Listen to Identropy's Jim McDonald and Jeff Steadman on their podcast at "Identity at the Center".

Both Jeff and Jim have over a decade of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm.
In this episode, Jim and Jeff recap their time in Las Vegas at the 2019 Gartner IAM Summit.

Brought to you by

Want to join the conversation? Leave us a message here: or email us at .

We hope you enjoy this episode and please subscribe to our podcast for updates on new episodes!

or read the full transcript below.

*Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.

 Podcast #24 Full Transcript:

Identity At The Center #24 - 2019 Gartner IAM Summit Recap

Jeff: Welcome to the Identity of the Center podcast. I'm here with Jim in Las Vegas.

Jim: Viva Las Vegas!

Jeff: Viva Las Vegas.

We're here to give our thoughts on the last IAM conference of the decade of the Gartner IAM Summit. We've been here for the last few days taking in the sights, the sounds, the buffets.

Jim: The buffet was going to say, I don't think some dumb talk about the buffets, I don't want to be on this podcast.

Jeff: Yes. I mean, totally. So I'm going to go ahead and say, Caesar's definitely better than Cosmo, we enjoyed the Cosmo Buffet earlier today. And as a direct comparison, because those the best buffets I've been to, Caesar's wins hands down. And that's also, what, twice, three times as expensive.

Jim: Yes. It's a lot more expensive. So, I mean, you get what you pay for when it comes to that. But I mean, so. Yeah, first off, we're staying at the Cosmo. I think the rooms of the Cosmo were fantastic. I mean, that's the food court that they have here is pretty amazing. It's got a lot of great restaurants and the buffet is really good. I think you see only buffet you've ever been to say buffets are fantastic. I love it. But if you've been to the Caesars, it's like seafood heaven.

 Jeff: Yeah, it's like going from one part of the magic quadrant to another.

 Jim: Exactly. There you go. What a Segway.

Jeff: So speaking of magic quadrants, Gartner conference all about identity and access management. I like it. I thought it was pretty good. I know that sometimes Gartner gets a little of a bad wrap around content being too vanilla, and I can certainly see the case of that sometimes. But in the specific for this year, I thought the keynotes actually were really good.

Jim: I thought the keynotes were fantastic.

 Jeff: My favorite was the one around culture that was given by Dr. Steve Robbins. It was really entertaining. It was funny. And it talks really about a couple of things. The ability to multitask or more accurately, the ability of not being able to multitask. People just aren't very good at multitasking. And he gave a great example of that, naturally had some audience participation where he had someone come up. And the whole point was to do the alphabet, A to Z stats as you can. And I think the lady got it done in something like six seconds or seven seconds or something like that. And then do the same thing with numbers. Count from one to twenty six in sequence. Go as fast as you can. OK. No problem. And there's another like, six, seven seconds or less. And then the wrinkle came in. It was count from A to Z. And one to twenty six alternating at the same.

Jim: A1, B2, C3.

Jeff: Yeah. Exactly. And that's what it's like. OK, The wheels are starting to come off a little bit. Got it done. But it was obviously a lot slower and it was like 50 seconds or something almost minute. The other thing and also had to get help from the audience because you start to lose your place where things are bright and see how it really brings out in my mind what I was thinking of. And of course, every computer, because I'm a big nerd, all tatting between two different applications in my brain when it's go to A to Z, and another going through 1 to 26. And sometimes you're going to really quickly between spreadsheets and PowerPoints or whatever it may be. Sometimes you all have the wrong way. So now it's kind of like the way that I kind of put it in a context for myself.

Jim: Well, we you weren't the only one who's impressed by that one. We met a guy named Nigel, so hey Nigel if you are listening from Switzerland. And he was plenty of bring that whole piece back to his team and running that exercise with them. But yeah, I mean, I thought that.  What I said to him was that we have a concept similar to a consultancy called Context Switching. If you're working on multiple clients, so you're working on five clients in a single day and you're planning on putting an hour toward each one of their projects. It takes a good fifteen minutes to go from thinking about this client. Now think about that client having to remember the people, the context for their IAM situation, their business concepts or things like that. And so, yes, you can do it, but you're not as productive. And so if you were to take 15 minutes and truly not count that concept switching, you turn five hours of work into seven hours of work like that.

Jeff: Yeah, I think that's an astute point, because I think, I've been consulting now for four whole years. I think that's the hardest part of the job. And I still don't feel like I'm great at it because I naturally want to dig deep into problems and kind of let's fix this thing. And when you have to change tracks, that's gonna be difficult. The more tracks you have to switch. It becomes a lot more difficult.

 Jim: I've been doing it for eight years or so, not good, so I don't think you'll be any older, you're going to get much better.

We had a customer appreciation day in a row. we're out here and one of our clients is working with recently out of Atlanta. And he mentioned like, you guys turned around in two and a half days. It blew me away. I was like, you worked here for 20 years. And I know with that particular client, I had no contacts with chants like I'm getting. I was on site with them for a week, came back, worked on their project for, the two and a half days turned over deliverable to them. And they were just like completely blown away because there's like two and a half days of solid focus. It's such a difference maker.

Jeff: It's still fresh in your brain. And, you're not ever that kind of go back and refer notes and. I think it's a little bit of lower management. I want to talk MBA terms, like LeBron, he's played every game so far this year. But at some point, he could probably take, a few off. Kawhi Leonard, he takes off games here and there. I think if you're able to focus on that particular task, get pretty good headway into it makes it a lot easier to kind of keep it going and tend to be a lot more successful with it.

Jim: The good thing is, if we stay focused, we will not get injured.

Jeff:  That's what PTO is for us.

Jim: That's right.

Jeff: And I've got some coming up. So I am totally looking forward to that, the other thing, too, is I think it also applies to IAM programs because the truth of it is not, very few IAM programs are going to have enough resources, enough funding and enough bandwidth to do multiple tracks of technology program all at the same time.

And I think that's what the privatization really becomes a very important part of the strategy, because you're probably going to be jumping around a little bit, but you want be jump around too much, because switching those gears, especially if someone is, you know, wearing multiple hats, becomes a lot more difficult as well.

Jim: Right, you're going to there's kind of a multi-tasking tax,  you probably could run multiple tracks, but you're going to need to bring in more help to get it done. You need to spend more money than maybe if you spent it all out.

Jeff: Yeah, totally. The other thing that came out of that same keynote was around it was a culture. Let's talk, I guess, to be the to put it, but there wasn't super much culture, I guess it was kind of look at both how the brain works, but also that was really the context of creating the appropriate culture within an organization and a team project, whatever it may be.

And, essentially people are much more effective when they feel included. And part of the tribe, the team, the project, wherever it may be. And they're just that much more effective versus not being part of that. I know that you and I always talk about getting the business involved and making sure all the appropriate stakeholders and you know, we do onsite discovery sessions and remote discovery sessions, whatever may be part of the work we do, trying to get as many people involved with that. And, sometimes it's a technical reason. Sometimes it's purely political. Making sure people's which is a heard and they were part of the problem and helping develop the solution, whatever my new percentage that might be, at least they were included in that. I think that helped kind of validate that approach that we typically take.

Jim: There are a lot of things that happened during this conference that I thought validated a lot of what we do and a lot of what we say. And I started wondering when stuff is up because we've been coming to this conference every year that really we're actually just thinking what they're telling us. But I don't think it's that. I think we are kind of a head of the curve on certain things. And the other thing is what our experience is telling us is probably the what other people's experiences also telling them, I thought the keynotes were great. It's only from that multitasking or prioritization and focus. One of the things that I noticed in the conference is that there were certain themes that were really focused on a I was really focused on showing authentication. To me, it felt like authentication was like more of the theme this year, whereas last year more around identity governance and administration. And so I feel like Gartner is in the same boat where they've got to put more emphasis on certain areas certain years than in other areas. And so I think that also goes with the high kind of, they've got to focus and they've got to put you know, you can't go in and just shotgun every IAM topics and say they're all equally as important. There are some topics or some themes that I want to get into in a little bit. But so in that keynote piece, right before the culture and multi-tasking keynote that you're just talking about, there was a keynote on communicating, which had a lot of great takeaways from and it was a couple of folks from Gartner who delivered the speech and they kind of were doing some role-playing of various C-level actors within the organization and just kind of like, it was it was also almost like a skit where they'd go in and they show here's the wrong way to do it.

And some would come would blast in and just start a bunch of technobabble about how the sky is falling and how we're getting hacked or getting scanned. And then they would go and do it in a way that was much more effective. And, overall, IAM practitioners sitting there listening to it. And before they understood the first skit where he was doing all the technobabble, everybody I think, 100 percent of the people in the audience would agree. The second way that kind of telling the story was the more effective way, even for technically minded people. So the idea was, tell a story. Remember that the higher ups don't know IAM and they don't really want to know IAM focused on informing and educating, influencing a decision and then changing behavior. So you try to take an idea that might be complex and somewhere that you need to invest something like strong authentication, try and tie it to a business initiative or something that the higher ups really understand that, hey, this initiative like rolling out a new digital transformation with a new marketing website and then tie your investment to why that's important, why that's going to enable the business to be more successful with that. The other thing was pilot your message with non-experts. So, it's so often that you, Jeff and I will bounce our ideas off each other.

And the thing is, I could just technobabble most factor authentication and strong off and he'll know the nuances in between. But that's not really who my audience is going to be, is not other IAM versus people who don't really know IAM.  And then the last one, which I thought was interesting and I'm still chewing on this a little bit, which is understand the risk appetite of your audience and decision makers. So one of the skits that they did was this whole thing like, The Chicken Little, the sky is falling or getting scanned, other organizations, they've had a data breach. They lost 8 million dollars and things like that. It's just like, all this crazy stuff. And then, the response from the CEO was like, yeah, we're not like them. In other words, it was kind of like that sales phish didn't work for him. So it's kind of like you have to re shift the context of some of what you're going to say based on understanding their risk appetite for the audience, understanding what are the push-buttons for those people that are going to get them to listen to you. So I think this is important for Jeff, not because we're often presenting to a senior audience and we don't always know those folks. So we really need to rely on our counterparts and our clients to kind of prep us to understand these are the things that are on these folks mind and the fatal know so well that we need to do further investigation.

We need to find out who understands how that person thinks and what their risk appetite is.

 Jeff: Because sometimes the folks that we're working with, they don't have that much interaction with the C-suite or the executives and so forth. So getting that message across is important.

And yeah, I like that session, too. I feel like you really do have to know your customer to put an idea of who you're gonna talk to and what type of message resonates with them, the stories, good, emotions, etc. But there are folks out there who take emotion out of it and they're looking for facts, figures, statistics, basically evidence to support your position. And you should have those even if you are going down. And a story, based pattern of telling, whatever message you're trying to do is you should know your information behind the scenes as well. 80 percent of breaches have something to do with identity and access management, typically a compromised credential, etc. Have that figure in the background and say, hey, you know what? However, you got to explain the message to whoever we're presenting to or people who are listening, if they're talking to their folks, understand who you're talking to and tailor the message in a method that makes sense to them. And if you don't know the person you're talking to, try to use them until you don't talk to people who might notice. Hey, what's Jim like? Right. Well, Jim likes baseball. And if you can throw a baseball analogy in there, bang, you know, all of a sudden you've got, maybe a lay in.

Now, you don't wanna get too deep, Jim, because he'll definitely let my doors off when it comes to baseball.

Jim: Yeah. Use a baseball analogy. And, he mixed pitching and hitting or something.

You might lose me.

Jeff: If you like, that coming to America scene where they're talking to where Eddie Murphy's character goes to watch a football game. And, he's trying to impress the girlfriend's father and he's like, what are you talking about?

Jim: That's the danger.

But, I just like a little take. I had the best one liner I heard all week was that hackers don't break in. They log in.

Jeff: Oh, yeah, that was awesome.

Jim: I thought that was awesome. As like, you know, bringing it back to identity access management. When you're talking about the 80 percent of breaches that you talk about, these stated breaches. What are people doing? They're not putting up, it's funny because we show the pictures of people who are you know, all of these hackers have like a ski mask on. It's like traditional physical security. That's why it locks into a computer within an insider or outsider. They're just hammer away on a computer or maybe, you know, I think the biggest devious way that people get their hands on credentials is still phishing.

Jeff: Phishing is definitely liked.

Jim: They trick people and giving over their credentials.

Jeff: And once you've got one credential, people tend to reuse that credential.

So now you just try that same credential, gets a whole bunch of other services and, feeling hit, if a percentage of a percent of those. That's all it takes. And I think that also talks a little bit about KARTA. So you talked about KARTA last week, maybe the week before or maybe both. And that's continuous adaptive risk and trust assessment. Which is a crazy long name. I'm going to stick with KARTA. Yeah, I did attend a session on that. I thought that was pretty good. I know that that's been something I think that you've been kind of looking at recently. Did you go to that session or?

Jim: I did go to that session. So to me, it seems theoretical still. Here's what's happening is that a name is a source artistic. That was from the Gartner MQ on access management. 60 percent of access management solutions will have UBA built into them. Yeah, I'm not sure what the timeline was.

Jeff: I think twenty  - twenty  five,.

Jim: Yeah, something like that.

So the idea is that, the next generation of access management is going to look different, it's not just IAM is who has access to what is not just letting people in the front door, but after they're in the front door, continuously monitoring their session. Building a risk profile and determining whether or not the person should be challenges,  knowing where resources are accessing things like that. Some of the things that you can see, the foundational components for the major access management vendors are have in place today, but they don't have that risk intelligence. One of the major themes of IAM right now is artificial intelligence and machine learning. I mean, so, what you do with that information? Well, as you already kind of bought off on your single Sign on Solution, you're already implemented and things like that which play not all not a whole lot that you need to do, but start becoming AI focus and machine learning focus in your IAM program. Overall, look for opportunities to get your feet wet with that. Look for opportunities to take that and make your identity administration, your governance and your authentication processes more intelligent and more using machine learning more to become more secure. But if you're in the process now of selecting a vendor, look for a vendor that's already got that as part of their message. It's already working. And if they're not working on that now, they're saying that's a future that's coming, then they're probably already behind the eight ball. Yeah, right. If they're not one of the leaders in the market, they're on the lower end of the market and they're not talking about machine learning. You got to wonder, was their place going to be in this space two, three years on the road? And really, do you want to kind of go and invest in deploying their technology? I'd say probably not.

Jeff: That's something we've seen Microsoft really touting recently. All the advanced analytics that they're doing on Azure and they run a world class IAM system for all their users across Windows and Outlook and etc. So they have a lot of experience and data they can pull in as part of that. But they've made a core to their Azure message of behavior analytics and that kind of feeds the conditional access and adaptive authentication, all the stuff that's kind of been there now for it's just gonna become even more supercharged over the next five years. It's twenty twenty five Sounds a long ways away, but that's only five years. It's twenty, twenty in a few weeks.

Jim: my goodness told me that.

Jeff: The other area that I thought was interesting I was touched briefly on was privilege access management. It seems like the bar has changed a little bit. So from a basic level of maturity, it used to be really just password vaulting. Now it's vaulting MFA and privilege session recording of monitoring and sort of the baseline.

 Jim: Entry level.

 Jeff: Yeah. From a project manager perspective. And then from there then you start to look at things like service, account management application or app to app password management, those sorts of things. I think the long term trend is more along the lines of just-in-time permissions versus someone who perpetually has access. So a lot of companies we talked to and this is fairly common practices. I have my account and then I have my domain name and account and I'm supposed to only use my regular account for day to day stuff and then use my domain name and account, when it's required, etc. But I retain possession of that domain a common all the time, which means that it is an open door that potentially could be phish.

Jim: Just so important to do so anyways the only way you get the most data. They shouldn't do that because..

 Jeff: separation is very important.

Jim: Separation is very important just from a standpoint of if you get phish, you shouldn't get phish.

 Jeff: But I think that the really the drive will be you do not have a domain admin account full time.

So when you do need elevated permissions, you have some sort of process that grants you that just in time, whether it's checking something out from a vault with a very specific timeframe, or maybe you're using your IGA platform to request an access that has some sort of timeframe, that's associated with it. And obviously you need to make sure you've got the appropriate audit logs, etc., to kind of show the chain of custody of that access. But I think that's a trend that we'll see over again over the next five years or so is moving away from perpetual privileged access to more of a just-in-time modeling. I know there's a few vendors out there that that will look to play in that space. I'm thinking specifically of a company called Plain ID that we've talked to a few times for a few years, and that could be like an option maybe for just in time. You could do it. Certainly, I think through an IGA platform, if you have the appropriate permissions and access cataloging and so forth set up.

 Jim: Just a certain to see a blend. And one of my main themes that I saw is like there's a kind of a curtailment of OK. If you looked at the space two, three years ago, you just say these guys were IGA vendors, these guys are SSO access management and these guys are PAM and a lot of partnerships between the different vendors. Well, now what you're seeing is those partnerships are really getting stressed because the vendors in the different categories are starting to take on capabilities of the other categories. And so, it's obviously the growth or the opportunity for an individual company standpoint to become a suite to offer more services and products to their clients so that they can get a bigger piece of the pie that they're growing pain in between is for us abstract issuers to say, well, who's going to be successful and who's not? Which partnerships are real and which ones are going to break down next year or two? And it's it's not easy to figure out.

Jeff: Well, it seems like we're getting cyclical now in two. That's what Oracle C.A. strategy was, you know, 10 years, 50 years ago was to be the sweet right. They do everything. Maybe they do everything well, or maybe they cobble together through acquisition, etc., mostly through acquisitions. Yeah. So now, there is a shift away from that to go more best of breed. That's where things like SailPoint popped up and Okta, CyberArk, etc. where they were attacking a very specific part of the IAM problem. You see companies like Saviynt and now where they have the IGA component. They also do, you know, some level of programs access management and reporting and analytics. And, there they look like they're kind of going a little bit down the sweet level, kind of where a central file was before they split up a few years ago between provisioning and privilege access management. So I wonder if we're going to see at some point kind of the circle conflict come full circle and end up with like, OK, now that's the take on like the SailPoint sweet and SailPoint does access management and, privileged access management and MFA and all that sort of things. And now they've tried to do some of those things and kind of stepped away from it. But companies are going to be profitable. They want to land. They want to expand.

Jim: IAM companies that were privately held or becoming polling firms and they have commitments to shareholders. And, they've got growth markers on their stock price based on expected growth. I mean, think of all the years of like Amazon losing money, losing millions and millions of dollars. But now look at them. I mean, can you imagine a world without Amazon?

Jeff: I think a lot of people could, but they're super convenient.

Jim: Yeah, well, I can.

But you know, there are some things that were kind of eye-rolling moments. And one of them was when I saw somebody say, well, I go design or identity 3.0. And I kind of like, OK, here we go and try and come up with. And I think when you brought up CA and Oracle, I really think they were in the Identity 1.0. Right. So this kind of spit balling here because I'm kind of thinking through this. But, they had from the access management side, it was the first wave of access management that was secure your web apps using our web server filters. And there's really focus on you're running your own web applications in your data center. And then it became identity 2.0 and access management. Were the vendors like Okta who said cloud apps and use a federation protocol. And at first it's like if you're on the one plaintiff side, it was scoffed at that thought like that's not going to solve a problem that big companies have. Well, you know what? Big companies started to say, we need those Cloud apps and we want to shift towards open standards like Open IDConnect. We can rewrite our applications to work with that. And it's a much better way. And when companies start to take the 2.0 Web 2.0 version of their apps and digital transformations, they start rewriting them towards those services.

Now, on the identity management side, it was the traditional, access request provisioning to app. So as a push model from the center and then identity governance came along, vendors like SailPoint and veksa said, no, we can just reach out in the apps and pull what they have and then we can give you one place to go to how has access to what? And again, a lot of folks just as well. Where's your automation? Well, they've realized, yeah, we do need to automate. We need to be a little push out as well. But that became the predominant force in NASA force today. And so those two I still think those are predominant forces, but you're starting to see the next generation that's going to come along is a focus on artificial intelligence, machine learning and risk and using all those paradigms, if you will. To take this platform senex also will be a true identity 3.0 don't know, but I still think where we're going see the biggest transition is what you were just talking about, which is privilege access management. So from a privileged access management standpoint, those systems were primarily built around you running your own data center is number one. And we've seen the shift. We said, OK, well, we can manage that through, being able to federate identities into that and get people access to servers and the console in a secure way, in a multifactor way.

That's 1.1, So it's in other words, like you have different data center and front by different company where I really think your 2.0 is that the idea of server service breakdown? You have containers and you have got container and you have automation and bots running everything. And servers that exist today don't exist next week. And you've got containers and things like that. And how do you and then you've got scripts that are rolling all this out. Well, now you have all this these new credentials or the hot terms of secrets, which basically means credentials. And how do you manage all those things in a way. And here's the thing is what is happened is all of these things have happened. So this isn't groundbreaking stuff. The problem is there's like no information security or IAM program to say how do we get our arms around it? They will understand how it works. Well, what I can tell that IAM practitioners that are out there is, like you say, relevant. Do you want to be able to continue to provide a meaningful service to your organization? You better learn about this stuff.

You better understand how DevOps works. And the place I would start is you too. What is it worth watching much YouTube? You're not going to understand it at first. You might need to have some conversations with other folks in your organization. Understand how it's being done, but could you get a mean of understanding of how this whole DevOps change is changing? That's really going to be PAM 2.0. And so what is 3.0? I'm not sure. But, you know, if we can get our arms around 2.0, we'll be in a good place. One of the things I saw was one of the vendors who is an IGA vendor was really talking about this as like their next generation of privilege access management. What they wanted to do, the vision spot on right now where they're at is they want to at least be able to provide governance and visibility to all of those things. Who has access to these containers? Who has access to the DevOps tools, things like that. And but the other thing is, like the bots, the bots like people, the bots have to go out, like pull to the credentials. So you need not only governments, not only visibility, but you actually need some tools, some faults that are API driven or API based that DevOps can reach into and pull from .

Jeff: That's a big deal. I don't think that's a fad. I see it everywhere. I was just working on a Windows laptop earlier today and, messing around and power settings just because I like to goof around and test things out. And  I don't know when they did this. It's probably within last year or so. Is Windows has now integrated a bot as part of their troubleshooting in the OS. So you can do some natural language searching, etc. Somewhere that bot is able then to call some sort of API or hook to run specific troubleshooting settings within the OS itself. So that is extended already down to the user device. How do you manage that or how do you make sure that you know laterite?

I think discovery is kind of the biggest thing is before you can start managing all the stuff you have to know. So being it will take an inventory of all of your access, including privileged human nonhuman and even contractors like us who don't fit in either threading an organization, being aware of those. The other part of the keynote that I thought was interesting was around the Magic Quadrant discussions.

So, they talked about the IGA when that was what I thought was most interesting, personally, it's very clear SailPoint and Saviynt have really kind of stepped as the overall leaders in the space. sailpoint got a lot of love because a lot of innovation that they've done this year, especially on their southpark IdentityNow Saviynt as well as doing really well and they've really kind of separate it from the pack. And I think we can talk about that in our Magic Quadrant episode a few weeks back, but they were definitely head and shoulders above other folks. The other one was Omada. Omada is not someone that's really known in the US as well. They're much bigger in Europe. Jim and I have looked at them before and we both like it a lot. And they got really good kudos from the analysts that were. About it in that same keynote. So it wouldn't surprise me that Omada sees a nice bump from that conversation because they are just as capable as the other two. And, I think competition is making it better for everybody because it really is starting to become kind of a cutthroat battle between not just sailpoint and Saviynt, you've got Omada there IBM is still out there doing things, but there's also some other products that might be a great fit that maybe don't carry the same weight as one of the bigger ones, but are good enough.

Jim: One of the big things that they talked about, they wanted to make sure their vision so is like being on the Magic Quadrant is a major, that's a major step big on itself. It's like, making the cut is not easy to make the cut. And there were some vendors who didn't make the cut. I mean, on the IGA side, Microsoft's not. Right.

So I think that is something to consider. I think if you're the more nearshore organization is, the smaller your organization is, especially when it comes to, you know, IGA, workforce access management, it's the more likely you are to not need someone who's in the upper right.

But I would say you're looking at the upper right hand side is SailPoint, Saviynt, Omada which was nice to see as a surprise. I think one of the things I like about them is your user interface I think is great. Yeah, I think saviynt user interface is a greater thing. Sailpoint, it's just got such a track history of success. Yeah. I think the other vendors were IBM and Oracle were in there.

Jeff: Now Oracle slipped out of the leaders and moved into upper left, basically like almost dead center. If you're looking at the square, I got together. So they've moved down that patch on the spot here. Who has the best UI between Saviynt, SailPoint and Omada overall?

Jim: So this is personal preferences, but I like to say Saviynt. I thought it was very intuitive. I thought, you know, it's web based and it's not it doesn't look like Windows 10. It's like, honestly, I'm like, I'm not a Windows guy. I mean, I actually used to be I was a MCC way back in the day before for Active Directory was even a concept, but they looked at those titles as panels and it just doesn't do it for me.

Jeff: That doesn't do it for you.

Jim: It was Omada looks like.

Jeff: Omada like very clean. It's very like data driven. So it's like rows and rows and rows of data. Very simple. Some people like it. I feel like Omada is the most polarizing. You either love it or it's not enough for you. I do like Saviynt. I think they've  been spending some time this last year doing UI updates. So what they may not have that UI, the new refresh that they're working on across all of their capabilities yet, but the ones that do definitely grow sharp. So I like that kind of approach and we would rather converge conference for Saviynt before Gartner just a few days ago and we were all going to kind of get into it, but it did show some of the upcoming UI things and there were some pretty neat things that were coming through there. And as much as SailPoint gets the love from being the leader for years. I don't think their UI is as good as either of those two. So if I had a rank and it would be, Saviynt, Omada Then SailPoint.

Jim: The only thing I would to say the challenge is how important should your PTO? Is it really depends on if you want to drop it in and or there's two things. One is, first off, this is like your workforce. And what's more important is that they find the stuff and do the job efficiently. Right. You're not there to entertain them. So that business for the old argument, really where I was going to go is, the new UI is API. And in other words, so, one of the themes that I've heard mentioned a couple times is like use your ITSM or other, ServiceNow as the front end to requesting access. So you're a tiny company or can do. But if you're sizeable or if you have an external use case, what's more important is the API. So you know, what it looks like in your web browser out of the box is not very important. But if you're a small organization, you're going to drop in. It may be an important consideration.

Jeff: Yes. Excellent point. I think UI is not as important because the API. I think it's more important for the people who are doing access reviews, which typically is not something done through an API, at least not right now or very common, or if you're using your IGA platform as your access request interface. And I see still a lot of companies that are split between doing an ITSM. Do they do it and in ServiceNow or they do it in sailpoint or Saviynt And there are pros and cons for each of those

Fought battles on both sides in my career as far as, preferences and my opinion has changed over time and it really does depend on the organization.

Jim: Mine goes back and forth. Yeah.

Jeff: Yeah. If you're heavily invested in ServiceNow to get as much as you can out of it. Same thing for BMC. If you're looking at digital workplace, that's something you're headed down. Take advantage of it. If there is a gap that you see there and he can't solve it, then maybe look at it. So the UI doesn't maybe make so much sense on that specific use case.

Jim: Let's also be clear about so the user thinks it's important as we run into clients. Sometimes you think, why do I need an IGA system? I have ServiceNow. They have this. They have to they can provision to active directory. Did you see ServiceNow anywhere on this conference?

 Jeff: Nope. Nope.

So they are not an IGA platform . And we'll talk about that in a second because I want to talk about products. All right. There you go. So I think we beat that one pretty well. Let me think. So the last thing that I think maybe you want to touch on before we wrap up is products.

So I'll start first and then ask in a second here. What are some of the products that you think are not as well known that people should look at?  First, because we just talked about servers now and that's clear sky. So they have built an IGA platform on top of ServiceNow it's a ServiceNow application you can download from ServiceNow store, etc. Super nice guys, definitely headed in the right direction. Relatively new products, but they already do have some customers using it. And I think if you're an organization that has heavily invested or wants to heavily invest into the ServiceNow platform for certain beyond I.T. service management tickets, service catalog, change management database, all the ISO type functions that a lot of your organizations want to get to. I think that stuff we want to take a look at, because if you can just write on your service now platform, that's so much easier than trying to stand up your own IGA infrastructure, etc. So that will be one to look at. The other one that I'll talk about is a company called "SecurEnds" recently had a demo with them a few weeks ago. I really like it. It's very focused on IGA, so it doesn't do more than that. It knows what it wants to be, at least right now.

And that's identity governance and administration. Creating accounts or moving accounts, running certifications, etc. Super simple to configure. I talked with Kelly at their booth here and I offered them the the tagline that they can totally use free and that is so simple. Even your manager can configure it, so, it is something that, I think would  be a very good option.

If you are looking at this like the small mid-size business type size and you can't necessarily afford a sailpoint or need that level of a sailpoint or saviynt or even Omada, it's a lower cost option. It looks really good. Do you due diligence on it? But those are the two products that I thought that don't have a lot of name recognition right now, but I want to keep an eye on clear sky and secure.

Jim: And I don't have a deep of a conversation on my two, but there's a company called "Preempt", basically analytics and continuous set threat detection and continuous access type of fly. And the idea. What I liked about them is honestly, it's like their head is already on the future of whatever it was. I know where the market's going. They're already Putting together something like that now. Again, smaller company and kind of an emerging corporation, if you will. But they have a chance to you know, sometimes in the Magic Quadrant, companies can just show up overnight. Right. They need to get kind of the market penetration and the customer adoption. There's somebody who I think is doing some really cool stuff, Transmit Security is another one authentication platform focused on strong authentication because the developer first approach. So I think the developer first approach is so funny. Like I'm involved with some projects now implementing, Cloud IDP solutions and you go in thinking is going to be a lot of samuel integration and Open IDConnect integrate when you can the Open IDConnect or working with the developers. And really it's like that's where a lot of these projects end up. So I guess we can get the low hanging fruit of integrating over cloud apps and their basic stuff with samuel or W.S. Fed and things like that, but then eventually need to pull into the developer as well. If you have a lot of developer built applications and only handful of cloud apps, then that's going to lead you more sort of solution where it's fit for purpose. But really the thing that I think makes these guys special is that they're focused on detecting risk, detecting a time where you need to do a strong authentication.

 Jeff: Anything else you want to talk about?

Jim: No. I think what I was talking about was early in the podcast was that, it's they had to focus on a few areas. There's one of the major couple of majors that just hear a lot about, honestly, you could have been based on the different sessions I chose to attend and some of the ones I didn't attend. Obviously, you can't be in every session, but dealing with breaches and privacy regulations, those were things that were a really big focus on the covers we were at in Seattle and talked about September. There weren't as much of focus. I think both of them were talked about. But I mean, those to me are things like that have to be top of mind for any IAM practitioner right now. Privacy and breaches.

Jeff: Yeah. All these technologies, they are risk mitigation strategies.

Jim: That's right

Risk mitigation strategies. And if the problem is like you can you can never block 100 percent right from right, 99 percent prevention. If you're that 1 percent, you need to know how to deal with a breach. And then, for privacy regulation symbol, you need to know the hammer that those regulators have in the real.

Jeff: And if you're an organization that knows you've got problems and you choose not to spend to fix it, whatever it may be. People process technology and that gets out after you've been breached. Boy, you have a lot of trolls.

Jim: Just assume it will. Yeah, exactly.

Jeff: So, you know, something to think about, therefore, for people who are making budget decisions is what is the cost of not doing it versus what happens when you get breached, not if. And what is the aftermath that people have to deal with after that. I think that does kales a little bit too back to the training side of things. People who are looking to get into IAM maybe not as familiar in some of things that you're talking about earlier, get out to these conferences. These are a great way to learn. And I would encourage managers and directors and folks who make decisions on budgets to send your people there. You need that talent just as much as anyone else does. And, it is a fast changing market. So keeping up with the skills is a very important part of being in the business.

 Jim: This one, the best Gartner conferences I have been to in Years, I think, is well attended, over a thousand attended.

Jeff: Things at twenty five hundred.

Jim: And I'm not surprised. I mean, it just felt like everything is crowded. And I think there's a place for everybody. I highly recommend it for anybody who ever you would choose, as this podcast should be, trying to attend this conference. So if yet to get it in the budget, do it. I also think if you ever find yourself in a position where you need a job.  And you're in this space. If December rolls around your job hunting, you should definitely be here. Spend the money and come on your own. Say it. I don't know. Circus. Circus or something. Just be here.

Jeff: Yeah. Exactly. All right. I think because if there's one thing I'll touch on, that was just what I think the folks who took time out to meet with us when we were here on site shout out to the folks from our customer dinner. Who was that at the advisory table? So Jody, Otto, Marsha, Mike, Randy and Brian. I got them all. That is a record, I think, for me. We had great conversations around the dinner table there and then in the hallways and so forth. It's great to see folks and really kind of interact in a more casual manner, I guess would be the right way to put it. And have some conversations about not just IAM but just kind of life in general and, commiserate and celebrate and all the things in between. So it was a great dinner. And I want to thank all those folks and the others who I didn't really talk to, partners and so forth. But it was it was a great time.

Jim: So great week overall.

 Jeff: Yeah, definitely was good times. All right. So at that, I think we will close it out for this week and we'll talk to you guys on the next one.



Jim McDonald & Jeff Steadman

Jim McDonald & Jeff Steadman

Jim McDonald is a professional with over 15 years leading teams through business-critical technology initiatives. Technical Strategist, Leader and Champion of Change with history of crossing organizational boundaries, cultivating strategic alliances and building consensus and alignment among diverse constituents to leverage IT as strategic asset and deliver solutions that rejuvenate and advance global business’ financial performance. Also as part of our advisory practice and with over fifteen years in the identity and access management space behind him, Jeff Steadman helps develop realistic IAM strategies and provide vendor agnostic recommendations to move the needle on IAM maturity for organizations large and small.