[podcast] Talking IAM with Binod at Ilantus
Jim and Jeff talk with Binod Singh, Founder and CEO of Ilantus Technologies, about where the IAM market was, is, might go, and why the mid-market space for IAM is hot right now.
For more information about Ilantus, visit ilantus.com.
We hope you enjoy this episode and please subscribe to our podcast for updates on new episodes!
LISTEN HERE or read the full transcript below.
*Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.
Podcast #32 Full Transcript:
Identity At The Center #32 - Talking IAM with Binod at Ilantus
Jeff: Welcome to the Identity of the Center podcast. I'm Jeff. And that's Jim. Hey, Jim.
Jim: Hey, Jeff.
Jeff: So I'm going to come right out and say that I have screwed up the episode numbers twice in a row now for the last two episodes. So I'm not going to say what episode number it says because this is whatever episode it says wherever you are hearing it. So take a look at your monitor or whatever so that you know where you're at. So that either way, they're kind of jump right into it today because we've got a special guest. He's the founder and CEO of Ilantus technologies, welcome to the podcast Binod.
Binod: Thank you so much. Appreciate it.
Jeff: So, Bin, I know you've been in the identity space for a long time. How long have you actually been in IAM?
Binod: Oh, boy. It's been about two decades now. This is, to be precise, my 20th year.
Jeff: 20 years.
Binod: I got into this field just about the time and identity management was being born. And the very first generation of companies were beginning to surface in the world.
Jeff: So 20 years is a long time. I'm sure you've seen a lot of changes in the industry over that. Can you talk a little bit about maybe what you've seen when you first got into the industry and how that's progressed to where we're at today?
Binod: Sure. In fact, it would be very interesting to talk about that, you may be knowing that in the year 2000, when the whole thing began a little more formal way, we had it all beginning with simple provisioning. That used to be sort of an issue for the identity administration of the administration people from the I.T. side and companies such as Access 360 and many of the other ones, small ones, all of them got, of course, acquired in the next round, the next generation by the IBM, Sun, Oracle of the world. So it all began with provisioning in the year 2000.
And by 2000 to 2003, we had that couple of companies, three or four of them pretty small in size, beginning to be contributing to user provisioning, bit of an automated provisioning, and in that sense, would you like me to go on, and since I've already talked about the first generation, you want me to talk a little more about the rest of it?
Jeff: Yes. Keep going, please.
Binod: So that led somewhere around 2003, if you remember the socks 2003 for socks came in and that kind of gave a lot more recognition to the identity and access management technology. And couple of things happened around that time. One was the Web access management came in that really kind of companies which later had got acquired by CA came in at that point in time. That generation, if I had to really put in terms of timeframe, was from 2003 to 2006 or 2007 and that when the access management and also towards the later part of that enterprise single sign on the ESSO came in from again smaller vendors which got before we knew that got taken over by the Oracle and CA, IBM. So those things happened in the second generation.
But I think the real turning point for identity and access management came when it went into its third generation somewhere around 2008 when access and governance was born. And that was the time when the company called Aveksa. In fact, that the CTO of nitty-gritty, after selling his company to CA, went on to look for newer opportunity and identity and access management. And that's when most of us met somebody on the streets of New York and we became good friends and we wanted some help in terms of going to some CIOs and talking about what is the next set of things that they would be looking for. And so it's interesting. Everybody talked about forms of access governance because it was really knocking on the doors of everybody and people were looking for that kind of compliance. And that's when the booksellers got bored. Within a year of that sale Quint came in and before we knew access governance had become more important to people than the provisioning.
And that's when the largest suite companies like Oracle and IBM and CA, they began because they had no way to accommodate access governance in their current suite of things. So they either began developing things on the governance side as a separate module and integrating that to provisioning or acquiring companies are looking to acquire acquired companies which had the access governance components and that went on for a while that eventually I would say somewhere around 2012 13 gave way to the fourth generation, which I think is still on, which is identity as a service with cloud coming in, not because but natural that like any other domain, cloud will have its dominance and identity and access management as well.
I think that that's happened at the right time because that's when more agility was required, especially on the access management side, because things such as authentication were beginning to get very, very important and people were looking for easier modes and mindset to be SSO was a failure.
They had been there for several years, but it was very difficult to implement. Most important, you had to do modifications to the applications and that never made it a popular. And therefore, when the iDesk came in that was really embraced with a lot of enthusiasm by people in the beginning, by smaller organizations with just about a handful of users.
As soon as we all know access may be the single sign on, the access management has become, leaving its wait for identity, governance and administration also to get into that.
Jim: One of the things I think is really interesting and you touched on it is kind of a graduation of, you started out with, Thor Technologies on the provisioning side, you had nitty-gritty and now Blake's on the access management side.
There is a consolidation where that Oracle, CA and IBM went out and purchased those companies and they were the only thing really in the IAM space. And then as these transitions into IGA and Cloud Single Sign on happened, my feeling as those companies were so addicted to license revenue that you want to change your model. It's very rare when you look at Microsoft, how they were able to change your model and go from a license company to a cloud company like in a couple of years. And it really saved their company as far as I'm concerned. But in the IAM space really did see that happen too much. And those legacy vendors. They're not all that relevant now. They still have some customers who stay with them. And I think also they were engineered toward the heterogeneous model, the backward compatibility, the ability to, get in there and not have to make your application standards aware just to kind of put a proxy in front of it or put a filter on a server. And I think that they just more or less missed the market. I mean, they certainly had the financial resources. They could still be in first place now. But they kind of they were, I believe, too addicted to the license revenue to be willing to adapt to really where the market was heading. What do you think?
Binod: I completely agree with you. See, you got to look at the underlying reasons.
I believe most of all of the larger of the companies like the Oracles and IBM of the world finance driven companies, not trading technology or innovation driven companies, they would rather play it safe.
The model of cloud subscription that came with it is pretty dangerous in the short run for a large public company, it makes a revenue go down.
And that's a hit which not many companies would really take because of the market perception is that the company is not doing though. An average investor does not really understand why this has happened. It happens. Only people embrace it.
Like, do you really like each of the example of Microsoft? Microsoft was under threat. They didn't have much of an option but to really look for innovative ways, dramatically different ways to do things, to come back up and wait with the changes in management. They took that decision and they plunged into that. But that's pretty rare for really companies to do that. Microsoft also did it because, that product as goes to every home and every individual. It's much easier, perhaps, to do those kind of turning points in your philosophy when you're dealing with D2C. And that's more embracing to those kind of changes, but in B2B kind of a space in which you see most of your other identity and access management companies.
It's pretty difficult to do that and add it to the fact that if you look at identity and access, I often talk about it being almost like an ERP. It's like a titanic ship.
It's difficult for to make it difficult to make a turn so quickly and it's amazing, but most of the companies which had their first generation of products like the IBM of the world, they still continue to have mostly the same set of codes with some changes, of course, coming in over a period of time and additions to it. But there's not been a lot of innovation with the larger companies anyway. That's been true for identity access as well. I think these are some of the reasons you haven't really seen them changing so quickly.
Jim: It's interesting you use the ERP example, I use that a lot as well as yours.
I'm a IAM practitioner and talk to other IAM practitioners a lot in terms of the complexity of IAM.
And I say the only thing more complex is really ERP and deploying ERP in your company and trying to replace old legacy systems is just so many connections.
And plus it touches a business. IAM those in the same way IAM it's not just security software really touches how you do business.
And not only that, but a large global company, you've got touch with the different places that you do business in different rules and different accounting principles and things like that.
And it made me think of the fact that today you're calling in from India. You're kind of a world traveler. Your company is internationally focused. And you get to see IAM in action in a lot of different areas, regions of the world. And so I'd like to maybe the shift focus to that and kind of get some of your feedback in terms of, what are some of the main differences you see from the IAM perspective globally, or do you feel like is being address pretty similarly worldwide?
Binod: There has been obviously quite a bit of differences in the past and I continue to see them right now as well.
Essentially, I would classify identity and access management markets into two types, the emerging markets and the mature markets in the mature market. I would put the Europe in the obviously the Americas, the US and Canada. Even between these two there are some differences. But mature markets of Americas has always been accepting to new technologies, new changes or changes that are occurring. There are always more keen to embrace these changes much more rapidly than the European region. But by and large, if you look at the US, also the enterprise market, which went on for the technologies like IBM, CA and so on, has stayed on their except adding elements and components of access management. Not much has really changed in the identity governance and administration. Of course, the change in the technology itself has been very slow in that particular area. If you look at barring SailPoint and more product and a few other products that have emerged over the last few years on the cloud based identity, governance and administration, that's not been a lot of a lot of change and these organizations, the enterprise market finds it very difficult, even if they have not been very successful in implementing these technologies and they're not satisfied, they find it very difficult to bring about a change as one of the CIO's in the US put it.
I have been justifying my technology to my board every year, asking for three to four million dollars.
And I how do I go back and ask for a change in technology after seven long years?
So there are different reasons because of which the enterprise markets in the US have not really shifted in terms of from the traditional to the more newer technologies. But there have been additions, as I said, in the access management and some of the other things. If you look at Europe as the other large chunk of the mature market, it's been very slow and traditionally it's been slow to changes. You'd be shocked to know that I still keep on seeing Pockets of Control of BMC Software, which has gone in the rest of the world many, many, many years ago. As you know, this company got acquired by SailPoint. I don't think SailPoint has got a BMC customer anywhere else other than Europe. So both ways, both the markets have been slow to change, especially in the IGA area.
But access management has been pretty well embraced in the cloud. Barring some of the sectors like we still see pockets like the banking and financial segment where people are still thinking in terms of doing this transition as opposed to that. If you look at the emerging market, the picture is a very, very different. But before I go to the emerging market, I would also like to classify the markets in terms of enterprise and mid-market. Mid-Market is unquestionably the most attractive market space today in the world. You talk to any analyst with Gartner or Forster or KuppingerCole.
Everybody talks in terms of the midmarket being the most rapidly expanding space in identity and access. Perhaps it's true in some other more than others. Some other technology domains as well. That market if you look at a midmarket definition in the US or Europe, I would typically classify it as companies in the revenue range of about four to five hundred million to about three and half million users, anywhere from 500 to about 5000, for the same revenue if you look at in the emerging markets, they would have close to ten to fifteen thousand people such as the nature of business and doing business in those countries. So if you look at the definition of the revenue range for the developed world, for the mature markets that embraces almost hundred percent, close to 98 percent amount of statistics off all the enterprise in the emerging markets and the pace of getting into cloud has been quite rapid and the low end up the mid-market. And that's where most of the organizations of the emerging markets fall. Because of that, we are seeing suddenly over the last six months to a year. As new as that, there is a big, huge increase in the customers in the emerging markets wanting to go into the identity and access management. They're finding it very difficult to survive without that because a lot of movement towards the cloud is happening. So at the same time, their understanding of identity and access management as a domain is fairly low. They don't understand the complexities of the technology. They don't understand. It's very important to have some processes in place before you put in place things like IGA and therefore they're having their share of disappointments in the first phase. But having said that, perhaps in the emerging markets get a little more agile because of the size of the organization. And so they're falling, but they're getting up and they're moving fast in a way. One trend that I see, which is of great help for the emerging markets and the emerging economies in that sense is that IAM is helping them to put more processes and systems in place than they had without IAM, something that has not happened in the more mature markets. So, yeah, the trends are very different, but both in terms of growth and how fast and the expectations of the customers you see.
Jeff: So the Internet of Things and bots have become much more prevalent over the last few years. Do you see similar increases in both the enterprise and emerging markets and how do you see those types of non-humans being managed in and IAM in today in the future?
Binod: First of all, I think by the emergence and the rapid proliferation of bots and industries have brought in a major security concern. As you know, the people who are manufacturing robots are focusing all on the functionality of the bots rather than the security of the bots. And especially when it comes to the access management of the bots, there is a lot to be said about what's being covered by the manufacturers of the bots, so from that point of view, there's a big role that identity and access has to play in the management of bots. And a lot of interesting developments that I saw over the last few years. As you may be aware, one of them is because of lack of great success in the implementation of IGA, I saw the trend was actually triggered by some of the big four who used the RPA and the bots to do most of the IGA functions because there were still pockets of organizations who had been very apprehensive of IGA.
Had perhaps gotten the past but not implemented. And the big four brought in the whole generation of bots and BRP is to do the complete IGA or at least portions of IGA. In that sense. That's another set of things that I've seen happening. Less IGA is made simpler to implement and more cost effective. That trend will continue to grow alongside with that, the very, very rapid proliferation of bots has obviously made it very important for Identropy and access to be able to handle them. And today, I think it's difficult to really look at an enterprise and see identity management handling the applications. 20 to 30 percent of the focus of organizations or implementing IGA, is to manage the bots from an identity and access perspective as well. That's going to be a major shift that I see from what it used to be just about 2, 4 years ago.
Jeff: It'll be interesting when at some point in the future artificial intelligence becomes more prevalent.
And if there is at some point does an AI or an associated bot get some sort of protection legally similar to like what we've seen with, sometimes animals, you may have some sort of protection and an identity unto itself. So I'll be curious to see how that works out in the future. I dug a little bit through your Twitter account and back in 2018, towards the end of it, you had a tweet that I thought was really interesting. And you basically say you tweeted that the IAM world is now divided into access management and identity governance. We need unification, not disintegration. So that was back at the end of 2018. Here we are a little over a year past that. Do you still feel that way? And if so, can you explain what you mean by that tweet?
Binod: Yeah, sure. So if you look at the fabric of identity and access management, there are two components. There is the access management and there is identity governance and administration. Of course, now the last couple of years, privilege access management also has become a part of the core identity and access infrastructure. But if you look at access management and governance and administration, they happen to be part of the same entity. You have to have the identities and the identities have to access applications. So devices or the bots or whatever it is, the way this technology, this whole domain has developed, essentially access management and IGA have remained two separate entities. And the real benefit is truly comes in when they merge together as one single, not to be said integrated externally, but one single code base. And really in terms of the software and that's become even more important now from the time when I tweeted because now analytics and risk management is becoming very important from Identropy. Everybody is talking about risk engines, identity and access or risk engines. And you cannot have a fully functional identity and access risk engine unless you have got all the attributes of both the access side as well as the idea side coming together as imports into the risk engine for it to take any efficient to any important decision. And so we see some trends. If you look at the access management company, they're beginning to bring in some lightweight identity administration. But I think the pace of that is very slow.
That is limited to cloud applications, that are limited to a fairly simplistic way of doing provisioning, nowhere close to the expectations of even a mid-market into in a large mid-market customer. There is hardly anything in the government side that's available. And to that extent, barring just one or two, I know my company has taken an initiative to put it all together and perhaps with the first product in the world doing that. But there's got to be more of that happening if identity and access has to deliver on what the real needs in the market today, which are not just doing an administration or separately doing access management, but all of it together, coming together to not only be delivered for day to day operations, but also for risk management. So it's not happening enough. It needs to happen more rapidly.
Jim: I think the timing for having you on the podcast is excellent. I'm going to bring you back and you mentioned your friendship with Deepak, who was the founder of Aveksa came out in the news today that Dell has done is in the process of divesting its RSA business. And I guess I'm looking for a hard take you. What are your thoughts on now you've seen the company start from being a startup and to now it's changed since couple of times and. Yeah. What are your thoughts?
Binod: I see this as a part of the two things. One is that lot of companies and a lot of products are becoming somewhat redundant. If you look at RSA, they had too many things to chew with the merger that happened without for RSA. There were multiplicity of multiple products that were available and I would say it has taken them a long time to divest one of the products that did too many things in this table. Secondly, many of these organizations, even though they happened to be security companies, have not been able to handle identity and access for some reason or the other. It is a data domain which is exactly like any other ERP Quest lot at Focus. And together with multiple other products, nobody has been able to do a great job of it. The other factor is that private equity investors are beginning to be really interested in identity and access management. That is a new phenomenon. If you look at many of the acquisitions that have happened over the last two to three years, they are not from strategic investors and not from other kinds of investors, but private equity investors. And that kind of shows very quickly that shows very clearly that people are beginning to look at making a fast buck in identity and access management for the first time, because private equity investors have a different way of looking at things.
Jim: Yeah, exactly. So what is that way? I mean, are they do private equity usually look to get in and flip? I mean, I've seen some other examples where there seems PE firms get into the IAM space, for example, with SailPoint, they really kind of stayed the course. And I think my initial concern was that they were going to look to prompt the company up and sell it. And that really wasn't the case. You're more of an industry insider than IAM, but I'd like to hear your thoughts on what usually happens with the PE entering and buying IAM company.
Binod: So, EP essentially looking for quick returns and lower risks.
And that's why they do what they do. But within that also you'll find certain be investors having more patients. And it's also a nature of the company that they acquired. SailPoint as you made. A good point is, is a kind of the nature of that company is it's difficult. It's deals with one product set and deals with one of the domain of identity and access management, which is governance and administration, which is a very mature, slow moving kind of an area even today.
And it's difficult to really rip it apart into a number of pieces and do a very quick divestment. That's not possible. Maybe they realized it after they acquired SailPoint if they did not know that earlier. And so that is a bit of an exception. But many of the acquisitions that you would see would be of the type where you'll see very quick exists.
And that's because they talked to some of the investors very clearly. They're beginning to look at the identity of access as you can make a fast buck here. They do see the trends.
This do see lots of mergers and acquisitions, a lot of large infrastructure companies do not have within their own stable in identity and access management something the fact that identity and access management is becoming a part of all of the infrastructure of fiber, not just a security technology like many of the other security technologies, makes it an extremely attractive proposition for investors to do what they're doing.
Jeff: And I think I've seen the opposite of that, too. And I go back to Courion They've got acquired my equity was a PE firm and Courion not even a proctor anymore.
So it seems like that company has shifted over the course security in. And I think it's that some other company name they've taken now and it seems as kind of take a step back from the IGA component of the identity of their identity business and move now into a more like a general security type practice. So I guess you never really know what's going to happen, right, when a company gets acquired. You hope for the best, but it can certainly go both ways.
Binod: Sure. Courion is excellent. That you brought in, but minded Courion acquisition happened long ago. There was not a company. It was already bleeding quite a bit. For many years before it was acquired. So. So it would not be acquisition of Curion would have different intent and say that's where she would be to get a cheap acquisition and perhaps make some money in the short run, which did not happen.
But things have changed dramatically from that time to what it is today.
Jeff: Yeah, there's definitely a lot of change going on. So I know you've been you very gracious with your time here and kind of want to start to wrap things up.
I've just got a handful of more questions here for you. And let's kind of maybe do like a little lightning round. And we'll start with what are some of the current IAM trends that professionals in this industry should be aware of over the next year or two?
Binod: interestingly enough, when you look at trends, I think there are two kinds of trends and they may not meet all the time the trends that the industry sees in terms of what the analysts are talking about or what you see coming in and the trends that the customers expect. The customer expectations many of times can be a little different from what you see happening from a technology perspective at any point in time.
But that is quite true for any domain. I've seen it for the last 30, 35 years I've been in the IT domain. So what I would talk about is more in terms of what the customers would wish to see as the trend. And of course, movement is happening in that direction as well. So we're talking about three or four, maybe five of these that come to the top of my mind. The first one is the customers are looking for more simplicity. They're fed up of all the complexity of the move into the access management to many products. Too much time it takes to implement. People are losing patience. And that is going to force me beginning to see products emerging, which are combination of everything that you need in IAM, majority of things that you need, and I am rather than islands of solutions which have to be there. You've got to put in more effort in integrating them, then solving problems. So for a customer that I think is going to be a very important emerging trend that will accelerate. The second is I see, you guys have seen it, too I'm sure, identity and access management, in spite of it being so important to any tool that you have, especially a cybersecurity tool that you have, has remained more like an island than anything else. So people and I think we people, the audience are to be blamed for that. We have really gotten too immersed in solving the internal problems and making the software efficient, doing things, bringing additional features sometimes which may even not be which are fanciful and not really required by the customers today. And in all that, they have really to some extent ignored the importance of being merged and being to act like one single monolithic piece with the entire cybersecurity. And that is a trend that is going to accelerate big with things moving into cloud rapidly. There's no way identity and access would be seen as just one technology. The importance of IAM in terms of its playing is the central role to the entire cybersecurity ecosystem is becoming more and more important and you'll see more movement towards that third area that I feel is going to be the intelligent IAM. It's been a lot is being talked about it, but nobody seems to be doing much in over that yet.
It's been a long time. Identity and access has been in existence. But all this while by and large what it has been doing is to convert the manual systems into automated systems, a force that can do a few things which are very difficult to do manually. Technically, everything is possible. There is no intelligence that it really has. It does not. And it's becoming very important now to do that. They talked about the risk management part of it. Their identity management is going head on, and that's what the expectation of the users are unless you get to be management. Begins triggering actions based on the trend, changes in the trends and all that. This is not going to be fulfilling the desire of the marketplace. So I would just give you an example based on the risk core in the risk engine. If you say risk core of a user ID goes beyond 4.2 on a five point scale, then it should be able to automatically trigger a certification. So access certification, as we all know, difficult stuff makes life very difficult in a manual of doing it, even if you automate it through an IAM engine, it's a huge, humongous exercise and people are looking for certification by exceptions, other certification as a rule. And they're triggering a micro certification based on the changes in the risk core those kind of things that identity management should be doing. The sooner they do it, the better, because that's what the customers across the world I see wanting to do with identity and access. On the trend, I think, which is going to be this has not really happened.
You see only a handful of companies doing this right now is what I call industry specific IAM. So we kind of see a little bit of that in the healthcare provider and others, but not much of that has been seen with identity and access becoming such a large domain. So no more than 15 billion dollars today rapidly growing. There is going to be more of industrial specific IAM products that you see emerging over the next three to four years.
And finally, as I said in the beginning, the expectations of consumers is really, really increasing on quick implementations, very high ROI simplicity and things of that nature.
So these are a few things that I see are going to be and these are necessarily driven by the desire of the customers, not necessarily by the fancy imagination of developing technology, by a startup or many of the other technology companies.
Jeff: Ok, so I'm going to put Counterspy here and I'm going to ask you one final question before we wrap things up.
What is the most important innovation that you've seen in the IAM space over the last, let's say, five to 10 years? You can only pick one.
Binod: And that's a tough one. So when we look at innovation, again, we go to look at it from the point of view, just technology or it as it is from a customer's perspective. So if you look at last you asked me 10 years, right.
Jeff: Let's say within the last decade or so. And this is totally obviously your opinion in a way. What do you think is the most important thing that's come out of the IAM space?
Binod: I think it's the risk management. It's still evolving, but the risk one in management that that too in the IDaaS mode I think is the most important trigger. And that is going to be a good part of IAM tomorrow. It's one by the need.
And, getting into cloud and the complexity of cybersecurity increasing was this part of identity management's become extremely important. And I see, that is the most important thing that got triggered in the last six to seven years and still in its infancy.
Jeff: So I think you heard it here, folks. The cloud is not going away.
It's going to stay relevant and take over more and more of the world. That's where you. That's why he tuned to the show to get those golden nuggets of information like the cloud is not a fad.
Jeff: Jim, you have any other questions for Binod?
Jim: Not I mean, how can people find out more about you and your company? You know, I guess now's your chance to say how if we find out more about Ilantus
Binod: I think we're your kind of docs are very useful. You can check out on our Web site ilantus.com. Oh, we're there almost in all the key events, exhibitions.
So it's not difficult if you really want and be a very partner centric. So you can go to our partners to check out and ask, because we're one of the world's ratio companies whose stated mission is to do 100 percent business to partners.
And that's what we're trying to rapidly do, a despondent time.
Jim: How active are you guys on social media? So we do Twitter.
Binod: I wouldn't say we are as active as we should be, but that's rapidly increasing.
Jeff: That's like our show, too. We have Twitter. Ever use it? But I will put a link to Ilantus Web site in the show notes so people can check it out there.
And I'm sure you guys will be out at RSA next week as well. So I'm sure I'll be stopping by the booth and shaking hands and fist bumps and all that. Good stuff. Maybe, maybe with or without a mask. We'll see how the new virus is treating folks at that point. But I certainly appreciate the time. And looking forward to meeting the folks next week at RSA. If you guys or your family's gonna be out there and wants to wants to do a fist bump or masks, masks, what? You know, feel free to e-mail us at firstname.lastname@example.org. And, Binod thanks for joining us. And with that, we will go ahead and wrap it up for this time and we'll talk to you guys in the next one.
Jim: And Jeff, before we do. Nobody want to make masks swap, right? The author should add why you would wear a mask anyway.
Jeff: Talking about it, it's worn by world famous podcaster Jeff Steadman. Come on. Who wouldn't want that? I better not see it on eBay. And we'll talk to you guys on the next one.