Listen to Identropy's Jim McDonald and Jeff Steadman on their podcast at "Identity at the Center".

Both Jeff and Jim have over a decade of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm.

On this episode Jim and Jeff visit with their friends Katie, Amanda, and Marcie at Winterfell (aka Stevens Point, WI) to talk about why the 49ers will beat the Chiefs, how they got into the IAM space, and what they wish the business knew about IAM.

Brought to you by

Want to join the conversation? Leave us a message here: or email us at .

We hope you enjoy this episode and please subscribe to our podcast for updates on new episodes!

LISTEN HERE or read the full transcript below.

 *Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.

 Podcast #29 Full Transcript:

Identity at the Center #29 - Big Game IAM Chat with Katie Amanda and Marcie

Jeff: Welcome to the identity of the center podcasts. This is episode number 29 and if you're interested in Identity and Access Management talk, you've come to the right place. Jim and I on the road this week and taking the opportunity to talk with our friends, Katie, Amanda and Marcie. Hello, ladies.

- Hello

Jeff: How are you guys doing?

- Good.

Jeff: So before we get too far to talk about IAM obviously, I would like Katie to explain to me as a Chiefs fan why my forty Niners are going to beat them on Sunday.

Katie: I did explain this earlier, and I think that the Forty Niners do have more tools in their tool case than the Chiefs do. I really hope the chiefs win, but I have my bets hinged towards the forty Niners.

Jeff: I'll take that scene. And that's interesting because I don't think that the foreign owners have that many tools. I think they're run first team with defense. And I'm hopefully I'm pleasantly surprised by that. Give us your prediction.

Katie: I see them possibly falling behind.

Jeff: Yeah, they don't to be in that position again.

Katie: True.

Jeff: Anyone else have Super Bowl predictions?

- I predict that the commercials are gonna be good and that the halftime show will be excellent.

Jeff: Who's playing halftime this year?

- Shakira

Jeff: Sharkira.

- And J.Lo.

Jeff: And J.Lo, OK, Wow. I will be on a plane. Unfortunately I am stupid and booked travel and I'm not happy about that. So hopefully catch the fourth quarter.

Amanda, what do you think for Super Bowl?

Amanda: Well, I predicted that the traffic is going to be really good going up to the Upper Peninsula and coming home.

Jeff: So not interested.

Jim: I think my Mahomes Patch Mahoney is going to engineer a big time comeback in the second half. I mean, did you see what he did against Tennessee?

Jeff: Yes.

Jim: I mean, they were down 20 for nothing. And you race that just in mileage. I mean, he can take over a game and was Kelsey is like you can look like he's about a runner and then throw five yards, picked up 10 or touchdown or whatever. So my prediction is chiefs by a touchdown.

Jeff: chiefs by a touchdown, OK.

- Dream come true.

Jeff: All right. Well, we'll see.

So let's bring it back to IAM because now that we've got a cheesy pun, him already from Jim and his comment, we could actually start the podcast officially.

Jim: I wanted to say, some started off by saying we have our friends on the podcast. I just want to clarify, these are real world friends, not Facebook friends, right?

Jeff: Yes. This is all electronic voices like we used to do for the intro. Yeah, things like that.  there are like human beings sitting in front of us in this conference room that the US graciously commandeered from the team here. So let's talk a little bit about Identity and Access Management. Katie, let's start with you. How did you get into the space of IAM, I guess let's so you're right now you're leading an IAM team.

Katie: Yes.

Jeff: How did you get into IAM?

Katie: I kind of stumbled into it. I was getting out of management in a claims environment, and I wanted some space to grow my technical skills. And I was not sure where to go. And there was a job that opened up in IAM, and I thought I'd give it a try. And I've been there for 10 years now.

Jeff: 10 years in IAM.

Katie: Yes.

Jeff: That's pretty neat. So that's really kind of goes back to the first episode that Jim and I did was how did we get into IAM? And I posited that most people stumble into it. Most people didn't just start in IAM. Marcie, what about you? How did you get in IAM?

Marcie: I have had many jobs over the years and I've been pushed into every one of them. I never applied for one, but the biggest push was when I was a business analyst, and at that point we took over all of the manual access management and did all of the certifications.

And at that point, then our business analyst and practice the systems that folded and got pushed into creating the Identity and Access Management system that we have today.

Jeff: So what was a first system that you remember provisioning?

Marcie: Answer.

Jeff: Yes. That's the name of the system. OK.

Marcie: Rakoff.

Jeff: OK. Rakoff. So mainframe based, I think. Gotcha. Amanda, what about you?

Amanda: Well, I actually started out for going to school for dentistry, and then I quickly switched to the I.T. world an internship. Found out I was really good at taking something, not knowing anything about it and figuring out how to figure it out. I guess I've actually have 10 years in I.T. experience and three of those have been within security. I've been with IAM for about nine or 11 months. So.

Jeff: So still relatively new to the space. But lots of I.T. experience.

Jim: One observation I just want to put out there is obviously you guys are women. So what do you think of IAM as an industry. You know, a lot of the conferences I've been to, they'll have tracks or sessions on women in the IAM space. And, I've attended a few the sessions and kind of gotten both the opinion that it seems like it's a good industry for women, kind of build expertise and have that opportunity to kind of shine in and work up the corporate ladder. I'm wondering if you kind of feel the same way or you don't think that's the case?

Katie: Well, it's just a space that hasn't been taken over by men yet.

Jeff: I agree that that's a good one.

Katie: And I think eventually it is becoming more technical as it becomes a hotter topic as we go through breaches and giving the access to the right people at the right time. And those are the security aspects that all companies need to be aware of. And I think it eventually will become a more evenly split. Right now, I think it's more women just because of where it has come from. Like we're taking over from provisioning low JBC applications, let's say, or other applications that nobody else wanted to or security thought. Well, we don't have to do that 90s. We don't have time for that. So let's put it in the shared service.

And I think women have been in the shared services department for a very long time. And now it since it is becoming a hot button item, I think it will even out. But yes, women should stay in this field and keep growing.

Jim: Keeping Marcie.

Marcie: I think that over the years I have also seen what Katie has seen where we are the women always did all of the manual work and we didn't like get that opportunity to move out of that.

And like I said, I got moved into the next job. I got moved from here to here.

I could have applied. But I enjoyed what I was doing and I wanted to just take that further.

Jim: What do you think?

Amanda: Well, to go back a little bit. What? Growing up, my dad had three daughters and one son and he treat us all the same. So he said anything your brother can do and I can do, you guys all can do as girls and you better do it better. So I grew up with that mentality. So going to a male dominated college for my undergrad.  I did not make it myself very quiet. I was. People knew me. And so I don't see the same things Katie and Marci have seen because I've only been in the industry about 10 years and I have had different experiences where, there has been women in technical roles that have been my mentors and I've had that opportunity to see that. So, I definitely understand where they're coming from and I see that now. But I just I've always been told I can do something that guys can do and I should do it better.

Jim: Someone say you mentioned that you had a lot of female role models and mentors, and now do you feel that, you have a responsibility to that as well?

And then what would be the advice that you would be giving to somebody as a mentor or a role model?

Amanda: Absolutely. And I do feel empowered from my female mentors. I've had started out from when I went to Michigan Tech up and in Michigan. And one of my favorite professors. Her name is Dr. Bush. And she was one of my seriously one of the best mentors ever had. And she really empowered me. And she said, your passion seems to be helping other people. So she recognized something I didn't even recognize. And the way I spread the empowerment to other females is I actually teach at a local technical college and I teach I.T. courses and security courses. And there are not a lot of women in those classes. But I also take the time to spend extra time with the women so that they understand that this class, just because there are more men in the class, that they should not feel intimidated. And we have lots of conversations outside of the class so that because a lot of them want to just drop out of the class because they don't think they're going to do well. So I do spend some extra time trying to empower additional people. And actually there are, I think, three or fourth of my students or last three years that work at the same company. I do right now.

Jim: That's really cool. Marcie, do you have any thoughts on that? Like what advice you would give to somebody who's wanting to get into the space right now?

Marcie: Get into the space, do it just. Take it, take it by the heels and go.

Jim: I know you're going to you're planning on going to the Gartner conference later this year. You've been to some conferences in the past. Some of what would you recommend in terms of people, you know? Do you think they should try to go to conferences even maybe for as they have corporate sponsorship?

Marcie: Oh, definitely. The conferences that I've been to have given me a big outlook on security as a whole.

And where IAM, that's in there and that space. And I think when I first started doing just excessive reviews manually and, I didn't see that big picture.

And the more I went to these conferences and listened and I was just amazed at how much that space really is.

Jim: Yeah, what about you Katie?

Katie: I think going to conferences is very beneficial. But another thing we should do, not just going to conferences, is reaching out to, I guess, the Internet to try to find who is doing it best. Can we learn from other companies? Are there programs or are there just articles that you can read to send you down a new path, because I think a lot of the time at conferences we get caught up with other vendors or technologies that may not be the right fit, but they seem to be a right fit. At the conference. So we need to do a lot of research and find out what's the best for our company.

Jim: Right. And you're in a leadership role. What about it in terms of mentoring or, helping to identify some people who are wanting to move up in the world or move up and get involved in IAM? Do you have some people that you're helping or do you how do you approach that? Do you actually approach or just, opportunities as they come?

Katie: So typically it is opportunity as it comes. But when somebody reaches out to me and they want to find out what kind of a skill set you need for IAM or what kind of a background might you need. Really, That's the opportunity to say, we would for our company, you need a broad knowledge of what will you do. The applications that we use and somebody who has been around for a while, it helps to know the ins and outs of the company and what kind of access of a certain business unit might need versus another business area. So having, I guess, tribal knowledge of a company is important. And I know that Amanda has come from different areas. Marcie has come from different areas. Our unit is has many years under its belt. And I think that has been helpful in shaping our program.

Jeff: Now, I think you talk about those relationships. Right. And using those and I use the word exploit recently exploiting relationships to get things done. Do you have any examples of where maybe you've talked with somebody that you know for another area that those operations ship with and have been able to get what you need to get done because of that?

Katie: I think it happens every day. There are business areas that come to us with an access problem or certifications. They typically have and like. When we are helping them get something set up or we're helping them with their certifications. If you have that personal relationship, it's easier. To say now you can we're handing you this gift, which is IAM. It's easy to use. We can help you with it. But as an IAM program, we will be enabling our business areas to fish. And so they'll be able to do it themselves every day than just showing how to do it once.

Amanda: And actually, So we talk about the business areas, but as far as our relationship with I.T., I saw I mean, I don't remember if it was an October or not.

I actually got my significant other also works at the same company. And we don't have an on call team for identity and access management yet or at that point. So they had called my significant other are internal operations center and got his number called the house and had asked me to help them because they actually there were some access that was missing. And then we I ended up uncovering some groups that were untested, which was preventing issues. And I saw a need to one put us out there that, yes, we do have an on call. We offer that, we are those we are technical. We can answer your questions. And  so far, we haven't had a lot of calls. But, we've had big projects where I've been on board online ready as we roll out new projects.

Jim: So how important do you guys think training and certifications are in this space? Is it something that's just nice to have? This is something that you need to go to a class or take a test or you can do on your own. So whatever your thoughts, Amanda? training is important.

Amanda: Yes, I agree.

Jeff: What about certifications?

Are there any certifications that you think are helpful from an identity perspective at this point anyway?

Amanda: While I'm studying for the security plus that I'm going to be taken in end of March, beginning of April, and there is a section in their own identity and access management and I do fine studying for this. Very helpful. So with my background, I went to school for management information systems. And so I have that foundational understanding of I.T. and security at a foundational level. And there are things that I have taken above, but I also graduated 10 years ago. So learning more about the security in the most recent time has been really beneficial for myself and listening to my coworkers talk on the operations side or the engineering side. And it helps me be able to interpret what they're saying and be able to explain it to the rest of the team. My team.

If you have that foundational base, then your technical skills can keep growing. And a lot of what we get is on the job training and then it inspires us to get a certification or is it a designation like we have here?

Jeff: And there are very few identity specific certification still at this point. There are some around me being an IAM manager or things like that. There's an organization called i-D Pro that is in the process of, I think, developing another certification around that. So it's still a relatively new space. But I agree that I look at it from a holistic perspective where if you understand security as a whole and where identity fits into that, I think that helps to have those conversations so that when you are having conversations with people, security or in the business, it's not completely foreign to you.

Amanda: Well, one of the things that. I have said recently. We need to know where we're going and get ahead of the game because our IT teams are not slowing down. So we need to know what technologies they're moving to so we can talk the talk when we're in the meetings with them.

Jim: One of the points that really resonates with me is that especially with the DevOps area, like some of the fundamental things that I knew early in my career about servers and networking and data centers, things are becoming passé now. It's containers and incidences in the cloud.

I one point my career, I thought I'm going to become a storage expert. I got certified HP storage arrays and think about it now. It's so commoditized. I mean, I'm sure there are still people out there who actually work hands on with those things, but they're few and far between. Now, you just think of that as commodities. Just get a hundred gigabytes at Google for 99 cents a month.

So I think, one thing is you need to be flexible because what you think is gonna be hot today might not even be a thing 10, 15 years from now.

But I also think that somehow we have to figure out how, as IAM professionals, to figure out what these changes are. And for me, I say this on our podcast probably every week.

So I'm starting to sound like a broken record.

But YouTube, I mean, you go on to YouTube and learn anything you want. You can learn nuclear engineering probably on YouTube.

I haven't tried, but you can definitely learn about how things work on Amazon and how it works, and Docker. And all those things are changing the landscape of I.T. and for IAM, we're going to not be relevant if we can't adapt our understanding of how things work to this new world.

Jeff: So what is the future that you guys think from IAM perspective five years, 10 years down the road. Like, how do you see your roles changing? In that time, are we still going to be using access requests systems and provisioning Rakoff accounts and active directory accounts, is it? Is Siri and Alexa going to take over the world and someone's going to say, hey, Alexa, give me access to this thing as long as they've been pre-approved? How do you see the identity space change your job changing over the next five, 10 years?

Katie: I will be honest after, I'm working with you guys and the engagement you came on site to do with us. I am really excited. That I really hoping our I.T. area really starts thinking about IAM more than just manually adding access. You know, I really want to see us be a part of their plans. And that's what I'm hoping. Hopefully before the next five years, I can't say 10 years because I only set only goals set for five years at a time. So I'll go with the five. I want to have us more ingrained in their process for the next five years.

Amanda: And for me, I think we will be moving toward more of a governance role because with A.I. technology and machine learning, as things become more integrated, your badge when you sign on could give you all the access that you need or when you log into the system. That one log in is all the access that you need. At that point, so I can see us moving into more about a governance, now that you have the access. Are you using it appropriately? Are you logging in so many times? Moving to a. To a different space.

Jim: I still see us doing this all the time, Jeff. We say IAM is who has access to what that's becoming an old definition. Somebody who has access to what or what did they do with access her house that access being used? I think that's kind of Katie's point, which is, you know, who has access to what? It is not enough.

Jeff: It is not enough. But it's I like to use that definition still, because typically when I'm having that conversation, it's people who aren't as familiar with identity access management.

Jim: I don't have it. Don't have control over who has access to what, I mean you can't go to level two. And so you've got low right under control.

Jeff: So if you're really trying to explain it and you want to make it in that simple terms, my mind, IAM it still who has access to what? Anything past that? It's still IAM. It's who has access to what? When did they have access to what? What did they do with that access? All that other stuff. But I think it's part of tailoring their message to the individual. I'm talking to someone who's never done anything at all with identity and access management. I'm not going to throw things like conditional access and behavior analysis and all this other stuff. I'm going to speak in hopefully terms that make sense to them. But I agree from a perspective of knowing who has access to what isn't good enough. It's the starting point. And at this point it's almost a given when you think what I think is accurate at Gartner in December was that at least one of things that I thought I took away was most organs that Gartner is assuming that the organization already has a relatively decent handle on who has access to what.

So if you don't even have a system or a way to know and answer that question, you're already more behind than I thought you were.

As of November versus December of last year.

Jim: You're below the assumption of baseline.

Jeff: Yeah, exactly.

Jim: Yeah. I mean, one thing we heard at Gartner was baseline is now MFA everywhere. Not many of the organizations I work with. Is that true? Right.

I'm not saying that they're not right, that's the way it should be. But I do think that you need to have conditional access. In other words, you could be prompted for multifactor anywhere that you access systems. We talked to a lot of this on the last podcast, but I don't think that most organizations are, you know.

Jeff: No, I think it's inspirational.

Jim: I think what we got to do with what Katie was talking about with the moved to the way I.T. is changing, moving things outside of the cloud, especially infrastructure, the way the DevOps process, being able to push code from like GitHub and all the automation and robots and non-human access that's taking place. That is the game changer. And that's what's creep making privilege access management not more important. It's always been just as important, but harder and harder to do. And I think the old solutions and the old way of looking at privilege access just isn't keeping up. And so the solutions are going to have to evolve. Like, the major IAM platforms or new platforms are going to have to come along to be able to interrogate the environment, say here the gaps. You're the place where security is not tight enough and created dashboards so that, IAM teams can go out and manage it. And I see some vendors already seem to be spotting them. One other thing, and I've talked about this a few times is that I see a lot of the IAM vendors encroaching on each other states.

And so you see vendors who were traditionally IGA or access management or privilege access management starting to provide capabilities with the other. And that's not even dimension ITSM just so like servers now marketing themselves as doing identity and administration and governance. And it's like, OK, well you guys can cover like 60 percent use case requirements, but that doesn't mean that you have that capability. And you know, one of the points I like to reference is look at Gartner. If you're not listed in Gartner's quadrant in terms of I think that capability, there's one of two reasons. One, you don't. Or number two is you don't have the customer base. The second one you can understand, especially if it's a new player in that space, they might not be able to check all the boxes in terms of, actually having coverage in terms of the market share, but in terms of not having the covers, in terms of functionality. If you don't have that, you don't belong calling yourself an IGA solution or PAM solution.

Jeff: I think it's important, like when you're reading Gartner reports, is to not focus just on the Magic Quadrant, because a lot of that is also sales based. So when you're reading something like Gartner's report, make sure you look at the entire thing, because at the bottom, they typically have kind of like an honorable mention section where they will indicate, yeah, this this company has a great product, but they don't have enough customers. So they're not a magic quadrant and it could be buried in there. But I do see a lot of organizations that are promoting themselves as IGA a product, and they don't have the G. So, you know, they don't do governance. And I think of things. I'll take on a little bit here. OKTA sometimes we'll sell. Yeah, we do IAM they can do provisioning and access management a great I think that's a great product. They don't do any governance, they don't do access reviews, access certifications, etc.. So I think it's a little bit disingenuous when they'll say, oh yeah, we play in the IAM space. Yes, but they don't handle the IGA space. That's different. Because, they may partner with SailPoint or something like that.

Jim: The interesting thing with them is where the amount of functionality they have is either enough for. Organizations that are very simple or it's a major differentiator when it comes to customer IAM, and that's what sets them apart from a lot of other customer IAM vendors. Is that a lot of mergers? Just 100 percent access management. And their assumption is your user life cycle management system, whether it's a registration system or delegate administration, is going to pump information into an A-D or into our cloud directory. And then we're just going to authenticate people and do conditional access. Whereas OKTA access and capabilities around that. So that I agree with your point is like OKTA is not OKTA plus SailPoint, SailPoint is way more functional, especially when it comes to the G. However, they do have enough functionality to set themselves apart from a lot of their traditional competitors.

Jeff: Yep. From a solution standpoint, one thing that I also see is this concept of, oh, yeah, we're a cloud product and I'd be curious to see what your guys take on this because a lot of organizations will say, oh yeah, we're a cloud vendor and when you talk to them really kind of dig into it, which start to find out is they're not truly a cloud vendor, they're not multi-tenant SaaS type solution. They're more of a hosted model.

At the end of day, it doesn't matter.

Jim: So let's differentiate. One model would be something like. Salesforce, where all their customers are in the same application and what they called multi-tenancy. So it's like an apartment building. Whereas. The other model is what we call cloud hosting. So we're going to spin off a few servers at Amazon. We're going to create an instance for you of our software and we're going to call that cloud. Do you care about the differences? As a consumer?

Katie: Absolutely. we have we care because we have information and with the California Privacy Act that's coming out, that actually is live now. We. Anyone that we do business within California, they can ask how their data is being used. And if we go with a provider, that's someone else's hosting. We don't know how they are encrypting their data. Are they at least getting what they need to? So we do definitely care.

Jim: So we do, actually. Are you seeing that as a preference toward the individual? Like Amazon instances that are hosted versus the apartment building.

I mean, I wasn't sure which side you're coming down on basic based on what you said.

Katie: So the Amazon piece. Yes, I think that they have enough checks and balances. The other pieces are if someone is hosting the information for this third party and they don't know how they are protecting the data. That's where I think we would have an issue with it, because that is, data classification issues.

Jim: Because of the new opinion on that.

Amanda: No, but I have a question now. Because if we are in the cloud and we are using certain, I guess, let's say we're using SailPoint, and I know that in our engagement with Identropy we've talked about so predictive analytics and data analytics. Can those, I guess, modules. Protect us from internal breaches. Is there anything? Out there right now. That is good enough to say we can protect your data from an internal or even an external breach because, like say that, they don't want to break in the log in.

Jeff: So I think it's a little bit of a question to ask of what are you trying to detect? Because at the end of the day, all of these machine learning, analytics, behavior analyst and analysis tools, easy for me to say, require data. So the data is typically in the form of a log, whatever it may be. And those systems will ingest that information and pass it faster typically than a human would, or they're more tuned for identity type events than maybe a traditional security event monitor. So the question then becomes is where are the logs and can that capability reach that log, whether it's direct connection or it gets put onto a chair that, that can make it that way. So are there tools that will that will detect and identify identity events internally? Yes. Same thing for the cloud. So I think it makes a difference, though, of where the logs are at. OK. So if you can send all your 80 logs into the cloud, which is kind of a no brainer because it's way a lot of works that. Yeah, there's probably something could be done there. But if you're adverse to sending that things to the cloud because you don't want it to lose control of that data, now you're in a different ballgame because are there analytics tools that you can run in your own environment that do not have a cloud component?

I'm not so sure about that one, because even the ones the ones that I'm thinking of still require some connection to the cloud to do that processing. That's probably something I should probably take a look at RSA in a few weeks and I'll be out. There is sort of almost like an off line analytics tool. And the way that all kind of putting zamba there is this is the way Apple does a lot of their encryption on the iPhone and IOS, a lot of it is done on the device itself. So that data never leaves the device.

It's encrypted and secure it before it gets to even the series. So when you're saying, hey, Siri, send a man a text message. It's figuring all that out on the device first and then initiating the cloud API to actually carry out the service SRT secure it.

So the idea would be then if you take that same type of concept to. Not to doing some sort of behavior analytics.

You would have to have it all on Prem or cloud prem within your firewall. And then do you have enough instances to run that because that could be very data intensive and, now it becomes a matter of, OK, well, do I scale up my own cloud infrastructure, you know, what do I need 40 instances of machine learning, running to be able to check this or do I send it up to the cloud somewhere else figure it out.

Amanda: And we are moving to the cloud. I mean, that train's not going to stop.

Jeff: But the cloud is a fad.

Amanda: That's one of the things that comes back to us as IAM, how do we get there and still protect the data?

Jim:  I feel like you have to do your due diligence with each cloud provider and you have to have somebody like on your security engineering team who digs down into how are you going to keep my data secure, not only from the public, not only from other customers, but even from your own engineering staff. How do I know that your database administrator is not going to my customer list and dump it on the dark web or sell it to some hacker or something like that? So you have to do all that due diligence. So, I was in the financial services industry before coming to before getting into consulting.

And kind of the general view was, you know, we're not putting our customer information in the cloud. We're going to keep it all on prem. But then you just have all those controls that you need to maintain yourself.

And you might say, yeah, work, we're good enough to do that. But then when you kind of figure out like, OK, well, the application functionality is moving out of the cloud. Financial services had to get okay with putting their data up there. And the way they did that was really by interrogating the cloud vendors and cloud vendors are used to doing that. So it's not like you're going to be, annoying or anything like that. If you ask these tough questions, especially what I would recommend to start by putting together some kind of checklist of 100 or 200 questions of like how do you do this? How do you do that?

- So the legacy we do have that job that our governance risk clients team does have a security assessment that they do on all vendors that we work with and based off of the level of data classification. So whether it's restricted data or highly sensitive or interlinking, it's only our public will depend on what type of assessment is generated for them to fill out. So based off that assessment, it's then they work. The security risk team then works with the I.T. area, infrastructure security engineers, security architects and make sure that their understanding and where we are doing the right thing by picking the right vendor based off the assessment.

Jim: Right. And this why shadow can be such a problem, because, somebody in marketing, not typical marketing, but somebody marketing takes their credit card, gets a online service, skips the security assessment search, putting customer data in the cloud and hasn't gone through a security assessment. No good. That's just not come to work. Back to the topic we were talking about, about multi-tenant size vs. individual kind of the hosted model, which, I've known a lot of people to call it cloud washing because really they're saying we're in the cloud, really all they're doing is solving drawn from software and Amazon saying it's in the cloud. And I guess where my preference comes down is I'd rather be a multi-tenant at a high level. And I say that because then you're going to upgrade the software, you're going to do it more often.

And I'm not going to have to go once a year and do a big upgrade process. Right. You're constantly maintaining it and everything like that.

And so my preference is toward that. But I will say that I think companies that go the other route and in some ways have a strategic advantage in that they've built those on premise system for years and years and years. And the move to the club, all they did was they started installing it at Amazon or Microsoft Azure. And that really means that like the software didn't take this big step back. We know the SailPoint has kind of gone the route of rebuilding as a multi than SaaS. And I don't think the jury's in terms of who's going to win. I think strategically they said, listen, we're doing things the right way and building multi-tenant. SaaS Philosophically, I agree with them, but their competitors just take their software and put it onto a cloud infrastructure. And so they got a kind of a jumpstart or a catch up.

So will SailPoint following the right model with the IdentityNow ultimately win? I don't know. I don't know. I don't think anybody knows for sure. I don't care.

Jeff: If you'd asked me two years ago, like would do you prefer a cloud or prem slash hosted?

I would've said, yeah, make lot more sense about the cloud. Now I don't really care because I'm treating the service as an outcome. I don't care how the service gets delivered to me as long as it meets my requirements and needs. Just give me the thing that I like. However, you guys want to figure it out behind the scenes. Do it over, you want that as long as it meets all the requirements that I've got. I could care less.

Jim: If you took a look at an access management, which I think is a lot simpler than governance. There's no way an on prem product could compete with, the major club vendors you have to say OKTA , for example, no one's going to spin up a new on prem access management system. That's better.

Jeff: I think that's where the challenges for paying them. Right. So think Federer has traditionally been an on premise type solution. They're trying to compete with Okta with Ping One. And yeah, I mean, I think the way that things have moved and moved up to the cloud and, the edge is that Internet kind of connection. So that's where they need to be. So there panel that ketchup on them.

I think we've beaten that horse pretty much.

Jim: What we do on this podcast, we beat horses.

Jeff: little while here. I want to close out with a question for the three of you. And that is what is something that you wish the business knew about IAM. Or the roles that you perform here that they just they don't know today that you wish they knew. And we'll start with Amanda because she's like smiling. I mean, she's got a good list. All right. Worked out.

Amanda: I wish they knew our keeper automation capabilities and what we could do to help streamline their access provisioning. a lot of people may need to cover for someone who is out of the office unexpectedly and they need access right away. And instead of it being a manual process, we could definitely streamline a lot of things for them.

Jeff: Marcie.

Marcie: I think the one thing that I want them to know is how important IAM is because I don't think the business always understands that. I think they just think, give me the access and, I just need access, and they don't understand that there's processes behind giving them that access. we have the approvals and even the certifications, they don't understand all of the steps to get there. And I just think that if they were better informed and we're able to maybe even just have us as a team go out and explain this to them individually as a two teams, that it would be very helpful.

Jeff: That's a good one.

Katie: And I would like. I guess, our business to know how capable. Our unit is, I think many times we're seen as. Just a practices and systems. Team that, you know, all we do is provision access. And we can do so much more. We've taken on a lot of challenges recently. And I believe that we're moving in the right direction.

Jeff: Now, I feel like there's a lot of good teams out there that are very good at what they do, but do not have enough seamier push behind them to help organizations become aware of that capability so that we might pitch out there as we kind of wrap up for this week as no one go. Give some coffee cake to your fellow ID admin people take care of them. They're doing hard work out there. But from an executive standpoint, recognize the value that those people are bringing to your organization and make sure that your peer set at the executive level understands why they're there, what they're doing and why it's important and to help push that forward for everybody.

Anything else?

Jim: I think should be a good podcast.

Jeff: I certainly appreciate you guys taking the time to talk with us. We had a great time here.

A lot of good stories and things going on I think as far as the show goes, and appreciate everyone listening. I'll be at the RSA Conference in a couple of weeks. So if you feel like doing a fist bump or, shake hands or whatever it is, who knows of the Corona virus? It may be we may all be wearing NASA at that point in San Francisco. I don't know what's going on, but feel free to send a quick email to and we'll be talking to you all on the next one!

Jim: Go, Chiefs!

Jeff: Go Niners!

- Go Chiefs!

- Go Packers!




Jim McDonald & Jeff Steadman

Jim McDonald & Jeff Steadman

Jim McDonald is a professional with over 15 years leading teams through business-critical technology initiatives. Technical Strategist, Leader and Champion of Change with history of crossing organizational boundaries, cultivating strategic alliances and building consensus and alignment among diverse constituents to leverage IT as strategic asset and deliver solutions that rejuvenate and advance global business’ financial performance. Also as part of our advisory practice and with over fifteen years in the identity and access management space behind him, Jeff Steadman helps develop realistic IAM strategies and provide vendor agnostic recommendations to move the needle on IAM maturity for organizations large and small.