology is
evolving, such that deepfake technology will not necessarily be able to convince a well-designed biometric system with proper liveness detection in it to get tricked, right? Now, that goes back to, you have to deploy biometrics properly. If you're doing something where you're incorporating biometric technology into your solution, you need to make sure that your biometric technology has good liveness detection. What is its presentation attack
detection capability? What are the levels of certification it has achieved, and things like that. So as organizations deploying biometrics, and as device vendors like Apple and Google that are important players in the technology, liveness detection is a critical part that they have to stay on top of and continue to evolve. And I think it will happen, that it will continue to evolve. They're all aware of this, and the underlying componentry, whether it's machine learning,
whether it's the sensors and the quality of the cameras on the devices, and now with the new iPhone, you have not just, you know, white light, but you have LiDAR, all of those will start to get incorporated into the biometric technologies that enable you to do better liveness detection,
such that I think at least for 2020, if you're going back to the predictions model, it will stay a step ahead of the deepfake technology. Can't say anything about deepfake technology continuing to promote disinformation and misinformation across the world, but at least from an authentication system standpoint, I don't think it's a 20/20 level
threat. I feel like I agree with everything you just said. I think where I'm most concerned about deepfakes is when it comes to misinformation, which we've already seen, but social engineering, when it comes to, you know, my favorite thing to do is turn on the potato filter on the camera and, you know, be the potato. But, you know, at some point there's going to be a filter that's going to be easy enough to edit where I can appear as anybody
I want to appear as, and I can make a Zoom call or whatever it may be and fake a bad connection, right, and tell someone to do something that they probably shouldn't be doing. I feel like that's probably the quickest attack route when it comes to deepfakes, but that's just the way that I'm thinking about it right now. I... to use it for the memes. Exactly. Exactly that.
And let's hope it stays there. That's exactly where we want to keep it bottled up. All right, well, I know we've gone pretty long today, but really appreciate the time. Before we get things wrapped up, Nishant, is there anything that you'd like to throw out there as any words of wisdom or maybe other final predictions for what you think 2021 might bring upon us? Just, as anybody who's in identity, like I said, there's so many aspects to it.
Figure out the aspect that will help you and your organization or your project get better, right? If it means you as an individual, and your teams, joining IDPro, absolutely join IDPro. There's a wealth of information and there's amazing discussions happening. Join Women in Identity, even if you're a man, even if you're, you know, not in the U.S. It's a global organization. Diversity doesn't mean women, even though women is in the title. It's about diversity. Join
that and learn how to create a more diverse team and inclusive team, and keep an eye on things that are happening on the regulatory front. There's going to be a lot of stuff happening on the privacy front from a regulatory perspective that is going to really significantly impact a lot of the work that we do, and that's getting really ratcheted up. So that actually is one of the predictions for 2021: we're going to see a whole bunch
of privacy regulations come out that are going to significantly impact the work that we're doing. Yeah. I think it's a really good point. You bring up the globality, if that's a word, of identity and access management and, you know, the different organizations. You know, this show, for example, has a pretty good following internationally. We've seen a lot of growth actually in the London area, which is fantastic.
And I'm a little bit disappointed, because I was supposed to be in London earlier this year to watch the Cubs and Cardinals, and obviously, that didn't happen. So I'm looking forward to my trip
there next time. But all these organizations, you know, or at least the ones that I am aware of, things like IDPro, would love to have more international representation, and, you know, it's a good time to join any of these organizations that you think might be helpful, either for yourself in your career or, you know, just because you're interested. Jim, any last thoughts from yourself? Yeah, I'd encourage everybody to get out there and watch Nishant's
Identiverse talk. He's a fantastic presenter. I think, you know, just learning to present, he does it in such a cool style. So see what you can take away from that, maybe incorporate some of that into your own talks. I think, you know, presenting is such an important part of kind of growing your career, whether you're in identity management or anything else. And then the other thing is just building your network. So I know Jeff and I are heavy users of LinkedIn.
Please feel free to send us a connection. Get linked in with us there. Nishant, how can folks follow you or connect with you from the social perspective? My most active social media presence is Twitter. You know, Twitter isn't what it used to be, but I still leverage it quite a bit, and there's still a lot of us identity folks who are there having really fun, interesting conversations. If you join IDPro, then the IDPro Slack channel is a fun place to talk as well.
There's plenty of memes there as well. So it's a fun place to have really interesting discussions on identity. But yeah, Twitter, and LinkedIn, you know, as well, but not as active there. Yeah, that's it. That's about it. And I'll have links to you on LinkedIn, or I'll put your Twitter handle as well in the show notes, your identifiers, Nishant. We're gonna have a whole bunch of links in the show notes for this one.
So, right, and there's a whole bunch of stuff on my website as well, at nishantkaushik.com, or you go to my blog, my talkingidentity.com blog. There's a bunch of stuff there, all my previous talks are out there as well. There's gonna be a lot of follow-up things for people to check out. Absolutely, absolutely. All right. Well, I think that's a pretty good spot to leave it for this episode. Appreciate everyone listening to us.
You can always visit our show at identityatthecenter.com. You can follow us on Twitter at @idacpodcast. Like I mentioned, we'll have links to a whole bunch of stuff for this in the show notes. So feel free to check those out, and wherever you're reading or listening to the podcast here, you'll find them there. And with that, we'll go ahead and close it out for this week. Thanks for listening, and we'll talk with you all in the next one.
You've been listening to the identity at the center podcast, if you like what you heard, don't forget to subscribe and visit us on the web at identity at the center.com.
