Listen to Identropy's Jim McDonald and Jeff Steadman on their podcast at "Identity at the Center".

Both Jeff and Jim have over a decade of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm.
In this episode, Jim and Jeff talk about some of the surprising IAM things they have seen in their consulting careers.


We hope you enjoy this episode and please subscribe to our podcast for updates on new episodes!

LISTEN HERE or read the full transcript below.

*Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.

Podcast #17 Full Transcript:

Identity At The Center #17 - IAM Surprises

Jeff: Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim.

Jim: That's me right over here.

Jeff: That's you. On today's show we will talk about surprises, both good and bad, that Jim and I have seen in IAM programs over the years. Before we get to the IAM stuff, Jim, let's talk about some non-IAM surprises that we've come across in our many, many travels.

Jim: And we want to talk about good surprises here too, right?

Jeff: Let's keep it safe for work and let's try to keep it positive and obviously not call any specific people or entity out if we don't have to.

Jim: I can live with those confines, especially when really what I would talk about in terms of surprises, with anything on IAM, I want to talk about snacks. Good surprises would primarily focus on food. And there was one particular client, much love to them.

They had the best snack bar on every floor of any company they ever visited, as a full-time employee or as a consultant, ever.

And everything was free. Best snacks and the best dining hall, cafeteria experience.

Jeff: And that was a legendary food-at-a-client experience. I think it was just... I mean, we're talking like not even like cheap snacks, like Hershey bars here. I mean, stuff that I gave you, everything I had at a normal company, penny pinching, and it's tough to get even like a coffee machine into the break room, a Keurig or stuff like that. But then there's like, you know, candy bars. There's beer, wine. I mean, this was definitely head and shoulders over, I think, every other company, at least that I've ever seen or been a part of.

Jim: Now, the only drawback of that particular place was that the parking was not so great. But they had a policy where you could take it over to work.

And I think that was covered or something, like being very generous employee benefits. I think it actually made me... I've been working from home now for over 10 years and I love it. I love working from home. I love the freedom of kind of rolling out of bed and jumping on the computer and not having to sit in rush hours. I did that for many years.

Jeff: You roll out of bed and jump on the computer. You just pop open a laptop right there.

Jim: There had been those days, believe me.

But I used to do the normal rush hour commute like everyone else. I love working from home, but with that particular client I would come into the office here.

Jeff: Just for the food and then for breakfast.

Jim: There are snacks, really good free lunch, and then go on my speed.

Jeff: I'm going to take advantage of the free food and. And that's pretty much it.

Jim: I'd like to start working weekends as well.

Jeff: You'd like to work cafeteria hours at that. It's interesting you bring up the ride thing, it's an interesting benefit for those employees. And theoretically, something that could be a little more eco-friendly as well by having more shared, kind of credits out there. It solves the problem of the parking, but convenience, too. I think if people could take Uber or Lyft to work every day and it was economically viable and the availability of it was there, why not?

Jim: I think there's still a culture paradigm in some organizations where everybody needs to be in the same place. And then other organizations are much more open to it. And, my personal opinion is you get a lot done telecommuting, web conference calls, and I see a lot of organizations succeeding with a large part of their workforce being remote or in separate cities and things like that. So why couldn't you just as well do it where people are working from home? It does kind of come down to trust. And I think it's probably more appropriate for certain roles than others, but he's been a big fan of that, and me personally. I make sure that I'm getting my work done because I know that it's a two-way trust.

Jeff: That trust thing is the big thing. Companies I've worked with in the past, and I worked for in the past, that's always been kind of a slow roll. It was, no, not at all. To, once a month or something like that. And then it became kind of like, well, Fridays or half days like that. I agree. And I think the majority of people will treat it correctly. There will always be kind of bad apples among the bunch that might take advantage of a policy or something like that. But, I look at it and I don't have tacos for. But like the Apple model of self-service sales, right. Where you can go into the app and buy a product and then walk in a store, take it off a shelf and walk out. They may have tightened up just a little bit here and there, but they've designed a shopping experience that meets the needs of the 98 percent of the people who will do the right thing. And they sunk less into the 2 percent that are gonna take advantage of it that they would've lost anyway. I kind of take the same approach for working from home, telecommutes. But even from an IAM perspective, don't design for the 1 percent, design for the vast majority of other users or things that are going to provide a much broader benefit rather than getting bogged down in one or two things.

Jim: Generally agreed. I definitely agree with the philosophy. That particular use case where it's people able to check out without having kind of the traditional model doesn't provide additional security. But when I go to grocery stores now, I'm finding more and more of them have self-checkout and I wonder, like, it could be so... I mean, I wouldn't even think of stealing something, but it's crossed my mind that, how would they know if I had five candy bars and I only swiped three of them?

I mean, I really think that actually works sometimes. I'm holding a quantity of four and I just take one of them to scan it four times and throw four in the bag.

Sometimes I won't even put it in the bag. I'll just put it on right in the cart and say, I wonder, OK, how are they how are they not losing money by doing it this way?

And I also wonder, OK, so usually there's somebody sitting nearby who's not really paying attention, but are they maybe profiling people and determining whether or not they look like they could be someone who would steal something? And that's where I would think you could run into some potential legal issues if that is happening.

Jeff: That's something that pops up pretty much, I think, universally, no matter where you're at. But, the concept is it's a frustrating experience doing the self-checkout thing because scan again and scan every item again, remove item from bag. I mean, it's just not a great user experience sometimes. And they have the overseer there, the employee who's kind of watching all the checkout lines and comes over and overheated, but, anyway, we're getting a little bit off track.

So we talked about food. Let's get back on track. Talk about food at one place. I want to continue that theme in that we were in Wisconsin recently and found an amazing sushi place. Ash ate there twice while I was there.

Jim: And I mean, I think Ash ate sushi for the first time, like 15 years ago, and I remember thinking at the time, I'd only want to eat sushi somewhere close to the ocean. And I said my best sushi experiences were in the heartland of this country, which is nowhere near the ocean. And I think that the way it operates today is that they get that fish in, they package it in airtight containers and freeze it and ship it to wherever it's going by FedEx. And it arrives in just as good a shape, whether you're 10 miles from the ocean or a thousand miles from the ocean. So then it comes down to what are the skills of the sushi chef.

Jeff: The skill, the creativity, right, how they put things together. I mean, I'm relatively new on the sushi side. It's not something that I have traditionally been involved with. But my wife got me into it. I'd say about a year ago. So I'm waiting, waiting in slowing. But I enjoyed that, well, that sushi place there.

Jim: Next year, you'll be eating a mackerel sushi meal and it can be a whole new world for you.

Jeff: I'm a growing boy, no longer just cheese sandwiches and peanut butter and jelly. It's been more interesting. Any other non-IAM surprises before we jump into IAM surprises?

Jim: Just one negative thing that I've come across recently with small airports. If you're planning on getting in late, try to survey the availability of Lyfts and taxis a hundred times, to the extent you can.

I had two small airport experiences where I got in late. There were no taxis at the taxi stand. There was nobody available to help, to ask for help. I ordered a Lyft. No one picked up my ride and I had to rent a car with a limited quantity of cars available because I got in there so late and everything had been burnt to death already.

I've been a road warrior for 20 years and I ran into that before. I ran into Times Rail. They've been running cars. I usually have them. At least I can just go grab a taxi. But if you're flying into a really small airport like the one in Georgia, or Central Wisconsin Airport, you get to that, that got me. I would say make sure you have a rental car lined up if you get in there late.

Jeff: I think I do a little recon. Makes sense, you never know what you're gonna get in those little small airports. Let's shift gears. Let's talk about surprises that we've seen in the IAM space. Let's start with something where you had a surprise, where you found a customer doing something right.

Jim: And this is one I go back to a lot, because there was a particular client, I would say their maturity level overall wasn't really that high.

And from an IAM perspective, they were doing things very manually, so they were a growing organization. They didn't have a very large workforce and a lot of partners that they worked with. So they kind of had manual processes that were good manual processes and they hadn't automated them yet. And, in terms of doing authentication, single sign-on, they were using free tools like ADFS, which isn't necessarily bad in and of itself, but it wasn't very progressive. But then you look at their privileged access management and I think they were using saga work and they were doing privileged session management for all their servers, their password vaulting, all the other accounts that they couldn't do PSM for. And they were managing service accounts and it was like.

Guys, you're at like maturity level three or four when it comes to privileged access management and maturity level one for so many of the other areas of IAM, you don't even really have an IAM. What kind of drove you to this level of investors like Alexa as well? They had a security incident. And so I say, unfortunately, that's what it takes so many times. When you go in and we talk to clients about privileged access management, and you can attest, Jeff, a lot of times the story is falling on deaf ears, or somebody really cares about it but has a hard time articulating why it's important to spend all this money to manage the access of people we trust. That's really what ends up happening, is that we usually talk to a client, they say, we've got a small group of people who have the keys to the kingdom and we trust them, more or less.

Also looking at this particular organization, they had a small group of people that they trusted with this show. Had they still had... I think it was a phishing attack that somebody wound up coughing up the credentials. And so they were able to very quickly articulate what the problem was and address it. But I think in the end, they put themselves in a much better place. They reduced the attack vectors significantly and the keys to the kingdom I thought they were doing a very good job with.

Jeff: I'm wrapping, like, a high point for an obvious high point, too. That was like one of our strengths. And we were kind of assessing the overall program. There was all the stuff they're doing around privileged access management. There's one that I can think of recently from a client that we're working with; it's loosely related to IAM. And it's around their I.T. service management. I thought that they had done a really good job of kind of pulling in this new technology that they were going to be moving to. They were really treating it like a product and had a clear plan for that, which, ITSM has some reach into IAM, and you need a place to create tickets and how do you want workflows and requests, stuff like that. And I remember seeing that new product from Remedy on that digital workplace project. And I was like, OK, this is interesting. I can see how this might work together.

But the team that was kind of rolling that out or just getting underway with that seemed to kind of really be on point with it.

Jim: I remember that one, too, excellent point. And, I think one thing that people will get up and cheer for is when you have an impact to the end user and you improve the end user experience.

That's why it's sometimes harder to justify security-only projects, things that exist in the background. There's not a real end user benefit. But at the same time, I mean, the counter to that argument is that I think people are starting to get security a lot more.

And data breaches are front page of the Wall Street Journal on a regular basis and nobody wants to become the victim of that.

Jeff: But it does also have a numbing effect, too. It's happening everywhere all the time. It's like, OK, another breach. Who was it this time? OK. What do I need to do? Those sorts of things, and it's unfortunate it takes an event sometimes for a company to invest in that sort of thing. And sometimes it takes multiple events. When it's not a matter of if, it's a matter of when you're going to get breached, so you can be proactive with it or not. And see them somewhere, there is a risk calculation being made on whether or not they will invest X number of dollars to solve for whatever potential risk that those dollars would go towards mitigating.

Jim: I actually, I was just having a thought and it really is a little off topic, but I want to share because we were working with a client recently and this person was expressing some kind of frustration that she was dealing with in terms of they had a workforce where there was not much shirting, where, you know, you and I both worked in places where there were a lot of people with 30 years or plus of tenure and, in I.T. and maybe managing applications, maybe applications still running on the same hardware from 30 years ago. And they just, they're experts at the business and they're experts in their application.

And, that can be a little intimidating.

My advice to this person was, be an expert in what you can be an expert in and be able to talk intelligently about risk and about information security and trends that are happening in cyberspace, if you will, about security events and data breaches. That is an important part of the conversation.

You're not going to be able to have 30 years of experience or conventions personally. You know more about their job than they do.

However, there are things that you can know and you can build your career around having expertise in another area where most people in the company really don't understand or are really able to converse with you in a very intelligent way.

Jeff: I think that's what really makes a good IAM program manager, specifically. You don't have to be the most technical person in the world, but you have to know your product.

Meaning, what is it that you're trying to put in place from an IAM perspective? How does it help and how are the different pieces going to play together and how do you share that message? I think having that knowledge and being able to articulate it well goes a long way. There's always maybe someone smarter than you in the room, so know your stuff at least. And, part of that is critical thinking: how do you apply the solutions that you have in your tool belt to the issues that the company or the business or the team is facing, with what you've got to play with.

If it's not something you have today, go research and look for something that will fit that bill.

Jim: I think so. The area of information security, and identity and access management in particular, is an area that is growing and there is a lot of space for people who want to dive in and a lot of knowledge out there.

And there are a lot of people who I think would like to mentor other people.

So it's a great area. I would recommend a scenario that you're just breaking into.

Do what you can to get to conferences or participate in whatever forums are available either in your area or online.

Get to know people and really just dive in. I mean, I think it's an area where you can make a very good living and you can really establish some expertise and build a career based on it.

Jeff: Definitely things like Identiverse, that conference is a good one, I think, to go to. Gartner, coming up, that's, I think, the right choice. In a variety of methods, YouTube videos, all sorts of things.

Jim: If I have no money to get started, YouTube videos where I would have.

Jeff: YouTube is still valuable even for me looking up stuff and taking a look at what's out there and trying to research different topics and see what's out there.

Jim: We talked to a vendor today on a demo for their product. I was really impressed with what their product was, for a company I had never heard of going into the conversation, and also customers and everything. But, we asked questions at the end and then you asked, do you have any questions for us? And they said, what do you think? Where would you take it if you were us? And the feedback was like, we'll see any major gaps in your product. It really, you don't find the area of identity governance and administration is what you want to solve. You've got an excellent user interface.

Everything I see here, you've got role-based management, provisioning, etc. Now you just need to market it on all fronts. You need to be at conferences. You need to be on YouTube.

That was one of my big feedbacks, is that you get out there on YouTube. Have a YouTube channel, do some chalk talks or whatever. I mean, there are so many good kinds of chalk talks that I find on YouTube and use them to educate myself.

And even in areas that I know, I like to add and rewatch them because it just helps reinforce what you already know. So to me, YouTube is really where it's at.

I think the more progressive companies have already made significant investments in their YouTube channel.

And then you see a lot of the IAM conferences, whether you're an attendee or not, you can get on YouTube and watch a lot of the presentations. So it's not as good as being there in person. But, you can't go to every conference.

So if you're looking for avenues for educating yourself, and Jeff, I think we have 50 years in the industry. But I mean, we can't get to every conference. We use YouTube to educate ourselves.

Jeff: I'm also more of a fan of show me versus just telling me. So anything where I can watch something, I find more interesting and more engaging. And if it's done correctly, I can learn more about it. Don't just tell me why your product is better. Show me. Bring it and let me see what it is you're trying to explain.

What about a surprise that was a real eye opener in terms of how it impacted the cloud, maybe, or identity and access management?

Jim: The real eye opener for me, or when I see something being done, wow, that's impressive, but I don't see that every day. And so we were working with a client this year and they were one of Amazon's AWS top ten clients in the world. Such a presence in Amazon's cloud that they are ranked in the top 10. Not sure exactly where in the top 10. But, the way that they were managing their cloud instances and the level of automation that they had put together was truly impressive. And now they were engaging with us to look at IAM solutions.

And so kind of coming out of that, I came to two major conclusions.

One was, I really need to start to understand IAM for DevOps, like what is the way to secure all these secrets that are being used by their DevOps tools to create instances and to deploy systems. So my second major light bulb, if you will, was that they needed to be able to script integration with their IAM tools.

So as they roll out new instances, they need to federate those instances back into their IdP.

There's no room for manual configuration of systems. Everything needs to be automated. We're talking about a federation. There are steps occurring on both ends. It really needs to all be scriptable. So it just kind of reinforced the need for APIs. That was a major use case for OSA. This is something where the product needs to have this; it can't be a roadmap item or something like that. It has to be ready to go, and the vendor has to have some ability to talk about where they've really done this before. It was a real eye opener to me. It was like, this is a company that is doing it at scale, scripting and automating, at a scale that I had not seen it done before.

Jeff: It was impressive, and always that was interesting when I see some of that, where there's like an organization that is super advanced in a specific area like that and they are way behind in other areas. They have all the stuff that they're working on from a DevOps type perspective, but they're still using someone manually going into Active Directory and creating employee accounts. It's weird how sometimes you see that out there.

Jim: It's interesting for this particular client, they'd identified that cloud was their future. They need to be present in the cloud, and without revealing who they are, this is something that they said we're going to invest in. It's also a company that was full of very bright people. So they built all of this automation using open-source tools and the things at their disposal. And they were in a lot of code themselves, and were kind of a developer type of company, so they had it in their genes to make that happen.

The other thing was something you said to one of our clients today, which I thought was really right on, and this is something that will give an opportunity to make strides.

And in one particular IAM area sometimes, which is if a company is saying something like we're going to revolutionize the digital experience, maybe for a website or maybe for the retail locations or for the factory, you can piggyback an IAM investment, and making sure that IAM doesn't become an afterthought in that process is important. But it's also a way to sometimes get things funded. And really, it's not a free-for-all in all cases. You're not going to maybe be able to move forward the maturity of all of your IAM capabilities. But maybe one area like privileged access management or authentication, something like that, you have an opportunity to really move the ball forward.

Jeff: I think the key part is knowing when can you pass the ball and when do you need to kind of side pass it, right. You're not going to solve everything all at once. Some things may be quick wins and yeah, you can take care of them. And others are, you know what? Let's tackle that one down the road. The organization just isn't ready for that type of change. That was an interesting conversation and I've been through that in the past. So I kind of had some experience as far as what they were trying to do or what we were thinking about doing, but how would that kind of work in the real world. And, let's take a step back here and let's think about this from how would this actually work from a deployment standpoint? And maybe better to just, let's put a pin in that one to wait and then piggyback on it when the time is right. But be ready to move forward when that happens. What about a situation where a client is using some off-the-shelf solutions and that's made things more challenging? Have you come across anything like that?

Jim: One thing that comes to mind was a client who had a very heavy legacy investment in mainframes. And they were running those mainframes on a variety of security solutions. So there is RACF, ACF2, as well as some custom security solutions that were more file based. In other words, by security solution I'm talking about the management of the credentials to log into the applications as well as how they manage roles and groups. And so it didn't change the overall, you know, requirement to manage my roles and to have an identity governance solution in place. But you knew there was going to be an integration challenge, because I think what you'll find a lot of times when you look at product solutions is you might be lucky to get RACF and ACF2; you're never gonna find a Swiss Army knife connector for mainframe systems like I'm talking about. OK. Well, how could we get a file moved over there, what is the way that we're going to do that? But, more likely, you're going to find just RACF, just ACF2, or maybe nothing. So, integrating into legacy environments can create a challenge. That was one that came to mind.

Do you have any that you're thinking of?

Jeff: I'm thinking more of like an open-source kind of environment where you're heavily dependent on the open-source community for all of your work. And maybe that's not necessarily the sweet spot that you want to be in. So typically with open source, you probably have to do a lot of extra customization, configurations, maybe even funding development of things. Even though you're not paying for software, you're paying a license fee, but you're certainly paying a company or an organization, or some sort of trade group to move forward with features that you're looking for. And I think sometimes that makes it a challenge for some organizations when they get too dependent on that. And now they're maybe kind of locked in to this kind of open-source hell, where it's just a combination of different things not really designed to work together. But you've figured out a way to make it work for a few years and now it becomes this tangled web that you're trying to unweave, and I can see that being a challenge.

Jim: It's usually what happens in a place like that. They won't want to spend the money on this and they have one hundred developers, like hey, you're not spending anything, those folks don't cost anything.

Another thing that I'll usually find that will make implementing software out of the box difficult, just one use case that always drives a lot of difficulty with out-of-the-box solutions, is delegated administration, especially in like the B2B customer IAM space, being able to delegate administration to customers or to departments or anything. A lot of systems that have delegated administration have kind of a very fixed structure that's in place. So, you know, I'm always out there. If you're listening and you've found the COTS package or SaaS package with a really flexible delegated administration model, I'd love for you to bring that to my attention because I'm constantly looking for that. But in my years with identity and access management, this one has been one of the toughest things to find and usually ends up with a fair amount of custom developed code.

Jeff: A lot of it has to do too with what the company is trying to do from a customer type of acquisition thing. What's the workflow they want to have them go through, etc.?

I mean, there are some standard use cases out there, but it seems like everyone's looking to do something just a little bit different that may not be in a product. So that's why they start to look at that customization.

All right, why don't we start to close out and I'll ask one final question. Was there ever a client that took all of our recommendations and ran with it? And if the answer is yes, if you could think of one, why do you think that was so successful?

Jim: So I think most of our clients take some of our recommendations and most end up not doing all of them. And I don't think it's because we didn't socialize it with them. I'd say, usually when you get further into the roadmap, you take on the harder things that wind up requiring more investment. And when it requires that you spend a lot of money, it has to go up the chain.

So there was one particular client who I can think of that really followed everything almost to a tee. They even had us come back for a second advisory three years later. And at that point, they had gotten through. They were a little bit delayed on the roadmap, but they were doing everything on the roadmap set. And a couple of things about it. One was that I thought that the roadmap was really well organized. It centered around three themes: standardization, simplification and mandating. Mandating was the top one.

This was an environment where they had built kind of delegated, or what would you call it...

Jeff: Like a distributed type?

Jim: Yes, they allowed a lot of autonomy to the application teams to determine how they want to implement security. And so they had multiple generations of security solutions. And we said, look, you're going to come up with this investment and you're going to standardize, you're going to simplify. Now you need to make sure that everybody's going to use it. And what I think really was the kicker was that we presented this strategy to the board of directors of this organization, and the directors were very senior people. It was in the medical community. So a lot of these people were like, doctors for 40, 50 years. It was a little intimidating because you knew these people were like 100 times smarter than you.

Jeff: You were the expert, Jim.

Jim: That's right. And that's what I had to remind myself was that this was my area and I knew way more about it than they did.

And they were totally receptive to what I had to say. And that's exactly how it went. And, they really appreciated the information made. They liked the content. They understood it.

And that gave the team the ability to have the backing of the board of directors to go ahead and make the changes that they need to make. So it's really gratifying, it was one of those situations where, you know, you really feel good about the job you did.

Jeff: Those are always the good ones. I always feel kind of good. That's, OK, we delivered this and we did a great job. I feel comfortable in what was put out there. It makes sense. It's totally actionable, realistic, not just boilerplate type stuff. It can get anywhere. And it always bugs me when that goes really well, and then the momentum gets lost and they take too long to kind of get going with the plan. And even that momentum, I think you can't talk about before was, you get a couple years until momentum. Also, it continues to be sometimes a challenge. So you try and keep that going forward. I think that's always where the dangerous spot is. When we're working with our customers, we tell them coming out of advisory is a real dangerous spot. And that's something to watch out for, because you're gonna have this great plan. It's going to be a lot of interesting and potential backing to move things forward. And then if you don't do anything with it, you run the risk of just kind of falling into the same habits again, not getting anything done. If we wait too long, the strategy may not even be applicable anymore.

So, you know, it's something that we like to point out, like, at some point we're going to walk out of here and it's going to be up to you to carry, or continue to carry, the torch. So you want to be ready to do that.

Jim: And a future podcast topic should be to talk about the roadmaps, just so it's a little teaser.

We always put our roadmaps together with do now, do next and do later. So do now are things that, we leave on Thursday, you can start these things on Friday. Really, they can be employed already. And it's a mix of things that are clean-up items, things that you can get started on where you don't need any budget. And then it's mixed that way. You're doing preparation, going and doing product evaluations and getting budget lined up so that when the next budget cycle hits, you're able to go ahead and purchase software or do a subscription and start deploying things in the do next phase.

Jeff: You've got to set the table before you can eat dinner. I think this is probably a pretty good spot to leave it for this week. We certainly appreciate everyone who has reached out, people who are listening or subscribing. Feel free to share with your friends. Please do. You can always find us at And if you've got questions feel free to email us at, and with that, we're going to go ahead and close out for this week and we'll talk to you on the next one. Thanks all!

Jim McDonald & Jeff Steadman

Jim McDonald is a professional with over 15 years leading teams through business-critical technology initiatives. Technical Strategist, Leader and Champion of Change with history of crossing organizational boundaries, cultivating strategic alliances and building consensus and alignment among diverse constituents to leverage IT as strategic asset and deliver solutions that rejuvenate and advance global business’ financial performance. Also as part of our advisory practice and with over fifteen years in the identity and access management space behind him, Jeff Steadman helps develop realistic IAM strategies and provide vendor agnostic recommendations to move the needle on IAM maturity for organizations large and small.