401 Access Denied Podcast Ep. 114 | The Rise and Future of Identity with Ian Glazer
Episode 114 • 4th September 2024 • 401 Access Denied • Delinea

Shownotes

Join Joseph Carson and digital identity expert Ian Glazer as they dive into the complex world of identity management. Discover the evolving tech expectations, the rise of non-human identities, and why visibility and automation are crucial for incident response. They’ll explore the future of identity management, including AI’s role in detection and policy enforcement. Tune in to understand the shift towards dynamic access, the limitations of role-based access, and how event time data can enhance control models. Don’t miss this deep dive into achieving zero-standing privilege and the future of identity and access management!

Connect with Delinea:

Delinea Website: https://delinea.com/

Delinea LinkedIn: https://www.linkedin.com/company/delinea/

Delinea X: https://x.com/delineainc

Delinea Facebook: https://www.facebook.com/delineainc

Delinea YouTube: https://www.youtube.com/c/delinea

Transcripts

Joseph Carson:

Hello everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm the host of the show, Joe Carson, and I'm always really excited to bring amazing guests onto the show to share their experiences and knowledge in order to help you with your strategies and best practices, and also to learn something new and get new ideas to help you in your business organizations, even in your personal life. Welcome to the show today. I've got the most amazing person, and this person, I'm always learning from every time I speak to. I always come back a smarter person, I hope. Welcome to the show, Ian. Ian, tell us a bit about yourself, background and what you do.

Ian Glazer:

Sure. Well, thanks for having me. It's a blast. I've been looking forward to this, and I know we've had to reschedule a couple of times, so I'm stoked that I get to do it today. I'm Ian Glazer. Right now I'm president of Weave Identity, which is just me and my advisory business, but prior to that I was running product management for Salesforce's Identity products and services in the platform division. Before that, I was running Gartner's research for privacy and identity by way of the Burton Group acquisition. Along the way, I created IDPro, the Professional Association for Digital Identity Management, and the Digital Identity Advancement Foundation, which is a nonprofit focused on removing financial barriers to participation in our industry, and I do some other things on the side, but that's the gist of it.

Joseph Carson:

Fantastic. You've been in this space a long time. I think most of your career has been identity, hasn't it?

Ian Glazer:

Yes, so the way to say it is I've been in it most of my career. My career is an unknown length, but yeah, I've been doing it for a while, and I've played almost every position I think you can around a product. I started as a sales engineer and moved into some consulting, but also field marketing, a little bit of support, a light amount of development. Then moved into product management, was an analyst, moved back into product management. Yeah, so I've done a lot of different roles around technology, primarily from the technology provider side. And sort of my time as an analyst really gave me a window into the life of a practitioner, the problems of a practitioner from the enterprise perspective, and that one's been incredibly educating.

Joseph Carson:

You're learning about it from many different sources about what challenges they want to solve and some of the ideas and thoughts are around it. You do have a very well-rounded kind of knowledge, and that comes through. When you're speaking at events and sharing your experience, all of that breadth of knowledge definitely shines through.

Ian Glazer:

Oh, thank you.

Joseph Carson:

It's always enlightening to hear the different kind of ideas and backgrounds that you've experienced.

Ian Glazer:

Well, the thing that I've learned is that in identity technology, no matter whose it is, causes people problems. Now it's meant to solve some of those problems, for sure, but it also causes them. And so having the empathy to understand, hey, this is going to ameliorate this pain, but it does mean that someone has to shovel coal into the boiler to make it work. How do we make that task easier and better and safer? And so getting that perspective has always helped because then I always tell my product management teams, your job is to squeeze empathy into ones and zeros. Just remember, if someone is seeing this admin interface, they are likely having a crappy day, and how do we make that simpler for them? How do we take burden off of them and achieve the outcome, whatever those things are?

Joseph Carson:

How do we make their life better?

Ian Glazer:

Right, exactly. As opposed to being like, "Oh god, I've got to go do that again," whatever the that is. And that's a constant challenge. And the interesting thing about it is that from a design perspective, the expectations of what technology should feel like to interact with constantly evolves, and frankly, constantly gets better and then takes steps backwards. But because so much of our user experience expectations are influenced from the consumer side of the world, and you have top leading design firms and brains thinking about these things from mobile operating systems to mobile apps, it bleeds back, and it raises the bar about what does usability mean? What is that even experience like? And what are the modalities that you can actually have that in? And that's super fun from a product management product design perspective.

Joseph Carson:

And it is a bit easier from the consumer side because they tend to adopt things much faster, much earlier. Organizations and enterprises tend to have a lot of legacy that they have to also manage. So it's hard to just all of a sudden switch from something you've been using to something shiny and new when you've got different complexities. You mentioned complexity is one of the most challenging things in our world. You've got legacy hardware that may not support the new technology. You've got people who need to learn how to do it a different way. So it's the educational awareness side. So I do see, it's great to always look at the consumer side and a lot of those providers of how quickly they're coming up and adopting new technology, new capabilities.

And really, that's what's happening is that new generation is bringing it and wanting it in the workplace as well. They want to have that same experience. For you, what are some of the most pinnacle times in history for identity over the years? It's been around ever since I started in my career back in the early '90s. For me, identity was basically your ID badge and the key to the room and a password and username. That's what identity was. It was very basic, very simple, but it wasn't sufficient enough to keep things secure or keep things private. What are some of the significant events that you've experienced over the years that are most memorable for you?

Ian Glazer:

I think, for me, one of the most memorable was realizing the breadth of the domain that is identity management. My first start with identity was Oracle Directory Server because I was a sales engineer. And one of my colleagues said, "Hey, I had a client who wanted me to get it up and running for them. It's the only software that's ever made me cry." I'm like, "Ooh, challenge accepted." I worked at Oracle at the time, mind you. So I wrestled with this thing and finally got it running and then went, "What do I do with it?" So I had stood up all that directory and went, "I don't know what to do with this thing." Okay, flash forward like a year or two, and I'm at Access360, a provisioning company. And it took a couple of years to realize, "Oh, I see how those two things are connected." And then at the time, password management in the original form was very much the market, good old M-Tech, Courion, some of these things. I was like, "Okay, so how does that relate to what we're doing in provisioning?"

And then enter the Oblixes of the world and the Integrities of the world. You're like, "Okay, so what does WAM do?" And starting to realize how big this domain really is for me was really important because I think practitioners of, let's say our generation, learned a product and then another product and then sort of realized, "Oh, wait a minute, there's a larger thing in play here." I think that's a little different, or at least I hope it's a little different for the way people are entering into identity now. So that was one, just understanding how broad this is.

Joseph Carson:

Absolutely.

Ian Glazer:

I think the second one was probably around SSO becoming a ubiquitous and assumed thing, kind of hand in hand with, and that doesn't necessarily mean that Active Directory is the thing that underpins it, or for that matter NDS or any other directory for that classic sort of directory. And now we're in this really crazy era of change, and there's so many dimensions to that change right now that it's actually hard to say there's a singular thing that happened. There's actually a bunch of things happening all at the same time.

Joseph Carson:

Absolutely. And one of the things, I mean, I've been based in Estonia over the years, and I've seen that evolution in the country. I've seen organizations also looking at different aspects of things. And it really gets into, for me, it used to be much simpler many years ago because you had basically sometimes one person, one device, one application, and that simply was it, and you needed to provision for that.

Over the years, as we get into more the bring your own device, we get into cloud computing, and we get into virtualization and machines even working on their own, basically compute and automation, so forth, it's just to your point, it's got so complex. I think cloud probably really, one, is it made it much easier to do things like single sign-on, but it also made it more complex about getting visibility. So for me, definitely today, to your point, there's so many domains, there's so many moving parts, there's so many things. And how to bring them all together, how to make it interoperable and how to make them all work seamlessly. To your point, I think what we're doing is we're making it as easy as we possibly can for the people who are experiencing using it. But in the back end, it's so complex. It's so basically held together with scripts and tools-

Ian Glazer:

I think there's an analogy here that to the automotive world where if you look at the efficiency of gas powered engines, the original Mercedes-Benz engine was about 20 to 25 miles per gallon. That hasn't really changed a lot in decades. But partially the reason why it hasn't changed is because we are layering all these other things that are now powered off the engine. There's an infotainment system, and there's the anti-lock braking system. There's all these other things.

So for the identity world, it's like we did really well at a couple of things simplistically, and we've been able to scale that, but the rate of change going on around what we're doing is like 10X. And so yeah, we're pretty good at doing SSO and provisioning and all these other things, but the number of things now over which one wants to control access has grown so exponentially that it almost looks like we're standing still in moments. And I think that realization is one of the market dynamics that's playing out right now, at least in the enterprise side of things.

Joseph Carson:

Absolutely. I think you're absolutely spot on. That's what I've seen is that where it used to be just managing user accounts and people, to your point, is that we're doing it for so many things today, even just code has its own basically identity, runtime execution has its own identity. So what's your view as we get into, there's always this confusion over digital identity. Is it humans?

Ian Glazer:

We're not going to do a definition thing. We don't want to just bore the pants off of every listener that you have. That's not a good idea.

Joseph Carson:

And getting into machines, the definition sometimes is machines themselves have identity. What's your view around the difference between those two, into when it gets into human side and also machines?

Ian Glazer:

Honestly, part of this, I have a minor in English and literature, and I remember sitting in class and talking about naming, and I do a talk about this around the first sentence of Moby Dick, "Call me Ishmael." And the really important thing about it is not the identifier, Ishmael, it's the act of identification, call me. There's examples of this in Peter Pan and a bunch of other really famous books of the power to name is the power to control. And we've been good at naming human actors and their digital representations. We've been mediocre at naming the devices that they use, identifying them, and then all pandemonium breaks out. The certificate associated with the device associated to the person. The passkey has an identifier to it, let alone getting all the way to like, well, we can sign the code and then the artifact and then identify the workload that's executing, and that's all traced back to the human. We actually can do that. That's amazing. But it's also two orders of magnitude more complex.

And so one of the other market dynamics, and you brought this up, what I think used to be called workload identity. Now more I think non-human identity is becoming a thing and is discrete from identity of things where you have connected devices and IoT type related use cases, factory automation, all of the componentry that goes into the shop floor. There's a whole discipline around this.

But this NHI stuff, this non-human stuff is really interesting because it spans everything from can I identify this workload? Is this workload meant to be executing? Who controls the pipelines that get it there? All the way to API tokens and secrets to certificates. And so what's amazing to me is we're having this massive wave of deja vu where we're standing up the basic building blocks to build identity systems for non-humans now, akin to where we were 25 years ago for humans. We don't really have what's the centralized directory for your NHI? What are your governance tools? What are the access control models? How do we ensure that a workload can act in the context of the caller, but only that, for the data subject with these rights and not leak information about all of this? We're just starting to tackle some of these problems. There's really smart people doing good work on it, but in some regards, it's a brand new day and a whole nother neighborhood inside of identity land.

Joseph Carson:

It's a whole new concept that's just basically surfacing up that is complex. And I think even when you get into the multi-cloud, hybrid cloud scenario, that's where it starts becoming, it's trying to just get an understanding of that now. Doing it within one single cloud infrastructure is a challenge by itself, but then if you've got basically different components of workloads communicating across SaaS providers to different cloud providers, the complexity just becomes a huge challenge for the industry.

Ian Glazer:

Absolutely. And the just, just he says euphemistically, the problem of naming a multi-cloud workload consistently, and visibility into that, let alone the provenance of all of that, just that problem space is massive. And in a world where we're worried about things like supply chain attack, in a world where we are being obligated to create software bill of materials and actually have assurance that we're running the code we think we're supposed to be running, and we have all of that, that in and of itself is a mammoth problem. And to be honest, I was talking to some folks about this a couple of years ago before multi-cloud was a more common thing. The biggest of enterprises might do it, but they would do it through sheer bodies. We throw labor at this problem.

Joseph Carson:

There's people and resources as much as possible, consultants and multiple companies.

Ian Glazer:

Yeah, exactly. But I was talking to folks back then, and I didn't appreciate the richness of the problem. And at the time, it was fairly limited to workload identity, very specifically identifying what is running in this Kubernetes container and how does this relate to which substream provenance. But the more you look at it, the richer it gets. All of the work around tokens, token rotation, secrets management, that is... We're seeing it's a huge business given IBM and HashiCorp, just as an example. But I would assert that secrets are a business for identity. And it's really an interesting problem when you start thinking about the ways in which humans interact with secrets versus non-human entities act around or interact around secrets where the problems live, and a lot of them live in the intersection of the two, and so that's really neat.

Joseph Carson:

Absolutely. I've seen one of the big things at some of the conferences and the trends I've seen in the past years around the API side is even just making sure that the APIs have the right secrets that are not persistent or not publicly available in different repositories and just keeping that visibility as well. So what's some of the best practices? What is the industry looking to in order to try and solve some of these problems? What do you see, what organizations should be thinking around about to best practices, or what's the future? What's some of the future technologies that will help make this much easier for them? Where's the vision side? Where do you think this is going to go to making it an easier place?

Ian Glazer:

I think right now in this moment, we're in the visibility phase of things, which is like, can we catalog, can we name, can we understand provenance? And just get a map of what is the territory that we're operating here? And that's a necessary stage because without that, really effecting controls is an impossibility because you don't know what you're operating within. Then putting in controls feels like, "Well, I'm just going to pull this lever in the dark and hope something happens." We're in that phase right now. I think there are bite-sized pieces that people have experienced in the past that need to be connected to a larger whole when it comes to controls. Things like mTLS certificate rotation. It's pretty mundane until two components can't talk to each other, and you have an outage. You're like, "It's just certificate rotation. Haven't we been doing this for mumble mumble decades?" How many of these things-

Joseph Carson:

People have it on their calendar schedule of what...

Ian Glazer:

Yeah, right.

Joseph Carson:

It's a month before we need to rotate, and this is-

Ian Glazer:

We got to get ready. Do the live animal sacrifice, whatever the things are that we do to rotate certificates around this joint. And so I think what we'll start to see is more and more automation around the building block tasks, certificate rotation, token, secret rotation, token rotation, token policy management. And then start to get into how do we ensure this identified workload, and only this identified workload, can act appropriately within the context of the application and the caller, so the work that's going on around transaction tokens, things happening around WIMSE. There's a lot of really interesting work happening right now, but we're in the sort of name and map phase, which is super important because if you have an incident, when you have an incident, without that, you don't know where to start looking. And it becomes a bunch of separate teams all dealing with an outage, but not really having a shared view of the landscape to understand, "All right, you guys, look here. I'll look here. You look here." And it's inefficient if nothing else, when it comes to an incident.

That's where we are, and I think that's where we're going in the near term. And some of this is going to seem really super familiar. It's going to be like, "We did this, right? Didn't we do this? Why are we doing this again?"

Joseph Carson:

I mean, I remember doing all the root cause analysis for outages for many years, and we always looked at, you look through the events, you find the problem, you find what caused it, and then you try to automate either the remediation, so when it identifies that, it will fix itself again quickly so you don't have to intervene. So you take the human resources out of it, and you have it automate repair itself, or you just fix the original problem so it doesn't happen again, and you get into that root cause. And I think one of the things I've seen is I've been doing a lot of digital forensics and incident response for many years now, and I think the challenge they've got, what I do in incident response and digital forensics in a traditional type of environment, it's not always great, but you have logs. You've got information.

Ian Glazer:

You have what you need.

Joseph Carson:

You have what you need to find the RCA. You can go and identify what was the original problem. When you get into cloud, that events and log data is not always there, and it's not always in one location.

Ian Glazer:

You can't just say it's DNS, throw up your hands and go home?

Joseph Carson:

You can. Just basically just blame it on DNS and move on.

Ian Glazer:

Well, we're out. Thanks.

Joseph Carson:

But I think it's getting to the point, absolutely, you need to be able to understand about when incidents do occur, what was that root cause analysis. And so we need to start basically making sure we have the evidence gathering and the attributes and the resources and understanding about when things do happen, what was that cause, and how can we make sure we can automate it in the future? Because you can't do it without having the knowledge of what you have in the first place.

Ian Glazer:

And I don't want to paint an overly optimistic picture because, guess what, we still struggle to do this in the human identity world. The relationship between an identity team, the data it produces, their technology produces, and a CSIRT team, I was talking to a friend of mine who runs CSIRT for a major SaaS company, and I'm like, "What do you want from identity teams? What do you really want?" She said, "Just want the logs." I'm like, "Oh, come on, give me a better answer." I want to know privilege escalation, lateral movement, and then give me enough log materials so I can walk this back. And to me, that's a massive opportunity. That's a massive opportunity to say, can we do better? Can't we be in a position where we can provide exploratory forensic tools that have already done that work so it's not Groundhog Day every time we have an incident, and we're like, "Oh, go get the log." Come on. Can't we do better than that? And so what we're talking about on the machine side, let's not forget, we don't rock at that as an industry when it comes to the human side.

Joseph Carson:

That was one of the things I had, absolutely, one of the things I have ended up doing a lot of times is that as I'm going through a lot of that evidence gathering and trying to identify where the problems are, and you end up finding these anomalies. You document those, and you then move them in, and you create an algorithm that will help go and run that across as many systems as possible to try and find the similar patterns as much as possible.

Ian Glazer:

Right.

Joseph Carson:

And it really means that, for me, it's almost like I'm now training the algorithm. That's what I've become is rather than just being the one resource that goes and does it on a one-to-one case, now I train the algorithm, and the algorithm can do that for me. It can go and look through lots of events, lots of logs, lots of environments, and take that attack path that I've taught the algorithm about what to look for, and they can identify that very quickly. So you can bring a lot of those anomalies and all of those potential incidents that might be surfacing to the visibility.

Ian Glazer:

So let me challenge that because what that sounds like to me is not so much algorithmic education as signature identification, because you're saying it's A to B to C, go find instances of A to B to C. Where I think it will be interesting is can AI-related tools help you figure out, oh, it is A to B to C. Here's three signatures that are coming out of this thing that are worth going and exploring. Now we can go automate and run those things because, and I don't have a strong opinion in this, but where the places where AI are going to help are, I think, some of those things, the summarization and discovery aspect of these tools is really compelling potentially. I still think we're not in a place where it can be unobserved learning. I still think people have got to provide feedback on these things, but there's a lot of opportunity here both in the detection and incident side of things, but also just in the policy sides of things like, tell me all the ways that Ian could have access to this system. Show me those paths. Show me the policies.

Joseph Carson:

Yeah, it's what's configured to what Ian is actually doing. How is Ian actually accessing these, and then ultimately, should Ian be accessing it this way? So the governance side of it as well.

Ian Glazer:

For sure.

Joseph Carson:

So this is really where it starts getting, once you get that type of visibility, it really allows you to create that baseline and then show you when there's anomalies that happen, and should those anomalies be investigated.

So this is really where you start having the intelligence of understanding about what is the norm, what is your... And also the problem we've always done in the past is we've done it on, we treat everybody under the roles. Everyone ends up having very similar roles and then trying to differentiate between the personalization of the users or machines within those roles, and that's where we always have the challenge is that everyone does things slightly different. It's not exactly the same. And it's how to map that, to your point, is what is the map for that? And then identifying when you're doing it a different way than when you're in the past and why you're doing that.

It might be simple. It's as simple as you're accessing from a country where you've never accessed in the past, or you're accessing from a browser that you've never used. Maybe you've been using Chrome all the time, and you've all of a sudden started using Firefox or Safari or something else. Time of day, even to the point of how fast you're doing things. You can also do it by timing, that the speed of processing, this is unusual. It looks like it might be automated in such a way that somebody's doing some type of automated tool.

So it's really getting into all those different possibilities and then trying to identify when something needs to be investigated. I think where AI and algorithms and agents and large language models can really help us bring these things to the surface much faster so that we can focus on the things that really matter that we can look into.

Ian Glazer:

I want to believe in that, but I think the thing that that's predicated on is the observation at first. Things like roles are not a very nuanced mechanism, and in fact, I would say any sort of admin time control is not a particularly nuanced mechanism. And so the thing that will make the statement you just made become true is that if I can take admin time data and runtime data and event time data and bring those things together and reason across all of it, then those things, especially event time data, brings nuance back into our control models so that we can actually look at it and be like, "Well, yeah, Ian does have this birthright role and these two other things, and he got it through an access request process. It was all very valid."

But if I look at the way he created that session, and now I look at the way the telemetry that's coming out of that session, something's not right. So the thing about a lot of these problems is adding that nuance back in. And we are now at a place technology-wise where we can do this in high velocity and high volume. And so talking about event time controls isn't a magical conversation. It's actually one of we actually can start to do this. What does that add to the conversation? What does that add to the ability to apply more autonomous controls to the matter? That's a really amazing moment to be in.

Joseph Carson:

Absolutely. And that's really, we've been moving along that path for many years. We've gone from role-based access to attribute-based access policy and to really, where we're right now is probably looking at the dynamic side of things is where we're really looking at different sources, different types of activities. Does that person have a service desk ticket open, a change request for this? And looking at it from basically, not from the role, but from the action of the activity that's actually happening.

Ian Glazer:

The context, yeah.

Joseph Carson:

The context itself. And then determining that all of the things that should be in place are in place for that to be approved and authorized. And maybe a simple thing would be is that if there's any type of potential risk, you might just level up the authentication level. You might just say, "We're not quite sure. Let's just do an MFA request."

Ian Glazer:

Sure.

Joseph Carson:

Or let's do a peer review, or let's just turn on recording of the activity, and we can have more evidence gathering. So that person, if they are doing something malicious, they can't hide the evidence. They can't. In a lot of cases, what the attackers will do is they'll delete the logs, they'll hide the evidence of what they're doing and even force that it's not possible for them to do that because it's now being filtered off the machine. It makes them tend to be a bit more cautious about what they're doing and might actually even just decide that it's not worth their time because they're going to be detected much earlier. Maybe just look for a different target.

Ian Glazer:

Yeah, and I think the place that we're headed to, I hope, is one where we can increasingly get to zero standing privilege, that we can be far more dynamic intrasession about what you can and can't do. And then if that context change happens, and it's significant, let's say, then you're radically going to have less privilege within that session. You may still have a session because in fact, I do want to keep you on the phone. I want to continue to get telemetry from this thing, but I want to also minimize the blast radius to all the way to, nope, kill the session, move on. And so things like Shared Signals Framework and RISC and CAEP start to represent mechanisms by which we can do event time controls. And that's a very powerful thing.

Joseph Carson:

Absolutely.

Ian Glazer:

A lot of promise that people are just dipping their toes in.

Joseph Carson:

Yeah, it's been a challenge in the past to get there, but I think we're really at the moment where technology is really providing that capability of doing principle of least privilege. I sometimes refer to, I come from a lot of virtualization backgrounds, so I usually refer to zero persistent privilege. So I get to the point where I just had my birthright privilege, and everything else is just elevated on demand. Either I'm elevated as the user, or the task is elevated, the application's elevated, or the session's elevated. But what's not is my access is not persistent. I'm not having different accounts to do different tasks, admin tasks to my day-to-day operation tasks. I've just got one.

Ian Glazer:

May the day come when people don't have username_SA as their second account. And kidding aside, I think that day is actually sadly far away, that practice of having the secondary service account or a system admin account. It's endemic.

Joseph Carson:

Yeah, it is pandemic. I think it's a cultural thing as well. I think it's just that that's what is, people don't want to give up privilege, but what they have to realize is that you can get it when you need it. You don't have to have it sitting there all the time where an attacker can simply, if you're not managing it, you're not basically rotating it, or keeping updated, it becomes a dormant account. Then attackers will find it. That's what they're really good at. They're good at finding those and leveraging it.

So we have to get to the point where it becomes named and persistent, so that we are going to easily identify it. And I think that goes back to your original problem is that when we stop having these multiple accounts that are just there for different operations, and we get it down to where it's basically fewer accounts that can be modified on demand to do the task, that reduces the landscape down quite significantly.

Ian Glazer:

It does.

Joseph Carson:

It has less opportunities for attackers to abuse.

Ian Glazer:

Yeah, for sure. Totally agree.

Joseph Carson:

So what's the big thing that you see coming? We've had these, you're an analyst, so you're familiar with all the hype side of things. We've had the hype of the blockchain side of things and self-sovereign identity, and there's been all of these big thing areas over the years. What do you see as the next area? I mean, we're in the middle of the AI hype trend, of course.

Ian Glazer:

Yeah, I was going to say help may be optimistic. Hype, definitely. Maybe.

Joseph Carson:

But what do you see is the next big thing coming? What's on the surface? What are you researching into now, or what are you looking to get an idea of?

Ian Glazer:

So I think we're in a moment where our previous definitions and boundaries of markets are starting to fail. They don't describe the capabilities well, and they also don't describe what they can help with particularly well. So I think we're outgrowing definitions. And why that's interesting to me is because it then opens a moment that says, "How should we think about the capabilities that we have with our existing technology? How do we bring those to bear in an orchestrated way? And where are the gaps in our ability to affect controls at the moments we want to?"

And so I've been doing a little writing about thinking about policy orchestration, execution and data, and I'll be writing it about this and talking about this against then what does that mean in a runtime context, in an admin time context and an event time context. How do we start to think about the problem?

So I think there's some interesting realignment going on inside of the market to market concepts. And I think that's powerful because, again, names have power, and so we'll say like, "Oh, this is access management, and that includes everything from SSO to authorization to a bunch of stuff in between." And you're like, "That brush is way too broad." It lacks nuance.

So that's happening. Now against that backdrop, there's a real thought about how do we do zero standing privilege and things like this for all entities, human or non-human identities, how do we do this in an efficient way without ripping out everything we have because it's not an option in this day and age. Replacement cycles for major components and identity systems, 8 to 10 years.

Joseph Carson:

Yeah, I've seen seven years plus is right now where I'm looking at. It used to be five years.

Ian Glazer:

It's not, not anymore.

Joseph Carson:

Organizations really want to squeeze the life cycle of what they're using as much as they can.

Ian Glazer:

Yeah, and that makes sense. The thing is though, the needs that we have and the challenges our adversaries present us don't stick to that cycle. So that means you've got to augment what you've got with other things. How does that work? How does it all work together? How do you not go insane trying to manage all this stuff?

So this is, again, all backdrop to then these sort of large cycle things where, we joked about this back in Berlin when we met up, which was like, "Oh, there's all this Wallet loves you stuff going on, and what do we do about that?" And is it going to work this time? I remember EI-1, I remember Stork. So you tell me how VT is going to go, hopefully different, to hey, what is the implications of that? If that happens on the individual side, on the citizen side, what is the implications inside of enterprise, and what does that mean? What opportunities does that open up? What challenges does that present? So there's certainly that.

And I think there is a real feel that we have got to get our arms around this exploding complexity that we're forced into. The number of things that can be controlled, that over which you can write a control, keeps growing exponentially. You look at your IaaS infrastructure. You're like, "Oh my gosh, the number of buttons and levers that I have here is preposterous. It's crazy." How do I make sense of all this? And I think the only way we make sense of all this is where we start to infuse systems that can translate what all this controlled language looks like into my native language, can make suggestions, can help me say, this is mostly what the description of this role is, however, let me tell you what people actually do with it.

Joseph Carson:

It's almost like the reverse of natural language processing and understanding to, okay, I just don't want to talk to computers in my natural language and then get computer response back. I want that actually to translate it back as well into something that I can understand.

Ian Glazer:

We make these crazy assumptions that people, that the identity operator, the person on an access management team, or what have you, is suddenly going to understand what does this cryptic role definition from SAP mean? How is that going to work? Not to pick on SAP, but they got some really lovely role names like, wow, that's special. I should talk. Salesforce does the same thing.

But these complex controls environments, these complex authorization environments, people need help understanding which end is up. And I think there is a lot of promise in LLMs to actually go do that. So we've got all these ingredients in the pot right now. What I think will come out of it is there isn't going to be one singular path and one singular modality to do all of these things, but I think what we'll see is far better orchestrated capabilities so along the lines of this fabric notion, we'll see how that plays out, that allows you to squeeze more out of the major components of your identity infrastructure while augmenting them and innovating with smaller pieces that add an enormous amount of value.

Joseph Carson:

Absolutely. So what's some of the resources you'd point people to get help in this area? Where's the best place? Where do you go for information, and what can people do in order to better understand all of this complexity?

Ian Glazer:

All of it. Right.

Joseph Carson:

Not everything but into some of the best places that you find.

Ian Glazer:

Yeah, so first and foremost, IDPro, the Body of Knowledge, that's freely available to members and non-members alike for personal use. Bok.idpro.org has wonderful articles on a myriad of topics from some of the basics, the basics of user provisioning, the basics of CIAM to more advanced use cases of how do you think about help desk and recovery use cases when you've got consumers calling in and asking to be reconnected to their accounts. Really a very broad topic. It includes some business use cases, includes privacy considerations. So there's some great stuff there.

If you're so inclined, and you want to be able to interact with peers, joining IDPro gets you access to a really amazing community of people that are trying to muddle through it just like you are and are willing to help. And so you get questions of everything from super nuanced standards questions to how the hell do you do this thing in Entra? And then does it work the same way in Okta, or do I have to do something else? Very pragmatic.

Joseph Carson:

So unlocks the community too.

Ian Glazer:

Yeah, yeah. That opportunity to realize like, "Oh, holy crap, I had no idea so-and-so is just 10 kilometers down the road, and they just hooked me up with this great answer. We can go get a beer. We go hang out at IdentiBeer the next one." So the community aspect of it's hugely powerful.

And I think there is a golden age right now of people willing to share information. And so your podcasts and others are examples of that. Those of us who have been doing it for a while are like, "Well, I really hope no one has to do what I had to do to get here, so let me talk about it. Let me teach about it. Let me write this stuff down. Let me get this in my blog. Let me put this in my pod."

And that's a huge resource. Now there's a lot of it, and you can kind of drown in it, but I think the thing, especially when thinking about podcasts and blogs and things like that, it's like find someone who you like to listen to, and we're not all going to agree, it's all right, but notionally, we're pointing all in the same direction in a lot of ways when it comes to especially the foundational things.

Joseph Carson:

I think we all have the same destination that we want to get to.

Ian Glazer:

Heck yeah.

Joseph Carson:

How we get there, we might decide to take different paths or different ways, or sometimes we might even join across the same path for a certain journey, but ultimately, we all do have the same vision. We want to make this as easy as possible, and ultimately to make the world a safer place that everyone can enjoy the benefits of and to do things faster, better, and reduce waste of time and spend more time doing the things you want to do.

Ian Glazer:

Heck yeah.

Joseph Carson:

And that's ultimately the thing. We all have that same goal, but we all might take different paths.

Ian Glazer:

Absolutely.

Joseph Carson:

And sometimes we agree, and sometimes we don't. And it's all okay.

Ian Glazer:

And it's all okay. And I think that's the important part is if you have the opportunity to go to one of the larger identity-related events, I think one of the things that makes our industry very, very different is a sense of community. It's very common to see direct competitors in the enterprise world sitting down having a coffee because the problems are shared, and everybody's going to have a bad day, everyone's going to have an issue.

Joseph Carson:

Absolutely.

Ian Glazer:

And there's real willingness, at least I've observed, I think you have as well, of people saying, there's no secrets here. This is how we deal with this stuff, and maybe I have a different flavor of the problem or a different flavor of the technology, but the general pattern holds, and the response holds. So I'm happy to teach you this one because it sucked, and I don't ever want to go through it again, and I don't want anyone else to go through it again. So here you go. And that makes, I think, our industry very unique and awesome.

Joseph Carson:

Absolutely. And for me, it was quite a few years ago now because I was always from a very security-centric background. But being in Estonia, I've always been exposed to the Estonian version of the digital identity journey. But a few years ago, I got involved in the identity side. And for me it almost, it was relieving, it was exciting because rather than talking about the scary stuff that happens in the security side, we started talking about more the efficiencies and the benefits and how to make people's lives easier to access things. So for me, that whole side of the community was exciting to become more involved in.

And you're absolutely right is that it's getting everyone in the same place that might be all competitors and vendors and consultants and professionals and even consumers and businesses out there all working together to share knowledge and lessons learned to make sure that people don't fall down the same cliff and make it better for everybody. So it's great to see that.

And definitely, in the identity conferences around the world, they make that community possible.

Ian Glazer:

Yeah, for sure. For sure.

Joseph Carson:

So how would people contact you if they have questions, or they want to follow up, or what's the best way for people to reach out?

Ian Glazer:

Easiest thing is probably go to Weaveidentity.com and hit Contact Us or hit me up on LinkedIn. I'm a reasonably findable person out there, so throw out the Bat Signal, and I'll land on your roof.

Joseph Carson:

Fantastic. We'll make sure that all of those links are in the show notes as well.

Ian Glazer:

Cool. Thank you, man.

Joseph Carson:

And it's one of the things you're well known for the socks side of things.

Ian Glazer:

True, yes. So I added a line in my bio years and years ago, it ends the bio with basically, and a well-known photographer of his own socks. And I put it in there just to see if someone would push back and be like, "What? No, we're not putting this on the bio page of our speakers." No one's pushed back yet. But the funny thing is, I'm in Washington D.C. It's 95 degrees Fahrenheit out. I don't really wear socks around the house. So when people ask me, "What kind of socks are you wearing?" I'm like, "None. It's a billion degrees outside." Yeah, no, that's not a thing. So it's usually just at conferences and when I leave the home. So sorry to disappoint the listeners on that one.

Joseph Carson:

No problem. But they will be watching out now for the sock photos that you will be posting.

Ian Glazer:

That's true. That's true. It happens. It's a true story.

Joseph Carson:

As always, for me, it's always fantastic talking to you and listening to your insights and knowledge. I always learn something, and I really appreciate that. I appreciate everything that you've, ever since we met probably about, I think it's eight years ago now.

Ian Glazer:

Every bit of that. Yeah, for sure.

Joseph Carson:

For me, you've been a mentor to me in this industry.

Ian Glazer:

Oh, thank you.

Joseph Carson:

I always appreciate everything you do, and what you're doing in the identity space is always impressive, especially around the community and bringing people together. So we thank you for that and so appreciate all the-

Ian Glazer:

Happy to do it. Happy to have this opportunity to be here and talk to you. It's been a little while and so-

Joseph Carson:

It has been.

Ian Glazer:

Thank you so much. This was awesome.

Joseph Carson:

No problem. So for everyone, this is the 401 Access Denied. Hopefully, this has been very valuable for you all. We'll make sure that all the information we talked about, we get links in the show notes. And for everyone out there, tune in every two weeks, and we'll be bringing guests on. We'll talk about thought leaderships and different ideas in order to help you in your career and make the world a safer place.

So again, Ian, many thanks. And for everyone out there, stay safe. Take care. Until the next time.

Ian Glazer:

Thanks, everybody.
