1
00:00:00,040 --> 00:00:04,040
Tell me the top 50 people in my 
organization that have the most 

2
00:00:04,040 --> 00:00:07,760
privilege and you can almost 
guarantee, and I'm, I'm sure 

3
00:00:07,760 --> 00:00:10,760
you've had experience in this is
in most organizations which they

4
00:00:10,760 --> 00:00:13,320
just ask that question. 
Tell me the top 50 people or the

5
00:00:13,320 --> 00:00:15,120
top 100 people that have the 
most privilege. 

6
00:00:15,400 --> 00:00:19,120
The answer when you see that is 
like, holy cow, who gave them 

7
00:00:19,120 --> 00:00:23,560
all that access? 
And, and so the nice thing about

8
00:00:23,880 --> 00:00:27,240
a scaled solution as opposed to 
one of these more traditional 

9
00:00:27,240 --> 00:00:30,440
solutions that's just kind of in
a people review, doing things in

10
00:00:30,440 --> 00:00:33,600
spreadsheets or going through 
a GRC tool or going through 

11
00:00:33,800 --> 00:00:37,800
something that's like human 
reviewing other humans accesses.

12
00:00:38,200 --> 00:00:41,600
You need to be able to ask these
questions like who's got this 

13
00:00:41,600 --> 00:00:43,680
privilege? 
Who's got the most access? 

14
00:00:44,040 --> 00:00:47,720
If this credential is 
compromised, what's the chain of

15
00:00:47,720 --> 00:00:51,720
attacks through the the identity
graph that could result on an 

16
00:00:51,720 --> 00:00:55,120
action on a critical resource, 
all of that kind of stuff. 

17
00:00:55,120 --> 00:00:57,120
I mean, one of the things that's
fascinating and then you know, 

18
00:00:57,120 --> 00:01:00,840
Tarun knows this as much as 
anybody is every to be use case 

19
00:01:00,840 --> 00:01:03,560
of Veza. 
It's like every customer almost 

20
00:01:03,560 --> 00:01:06,880
invents their new set of 
questions that are peculiar to 

21
00:01:06,880 --> 00:01:11,440
their risks that other customers
can learn from in terms of, wow,

22
00:01:11,440 --> 00:01:14,040
that's a really interesting way 
of getting to the most risk and 

23
00:01:14,040 --> 00:01:15,480
figuring out how to reduce their
risk. 

24
00:01:15,600 --> 00:01:21,880
The time, time is here for us to
really, you know, not just lift 

25
00:01:21,880 --> 00:01:24,160
one boat and there's something 
I, you know, shared with you and

26
00:01:24,160 --> 00:01:27,000
our teams. 
Let's not shift the boat, move 

27
00:01:27,000 --> 00:01:30,000
the boat of visibility or move 
the boat of intelligence. 

28
00:01:31,200 --> 00:01:33,840
You know, let's try to build 
something which can, we can lift

29
00:01:33,840 --> 00:01:36,000
all the boats together at a, at 
a singular time. 

30
00:01:36,000 --> 00:01:39,440
So whether it be IGA, whether it
be PAM, whether it be NHI, we 

31
00:01:39,440 --> 00:01:43,800
believe the fundamental of that 
is rooted in just completely 

32
00:01:43,800 --> 00:01:45,480
rethinking identity from the 
scratch. 

33
00:01:50,880 --> 00:01:56,000
This is Identity at the Center 
if it has anything to do with 

34
00:01:56,040 --> 00:02:00,640
IAM. 
This is the go to podcast now 

35
00:02:00,640 --> 00:02:04,520
your hosts Jim McDonald and Jeff
Steadman. 

36
00:02:10,639 --> 00:02:12,400
Welcome to the Identity at the 
Center podcast. 

37
00:02:12,400 --> 00:02:13,720
I'm Jeff, and that's Jim. 
Hey, Jim. 

38
00:02:14,720 --> 00:02:17,440
Hey, Jeff, how are you? 
Oh, not so bad yourself. 

39
00:02:18,600 --> 00:02:20,960
I'm doing great. 
You know, I'm super excited. 

40
00:02:20,960 --> 00:02:25,760
We've got two of the top gurus 
in the identity security area 

41
00:02:26,000 --> 00:02:29,120
today on the podcast. 
I'm ready to get into it. 

42
00:02:29,480 --> 00:02:32,560
Yeah, Why don't we get into it? 
No, no whole no use. 

43
00:02:32,560 --> 00:02:34,520
Like, you know, trying to wait 
and figure it out. 

44
00:02:34,520 --> 00:02:36,120
If people read the title, they 
already know what they're in 

45
00:02:36,120 --> 00:02:37,640
for. 
But again, to make it very 

46
00:02:37,640 --> 00:02:39,360
clear, right, this is a 
sponsored episode. 

47
00:02:39,760 --> 00:02:42,760
This is what gives us access to 
people like Tarun and Phil and 

48
00:02:42,760 --> 00:02:45,360
others to really kind of dive 
deep into those technology 

49
00:02:45,360 --> 00:02:47,480
conversations, especially when 
we start getting into products. 

50
00:02:47,480 --> 00:02:51,160
So they have generously, you 
know, spending their time with 

51
00:02:51,160 --> 00:02:53,320
us and educate us on a few 
different things, but why we go 

52
00:02:53,320 --> 00:02:54,760
ahead and get some 
introductions. 

53
00:02:54,760 --> 00:02:58,920
So today we're sponsored by Veza,
V-E-Z-A, or the Identity Security 

54
00:02:58,920 --> 00:03:00,800
Company totally stole that from 
their website. 

55
00:03:00,840 --> 00:03:02,400
And we're going to hear more 
about what that means. 

56
00:03:02,800 --> 00:03:08,680
But if you go to the website, 
veza.com/IDAC, veza.com/IDAC, 

57
00:03:08,920 --> 00:03:10,600
we'll have some more information
for you there. 

58
00:03:10,600 --> 00:03:13,560
So with that, let me go ahead 
and introduce both of our 

59
00:03:13,560 --> 00:03:15,800
guests. 
Today we've got Tarun Thakur, 

60
00:03:15,800 --> 00:03:18,120
he's the co-founder and CEO of 
Veza. 

61
00:03:18,160 --> 00:03:21,440
Welcome to the show, Tarun. 
Very nice to be here. 

62
00:03:21,440 --> 00:03:23,000
Thank you, Jeff and Jim, 
Appreciate. 

63
00:03:23,080 --> 00:03:25,240
Appreciate the opportunity. 
Yeah, thanks for taking the 

64
00:03:25,240 --> 00:03:26,800
time. 
And then he's joined by Phil 

65
00:03:26,800 --> 00:03:28,320
Venables. 
He's a strategic security 

66
00:03:28,320 --> 00:03:31,240
Advisor with Google, and he's 
also a Board Director for Veza. 

67
00:03:31,240 --> 00:03:34,120
So welcome to the show, Phil. 
Yeah, great to be here, looking 

68
00:03:34,120 --> 00:03:36,600
forward to. 
It so we have tradition around 

69
00:03:36,600 --> 00:03:38,920
here that when someone joins us 
the first time is we like to 

70
00:03:38,920 --> 00:03:40,800
find a little bit about their 
identity backgrounds and how 

71
00:03:40,800 --> 00:03:43,120
they got in the space. 
Tarun, I'm going to start with 

72
00:03:43,120 --> 00:03:45,360
you and Phil. 
Just get ready because you'll be

73
00:03:45,360 --> 00:03:48,360
next up in the wings. 
How, you know, Tarun, how did 

74
00:03:48,360 --> 00:03:51,840
you get into the identity space?
Is it something that you chose 

75
00:03:51,840 --> 00:03:53,800
or did it choose you? 
Yeah. 

76
00:03:53,800 --> 00:03:56,360
No, Jeff, it's, it's, you know, 
I remember talking about this 

77
00:03:56,360 --> 00:03:59,040
question with you before when we
when we met at Gartner 

78
00:03:59,040 --> 00:04:00,520
IAM. 
It's definitely the latter. 

79
00:04:01,240 --> 00:04:04,320
You know, I, I, I don't come 
from the, come from the, from 

80
00:04:04,320 --> 00:04:08,480
the identity backgrounds. 
You know, I've grown up in, in a

81
00:04:08,480 --> 00:04:11,800
systems distributed systems 
background and, and, and, you 

82
00:04:11,800 --> 00:04:14,520
know, spent the past 20 years of
my career building distributed 

83
00:04:14,520 --> 00:04:17,200
systems at scale. 
So, you know, my, my background 

84
00:04:17,200 --> 00:04:19,240
is definitely how to build 
systems at scale and how to 

85
00:04:19,240 --> 00:04:23,440
think about, you know, all the 
way from, I remember my first 

86
00:04:23,440 --> 00:04:26,320
job was writing assembly 
language code to building 

87
00:04:26,320 --> 00:04:28,480
globally distributed file 
systems and then globally 

88
00:04:28,480 --> 00:04:31,320
distributed databases. 
So is definitely the latter. 

89
00:04:31,320 --> 00:04:34,280
But, but I would say, you know, 
fascinated by this space, five 

90
00:04:34,280 --> 00:04:38,920
years in, I, I feel like 
identity has so much to be done 

91
00:04:39,520 --> 00:04:41,640
that, that you're just barely 
scratching the surface. 

92
00:04:41,640 --> 00:04:44,600
But thanks for asking. 
Yeah, there's so much to do and 

93
00:04:44,600 --> 00:04:47,560
and learn in this space. 
I feel like I'm never, I'm never

94
00:04:47,560 --> 00:04:49,680
going to get caught up. 
And I think that's a great 

95
00:04:49,680 --> 00:04:51,720
thing, because then it doesn't 
get stale. 

96
00:04:52,200 --> 00:04:53,200
Yeah. 
And also it feels like, you 

97
00:04:53,200 --> 00:04:55,360
know, identity is very much its
own island. 

98
00:04:55,360 --> 00:04:58,360
You know, it's, it's, it's so 
critical, but yet, you know, 

99
00:04:58,560 --> 00:05:02,520
when you get into that space, it
has its own, you know, weird 

100
00:05:02,520 --> 00:05:04,040
nuances. 
Maybe that's true for network 

101
00:05:04,040 --> 00:05:05,400
security. 
Phil will probably know, and 

102
00:05:05,400 --> 00:05:07,520
maybe that's true for endpoint 
security. 

103
00:05:07,520 --> 00:05:11,120
But Identity definitely has lots
of, you know, lots of threads 

104
00:05:11,120 --> 00:05:13,680
here. 
So I'm going to ask you about 

105
00:05:13,680 --> 00:05:15,400
basically here in a second, but 
I want to get to know Phil. 

106
00:05:15,400 --> 00:05:17,200
Phil is the first time that 
we've met. 

107
00:05:17,200 --> 00:05:19,320
I feel like we've been at a lot 
of conferences together. 

108
00:05:19,320 --> 00:05:22,440
I've seen you speak, so I kind 
of feel like I know you a little

109
00:05:22,440 --> 00:05:25,040
bit, but at a distance. 
But now's my chance. 

110
00:05:25,400 --> 00:05:27,080
Phil, tell me about your 
background. 

111
00:05:27,080 --> 00:05:28,640
How did you get into the 
identity space? 

112
00:05:28,640 --> 00:05:31,040
Is it something that you chose 
or did it choose you as well? 

113
00:05:32,640 --> 00:05:38,760
Well, it's, I've been a CSO for 
companies, for major global 

114
00:05:38,760 --> 00:05:41,600
organizations over about 30 
years. 

115
00:05:41,600 --> 00:05:45,320
I'm I'm giving away my kind of 
my, my generation there. 

116
00:05:45,680 --> 00:05:48,640
And if every one of those CSO 
roles as, as most people in 

117
00:05:48,640 --> 00:05:51,360
security teams can imagine, 
it's, it's hard to avoid 

118
00:05:51,800 --> 00:05:54,920
thinking about identity and 
access and access management is 

119
00:05:54,920 --> 00:05:57,440
CNR, as I'm sure we're going to 
talk about today, it's one of 

120
00:05:57,440 --> 00:06:01,600
the, the calls to security. 
But over many of those roles, 

121
00:06:01,600 --> 00:06:06,440
over over many years, it, it 
became, you know, a significant 

122
00:06:06,440 --> 00:06:11,120
part of being able to just ask 
and answer the question, what 

123
00:06:11,120 --> 00:06:13,080
are all the identities I should 
care about? 

124
00:06:13,520 --> 00:06:15,480
What are all the things they can
access? 

125
00:06:15,840 --> 00:06:19,480
Is that access appropriate? 
And if not, what can we do about

126
00:06:19,480 --> 00:06:21,240
it? 
And then to do that, that 

127
00:06:21,240 --> 00:06:24,000
massive scale. 
And so, and you know, and Tarun

128
00:06:24,000 --> 00:06:27,880
knows this story because this is
kind of how we first met is, you

129
00:06:27,880 --> 00:06:30,800
know, one of my prior 
organizations, I was really 

130
00:06:30,800 --> 00:06:33,960
struggling to, this is like a 
decade ago, really struggling to

131
00:06:33,960 --> 00:06:37,960
find any solutions that could 
help me solve this problem at 

132
00:06:37,960 --> 00:06:39,840
scale. 
So we ended up building 

133
00:06:39,840 --> 00:06:44,640
something and we, we built it 
wrong first, learned from how 

134
00:06:45,080 --> 00:06:49,320
not to build things at scale and
then built it at scale with a 

135
00:06:49,320 --> 00:06:52,760
very similar architecture to 
what Veza has, although it had 

136
00:06:52,760 --> 00:06:55,640
none of the sophistication, none
of the bells and whistles. 

137
00:06:55,640 --> 00:06:58,920
And you know, if I'd have been 
around, you know, if Veza had 

138
00:06:58,920 --> 00:07:01,840
been around, then I'd have 
bought that solution because it 

139
00:07:01,840 --> 00:07:05,320
was all of a scale problem. 
And so I've been immersed in 

140
00:07:05,320 --> 00:07:08,000
this at the sharp end for, for 
decades, decades. 

141
00:07:08,000 --> 00:07:11,640
And it's, you know, it's so good
to be partnering with Veza on, 

142
00:07:11,800 --> 00:07:14,880
on their journey and just 
figuring out how to solve this 

143
00:07:14,880 --> 00:07:17,640
in the right way. 
So I have to imagine it was 

144
00:07:17,640 --> 00:07:21,600
probably equal parts validating 
and frustrating that someone 

145
00:07:21,600 --> 00:07:24,560
built what you built and it's 
like, Oh yeah, that's oh wait, 

146
00:07:24,560 --> 00:07:29,000
that's maybe better. 
You know, I remember this, Jeff,

147
00:07:29,000 --> 00:07:31,320
this is 2021. 
I got introduced to Phil. 

148
00:07:31,680 --> 00:07:34,480
This is like, you know, we're 
only like 12, 14, 16 months old 

149
00:07:35,200 --> 00:07:38,320
and we just had very rough 
sketch MVP kind of ideas. 

150
00:07:38,320 --> 00:07:41,080
And, and you know, we started 
sharing with Phil that, you 

151
00:07:41,080 --> 00:07:43,200
know, hey, here is what you're 
thinking, here is a graph, here 

152
00:07:43,200 --> 00:07:46,440
is, here is here is access 
permissions, Here is how you 

153
00:07:46,440 --> 00:07:48,800
bring it together. 
And, and Phil looked at it. 

154
00:07:48,800 --> 00:07:50,920
It was a 30 minute introductory 
call. 

155
00:07:51,440 --> 00:07:53,520
And that call, I don't know 
Phil, if you remember, it ended 

156
00:07:53,520 --> 00:07:57,040
up being a 2 hour call and, and 
you know, we talked about lots 

157
00:07:57,040 --> 00:08:00,320
of challenges and Phil is like, 
OK, let's see if you, you know, 

158
00:08:00,760 --> 00:08:03,640
we put our head down for two 
years and, and we, you know, had

159
00:08:03,640 --> 00:08:05,000
the opportunity to meet Phil 
again. 

160
00:08:05,000 --> 00:08:09,240
And I remember 2023 and just so,
so lucky and so fortunate, so 

161
00:08:09,240 --> 00:08:13,640
privileged to have Phil on our 
board and and guide us pretty 

162
00:08:13,640 --> 00:08:16,800
much on a weekly basis. 
So this is probably a good segue

163
00:08:16,800 --> 00:08:18,680
for people who aren't familiar 
with Veza. 

164
00:08:18,960 --> 00:08:21,040
Tell us something about the 
company, You know, what is it 

165
00:08:21,040 --> 00:08:22,520
that you guys bring into the 
market? 

166
00:08:23,560 --> 00:08:25,920
And then most importantly, and 
I'm going to put my jaded CISO 

167
00:08:25,920 --> 00:08:27,400
hat on, is why are you guys 
different? 

168
00:08:27,440 --> 00:08:29,520
Why are you guys, you know, 
setting yourself apart? 

169
00:08:29,520 --> 00:08:31,520
How do you set yourself apart 
from from your competitors and, 

170
00:08:31,520 --> 00:08:33,919
and things like that? 
No, I think there are three 

171
00:08:33,919 --> 00:08:36,320
questions packed in Jeff. 
There's something to go fast, I 

172
00:08:36,320 --> 00:08:38,000
think. 
I think, look, with Veza what 

173
00:08:38,000 --> 00:08:40,799
you're building is really, you 
know what we call internally the

174
00:08:40,799 --> 00:08:42,480
next generation identity 
platform. 

175
00:08:42,760 --> 00:08:46,640
You know, we, we, we came to 
this conclusion back to your 

176
00:08:46,640 --> 00:08:50,840
question of, you know, identity,
definitely choose us or me 

177
00:08:50,840 --> 00:08:53,760
specifically. 
And, and I think the, you know, 

178
00:08:53,760 --> 00:08:57,120
the observation that we made on 
why we started this company, the

179
00:08:57,120 --> 00:09:00,560
insight and the intuition was, 
you know, we were simply just 

180
00:09:00,560 --> 00:09:04,280
asking questions, what I call 
the -1 journey of a startup 

181
00:09:04,280 --> 00:09:08,120
before you actually found the 
company, which is what's top of 

182
00:09:08,120 --> 00:09:10,120
mind. 
You, you said a CISO, what's 

183
00:09:10,120 --> 00:09:13,560
top of mind when it comes to 
securing the biggest asset in 

184
00:09:13,560 --> 00:09:15,280
your organization, which is your
data, right? 

185
00:09:15,280 --> 00:09:18,280
At the end of the day, if you're
buying any tool with buying to 

186
00:09:18,280 --> 00:09:22,480
really secure that asset and, 
and you know, the feedback was 

187
00:09:22,920 --> 00:09:25,200
that, hey, look, we've, we've 
solved lots of problems from 

188
00:09:25,200 --> 00:09:29,240
endpoint to network to securing 
multi factor, but we really 

189
00:09:29,240 --> 00:09:31,640
haven't solved the hardest 
problem in identity, which was 

190
00:09:31,640 --> 00:09:34,600
principle of least privilege. 
And and so, you know, 

191
00:09:34,600 --> 00:09:37,240
essentially with Veza, what, 
as, as Phil noted, you know, we 

192
00:09:37,240 --> 00:09:41,280
started the company in 2020, 5 
years old, really have taken 

193
00:09:41,280 --> 00:09:44,560
that mission to heart on on 
helping organizations really 

194
00:09:44,560 --> 00:09:47,000
thrive towards the principle of 
least privilege, which is in 

195
00:09:47,000 --> 00:09:50,480
simple words, who's Jim and what
can he delete in Snowflake or, 

196
00:09:50,480 --> 00:09:52,880
or who's Jeff and what can he 
delete in Oracle table? 

197
00:09:53,440 --> 00:09:55,840
And so that's essentially what, 
what what Veza started with, 

198
00:09:55,840 --> 00:09:59,520
what we want to go build is a, 
you know, our long term vision 

199
00:09:59,520 --> 00:10:03,040
or act one, act two, Act 3 is 
really rooted in how can we 

200
00:10:03,040 --> 00:10:07,040
build that next generation 
identity platform, which takes 

201
00:10:07,040 --> 00:10:10,120
me to your question of 
differentiation, you know, which

202
00:10:10,120 --> 00:10:14,320
was as we started digging into 
principle of least privilege, 

203
00:10:15,200 --> 00:10:17,760
you know, what became very clear
to us is the world believes 

204
00:10:18,400 --> 00:10:22,120
directories and identity and, 
and how fallacy that that that 

205
00:10:22,120 --> 00:10:24,960
thought is because that's not 
the truth. 

206
00:10:24,960 --> 00:10:28,880
The truth is, you know, the 
purest form of access is 

207
00:10:28,880 --> 00:10:30,400
actually permissions and 
entitlements. 

208
00:10:30,720 --> 00:10:33,600
And so we said, you know, look 
to back to your differentiation,

209
00:10:34,080 --> 00:10:37,360
the way we speak with CIOs and 
CSOs and CTOs is like, look, 

210
00:10:37,600 --> 00:10:40,440
identity has to go beyond a 
directory service. 

211
00:10:40,840 --> 00:10:43,760
We believe the purest form of 
identity is in permissions and 

212
00:10:43,760 --> 00:10:46,240
entitlements. 
We have built this beautiful, 

213
00:10:46,240 --> 00:10:49,960
what we call a durable data 
model and and data model, which 

214
00:10:49,960 --> 00:10:53,360
is realized as access graph 
really to help understand who 

215
00:10:53,360 --> 00:10:56,440
are the humans and the non 
humans or even third party 

216
00:10:56,440 --> 00:10:59,840
identities and what can what 
action can they perform on 

217
00:10:59,840 --> 00:11:03,480
critical systems, whether it be 
SaaS, whether it be data systems,

218
00:11:03,480 --> 00:11:06,080
whether it be cloud systems and 
now agentic AI apps. 

219
00:11:06,840 --> 00:11:09,760
And so essentially our 
differentiation, Jeff, is really

220
00:11:09,760 --> 00:11:14,680
in that data model, we call it 
the access graph, which really 

221
00:11:14,680 --> 00:11:19,200
brings the entitlements for that
individual into this beautiful 

222
00:11:20,320 --> 00:11:22,880
data structure, for lack of a 
better word on which you have 

223
00:11:22,880 --> 00:11:24,200
built. 
Lots and lots of apps. 

224
00:11:24,480 --> 00:11:27,520
Visibility, intelligence, 
access, reviews, we have built 

225
00:11:27,520 --> 00:11:30,760
these apps on top of that data 
model to really again go solve 

226
00:11:30,760 --> 00:11:32,400
business use cases and business 
problems. 

227
00:11:33,720 --> 00:11:37,040
So the other thing that is you 
guys are making some news today,

228
00:11:37,120 --> 00:11:38,720
you know, when this episode 
releases. 

229
00:11:38,720 --> 00:11:40,360
Tell us a little bit about 
what's happening in the world of

230
00:11:40,360 --> 00:11:41,320
Veza. 
Yeah. 

231
00:11:41,320 --> 00:11:44,440
No, look, we, we, as I noted, 
we've been very hard at work for

232
00:11:44,440 --> 00:11:46,800
the last five years. 
You know, you know, as Phil 

233
00:11:46,800 --> 00:11:50,640
noted, we have, we have had the 
fortunate opportunity to partner 

234
00:11:50,640 --> 00:11:54,480
with some very large Fortune 
100, Fortune 10 organizations. 

235
00:11:54,480 --> 00:11:58,160
It's become very clear, you 
know, after partnering with such

236
00:11:58,280 --> 00:12:01,520
organizations across both 
enterprise and commercial that 

237
00:12:01,520 --> 00:12:05,000
we truly are solving a critical,
critical problem in, in, in 

238
00:12:05,000 --> 00:12:07,280
cyber at large, right. 
Again, principle of least 

239
00:12:07,280 --> 00:12:10,880
privilege. 
So, you know, the time had come 

240
00:12:10,880 --> 00:12:12,640
for us to really double down, 
triple down. 

241
00:12:12,960 --> 00:12:15,320
You know, we start-ups are all 
about product market fit. 

242
00:12:15,320 --> 00:12:17,360
We feel like we have a great 
product market fit. 

243
00:12:18,880 --> 00:12:21,360
And so, you know, we're 
announcing today our Series D 

244
00:12:21,360 --> 00:12:24,360
investment of $108 million 
financing which, you know, 

245
00:12:24,360 --> 00:12:28,280
doubles our valuation from from the 
last time we did our Series C. 

246
00:12:29,440 --> 00:12:32,640
And, and really this investment 
is, is, you know, a very 

247
00:12:32,640 --> 00:12:35,600
grateful to the to the new 
investors, NEA and Aaron 

248
00:12:35,600 --> 00:12:38,480
Jacobson and Hillary from, from 
the NEA team to, to sort of 

249
00:12:38,480 --> 00:12:41,360
believe in the mission and the 
vision of the team, but also to 

250
00:12:41,360 --> 00:12:44,840
sort of double down and triple 
down what could be what we 

251
00:12:44,840 --> 00:12:46,920
believe could be a very, very 
long lasting company. 

252
00:12:48,360 --> 00:12:53,000
Tarun, congratulations on that 
and I'm glad you're finally on 

253
00:12:53,320 --> 00:12:56,120
the podcast. 
We've had Rich Dandliker on a 

254
00:12:56,400 --> 00:12:59,400
couple of times. 
Those have been some of our best

255
00:12:59,400 --> 00:13:02,200
episodes. 
And you mentioned how we bumped 

256
00:13:02,200 --> 00:13:06,680
into each other at Gartner. 
And I've got to say, your booth,

257
00:13:07,160 --> 00:13:09,600
there are probably two companies
that made the most noise of 

258
00:13:09,600 --> 00:13:12,120
Gartner and, and Veza was one 
of them. 

259
00:13:12,480 --> 00:13:15,960
And your booth just constantly 
had people there. 

260
00:13:16,280 --> 00:13:21,160
I mean, first off, your, your 
logos, even on your website were

261
00:13:21,400 --> 00:13:23,560
out of this world, but I knew a 
lot of the people who were 

262
00:13:23,560 --> 00:13:26,520
coming to your booth and it was 
like super impressive. 

263
00:13:26,520 --> 00:13:31,680
So congratulations big time. 
I think it's, you know, you're 

264
00:13:31,800 --> 00:13:33,840
on to the right thing at the 
right time. 

265
00:13:33,880 --> 00:13:37,520
Now, what do I mean by that? 
The identity security company, 

266
00:13:37,520 --> 00:13:40,120
right? 
And so that this is the time for

267
00:13:40,120 --> 00:13:41,680
that. 
That's what everyone's talking 

268
00:13:41,680 --> 00:13:44,280
about and there's good reason 
for that. 

269
00:13:45,520 --> 00:13:48,880
And I'm going to actually turn 
this into a question for Phil. 

270
00:13:49,040 --> 00:13:53,240
So identity security, it's like 
identity is front and center 

271
00:13:53,240 --> 00:13:58,480
when it comes to security. 
And Phil, I wonder if why is it 

272
00:13:58,480 --> 00:14:01,200
that now this is hitting so 
hard? 

273
00:14:02,680 --> 00:14:05,760
But yeah, I mean, I think it's 
it's really to do with just the 

274
00:14:06,280 --> 00:14:10,960
breadth of what identities and 
permissions and access and 

275
00:14:10,960 --> 00:14:13,520
entitlements companies have to 
deal with. 

276
00:14:13,520 --> 00:14:17,120
So they've got their traditional
on premise environment, they've 

277
00:14:17,120 --> 00:14:19,640
most often got multiple cloud 
environments. 

278
00:14:19,640 --> 00:14:22,680
They've got multiple SaaS 
services, some of which are big 

279
00:14:22,680 --> 00:14:26,880
data warehouse services. 
There's a whole array of things 

280
00:14:26,880 --> 00:14:33,200
now and coming with AI that has 
a whole series of human and non 

281
00:14:33,200 --> 00:14:36,560
human identities. 
So when you take a step back and

282
00:14:36,560 --> 00:14:40,000
you think about this problem, 
there's a set of human and non 

283
00:14:40,000 --> 00:14:44,360
human identities that have 
access to various resources and 

284
00:14:44,360 --> 00:14:48,200
organisations just need to 
answer the the relatively simple

285
00:14:48,200 --> 00:14:52,440
question of of what, you know, 
what or who has got access to 

286
00:14:52,440 --> 00:14:56,280
what and is that appropriate? 
And is that actually implemented

287
00:14:56,280 --> 00:15:00,640
according to the intent that we 
have now, all of us and probably

288
00:15:00,640 --> 00:15:03,360
a lot of the audience today 
have, you know, been in this 

289
00:15:03,520 --> 00:15:06,600
battlefield of identity security
for long enough to know that. 

290
00:15:06,920 --> 00:15:10,080
Yeah, just stating the problem 
quite simply like that. 

291
00:15:10,400 --> 00:15:14,720
When you put that against the 
backdrop of the scale that even 

292
00:15:14,720 --> 00:15:18,240
small to medium enterprises have
to deal with in terms of their 

293
00:15:18,680 --> 00:15:21,760
number of systems that contain 
access and privilege and 

294
00:15:21,760 --> 00:15:25,080
identity and all of the external
services that you then need to 

295
00:15:25,080 --> 00:15:29,880
just handle that scale in a way 
that doesn't require manual 

296
00:15:29,880 --> 00:15:34,200
reviews or tedious updates. 
You just kind of manage this and

297
00:15:34,800 --> 00:15:38,800
automated systematic way and to 
what Tarun was saying before. 

298
00:15:38,800 --> 00:15:42,400
Ultimately, and this is where a 
lot of organizations have failed

299
00:15:42,400 --> 00:15:47,400
in the past, if you don't 
architect this for the scale of 

300
00:15:47,480 --> 00:15:51,400
trillions of combinations of 
accesses that can only be 

301
00:15:51,400 --> 00:15:55,160
encoded in like an access graph 
like they have, then you're 

302
00:15:55,160 --> 00:15:58,040
ultimately, even if you've got a
great little system for dealing 

303
00:15:58,040 --> 00:16:00,680
with a small number of 
privileges, ultimately is going 

304
00:16:00,680 --> 00:16:02,600
to fail. 
If you can't scale that kind of 

305
00:16:03,000 --> 00:16:07,360
graph scale processing of of the
massive amount of combinations 

306
00:16:07,360 --> 00:16:12,360
of accesses that you have to 
monitor adherence to, even in 

307
00:16:12,360 --> 00:16:13,920
just the smallest of 
enterprises. 

308
00:16:13,920 --> 00:16:16,800
And that's really, I think what 
what everybody's dealing with. 

309
00:16:16,800 --> 00:16:20,600
And I think why to your point, 
people are flocking to the booth 

310
00:16:20,600 --> 00:16:23,520
at things like Gartner is 
they've tried solutions that 

311
00:16:23,520 --> 00:16:26,920
don't scale and they just need a
solution that scales to cover 

312
00:16:26,920 --> 00:16:28,960
all of their identity and access
requirements. 

313
00:16:28,960 --> 00:16:30,480
And that comes down to the data 
model. 

314
00:16:31,440 --> 00:16:33,480
Yeah, I definitely have sent the
data model. 

315
00:16:33,480 --> 00:16:36,200
But you know what I really love 
with you said there, and this is

316
00:16:36,200 --> 00:16:40,200
what I I love about you, Phil, 
is that you can take these big 

317
00:16:40,640 --> 00:16:43,800
difficult concepts and put it 
down to something simple, right 

318
00:16:44,080 --> 00:16:45,280
And and. 
So true. 

319
00:16:46,040 --> 00:16:48,600
Yeah, yeah. 
So that, that is super cool. 

320
00:16:50,320 --> 00:16:52,720
That's true. 
What what might you add to what 

321
00:16:52,720 --> 00:16:55,320
Phil just said? 
If you can add anything. 

322
00:16:55,600 --> 00:16:57,600
Yeah, no, no, no, I think, I 
think Phil is actually spot on. 

323
00:16:57,600 --> 00:17:00,680
You know, this this whole, Jim, 
maybe I can just share a couple 

324
00:17:00,680 --> 00:17:04,800
of examples from, from 
organizations that that we work 

325
00:17:04,800 --> 00:17:07,480
with, you know, just sort of 
give some examples. 

326
00:17:08,200 --> 00:17:12,400
You know, we, we, we see sort 
of, you know, to me, you know, 

327
00:17:12,400 --> 00:17:14,599
for lack of better or these sort
of use cases, right. 

328
00:17:16,200 --> 00:17:20,319
Who has access to what and what 
can they do with that access is 

329
00:17:20,319 --> 00:17:23,359
like #1 in your any 
organization, like whether it's 

330
00:17:23,359 --> 00:17:26,880
a Fortune 500, Global 2000 or a 
commercial organization, right? 

331
00:17:28,480 --> 00:17:31,600
So we see, you know, use cases 
sort of in the following order, 

332
00:17:31,600 --> 00:17:34,120
Jim, just to give you some 
couple of practical examples, 

333
00:17:34,640 --> 00:17:37,080
working with a very, very large 
financial organization and their

334
00:17:37,080 --> 00:17:40,000
entire use cases about identity 
hygiene. 

335
00:17:40,560 --> 00:17:43,040
And they're like, look, we have 
these users, users are part of

336
00:17:43,040 --> 00:17:46,920
groups and groups have roles, as
Phil noted below before. 

337
00:17:47,440 --> 00:17:49,200
And you know, roles are embedded
within roles. 

338
00:17:49,520 --> 00:17:52,360
Can somebody just, you know, 
demystify this and give us a 

339
00:17:52,360 --> 00:17:56,720
very simplistic view on, on who 
has access to what role in, 

340
00:17:56,720 --> 00:17:59,480
let's say a system like 
Salesforce, right Second. 

341
00:17:59,480 --> 00:18:05,520
So 1 is very high hygiene, 
identity, hygiene, AD hygiene #2

342
00:18:05,760 --> 00:18:08,200
you know, an example of, of an 
organization like a Blackstone, 

343
00:18:08,200 --> 00:18:11,400
right? 
There were a large Fortune 500 

344
00:18:11,400 --> 00:18:13,440
organization where they were 
doing all their access 

345
00:18:13,440 --> 00:18:16,880
governance, their identity 
governance on, on, on 

346
00:18:16,880 --> 00:18:18,440
spreadsheets. 
You know, as, as Phil noted, 

347
00:18:18,440 --> 00:18:20,560
there are, there are not many 
people have cracked this 

348
00:18:20,560 --> 00:18:23,040
problem. 
And so people are either living 

349
00:18:23,040 --> 00:18:26,800
in, in, in, in PowerShell 
scripts or they're living in 

350
00:18:26,800 --> 00:18:29,320
Excel spreadsheets, or they're 
architecting their own solutions

351
00:18:29,320 --> 00:18:31,080
for organizations that can, that
can do that. 

352
00:18:31,080 --> 00:18:34,080
And so Blackstone had 
architected a solution glued 

353
00:18:34,080 --> 00:18:37,560
together in ServiceNow and we've
completely transformed them in 

354
00:18:37,560 --> 00:18:40,200
three years here. 
There were about 5 to 500 apps. 

355
00:18:41,120 --> 00:18:44,000
Think of a Fortune 500 
organization configured on Veza 

356
00:18:44,000 --> 00:18:46,880
for things like access reviews, 
things like access provisioning,

357
00:18:46,880 --> 00:18:50,800
deprovisioning, give you another
example of a large organization.

358
00:18:52,840 --> 00:18:56,880
You know, think of an Intuit 
like they are our first of the 

359
00:18:56,880 --> 00:18:59,280
10 customers, 1st 10 customers 
for us. 

360
00:19:00,000 --> 00:19:02,920
And they're like, look, we love 
this access graph you have, We 

361
00:19:02,920 --> 00:19:06,360
love this data model. 
Can you go and apply this to us 

362
00:19:06,360 --> 00:19:09,880
to help us secure our GitHub? 
And we're like, why, Why do you 

363
00:19:09,880 --> 00:19:12,560
want to us to apply this to 
GitHub? 

364
00:19:12,560 --> 00:19:15,440
And they're like, look, it's the
biggest asset we have in the 

365
00:19:15,440 --> 00:19:18,600
organization. 
All our code is in GitHub. And so

366
00:19:18,600 --> 00:19:21,600
all our IP is in GitHub. 
We, we cannot let it get into 

367
00:19:21,600 --> 00:19:24,240
bad hands. 
And so we want to, you know, we 

368
00:19:24,240 --> 00:19:27,360
want to measure the permissions 
and the entitlements who has 

369
00:19:27,360 --> 00:19:29,920
access to it. 
And we want to keep driving what

370
00:19:29,920 --> 00:19:32,240
they're called as over 
permissioning access score. 

371
00:19:32,840 --> 00:19:35,040
We need to keep driving that 
access score of over 

372
00:19:35,040 --> 00:19:38,560
permissioning down to 10%. 
So just a few examples, Jim,

373
00:19:38,560 --> 00:19:42,520
to add to what Phil shared. 
So I, you know, this, this 

374
00:19:42,520 --> 00:19:45,680
concept of least privilege 
sounds simple, but it is 

375
00:19:45,680 --> 00:19:47,480
actually pretty hard to do in 
the real world. 

376
00:19:47,720 --> 00:19:49,440
And this is how I know we got 
serious. 

377
00:19:49,440 --> 00:19:52,040
Jim, Tarun took off his glasses. 
It's like now we're really 

378
00:19:52,040 --> 00:19:53,920
getting into like the deep end 
of it. 

379
00:19:55,200 --> 00:19:58,040
Tarun, this is such a hot spot 
right now. 

380
00:19:58,040 --> 00:20:00,560
Is this whole concept of 
identity security right? 

381
00:20:00,560 --> 00:20:02,080
And obviously we're big fans of 
it here. 

382
00:20:02,520 --> 00:20:05,080
You mentioned some of the issues
that you typically see and Phil,

383
00:20:05,080 --> 00:20:06,800
you mentioned some as well. 
It's kind of like why we're 

384
00:20:06,800 --> 00:20:11,120
having this moment in the sun. 
But I'm curious, what do you see

385
00:20:11,120 --> 00:20:14,080
as like the biggest identity 
challenge today that you're 

386
00:20:14,080 --> 00:20:16,440
seeing in organizations 
Immediately? 

387
00:20:16,440 --> 00:20:19,080
I think of things that are 
coming up this year that are 

388
00:20:19,160 --> 00:20:22,160
also having moments on like NHI,
non human identity. 

389
00:20:22,160 --> 00:20:24,040
It seems like it's the buzzword 
at every conference. 

390
00:20:24,600 --> 00:20:26,120
It's like everyone's kind of 
talking about. 

391
00:20:26,520 --> 00:20:28,920
But I also think about it from a
less technical standpoint of 

392
00:20:28,920 --> 00:20:31,840
just the fragmented ownership of
the way that organizations may 

393
00:20:31,840 --> 00:20:34,480
typically be structured from 
like a governance perspective. 

394
00:20:35,240 --> 00:20:37,400
You know, you'd be surprised how
many organizations go into and 

395
00:20:37,400 --> 00:20:39,040
say, so who's responsible for 
identity? 

396
00:20:39,960 --> 00:20:41,920
And, and people don't know, 
right? 

397
00:20:41,920 --> 00:20:44,720
Or it's fragmented and this 
person's responsible for this 

398
00:20:44,720 --> 00:20:46,960
part of it and that person's 
responsible for that part of it.

399
00:20:47,320 --> 00:20:49,760
I'm curious if those examples 
make sense. 

400
00:20:49,760 --> 00:20:53,040
Do you see additional challenges
that are out there and, and what

401
00:20:53,040 --> 00:20:56,240
should you know people be aware 
of and cognizant of say, OK, 

402
00:20:56,240 --> 00:20:58,200
these are some of the challenges
that that other people are 

403
00:20:58,200 --> 00:21:00,240
seeing as well? 
Phil, you want to take that for 

404
00:21:00,240 --> 00:21:01,280
us? 
Yeah, Yeah. 

405
00:21:01,360 --> 00:21:04,040
I, I mean, I think you know 
what's, what's fascinating is, 

406
00:21:04,240 --> 00:21:08,560
is again, it's this combinatoric
explosion of all of the possible

407
00:21:08,560 --> 00:21:12,440
accesses. 
So I mean, every time a new 

408
00:21:12,440 --> 00:21:17,600
system is brought online, the 
new SaaS provider is signed up, a

409
00:21:17,600 --> 00:21:22,360
new cloud provider is signed up 
to a new device is added, or 

410
00:21:22,480 --> 00:21:24,800
it's just another set of 
identities. 

411
00:21:24,800 --> 00:21:27,960
If they're not human identities,
they're the non human identities

412
00:21:27,960 --> 00:21:32,280
you bring up and then you add 
that and then all of those 

413
00:21:32,280 --> 00:21:35,040
things, they connect to the 
human or the other non human 

414
00:21:35,040 --> 00:21:38,080
identities. 
All of them connect to resources

415
00:21:38,080 --> 00:21:41,960
that have various 
degrees of permissions, often to

416
00:21:41,960 --> 00:21:45,360
Tarun's point before that are 
nested very, very quickly. 

417
00:21:45,480 --> 00:21:50,600
This just explodes and the 
ability to encode all this in a,

418
00:21:51,080 --> 00:21:54,760
in a, a data structure like a 
graph, it doesn't just give you 

419
00:21:54,760 --> 00:21:58,480
the ability to think about 
whether that is conforming at 

420
00:21:58,480 --> 00:22:00,880
the scale of what any reasonable
enterprise is. 

421
00:22:01,160 --> 00:22:03,760
It lets you kind of pivot up and
down the questions. 

422
00:22:03,960 --> 00:22:07,240
So like, for example, you can 
say, you know, is this 

423
00:22:07,240 --> 00:22:11,440
particular access appropriate? 
Or you could actually invert the

424
00:22:11,440 --> 00:22:16,080
problem and say, tell me the top
50 people in my organization 

425
00:22:16,080 --> 00:22:19,520
that have the most privilege. 
And you can almost guarantee, 

426
00:22:19,560 --> 00:22:22,720
and I'm, I'm sure you've had 
experience of this is in most 

427
00:22:22,720 --> 00:22:25,480
organizations, if they just ask 
that question, tell me the top 

428
00:22:25,480 --> 00:22:28,040
50 people or the top 100 people 
that have the most privilege. 

429
00:22:28,320 --> 00:22:32,040
The answer when you see that is 
like, holy cow, who gave them 

430
00:22:32,040 --> 00:22:36,480
all access? 
And and so the nice thing about 

431
00:22:36,800 --> 00:22:40,160
a scaled solution as opposed to 
one of these more traditional 

432
00:22:40,160 --> 00:22:43,000
solutions, that's just kind of, 
you know, people reviewing 

433
00:22:43,000 --> 00:22:46,280
things in spreadsheets or going 
through a GRC tool or going 

434
00:22:46,280 --> 00:22:49,880
through something that's like 
human reviewing other humans 

435
00:22:49,880 --> 00:22:52,440
accesses. 
You need to be able to ask these

436
00:22:52,440 --> 00:22:55,080
questions like who's got this 
privilege? 

437
00:22:55,080 --> 00:22:58,440
Who's got the most access? 
If this credential is 

438
00:22:58,440 --> 00:23:01,240
compromised? 
What's the chain of attacks 

439
00:23:01,240 --> 00:23:05,080
through the the identity graph 
that could result on an action 

440
00:23:05,080 --> 00:23:08,040
on a critical resource? 
All of that kind of stuff. 

441
00:23:08,040 --> 00:23:10,400
I mean, one of the things that's
fascinating and you know, Tarun 

442
00:23:10,400 --> 00:23:13,760
knows this as much as anybody, 
is every customer use case 

443
00:23:13,760 --> 00:23:17,760
at Veza, it's like every customer
almost invents their new set of 

444
00:23:17,760 --> 00:23:22,640
questions that are peculiar to 
their risks that other customers

445
00:23:22,640 --> 00:23:25,480
can learn from in terms of, wow, 
that's a really interesting way 

446
00:23:25,480 --> 00:23:28,040
of getting to the most risk and 
figuring out how to reduce their

447
00:23:28,040 --> 00:23:30,280
risk. 
No, absolutely. 

448
00:23:30,320 --> 00:23:33,120
And, and Jeff, if it's OK with 
you, just to add, add to what 

449
00:23:33,120 --> 00:23:36,080
Phil just shared, you know, 
you're absolutely right. 

450
00:23:36,080 --> 00:23:39,840
First of all, non human identity
is definitely top of mind #1 #2 

451
00:23:41,480 --> 00:23:43,520
you know, I'm here in Seattle 
meeting some of some of the, 

452
00:23:43,560 --> 00:23:47,680
some of the large organizations 
and, and you know, just just 

453
00:23:47,680 --> 00:23:50,320
today, just finishing a few 
discussions, you know, it was 

454
00:23:52,560 --> 00:23:56,560
the four use cases, you know, 
that come out every day that we 

455
00:23:56,560 --> 00:23:58,880
hear. 
Number one, there is no 

456
00:23:58,880 --> 00:24:01,640
centralized non non human 
identity store. 

457
00:24:01,640 --> 00:24:04,520
So can you please help us just 
understand the access tokens and

458
00:24:04,520 --> 00:24:07,800
the service principals and the 
service accounts and even things

459
00:24:07,800 --> 00:24:13,080
like local users who gave, for 
example, Jim a local user in 

460
00:24:13,080 --> 00:24:16,640
GitHub, like who did that right?
And and finding that for So 

461
00:24:16,640 --> 00:24:19,240
that's number one. 
Number two that we're hearing on

462
00:24:19,240 --> 00:24:22,600
non human is, is age, age of a 
age of a non human. 

463
00:24:22,960 --> 00:24:27,360
When was the last time we we 
rotated the key and and and the 

464
00:24:27,360 --> 00:24:29,840
third one is, you know, 
association of human to non 

465
00:24:29,840 --> 00:24:32,120
human, right? 
It's a very hard problem 

466
00:24:32,120 --> 00:24:35,080
actually too, because non human 
is many times, if not majority 

467
00:24:35,080 --> 00:24:36,600
of the times, ephemeral in 
nature. 

468
00:24:37,320 --> 00:24:40,280
And so you know, Jim, for 
example, is is in Active 

469
00:24:40,280 --> 00:24:42,720
Directory. 
He spins up an EC2 instance, 

470
00:24:43,080 --> 00:24:45,760
logs into a cube instance and 
and wants to go access 

471
00:24:45,760 --> 00:24:48,000
something. 
You know, if you if you think of

472
00:24:48,000 --> 00:24:51,840
again to the first point of that
chain of chain of attack, you 

473
00:24:51,840 --> 00:24:54,480
know, which is which is what is 
top of mind of customers is like

474
00:24:54,480 --> 00:24:58,000
look who who actually owns this 
non human, because we need to go

475
00:24:58,000 --> 00:25:01,240
and and clean that relationship 
and and figure out how do we get

476
00:25:01,240 --> 00:25:03,040
back to least privilege. 
Yeah. 

477
00:25:03,200 --> 00:25:06,040
And actually that's fascinating 
because This is why I think it's

478
00:25:06,040 --> 00:25:11,960
important for identity solutions
to deal with human and non human

479
00:25:11,960 --> 00:25:14,560
identities together. 
One of the things you get if you

480
00:25:14,560 --> 00:25:18,080
go back a few years, you they 
they were often somehow and 

481
00:25:18,360 --> 00:25:20,880
maybe still out today, different
product sets. 

482
00:25:21,320 --> 00:25:24,240
And one of the things I think 
Veza has done that's interesting

483
00:25:24,240 --> 00:25:28,280
is bring this together because 
often when, as Tarun points 

484
00:25:28,280 --> 00:25:31,560
out, when you're reasoning about
a non human identity, you're 

485
00:25:31,560 --> 00:25:35,760
connecting it often to a human 
identity that has the control 

486
00:25:35,760 --> 00:25:40,440
and ownership over a set of 
resources that are accessed by 

487
00:25:40,440 --> 00:25:41,400
the NHIs. 
And I. 

488
00:25:41,920 --> 00:25:45,200
And I think it's, it's, it's they 
have to be managed together and 

489
00:25:45,200 --> 00:25:49,120
that's going to be even more 
important in a world of AI 

490
00:25:49,120 --> 00:25:55,040
agents where the humans are 
delegating privilege to agents 

491
00:25:55,040 --> 00:25:58,240
that will act on their behalf, 
that will in turn interact with 

492
00:25:58,240 --> 00:26:03,160
other non human identities to 
fulfill goals on resources. 

493
00:26:03,520 --> 00:26:06,320
And so this is going to be even 
more important to make sure it's

494
00:26:06,680 --> 00:26:10,880
a holistic management of 
identity and access, governance 

495
00:26:10,880 --> 00:26:15,560
and security. 
So, Tarun, you know me. 

496
00:26:16,520 --> 00:26:18,760
You trust me with standing 
privileges, right? 

497
00:26:19,920 --> 00:26:22,840
I'm trustworthy. 
No, we don't want to hear about 

498
00:26:22,840 --> 00:26:24,840
the Zero Trust. 
No, we hear it. 

499
00:26:24,880 --> 00:26:27,080
You know, we, we heard two 
things right on those words. 

500
00:26:27,520 --> 00:26:30,160
Zero trust is incomplete without
principle of least privilege. 

501
00:26:30,160 --> 00:26:33,080
And you know, my, my deepest 
thanks to Phil. 

502
00:26:33,080 --> 00:26:35,520
You know, he's the one who 
helped us think through this 

503
00:26:35,520 --> 00:26:37,960
very clearly. 
As you said, Jimmy's. 

504
00:26:38,440 --> 00:26:40,200
That's the pleasure of 
partnering with Phil. 

505
00:26:40,200 --> 00:26:44,560
He says things in such a simple 
way #2 the residual access and 

506
00:26:44,560 --> 00:26:48,400
persistent access needs to go 
away to to your point. 

507
00:26:49,080 --> 00:26:51,560
That's right. 
It's, it's what you just said 

508
00:26:51,560 --> 00:26:53,080
there. 
And then when you think about 

509
00:26:53,080 --> 00:26:58,200
the non human identities and 
then look as as a practitioner, 

510
00:26:58,200 --> 00:27:02,840
I've been a practitioner for 
over 20 years, you think, well, 

511
00:27:02,840 --> 00:27:07,480
well, I've got a toolbox. 
It's got XYZ tools in it. 

512
00:27:07,480 --> 00:27:11,920
I'm going to choose from my 
tools to solve this problem, but

513
00:27:11,920 --> 00:27:15,320
the problem is different than 
what your tools were built to 

514
00:27:15,320 --> 00:27:21,040
solve, right? 
And so when I look at NHIs, not 

515
00:27:21,040 --> 00:27:24,400
literally, but I think about it,
I'm like, OK, that seems the 

516
00:27:24,400 --> 00:27:26,640
most like privileged access 
management. 

517
00:27:27,160 --> 00:27:29,640
So maybe can I just throw a 
privileged access management 

518
00:27:29,640 --> 00:27:32,160
tool at it? 
But I, so I have a question for 

519
00:27:32,160 --> 00:27:35,160
Phil because I think for a 
practitioner perspective, just 

520
00:27:35,160 --> 00:27:37,120
think about privileged access 
management. 

521
00:27:37,320 --> 00:27:41,760
It seems like the landscape is 
changing, or maybe it's not. 

522
00:27:41,760 --> 00:27:45,600
Maybe I'm thinking about it 
wrong, but it's always been 

523
00:27:45,600 --> 00:27:50,480
notoriously hard to solve 
privilege access management. 

524
00:27:50,480 --> 00:27:54,440
So I wanted to get your 
perspective on why is that so 

525
00:27:54,440 --> 00:27:57,680
hard to do, especially at scale.
Like why do why do the wheels 

526
00:27:57,680 --> 00:28:01,480
come off when you try and do 
privilege access management in a

527
00:28:01,480 --> 00:28:04,280
large enterprise? 
Well, well, it, it's 

528
00:28:04,280 --> 00:28:06,920
interesting, it kind of touches 
on where we were going before, 

529
00:28:06,920 --> 00:28:10,160
which is it's hard to unpick 
these identities these days. 

530
00:28:10,160 --> 00:28:13,720
So like, you know, if you go 
back, I don't know, 10 years ago

531
00:28:13,720 --> 00:28:17,240
when you talk about PAM, really 
what you're talking about is 

532
00:28:17,240 --> 00:28:22,760
managing say root access on Unix
or Linux servers, managing 

533
00:28:23,440 --> 00:28:27,280
significant privileged accounts 
on Windows infrastructure or 

534
00:28:27,280 --> 00:28:31,640
managing SSH, you know, 
credentials for significant 

535
00:28:31,640 --> 00:28:34,080
privileged access. 
And I think the interesting 

536
00:28:34,080 --> 00:28:38,600
thing now is when you look at 
how all of those privileges have

537
00:28:38,600 --> 00:28:43,160
been broken up into service 
account keys and machine 

538
00:28:43,160 --> 00:28:47,360
credentials and all of this 
other environment, it's hard to 

539
00:28:47,360 --> 00:28:51,240
distinguish between what's PAM 
and isn't PAM because, you know,

540
00:28:51,240 --> 00:28:53,120
sort of beauty is in the eye of 
the beholder. 

541
00:28:53,120 --> 00:28:55,760
It's like you could have 
something that's classically not

542
00:28:55,760 --> 00:29:00,040
PAM that suddenly becomes a very
highly privileged account 

543
00:29:00,040 --> 00:29:03,080
because the way you've 
overloaded the privileges onto 

544
00:29:03,080 --> 00:29:05,200
it. 
And therefore it just almost 

545
00:29:05,200 --> 00:29:09,560
makes no sense anymore to have 
like a PAM solution and a non

546
00:29:09,560 --> 00:29:12,800
human solution and a human 
solution and this solution. 

547
00:29:13,120 --> 00:29:15,440
You've got to deal with it all 
together because at any one 

548
00:29:15,440 --> 00:29:20,320
moment a historically non 
privileged account could become 

549
00:29:20,320 --> 00:29:23,640
a civilly privileged account. 
And unless you're picking that 

550
00:29:23,640 --> 00:29:28,080
up and controlling that as part 
of the whole identity graph, you

551
00:29:28,080 --> 00:29:30,120
know, it's hard to stay ahead of
that. 

552
00:29:30,120 --> 00:29:33,960
And I think ultimately we just 
got to think about identity and 

553
00:29:33,960 --> 00:29:37,600
access security is this, it's 
the whole environment. 

554
00:29:38,040 --> 00:29:42,280
And you ask some questions of 
the identity graphs that you've 

555
00:29:42,280 --> 00:29:45,760
built up to let you control the 
whole thing, because otherwise 

556
00:29:45,760 --> 00:29:48,440
you just curve to living in 
silos. 

557
00:29:48,760 --> 00:29:52,680
And as we all know from brutal 
experience, sometimes personal 

558
00:29:52,680 --> 00:29:57,080
experience, the attacks come in 
the seams between the silos, not

559
00:29:57,080 --> 00:29:58,840
full from all onto your 
controls. 

560
00:29:59,040 --> 00:30:02,480
And so having this evasive view 
of everything is just absolutely

561
00:30:02,480 --> 00:30:05,360
critical. 
Yeah, through the seams. 

562
00:30:05,360 --> 00:30:09,160
I, I like to use the analogy as 
the attacks are like water. 

563
00:30:09,240 --> 00:30:12,440
They find the cracks. 
They they, they find their way 

564
00:30:12,440 --> 00:30:15,040
in and then of course, if you're
in a cold environment, they get 

565
00:30:15,040 --> 00:30:18,160
in and then they freeze and 
break up your foundation. 

566
00:30:19,560 --> 00:30:22,000
And I think you're right. 
And I, I, I think back to some 

567
00:30:22,000 --> 00:30:25,160
of the early days with PAM where
we, you start getting into, 

568
00:30:25,160 --> 00:30:29,960
well, are you DVR style 
recording your sessions? 

569
00:30:29,960 --> 00:30:31,760
It's like. 
Who cares? 

570
00:30:32,160 --> 00:30:35,360
Right, that's like. 
Yeah. 

571
00:30:35,360 --> 00:30:35,800
No, we. 
We. 

572
00:30:36,400 --> 00:30:37,480
Tarun, 
what do you add to that? 

573
00:30:37,480 --> 00:30:40,040
Yeah, No, no, I was, I was going
to take that word of recording. 

574
00:30:40,040 --> 00:30:42,240
You know, we, we, you know, we 
live used to live 10 years ago, 

575
00:30:42,240 --> 00:30:45,640
maybe 15 now. 
You know, we used to live in the

576
00:30:45,640 --> 00:30:48,480
world of or we still probably 
live in the world of session 

577
00:30:48,480 --> 00:30:50,000
recording and session 
management. 

578
00:30:50,640 --> 00:30:52,680
But you go back to those 
customers and have those 

579
00:30:52,680 --> 00:30:56,120
discussions with them as like 
for work, right. 

580
00:30:56,560 --> 00:31:00,440
And, and this architecture of 
going back to the, you know, we 

581
00:31:00,440 --> 00:31:03,800
have this point of view that at 
the end of the architecture will

582
00:31:03,800 --> 00:31:07,560
sort of win at the end, which 
is, you know, take an example of

583
00:31:07,560 --> 00:31:09,560
Snowflake, take an example of 
Databricks. 

584
00:31:10,160 --> 00:31:14,080
You cannot go deploy an agent in
a cloud native system like a 

585
00:31:14,080 --> 00:31:17,200
Google BigQuery, right? 
And so who's going to do session

586
00:31:17,200 --> 00:31:18,600
management and session 
recording? 

587
00:31:18,600 --> 00:31:22,360
My point, I guess, is, Jim, 
privileged access in the cloud or

588
00:31:22,360 --> 00:31:27,640
PAM in the cloud or PAM for SaaS 
or PAM for agentic is not going

589
00:31:27,640 --> 00:31:29,360
to have the architecture that we
had before. 

590
00:31:29,360 --> 00:31:31,680
I'm going to deploy a proxy in 
an Oracle server. 

591
00:31:32,000 --> 00:31:34,240
It's going to record every 
action that I'm performing. 

592
00:31:34,320 --> 00:31:37,440
That world is not going to be 
going forward. 

593
00:31:38,560 --> 00:31:40,080
That's right. 
No, I mean, I think I think 

594
00:31:40,080 --> 00:31:43,240
you're right on that because you
know, we all know the immutable 

595
00:31:43,240 --> 00:31:48,360
infrastructure patterns and the 
need for declarative controls as

596
00:31:48,360 --> 00:31:51,600
code, policy as code, 
infrastructure as code. One of the 

597
00:31:51,600 --> 00:31:55,960
things I think, well, there's 
still use cases for session 

598
00:31:55,960 --> 00:31:59,520
recording and other things. 
They're typically seen in legacy

599
00:31:59,520 --> 00:32:03,880
environments where organizations
are for whatever reason, not 

600
00:32:03,880 --> 00:32:06,560
been able to adopt these kind of
immutable infrastructure 

601
00:32:06,560 --> 00:32:09,320
patterns. 
And then when you've got those 

602
00:32:09,320 --> 00:32:12,080
immutable infrastructure 
patterns, it even further 

603
00:32:12,080 --> 00:32:15,840
highlights not just the need but
also the opportunity for least 

604
00:32:15,840 --> 00:32:17,960
privilege. 
Because then you you're making 

605
00:32:17,960 --> 00:32:21,840
sure that the site reliability
engineers, the cloud 

606
00:32:21,840 --> 00:32:24,320
orchestration engineers, the 
development engineers, the 

607
00:32:24,320 --> 00:32:26,640
security engineers are all 
working on the same page to 

608
00:32:26,640 --> 00:32:29,960
actually minimize the privilege 
that drives not just improvement

609
00:32:29,960 --> 00:32:33,880
in security, but also consequent
improvement in reliability. 

610
00:32:34,160 --> 00:32:36,760
Because you're then minimizing 
privilege to force people 

611
00:32:36,760 --> 00:32:38,960
through the immutability 
infrastructure pattern as well. 

612
00:32:39,520 --> 00:32:41,920
Correct, correct. 
And, and Jim, I'll just say last

613
00:32:41,920 --> 00:32:43,840
thing quickly there. 
You know, the same customers we 

614
00:32:43,840 --> 00:32:48,080
speak to, they're like, look, 
you know, we're buying a PAM 

615
00:32:48,080 --> 00:32:52,720
solution because it says so in, 
in a, in a NIST playbook or some

616
00:32:52,720 --> 00:32:56,120
form of a playbook. 
But, but nowhere it says you 

617
00:32:56,120 --> 00:32:58,000
need to do so, you must do 
session recording. 

618
00:32:58,080 --> 00:33:00,160
Nowhere it says you must do 
session management. 

619
00:33:01,040 --> 00:33:02,880
You know, it just says you must 
do privilege access. 

620
00:33:02,880 --> 00:33:05,200
Well, that doesn't mean you have
to do session recording. 

621
00:33:05,440 --> 00:33:07,680
It could be simply Ganesh or 
Vartic, right? 

622
00:33:07,680 --> 00:33:12,040
So, so it's just, it's I think 
that that world of just back to 

623
00:33:12,080 --> 00:33:14,440
identity, you know, evolving 
very fast pace. 

624
00:33:14,440 --> 00:33:16,800
Similarly, the world of 
privilege access is evolving at 

625
00:33:16,800 --> 00:33:19,600
a very fast pace. 
I'd like to get a little bit 

626
00:33:19,600 --> 00:33:22,080
about access graph because as I 
mentioned a couple times here, 

627
00:33:22,080 --> 00:33:24,760
it's obviously secret sauce. 
I think maybe a little bit for 

628
00:33:24,760 --> 00:33:28,520
how this works. 
Tell me a bit about access graph. 

629
00:33:28,520 --> 00:33:32,360
What makes it unique? 
What can I see with it? 

630
00:33:32,360 --> 00:33:35,480
What can I do with it? 
And then the bonus part of that 

631
00:33:35,480 --> 00:33:39,360
question is you mentioned least 
privileged earlier, so how do I 

632
00:33:39,360 --> 00:33:41,880
use access graph to get to least
privilege? 

633
00:33:42,640 --> 00:33:44,280
Yeah, I know. 
I think those, you know, thank 

634
00:33:44,280 --> 00:33:45,600
you. 
Thank you Jeff for, for, for 

635
00:33:45,600 --> 00:33:47,200
asking. 
So, so I think look, first, 

636
00:33:47,200 --> 00:33:49,560
first with the access graph as, 
as you know, Phil, I had noted 

637
00:33:49,560 --> 00:33:54,120
earlier, you know, access graph 
is a manifestation of a data 

638
00:33:54,120 --> 00:33:55,560
model of the data structure, 
right? 

639
00:33:55,560 --> 00:33:57,920
So, so just to zoom back and 
then we'll zoom in. 

640
00:33:58,560 --> 00:34:02,800
You have entitlements everywhere
you know, Phil has access to 30 

641
00:34:02,800 --> 00:34:05,600
different systems, let's say so 
Phil has entitlements to 30 

642
00:34:05,600 --> 00:34:08,880
different systems. 
And so you know, applying a 

643
00:34:08,880 --> 00:34:12,639
first principles thinking, if we
are truly want to ask the answer

644
00:34:12,639 --> 00:34:15,360
the question who can perform 
what action on what data? 

645
00:34:17,000 --> 00:34:18,960
You just start breaking their 
problem down in first 

646
00:34:18,960 --> 00:34:21,040
principles. 
Who comes from your identity 

647
00:34:21,040 --> 00:34:25,400
systems like an Active Directory
or an Okta or a Ping or a Duo 

648
00:34:26,320 --> 00:34:28,800
or, or pick your, pick your 
critical identity systems. 

649
00:34:29,480 --> 00:34:32,960
And wherever Phil has access to,
he has, he belongs to certain 

650
00:34:32,960 --> 00:34:34,679
roles. 
We used to have this framework 

651
00:34:34,679 --> 00:34:36,080
called role based access 
control. 

652
00:34:36,080 --> 00:34:39,280
That paper, the seminal paper 
was written in 1982. 

653
00:34:39,280 --> 00:34:43,360
I think of, you know, if anybody
needs access to a system, you go

654
00:34:43,360 --> 00:34:45,040
through what is called role 
based access control. 

655
00:34:45,040 --> 00:34:49,120
So, you know, we, we said, OK, 
if you want to take who can take

656
00:34:49,120 --> 00:34:52,239
what action on what data, apply 
first principles. 

657
00:34:53,400 --> 00:34:55,000
And, and that became the data 
model. 

658
00:34:55,159 --> 00:34:56,719
And, and we called the data 
model. 

659
00:34:57,040 --> 00:34:58,840
Not many people can understand 
data model. 

660
00:34:58,840 --> 00:35:00,760
So we ended up calling it an 
access graph. 

661
00:35:01,400 --> 00:35:04,280
But but think of access graph 
under the hood is, is a data 

662
00:35:04,280 --> 00:35:08,720
structure, a normalized, a 
canonical data model, which 

663
00:35:08,720 --> 00:35:12,520
takes entitlements from 10 
different unique systems and 

664
00:35:12,520 --> 00:35:15,640
brings it down to a normalized 
data structure, right? 

665
00:35:16,760 --> 00:35:18,640
So that's what an access graph 
is. 

666
00:35:18,640 --> 00:35:22,360
Now you can imagine the, the, 
the art of innovation, the, the,

667
00:35:22,520 --> 00:35:26,440
the IP and, and the seminal 
innovation is, you know, as as 

668
00:35:26,440 --> 00:35:28,600
Phil used the word combinatorics,
right? 

669
00:35:30,080 --> 00:35:33,240
A user belongs to a group. 
Well, you could belong to 10s of

670
00:35:33,240 --> 00:35:35,920
groups. 
You have access to hundreds of 

671
00:35:35,920 --> 00:35:38,000
systems. 
Every system could have 10 or 

672
00:35:38,000 --> 00:35:41,200
different roles. 
Each role may give you M number 

673
00:35:41,200 --> 00:35:44,680
of entitlements to perform to N 
number of resources, right. 

674
00:35:44,680 --> 00:35:47,560
So if you think about in a in a 
classical computer science, 

675
00:35:47,560 --> 00:35:50,920
you're, you're, you're thinking 
about a data structure where 

676
00:35:50,920 --> 00:35:54,400
every element is to the log of 
scale, right? 

677
00:35:54,880 --> 00:35:57,760
And so you're thinking about NP 
hard problems, you're thinking 

678
00:35:57,760 --> 00:36:04,200
about, you know, computational 
problems, which are at a log or 

679
00:36:04,200 --> 00:36:07,840
an exponential scale, right? 
So, so that's where that's where

680
00:36:07,840 --> 00:36:09,920
our, our, our so-called the 
secret sauce. 

681
00:36:09,920 --> 00:36:13,400
And see is the word is, you 
know, how do you, how do you 

682
00:36:13,400 --> 00:36:15,400
stream the data? 
How do you parse it? 

683
00:36:15,720 --> 00:36:18,440
How do you store it in a, in a 
data store? 

684
00:36:18,800 --> 00:36:21,080
And how do you query it in near 
real time? 

685
00:36:21,880 --> 00:36:24,040
Imagine that data set, right? 
I'll give you an example. 

686
00:36:24,680 --> 00:36:28,760
Our access graph only up to 18 
months ago, Jeff, was 200 

687
00:36:28,760 --> 00:36:33,240
million nodes and edges, 200 
million nodes and edges. 

688
00:36:33,840 --> 00:36:37,760
Today our access graph has 16 
billion nodes and edges. 

689
00:36:38,800 --> 00:36:41,680
And and you know something Phil 
and I talk about all the time, 

690
00:36:42,880 --> 00:36:45,880
you know, the pace that we're 
going will have 100 billion 

691
00:36:45,880 --> 00:36:47,560
nodes and edges in less than two
years. 

692
00:36:48,600 --> 00:36:52,280
So, so that you know, that 
problem is of cardinality is the

693
00:36:52,280 --> 00:36:57,120
word we use the the problem is 
of very intelligent algorithms, 

694
00:36:58,080 --> 00:37:01,400
graph traversal algorithms, and 
the intelligence is how to 

695
00:37:01,440 --> 00:37:03,000
define the scheme of the data 
model. 

696
00:37:03,000 --> 00:37:06,560
So that's where our core of the 
IP and and we believe, you know,

697
00:37:07,600 --> 00:37:09,680
speaking very humbly, we believe
it's industry first. 

698
00:37:10,560 --> 00:37:14,760
You know something Jim said 
earlier, you know, back to NHIs,

699
00:37:14,760 --> 00:37:18,520
if I can bring it here in this, 
this, this, this security leader

700
00:37:18,520 --> 00:37:22,200
said it in a very beautiful 
words that on real problem and I

701
00:37:22,200 --> 00:37:24,000
have no tool that can solve that
problem. 

702
00:37:24,960 --> 00:37:27,400
And this is like Fortune 100 
actually Fortune 10. 

703
00:37:28,600 --> 00:37:30,320
I want to know where my NHIs 
are. 

704
00:37:30,320 --> 00:37:34,440
I have every tool in my toolbox,
the PAM solutions, the IGA 

705
00:37:34,440 --> 00:37:38,680
solutions, the IAM solutions, 
the and I have no tool and 

706
00:37:38,680 --> 00:37:40,160
therein lies the opportunity, 
right? 

707
00:37:40,160 --> 00:37:45,760
Taking that graph and applying 
it and sorry, what was your 

708
00:37:45,760 --> 00:37:48,600
second question, Jeff? 
I got, I got fashioned about. 

709
00:37:48,840 --> 00:37:50,720
I think you covered, I think you
covered all of it. 

710
00:37:50,720 --> 00:37:52,520
I was curious like what is this 
thing? 

711
00:37:52,520 --> 00:37:53,480
How does it work? 
And. 

712
00:37:53,840 --> 00:37:54,680
Oh, sorry. 
Yeah, I remember. 

713
00:37:54,960 --> 00:37:56,360
I remember your question. 
Sorry. 

714
00:37:56,360 --> 00:37:57,840
Yeah, I got your question of how
to release. 

715
00:37:57,840 --> 00:38:00,440
So, you know, once you have that
baseline of who has access to 

716
00:38:00,440 --> 00:38:01,760
what. 
And again, there's something, 

717
00:38:02,560 --> 00:38:04,240
you know, Phil is coaching, I 
said, you know, once you have 

718
00:38:04,240 --> 00:38:06,680
their baseline is not enough 
Phil is on our board. 

719
00:38:06,680 --> 00:38:09,000
And and so the other board 
members are like, you have to 

720
00:38:09,000 --> 00:38:10,720
get into actionability very 
quickly. 

721
00:38:11,160 --> 00:38:15,160
And so our phase are Act one, 
you know, very classical startup

722
00:38:15,160 --> 00:38:18,240
language or Act 1 was visibility
intelligence is working very 

723
00:38:18,240 --> 00:38:20,680
well for us. 
And our Act 2, which we started 

724
00:38:20,680 --> 00:38:24,640
about 18 months ago is about 
actionability access reviews. 

725
00:38:24,640 --> 00:38:28,800
You define a baseline, you 
define a policy and you monitor 

726
00:38:28,800 --> 00:38:33,800
the deviation or a drift or a 
creep and and you and you do 

727
00:38:33,800 --> 00:38:35,920
active operationalization on it,
right. 

728
00:38:35,920 --> 00:38:39,520
Could be a ServiceNow ticket, 
could be a Jira ticket, could be 

729
00:38:39,640 --> 00:38:43,640
a SOAR platform orchestration. 
So that's how we're we're we're 

730
00:38:43,640 --> 00:38:45,640
in the process of sort of 
pruning the over permissioning 

731
00:38:45,640 --> 00:38:48,560
access. 
You know, I'm so interested in 

732
00:38:48,560 --> 00:38:51,160
this topic of identity security.
So if I can pull the 

733
00:38:51,160 --> 00:38:55,280
conversation back to that and 
ask Phil, you know, kind of from

734
00:38:55,600 --> 00:38:59,960
from what he's seeing in his own
organization, talking to his 

735
00:38:59,960 --> 00:39:03,400
peers, you know, I'm, I'm 
thinking about identity security

736
00:39:03,400 --> 00:39:06,560
and OK, I'm going to start with 
my extra credit question. 

737
00:39:06,560 --> 00:39:10,640
Phil, my extra credit question 
is, is it the identity 

738
00:39:10,640 --> 00:39:16,200
practitioner who needs to 
change, adapt, learn new skills 

739
00:39:16,200 --> 00:39:21,160
to do identity security or is it
folks in other areas of 

740
00:39:22,040 --> 00:39:25,200
cybersecurity who need to learn 
identity? 

741
00:39:26,880 --> 00:39:30,520
The, the other question is, OK, 
when you start to put together a

742
00:39:30,520 --> 00:39:33,960
program around identity 
security, like what are you, 

743
00:39:34,520 --> 00:39:39,520
what are you driving toward in 
terms of key metrics, OKRs, 

744
00:39:40,080 --> 00:39:44,600
KPIs like what, what is it that 
you want to show the 

745
00:39:44,600 --> 00:39:48,280
organization that hey, I talked 
to you about we're going to do 

746
00:39:48,280 --> 00:39:50,400
identity security, assuming 
that's how you have the 

747
00:39:50,400 --> 00:39:53,640
conversation and we're going to 
spend a couple of million dollars. 

748
00:39:53,680 --> 00:39:55,240
What? 
What do we get for that money? 

749
00:39:56,360 --> 00:39:57,640
Yeah. 
I mean, I think what's 

750
00:39:57,640 --> 00:40:03,080
interesting about this problem 
is identity is in many 

751
00:40:03,080 --> 00:40:07,440
organisations is kind of split 
up across various teams and 

752
00:40:07,440 --> 00:40:11,960
there's often, no, very rarely 
is there consistent organization

753
00:40:11,960 --> 00:40:13,800
on that. 
So you may turn up at a bank and

754
00:40:13,800 --> 00:40:17,640
they've got like an identity 
security team inside the CSO 

755
00:40:17,640 --> 00:40:19,680
function. 
You then go to a different bank 

756
00:40:19,680 --> 00:40:23,440
and they've got it in the. 
DTO or the support function, 

757
00:40:23,440 --> 00:40:26,240
then you go to a pharma company 
and they've got in a different 

758
00:40:26,240 --> 00:40:28,840
team. 
I think the main thing we're 

759
00:40:28,840 --> 00:40:31,520
seeing though is for most 
organizations since they 

760
00:40:31,520 --> 00:40:36,560
recognize this has become such a
challenge or they did recognize 

761
00:40:36,560 --> 00:40:38,120
that and then they're solving 
it. 

762
00:40:38,480 --> 00:40:41,240
And essentially what they're 
doing is they're building this 

763
00:40:41,240 --> 00:40:44,840
into their environment rather 
than bolting it on after the 

764
00:40:44,840 --> 00:40:48,560
fact. 
And so a combination of the CSO 

765
00:40:48,560 --> 00:40:53,360
and the CTO or CIO are driving 
an integrated identity and 

766
00:40:53,360 --> 00:40:57,320
access governance process that's
treating this as an enterprise 

767
00:40:57,320 --> 00:41:01,600
wide risk management problem 
that not only manages security 

768
00:41:01,600 --> 00:41:04,400
risk, but it delivers 
transformational efficiency 

769
00:41:04,400 --> 00:41:06,920
gains. 
Because often in getting this 

770
00:41:06,920 --> 00:41:12,280
right, they're reducing the need
for dozens, if not hundreds and 

771
00:41:12,280 --> 00:41:14,840
in some cases the thousands 
identity and access 

772
00:41:14,840 --> 00:41:16,920
administrators that are doing 
all this manually. 

773
00:41:16,920 --> 00:41:21,280
And so this is one of those 
beautiful spaces compared to 

774
00:41:21,280 --> 00:41:24,320
some other spaces in security 
where you can do security 

775
00:41:24,720 --> 00:41:30,160
productivity efficiency and save
money all in one go rather than 

776
00:41:30,160 --> 00:41:32,920
having to just increase all of 
them when doing security. 

777
00:41:33,520 --> 00:41:36,960
And I think to your question 
about the metrics, So one of the

778
00:41:36,960 --> 00:41:39,640
risks though with this is, you 
know, as I'm sure everybody 

779
00:41:39,640 --> 00:41:44,720
knows, it's easy to drown in 
hundreds of different metrics on

780
00:41:44,720 --> 00:41:47,280
these things. 
And I, I, I like to kind of 

781
00:41:47,600 --> 00:41:50,040
elevate this up. 
And now you do have to get to 

782
00:41:50,040 --> 00:41:52,400
the detail. 
But the simple level though, 

783
00:41:52,960 --> 00:41:57,360
success or failure for me of 
identity programs in, you know, 

784
00:41:57,600 --> 00:42:00,880
small, medium and, and 
especially large organisations, 

785
00:42:00,960 --> 00:42:05,200
it's really about three things. 
It's like 1 is coverage, but 

786
00:42:05,480 --> 00:42:10,960
what percentage of your universe
of identities do you have under 

787
00:42:10,960 --> 00:42:16,000
central management or at least 
central visibility in a tool 

788
00:42:16,000 --> 00:42:18,320
like Veza or, or something 
else? 

789
00:42:19,000 --> 00:42:21,720
So that's coverage. 
And, and as you know, if you 

790
00:42:21,800 --> 00:42:24,280
know, you could probably kill 
yourself nearly trying to get to

791
00:42:24,280 --> 00:42:27,480
like 100% coverage. 
So many of these things may not 

792
00:42:27,520 --> 00:42:30,880
the goal may not be 100%. 
It may be 100% of your most 

793
00:42:30,880 --> 00:42:34,520
critical systems, 70% of these 
other systems, then a long tail 

794
00:42:34,520 --> 00:42:37,680
of other things to pick up. 
But it's important to understand

795
00:42:38,000 --> 00:42:40,480
where you're at on, on the 
percentage of coverage. 

796
00:42:40,880 --> 00:42:43,440
Then once you understand the 
percentage of coverage, it's 

797
00:42:43,920 --> 00:42:47,880
what's your percentage of 
adherence to enterprise 

798
00:42:47,880 --> 00:42:50,320
policies. 
These could be least privilege 

799
00:42:50,320 --> 00:42:54,800
policies, it could be privileged
scoping policies, it could be 

800
00:42:55,120 --> 00:42:57,320
RBAC, ABAC, separation of 
duties. 

801
00:42:57,520 --> 00:43:00,320
But basically once you've got 
all your coverage, you need to 

802
00:43:00,320 --> 00:43:04,440
know what of those identities 
and access conforms to your 

803
00:43:04,440 --> 00:43:08,280
enterprise policies. 
Now the third and final thing is

804
00:43:08,520 --> 00:43:12,240
what you might call accuracy, 
which is, are those enterprise 

805
00:43:12,240 --> 00:43:15,760
policies that you're driving 
adherence to, do they actually 

806
00:43:15,920 --> 00:43:18,680
represent what your business 
risks are? 

807
00:43:18,920 --> 00:43:22,480
So like for example, you could 
have everything under control, 

808
00:43:22,480 --> 00:43:25,440
everything under access 
management and it looks great, 

809
00:43:25,480 --> 00:43:28,360
but everybody's massively over 
permissioned because we didn't 

810
00:43:28,360 --> 00:43:30,880
express your business rule 
according to your actual risk. 

811
00:43:31,240 --> 00:43:34,040
But I think ultimately, if you 
an organization just really 

812
00:43:34,040 --> 00:43:38,280
understand where they're at 
percentage wise on that journey 

813
00:43:38,280 --> 00:43:44,080
to full coverage, full adherence
and then an accurate statement 

814
00:43:44,080 --> 00:43:47,040
of whether your policies conform
to your business risks. 

815
00:43:47,920 --> 00:43:50,040
I mean, that's that's a decade 
worth of work there. 

816
00:43:50,040 --> 00:43:54,680
But hopefully Veza makes that 
like 18 months or two years 

817
00:43:54,680 --> 00:43:58,280
rather than a decade. 
And and Tarun, I'll follow up 

818
00:43:58,280 --> 00:44:01,000
with you and we got to make a 
quick answer here because if we 

819
00:44:01,000 --> 00:44:04,680
don't get this next question in,
Jeff might up and quit because I

820
00:44:04,680 --> 00:44:10,200
know he wants to talk about AI, 
but can Veza basically provide 

821
00:44:10,200 --> 00:44:12,640
the information that Phil just 
went over in terms of? 

822
00:44:12,760 --> 00:44:15,360
Coverage absolutely no. 
We, we you know, we have taken, 

823
00:44:15,360 --> 00:44:19,040
we've taken that construct of 
access policy and a set of 

824
00:44:19,040 --> 00:44:20,920
access policies and we have 
codified. 

825
00:44:20,920 --> 00:44:24,440
So you know, meaning the user 
journey to to to simple answer 

826
00:44:24,440 --> 00:44:28,120
to your question, the user 
journey that we aspire to give 

827
00:44:28,120 --> 00:44:30,960
as you connect Veza to your 5 
or 10 critical systems. 

828
00:44:31,440 --> 00:44:34,800
And we want to give you very 
quickly those access policy 

829
00:44:34,800 --> 00:44:38,440
risks, right? 
And they are baselined against a

830
00:44:38,440 --> 00:44:41,560
least privilege risk and over 
permission risk, a non-human 

831
00:44:41,560 --> 00:44:45,000
identity risk, a global admin 
risk that you can then go act 

832
00:44:45,000 --> 00:44:47,080
very quickly, Jeff to your point
of least privilege. 

833
00:44:48,120 --> 00:44:49,840
OK. 
So I'm glad Jim is giving me 

834
00:44:49,880 --> 00:44:51,720
just a minute to ask an AI 
question. 

835
00:44:51,720 --> 00:44:55,480
And so I want to turn to you 
because I, I'm curious what you 

836
00:44:55,480 --> 00:44:59,440
think is going to be the biggest
impact that AI and specifically 

837
00:44:59,440 --> 00:45:02,400
maybe generative AI is going to 
have on an identity security 

838
00:45:02,400 --> 00:45:04,280
practice. 
What should I, what should 

839
00:45:04,280 --> 00:45:08,520
people be listening for when it 
comes to these are impacts we 

840
00:45:08,520 --> 00:45:11,080
should be aware of? 
Well, I think it's, it's, it's 

841
00:45:11,080 --> 00:45:13,920
two things, it's opportunities 
and risk, just like with most 

842
00:45:13,920 --> 00:45:17,720
things to do with AI. 
So first, on the the opportunity

843
00:45:17,720 --> 00:45:23,040
side, I mean, I think the the 
use of AI tooling to analyze 

844
00:45:23,200 --> 00:45:28,080
large amounts of data to be able
to translate human express 

845
00:45:28,120 --> 00:45:33,880
expressible policies into 
machine readable code that can 

846
00:45:33,880 --> 00:45:36,240
help you manage your access 
policies. 

847
00:45:36,280 --> 00:45:38,520
We're just seeing that all the 
time. 

848
00:45:39,120 --> 00:45:41,680
And it may not even just be 
things like large language 

849
00:45:41,680 --> 00:45:44,280
models to help with that. 
One of the nice things about 

850
00:45:44,280 --> 00:45:47,920
having an access graph data 
model is this technology like 

851
00:45:47,920 --> 00:45:52,560
graph neural networks that let
you look for anomalies of access

852
00:45:52,560 --> 00:45:56,680
and clustering of privilege that
may be anomalous at graph scale.

853
00:45:57,000 --> 00:46:00,200
And so there's a lot of 
opportunities to apply AI to 

854
00:46:00,200 --> 00:46:04,640
help people productivity 
productively manage the risks 

855
00:46:04,920 --> 00:46:08,200
associated with, with all of 
their complex privileges. 

856
00:46:09,200 --> 00:46:12,200
On the flip side, though, one of
the things we're seeing, and I'm

857
00:46:12,200 --> 00:46:15,640
sure everybody's starting to 
kind of project this forward in 

858
00:46:15,640 --> 00:46:22,200
a world of, of AI agents acting 
on behalf of people or behalf of

859
00:46:22,200 --> 00:46:24,920
systems. 
We're going to see an even 

860
00:46:25,200 --> 00:46:29,400
bigger amount of non human 
identities, identities 

861
00:46:29,400 --> 00:46:32,800
associated with with agents, 
identities associated with back 

862
00:46:32,800 --> 00:46:35,520
end systems. 
And we're again just about to 

863
00:46:35,520 --> 00:46:39,720
see an explosion over this year 
and the coming years on the 

864
00:46:39,720 --> 00:46:42,920
amount of AI agents that 
individuals have, that companies

865
00:46:42,920 --> 00:46:46,560
have, that systems have. 
And it's again, things like the,

866
00:46:47,000 --> 00:46:50,280
the model context protocol 
standards that that, that that 

867
00:46:50,280 --> 00:46:54,000
came out late last year from 
Anthropic that many companies 

868
00:46:54,000 --> 00:46:59,600
are adopting provides this 
standard layer by which services

869
00:46:59,600 --> 00:47:03,880
can implement accessibility and 
connectivity from AI agents is 

870
00:47:03,880 --> 00:47:05,720
going to even further add to 
that. 

871
00:47:05,920 --> 00:47:08,280
One of the things that's going 
to be fascinating is on things 

872
00:47:08,280 --> 00:47:10,520
like MCP, the model context 
protocol. 

873
00:47:10,840 --> 00:47:15,000
There's much work still to be 
done on identity access and 

874
00:47:15,000 --> 00:47:19,160
authentication in that layer. 
And I think that's where a lot 

875
00:47:19,160 --> 00:47:20,760
of solutions are going to be 
needed. 

876
00:47:20,760 --> 00:47:24,280
And again, like we talked about 
before, you can't really think 

877
00:47:24,280 --> 00:47:28,280
about that as a unique solution 
just to manage AI identities. 

878
00:47:28,520 --> 00:47:30,720
And it's so intrinsically 
embedded. 

879
00:47:30,720 --> 00:47:34,960
For example, if you have an MCP 
server that's going to connect 

880
00:47:34,960 --> 00:47:40,040
to a tools API gateway, that's a
bunch of non human identities, 

881
00:47:40,360 --> 00:47:43,720
you can't all of a sudden have 
an AI, you know, privilege 

882
00:47:43,720 --> 00:47:46,720
management system that has no 
concept of all the other non 

883
00:47:46,720 --> 00:47:49,080
human identities. 
It just, it would be yet another

884
00:47:49,080 --> 00:47:50,800
silo like we talked about 
before. 

885
00:47:50,800 --> 00:47:53,680
And so positioning an 
environment where you've already

886
00:47:53,680 --> 00:47:57,320
got your your human identities, 
your non human identities to add

887
00:47:57,320 --> 00:48:01,000
into the mix, your AI agent 
identities that act as delegated

888
00:48:01,000 --> 00:48:04,640
permissions from your human 
identities or your system non 

889
00:48:04,640 --> 00:48:07,120
human identities. 
Having that in the mix and the 

890
00:48:07,120 --> 00:48:11,040
graph is going to be important. 
And if you can't scale that, the

891
00:48:11,040 --> 00:48:14,920
scale of AI agents is just going
to be, you know, off the charts 

892
00:48:14,920 --> 00:48:16,960
even compared to where we're at 
today. 

893
00:48:17,600 --> 00:48:19,520
And I don't think there's many 
solutions out there, 

894
00:48:19,520 --> 00:48:22,160
particularly the ones that 
haven't built for this scalable 

895
00:48:22,160 --> 00:48:24,120
graph that are going to be able 
to cope with that. 

896
00:48:25,280 --> 00:48:29,000
So I think that MCP or model 
context protocol is one of the 

897
00:48:29,000 --> 00:48:32,720
more important developments to 
come along because otherwise we 

898
00:48:32,720 --> 00:48:35,840
run into the risk of data silos 
again, which is kind of where 

899
00:48:35,840 --> 00:48:37,600
we've been. 
It's almost like, you know, that

900
00:48:37,600 --> 00:48:40,080
group and I'm going to simplify 
it for my feeble brain and we're 

901
00:48:40,080 --> 00:48:41,880
going to have to do a whole 
separate episode on this. 

902
00:48:41,880 --> 00:48:44,440
But it's, it's almost like 
you're developing a standard for

903
00:48:44,640 --> 00:48:47,440
how should these AI's talk to 
each other? 

904
00:48:47,440 --> 00:48:48,520
Can they speak the same 
language? 

905
00:48:48,520 --> 00:48:52,280
It's, it's like USB, everybody 
uses a USB port or, you know, 

906
00:48:52,280 --> 00:48:54,440
it's like OAuth or SAML or 
something like that, right. 

907
00:48:54,440 --> 00:48:57,400
Where there is a, there is a 
common way to talk to each 

908
00:48:57,400 --> 00:48:59,160
other, which I think is hugely 
important to be able to share 

909
00:48:59,160 --> 00:49:03,080
information back and forth. 
So I am totally all into having 

910
00:49:03,080 --> 00:49:06,440
a, a conversation about that. 
But I want to pitch the last 

911
00:49:06,440 --> 00:49:09,880
question to Tarun and this is 
my, my AI at the center 

912
00:49:10,240 --> 00:49:14,000
question. 
Where is Veza at from an AI 

913
00:49:14,000 --> 00:49:16,040
perspective? 
How are you guys leveraging it? 

914
00:49:16,040 --> 00:49:19,440
What is your overall look 
forward on on how you see this 

915
00:49:19,440 --> 00:49:21,680
impacting your organization and 
your product? 

916
00:49:22,000 --> 00:49:23,120
Yeah, Well, thank you. 
Thank you, Jeff. 

917
00:49:23,160 --> 00:49:25,560
I, I will try to again keep it, 
keep it quick. 

918
00:49:25,560 --> 00:49:29,600
You know, again, having having 
somebody like Phil on the board 

919
00:49:30,280 --> 00:49:33,080
sort of helping us think through
N+2, N+3. 

920
00:49:33,760 --> 00:49:36,280
You know, we launched a brand 
new product called Access AI. 

921
00:49:38,240 --> 00:49:40,680
You know, Phil is a big 
proponent for for me and my Co 

922
00:49:40,680 --> 00:49:42,680
founders to be thinking about 
those things very early. 

923
00:49:42,680 --> 00:49:46,760
So we launched Jeff to to your 
question, we launched Access AI,

924
00:49:47,640 --> 00:49:50,200
which is which is our generative
AI solution. 

925
00:49:50,880 --> 00:49:53,720
You know, again, if you go back 
to the fundamental question that

926
00:49:53,720 --> 00:49:56,720
you're trying to answer, who can
take what action on what data, 

927
00:49:57,440 --> 00:49:59,080
you know, imagine that as 
natural language. 

928
00:49:59,280 --> 00:50:02,480
Imagine that what you do on 
ChatGPT and prompt engineering 

929
00:50:02,480 --> 00:50:05,520
based, right? 
So, so we launched a new 

930
00:50:05,520 --> 00:50:08,000
product. 
It was geared, the first app 

931
00:50:08,400 --> 00:50:10,720
that we built on Access AI is 
for search. 

932
00:50:10,720 --> 00:50:12,520
So now you can come and ask a 
question. 

933
00:50:13,000 --> 00:50:17,520
My AD user whose location code 
is in China, can they access 

934
00:50:17,520 --> 00:50:21,120
data in Salesforce? 
Access AI allows you to ask 

935
00:50:22,120 --> 00:50:23,840
those data sovereignty 
questions, right? 

936
00:50:25,400 --> 00:50:28,040
And, and so the next, you know, 
the, so we're building apps on 

937
00:50:28,040 --> 00:50:30,560
top of Access AI. 
It's, you know, built on top of 

938
00:50:30,560 --> 00:50:32,160
Bedrock. 
You can, you can imagine all 

939
00:50:32,160 --> 00:50:34,920
the, all the good things that 
enterprises care about. 

940
00:50:35,840 --> 00:50:38,400
The next app you're thinking, of
course, is, you know, we are now

941
00:50:38,400 --> 00:50:41,440
customers saying that look, 
you've done so much for access 

942
00:50:41,440 --> 00:50:45,080
reviews, you know, approve and 
reject. 

943
00:50:45,120 --> 00:50:47,600
I belong, you know, I have 
access to something and did 

944
00:50:47,600 --> 00:50:50,840
approve my access or not. 
And they're like, can you apply 

945
00:50:50,840 --> 00:50:55,160
access AI where if I get a 
quarterly access review, I hit 

946
00:50:55,160 --> 00:50:59,520
the access AI button, it tells 
me from the 100 entitlement 

947
00:50:59,520 --> 00:51:01,480
reviews I have to do, I only 
have to pay attention to the 

948
00:51:01,480 --> 00:51:05,320
five, you know, again, filter 
for, you know, signal and noise.

949
00:51:05,320 --> 00:51:08,680
So it's a really good product. 
It's a new beginning for us. 

950
00:51:08,680 --> 00:51:11,760
And now if you think of the 
agentic AI Jeff, with, with 

951
00:51:11,760 --> 00:51:16,880
what, what Phil was sharing 
earlier, you know, now we're 

952
00:51:16,880 --> 00:51:19,040
going into the world, we get a 
notification. 

953
00:51:19,680 --> 00:51:23,160
Now we can respond to it, right,
with the agents versus just a 

954
00:51:23,160 --> 00:51:26,040
notification that you're running
late for a meeting. 

955
00:51:26,360 --> 00:51:29,200
Now you can start to talk to it.
And if those two agents, the 

956
00:51:29,240 --> 00:51:33,640
only common entity, the only 
common attribute is actually 

957
00:51:33,640 --> 00:51:35,840
permissions of entitlement. 
So we're actually very 

958
00:51:35,840 --> 00:51:40,960
fascinated, You know, I'll even 
spill some beans, you know, just

959
00:51:40,960 --> 00:51:45,120
just three weeks ago, 4 weeks 
ago when we met with Phil, you 

960
00:51:45,120 --> 00:51:47,920
know, he encouraged that, look, 
this is going to be such a 

961
00:51:47,920 --> 00:51:52,240
transformational seminal force 
that you should perhaps think 

962
00:51:52,240 --> 00:51:55,960
about, you know, setting up 
subsidiary and just heads down 

963
00:51:55,960 --> 00:51:59,280
focusing on on access here. 
That's the focus that will be 

964
00:51:59,280 --> 00:52:01,280
needed. 
So there's something on that. 

965
00:52:01,280 --> 00:52:04,800
Maybe the future, you know how 
much we're going to embrace, you

966
00:52:04,800 --> 00:52:07,480
know, by by by by putting our 
focus and team around it. 

967
00:52:08,360 --> 00:52:10,760
It's clear that there is so much
more room for innovation at this

968
00:52:10,760 --> 00:52:12,080
point. 
And I love what you guys are 

969
00:52:12,080 --> 00:52:14,400
doing. 
And I'm a big fan of the AI 

970
00:52:14,400 --> 00:52:17,280
stuff. 
So things that make our lives 

971
00:52:17,320 --> 00:52:19,520
easier are things that I'm 
interested in. 

972
00:52:20,080 --> 00:52:23,480
And there are so many people out
there that are still spending 

973
00:52:23,480 --> 00:52:25,800
their time poring over 
spreadsheets. 

974
00:52:26,280 --> 00:52:30,160
Phil, here's a list of 500 
people who have access to this 

975
00:52:30,320 --> 00:52:34,040
weirdly named Active Directory 
group that nobody knows what it 

976
00:52:34,040 --> 00:52:35,600
does. 
And it's nested in underneath 

977
00:52:35,600 --> 00:52:38,400
four other different things. 
Hey, Phil, does that look right 

978
00:52:38,400 --> 00:52:40,240
to you? 
And Phil, you know, no offense 

979
00:52:40,240 --> 00:52:42,920
to you, you don't know what 
you're looking at, right? 

980
00:52:43,200 --> 00:52:47,560
So I think there's a a huge 
opportunity to humanize the way 

981
00:52:47,560 --> 00:52:48,840
identity's done. 
And I love what you guys are 

982
00:52:48,840 --> 00:52:50,720
working on. 
So it's super cool. 

983
00:52:50,720 --> 00:52:52,840
I know we're running out of 
time, but I want to give Tarun 

984
00:52:52,840 --> 00:52:56,080
and Phil one last chance here. 
Any final thoughts you want to 

985
00:52:56,080 --> 00:52:57,520
take with Tarun? 
I'll start with you and then 

986
00:52:57,520 --> 00:52:59,840
we'll end with Phil. 
No, Jeff and Jim, thank you so 

987
00:52:59,840 --> 00:53:02,480
much. 
You know, been wanting to be to 

988
00:53:02,480 --> 00:53:04,840
do this together and it came 
together very well with Phil. 

989
00:53:05,400 --> 00:53:07,520
Thanks for thanks for really an 
exciting conversation. 

990
00:53:07,520 --> 00:53:14,680
And you know, I would say, you 
know, the time time is here for 

991
00:53:14,680 --> 00:53:18,720
us to really, you know, not just
lift one boat. 

992
00:53:18,720 --> 00:53:20,400
And there's something I, you 
know, shared with you and our 

993
00:53:20,400 --> 00:53:23,160
teams. 
Let's not shift the boat, move 

994
00:53:23,160 --> 00:53:26,200
the boat of visibility or move 
the boat of intelligence. 

995
00:53:27,400 --> 00:53:30,000
You know, let's try to build 
something which can we can lift 

996
00:53:30,000 --> 00:53:32,160
all the boats together at A at a
single time. 

997
00:53:32,160 --> 00:53:35,640
So whether it be IGA, whether it
be Pam, whether it be NHI, we 

998
00:53:35,640 --> 00:53:39,960
believe the fundamental of that 
is rooted in just completely 

999
00:53:39,960 --> 00:53:41,600
rethinking identity from the 
scratch. 

1000
00:53:41,600 --> 00:53:45,320
So again, very happy for the 
very grateful for the 

1001
00:53:45,320 --> 00:53:48,800
opportunity and I'll give the 
baton to Phil to to help close. 

1002
00:53:49,720 --> 00:53:51,320
Yeah. 
I mean, it just just to build on

1003
00:53:51,320 --> 00:53:53,240
that, I mean, I think we've 
covered a lot of this since 

1004
00:53:53,240 --> 00:53:55,680
we've gone through the session 
today, but just really 

1005
00:53:56,240 --> 00:54:00,440
encouraging everybody to just 
think about this problem more 

1006
00:54:00,440 --> 00:54:05,600
simply and in bigger terms. 
Like thinking of it as a simple 

1007
00:54:05,600 --> 00:54:08,960
way of, do you know where all 
your identities are? 

1008
00:54:09,400 --> 00:54:12,240
You understand all of the 
resources they can access? 

1009
00:54:12,560 --> 00:54:14,680
Do you have a record of all of 
that? 

1010
00:54:15,160 --> 00:54:18,160
And everybody of course knows 
they should be doing that. 

1011
00:54:18,200 --> 00:54:20,640
And then when you look at the 
reasons they've not done that, 

1012
00:54:20,640 --> 00:54:24,320
it's because of complexity, it's
because of scale, it's because 

1013
00:54:24,760 --> 00:54:27,120
certain systems couldn't be 
brought together. 

1014
00:54:27,360 --> 00:54:29,520
And one of the things that I 
think, you know, the Veza team 

1015
00:54:29,520 --> 00:54:33,400
have done such a great job on is
figuring out the technology and 

1016
00:54:33,400 --> 00:54:37,560
the secret sauce that had to 
bring all of that together so 

1017
00:54:37,560 --> 00:54:40,840
that all different types of 
identity problems and access 

1018
00:54:40,840 --> 00:54:43,800
problems and management problems
can be solved from the same 

1019
00:54:43,800 --> 00:54:46,640
structure. 
And that's why I'm, I'm very 

1020
00:54:46,640 --> 00:54:51,840
optimistic about the challenges 
of managing the even bigger set 

1021
00:54:51,840 --> 00:54:57,280
of AI identities and connecting 
them to the access graph is going 

1022
00:54:57,280 --> 00:55:00,080
to be so critical. 
Fundamentally, this is the, this

1023
00:55:00,080 --> 00:55:01,920
is the, this is the scale 
problem. 

1024
00:55:01,920 --> 00:55:06,120
Then being able to interrogate 
that access and understand the 

1025
00:55:06,120 --> 00:55:09,640
adherence and the policy 
conformance at the scale 

1026
00:55:09,640 --> 00:55:13,920
organizations actually work, as 
opposed to the scale of some old 

1027
00:55:13,920 --> 00:55:16,680
legacy system that could only 
deal with like a hundredth of 

1028
00:55:16,680 --> 00:55:19,600
it. 
Now is the time, as Tarun was 

1029
00:55:19,600 --> 00:55:21,760
saying. 
So with that, I thank you guys 

1030
00:55:21,760 --> 00:55:24,160
for spending some time with us 
and we'll have links in our show

1031
00:55:24,160 --> 00:55:27,000
notes for people to check out, 
both for both your LinkedIn, but

1032
00:55:27,000 --> 00:55:33,440
as well as to learn more about 
vasavasa.com/I DACVEZA and Phil.

1033
00:55:33,440 --> 00:55:35,720
I'll put a link to your blog as 
well 'cause you're a prolific 

1034
00:55:36,080 --> 00:55:38,840
contributor to the body of 
knowledge that that we have in 

1035
00:55:38,840 --> 00:55:39,520
the identity. 
Space. 

1036
00:55:39,520 --> 00:55:41,800
All of us wait on Sunday morning
to read Phil's blog. 

1037
00:55:41,920 --> 00:55:46,400
At least I do. 
All right, so with that, we'll 

1038
00:55:46,400 --> 00:55:47,600
go ahead and leave it for this 
week. 

1039
00:55:47,720 --> 00:55:49,400
Thanks everybody for watching 
and or listening. 

1040
00:55:49,400 --> 00:55:53,000
You can find us on the web, IDC 
podcast.com and you'll share 

1041
00:55:53,000 --> 00:55:55,960
this with your friends, like and
subscribe to all that fun stuff 

1042
00:55:56,280 --> 00:55:58,080
and we'll talk with everybody in
the next one. 

1043
00:55:58,560 --> 00:56:02,640
Jeff, thank you so much. 
You've been listening to 

1044
00:56:02,720 --> 00:56:06,600
Identity at the Center. 
We hope you've enjoyed the show.

1045
00:56:06,800 --> 00:56:10,920
Make sure to like, rate and 
review, and we'll be back soon. 

1046
00:56:11,160 --> 00:56:13,440
But in the meantime, hit the 
website at 

1047
00:56:13,440 --> 00:56:19,800
identityatthecenter.com. 
See you next time on Identity at

1048
00:56:19,800 --> 00:56:20,720
the Center.
