Listen to Identropy's Jim McDonald and Jeff Steadman on their podcast at "Identity at the Center".

Both Jeff and Jim have over a decade of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm.
 
In this episode, Jim and Jeff return to their respective home bases for a "normal" episode where they talk about recent trends in IGA products they are seeing.

Brought to you by identropy.com

Want to join the conversation? Leave us a message here: anchor.fm/identity-at-the-center/message or email us at questions@identityatthecenter.com .

We hope you enjoy this episode and please subscribe to our podcast for updates on new episodes!

LISTEN HERE or read the full transcript below.

*Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.

Podcast #19 Full Transcript:

Identity at The Center #19 - IGA Product Trends

Jeff: Welcome to another episode of the Identity at the Center podcast.

We are back to a normal show in quotation marks that you cannot see. We took our talents to Clearwater Beach a couple of weeks ago for our annual company meeting and recorded a live episode, which was a lot of fun down there with the Identropy team.

We played an IAM themed version of Family Feud, Jim.

Jim: It was a good time. The funny thing was we're down there taking our talents to Clearwater Beach. We spent a fair amount of time outside. I came back to Georgia this week and I got sunburned. I don't get it.

Jeff: I went from Florida to Mexico and then back to Chicago area. So I went from like 80 degrees to 30 degrees and snow, which is the wrong direction.

Jim: Jeff, can you imagine how many people are listening to our podcast right now feeling sorry for us? Clearwater Beach and Mexico, come on.

Jeff: Exactly.

These are all clearly first world problems and not complaining, just making an observation, that's all, the Family Feud episode was definitely a good one, had a good time hosting it. And you're running kind of bored. And it's episode number nineteen identityatthecenter.com or wherever you get your podcast, whether it's Spotify or Apple or something else. But definitely encourage folks to check it out and let us know what they thought about it. Cares to see what people think about that kind of change of pace from what we normally do. We can work out and I always encourage that feedback at questions@identityatthecenter.com. Some see what people think and hopefully they enjoy that. So it definitely was something different, a lot of kind of fun than what we normally would do.

Jim: Well, Jeff, don't forget, we are social. We're also on Twitter, also Instagram. We're just social blowflies of the world.

Jeff: I'm terrible on the social media.

I typically do the Instagram stuff, if I can remember to do it every other week or so. But yeah, that's not our strong at least not my strong game. We'll have to figure out.

Jim: I've found that for this industry, for people who are maybe new to the industry, if you're trying to figure out which social platform you're in to get the most value out of. I think it's Twitter. I mean, there are several folks out there who really are very active on Twitter.

And obviously they mix in some personal and some political and all that stuff. But I mean, you can find a lot of good links to news events that are taking place, roadmaps, and things like that. And I use it personally for that reason. It's just, find out what's going on, find out what is breaking white papers release things like that, and that's kind of feed my brain.

Jeff: Yeah, Twitter, I think is up there, isn't it like considered social at this point?

Jim: I'm not sure how to answer that question.

It seems like a platform for folks to hit you up with new job offers or job opportunities which...

Jeff: Don't let up whatsoever with whatever you're already working on, right?

Jim: Wouldn't you like getting in to construction project management, Jeff?

Jeff: Yeah, I think that would be a great fit for someone who's never done it, but has the keywords of project and management and the destruction, somewhere in my profile.

Jim: Constructed an E-commerce web site.

Jeff: Well, clearly you're if you're new in the building, things, I don't think we're here to talk about jobs in this space. At least that's a day. I think what we have focused on today was really around different product trends that we're seeing and the Identity Governance Administration space. We know that Gartner just released their Magic Quadrant Friday two weeks ago and we did an episode on that. I think we will take the opportunity to kind of take a look. And we talk about what we're seeing as trends coming up in the future and at a society where we stand. But where are things going? And it’s kind of throwing the conversation back and forth to the two of us. Why don't we start with A.I, Jim? Is that just a fad or is that something that's going to keep growing?

Jim: I think, I'll just say about what is A.I means, in the context of Identity Governance Administration, I really think it's about looking at a user and kind of predicting the access they might need. So if I was a user doing kind of self service, for example, I went to the IGA platform and, it knew I was it might say, hey, you might be this access is almost kind of like that shopping cart idea that the Amazon uses or a lot of e-commerce sites choose where you pop one thing into a shopping cart. They say users like you have also purchased these items, just the idea that, and I kind of feel like. There's a place for A.I, but I'm not sure that that's right. I don't feel like I want my identity system recommending. Hey, you may want to purchase some additional access because to me I start with the basis of least privilege. And I don't really want people to have access that they shouldn't have or that they shouldn't have, but that they don't need. They don't need the access to do their job. I don't want to try to convince them or market to them that they should have the access.

Jeff: Yes, I agree with that, I think if you're of the least privileged fan club, which I think we both are having AI recommend additional access. It runs counter to that, maybe it is accurate, maybe it isn't. I just don't really see that as a primary use case. I think of A.I more as on the analytic side being able to spot trends, right. People logging in weird times, accessing resources maybe they aren't normally and using it more of a detective control to try and spot some sort of identity incident or incidents that might be taking place. They’re good at. The robots are good at sorting out kind of patterns and things like that and being able to kind of bring that stuff up to the top. That would normally get lost. So when I think of A.I., I'm right on with you around like the access request. I don't know if that makes sense, but I could certainly see the value on it from an analytics perspective and trying to detect things and then do something with it.

Jim: Yes, and maybe it's a convergence of the space because I think we you talked about there. I agree there's tremendous value with big data, seeing trends or pulling in big data in terms of actual usage patterns, detecting the patterns, figuring out the trends and then spotting anomalies and being able to take action on those is just I don't think it those within the district space of Identity Governance. I definitely think they're within the realm of what the Identity and Access Management team should be responsible for. And of course, that depends on organization, organization, but I think there is a space today called User Behavior Analytics. And to me, that's kind of where that form of artificial intelligence really belongs or exists.

Jeff: I think that makes sense. I think the one part where I think AI can be helpful on the actual court request side is maybe around bots and not necessarily in suggesting access that would be appropriate, but helping people find what they're already looking for from a request perspective.

I know Microsoft has done some work in this space, with chatbots and stuff like that. And I think it's I don't know if it's Saviynt or SailPoint. One of them has started to look at bots as well. And, this was an idea I had internally here on our site a couple of years ago, how maybe we might be able to leverage bots to kind of modernize the access request process, I thought would be kind of a cool idea to have some sort of like IAM bot where you could say, hey, I'm looking for this type of access, how can I find it and kind of maybe replace the traditional kind of web based approach or maybe supplement it. So I think A.I could probably be helpful there, but it's more on the understanding component, right? What is the person typing and was their intent? And try to match it up with something somewhere in a catalog or a database to say, hey, OK, I think this is what you're looking for, is that right? And then helping with the process of requesting access.

Jim: That's right. And, that's where my kids want to find something today. They say, hey, Siri, what is this? And then they expect Siri to figure it out, which rarely is she able to figure it out, if she can even make sense of what they're saying, the answer is usually this Web site might help you. But yeah, I could imagine exactly a scenario like you're talking about where if you go into the chatbots and say, I need to give Jane access like John has, and then the system might come back with a question saying, what? What does John have access to the Jane? Oh, it's just mainframe application that I could say John had the right level of security. John has this role to that mainframe application, perfect vessel. And now I can go through and request that role for Jane and then we'll go through the standard approval for us. So you said trying to understand. I think I'll be a fantastic use of AI.

Jeff: All right, take that example and even take it a stretch further. What if that was the request process? Right, so you're talking to the chatbots or whatever it is, you find out what access you open for, and then all of a sudden the chatbots reaches out to you as the approver of that access. Hey, Jeff is requesting an access. Is that OK? And you just type yes or no, right? I think that would be pretty cool. Pretty modern way to do it. I think it would take some work to get it set up, but I think it's something that would be an interesting use case, going forward.

Jim: So this is this kind of a subject a little bit. But since he's kind of come up, I just wanted to throw something out there. So we've got a lot of customers over time where we go in and they say, the way access typically gets requested here is model after or that's what we call we're kind of IAM nervous, but it's, John is going to do the job that Jane was doing, said John, up like Jane. And you go in to and see what they're doing current state as they go in and somebody gives John everything that Jane has. The problem is that Jane may have been there 20 years, moved to different roles and accumulated a lot more access. And then John really should have. And so one of the ways that I've seen clients takes care of this problem is that the problem really still exists. If you take away that feature or that ability to model after, then you're just leaving to the business user in a lurch and they don't know what to request, but if you make it available to them. They can see what Jane had access to. Nothing going individually requests those items for John. That's a way to kind of address that model after a requirement. It's not actually just me get a copy and paste, but because they can at least have visibility to what the person was that they weren't a model after.

Jeff: I chalk up that, make me like someone else. As one of two things, either it's too hard to make the request as it should be or I don't know what I'm supposed be asking for. And I think having information upfront makes a lot of sense, especially since most modern IGA solutions will be able to tell you who has access to what.

And you know that snowball of access that I like to call it when someone's moved around an organization has been there for a while.

And they accumulate all this access. And most companies are really good about giving access and not so great at taking it away. That's definitely a threat that comes up when you use the model after type approach.

But I think if we could do maybe some sort of hybrid where it's I know I want to make, Jane look like John. But let me pick the things that Jane has.

Then know that would probably be a more accurate way to do it. Maybe a little bit easier, if you're not using a role, for example. So I think a lot of guys want to go to roles, but it's a lot harder than it really is.

Jim: I think you brought a hidden point there, which about the two reasons why people do the model after in the first one was it's too much work. Sometimes you have to find the right balance or you don't want to have it. So it's like, oh my gosh, managing access is such a nightmare. So many steps that jump through hoops, but at the same time, everything can't be easy button is a way you said was all right, we're here to solve the model after problem we're going to do a gym set, which is we're going to show Jane's access and she just checkbox for each one that she wants to give to John. And then just said submit. Now, it's so easy that read thing through it. I'm just going to check everything and submit right now. I really put any thought into and I worked for the client not too long ago or they showed me their access review process. And it's a little painful. They really were a lot of things that the manager had to look at in a day.

My thought was, there’s security implication like it's the manager's job to know what their employee has access to and to approve it. And so, yes, we have to take an approach to tweak and make it a little bit easier. But the idea isn't just that it's an easy. But they can go in in five minutes and review everybody's access once a year. I mean, think about if you're a manager of people at a company and you review.

You do employee reviews, like how were you as an employee? Did you meet your goals, set the beginning of the year? That's a process. You have to put hours of work into that if you're a manager and if you have 20 employees, it's put hours of work into each one of those 20 employees. And I think, information security doesn't have to be quite that painful. But I think there should be an expectation that there's some level of effort that needs to go into it because it is important.

Jeff: It should be a conscious choice, I think; we have to consider what is the alternative and? Why did people have you?

That is because people who've run your organization and maybe they don't have roles and they do flex between different positions. And it comes up is, this person is taking a new role, but we need them to work in their old role for two weeks, two months or whatever it may be.

And then it becomes OK. Well, now you had this person kind of straddling two different roles. If everything was binary and data quality was perfect coming from H.R. system and, everything coming and you had cases that you could automate based off of that, I think we'd see far fewer problems. But we all live in the real world where things get messy and there are decisions to be made around that as far as, what role should someone be in and extensions of access, because they're moving from one team to another. Incorrect data coming from HR at H. data isn't as timely as it should be, there's just a lot of things that can kind of go wrong. So it comes down to, typically the manager making the decision. And I feel like anything we can do to help that person make a good decision is beneficial for everybody involved, helps everybody helps a request process move along quicker and makes spreads accountability throughout the organization and not just, some arbitrary IAM team or security or someone else making a decision of what's appropriate or not.

Jim: We would like artificial intelligence. And yes, it was used in the right way.

Jeff: It is used right way, right? Yeah, exactly, is there a role for A.I with things like role mining?

Jim: So I'm going to start out with just a statement, which is that I've never liked role mining, I never could get on board with its value.

Jeff: It's a hot take Jim.

Jim: It's a hot take I'm just going to throw it out there is I've never thought it was good.

Jeff: You're going to make a lot of IGA vendors very unhappy because they always hang their hat on that. And I agree with you, by the way.

I don't think it's a very high hanging fruit. It is something that most companies never even get to or should even consider.

Jim: I feel like roles have to make sense to people. And I feel role mining goes out there and tries to figure out these access patterns and say, you know, because we're seeing a pattern here, you should turn this into a role.

If it so happened that that came back and it made sense to bundle that into a role, that's fine. But I think what roles are better used as is something that makes sense to business people.

He's an employee or she is a contractor. He works in accounting or she works in the Detroit office, give me some examples, but those make sense to people, now, what makes up what those roles can do now could role mining help with that?

I think any source of information could potentially be helpful, but I think taking a top down approach to look at what people in Detroit actually need. What is the common theme for people in truth? Maybe it's they just need access to a certain SharePoint for the Detroit office emergency calendar. Maybe they need access to the parking system in that Detroit office. I don't know, if you're an I.T., maybe you need certain systems. It's gonna make sense to human beings because human beings are the ones who have to make the decision on whether or not to allocate that role to somebody to provision their roles, somebody.

And if it ever gets away from that, then where does the accountability come down to in terms of someone had access to it? They shouldn't be used appropriately. What are we going to do?

Fire the machine?

Jeff: A Siri, another mistake.

Jim: If you're doing the best you can. Siri, it’s OK.

But I also, dunking with role mining that I don't like is OK.

So what I've seen a lot of IGA vendors do is that, they see a compilation of, say you define a role and you say a role includes these three entitlements. Now, if someone out there gets those three entitlements maybe through different mechanism, either through other roles or individual entitlements, the IGA system souring to say that person's in the role, too. I don't like that. I don't think somebody should be put into a role. Because they just happen to qualify for the role, because they had the entitlements that build up the role. And I've actually seen their client. I thought those one of the coolest things was that when they built the roles, they would put an artificial entitlement in so that somebody didn't end up in the role, by way of accidentally accumulating the entitlements that make up their role. So when they went and did an access for you to a manager who had to approve the role, they didn't see others person has the accounting role and you shouldn't have the accounting role. You're an accountant to take you out of that role. So I don't like that approach. And then the third thing that I don't like is I don't like a system that would say and I know that there are the ability to kind of change the variables, but I wouldn't like a system to say, Ninety five percent of the people in this department have this role. So why not give it to 100 percent?

Well, because the least privilege.

Jeff: Right. Yeah, our first point.

Jim: You know the thing we're talking about today, that if those five percent of people don't need that access, why? Why in the world would you give it to them? Because they work in that department, to me, that's crazy.

Jeff: Yeah, I think I follow along with you pretty much the entire way. I think the only part. Right would maybe diverge a little bit might be more of a macro role. And maybe it's not even a role. I consider it more like an attribute based access control where, maybe it's the concept of all employees should have access to the SharePoint site because it's for benefits as long as it's very specific and is not trying to do too much. I think there's a benefit there for some sort of, automation to kind of self-correct. Maybe, the system was down and didn't do it from an automation perspective or maybe, human error gotten involve, etc. I could see something like that being helpful or maybe even collecting accounts that were created out of band and assigning some sort of, group to them so that they filter out into some sort of report that people can review and say, hey, where the count comes from to kick off the proper process. But I think those are very, very specific use cases and not really what IGA vendors are going for when they talk about, oh, we have, a role mining capability and they get more of a very specific, very narrow, targeted use case that you don't like in those scenarios I described helps self-correct where needed.

Jim: And I think more information is better, there's the classic example of, they have DNA testing now.

And so the question becomes, if you have a predisposed to a certain type of cancer, do you want to know it? And be personally, I do want to know, I might be able to make lifestyle changes.

Some people look at is like, well, then I'm going to live my life thinking to die when I'm 30 and that doesn't happen. But for me, I'd rather have the information.

So I think more information is good.

So if 98 percent of the people have this role or 98 percent of people in this role have this other entitlement, maybe the 2 percent of people didn't get it because of whatever reason, something like you said or maybe they were in the system before that role is built or I'm not coming up with a good example there, but I'm not opposed to more information, I guess, it's tremendously valuable, people can get access to things that they need access to. They're going to say, I need access to this.

Jeff: I think the data is important. I think the suggestion of adding it just based on some sort of arbitrary.

Maybe it's a step too far, at least for me right now.

What's another trend that we've seen? What about API? I think this is a very important one, especially if things are moving around into the cloud and other areas where you're not doing maybe an on premise access automation or even a governance cycle, haven't been able to pull things back from an API perspective and wrap it into whatever interface you want.

There is a good trend. What do you think?

Jim: I think the API is now planning the way everything's going. I think that, let’s say, number one, I don't think all the IGA systems have the greatest user interface. I don't think most companies are like 99 percent of the companies are going to write a new user interfaces because they want one to look better for their internal population.

But if the IGA system was, for example, being used for an external use case, wrapping it in your own user interface is definitely something we do, a lot of the ITSM systems where, I think this the biggest trend is ITSM systems being the front end toward IGA back end, for an I.T. manager, they just want one place for people to go. I've seen some ITSM end that blows away anything I've seen in the IGA space. And usually it's because IGA just has so many different options to choose from and things like that it's very easy for you to get complex pretty quickly, but, I just really, why wouldn't you want to enable that from an API perspective, and I think the best applications are built with the core functionality being in the API and then they write the UI on top of that to interface with the same APIs that you can make available to your application. I don't think most organizations want abusing the net extensively. I think it's the right way to go.

Jeff:  I can see some very specific use cases that it's very handy and right checking like a training database or things like that where you need to make a decision on access based on some sort of other data point that is not in your IGA platform or fitting data into the IGA platform. I think what you brought up around ITSM is a huge one that has been a struggle for many organizations. Where do you put your access requests? The IAM team typically is biased towards the IAM system and the I.T. support team is typically biased towards whatever the ticketing system is. And you're right. I think we've seen a growth in the capabilities of ITSM tools to have a much better interface and that is really becoming the front door and being able to pass off an approved request to the IGA platform to just handle the provisioning side of it, I think is a good step towards making things easier for folks. Now, I don't think ITSM interfaces are that great yet, right?

I mean, most people trying to figure out a ticket ServiceNow or Remedy. I've seen some real nightmare scenarios of trying to figure out what am I supposed to type in here and is a free text. People putting in sensitive information to comments, things like that. But I think having the flexibility to be able to take advantage of it when it makes sense is a very good development.

And I hope that, more IGA vendors will enable that for more of their services across provisioning, password management, all the different parts of their products.

Jim: Yeah, the most important is the account correlation and having whatever you want to call it entanglement theory in one place to go to know how access to what I don't see at ITSM, moving towards that.

Jeff: Yes. What about things around governance? Being in whether to approve, whether or not access is appropriate or not having some sort of access review cycles?

What are you saying around that?

Jim: I think, it's interesting where he uses a big thing now being able to define rules so that if, let's say, an account gets locked out and then unlocked or there's passwords reset choice within 24 hours, I'm coming up with some scenarios where you say, hey, bets, some fishy activity. Maybe we should have somebody review the access, make sure so appropriate if you can integrate something like your SOC or your User behavior analytics to catch that fishy activity and report back to IGA system that you know. Let's just say I think one of the biggest improvements that are happening or have happened in the IGA spaces, the use of risk having risk scoring kind of like a credit score, and you can compare this credit score. And I want to apply for a loan that requires a certain credit score and you have to be at a certain number to pass it. I think it's kind of conceptually very similar where you can say if you can raise a user's credit score or the risk score high enough, then certain things, certain activities would be triggered like a governance review and access review. Another would be risk scoring around different types of access. So you could say that access to the SharePoint home page is like a very low risk event. But access to SAP is a very high risk event. And you may you get to the point where somebody goes in and request SharePoint. It doesn't even go through an approval because you say all we're keeping our SharePoint is, some very low risk information that we've classified that data as public data or share data that you share outside of the organization.

Then why then require a manager to approve that?

However, you know, with SAP, the just the hurdle of getting into SAP, they could have access to numbers or product lists and things, information that is secret or private that you require that they go through approval may be to separate through leaving. But using a risk I think is a big development within the IGA is a very important development. It allows you to kind of accomplish what we were talking about earlier, where you don't engage managers with too much who approve. And at the same time, you don't compromise and say we're gonna make it so easy. Just hit the easy button.

And then the event driven access for use, I think is a nice improvement in the access or use case.

We're not just going to review monthly or quarterly or annually, but we're also going to review something fishy is appears to be taking place.

Jeff: Yes, the dynamic review or on demand review, whatever you want to call it. I think that makes less sense, especially like in a scenario like a transfer, right, someone moving from one group to another. If the facts change from an absolute perspective and the access doesn't line up with what they should be kicking off, some sort of on demand micro certification that says, hey, Jeff, move to this new group, is this access still appropriate or not? I think that's a lost opportunity that a lot of organizations really aren't doing and they struggle with it. And I think things like that, where that use of risk makes a lot of sense.

And, it's funny. It was one of the questions that came up during our Family Feud game was how often should, you know, an organization recertify access? And we had, you know, numbers all over the place. I think we had I don't member of us four or five different answers, but, the common ones, monthly, quarterly, yearly.

The one that people didn't get was dynamic. And that was a common answer that we saw from the desk team. And it kind of is like, oh, yeah, that that makes sense when you think about it.

Jim: The funny thing was with the Family Feud game was, there was the survey that was set her up for a company.

So these are people's own answers that were being given back to them.

Jeff: I had to remind them a few times that was like, hey, if you don't like these answers, you guys are the ones that fill this out.

Jim: That was the funny part of the whole thing. Yeah.

Jeff: All right. Well, I think that's probably a pretty good spot to leave. Unless you've got anything else you want to add.

Jim: I do. I do. So I wrote a few notes. So one of the things, that you and I complain to each other about for years is non-employees sorts of record. I mean, this is something that most companies don't want to put their contingent workforces. In other words, are not employees in there HR our system? Two reasons, one is the user charges. So for payroll, that's like the primary purpose. The second is H.R. is really does not concern themselves responsible for those people. And so they don't want them in their system.

And so, IAM practices, we sort of find an authoritative source on these folks. And so what you're seeing pop up now are some systems that know proprietary systems for managing that type of user. And then if you want to just manage those people in the IGA system, which is what most customers expect.

And so we have to kind of do backflips.

But I think we're seeing more of a trend toward finally, you know, IGA vendors are getting it back, that's what customers want.

Jeff: I have no idea why this is taking so long, but that's high right now. IGA vendors, if you're listening, this should have been a day one feature expect, and Identity source for all of your users and not be able to do that with your own product. I think that's a huge mess and a lost opportunity for at least a decade, if not longer, when products they just assume, oh, they're gonna be Nutria system. No, they're not. Not in the real world. So, IGA vendor if you're listening and if you're building an IGA platform, make sure you have a way to account for identities.

If they're not coming from an authoritative source, you've got to be able to master those identities and have a process to get them in the end to your system with the right approvals and the right attributes and all that stuff. That's driven me crazy for a long time and I'm glad you brought that up.

Jim: Yeah, so my next one is going to be another one. I think we can recommend to the IGA vendors, which is better integration with SSO system. So one thing that I think Microsoft does really well and probably because a closed ecosystem is if you go out to say OneDrive and you share degrading folder that you have not been given access to yet, it will give you a little message.

You don't have access. Click here to request it when you click there.

It's been a while since I've done the workflow, but it essentially sends an email to the person who manages that OneDrive and says, you know, Jim McDonald wants access to your folder. You want to give my access. Why can't we have that for everything? So if I'm, let's say I'm using a single sign-on system and IGA system, but I'm Joe average user.

I go out to my kid for expense management system and say, you don't have access. Click here to get access, Say, my SSO system thinks I don't have access on the entitlement to use that up. If there is up a message saying you don't have access right now and just say you don't have access and be kind of stuck there, why not be able to just do blanket so that they click on that link? It sends me back to my IGA system. We're right at the page.

Maybe everything's filled out already that says the cell phone service access request that can request access to her page.

To me, that just seems like such an improvement from a user usability perspective. And I don't think it would be that hard to do especially, you can do it all with APIs and just defining a format for the message that you expect to be sent or , you know. Yeah, the message essentially, here's the redirect URL you need to send me. That's where you have all the parameters that I need. And then you just need your SSO system to throw up that page with that link that would send all those parameters.

Jeff: I think that's a killer. I mean, that's a killer use case. I think the reason we don't see it today is that I'm trying to think right now on the spot.

If there are any IGA vendors that have a big enough SSO part of their product as well, where they can control that ecosystem like Microsoft does on their side.

Jim: Right, you're exactly right. If it were, if there was a vendor who is also a cloud, this cloud IDP, cloud SSO vendor, they probably would have inquired into their own. But I guess what I'm saying is try to set it up as like an open API. Don't worry about whether or not you're getting paid by the SSO vendor or not. Make the API available and then the last thing again for the IGA vendors. The thing I keep seeing is that in the customer IAM space, when it comes to user lifecycle management, the ability to manage users, self-service and administratively, there is a gap around that in terms of a product focus.

So there are a lot of authentication capabilities and very basic user lifecycle management, user registration and then some light administration screens. But you don't see a whole lot in terms of the ability to delegate administration to customers, things like that. So the conversation we're having earlier about having an API focus, but a lot of clients come to us and say we want to look for a system that does, we can use to replace our web authentication.

But we also need to replace our web user management system. They're usually so many gaps between what's available commercially and what they have currently. They either need to really change functionality or reduce functionality, reduce customizations or rebuild so or people they have.

So I just feel like that's an area where IGA could really extend.

Jeff: Yeah, I agree. And I think you really hit it right on the head, so I think they did though, and it was like perfectly summed up. Well done, all right, anything else?

Jim: No, no, another excellent, hopefully excellent episode that much love in the back, too much.

Jeff: I think it was another good one.

I think coming up in the pipeline, we're gonna have some conversation around blockchain. So that's something to stay tuned for. Hopefully we'll get that one recorded later this week and put it out as part of next week in the next episode. But that's something to look forward to as well. So I think we'll call it for today. Again, appreciate everyone listening. Feel free to share it with your friends, your enemies and everyone in between. The show continues to grow in a way. We appreciate that.

Where can they find us? From an e-mail perspective, that would be questions@identityatthecenter.com. If you guys want to listen to the Family Feud episode, that was episode 18, then let us know what you thought about it. Be great. If you've got ideas for other types of shows and topics, that's definitely the place to send it, send those messages to us as well. And with that, I think we'll call it. Thanks everybody!

 

 

 

Jim McDonald & Jeff Steadman

Jim McDonald is a professional with over 10 years leading teams through business-critical technology initiatives. Technical Strategist, Leader and Champion of Change with history of crossing organizational boundaries, cultivating strategic alliances and building consensus and alignment among diverse constituents to leverage IT as strategic asset and deliver solutions that rejuvenate and advance global business’ financial performance. Also as part of our advisory practice and with over fifteen years in the identity and access management space behind him, Jeff Steadman helps develop realistic IAM strategies and provide vendor agnostic recommendations to move the needle on IAM maturity for organizations large and small.