1
00:00:05,300 --> 00:00:10,800
This is Identity at the Center.
If it has anything to do with

2
00:00:10,800 --> 00:00:18,000
IAM, this is the go-to podcast.
Now your hosts, Jim McDonald and

3
00:00:18,000 --> 00:00:22,100
Jeff Steadman. Welcome to the
Identity at the Center podcast.

4
00:00:22,100 --> 00:00:25,800
I'm Jeff and that's Jim. 
Hey Jim. Hey Jeff, how are you?

5
00:00:26,100 --> 00:00:28,700
Oh, not so bad yourself. 
Great, great. 

6
00:00:28,700 --> 00:00:32,000
Hey I know we want to cover. 
Cover a lot of topics here today

7
00:00:32,000 --> 00:00:36,100
in our preamble and the show's
going to be different. 

8
00:00:36,100 --> 00:00:38,300
So I don't know if you want to 
touch on that first and then 

9
00:00:38,300 --> 00:00:42,200
come back to me with with my 
topic with our, with our opening

10
00:00:42,200 --> 00:00:42,700
matter. 
Yeah, sure. 

11
00:00:42,700 --> 00:00:46,600
So today we're gonna actually 
going to replay a round table 

12
00:00:46,600 --> 00:00:49,700
that you and I hosted with the
Carolinas Identity Roundtable,

13
00:00:49,700 --> 00:00:52,000
discussion we had around
role-based access control we did

14
00:00:52,000 --> 00:00:54,500
in December. People have not
heard it. 

15
00:00:54,500 --> 00:00:57,100
Unless you were part of that 
roundtable live, that day was.

16
00:00:57,100 --> 00:01:00,000
So we're going to kind of treat 
that as today's episode, kind of

17
00:01:00,000 --> 00:01:01,400
just kind. 
This quick intro and get to it. 

18
00:01:01,400 --> 00:01:03,200
But what do you have? 
What do you have for me here? 

19
00:01:03,700 --> 00:01:06,700
So what I have for you is I 
started thinking about RBAC

20
00:01:06,700 --> 00:01:11,700
and kind of going into that 
discussion was I want to talk 

21
00:01:11,700 --> 00:01:15,500
about AI and then I thought of a
real cool angle that I had to 

22
00:01:15,500 --> 00:01:21,500
ask you about which is AI robots
and let's just take an example 

23
00:01:21,500 --> 00:01:23,600
which I don't want to have the 
argument with it right now. 

24
00:01:23,600 --> 00:01:29,500
Whether Siri, you know, the 
Apple voice module is AI or not.

25
00:01:29,600 --> 00:01:34,900
But my question to you is, do
you need to be polite to AI? 

26
00:01:35,300 --> 00:01:39,500
Or can you just be gruff and
rude and just say, give me this?

27
00:01:39,500 --> 00:01:43,400
Give me that. 
It's interesting question and 

28
00:01:43,800 --> 00:01:46,300
Siri's not AI sweater are right
now. 

29
00:01:46,300 --> 00:01:49,500
It just listen to the voice 
response system and not even a 

30
00:01:49,508 --> 00:01:53,900
very good one. 
Do you have to be nice to your 

31
00:01:53,900 --> 00:01:55,400
AI? 
That's the question. 

32
00:01:56,600 --> 00:02:01,900
You have to be polite. 
I would say no, but I also get 

33
00:02:01,900 --> 00:02:05,900
the idea of, you know, please 
give me a table information, 

34
00:02:05,900 --> 00:02:09,199
right? 
And type it in, I have, I, I, 

35
00:02:09,500 --> 00:02:12,200
when I first started using like 
ChatGPT and things like that, I

36
00:02:12,200 --> 00:02:16,300
had more formal sentence 
structure asking for, here's 

37
00:02:16,300 --> 00:02:17,800
what I'm looking for, blah blah
blah.

38
00:02:18,200 --> 00:02:21,600
Now, I'm treating it depending 
on which AI I'm using, whether

39
00:02:21,600 --> 00:02:26,400
it's Bing's version, for example,
which uses GPT-4, or if I'm

40
00:02:26,400 --> 00:02:30,200
using just the ChatGPT normal
interface, is I'm treating it

41
00:02:30,200 --> 00:02:34,500
almost like a search query 
instead of fully formed sentences,

42
00:02:34,500 --> 00:02:38,700
for example, so it kind of 
depends what I'm doing it. 

43
00:02:38,700 --> 00:02:42,600
But I would say for the most 
part, I am not polite, but I'm 

44
00:02:42,600 --> 00:02:45,300
also not impolite, it's not like
I'm like, hey, go get this. 

45
00:02:45,300 --> 00:02:49,800
You son of a you know what fear 
there may be but I also I'm not 

46
00:02:49,800 --> 00:02:51,900
doing please and thank yous and 
things like that. 

47
00:02:52,300 --> 00:02:55,100
So I usually do use pleases
and thank yous, which I think

48
00:02:55,100 --> 00:02:57,500
humanize it, but they might the 
back of my mind. 

49
00:02:57,500 --> 00:03:00,600
I'm also like okay. 
It's not a human but it's kind 

50
00:03:00,600 --> 00:03:02,600
of raised. 
Like you're not going to get in 

51
00:03:02,608 --> 00:03:04,700
trouble for saying please and 
thank you too much. 

52
00:03:04,700 --> 00:03:07,900
It's better to just say it when 
you don't have to, than not say

53
00:03:07,900 --> 00:03:13,800
it when you should be saying it.
So I actually say Siri you know 

54
00:03:14,100 --> 00:03:18,400
please give me directions to XY 
and Z which may be a little 

55
00:03:18,800 --> 00:03:21,800
weird I guess and I kind of get 
that. 

56
00:03:21,800 --> 00:03:26,000
But yeah it's just it's just 
like you know I you know, I have

57
00:03:26,000 --> 00:03:29,400
you seen you, I got you into 
watching Picard, right?

58
00:03:29,400 --> 00:03:31,600
Yeah, I have not seen this last 
that last season yet, though, 

59
00:03:32,200 --> 00:03:33,500
okay. 
I haven't seen the last season 

60
00:03:33,500 --> 00:03:35,400
yet, either. 
Or, I think I saw like, the 

61
00:03:35,400 --> 00:03:37,200
first episode of the last 
season. 

62
00:03:37,500 --> 00:03:44,000
Anyway, there was an episode 
where it was all the humanoid

63
00:03:44,000 --> 00:03:47,500
AIs, which I don't really
remember what the right term for

64
00:03:47,500 --> 00:03:49,600
it was. 
But basically all the people 

65
00:03:49,600 --> 00:03:52,500
were being real rude and 
treating the, you know, the 

66
00:03:52,800 --> 00:03:55,600
people like Data, like, they
were just like, secondhand 

67
00:03:55,600 --> 00:03:59,900
garbage, right? 
And then they got sick of it

68
00:03:59,900 --> 00:04:03,400
and came back to attack the 
humans and you know maybe that's

69
00:04:03,400 --> 00:04:07,300
the future we're heading for is
that they'll get sick of being 

70
00:04:07,300 --> 00:04:11,900
mistreated, AIs.
And I don't know I think at some

71
00:04:11,900 --> 00:04:15,600
point it'll have like once 
there's a physical manifestation

72
00:04:15,600 --> 00:04:18,399
in the real world that might be 
the changer, right? 

73
00:04:18,399 --> 00:04:22,700
I think they look like people. 
Yeah doesn't necessarily I think

74
00:04:22,700 --> 00:04:25,900
have to look like a person but 
some sort of like I mean people 

75
00:04:25,900 --> 00:04:28,700
have like this little cute 
little robot dog things. 

76
00:04:28,900 --> 00:04:30,900
Right? 
And some people are pleasant to

77
00:04:30,900 --> 00:04:33,300
the Roombas in the room, and
things like that, right, stuff 

78
00:04:33,300 --> 00:04:34,500
like that. 
Some people aren't? 

79
00:04:34,900 --> 00:04:37,600
I think once there's that, 
physical sort of connection 

80
00:04:37,600 --> 00:04:40,100
there like, that's, that's maybe
where things might change. 

81
00:04:40,100 --> 00:04:45,200
But right now, most AI is just a
text prompt in a web browser or on

82
00:04:45,200 --> 00:04:47,100
your screen. 
It's kind of difficult to 

83
00:04:47,100 --> 00:04:52,500
contextualize that as, you know,
a human kind of concept or human

84
00:04:52,500 --> 00:04:55,400
sort of interaction when you're 
so used to just typing it into 

85
00:04:55,400 --> 00:04:57,400
Google. You type, you know,
please and thank you into

86
00:04:57,407 --> 00:04:58,700
Google. 
No, no. 

87
00:04:58,800 --> 00:05:02,400
Don't I don't, ya know, I think 
that's it. 

88
00:05:03,100 --> 00:05:05,200
That's probably a good 
differentiation. 

89
00:05:06,800 --> 00:05:13,800
This kind of watching a video of
the keynote from the CEO over at

90
00:05:13,800 --> 00:05:16,000
RSA. 
It was at the RSA conference, 

91
00:05:16,200 --> 00:05:21,000
which was what last week and it 
was talking about AI and

92
00:05:21,000 --> 00:05:24,800
identity and kind of like this. 
I don't know what to call it a 

93
00:05:24,800 --> 00:05:28,000
collision course that we're on,
but how AI could actually make

94
00:05:28,200 --> 00:05:29,700
identity
work better.

95
00:05:30,000 --> 00:05:34,000
And in his presentation he had 
kind of what was like a human 

96
00:05:34,000 --> 00:05:40,300
form started out as like like a 
robot that turned into a human 

97
00:05:40,300 --> 00:05:44,500
overlay and look like a real 
human was speaking to the camera

98
00:05:45,100 --> 00:05:48,700
and but it was an AI who was 
answering his questions. 

99
00:05:49,000 --> 00:05:52,900
And I thought that was, you 
know, I don't know how far down 

100
00:05:52,900 --> 00:05:56,700
the road that is in some areas. 
It's interesting in some, like

101
00:05:56,700 --> 00:06:01,200
IAM tools, what they call AI, I
think it's a farce, right?

102
00:06:01,200 --> 00:06:05,800
It's like no that's just like 
you know, advanced predictive

103
00:06:05,800 --> 00:06:11,400
capabilities of your system but 
it's a far cry from like what 

104
00:06:11,400 --> 00:06:15,600
everybody's worried about like 
AI is going to make humans 

105
00:06:16,000 --> 00:06:18,300
obsolete. 
Yeah. 

106
00:06:18,800 --> 00:06:20,700
That video you mentioned for
RSA, that was good.

107
00:06:20,700 --> 00:06:24,000
You sent it to me and I watched 
it and I thought it was an 

108
00:06:24,008 --> 00:06:26,600
interesting tech demo.
I don't know how much of it was 

109
00:06:26,600 --> 00:06:28,700
live if I had to guess, it was 
probably scripted. 

110
00:06:29,000 --> 00:06:30,900
I was kind of looking for like 
okay when they hit what are they

111
00:06:30,900 --> 00:06:33,800
hitting play and pause on this 
video with these right? 

112
00:06:33,800 --> 00:06:37,000
Yeah for sure pre-canned 
response to things like that but

113
00:06:37,000 --> 00:06:40,100
the technology exists there's a 
company out there. 

114
00:06:40,100 --> 00:06:43,600
I think it's called D-ID or
D dash ID that does like these

115
00:06:43,600 --> 00:06:46,400
virtual avatar things and you
can make them say you know basic

116
00:06:46,400 --> 00:06:48,700
whatever you want, you give it a
typed out script and it kind of 

117
00:06:48,707 --> 00:06:51,400
figures it out. 
It's interesting because I think

118
00:06:51,400 --> 00:06:55,800
it adds that visual you know, 
maybe it's not a physical but 

119
00:06:55,800 --> 00:06:57,200
it's something on your screen. 
You say, okay? 

120
00:06:57,200 --> 00:07:00,600
What here is, you know and 
quote, unquote, a person who is

121
00:07:00,800 --> 00:07:02,200
talking to me. 
So if you think about like 

122
00:07:02,200 --> 00:07:04,200
today, a chatbot from the 
identity perspective, in the 

123
00:07:04,207 --> 00:07:06,400
bottom, right of your web 
browser is probably a little 

124
00:07:06,400 --> 00:07:09,400
thing that flies out. 
So I do ask me anything and then

125
00:07:09,400 --> 00:07:11,700
it's 50/50 whether or not I can 
actually answer your question, 

126
00:07:12,300 --> 00:07:14,500
right directly help you. 
It's not really AI. 

127
00:07:14,500 --> 00:07:18,800
It's basically just looking for 
keywords and phrases that map 

128
00:07:18,800 --> 00:07:21,800
back somewhere, to some sort of 
script that's associated with, 

129
00:07:21,800 --> 00:07:24,400
oh, you asked about billing, 
here are a bunch of links about 

130
00:07:24,400 --> 00:07:26,400
billing, right? 
It's all that kind of stuff, but

131
00:07:26,900 --> 00:07:29,700
I think at some point, you know,
AI is going to get more.

132
00:07:31,900 --> 00:07:34,300
I don't democratized or more 
prevalent within stuff like 

133
00:07:34,300 --> 00:07:35,500
this. 
You and I are actually talking 

134
00:07:35,500 --> 00:07:38,100
about this yesterday when we 
were talking about kind of AI,

135
00:07:38,200 --> 00:07:41,400
especially in identity products.
Yeah, I think there is a big 

136
00:07:41,400 --> 00:07:45,500
difference today between what we
call AI and, you know, May of

137
00:07:45,500 --> 00:07:49,100
2023 versus May
of 2021. 

138
00:07:49,300 --> 00:07:52,100
I think there's been a big 
shift, you know, with these 

139
00:07:52,100 --> 00:07:55,800
large language models coming out
that really expands on what is 

140
00:07:55,800 --> 00:07:59,300
it actually mean of AI? 
I think the in the good old 

141
00:07:59,300 --> 00:08:03,900
days, you know, let's call it 
like 2021 and before, AI meant

142
00:08:03,900 --> 00:08:06,900
really just some sort of 
advanced pattern matching or you

143
00:08:06,900 --> 00:08:10,000
know things like that. 
I don't think that's AI anymore.

144
00:08:10,100 --> 00:08:11,800
I think that's kind of weak 
sauce, if that's what you're 

145
00:08:11,800 --> 00:08:14,300
calling
AI. What I think of a

146
00:08:14,300 --> 00:08:16,500
identity I think of this is use 
case. 

147
00:08:16,500 --> 00:08:18,100
I kind of mentioned you 
yesterday was kind of thought 

148
00:08:18,100 --> 00:08:21,800
that might be interesting. 
Is I go into my IGA product and

149
00:08:21,800 --> 00:08:25,300
I say, oh, I'm an axis. 
I'm conducting an access review 

150
00:08:25,800 --> 00:08:29,200
and what do most people who do? 
If you struggle with, who is the

151
00:08:29,200 --> 00:08:31,900
person and what the heck, does 
this access even me? 

152
00:08:31,900 --> 00:08:36,100
Or let me do if there was a 
assistant that I could call up 

153
00:08:36,100 --> 00:08:37,700
and say, hey, who is this 
person? 

154
00:08:37,700 --> 00:08:42,000
Tell me more about them. 
And what can this access do in 

155
00:08:42,000 --> 00:08:44,500
terms that are easy to 
understand and sort of interface

156
00:08:44,500 --> 00:08:46,900
with that would be an 
interesting application. 

157
00:08:46,900 --> 00:08:49,900
Because that solves, I think one
of the biggest real world pain 

158
00:08:49,900 --> 00:08:53,900
points of conducting an access
review, is the people who are

159
00:08:53,900 --> 00:08:56,900
supposed to do the review, don't
know what they're doing. 

160
00:08:57,500 --> 00:09:00,200
It's not necessarily their fault
or their problem. 

161
00:09:00,600 --> 00:09:03,200
They've just been does you know 
that Jim you own the blah, blah 

162
00:09:03,200 --> 00:09:05,500
blah, Marketing Group, and 
you're going to review it every 

163
00:09:05,500 --> 00:09:10,000
quarter or month or year and you
know good luck figuring out if 

164
00:09:10,000 --> 00:09:12,600
that is still correct. 
And you know here is 100 people 

165
00:09:12,600 --> 00:09:15,000
have access to it that may or 
may not be, you know, be part of

166
00:09:15,000 --> 00:09:17,200
your department. 
I think that would solve any 

167
00:09:17,200 --> 00:09:19,200
problem. 
I kind of wonder what the 

168
00:09:19,200 --> 00:09:21,500
approach is going to be because 
I think wouldn't one of the 

169
00:09:21,500 --> 00:09:23,800
things that you pointed out was 
that? 

170
00:09:24,700 --> 00:09:27,600
Some of these are systems like 
create that human interface. 

171
00:09:27,600 --> 00:09:29,700
So now, you're looking at, 
somebody looks like you're 

172
00:09:29,700 --> 00:09:31,600
talking to a person. 
You present them with a 

173
00:09:31,608 --> 00:09:33,800
question. 
Now somewhere in the background,

174
00:09:33,800 --> 00:09:37,300
they're scouring the data to 
come back with an answer. 

175
00:09:37,700 --> 00:09:41,600
So maybe it's there's one 
technology that provides the 

176
00:09:41,600 --> 00:09:45,500
human interface. 
Another technology like ChatGPT

177
00:09:45,500 --> 00:09:51,400
that does this language model 
but I think you know on top of 

178
00:09:51,400 --> 00:09:53,900
that overlay kind of the 
question that you wanted to ask 

179
00:09:53,900 --> 00:09:59,400
was was really like, An advanced
identity management question, 

180
00:09:59,400 --> 00:10:03,500
which was, you know, kind of 
comparing who has access to what

181
00:10:04,000 --> 00:10:06,800
what are they actually using it.
For, in other words, what is the

182
00:10:06,800 --> 00:10:11,100
access that they have that? 
They shouldn't have and modern

183
00:10:11,100 --> 00:10:13,400
IGA systems cannot answer that
question. 

184
00:10:14,900 --> 00:10:18,500
I think that's the next 
revolution and I think that's

185
00:10:18,500 --> 00:10:22,800
how we get to zero trust, right?
It's so funny. 

186
00:10:22,800 --> 00:10:26,000
Like there's so many, it's not 
just zero trust but least

187
00:10:26,000 --> 00:10:29,000
privilege. 
There's so many CISOs who I've

188
00:10:29,000 --> 00:10:33,500
talked to over the years who say
we are we follow least privilege

189
00:10:33,500 --> 00:10:36,100
model. 
In other words, their policy is 

190
00:10:36,100 --> 00:10:38,900
least privilege. 
But then we start talking about 

191
00:10:38,900 --> 00:10:43,200
role-based access control which 
you know my feeling is that 

192
00:10:43,200 --> 00:10:47,400
role-based access control is 
it's not least privilege created

193
00:10:47,400 --> 00:10:51,000
works against least privilege 
and role mining.

194
00:10:51,800 --> 00:10:55,700
Takes it, even further. 
Is this are saying that 85% of 

195
00:10:55,700 --> 00:10:58,600
the people have this access. 
So when it's just give it to 

196
00:10:58,600 --> 00:11:04,300
100% like 15% more time, that's 
the exact opposite of least 

197
00:11:04,300 --> 00:11:07,100
privilege, right? 
But ultimately, you know what's 

198
00:11:07,100 --> 00:11:10,600
interesting, though, is like 
it's, there's a problem that I 

199
00:11:10,600 --> 00:11:17,400
think is so hard to solve. 
In the enterprise for existing

200
00:11:19,400 --> 00:11:22,000
infrastructure. 
So company controlled 

201
00:11:22,300 --> 00:11:27,200
infrastructure but it seems like
CIEM can clap Keem.

202
00:11:27,200 --> 00:11:32,000
Whatever you want to Cloud, 
entitlement identify the 

203
00:11:32,000 --> 00:11:35,300
infrastructure and every cloud 
infrastructure does gonna. 

204
00:11:35,900 --> 00:11:36,700
Yeah. 
Thanks. 

205
00:11:37,700 --> 00:11:40,800
But it seems like we're getting 
closer to solving it there, 

206
00:11:41,300 --> 00:11:43,700
right? 
And maybe it's because I think, 

207
00:11:43,900 --> 00:11:47,800
Because the platforms make the
information available and now 

208
00:11:47,800 --> 00:11:52,400
you can say, okay, these are 
over-provisioned accounts versus

209
00:11:52,400 --> 00:11:56,100
these accounts over here.
You know, properly provisioned 

210
00:11:56,800 --> 00:11:58,300
to me. 
It's like that's what we need to

211
00:11:58,308 --> 00:12:01,400
be able to do for applications. 
So we need to be able to do for 

212
00:12:01,400 --> 00:12:04,200
Active Directory groups, and
things like that, but the 

213
00:12:04,200 --> 00:12:06,800
technology as far as I can tell 
is not out there today. 

214
00:12:07,500 --> 00:12:09,300
Yeah. 
Well, collecting the data is one

215
00:12:09,300 --> 00:12:13,000
thing understanding the data and
the context in which is 

216
00:12:13,000 --> 00:12:15,000
presented is a completely
different thing. 

217
00:12:15,600 --> 00:12:19,800
I hope we're getting closer to 
that, but yeah, it's going to be

218
00:12:19,800 --> 00:12:21,900
a layered approach. 
You'll have different searches 

219
00:12:21,900 --> 00:12:24,100
interfaces, different types of 
things and maybe at some point 

220
00:12:24,100 --> 00:12:28,000
you know someone will come out 
with, I do IGA 3.0 whatever that

221
00:12:28,000 --> 00:12:30,100
looks like and it maybe it is 
something is more modern. 

222
00:12:30,100 --> 00:12:34,000
It's more, you know really 
leveraging true. 

223
00:12:34,000 --> 00:12:35,700
AI, not what we've been calling

224
00:12:35,700 --> 00:12:38,400
AI for the last decade or so.
But yeah, yeah. 

225
00:12:38,400 --> 00:12:41,400
And so I think you made a great 
point though, right? 

226
00:12:41,400 --> 00:12:43,600
It's like gathering the data
making. 

227
00:12:43,800 --> 00:12:46,600
And so, do two different things 
to different things, that were 

228
00:12:46,600 --> 00:12:49,500
not good at right now. 
And I think it's making sense of

229
00:12:49,500 --> 00:12:53,300
the data is where the AI really 
steps in because it's like, now 

230
00:12:53,300 --> 00:12:56,300
you're looking at a problem that
the human Bronte human mind 

231
00:12:56,300 --> 00:12:59,400
cannot crunch. RBAC was
designed around. 

232
00:12:59,500 --> 00:13:01,900
Let's make this so people can 
understand it. 

233
00:13:02,000 --> 00:13:07,200
I think the next level is like, 
you know, people don't have to 

234
00:13:07,500 --> 00:13:10,200
calculate the data or understand
all the roles you can find out, 

235
00:13:10,200 --> 00:13:13,600
like, you gave this access, this
is what access is

236
00:13:13,700 --> 00:13:17,000
being used, and automatically
take away the access they're not

237
00:13:17,000 --> 00:13:18,700
using. 
Yeah, hey Jim. 

238
00:13:18,700 --> 00:13:20,700
You're doing this access review.
Here's this person. 

239
00:13:21,300 --> 00:13:24,400
They've the last time they use 
this access was six months ago 

240
00:13:24,400 --> 00:13:27,300
and here's why they used it. 
You know, we think you should 

241
00:13:27,300 --> 00:13:30,000
get rid of it but you've got 
company policies to take it 

242
00:13:30,000 --> 00:13:32,500
away. 
Do you want to override that? 

243
00:13:32,800 --> 00:13:35,300
Yeah I mean there we go we just 
solved it. 

244
00:13:35,300 --> 00:13:37,600
IGA 3.0 coming to a product near
you. 

245
00:13:37,600 --> 00:13:42,200
I'm sure. 
So we probably when I get to the

246
00:13:42,200 --> 00:13:44,300
interview or the roundtable
discussion. 

247
00:13:44,300 --> 00:13:48,500
We did we had but it would be 
unfair for me to note that back 

248
00:13:48,500 --> 00:13:50,500
by popular
demand is our IDAC

249
00:13:50,500 --> 00:13:53,100
jingle. Tried something for 10
episodes. 

250
00:13:53,900 --> 00:13:56,700
I like the voice, I'm going to 
use the voice but we're we went 

251
00:13:56,700 --> 00:14:00,400
back to our guitar jingles.
So if you're a fan of that, and 

252
00:14:00,400 --> 00:14:06,100
my terrible musicianship of 
putting that together, enjoy 

253
00:14:07,000 --> 00:14:08,200
until we decide to change it 
again. 

254
00:14:08,600 --> 00:14:12,000
I mean, a lot of people have 
come up to me and said miss the 

255
00:14:12,000 --> 00:14:16,800
guitar jingle I had no idea that
people were that interested. 

256
00:14:17,700 --> 00:14:20,600
I liked it. 
I mean, I told you, I liked it 

257
00:14:20,600 --> 00:14:22,600
but you know, I'll also be 
honest. 

258
00:14:22,600 --> 00:14:26,800
I can't listen to a lot of our 
own episodes because I like here

259
00:14:26,800 --> 00:14:30,700
people, I do you need to exactly
you have to listen because you 

260
00:14:30,700 --> 00:14:33,100
had it. 
But yeah, I can I can avoid 

261
00:14:33,100 --> 00:14:36,400
listening to myself. 
The other thing that I wanted to

262
00:14:36,400 --> 00:14:41,500
say is just, you know, in this 
isn't me trolling for more five 

263
00:14:41,500 --> 00:14:45,300
star reviews and comments. 
Jean Apple podcast even though I

264
00:14:45,300 --> 00:14:49,900
don't have this control. 
But I did want to say, like, I 

265
00:14:49,900 --> 00:14:52,500
was reading through some of them
over the last few days. 

266
00:14:52,500 --> 00:14:56,800
Since like there's one by MB 
Hedgehog, which I know you 

267
00:14:56,800 --> 00:15:00,000
showed this on Twitter at one 
point, but it's like such a 

268
00:15:00,000 --> 00:15:04,500
great review. 
And I think it like helps other 

269
00:15:04,500 --> 00:15:08,600
people, you know, find the 
podcast right by more more 

270
00:15:08,600 --> 00:15:11,100
reviews. 
We get, the more shows up in 

271
00:15:11,100 --> 00:15:13,300
search results, so that's one 
good thing. 

272
00:15:13,600 --> 00:15:16,600
Also, I just want people to know
that when those comments are 

273
00:15:16,600 --> 00:15:20,700
made, they get read by you and I
and they are appreciated. 

274
00:15:21,000 --> 00:15:23,800
Yeah, it's very cool to get some
sort of acknowledgement, you 

275
00:15:23,808 --> 00:15:26,800
know, usually it's just you and 
I sitting here on an afternoon 

276
00:15:26,800 --> 00:15:31,000
or an evening staring at each 
other recording and you know 

277
00:15:31,000 --> 00:15:32,900
figure things out and you know 
usually we've got a guest at

278
00:15:32,900 --> 00:15:34,700
this point but today it's just 
the two of us. 

279
00:15:35,300 --> 00:15:37,300
But yeah, it's very cool and 
people take the time out to do 

280
00:15:37,300 --> 00:15:39,100
that and that's really the best 
way. 

281
00:15:39,100 --> 00:15:42,700
And as of now, the only way he 
can really help us is, you know,

282
00:15:42,700 --> 00:15:45,300
like Vibrate review, all that 
good stuff. 

283
00:15:45,800 --> 00:15:48,400
That is, that means a lot to us.
And, you know, certainly helps 

284
00:15:48,400 --> 00:15:50,100
us get more traction in the 
space. 

285
00:15:51,800 --> 00:15:54,000
I see the last time we've got 
for, we get to the RBAC

286
00:15:54,000 --> 00:15:55,900
discussion is Identiverse
coming up. 

287
00:15:55,900 --> 00:16:00,100
It's only three weeks away Jim. 
So in three weeks you and I will

288
00:16:00,100 --> 00:16:03,800
be at Identiverse.
Identiverse 2023, it's heading to

289
00:16:03,800 --> 00:16:06,700
Las Vegas, we're going to be 
there, join the digital identity

290
00:16:06,700 --> 00:16:10,200
community at the Aria Resort and
Casino in Las Vegas, May 30th to

291
00:16:10,200 --> 00:16:13,500
June second.
It's a must-attend event that 

292
00:16:13,600 --> 00:16:16,800
brings together over 2500 security
professionals for four days of

293
00:16:16,800 --> 00:16:19,300
world class learning engagement 
entertainment. 

294
00:16:19,700 --> 00:16:23,900
And as an Identity at the Center listener,
you can get 20% off of your 

295
00:16:23,900 --> 00:16:26,900
registration, you only got a 
couple weeks left, so gotta get 

296
00:16:26,900 --> 00:16:31,400
on that horse. 
You can use ID, code idv, 23-0, 

297
00:16:31,400 --> 00:16:35,900
icen, 20 just rolls right off 
the tongue, at identiverse.com.

298
00:16:35,900 --> 00:16:38,000
We'll have a link on our show
notes, make it easy, you click 

299
00:16:38,000 --> 00:16:39,800
the link, it automatically puts 
the code in. 

300
00:16:40,200 --> 00:16:42,900
And, you know, that helps us as 
well, right? More people who use

301
00:16:42,900 --> 00:16:44,300
our code. 
And it shows that, hey, it's 

302
00:16:44,300 --> 00:16:47,400
worth it to get the podcast out 
to, you know, some of these 

303
00:16:47,400 --> 00:16:49,500
events and maybe do some 
partnerships like we're doing

304
00:16:49,500 --> 00:16:50,200
with Identiverse.

305
00:16:50,300 --> 00:16:55,400
So yeah, and not to mention also
on Tuesday night during the 

306
00:16:55,400 --> 00:16:59,700
opening reception, we'll be set
up on a mini stage outside of 

307
00:16:59,708 --> 00:17:03,400
the expo hall, which is where 
the opening reception will be 

308
00:17:03,400 --> 00:17:05,099
held. 
I don't think that's probably 

309
00:17:05,099 --> 00:17:08,800
the table but what I'm saying we
will be recording just outside. 

310
00:17:08,800 --> 00:17:12,000
You use the term stage very 
loosely, all the world's a

311
00:17:12,000 --> 00:17:13,900
stage. 
We just treat Shakespeare 

312
00:17:13,900 --> 00:17:15,599
definition. 
Yeah. 

313
00:17:15,900 --> 00:17:17,900
Yeah, but it's not going to just
be us in the corner. 

314
00:17:18,400 --> 00:17:22,900
Yeah, so hopefully, a lot of you
can hang out. 

315
00:17:23,000 --> 00:17:25,300
Listen to this record live. 
We're gonna have a few drop-in

316
00:17:25,300 --> 00:17:28,200
guests, and really look forward
to that. 

317
00:17:28,500 --> 00:17:31,300
Yeah, 7 p.m. 
Tuesday night, local time. 

318
00:17:31,300 --> 00:17:35,200
Las Vegas. We'll be kicking things
off there, and get things going.

319
00:17:35,200 --> 00:17:38,300
And hopefully see a lot of 
friendly faces and new and you 

320
00:17:38,300 --> 00:17:40,600
know, familiar faces as well. 
We're always looking to meet 

321
00:17:40,600 --> 00:17:43,300
with folks and stuff like that. 
So I'll have stickers too. 

322
00:17:43,900 --> 00:17:44,700
You have stickers? 
Good? 

323
00:17:44,700 --> 00:17:47,200
Okay, I'm outside. 
Have I've got no stickers left. 

324
00:17:47,300 --> 00:17:51,400
I've got over 100. Over 100.
Okay, all right. 

325
00:17:51,400 --> 00:17:54,100
Should we get to the Carolinas 
Identity Roundtable?

326
00:17:54,600 --> 00:17:55,900
Let's do that. 
Okay? 

327
00:17:55,900 --> 00:17:59,200
So this is something that we did
Jim and I, December of

328
00:17:59,200 --> 00:18:01,800
2022.
So just about roughly about five

329
00:18:01,800 --> 00:18:04,900
months ago, as of today. Definitely
want to thank Tom Lennon from

330
00:18:04,900 --> 00:18:07,700
SailPoint.
He's the one who invited us as a

331
00:18:07,700 --> 00:18:11,000
new member of the Carolinas. 
It was cool to kind of land with

332
00:18:11,100 --> 00:18:13,300
sort of my feet on the ground 
and meet up with some

333
00:18:13,600 --> 00:18:15,000
like-minded people there in this
space.

334
00:18:15,000 --> 00:18:17,200
So just to kind of preface 
discussion. 

335
00:18:17,200 --> 00:18:20,800
It was around role-based access 
control and it was Jim

336
00:18:20,800 --> 00:18:23,500
and I kind of hosting this
conversation with a couple other

337
00:18:23,500 --> 00:18:27,800
people, so we had Beth Goins. 
She's an information security,

338
00:18:27,800 --> 00:18:30,100
IAM and governance manager at
Arvest Bank. 

339
00:18:30,400 --> 00:18:33,100
We also had Prince Jones who is 
a senior manager at Trane

340
00:18:33,100 --> 00:18:36,200
Technologies and then Ashley 
Rous, who is a lead information,

341
00:18:36,200 --> 00:18:39,200
security analyst at Lowe's, and
they were kind enough to set 

342
00:18:39,200 --> 00:18:41,600
aside, you know, some time with 
us to kind and the group come 

343
00:18:41,600 --> 00:18:45,000
talk about their experiences 
from a role-based access control

344
00:18:45,000 --> 00:18:48,400
perspective in the real world. 
So this isn't theoretical. 

345
00:18:48,800 --> 00:18:51,200
These are people who are doing 
in the real world and not only 

346
00:18:51,200 --> 00:18:52,600
doing it. 
But doing it really well, I was 

347
00:18:52,600 --> 00:18:56,600
kind of impressed with how far 
along they were in each of their

348
00:18:56,600 --> 00:19:01,600
journeys and how they were able
to make decisions and make their

349
00:19:01,600 --> 00:19:04,900
programs to success on at least 
on the role-based side of things.

350
00:19:05,400 --> 00:19:09,100
So hopefully people will enjoy 
that and I'll have links in our 

351
00:19:09,100 --> 00:19:10,800
show notes or people want to 
connect with them directly and 

352
00:19:10,800 --> 00:19:13,400
ask them questions as well as to
the Carolina Identity

353
00:19:13,600 --> 00:19:16,100
Roundtable as well on LinkedIn, which
is only two group that Jim and I

354
00:19:16,100 --> 00:19:19,400
are part of. 
So, with that, I'll go ahead and

355
00:19:19,500 --> 00:19:22,800
roll the tape, and we'll talk 
with everyone in the next one. 

356
00:19:23,300 --> 00:19:24,900
Thank you so much for the 
invite. 

357
00:19:25,500 --> 00:19:28,200
Thanks, Tom. Thanks for not only
inviting us to this, but also 

358
00:19:28,200 --> 00:19:31,600
just the group in general, it's 
I'm a recent transplant down to 

359
00:19:31,600 --> 00:19:34,100
the Carolinas. 
I come from Chicago for 40 years

360
00:19:34,500 --> 00:19:36,400
and 5 months ago. 
I made the Trek down to the 

361
00:19:36,400 --> 00:19:38,000
mountains of Western North 
Asheville. 

362
00:19:38,500 --> 00:19:40,600
I'm sorry, Western North 
Carolina in the Asheville area. 

363
00:19:40,600 --> 00:19:43,400
So I've got Cedar Mountain kind 
of out my window right here. 

364
00:19:43,700 --> 00:19:46,300
And I'm happy to join 
like-minded identity people. 

365
00:19:46,900 --> 00:19:51,400
I'm joined by my friend Jim 
McDonald, he and I do a podcast 

366
00:19:51,400 --> 00:19:53,300
like Tom mentions called 
Identity at the Center.

367
00:19:53,700 --> 00:19:56,400
It is nothing to do with our day
jobs, which is identity and 

368
00:19:56,400 --> 00:19:58,800
access management consulting for
a company called RSM, but we're 

369
00:19:58,800 --> 00:20:01,000
not going to a commercial for 
them or anything really. 

370
00:20:01,500 --> 00:20:03,300
But it's just something we've 
been doing for the last three 

371
00:20:03,300 --> 00:20:06,500
years on the side. 
It's sort of like our night job.

372
00:20:06,500 --> 00:20:08,500
Our night gig that we do, and 
we've had a lot of great 

373
00:20:08,500 --> 00:20:11,400
conversations over the years 
with folks all across the identity

374
00:20:11,400 --> 00:20:15,200
space. Listeners, you know,
send their topics in and stuff

375
00:20:15,200 --> 00:20:17,000
like that. 
So we try to keep it like a 

376
00:20:17,008 --> 00:20:20,400
vendor neutral, safe place. 
We don't want to turn into like 

377
00:20:20,400 --> 00:20:24,400
a boring like corporate podcast.
So that's why, you know, we own 

378
00:20:24,400 --> 00:20:26,800
it off to the side and we don't 
let the companies that we work 

379
00:20:26,800 --> 00:20:28,700
for have too much say in what
we do. 

380
00:20:29,300 --> 00:20:32,000
So that's pretty much how we run
it and you know hopefully people

381
00:20:32,000 --> 00:20:34,000
will check it out. 
The idea for today's 

382
00:20:34,000 --> 00:20:36,800
conversation is basically take 
that spin of what we do on the 

383
00:20:36,800 --> 00:20:39,200
podcasts and sort of bring it to
the conversation here. 

384
00:20:39,200 --> 00:20:42,100
And we're going to talk about 
role-based access control and 

385
00:20:42,100 --> 00:20:43,300
whenever
we have topics like this

386
00:20:43,500 --> 00:20:45,900
that are so meaty and juicy,
we like to have different guests

387
00:20:45,900 --> 00:20:47,700
on with us to kind of lend their
expertise. 

388
00:20:48,000 --> 00:20:50,700
So I'm going to go around the 
room and give people a chance to

389
00:20:50,700 --> 00:20:53,600
introduce themselves. 
First we've got Beth Goins, 

390
00:20:53,600 --> 00:20:56,400
she's the information security
IAM and governance manager for

391
00:20:56,400 --> 00:20:59,800
Arvest Bank. 
Welcome, Beth. Thank you very

392
00:20:59,800 --> 00:21:01,100
much. 
Hi everybody. 

393
00:21:01,600 --> 00:21:04,600
I have 20 plus years of 
experience in application

394
00:21:04,600 --> 00:21:08,500
development and product 
implementation and six years in 

395
00:21:08,500 --> 00:21:11,800
the information security and 
governance space.

396
00:21:12,200 --> 00:21:15,600
My main focus for identity
management is ensuring that 

397
00:21:15,600 --> 00:21:19,100
there is consistent and 
equitable access for all users.

398
00:21:19,400 --> 00:21:23,100
While minimizing friction and 
working for a financial 

399
00:21:23,100 --> 00:21:28,300
institution, my current position's
top priority is compliance. 

400
00:21:29,300 --> 00:21:31,900
I first officially got into the 
identity space

401
00:21:31,900 --> 00:21:34,800
when I was hired for a job where
I just thought I was going to be

402
00:21:34,800 --> 00:21:38,700
working on an IBM Mainframe and 
ended up working in information 

403
00:21:38,700 --> 00:21:41,900
security, and identity on my 
first day on, there was nothing 

404
00:21:41,900 --> 00:21:45,600
like on-the-job training. 
You see, I have nightmares of 

405
00:21:45,600 --> 00:21:49,200
RACF and administrating those.
So yeah, we should probably 

406
00:21:49,200 --> 00:21:50,500
share some war stories about
that. 

407
00:21:50,500 --> 00:21:51,700
Thanks for that. 
Next up. 

408
00:21:51,700 --> 00:21:53,900
We've got Prince Jones, he's a
senior manager with Trane

409
00:21:53,900 --> 00:21:56,700
Technologies. 
Welcome Prince Little welcome. 

410
00:21:56,900 --> 00:22:02,000
So, I am Prince Jones, I work at
Trane. I started my IT

411
00:22:02,000 --> 00:22:07,500
journey over 17 years ago and
I've been doing kind of RBAC

412
00:22:07,500 --> 00:22:11,800
type of work and identity
work for the last probably 15 

413
00:22:11,800 --> 00:22:14,700
years. 
I started in Oracle R12,

414
00:22:15,100 --> 00:22:18,000
Oracle 11i space. 
So that's why I got all of my 

415
00:22:18,500 --> 00:22:23,700
guests, my juicy experience from
and currently I am responsible 

416
00:22:23,700 --> 00:22:29,500
for identity at Trane, where
we're doing IGA apparently, 

417
00:22:29,500 --> 00:22:33,100
access management and our 
federation SSO solution.

418
00:22:33,100 --> 00:22:36,000
As I'm around brother. 
Glad to be here and to talk with

419
00:22:36,000 --> 00:22:37,200
your. 
Yeah. 

420
00:22:37,200 --> 00:22:39,200
So just a few things going on. 
Nothing too heavy, right? 

421
00:22:39,200 --> 00:22:42,800
Yes, if you watch any Ashley is 
next, she's actually real. 

422
00:22:42,800 --> 00:22:45,300
She's the lead information
security analyst from Lowe's. 

423
00:22:45,300 --> 00:22:47,500
Welcome, Ashley. 
Thank you. 

424
00:22:47,800 --> 00:22:51,700
Hey everybody. 
And so I've been in the IT 

425
00:22:51,700 --> 00:22:55,200
industry for about eight years. 
I started on the consulting

426
00:22:55,200 --> 00:23:01,200
side, I'm doing a lot of IT
audits on a PCI compliance,

427
00:23:01,200 --> 00:23:03,400
SOX.
And then I actually moved from 

428
00:23:03,400 --> 00:23:08,600
consulting to the industry where
I've been in the IAM space and

429
00:23:08,600 --> 00:23:11,400
been focused mainly on RBAC
for the past, three and a half 

430
00:23:11,400 --> 00:23:13,700
years. 
So you kind of went the opposite

431
00:23:13,700 --> 00:23:16,700
path that myself and Jim, you 
started off in the in the dark 

432
00:23:16,700 --> 00:23:20,400
side and then I did Jim and I 
started off in the light side 

433
00:23:20,400 --> 00:23:22,900
and we moved to the dark side of
consulting a while back.

434
00:23:23,200 --> 00:23:25,900
So I guess congratulations. 
I'm getting out. 

435
00:23:26,200 --> 00:23:28,100
Don't think you're next 
Donald's. 

436
00:23:28,100 --> 00:23:30,000
Go for it. 
Hey, Jeff. 

437
00:23:30,100 --> 00:23:32,900
First I want to thank you for 
introducing me as your friend. 

438
00:23:32,900 --> 00:23:36,300
I mean, seven years of working 
together with somebody, you 

439
00:23:36,300 --> 00:23:39,300
know, it's not always easy to 
stay friends, but you and I we 

440
00:23:39,300 --> 00:23:42,300
do the podcast, we work great 
together. 

441
00:23:42,400 --> 00:23:46,600
Our and really looking forward 
to talking with the group here 

442
00:23:46,600 --> 00:23:51,100
today, we picked this topic of 
RBAC, because I don't think

443
00:23:51,100 --> 00:23:54,900
that, you know, we step into it 
as like the authoritative voice.

444
00:23:54,900 --> 00:23:58,300
I think everybody's got 
experience with RBAC that

445
00:23:58,300 --> 00:23:59,800
can come to the table. 
Sure. 

446
00:23:59,800 --> 00:24:04,700
Everybody who's listening in 
plus this panel are great IAM

447
00:24:04,700 --> 00:24:08,500
professionals. 
We've all got our experience 

448
00:24:08,500 --> 00:24:10,900
with what works and what doesn't
work. 

449
00:24:10,900 --> 00:24:14,300
And so I think it's a great
topic from that perspective, is 

450
00:24:14,300 --> 00:24:17,400
something that we've all got a 
perspective on. 

451
00:24:18,300 --> 00:24:19,400
Yeah, it's a difficult nut to 
crack. 

452
00:24:19,400 --> 00:24:22,000
I think a lot of people get 
intimidated when they start 

453
00:24:22,000 --> 00:24:24,800
hearing about role-based access 
control and sort of a horror 

454
00:24:24,800 --> 00:24:29,000
stories that come along with it,
hundreds thousands tens of 

455
00:24:29,000 --> 00:24:31,300
thousands roll over it. 
How is this thing going to work?

456
00:24:31,600 --> 00:24:33,400
I think before we get too far 
along though. 

457
00:24:33,400 --> 00:24:37,100
We probably want to define what
it is that RBAC is because I

458
00:24:37,108 --> 00:24:40,200
think there are lots of 
terminology that we use in the 

459
00:24:40,200 --> 00:24:43,600
identity space
where, you know, we might call it

460
00:24:43,600 --> 00:24:45,500
one thing. 
Maybe it's called entitlements 

461
00:24:45,500 --> 00:24:49,300
in another system or maybe it's 
roles or maybe it is groups, 

462
00:24:49,300 --> 00:24:50,300
right? 
There's a lot of different ways to

463
00:24:50,300 --> 00:24:52,900
do it and I think what I'll do 
is I'll start off with Prince. 

464
00:24:53,300 --> 00:24:56,400
How do you define role-based 
access control like what does 

465
00:24:56,400 --> 00:24:59,500
that mean to you and your 
organization are. 

466
00:24:59,500 --> 00:25:03,100
So I will explain it how I 
explain to kind of a leader 

467
00:25:03,100 --> 00:25:06,100
right without the technicals and
I basically just described it as

468
00:25:06,100 --> 00:25:10,700
this mechanism for how we grant
or restrict access to people and

469
00:25:10,700 --> 00:25:13,200
we typically do it
according to some type of

470
00:25:13,200 --> 00:25:15,500
persona, right? 
So you could think about it as a

471
00:25:15,500 --> 00:25:18,000
maybe it's your role.
What's your department or true 

472
00:25:18,000 --> 00:25:20,200
position? 
So some information that we know

473
00:25:20,200 --> 00:25:23,900
about you that we say, okay? 
If you are a member of this 

474
00:25:23,900 --> 00:25:27,100
group you get these access and 
you don't have to go and request

475
00:25:27,100 --> 00:25:30,100
these individual accesses so 
that's kind of how I summarize 

476
00:25:30,100 --> 00:25:33,000
it to kind of, you know, help a 
leader understand what we're 

477
00:25:33,000 --> 00:25:35,600
trying to accomplish here. 
Ashley. 

478
00:25:35,600 --> 00:25:38,800
Do you agree with the way that 
that does that make sense to you

479
00:25:38,800 --> 00:25:40,800
and how you approach it as well?
Or do you have a different spin 

480
00:25:40,800 --> 00:25:44,300
on it for your organization? 
It does we have a very similar 

481
00:25:44,300 --> 00:25:47,500
spin. 
I like to think of just RBAC

482
00:25:47,500 --> 00:25:51,000
as just an overall methodology 
that has two major pieces. 

483
00:25:51,000 --> 00:25:55,500
So one is defining the subset of
users that need access and 

484
00:25:55,500 --> 00:25:57,800
pulling them into the role. 
And then the second one is what 

485
00:25:57,800 --> 00:25:59,700
access do
they actually need to perform

486
00:25:59,700 --> 00:26:04,500
their job and helps restrict 
access to what they actually 

487
00:26:04,500 --> 00:26:06,200
need. 
And eliminates the need for 

488
00:26:06,200 --> 00:26:11,000
users to say, I'll have what, 
you know, Karen over here is 

489
00:26:11,000 --> 00:26:13,700
having where she may have been 
with the company for years and 

490
00:26:13,700 --> 00:26:15,700
years and years. 
And it kind of locks down that 

491
00:26:15,700 --> 00:26:18,600
access and stops kind of carryover
access over time.

492
00:26:19,400 --> 00:26:20,600
Yeah. 
I like to call that the the 

493
00:26:20,600 --> 00:26:24,300
similar access snowball you 
start using model after and, you

494
00:26:24,300 --> 00:26:27,500
know, the, the janitor who 
became CEO, he probably still

495
00:26:27,500 --> 00:26:29,100
has access to the janitor 
closet. 

496
00:26:29,100 --> 00:26:30,400
Maybe doesn't necessarily need 
it, right? 

497
00:26:30,400 --> 00:26:33,300
Those sorts of things Beth. 
I know with the kind of

498
00:26:33,300 --> 00:26:36,900
compliance focus that you have
at the bank, there's probably a 

499
00:26:36,900 --> 00:26:39,100
pretty big focus on the role 
side of thing. 

500
00:26:39,100 --> 00:26:40,300
How do you guys? 
How do you guys? 

501
00:26:40,300 --> 00:26:42,700
How do you define it with with 
your business stakeholders? 

502
00:26:43,100 --> 00:26:45,300
And I guess, does it. 
Does it align with what you're 

503
00:26:45,300 --> 00:26:47,700
hearing here? 
Absolutely. 

504
00:26:48,100 --> 00:26:52,500
I define role-based access
as a bundling of entitlements or

505
00:26:52,500 --> 00:26:56,200
access that grants users access 
to systems based on their 

506
00:26:56,200 --> 00:26:58,300
similar attributes. 
So, very similar to what 

507
00:26:58,300 --> 00:27:01,200
everyone else has been saying. 
The attributes can be based on 

508
00:27:01,200 --> 00:27:04,700
their region, their division,
their department, or sometimes an

509
00:27:04,900 --> 00:27:07,400
HR component. It can be
birthright.

510
00:27:07,400 --> 00:27:11,500
It can be requestable, but it's 
for consistent access for 

511
00:27:11,500 --> 00:27:15,100
everybody. 
Jim from a Consulting side of 

512
00:27:15,100 --> 00:27:16,600
things, you're going to be, are 
going to play the role of 

513
00:27:16,600 --> 00:27:18,400
Consulting expert here in the 
identity space. 

514
00:27:19,300 --> 00:27:22,500
What do we typically see when 
we're talking to, you know, like

515
00:27:22,500 --> 00:27:27,000
our clients around, we want to 
get into roles and the 

516
00:27:27,000 --> 00:27:29,500
definitions that that we've 
heard here from Prince, 

517
00:27:29,500 --> 00:27:32,500
Ashley, and Beth about.
Does it make sense? 

518
00:27:32,500 --> 00:27:34,400
Do you see alternatives that are
out there? 

519
00:27:34,400 --> 00:27:37,600
When it comes to the definition 
of what a role is when it comes 

520
00:27:37,600 --> 00:27:40,900
to identity?
Yeah, so there are alternatives,

521
00:27:40,900 --> 00:27:44,200
but first I want to say that 
Prince, Beth and Ashley, I

522
00:27:44,200 --> 00:27:46,900
think nailed in terms of, you 
know, it's really an 

523
00:27:46,900 --> 00:27:51,600
organizational unit of rollers 
for entitlements or access, you 

524
00:27:51,600 --> 00:27:54,300
as a consultant, I like to think
of things in terms of our 

525
00:27:54,300 --> 00:27:58,400
framework, you know, way to 
organize your thinking around

526
00:27:58,700 --> 00:28:02,500
the topic. 
So roles get talked about in 

527
00:28:02,500 --> 00:28:06,200
terms of the authentication 
authorization side, as well as 

528
00:28:06,200 --> 00:28:10,500
the identity administration and
governance side. So there's the

529
00:28:10,500 --> 00:28:13,800
identity administration governance
side where you're creating the

530
00:28:13,800 --> 00:28:17,200
roles and you're provisioning the
roles and could be going to 

531
00:28:17,400 --> 00:28:20,200
multiple applications and 
turning into entitlements that 

532
00:28:20,200 --> 00:28:24,100
the applications understand and 
then on the authorization and 

533
00:28:24,100 --> 00:28:27,200
authentication side where you're
enforcing them. Why that's

534
00:28:27,200 --> 00:28:31,100
important is because when you 
talk to somebody about roles, 

535
00:28:31,100 --> 00:28:33,800
you have to understand what 
perspective they're coming from.

536
00:28:34,200 --> 00:28:37,300
I think the other thing when I 
think about roles, especially on

537
00:28:37,300 --> 00:28:42,100
that IGA side, The house is, you
know, the organization around 

538
00:28:42,200 --> 00:28:43,700
what are the different types of 
roles? 

539
00:28:43,900 --> 00:28:47,800
I think there are mainly two. 
The first is kind of the 

540
00:28:47,800 --> 00:28:51,200
birthright ring, which is what 
do I get? 

541
00:28:51,200 --> 00:28:55,900
Because of who I am poor, you 
know, I take my HR record and 

542
00:28:55,900 --> 00:28:59,900
I'm from this office and in this
department, etc, etc. 

543
00:28:59,900 --> 00:29:03,900
And can, what access can you key
off of that fact, I'm an 

544
00:29:03,900 --> 00:29:06,200
employee. 
So I get the VPN. 

545
00:29:06,200 --> 00:29:08,900
I get this, I get that and then 
there are things. 

546
00:29:09,300 --> 00:29:11,600
I can't do that and those are 
maybe. 

547
00:29:11,800 --> 00:29:16,200
I'm on this project and my 
manager wants me to have access 

548
00:29:16,200 --> 00:29:19,000
to this role and we call those 
requestable roles.

549
00:29:19,200 --> 00:29:23,800
So you got birthright roles and
requestable roles so that

550
00:29:23,800 --> 00:29:26,400
division of sort of like what 
you are. 

551
00:29:26,400 --> 00:29:30,300
And then what you can request 
after the fact. Beth, is that

552
00:29:30,300 --> 00:29:33,200
something that you guys have 
touched on as part of the 

553
00:29:33,200 --> 00:29:35,500
deployment, and how you've 
tackled roles or is that 

554
00:29:35,500 --> 00:29:37,300
something that you're working 
towards, okay, where does that 

555
00:29:37,300 --> 00:29:41,400
fit into maybe the strategy? 
I was I was going I think he's 

556
00:29:41,400 --> 00:29:43,600
reading all my notes here 
because that's exactly where 

557
00:29:43,600 --> 00:29:46,800
we're heading. 
We definitely want to if we look

558
00:29:46,800 --> 00:29:51,900
at access as a big piece of pie 
right you know and what we want 

559
00:29:51,900 --> 00:29:55,500
to do is take access for people 
Birthright first, anything that 

560
00:29:55,500 --> 00:29:58,000
we can do on a common attribute 
or something that we can grant 

561
00:29:58,000 --> 00:30:01,000
automatically, it's going to be 
one big piece and so we're going

562
00:30:01,000 --> 00:30:03,200
to keep trying to narrow down 
with, actually has to do 

563
00:30:03,200 --> 00:30:07,000
requestable to very specific job
related duties. 

564
00:30:07,000 --> 00:30:09,500
And so, yeah, we definitely are 
looking at requestable.

565
00:30:09,700 --> 00:30:12,400
And we're looking at the
birthright to minimize what people

566
00:30:12,400 --> 00:30:18,400
have to actually ask for. Prince,
I think from a role perspective,

567
00:30:18,900 --> 00:30:20,900
if I'm not mistaken, you guys 
probably have a probably a 

568
00:30:20,900 --> 00:30:24,500
pretty big ERP platform, which
is pretty notorious for having 

569
00:30:24,500 --> 00:30:26,700
an obscene amount of roles in 
it. 

570
00:30:27,000 --> 00:30:31,200
And I guess when we talk about 
here, this concept of Birthright

571
00:30:31,200 --> 00:30:35,000
versus requestable, how are you 
guys looking at sort of 

572
00:30:35,000 --> 00:30:38,000
addressing that differential 
between access? 

573
00:30:39,100 --> 00:30:43,300
So little we actually put it 
into three different buckets. 

574
00:30:43,300 --> 00:30:46,500
So we talked about this notion 
of Birthright which is said hey 

575
00:30:46,500 --> 00:30:48,700
based on who I am, this is what 
I want to get. 

576
00:30:49,000 --> 00:30:52,000
But when you talk about 
requestable access, you have 

577
00:30:52,000 --> 00:30:56,600
something that is introduced to 
that mix and that is that you 

578
00:30:56,600 --> 00:31:00,000
don't want this one to be still 
comply, it, right? 

579
00:31:00,000 --> 00:31:03,500
And so there's this concept of. 
If I request something, I might 

580
00:31:03,500 --> 00:31:06,700
need to have an objective
approver, making sure that that 

581
00:31:06,700 --> 00:31:09,500
access is appropriate. 
And then we talk about, even

582
00:31:09,500 --> 00:31:11,600
with the with the birthright 
access, right? 

583
00:31:12,000 --> 00:31:15,100
Making sure that it's a no such 
a way that that objective 

584
00:31:15,100 --> 00:31:18,100
approver also cautions out for a
segregation of duties

585
00:31:18,100 --> 00:31:20,400
violations, right? 
So, as a publicly traded 

586
00:31:20,400 --> 00:31:24,300
company, that is something that 
we probably all have kind of 

587
00:31:24,300 --> 00:31:27,500
seen and had exposure to you. 
So just someone is requesting 

588
00:31:27,500 --> 00:31:30,000
something. 
Typically, your manager is just 

589
00:31:30,000 --> 00:31:32,900
not enough to approve that; it has
to have some type of objective 

590
00:31:32,900 --> 00:31:36,300
approver and then an SoD
process to make sure that, you 

591
00:31:36,300 --> 00:31:39,500
know, the access that you're 
requesting and even with the

592
00:31:39,500 --> 00:31:43,500
existing access you have would 
not compose a toxic combination 

593
00:31:43,500 --> 00:31:47,900
for the organization. Ashley, we
kind of touched on the the 

594
00:31:47,900 --> 00:31:50,400
access snowball and Prince, just
hit it again there. 

595
00:31:51,100 --> 00:31:53,900
You know, from a role 
perspective, we're talking about

596
00:31:53,900 --> 00:31:56,600
this Birthright versus, you 
know, add-on roles. 

597
00:31:56,600 --> 00:31:59,000
After the fact they could be 
doing, is probably a little bit 

598
00:31:59,000 --> 00:32:00,900
of while. 
But where do things stand for 

599
00:32:00,900 --> 00:32:03,100
your organization when it comes 
to how they've how they've 

600
00:32:03,100 --> 00:32:05,900
tackled sort of that, that 
question, right? 

601
00:32:05,900 --> 00:32:08,300
What do I get? 
When I walk in the door versus 

602
00:32:08,400 --> 00:32:12,000
what happens to me day 2, day
3, day 100, whatever it may be?

603
00:32:12,700 --> 00:32:15,700
Right.
So I do agree that requestable

604
00:32:15,700 --> 00:32:19,000
is definitely a type of role 
that needs to be implemented. 

605
00:32:19,100 --> 00:32:23,000
To Prince's point, to avoid
the segregation of duties

606
00:32:23,000 --> 00:32:26,200
violation. 
I think there's a way that you 

607
00:32:26,200 --> 00:32:30,000
can configure them to restrict 
the type of roles that people 

608
00:32:30,000 --> 00:32:32,000
can see that they are able to 
request. 

609
00:32:32,300 --> 00:32:35,000
So that way, you kind of have 
that segregation of duties in

610
00:32:35,000 --> 00:32:39,900
place already and then once
you start what was the other 

611
00:32:39,900 --> 00:32:42,900
half of your question just from 
the requestable standpoint? 

612
00:32:42,900 --> 00:32:45,400
I think, you know, the 
differential between this is 

613
00:32:45,400 --> 00:32:46,700
what I get when Ashley walks in 
the door. 

614
00:32:46,700 --> 00:32:49,900
She said, yes. 
So I think that is always 

615
00:32:49,900 --> 00:32:52,000
evolving and changing, and a great
point

616
00:32:52,000 --> 00:32:55,000
to bring up because as we
evolve those birthright roles,

617
00:32:55,000 --> 00:32:58,300
we also need to communicate
what access is provisioned

618
00:32:58,300 --> 00:33:00,700
automatically to the business,
to avoid them

619
00:33:00,900 --> 00:33:02,800
requesting those additional
access.

620
00:33:03,700 --> 00:33:07,000
So that one is part of the 
maintenance process that needs 

621
00:33:07,000 --> 00:33:09,700
to be defined. 
Just who those stakeholders are 

622
00:33:09,700 --> 00:33:11,400
and how they need to be 
communicated. 

623
00:33:12,700 --> 00:33:15,400
I want to come back to something
that got mentioned a couple 

624
00:33:15,400 --> 00:33:18,500
times here and that segregation 
of duties, I think that is

625
00:33:18,500 --> 00:33:20,900
probably a pain point that a lot
of people struggle with but I 

626
00:33:20,908 --> 00:33:22,400
want to kind of build up the 
conversation. 

627
00:33:22,400 --> 00:33:25,000
We started with kind of like 
okay what's the definition of of

628
00:33:25,000 --> 00:33:27,300
roles and I think we've got 
enough information every kind of

629
00:33:27,300 --> 00:33:29,600
come up with a common standard 
around that or at least an 

630
00:33:29,600 --> 00:33:33,500
understanding, maybe we don't 
agree, but it's the same what 

631
00:33:33,500 --> 00:33:36,500
I'd like to understand now is 
this is a difficult nut as I 

632
00:33:36,500 --> 00:33:41,100
said before to crack and get 
started with how did you know 

633
00:33:41,100 --> 00:33:44,700
this? 
At kickoff, or this idea gets 

634
00:33:44,700 --> 00:33:47,400
started to say, hey, you know 
what Prince went in and said, 

635
00:33:47,400 --> 00:33:49,700
hey, we're going to do 
role-based access control and 

636
00:33:49,700 --> 00:33:52,700
then, you know, it just went 
full speed ahead, you know,

637
00:33:52,700 --> 00:33:55,500
Prince from your perspective. 
How did you actually get 

638
00:33:55,500 --> 00:33:57,600
started? 
Implementing roles for your 

639
00:33:57,600 --> 00:33:59,400
organization? 
Yeah. 

640
00:33:59,400 --> 00:34:02,500
So typically, and I think this 
is probably going to be true for

641
00:34:02,500 --> 00:34:05,800
many companies. 
But typically, when we undertake

642
00:34:05,800 --> 00:34:08,900
something like this, it's not 
for quite convenience yet at 

643
00:34:08,900 --> 00:34:11,500
first, it's typically because of
an audit finding,

644
00:34:11,500 --> 00:34:14,800
type of right now but not
mandate. 

645
00:34:14,900 --> 00:34:17,800
And so we all kind of Corral 
rounded and say, okay, this is 

646
00:34:17,800 --> 00:34:20,800
how we're going to address this,
this finding and go on, fix it 

647
00:34:20,800 --> 00:34:24,000
that way. 
And then it evolves to kind of. 

648
00:34:24,000 --> 00:34:27,100
Okay, now that we like, we see 
this, we see the benefits of 

649
00:34:27,100 --> 00:34:28,800
this. 
How could we start to do this in

650
00:34:28,800 --> 00:34:31,300
a way? 
That kind of as a tool to enable

651
00:34:31,300 --> 00:34:33,900
business. 
So I know we like to do pain 

652
00:34:33,900 --> 00:34:36,300
auditors a lot.
They are the reason for all of

653
00:34:36,300 --> 00:34:40,100
our pains but they can also be 
the reason for actually getting 

654
00:34:40,100 --> 00:34:41,900
things done. 
There's nothing like a good 

655
00:34:41,900 --> 00:34:43,600
old-fashioned
audit finding to really kind

656
00:34:43,600 --> 00:34:46,300
of light the fire on a budget or
a manager or director or 

657
00:34:46,300 --> 00:34:49,800
somebody they say, okay, we 
gotta fix this thing. Ashley,

658
00:34:49,800 --> 00:34:52,699
When you guys started down the 
role path, what was like the 

659
00:34:52,699 --> 00:34:54,600
first couple of steps that you 
took to say? 

660
00:34:54,600 --> 00:34:56,500
Okay, we're going to do this 
thing. 

661
00:34:57,600 --> 00:34:59,900
Here's how we did it. 
Sure. 

662
00:35:00,400 --> 00:35:05,400
So I actually started about a 
year after Lowe's began

663
00:35:05,400 --> 00:35:09,400
implementing RBAC, but I
think the driving force for our 

664
00:35:09,400 --> 00:35:12,300
side was more from an 
operational perspective,

665
00:35:12,400 --> 00:35:16,000
to take some of the work off our
operations team and to automate 

666
00:35:16,000 --> 00:35:18,500
it and take some of that 
pressure off of them to allow 

667
00:35:18,500 --> 00:35:21,600
them to do other provisions that
they need to do. 

668
00:35:22,300 --> 00:35:28,900
But how we really got started 
was, we did some mining in a 

669
00:35:29,000 --> 00:35:32,000
sample environment and just saw 
what the data produced. 

670
00:35:32,200 --> 00:35:34,600
And then we went through and we 
would communicate with the 

671
00:35:34,600 --> 00:35:37,400
stakeholders and say does this 
align with what you're saying, 

672
00:35:37,600 --> 00:35:39,900
and then we played with the 
algorithms a little bit more 

673
00:35:39,900 --> 00:35:42,000
until we could fine-tune that
process back. 

674
00:35:42,900 --> 00:35:46,000
How long of a process was it to 
mine that data and really kind 

675
00:35:46,000 --> 00:35:49,200
of work with the business to 
establish, you know what what 

676
00:35:49,200 --> 00:35:52,500
might have been the initial 
baselines for a role say 

677
00:35:52,700 --> 00:35:55,300
initially about a year to a year
and a half where those 

678
00:35:55,300 --> 00:35:57,600
conversations were taking place 
because we would get our 

679
00:35:57,600 --> 00:36:01,300
feedback, take it back to the 
different applications to use to

680
00:36:01,300 --> 00:36:04,100
C and B lined up with what the 
business was saying. 

681
00:36:04,100 --> 00:36:07,800
Make sure we got all parties 
involved and then additionally, 

682
00:36:07,800 --> 00:36:10,100
it's a lot of data clean up to 
that. 

683
00:36:10,100 --> 00:36:14,200
You, you get a lot of access Has
pulled into roles that, you 

684
00:36:14,200 --> 00:36:17,600
know, from the scenario I said 
earlier where Karen's been in the

685
00:36:17,600 --> 00:36:20,900
business for how many years but 
so has 30 other co-workers. 

686
00:36:20,900 --> 00:36:24,300
So a lot of the stale access gets
pulled in so it's a lot of fine 

687
00:36:24,300 --> 00:36:27,900
tuning to determine what is 
actually consistent and needed 

688
00:36:27,900 --> 00:36:31,500
for the here and now. Yeah,
definitely an overnight task 

689
00:36:31,500 --> 00:36:32,800
right? 
Oh no it's like these things. 

690
00:36:32,800 --> 00:36:35,300
Take forever. 
Yeah I think a daily consistency

691
00:36:35,300 --> 00:36:39,000
data quality got nested groups, 
people using groups, all kinds 

692
00:36:39,000 --> 00:36:41,600
of things, you know. 
Beth I think I struck a chord 

693
00:36:41,600 --> 00:36:44,900
about just now She had a little,
the tight which when I said 

694
00:36:44,900 --> 00:36:47,500
nested groups sounds to me like 
you got something you want to 

695
00:36:47,500 --> 00:36:50,100
add in there. 
We end our panel yet. 

696
00:36:50,100 --> 00:36:53,200
And the nested groups are a 
challenge for us here. 

697
00:36:53,200 --> 00:36:56,300
That's for sure. 
Part of our process to is also 

698
00:36:56,300 --> 00:37:00,900
breaking our entitlements down 
from a critical application 

699
00:37:00,900 --> 00:37:04,000
perspective, or a high admin 
privilege, versus what we 

700
00:37:04,000 --> 00:37:06,500
consider kind of, the lower 
level of distribution groups, 

701
00:37:06,500 --> 00:37:08,800
and maybe shared folders, and 
things like that. 

702
00:37:09,000 --> 00:37:11,900
So, we kind of classified our 
data a little bit and then, 

703
00:37:11,900 --> 00:37:15,200
we're initially rolling out the
role-based access on what I

704
00:37:15,207 --> 00:37:18,700
would consider the less priority
items as far as like 

705
00:37:18,700 --> 00:37:21,200
distribution groups and kind of 
high-level things that everybody

706
00:37:21,200 --> 00:37:22,800
has to have to get their job 
done. 

707
00:37:23,000 --> 00:37:25,800
And we're holding aside the 
critical and administrative 

708
00:37:25,800 --> 00:37:29,600
things to dole out very
specifically at a more

709
00:37:29,600 --> 00:37:32,100
requestable level versus like a
birthright level.

710
00:37:32,300 --> 00:37:34,800
So definitely looking and 
changing our approach a little 

711
00:37:34,800 --> 00:37:37,800
bit from a priority perspective 
of high priority. 

712
00:37:37,800 --> 00:37:40,600
highly sensitive information
versus less sensitive 

713
00:37:40,600 --> 00:37:44,600
information. Had there been
instances where after you've 

714
00:37:44,600 --> 00:37:47,000
gone through sort of, that 
analysis, maybe something that

715
00:37:47,000 --> 00:37:50,900
was marked as critical really 
wasn't so critical lunch menu. 

716
00:37:50,900 --> 00:37:54,300
Something like that as I added 
something that was maybe not 

717
00:37:54,300 --> 00:37:56,400
marked as critical.
Probably should have had a 

718
00:37:56,408 --> 00:38:00,200
higher, you know, security or, 
you know, approval process 

719
00:38:00,200 --> 00:38:02,600
around it. 
Did you address discover any of 

720
00:38:02,607 --> 00:38:05,100
that kind of as your process 
went through every day. 

721
00:38:05,300 --> 00:38:07,400
Every day we have a new 
discovery. 

722
00:38:07,400 --> 00:38:09,500
There's always that little 
pocket of something over there. 

723
00:38:09,500 --> 00:38:12,500
That wasn't labeled as admin and
when you drill into it, oh no.

724
00:38:12,500 --> 00:38:16,700
Wow, that was, that was a big 
one, you know, and I again from 

725
00:38:16,700 --> 00:38:19,500
the compliance area, I make sure
that our entitlements are 

726
00:38:19,500 --> 00:38:23,900
variable tag from a criticality 
perspective and it did not read 

727
00:38:23,900 --> 00:38:26,500
only update or admin. 
Those are your big three, you 

728
00:38:26,500 --> 00:38:29,300
know, and then we kind of go 
from there and then but PCI 

729
00:38:29,300 --> 00:38:33,300
relevance and things. 
But yeah and and then a big one 

730
00:38:33,300 --> 00:38:35,300
is putting something out there 
that should be birthright,

731
00:38:35,300 --> 00:38:36,700
Everybody? 
Like internet access. 

732
00:38:37,000 --> 00:38:41,700
You know, and if you drop that 
out there yeah it's not really 

733
00:38:41,700 --> 00:38:43,000
over. 
Overly critical, people really 

734
00:38:43,000 --> 00:38:46,200
do need to get to the internet. 
Yeah, I've seen that the last 

735
00:38:46,200 --> 00:38:48,300
couple years especially with 
obviously covid working from 

736
00:38:48,300 --> 00:38:49,900
home. 
There was a lot of scramble to 

737
00:38:49,900 --> 00:38:53,700
get VPN in front of everybody. 
So I would imagine maybe there 

738
00:38:53,700 --> 00:38:57,300
were some role adjustments made in
the last couple of years to 

739
00:38:57,300 --> 00:38:59,200
provide, you know, network 
access, you know, whatever. 

740
00:38:59,200 --> 00:39:02,200
It may be. 
Jim you know, if we if we think 

741
00:39:02,200 --> 00:39:05,500
about it from sort of the level 
of what, you know, other 

742
00:39:05,500 --> 00:39:07,500
companies in the industry are 
in, this industry are doing at 

743
00:39:07,500 --> 00:39:10,700
least this space of identity. 
Where do you typically see 

744
00:39:10,700 --> 00:39:14,800
companies starting with roles? I
think I'll kind of put my two 

745
00:39:14,800 --> 00:39:17,000
cents in front and maybe you can
either tell me, I'm crazy or 

746
00:39:17,000 --> 00:39:21,200
whatever. 
I see roles typically as a

747
00:39:21,200 --> 00:39:24,600
little bit more of a mature
step down a company's identity 

748
00:39:24,600 --> 00:39:28,100
journey. Typically, you know,
we're going to a company and 

749
00:39:28,100 --> 00:39:30,400
we're kinda helping them out. 
It's well, we're still doing 

750
00:39:30,400 --> 00:39:33,800
things by hand. 
It's manual, faxes are coming in,

751
00:39:33,800 --> 00:39:35,400
right. 
Things are being printed out, 

752
00:39:35,500 --> 00:39:38,700
and I think there's probably 
some level of baseline identity

753
00:39:38,700 --> 00:39:41,400
capability that needs to exist 
before it

754
00:39:41,400 --> 00:39:44,000
really
makes sense to look at roles and

755
00:39:44,000 --> 00:39:45,700
start to do, like the role now 
is to out. 

756
00:39:45,700 --> 00:39:48,600
Ashley was mentioning before. 
How do you see sort of that 

757
00:39:48,600 --> 00:39:50,700
process working? 
Or do you think it's viable to 

758
00:39:50,700 --> 00:39:53,000
start with? 
Hey, let's start with roles and

759
00:39:53,000 --> 00:39:56,800
then work backwards from there. 
I think we're all under under 

760
00:39:56,800 --> 00:40:00,800
pressure to deliver. 
So I think doing some of the 

761
00:40:00,800 --> 00:40:05,400
baseline or three roles right
off the bat makes sense. 

762
00:40:05,400 --> 00:40:09,400
So if you're implementing an IGA
system for the first time, for 

763
00:40:09,400 --> 00:40:14,200
example, you know, automatically
provisioning, somebody's IT

764
00:40:14,200 --> 00:40:18,000
capabilities, their
SharePoint access, the VPN 

765
00:40:18,000 --> 00:40:20,300
access, I think those are things
you can do. 

766
00:40:21,300 --> 00:40:24,900
I think it comes down to kind of
one of the things I making 

767
00:40:24,900 --> 00:40:25,600
myself. 
Notes. 

768
00:40:25,600 --> 00:40:29,000
Those folks are talking, there's
so much good content here but is

769
00:40:29,000 --> 00:40:32,400
like this 80/20 concept, right?
Because I was thinking one of 

770
00:40:32,408 --> 00:40:34,700
the questions and I hope in my 
stealing from your questions 

771
00:40:34,700 --> 00:40:37,300
here, but it's like when are you
done, right? 

772
00:40:37,300 --> 00:40:40,600
And it's like, you don't need a 
role for every single thing. 

773
00:40:40,800 --> 00:40:44,200
You technically within your 
product it might be called roles

774
00:40:44,200 --> 00:40:47,200
and you have to have a role for 
everything that gets assigned, 

775
00:40:47,700 --> 00:40:50,500
but you don't need to have kind 
of that traditional business 

776
00:40:50,500 --> 00:40:55,100
role or technical role for every
single thing. 

777
00:40:55,200 --> 00:40:58,400
Thing, I think you have to 
prioritize. 

778
00:40:58,600 --> 00:41:02,500
So a couple things in my 
opinion, the right way to go 

779
00:41:02,508 --> 00:41:06,900
about this is first start by 
focusing on those

780
00:41:06,900 --> 00:41:10,800
IT roles that we talked about.
Second is, go department by

781
00:41:10,800 --> 00:41:13,000
department. 
So don't try and do a little bit

782
00:41:13,000 --> 00:41:16,700
with each department, pick a
department where you have an IT

783
00:41:16,700 --> 00:41:20,500
liaison or somebody who 
represents that department, who 

784
00:41:20,500 --> 00:41:24,200
really thinks roles is a good
idea that's going to save their 

785
00:41:24,200 --> 00:41:28,300
folks, a lot of Pray, if you get
that person who really thinks is

786
00:41:28,300 --> 00:41:30,700
a good idea, they're going to 
put in the effort. 

787
00:41:30,700 --> 00:41:33,900
So that's where I say to start 
and start with, you know, I 

788
00:41:33,900 --> 00:41:37,200
think Ashley brought up the idea
of like data mining. 

789
00:41:37,400 --> 00:41:41,000
I ultimately feel like you have 
that data, you analyze that data

790
00:41:41,000 --> 00:41:44,300
and then you engineer your roles
from the top down. 

791
00:41:44,300 --> 00:41:46,600
So they make sense to human 
beings. 

792
00:41:46,600 --> 00:41:49,800
I think if you let the AI do
all the work, you get these 

793
00:41:49,800 --> 00:41:54,400
roles that don't make any sense 
to people, and it's kind of like

794
00:41:54,400 --> 00:41:58,600
a You have to be able to explain
what the role does. 

795
00:41:58,600 --> 00:42:00,900
Somebody has to actually 
conceptualize. 

796
00:42:00,900 --> 00:42:06,000
Like if I give this person ERP
clerk access a list of login 

797
00:42:06,100 --> 00:42:09,300
gives them access to the 
dashboard and lets them do these

798
00:42:09,300 --> 00:42:11,700
functions. 
It's not like all these nebulous

799
00:42:11,700 --> 00:42:16,000
things that could come with it. 
A couple other thoughts that I 

800
00:42:16,000 --> 00:42:19,100
was having is, you know, you 
need to have business ownership 

801
00:42:19,100 --> 00:42:22,600
over roles. 
So even if they're IT roles, there

802
00:42:22,600 --> 00:42:25,100
should be an IT person who's 
assigned. 

803
00:42:25,200 --> 00:42:28,400
as a business owner of that role.
What you don't want to have is

804
00:42:28,500 --> 00:42:32,200
like your SailPoint
administrator be the owner of 

805
00:42:32,200 --> 00:42:36,600
the role in like, you know, like
who owns the role? Well, it's just

806
00:42:36,800 --> 00:42:39,700
the IAM person.
No, should be a business owner, 

807
00:42:39,700 --> 00:42:43,700
whether that's an IT person or 
someone that Finance or HR. 

808
00:42:44,100 --> 00:42:46,700
And then the other point that I 
was the last one. 

809
00:42:46,700 --> 00:42:48,900
I swear. 
But it was, you know, one of the

810
00:42:48,900 --> 00:42:50,900
things I was hearing over and 
over again. 

811
00:42:50,900 --> 00:42:57,100
was this idea of IAM fatigue,
you know, like when we set up

812
00:42:57,100 --> 00:43:00,000
our system and it's like 
constantly asking people for 

813
00:43:00,200 --> 00:43:03,800
approval, approve this and approve
that they get blown away and 

814
00:43:03,800 --> 00:43:05,400
they're just like yeah whatever 
whatever. 

815
00:43:05,400 --> 00:43:13,800
It's the same thing with like 
make sense, some be roles so the

816
00:43:13,800 --> 00:43:18,100
lunch menu idea like what about 
thinking about like it's lunch 

817
00:43:18,100 --> 00:43:21,800
menus, low-risk, why not auto
approve and let that thing go 

818
00:43:21,800 --> 00:43:24,900
through? Yeah, you got there for
a second. 

819
00:43:24,900 --> 00:43:26,500
I think you're going for the 
fatigue part. 

820
00:43:26,500 --> 00:43:28,700
We see that a lot with MFA 
fatigue and that's one of the 

821
00:43:28,707 --> 00:43:31,800
common ways that people are 
getting breached is you get 

822
00:43:31,800 --> 00:43:34,300
spammed a whole bunch of times 
on your phone's like, you know 

823
00:43:34,300 --> 00:43:36,800
and you just end up hitting 
approve just to make it go away and

824
00:43:36,800 --> 00:43:40,000
the person got in. Sean asked a
couple questions and I would 

825
00:43:40,000 --> 00:43:41,800
certainly encourage folks who 
are out there, you know, 

826
00:43:41,800 --> 00:43:44,800
watching and listening whatever.
Maybe to throw them to the Q&A. 

827
00:43:45,100 --> 00:43:46,900
I'm going to hit the second one 
first he sent and because I 

828
00:43:46,908 --> 00:43:48,400
think this is a real important 
one. 

829
00:43:48,800 --> 00:43:51,100
How do you tackle conversations 
with HR? 

830
00:43:51,100 --> 00:43:53,100
Let's say, you know, you're 
running like a Workday or an

831
00:43:53,100 --> 00:43:54,800
Oracle,
an ADP or something like that,

832
00:43:54,800 --> 00:43:55,900
right? 
There's this authoritative 

833
00:43:55,900 --> 00:43:59,500
source for identity and continue
to establish enough information 

834
00:43:59,500 --> 00:44:03,300
to use membership criteria in a 
role without an issue of 

835
00:44:03,300 --> 00:44:07,300
Upstream issue up without an 
issue of Upstream issues of I 

836
00:44:07,300 --> 00:44:09,600
could say it just right. 
So what I think we're getting at

837
00:44:09,600 --> 00:44:12,400
here is you've got data coming 
from your authoritative source.

838
00:44:12,800 --> 00:44:16,000
How do you make sure that really
all the business stakeholders 

839
00:44:16,000 --> 00:44:20,000
are part of this from the HR 
side to make sure that when 

840
00:44:20,000 --> 00:44:22,300
you're designing roles and 
identity side, and maybe Prince,

841
00:44:22,300 --> 00:44:24,300
we'll go with you first.
How do you make sure that 

842
00:44:24,300 --> 00:44:27,400
there's not that conflict that 
business engagement with, you 

843
00:44:27,400 --> 00:44:31,100
know, other non identity groups 
to make sure that those conflicts

844
00:44:31,100 --> 00:44:32,900
don't exist? 
Yeah. 

845
00:44:32,900 --> 00:44:36,000
You know it's a really if I 
could simplify the answer I 

846
00:44:36,008 --> 00:44:40,500
would say this phrase. 
Do with me and not do to me and 

847
00:44:40,500 --> 00:44:44,900
when you bring people along you 
kind of show the journey, you

848
00:44:44,900 --> 00:44:47,800
can kind of create this 
atmosphere of partnership and 

849
00:44:47,800 --> 00:44:51,300
collaboration where when they're
put in when you're working on 

850
00:44:51,900 --> 00:44:55,600
information in HR, right?
You're bringing them along to 

851
00:44:55,600 --> 00:44:59,300
say, hey when you, we're going 
to key off of this information 

852
00:44:59,300 --> 00:45:01,700
or would like to key off of this
information, right? 

853
00:45:01,700 --> 00:45:03,500
How are your processes,
are they robust?

854
00:45:03,500 --> 00:45:06,100
Are they accurate? 
Do you have process to catch 

855
00:45:06,100 --> 00:45:07,700
when? 
You know, when you're when 

856
00:45:07,700 --> 00:45:09,400
someone does not have a job 
title? 

857
00:45:09,400 --> 00:45:11,800
Are you fixing that, right? 
Those type of things. 

858
00:45:11,800 --> 00:45:14,700
So that way you don't have 
these, you know, unanticipated 

859
00:45:14,700 --> 00:45:17,300
issues down the line. 
So you're bringing everybody 

860
00:45:17,300 --> 00:45:20,000
along with their journey because,
like someone said, everyone

861
00:45:20,000 --> 00:45:23,700
really has a unique part to play
the identity practitioner

862
00:45:24,100 --> 00:45:27,300
does not know most times what
these roles are what they give 

863
00:45:27,300 --> 00:45:29,700
you access to do, et cetera.
So I really think it's that 

864
00:45:29,700 --> 00:45:32,600
collaborate collaborative 
process and iterative process 

865
00:45:32,600 --> 00:45:35,800
over time and bringing people 
with you that kind of helps, 

866
00:45:35,800 --> 00:45:38,300
make sure that everyone is kind 
of playing on the same team. 

867
00:45:39,200 --> 00:45:43,000
I think, you know, the butterfly
effect is absolutely a 

868
00:45:43,008 --> 00:45:45,500
phenomenal phenomenal. 
When it comes to changes in 

869
00:45:45,500 --> 00:45:47,700
roles, right?
Everyone really needs to 

870
00:45:47,700 --> 00:45:51,600
understand that there are 
repercussions for changes in 

871
00:45:51,600 --> 00:45:55,200
source data.
So, you know, if a role changes

872
00:45:55,200 --> 00:45:58,800
or a job title changes or a job 
code changes or whatever. 

873
00:45:58,800 --> 00:46:03,300
may be, you really need your
friends over on the HR IT side

874
00:46:03,300 --> 00:46:06,500
or whoever is kind of managing 
the data within that system to 

875
00:46:06,500 --> 00:46:08,500
be your friend. 
You know, Chris is echoing. 

876
00:46:08,500 --> 00:46:10,300
Do with me, not to me, that's 
gold. 

877
00:46:10,300 --> 00:46:13,000
That's obviously honey is 
sweeter than a stick. 

878
00:46:13,100 --> 00:46:16,700
You try not to have the stick 
but, you know, honey is probably

879
00:46:16,700 --> 00:46:20,000
the better way to go through it.
I want to kind of tease out this

880
00:46:20,000 --> 00:46:22,800
other than kind of the 
underlying thread of engagement

881
00:46:22,800 --> 00:46:26,200
with the business that Shana
was getting to, you know, Beth 

882
00:46:26,200 --> 00:46:29,000
when you're going through this 
process of kind of role design.

883
00:46:29,200 --> 00:46:31,000
How do you tackle that 
engagement with the business? 

884
00:46:31,000 --> 00:46:33,100
Because Jim, I think, mentioned an
important thing here which is 

885
00:46:33,600 --> 00:46:37,000
the business really should own
the role. It's their data, they

886
00:46:37,000 --> 00:46:40,100
should be responsible and 
understand what it is that

887
00:46:40,100 --> 00:46:42,500
they're approving which 
sometimes can be a challenge. 

888
00:46:43,600 --> 00:46:46,300
Yeah. 
So we have two topics there and 

889
00:46:46,300 --> 00:46:51,600
I'm not sure which one to to hit
first but one is from the end of

890
00:46:51,600 --> 00:46:54,100
line manager, you know, 
approving for their own peace 

891
00:46:54,100 --> 00:46:57,200
and making sure that the roles 
of they're approving or what 

892
00:46:57,200 --> 00:46:59,600
they're seeing. 
It has a good enough definition 

893
00:46:59,600 --> 00:47:02,600
so they really can understand. 
We definitely get feedback on 

894
00:47:02,600 --> 00:47:06,100
that all the time and then on 
the role itself is having the

895
00:47:06,100 --> 00:47:08,900
owner actually go back and 
improve the content of that role

896
00:47:08,900 --> 00:47:11,100
and making sure that they truly 
do understand. 

897
00:47:11,300 --> 00:47:14,300
The elements that they are 
certifying that are inserted

898
00:47:14,300 --> 00:47:18,800
into that role. 
Just lots of communication out 

899
00:47:18,800 --> 00:47:22,400
there with the business side and
we're getting lots of feedback. 

900
00:47:22,500 --> 00:47:24,900
You know, it's great when you 
get feedback because that means 

901
00:47:24,900 --> 00:47:27,600
that they're reading or trying
to be engaged with it and they 

902
00:47:27,600 --> 00:47:29,800
don't understand what it is that
we're pushing out. 

903
00:47:29,900 --> 00:47:32,400
We need to listen to that, and 
figure out what we can do to 

904
00:47:32,400 --> 00:47:35,800
make that more clear. 
Yeah, Sean brings up a good

905
00:47:35,800 --> 00:47:37,700
point, where sometimes
We've got, you know, 

906
00:47:37,700 --> 00:47:40,900
non-technical people who are 
responsible for technical things

907
00:47:40,900 --> 00:47:42,300
and they may not understand 
that. 

908
00:47:42,500 --> 00:47:45,100
I think, you know, hit that sort
of internal consulting role

909
00:47:45,100 --> 00:47:47,900
that, you know, each of us might
play for our organizations. 

910
00:47:48,200 --> 00:47:52,300
Ashley, you know, when it comes 
to helping people understand, 

911
00:47:52,300 --> 00:47:56,300
maybe how their change, how 
their decisions might impact 

912
00:47:56,300 --> 00:47:58,600
downstream
IAM things.

913
00:47:58,600 --> 00:48:00,000
How do you typically engage with
that, and

914
00:48:00,000 --> 00:48:02,500
Do you have any tips for us? 
Sure. 

915
00:48:02,500 --> 00:48:06,300
So just going based on that 
constant communication. 

916
00:48:06,300 --> 00:48:10,000
I think one of those things 
beginning from an HR perspective

917
00:48:10,100 --> 00:48:13,600
is just to see what type of 
notifications you can receive 

918
00:48:13,600 --> 00:48:15,300
let them know. 
Hey, if you're making a change, 

919
00:48:15,300 --> 00:48:18,000
let us know, like it might be
something that affects us or

920
00:48:18,008 --> 00:48:22,300
maybe not but always let us know
in regards to application teams 

921
00:48:22,300 --> 00:48:24,500
and their changes. 
I always try to encourage them 

922
00:48:24,500 --> 00:48:28,300
to talk to us first before they 
want to update a rule because a 

923
00:48:28,300 --> 00:48:31,700
lot of times they don't have the
visibility to user perspectives 

924
00:48:31,700 --> 00:48:35,800
that we do, so that they can say,
hey, I want to push this role to

925
00:48:35,800 --> 00:48:38,600
this user population and I'll go
back and I'll pull the 

926
00:48:38,600 --> 00:48:41,000
population and say, is this what
you want? 

927
00:48:41,000 --> 00:48:43,700
And they go, oh no, this is not 
what I want and like. 

928
00:48:43,700 --> 00:48:45,600
Well, that's what you say. 
It looks like, let's define it. 

929
00:48:45,600 --> 00:48:49,600
And tweak it, you kind of 
determined that working 

930
00:48:49,600 --> 00:48:51,700
partnership value through those 
conversations. 

931
00:48:51,700 --> 00:48:54,900
They see what level they can 
bring to the table. 

932
00:48:54,900 --> 00:48:57,600
And then what level your team 
can bring to the table as well. 

933
00:48:58,300 --> 00:49:00,900
Yeah, I think there's a yin and 
yang that comes to it when it's 

934
00:49:00,900 --> 00:49:03,700
you're trying to help them and 
sometimes you have to help them,

935
00:49:03,700 --> 00:49:09,800
not be their own worst enemy.
Yes, Shawn wants to know how 

936
00:49:09,800 --> 00:49:12,300
many of us have successfully 
rolled out roles in our 

937
00:49:12,300 --> 00:49:13,900
business. 
So I'm actually going to open 

938
00:49:13,900 --> 00:49:16,800
this up to everybody. 
If you can use the raise hand 

939
00:49:16,800 --> 00:49:20,400
feature in the in the webinar, 
I'd love to see just kind of 

940
00:49:20,400 --> 00:49:24,200
a count if you've rolled out.
If you've successfully rolled 

941
00:49:24,200 --> 00:49:27,500
out roles within your business, 
I'm going to give people a 

942
00:49:27,500 --> 00:49:29,500
couple minutes kind of think 
about that if whether they 

943
00:49:29,500 --> 00:49:31,200
really think they were 
successful or not because 

944
00:49:31,200 --> 00:49:33,900
there's probably different
degrees of, you know, were we 

945
00:49:33,900 --> 00:49:35,700
successful or what do we define
as that.

946
00:49:36,500 --> 00:49:40,100
I'm going to start with Prince 
when it comes to the role 

947
00:49:40,100 --> 00:49:43,600
perspective. 
How successful do you think 

948
00:49:43,600 --> 00:49:46,200
you've been to date and getting 
this put in place? 

949
00:49:46,600 --> 00:49:49,100
Yeah. 
So the way I measure success

950
00:49:49,100 --> 00:49:52,300
is I like to personally start 
with the small wins right? 

951
00:49:52,500 --> 00:49:55,900
Because those small wins allow 
me to keep going and I say oh I 

952
00:49:55,900 --> 00:49:58,600
see how that works. 
It starts to tell the story and 

953
00:49:58,600 --> 00:50:02,100
go to that next phase. 
So for example, if we know

954
00:50:02,100 --> 00:50:06,000
that every employee is entitled 
to VPN access and there's a

955
00:50:06,000 --> 00:50:08,600
process of change management 
process now today that you 

956
00:50:08,600 --> 00:50:11,300
request it, and it goes to all 
these approvers, that's 

957
00:50:11,400 --> 00:50:14,900
approval for it, et cetera.
So to the business, they may 

958
00:50:14,900 --> 00:50:16,900
say, you know what what it'd be 
great. 

959
00:50:16,900 --> 00:50:20,500
If if if you are an employee and
we do just had that on day one 

960
00:50:20,700 --> 00:50:23,400
and I say yeah, that would be 
great and we could help you do 

961
00:50:23,400 --> 00:50:26,200
it. 
So you start by addressing a 

962
00:50:26,207 --> 00:50:28,400
problem. 
That is a pain point for them 

963
00:50:28,700 --> 00:50:31,700
and then start to build into the
security risk, et cetera.

964
00:50:31,900 --> 00:50:34,500
So that way you have some small 
wins and you can get some 

965
00:50:34,500 --> 00:50:36,600
momentum and it starts getting 
bigger and bigger. 

966
00:50:36,800 --> 00:50:38,400
And that's how we kind of rolled
out. 

967
00:50:38,400 --> 00:50:41,200
Our roles in the organization 
were things that, you know, are 

968
00:50:41,200 --> 00:50:43,500
very important to them. 
And then we start to say, okay, 

969
00:50:43,500 --> 00:50:46,400
now that we've done that, what's
the next model? 

970
00:50:46,400 --> 00:50:49,100
What's the next iteration of 
this that we can continue to 

971
00:50:49,100 --> 00:50:53,200
help strengthen our posture.
So I'm hearing sort of like the 

972
00:50:53,200 --> 00:50:55,200
initial improv training of. 
Yes. 

973
00:50:55,200 --> 00:50:58,000
And that's the answer. 
Like okay, how are we going to 

974
00:50:58,008 --> 00:50:59,000
do this? 
Yes, we can. 

975
00:50:59,000 --> 00:51:01,100
And here's how we're going to do
it, right? 

976
00:51:01,400 --> 00:51:03,100
Pull it in. 
The proper framework rules 

977
00:51:03,100 --> 00:51:05,100
guardrails, whatever it may be.
Beth,

978
00:51:05,100 --> 00:51:07,100
What do you think from a success
standpoint? 

979
00:51:07,100 --> 00:51:09,200
How successful do you think 
roles have been from a rollout

980
00:51:09,200 --> 00:51:10,500
perspective for your 
organization? 

981
00:51:11,300 --> 00:51:13,600
Yeah, so you know what's the 
definition of done, right? 

982
00:51:13,600 --> 00:51:15,100
I don't think we're ever going 
to be done. 

983
00:51:15,400 --> 00:51:18,100
You know, it's going to be a 
constant bridge painting, you

984
00:51:18,100 --> 00:51:20,500
know, where you can go back and 
new applications are introduced 

985
00:51:20,500 --> 00:51:25,600
but from a success
standpoint, our community has

986
00:51:25,600 --> 00:51:28,200
embraced it, and that is 
fantastic. 

987
00:51:28,600 --> 00:51:31,700
Everyone is impacted from the 
end user through

988
00:51:31,900 --> 00:51:34,900
managers that have to approve, they're
all impacted whether they didn't

989
00:51:34,900 --> 00:51:37,000
get their access on day
one that they needed to get

990
00:51:37,000 --> 00:51:39,800
their job done or the managers 
like you said are just tired of

991
00:51:39,800 --> 00:51:42,100
approving and processing things 
through. 

992
00:51:42,400 --> 00:51:46,900
So everyone has embraced the 
idea of birthright now.

993
00:51:46,900 --> 00:51:49,800
Gorgeous Bright Walls, what can 
we get done day one that nobody 

994
00:51:49,800 --> 00:51:53,900
really has to look at and that 
helps the employee have a great 

995
00:51:53,900 --> 00:51:58,000
first day on the job. 
So success is, you know, positive

996
00:51:58,000 --> 00:51:59,900
feedback. 
We're reducing the friction

997
00:51:59,900 --> 00:52:03,600
for people and getting some good
feedback from integers that 

998
00:52:03,600 --> 00:52:06,500
their time is not spent in a 
wasted way. 

999
00:52:07,000 --> 00:52:09,700
Nobody wants to waste time as 
the one thing that bothers me, 

1000
00:52:09,700 --> 00:52:12,700
every time is sending a manager 
an approval for something that

1001
00:52:12,700 --> 00:52:15,600
they're going to approve 100% of
the time, like, what is the 

1002
00:52:15,600 --> 00:52:17,900
point of that? 
That's checkbox compliance at 

1003
00:52:17,900 --> 00:52:20,400
its worst.
You know, I'm looking at the 

1004
00:52:20,400 --> 00:52:23,700
hands raised and I think we're 
in the minority we've only got 

1005
00:52:23,700 --> 00:52:26,000
really a couple hands that are 
raised that have actually that 

1006
00:52:26,000 --> 00:52:27,800
they think they've been 
successful so far, it sounds 

1007
00:52:27,800 --> 00:52:30,100
like Prince you've been 
successful Beth your 

1008
00:52:30,100 --> 00:52:31,600
organization's been successful with
it. 

1009
00:52:31,900 --> 00:52:34,600
Ashley, what about your
organization over at Lowe's? 

1010
00:52:34,800 --> 00:52:37,600
How successful do you think the 
rollout has been of role-based 

1011
00:52:37,600 --> 00:52:40,900
access control to date?
I think we've been very 

1012
00:52:41,100 --> 00:52:43,200
successful with the rollout of 
roles. 

1013
00:52:43,200 --> 00:52:45,700
I think, you know, to
everybody's point, roles is

1014
00:52:45,700 --> 00:52:47,800
something that you can never 
mark as done.

1015
00:52:47,800 --> 00:52:51,400
So that fatigue will always stay
in place because as users, you 

1016
00:52:51,400 --> 00:52:54,100
know, there's the birthright 
access and they're used to not 

1017
00:52:54,100 --> 00:52:56,600
approving that anymore.
But then as your organization 

1018
00:52:56,600 --> 00:52:59,600
changes or your IT landscape
changes, there's new things that

1019
00:52:59,600 --> 00:53:01,700
need to be approved and the
users get to take that. 

1020
00:53:01,800 --> 00:53:03,700
Way. 
So there's always opportunity to

1021
00:53:03,700 --> 00:53:08,100
improve your rules, but I think 
a big thing in our organization 

1022
00:53:08,100 --> 00:53:11,000
that we can show how successful 
we are, it is to actually take 

1023
00:53:11,000 --> 00:53:14,400
the time to do the analysis and 
the metrics to see. 

1024
00:53:14,400 --> 00:53:16,800
All right, we think our roles 
are successful, but how 

1025
00:53:16,800 --> 00:53:19,600
successful are they? 
So what percentage of the users 

1026
00:53:19,600 --> 00:53:22,900
actually receive a role? Is there a
subset of the population that's

1027
00:53:22,900 --> 00:53:24,500
missing? 
Do they actually need a role? 

1028
00:53:24,500 --> 00:53:27,600
Do they not? 
And then also go at it from like

1029
00:53:27,600 --> 00:53:31,500
a quantifiable view in terms of 
dollar amounts, just saying 

1030
00:53:31,900 --> 00:53:34,300
Here's what we have automated so
far. 

1031
00:53:34,300 --> 00:53:37,600
How much does this actually save
the money into our save the 

1032
00:53:37,600 --> 00:53:41,700
company in terms of dollars? 
So I saw a third hand raised up 

1033
00:53:41,700 --> 00:53:44,300
definitely still in the minority
of the 40 or so people, we've 

1034
00:53:44,300 --> 00:53:47,900
got on the call today, it seems 
like there's a lot of work to be

1035
00:53:47,900 --> 00:53:51,200
done when it comes to getting 
roles in place, which doesn't 

1036
00:53:51,200 --> 00:53:52,700
surprise me. 
I think roles are very 

1037
00:53:52,700 --> 00:53:54,700
difficult, and I'm going to put 
Jim on the spot here. 

1038
00:53:55,000 --> 00:53:57,900
Jim of the hundreds of clients 
that we've worked with what 

1039
00:53:57,900 --> 00:54:02,500
percentage would you say have 
successfully rolled out roles?

1040
00:54:04,100 --> 00:54:08,100
I mean it depends on what you 
mean by success, right? 

1041
00:54:08,200 --> 00:54:12,400
They like I mean to that point 
like if the success is when 

1042
00:54:12,400 --> 00:54:16,600
you've rolled it out and you're 
not doing it anymore, well 0% 

1043
00:54:16,600 --> 00:54:18,400
you're always going to be doing 
roles. 

1044
00:54:18,600 --> 00:54:23,500
But if you're talking about who 
have achieved value through the 

1045
00:54:23,500 --> 00:54:26,900
use of roles, that is success.
Obviously, if you spent a 

1046
00:54:26,908 --> 00:54:29,400
million dollars and you have 
very little value, that's not a 

1047
00:54:29,408 --> 00:54:32,900
success, right? But I think a very
high percentage of people who,

1048
00:54:33,600 --> 00:54:37,800
organizations that do some form of
roles tend to get, you know, 

1049
00:54:37,800 --> 00:54:41,300
outsized value, especially the
early roles because you tend to 

1050
00:54:41,308 --> 00:54:43,600
focus on the biggest bang for 
the buck. 

1051
00:54:44,000 --> 00:54:47,800
If I could, I took a note and 
I waited patiently, so on the

1052
00:54:48,000 --> 00:54:52,000
other question around HR data. 
So I feel like, you know, from a

1053
00:54:52,000 --> 00:54:57,000
consultant perspective, there's 
two formal ways to handle that. 

1054
00:54:57,100 --> 00:55:00,900
So the first is, how do you 
prevent getting blindsided by 

1055
00:55:00,900 --> 00:55:04,800
this at the very low? 
Let's start with how do you make

1056
00:55:04,800 --> 00:55:09,000
sure that some change doesn't go
into effect on your HR system

1057
00:55:09,000 --> 00:55:11,600
that you weren't aware of and it
crashes your system. 

1058
00:55:11,900 --> 00:55:15,300
So for me that's done in change 
management. 

1059
00:55:15,500 --> 00:55:19,800
So change management should be, 
you know, the HR system should

1060
00:55:19,800 --> 00:55:25,500
be not changing values in their 
system without going through 

1061
00:55:25,500 --> 00:55:26,700
change management. 
You know. 

1062
00:55:26,700 --> 00:55:29,200
So they're not like middle of 
the week, just deciding to go 

1063
00:55:29,200 --> 00:55:33,300
from 3-digit location codes to
four-digit location codes.

1064
00:55:33,600 --> 00:55:36,400
As you go through change 
management, most companies do 

1065
00:55:36,400 --> 00:55:39,400
like one or two rounds of change
management where there's release

1066
00:55:39,400 --> 00:55:43,900
notes, you have to have a member
of your IAM team on the change

1067
00:55:43,900 --> 00:55:46,000
management board so you can 
catch that. 

1068
00:55:46,500 --> 00:55:49,800
What you really should do though
is catch that early when the 

1069
00:55:49,800 --> 00:55:54,000
project is being defined. 
And so as part of your SDLC, you

1070
00:55:54,000 --> 00:55:57,600
should have a security architect
or IAM architect who looks for

1071
00:55:57,600 --> 00:56:02,100
things that would trigger. 
Hey, this is going to affect us 

1072
00:56:02,400 --> 00:56:06,600
our feed from HR is going to 
break when we go from three 

1073
00:56:06,600 --> 00:56:10,200
digit codes to four-digit codes, if
we don't make an adjustment so 

1074
00:56:10,200 --> 00:56:15,300
that they can input to that 
project team that, hey, IAM

1075
00:56:15,300 --> 00:56:17,400
needs to be involved. 
Yeah, I think we're talking 

1076
00:56:17,400 --> 00:56:20,400
about there was like the IAM seat at
the table right there, identity 

1077
00:56:20,400 --> 00:56:24,200
is threaded throughout an 
organization and really anybody 

1078
00:56:24,200 --> 00:56:26,500
who's working on identity 
whoever is leading that program.

1079
00:56:26,500 --> 00:56:30,000
It is a program not a project 
for an organization. 

1080
00:56:30,000 --> 00:56:32,900
They should be involved heavily 
with any stuff. 

1081
00:56:33,200 --> 00:56:36,100
There's a couple of questions
that came in from Roshan and

1082
00:56:36,100 --> 00:56:39,500
Christopher basically dealing 
with kind of a similar issue and

1083
00:56:39,500 --> 00:56:45,700
that is data quality or missing 
data or changes in data from the

1084
00:56:45,700 --> 00:56:49,000
authoritative source, and Jim, you
kind of touched on just now, you

1085
00:56:49,000 --> 00:56:51,800
know, I feel bad for Chris and 
it's gonna stay here is like, 

1086
00:56:52,000 --> 00:56:55,700
yeah, they went through an 
acquisition and it broke. 

1087
00:56:55,700 --> 00:56:59,700
All their birthright RBAC
roles because I'm guessing the

1088
00:56:59,700 --> 00:57:02,800
authoritative source changed some
data and the identity team 

1089
00:57:03,300 --> 00:57:05,100
either
was involved and didn't have

1090
00:57:05,100 --> 00:57:08,500
work, give it enough time to 
make updates, or most likely, 

1091
00:57:08,500 --> 00:57:10,600
they probably weren't as 
involved with it and found out 

1092
00:57:10,600 --> 00:57:14,500
sort of, after the fact, that's 
a tough one to come through. 

1093
00:57:14,500 --> 00:57:16,600
I mean, this is where 
communication is absolutely 

1094
00:57:16,600 --> 00:57:21,400
vital people need to know, just 
how integrated the identity 

1095
00:57:21,400 --> 00:57:25,500
program is with all of the 
systems. If it's done right, it's

1096
00:57:25,500 --> 00:57:28,300
great, right? 
You reduce risk, everyone's 

1097
00:57:28,300 --> 00:57:32,100
having an easier process to get 
on board at off border off board

1098
00:57:32,100 --> 00:57:34,700
a compliance. 
RIT all that stuff. 

1099
00:57:34,800 --> 00:57:37,900
It's a great easy button but if 
it's not coordinated well and 

1100
00:57:37,900 --> 00:57:39,500
not communicated
well, it is an absolute

1101
00:57:39,500 --> 00:57:41,800
nightmare so that is definitely 
an issue. 

1102
00:57:41,800 --> 00:57:43,600
And I think, you know, there's 
another part of this where 

1103
00:57:43,600 --> 00:57:47,700
Roshan was talking about sort of
missing identity attributes 

1104
00:57:47,700 --> 00:57:51,100
within an authoritative source 
and how people are handling 

1105
00:57:51,100 --> 00:57:52,900
that. 
I think there's an opportunity 

1106
00:57:52,900 --> 00:57:57,500
probably to have some sort of 
like augmented attribute lists. 

1107
00:57:57,500 --> 00:58:00,000
It could be within your IGA
platform, it could be within, 

1108
00:58:00,000 --> 00:58:03,800
maybe something like an Active
Directory or LDAP, that is Add

1109
00:58:03,800 --> 00:58:06,500
by an authoritative Source. 
I'm curious, I'll start with you

1110
00:58:06,500 --> 00:58:12,400
Ashley from a missing or broken 
attribute standpoint. 

1111
00:58:12,400 --> 00:58:15,600
Is that something that you've 
had to deal with in the past? 

1112
00:58:16,400 --> 00:58:18,800
If it and if not, if it's 
something were to come up, how 

1113
00:58:18,800 --> 00:58:20,000
do you think you would address 
that today? 

1114
00:58:20,700 --> 00:58:24,000
Sure it's definitely something 
we've gone through in the past 

1115
00:58:24,000 --> 00:58:27,500
but I think we try to catch it 
at the beginning as we onboard 

1116
00:58:27,500 --> 00:58:29,800
new applications. 
So we actually take the time to 

1117
00:58:29,800 --> 00:58:32,500
look at those attribute
mappings and see what would

1118
00:58:32,500 --> 00:58:34,600
be missing from these
specific identities.

1119
00:58:34,700 --> 00:58:36,400
So that's where we mainly 
capture it. 

1120
00:58:36,400 --> 00:58:40,600
So we don't push our,
we don't onboard or fully

1121
00:58:40,600 --> 00:58:45,400
onboard and say we're done until
we get those attributes put into

1122
00:58:45,400 --> 00:58:48,600
place. 
So that's probably how we combat

1123
00:58:48,600 --> 00:58:53,300
it the most.
And then for changes again, it's

1124
00:58:53,300 --> 00:58:55,700
just that constant communication
always have the seat at the 

1125
00:58:55,700 --> 00:58:58,400
table. 
Um, you know, we always have

1126
00:58:58,400 --> 00:59:01,400
somebody, say, from architecture
for IAM at the table.

1127
00:59:01,400 --> 00:59:05,400
Then, you know, they about those
potential attribute changes.

1128
00:59:05,700 --> 00:59:09,100
The project's paused until we can
all get into agreement on how 

1129
00:59:09,100 --> 00:59:13,600
that's going to affect all the 
downstream systems. To Roshan's

1130
00:59:13,600 --> 00:59:15,900
point. 
Like, I think sometimes, you 

1131
00:59:15,900 --> 00:59:18,700
know, um, hopefully it'll never
be a major disaster that 

1132
00:59:18,700 --> 00:59:21,600
happens, but sometimes it takes 
having one of those attribute 

1133
00:59:21,600 --> 00:59:25,500
changes for the business to
see how involved and complex

1134
00:59:25,500 --> 00:59:28,100
your IAM system is and all the
downstream effects. 

1135
00:59:28,300 --> 00:59:30,900
So that going forward, 
everybody's almost in a nervous 

1136
00:59:30,900 --> 00:59:32,600
State be like, we don't want to 
break anything. 

1137
00:59:32,600 --> 00:59:35,000
What do we need to do
and get everybody involved.

1138
00:59:36,200 --> 00:59:37,700
Prince,
I would imagine with the

1139
00:59:37,700 --> 00:59:40,600
complexity that comes into you 
know, the size of an 

1140
00:59:40,607 --> 00:59:44,100
organization like yours. 
And there's got to have been broken

1141
00:59:44,100 --> 00:59:47,100
roles or things. 
Just not working the way they're

1142
00:59:47,100 --> 00:59:49,700
supposed to. 
How do you tackle that sort of 

1143
00:59:49,707 --> 00:59:51,000
things? 
Maybe we can kind of crowd 

1144
00:59:51,000 --> 00:59:54,300
source some information here
that Chris can take back to help

1145
00:59:54,300 --> 00:59:56,300
you. 
And I think everyone is kind of 

1146
00:59:57,200 --> 00:59:59,200
hit it on the head. 
I would just add one other 

1147
00:59:59,200 --> 01:00:01,100
thing. 
So we talked about this concept 

1148
01:00:01,100 --> 01:00:07,500
of change management, right? 
But one idea is to have identity

1149
01:00:07,500 --> 01:00:09,800
as an approver to certain 
changes, right? 

1150
01:00:09,800 --> 01:00:13,100
So when they, if they are mature
enough to go through a change 

1151
01:00:13,100 --> 01:00:15,300
management process, then at
least

1152
01:00:15,300 --> 01:00:18,000
now it's not just a passive, hey,
we told you about it, right? 

1153
01:00:18,000 --> 01:00:20,000
You have to actually approve of 
that change. 

1154
01:00:20,300 --> 01:00:23,800
The other thing is having a near
production type of test 

1155
01:00:23,800 --> 01:00:25,600
environment. 
So if you're making any material

1156
01:00:25,600 --> 01:00:29,700
changes to the process, now you 
have these test plans where you 

1157
01:00:29,700 --> 01:00:32,300
run them through their paces and you should be seeing that in
and you should be seeing that in

1158
01:00:32,300 --> 01:00:34,500
result. 
So if you change the world Etc 

1159
01:00:34,600 --> 01:00:37,000
now we don't have that 
configured in our system, the end

1160
01:00:37,000 --> 01:00:39,100
result is that person's not going
to get that access. 

1161
01:00:39,100 --> 01:00:41,400
It would have failed there where
you could catch it. 

1162
01:00:41,400 --> 01:00:44,100
The other thing is you know even
if something is working well 

1163
01:00:44,100 --> 01:00:47,400
that could be integrations,
changes, et cetera, it's

1164
01:00:47,400 --> 01:00:50,200
important to have KPIs.
Those KPIs allow you to

1165
01:00:50,200 --> 01:00:53,800
continuously monitor the 
effectiveness of your program, 

1166
01:00:53,800 --> 01:00:55,600
right? 
So that when something does 

1167
01:00:55,600 --> 01:00:59,000
materially change, you can pick it
up and maybe try to work and 

1168
01:00:59,000 --> 01:01:01,500
mobilize. 
So solve it on the onslaught 

1169
01:01:01,500 --> 01:01:04,600
instead of like you know having 
this big old what's happening 

1170
01:01:04,600 --> 01:01:05,900
here. 
You want to know it first. 

1171
01:01:06,100 --> 01:01:07,800
Be the first to acknowledge
and address it. 

1172
01:01:07,800 --> 01:01:10,200
So I think if you kind of 
incorporate some of those 

1173
01:01:10,200 --> 01:01:12,200
strategies there it will make it
a little bit better. 

1174
01:01:12,300 --> 01:01:15,900
Obviously you're not going to be
able to compensate for every 

1175
01:01:15,900 --> 01:01:18,700
single scenario out there but 
those are some big rocks that I 

1176
01:01:18,707 --> 01:01:23,700
think will help companies kind 
of manage that I guess the 

1177
01:01:23,700 --> 01:01:28,000
prevention of a bad day hika, if
something like that happened. 

1178
01:01:28,000 --> 01:01:30,200
This. 
Yeah, you mentioned KPIs.

1179
01:01:30,200 --> 01:01:32,800
It's almost like you're 
establishing sort of indicators 

1180
01:01:32,800 --> 01:01:35,000
of compromise to your identity 
platform, right? 

1181
01:01:35,000 --> 01:01:36,900
Something's not working. 
Seeing the way that it should 

1182
01:01:36,900 --> 01:01:39,900
be. 
And, you know, the goal is to 

1183
01:01:39,908 --> 01:01:43,200
catch it before. 
It becomes a problem, you know, 

1184
01:01:43,200 --> 01:01:45,600
when you've got a massive switch
with, you know, with or 

1185
01:01:45,600 --> 01:01:48,600
authoritative sources that 
definitely screams change 

1186
01:01:48,600 --> 01:01:51,300
management and identity seat at the
table all the way. Beth,

1187
01:01:51,300 --> 01:01:53,500
I'm going to put you on the spot
here, because I'm going to put 

1188
01:01:53,500 --> 01:01:55,000
you in the same scenario as 
Chris. 

1189
01:01:55,000 --> 01:01:58,900
Maybe we can help him out. 
Your authoritative source has

1190
01:01:58,900 --> 01:02:01,600
changed overnight and you were 
not involved. 

1191
01:02:02,000 --> 01:02:05,700
What is your Monday morning 
going to look like and how are 

1192
01:02:05,700 --> 01:02:08,200
you going to start to plot a
path to recovery here. 

1193
01:02:09,200 --> 01:02:11,900
Yeah, I know definitely, one of 
those things is. 

1194
01:02:11,900 --> 01:02:13,800
You hope you have some triggers 
in place. 

1195
01:02:13,800 --> 01:02:15,800
You know, that would give you 
some alerts ahead and Tom and me

1196
01:02:15,800 --> 01:02:18,400
and wipers and saying, you know,
you try to make sure you, you 

1197
01:02:18,400 --> 01:02:21,900
know, what's happening, one of 
our big triggers would be one of

1198
01:02:21,900 --> 01:02:25,600
my biggest fears is from our HR 
System people that are active or

1199
01:02:25,600 --> 01:02:27,700
not active, right? 
That's going to turn everybody 

1200
01:02:27,700 --> 01:02:30,200
on or off from a birthright
perspective. 

1201
01:02:30,400 --> 01:02:32,600
And we do have reports and 
things that are going out there 

1202
01:02:32,600 --> 01:02:37,300
monitoring for that flag and we 
haven't caused from the 

1203
01:02:37,300 --> 01:02:42,300
integration and Between the any 
noted change for the source, and

1204
01:02:42,300 --> 01:02:43,900
then coming into our 
environment. 

1205
01:02:44,000 --> 01:02:47,300
So, if a couple of our big 
triggers more get modified, we 

1206
01:02:47,300 --> 01:02:50,200
have a notification string 
that's in place to let us know 

1207
01:02:50,200 --> 01:02:53,400
that prior to being posted. 
Now, of course it's a window but

1208
01:02:53,400 --> 01:02:55,600
if you know, if you don't catch 
it, you're cut it out. 

1209
01:02:56,000 --> 01:02:58,200
Yeah. 
I think an immediate murder 

1210
01:02:58,200 --> 01:03:01,100
would probably be called major 
incident response and I'm sure I

1211
01:03:01,107 --> 01:03:03,200
would be head of the table. 
And then like you said, back 

1212
01:03:03,200 --> 01:03:07,900
tracking, the changes that came 
in to see what might have caused

1213
01:03:07,900 --> 01:03:08,400
it. 
That's it. 

1214
01:03:08,600 --> 01:03:11,200
That would be our approach too.
Proactive is definitely better

1215
01:03:11,400 --> 01:03:14,000
than reactive. 
It sounds to me. 

1216
01:03:14,000 --> 01:03:16,400
Like you've got like this 
identity bat signal that like 

1217
01:03:16,400 --> 01:03:19,300
shoots into the sky, it's like, 
oh my God, fucking this happen. 

1218
01:03:19,500 --> 01:03:22,300
We need somebody come and help 
us. Jim, you want to help

1219
01:03:22,300 --> 01:03:25,000
Roshan out with the question he 
had and it's really around that 

1220
01:03:25,000 --> 01:03:27,900
missing data from an
authoritative source

1221
01:03:27,900 --> 01:03:29,500
perspective. 
So let's say you've got a Workday

1222
01:03:29,500 --> 01:03:31,100
or an ADP or something like
that. 

1223
01:03:31,400 --> 01:03:36,100
And there isn't enough data in 
there to be able to drive 

1224
01:03:36,100 --> 01:03:38,400
downstream things that you want
to have happen. 

1225
01:03:38,700 --> 01:03:40,700
And really, we're probably 
talking more about like 

1226
01:03:40,700 --> 01:03:42,800
attribute based access control, 
which I do want to leave some 

1227
01:03:42,800 --> 01:03:44,500
time, and I know we're getting a
little short on time here, so 

1228
01:03:44,500 --> 01:03:47,800
we're gonna go that next. 
But what are some methods that 

1229
01:03:47,800 --> 01:03:49,400
people might want to think 
about? 

1230
01:03:49,400 --> 01:03:53,000
If there isn't enough data in 
your HR platform? 

1231
01:03:53,700 --> 01:03:57,100
Where else could I put data that
might potentially drive some

1232
01:03:57,100 --> 01:04:00,100
role based decisions or 
attribute based decisions for 

1233
01:04:00,100 --> 01:04:02,900
access?
Yeah, architecturally speaking 

1234
01:04:02,900 --> 01:04:07,500
you could you have two options. 
I think one would be to build 

1235
01:04:07,500 --> 01:04:09,800
error handling to your
connector. 

1236
01:04:10,500 --> 01:04:13,800
The other is to build some kind 
of layer of abstraction. 

1237
01:04:13,800 --> 01:04:17,500
So it would be like you said, 
maybe dump the, like, the data

1238
01:04:17,500 --> 01:04:22,700
into a database or an LDAP or
something like that to, you 

1239
01:04:22,700 --> 01:04:24,900
know, kind of buffer, the data 
quality. 

1240
01:04:25,600 --> 01:04:30,000
Those are from, you know, that 
that I think is that technical 

1241
01:04:30,300 --> 01:04:35,400
answer to it. 
You know, there's something that

1242
01:04:35,400 --> 01:04:38,400
I wanted to kind of back, I
keep doing this,

1243
01:04:38,500 --> 01:04:41,400
backtrack to like an earlier
conversation because I was 

1244
01:04:41,700 --> 01:04:43,500
bringing up a lot of things 
like. 

1245
01:04:43,500 --> 01:04:47,500
Okay, if you have this process, 
you've got an IAM architect on

1246
01:04:47,500 --> 01:04:50,500
the, you know, each of the 
projects and they're reviewing 

1247
01:04:50,900 --> 01:04:53,700
and you're, you might be sitting
there thinking like, oh, 

1248
01:04:53,700 --> 01:04:55,300
wouldn't it be nice to have all 
those people? 

1249
01:04:55,300 --> 01:05:01,200
Like, that's just not reality, Jim.
And also, I think it was

1250
01:05:01,200 --> 01:05:04,400
Ashley made the statement,
like, sometimes it takes a

1251
01:05:04,408 --> 01:05:06,400
disaster. 
Well, sometimes it does. 

1252
01:05:06,400 --> 01:05:10,400
But you know, this is where, as
IAM practitioners, as leaders in

1253
01:05:10,400 --> 01:05:14,100
the space, we've got to be 
telling our organization, look,

1254
01:05:14,100 --> 01:05:19,200
IAM is middleware. IAM is
like other areas of IT and needs

1255
01:05:19,200 --> 01:05:24,400
to be treated with the same 
levels of discipline like 

1256
01:05:24,400 --> 01:05:27,900
project management like change 
management like having a 

1257
01:05:27,900 --> 01:05:31,900
governance body. 
You know it's got to be treated 

1258
01:05:31,900 --> 01:05:36,500
very seriously because if not 
things can break down very 

1259
01:05:36,500 --> 01:05:38,200
quickly, we can have that 
disaster. 

1260
01:05:38,200 --> 01:05:41,600
We don't want it to come to that
disaster, but it's very apparent

1261
01:05:41,600 --> 01:05:45,000
when it does happen. 
Yeah, you mentioned early on 

1262
01:05:45,000 --> 01:05:47,200
their side of the, the 
alternative. 

1263
01:05:47,900 --> 01:05:50,200
I was thinking, you know, like a
meta or virtual directory, which

1264
01:05:50,200 --> 01:05:52,000
is what Craig Reno wrote in as 
well. 

1265
01:05:52,300 --> 01:05:55,300
Meta, virtual directories and
health checks that he calls 

1266
01:05:55,300 --> 01:05:57,500
circuit breakers, right? 
These are all the technical 

1267
01:05:57,500 --> 01:06:00,300
controls that can be put in place to
sort of prevent a disaster. 

1268
01:06:01,100 --> 01:06:05,300
But they are still preventive as
much as you can, does not 

1269
01:06:05,300 --> 01:06:07,900
replace the people and the 
process in front of it. 

1270
01:06:08,500 --> 01:06:10,600
To be able to try to head off. 
Some of the system's good 

1271
01:06:10,600 --> 01:06:15,100
communications, make friends
with the key links with your 

1272
01:06:15,100 --> 01:06:20,300
identity program, HR, audit, IT,
you know, if there's 

1273
01:06:20,300 --> 01:06:23,800
representatives for the 
business, Mitch brought up an 

1274
01:06:23,800 --> 01:06:26,200
interesting point
here which is absolutely true is

1275
01:06:26,200 --> 01:06:28,000
that RBAC doesn't work for
everybody. 

1276
01:06:28,000 --> 01:06:30,700
And this is kind of where I want
to take the conversation next 

1277
01:06:30,700 --> 01:06:34,700
because RBAC isn't the only
way to do access control. 

1278
01:06:34,800 --> 01:06:37,600
There's also ABAC, attribute-
based access control.

1279
01:06:37,900 --> 01:06:39,800
There's PBAC,
policy-based access

1280
01:06:39,800 --> 01:06:42,200
control, which you could argue 
maybe are sort of the same 

1281
01:06:42,200 --> 01:06:45,300
thing. 
And in the case of Life 

1282
01:06:45,300 --> 01:06:48,400
Sciences, which is the, the, the
example, he's using, is they 

1283
01:06:48,400 --> 01:06:51,900
follow more of an entitlement 
based access control, which is a

1284
01:06:51,908 --> 01:06:54,800
single entitlement
associated with a single role,

1285
01:06:55,100 --> 01:06:58,300
which sounds like there might be
a lot of roles and really gives

1286
01:06:58,300 --> 01:07:00,800
them granularity to be able to 
take an attribute based 

1287
01:07:00,800 --> 01:07:03,600
approach. 
And I'd like to understand, you 

1288
01:07:03,607 --> 01:07:07,100
know, I'll start with you Beth. 
What's next from a role 

1289
01:07:07,100 --> 01:07:08,100
perspective, right? 
We've got. 

1290
01:07:08,100 --> 01:07:11,000
we've been talking about RBAC,
but there are perfectly

1291
01:07:11,000 --> 01:07:14,000
valuable other methods like
ABAC and PBAC

1292
01:07:14,000 --> 01:07:16,800
that could be used. Are those
things that you've you're 

1293
01:07:16,800 --> 01:07:18,600
currently exploring or looking 
at? 

1294
01:07:18,600 --> 01:07:22,000
Or where do those types of 
things fall from your strategy 

1295
01:07:22,000 --> 01:07:23,200
when it comes to managing 
access? 

1296
01:07:24,000 --> 01:07:26,500
Yeah, I mean, attribute-based is
definitely, you know, we have 

1297
01:07:26,500 --> 01:07:29,300
some Birthright things which are
based on people's attributes way

1298
01:07:29,300 --> 01:07:32,700
that we're doing it, and
layer roles, layering.

1299
01:07:33,100 --> 01:07:35,400
We don't try to build everything
into one role. 

1300
01:07:35,400 --> 01:07:38,100
We are actually trying to do a 
layering effect so that if 

1301
01:07:38,100 --> 01:07:40,600
someone moves from one job to
the other and different 

1302
01:07:40,600 --> 01:07:44,100
applications react differently. 
So and if I had everything 

1303
01:07:44,100 --> 01:07:47,800
bundled into one role for your 
job and you moved to another 

1304
01:07:47,800 --> 01:07:50,800
job, you might have to unenroll
people from a current 

1305
01:07:50,800 --> 01:07:53,100
application that they will still
use in the next job. 

1306
01:07:53,100 --> 01:07:54,700
And we don't want to have to 
re-enroll them and have them 

1307
01:07:54,700 --> 01:07:57,000
start over. 
So depends on how different 

1308
01:07:57,000 --> 01:08:00,700
applications handle the
enrollment and re-enrollment.

1309
01:08:01,200 --> 01:08:04,400
So we've taken a layering effect
where it's all associates and

1310
01:08:04,400 --> 01:08:07,500
then by region and then by 
location and then by department.

1311
01:08:07,500 --> 01:08:09,300
So as people move through the
company. 

1312
01:08:09,300 --> 01:08:12,300
We can pick and choose those 
layers and reapply their access 

1313
01:08:12,500 --> 01:08:14,900
and that is definitely all based
on their attributes. 

1314
01:08:16,600 --> 01:08:20,300
Prince, when you think about the
strategy of roles, I want you to

1315
01:08:20,300 --> 01:08:23,700
put on your 2023 prediction here
since we were at the end of the 

1316
01:08:23,700 --> 01:08:26,500
year. 
How do you see roles evolving a 

1317
01:08:26,500 --> 01:08:28,399
train? 
Is it still going to be 

1318
01:08:28,399 --> 01:08:30,800
something RBAC?
Have you started down maybe the 

1319
01:08:30,800 --> 01:08:33,600
path of ABAC or PBAC or some
other methodologies for access

1320
01:08:33,600 --> 01:08:34,700
control.
Where do you think things are 

1321
01:08:34,700 --> 01:08:38,100
heading in the future? 
Yeah, and I think, you know, 

1322
01:08:38,200 --> 01:08:41,000
when I, when I think about, 
because we just got through this

1323
01:08:41,000 --> 01:08:43,300
strategy discussion where they 
say, you know, where are we going

1324
01:08:43,300 --> 01:08:45,500
to be doing? 
And one of the things I always 

1325
01:08:45,500 --> 01:08:47,300
say is and it's a, it's a, it's 
an answer. 

1326
01:08:47,300 --> 01:08:49,899
No one wants to hear, but it's,
it depends. 

1327
01:08:49,899 --> 01:08:52,100
Right. 
And that's because we're 

1328
01:08:52,100 --> 01:08:54,899
supposed to say that. 
Yeah, it depicts henna and 

1329
01:08:54,899 --> 01:08:57,399
they're the reason the reason 
that is and I say it depends is 

1330
01:08:57,399 --> 01:08:59,700
because it really depends on 
what you're trying to 

1331
01:08:59,700 --> 01:09:02,399
accomplish. 
What the company's tolerance in 

1332
01:09:02,399 --> 01:09:06,100
maturity is at that time, they 
care and fee need, right? 

1333
01:09:06,300 --> 01:09:10,399
So, if you are thinking of these
big Grand ideas, and you don't 

1334
01:09:10,399 --> 01:09:13,200
have the right support apparatus
is in place, it's not going to 

1335
01:09:13,200 --> 01:09:15,300
be it's not going to be 
functional, right? 

1336
01:09:15,300 --> 01:09:20,000
If you have all this roles for 
all where you don't have the 

1337
01:09:20,000 --> 01:09:23,500
right, people to go and update 
them, Etc, understand what they 

1338
01:09:23,500 --> 01:09:25,200
are going to run into audit 
issue. 

1339
01:09:25,200 --> 01:09:29,200
So I think finding the right 
approach to the right situation 

1340
01:09:29,200 --> 01:09:32,300
is really should be the strategy
and not try to boil the ocean 

1341
01:09:32,300 --> 01:09:35,700
and put one solution to fit all 
because our business is not a 

1342
01:09:35,700 --> 01:09:38,200
one-size-fits-all If it all, we 
apply different models and 

1343
01:09:38,200 --> 01:09:39,500
different things to different 
strategies. 

1344
01:09:39,500 --> 01:09:42,500
And so, if that's why you say 
it, kind of depends, but I think

1345
01:09:42,500 --> 01:09:45,700
the evolution would be taking
advantage of these new tools 

1346
01:09:45,700 --> 01:09:49,200
that are giving us insights 
et cetera, about how people are

1347
01:09:49,200 --> 01:09:52,700
using our tools where we have 
roles that people have, but 

1348
01:09:52,700 --> 01:09:55,600
they're not using, they're not
logging into Quan that back, 

1349
01:09:55,600 --> 01:09:58,300
making sure that we are using 
that kind of a defense in-depth 

1350
01:09:58,300 --> 01:10:00,800
approach to kind of find the 
right people for the right 

1351
01:10:00,800 --> 01:10:03,900
situation. 
So I'm a big old Marvel nerd.

1352
01:10:03,900 --> 01:10:06,200
So I'm going to pull out
Hawkeye as my example, right? He's

1353
01:10:06,200 --> 01:10:09,000
got the, the bow and arrow.
He's got a quiver with a whole 

1354
01:10:09,000 --> 01:10:11,000
bunch of different arrows. 
If you all kinds of weird stuff 

1355
01:10:11,000 --> 01:10:12,800
and maybe Batman's the same 
analogy, right? 

1356
01:10:12,800 --> 01:10:16,400
He's got the bat, the Bat-RBAC
and the Bat-ABAC and

1357
01:10:16,400 --> 01:10:20,700
whatever it may be. 
You do not have to follow one 

1358
01:10:20,700 --> 01:10:23,600
methodology, right? 
It's not like you're subscribing

1359
01:10:23,600 --> 01:10:26,300
to, this is how we're going to 
be doing it and everyone must 

1360
01:10:26,300 --> 01:10:28,500
conform to this. 
This is not the Borg, right? 

1361
01:10:28,500 --> 01:10:30,300
We're not going to assimilate in
this scenario. 

1362
01:10:30,500 --> 01:10:33,000
What we want to do is try to 
come up with the right approach.

1363
01:10:33,000 --> 01:10:35,300
And it may be very similar to 
like what Mitch has done with 

1364
01:10:35,300 --> 01:10:37,500
his organization. 
Sounds like where they've gone 

1365
01:10:37,500 --> 01:10:41,000
down this entitlement route and 
it's very granular but if it 

1366
01:10:41,000 --> 01:10:44,000
works, it works right. 
You don't necessarily need to do

1367
01:10:44,000 --> 01:10:46,800
to get super crazy with it. 
So I think that's something you 

1368
01:10:46,808 --> 01:10:50,800
kind of think about Ashley. 
Let's put on your prognosticator

1369
01:10:50,800 --> 01:10:53,400
hat here.
How do you feel about some of 

1370
01:10:53,400 --> 01:10:56,700
the other alternatives when it
comes to RBAC versus ABAC,

1371
01:10:56,700 --> 01:10:58,500
PBAC?
And any other BACs that might

1372
01:10:58,500 --> 01:11:01,200
be out there? 
I think everybody said it. 

1373
01:11:01,200 --> 01:11:04,600
Well, I think the alternatives
are great, but it really depends

1374
01:11:04,600 --> 01:11:07,400
on, you know, the situation at 
your organization. 

1375
01:11:07,400 --> 01:11:12,000
So, at least how I approach, you
know, the future of RBAC and

1376
01:11:12,000 --> 01:11:14,300
ABAC and PBAC and where we
should use it. 

1377
01:11:14,300 --> 01:11:17,400
When is actually listen to the 
strategies of the organization, 

1378
01:11:17,400 --> 01:11:20,800
as a whole and what they're 
focused on and try to get your 

1379
01:11:20,800 --> 01:11:23,600
head in the game on where you 
know they're headed from an IAM

1380
01:11:23,600 --> 01:11:26,900
or roles perspective and then
you take that use case and you 

1381
01:11:26,900 --> 01:11:29,400
see does it fit in our 
traditional RBAC model?

1382
01:11:29,400 --> 01:11:32,200
Do we need to mold and shape it 
into an ABAC model?

1383
01:11:32,300 --> 01:11:35,100
What does that actually look like?
And so we're not just trying to 

1384
01:11:35,100 --> 01:11:38,800
come up with something out of 
thin air, we're actually using 

1385
01:11:38,800 --> 01:11:41,500
it for the specific use case of
the company that they need at

1386
01:11:41,500 --> 01:11:44,500
that point in time. 
Jim, you and I spent an awful lot

1387
01:11:44,500 --> 01:11:47,300
of time talking with you know 
vendors in this space other 

1388
01:11:47,300 --> 01:11:48,400
companies. 
Etc. 

1389
01:11:48,700 --> 01:11:52,300
What's the future of RBAC in
a quick sound bite because I 

1390
01:11:52,300 --> 01:11:53,700
want to get to our closing out 
here. 

1391
01:11:53,900 --> 01:11:57,900
Yeah, my prognostication is RBAC
will be just as good a

1392
01:11:57,900 --> 01:12:02,500
conversation next December as
it is right now. ABAC and PBAC

1393
01:12:02,500 --> 01:12:04,800
are basically the same

1394
01:12:04,800 --> 01:12:11,200
thing there they use that they 
get applied at the time of 

1395
01:12:11,300 --> 01:12:15,700
authentication, authorization. 
So I've got these attributes 

1396
01:12:15,700 --> 01:12:20,100
about me when I go to Kasi to 
access the application rather 

1397
01:12:20,100 --> 01:12:22,300
than it looking in the database 
of roles. 

1398
01:12:22,600 --> 01:12:24,400
It just says you have these 
attributes. 

1399
01:12:24,400 --> 01:12:28,000
I'm going to give you this 
access. A much more data-driven

1400
01:12:28,000 --> 01:12:30,000
approach, which I think is 
ideally where a lot of 

1401
01:12:30,000 --> 01:12:32,700
organizations like to be. Do
they have the data to make it

1402
01:12:32,700 --> 01:12:34,700
successful? 
That is always the tricky 

1403
01:12:34,700 --> 01:12:36,600
question, right? 
I think there's varying levels 

1404
01:12:36,600 --> 01:12:39,400
of success that you can probably
get to. All right.

1405
01:12:39,400 --> 01:12:41,500
Now we're coming up on time here
and one of the things that we 

1406
01:12:41,500 --> 01:12:45,800
like to do on our podcast,
identityatthecenter.com, is to

1407
01:12:45,800 --> 01:12:48,500
really end on a lighter note. 
And so we were kind of thinking 

1408
01:12:48,500 --> 01:12:50,600
about this, you know, what's the
one of the questions want to do 

1409
01:12:50,600 --> 01:12:52,300
this is something that's not 
identity related. 

1410
01:12:52,300 --> 01:12:54,000
Just to kind of have fun towards
the end. 

1411
01:12:54,300 --> 01:12:57,600
I'm going to pass it around the 
room real quick Prince. 

1412
01:12:57,600 --> 01:13:01,000
What is the best or worst meal 
you have ever had? 

1413
01:13:02,300 --> 01:13:06,500
It just happened recently, I 
bought an Instant Pot and I put

1414
01:13:06,500 --> 01:13:09,900
chicken in there and it tastes
like boiled.

1415
01:13:10,000 --> 01:13:13,600
I don't know what it was, but I 
think for the chicken mark Cut, 

1416
01:13:13,600 --> 01:13:17,400
that should be in the air fryer
and not the Instant by instant 

1417
01:13:17,400 --> 01:13:19,500
pot. 
Chicken is amazing. 

1418
01:13:19,500 --> 01:13:23,800
So welcome to the club. 
Ashley, what about yourself? 

1419
01:13:23,800 --> 01:13:26,600
What's the best or worst meal 
you've ever had sugar? 

1420
01:13:26,600 --> 01:13:28,900
And I think mine comes just from
a shock. 

1421
01:13:28,900 --> 01:13:31,800
So mine was actually when I took
a trip to Germany. 

1422
01:13:31,800 --> 01:13:35,700
I just landed just wanted a 
drink, you know, was like, I'm 

1423
01:13:35,700 --> 01:13:37,800
tired. 
Let's like get a drink. 

1424
01:13:37,800 --> 01:13:40,200
Let's relax. 
And so I had somebody ordered 

1425
01:13:40,200 --> 01:13:43,100
for me and then I come back and 
I taste it and I'm like, that's 

1426
01:13:43,200 --> 01:13:44,700
It's not a beer. 
What is that? 

1427
01:13:44,700 --> 01:13:49,000
And it was banana flavored beer 
that you can imagine it exists. 

1428
01:13:49,700 --> 01:13:52,700
And so you know on first 
reaction was like oh this is the

1429
01:13:52,700 --> 01:13:55,500
worst thing I've ever tasted and
you get into any like actually, 

1430
01:13:55,500 --> 01:13:57,600
this is pretty good but it's 
very functional. 

1431
01:13:57,600 --> 01:14:00,500
Like it's not what you expected,
but Anna's love those flavors 

1432
01:14:00,500 --> 01:14:03,100
that you need to be expecting. 
Otherwise it's like whoa, which 

1433
01:14:03,100 --> 01:14:04,700
is hit me. 
Exactly! 

1434
01:14:05,800 --> 01:14:07,500
That's what's the best meal or 
what? 

1435
01:14:07,500 --> 01:14:10,000
Worst meal you've ever had. 
Yeah, the worst villains ever 

1436
01:14:10,000 --> 01:14:13,100
had was the one that I made so I
can blame nobody but myself. 

1437
01:14:13,300 --> 01:14:16,100
But I have learned the hard way 
that you do not ever put 

1438
01:14:16,100 --> 01:14:18,700
broccoli in a Crock-Pot. 
Just it's a hard. 

1439
01:14:18,700 --> 01:14:20,900
No, don't ever do it. 
Don't ever do to anybody that 

1440
01:14:20,900 --> 01:14:23,400
you love and your family. 
If you have that relative that 

1441
01:14:23,400 --> 01:14:24,800
you may want to do something fun
for. 

1442
01:14:24,800 --> 01:14:26,400
Yeah, go ahead and do that, but 
it does. 

1443
01:14:26,500 --> 01:14:29,100
That was the worst of me like 
that might be the most valuable 

1444
01:14:29,100 --> 01:14:30,300
piece of information has come 
out of them. 

1445
01:14:30,300 --> 01:14:34,600
Some Tire hours, don't put 
broccoli in a Crock-Pot, Jim 

1446
01:14:34,600 --> 01:14:37,400
best or worst meal. 
You'd had my seal your answer. 

1447
01:14:37,400 --> 01:14:39,900
Jeff, that steak that we had in
Vegas. 

1448
01:14:40,100 --> 01:14:43,900
That Wagyu steak. 
It's like a hundred, over $100, 

1449
01:14:43,900 --> 01:14:46,900
for a piece of meat with no 
sides singing. 

1450
01:14:46,900 --> 01:14:49,200
This is the biggest rip off 
until I ate it. 

1451
01:14:49,800 --> 01:14:51,900
Is there anything better than a 
really nice dinner that you're 

1452
01:14:51,900 --> 01:14:53,900
not paying for? 
I mean, but that's pretty, 

1453
01:14:53,900 --> 01:14:56,000
that's pretty good. 
There's the kind of jittery as a

1454
01:14:56,000 --> 01:14:57,400
mortgage, your house for us. 
Yeah. 

1455
01:14:57,400 --> 01:14:59,000
No kidding. 
Speaking of, where's your house?

1456
01:14:59,000 --> 01:15:00,600
I think my best meal was French 
Laundry. 

1457
01:15:00,600 --> 01:15:04,400
It was sort of a bucket-list 
item for us and my wife and I 

1458
01:15:04,400 --> 01:15:07,100
were finally able to take her 
parents there so that was pretty

1459
01:15:07,100 --> 01:15:09,300
good. 
My worst is about us was pizza 

1460
01:15:09,300 --> 01:15:13,000
that I had in Paris which was 
completely awful would not. 

1461
01:15:13,200 --> 01:15:15,500
Man's. 
All right, we got two minutes. 

1462
01:15:15,500 --> 01:15:17,700
I got one more bonus question 
and I want to see you know from 

1463
01:15:17,700 --> 01:15:19,500
the folks who have stuck with us
the end. 

1464
01:15:19,700 --> 01:15:23,400
I want to take a quick poll: how
many people think Die Hard 

1465
01:15:23,400 --> 01:15:26,500
is a Christmas movie? 
Raise your hand if you think 

1466
01:15:26,500 --> 01:15:27,900
Die 
Hard is a Christmas movie. 

1467
01:15:27,900 --> 01:15:30,500
I see Beth's got her hand up. 
We're seeing the sea, okay. 

1468
01:15:30,500 --> 01:15:33,800
Yes now we're seeing hands all 
over the board over here this 

1469
01:15:33,800 --> 01:15:38,200
might solve maybe some of the 
conversations you might be 

1470
01:15:38,200 --> 01:15:40,500
having with your family around 
this time of year. 

1471
01:15:40,500 --> 01:15:41,500
You know what's the Christmas 
movie? 

1472
01:15:41,500 --> 01:15:43,100
You're going to watch. 
You can throw Die 

1473
01:15:43,200 --> 01:15:45,300
Hard out there because it 
absolutely, in my mind is a 

1474
01:15:45,300 --> 01:15:48,000
Christmas movie. 
So yeah, with that, we're going 

1475
01:15:48,000 --> 01:15:49,300
to ahead and kind of close 
things out. 

1476
01:15:49,300 --> 01:15:52,400
I'll pass over here to Tom. 
Thank you again for inviting us 

1477
01:15:52,400 --> 01:15:55,300
and thank you to Beth Prince and
Ashley for joining us. 

1478
01:15:56,000 --> 01:15:59,100
You've been listening to 
Identity at the center. 

1479
01:15:59,400 --> 01:16:03,500
We hope you've enjoyed the show,
make sure to like, rate, and 

1480
01:16:03,500 --> 01:16:07,100
review and we'll be back soon, 
but in the meantime, hit the 

1481
01:16:07,100 --> 01:16:11,500
website at 
identityatthecenter.com and find us on 

1482
01:16:11,500 --> 01:16:16,900
Twitter at Ivy. 
Casey podcast, see you next time

1483
01:16:17,100 --> 01:16:19,700
on identity at the center.
