Listen to Identropy's Jim McDonald and Jeff Steadman on their podcast at "Identity at the Center".

PODCAST36
 
Both Jeff and Jim have over a decade of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm.
 

In this episode, Jeff and Jim talk about how assessing CIAM (Customer/ Consumer Identity & Access Management) can be different than an enterprise IAM assessment.

Brought to you by identropy.com

Want to join the conversation? Leave us a message here: anchor.fm/identity-at-the-center/message or email us at questions@identityatthecenter.com .

We hope you enjoy this episode and please subscribe to our podcast for updates on new episodes!

LISTEN HERE or read the full transcript below.

 *Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.

 Podcast #36 Full Transcript:

Identity At The Center #36 - Assessing CIAM Maturity

Jeff: Welcome to the Identity at the Center podcast. I'm Jeff. And that's Jim. Hey Jim.

Jim: I'm still Jim. How you doing Jeff?

Jeff: Still, Jim. Even despite the current situation, you're still Jim.

Jim: Yes, my handle on Twitter used to be Jimmy, I’m actually serious.

I was thinking I could change that to Jimmy Mac. That would really throw people for a off.

Jeff: Confusing and a little bit disturbing, I think.

Jim: Yeah.

Jeff: How you manage it?

Jim: I'm managing fine, I mean, having the kids home. I work from home anyway. Having the kids home is been a little bit of an extra challenge, but we're doing a really good job. I think after the first day of thinking, OK, it depends not on the call.

That means we can do stuff together. And so you get the question when your next call. What do you you'll be on your calls as if what's the calls are done? The day is over.

And I think that's one of the biggest challenges when you work from home and you have family members.

They think your day and what you have to do is dictated by when you have calls. But just like the people work in office, we have to get work done as well. All right.

Jeff: I've realized that I'm not in a foreign team. Right? I'm fine. My wife's fine. But I work all the time. But quarantine life is pretty much the same as my whole life anyway. So really not very much of a different for me anyway.

Jim: I did try to go to Starbucks on Monday morning because I just I felt like I needed that caffeine rush and the buzz that environment gives me to dive into Monday.

And I got there and there dining area was closed. So I said wasn't meant to be went home. And yeah. Is the equivalent of quarantine myself.

Jeff: Well, for me it is what is and I think it needs to happen to flatten the curve. Right as so a flat curve.

Jim: And hopefully find a vaccine.

Jeff: Yeah. Some promising news today. So we'll see how that works out. Yeah. So today we want to talk about something that has been coming up and a lot of the recent doing. That's how we assess. CIAM maturity, customer consumer maturity. And I know you've been working on updating the model that we use for that. So I talk about that some more.

Jim: Sure. And to give everyone the background. So we have uses this model for as long as I've been with Identropy, I inherited it. And it's been around probably for a decade where it's, the six capability areas of that we used to grade maturity both currently and in the future. And this primarily is a subjective exercise we do have a rubric that says these are the things that you can do to give an explanation of how we achieve from Maturity. And it's evolved over time. I mean, really, if you look back 10 years and where the maturity model was, it's not that drastically different today, but it's matured both with, how the industry has matured and also, based on customer feedback and the work we've done and we've been doing a lot of customer IAM projects within the past year or two and I wanted to put a little bit more meter around. But some of those metrics within each of those capability areas would be relative to CIAM. And so some of this stuff is probably guided more because of the one thing about CIAM that, within workforce, it's much more generic as you go from organization to organization. How you on-boarding off-boarding employees is, there's common practices. CIAM, you were talking about a B2B scenario where your customers are other businesses, where you can be talking about an individual consumer. So on-boarding somebody could be quite different. It could be, delegated administration model and the B2B or could be a registration process. Think I'm sure consumer and all kinds of hydrogen between. And so as I go through this list is not going to the light bulbs are going to come on for everybody. Oh, yeah. That's our CIAM environment works. But, I just want to share some of this information so people can get a sense for the thought patterns behind it.

Jeff: Yeah, that's because, I think the one thing I've seen is the consumer side is very organization specific.

Like you said, it's kind of does it a little bit different way. And there's still some things that are in common, obviously. But yeah, there is no one size fits all, really. Right. Yeah. Mean especially on the customer side.

Jim: This is like some of the CIAM projects I've been involved with are a single Web site where it's like every single application, whether it's a website or mobile app. But everything kind of find back to the same business functionality. And I work with a client right now or they've got 60 Web sites or 60 applications that all need to be connected. It's a totally different challenge. They're both CIAM, the way more in the maturity model. So within I kind of stuck pretty much on the rails of the major capabilities you've been talking about in the past. So it seems like IAM governance, authentication authorization, user lifecycle management server. So I'm going to break those down with them and kind of pick one or two. We can just kind of discuss them in the eye and governance area where we talk about you need to have a formal program, you need to have policies and standards established. Right. So those are still there. But I don't want around application inventory established and formally maintained. For example, there's a big one for me is a lot of times you start working with organizations and they build that application inventory for the first time for our project. And really, this is something that I really think this is and IAM thinking this is something that the enterprise should be doing, should have a good handle over what are our applications and what are our systems that exist in the environment or the owners, you know?

And then from an IBM perspective, what is the form of authentication where the users maintain things like that?

So that's something that I wanted to start to use as a metric. What do you think of that?

 Jeff: If you don't know what the applications you have are, how are you going to secure them access to them? So it seems kind of a no brainer. And I agree it's not necessarily specific to IAM I think that's generally more like an IT inventory, but it's crucial for identity and access management because if you want to integrate those things, you have to be aware of them. And, I think sometimes our view gets a little bit skewed toward the side of immaturity, because let's be honest, you don't really call it advisory services firm. If things are going really great. Right. We're typically helping figure out how to get out of murky waters than we are in the smooth sailing area. But, Applications Maturity supporting formal program management, those sorts of things are sort of the bedrock of how you're going to build services and for which systems.

Jim: Right. And one of the things that I found this is not some of these aren't CIAM specific. But so a couple of the areas that I also added were whether or not a formal PMO enterprise, architecture, discipline and enterprise change manage, exist and surprise. A lot of organizations just don't have those capabilities, especially organizations that have a small staff and a very large CIAM footprint. So a lot of times where you see maturity around PMO and around enterprise architecture and change management are wary of large staff organizations and they kind of built those capabilities around, from all the way back to their mainframe days and things like that. But even more organizations have come along since they typically have those. But those are if they don't exist, you're kind of going into a program like IAM, where you need a lot of sharp training, you need a lot of formality to be successful, and those baseline capabilities don't exist. And that can be a major stumbling block.

Jeff: Yeah. Where you see the customer representation being in governance. Is there any?

Jim: yeah I think that there's two things at play. One is there's an enterprise goal that's trying to be achieved. We want to have a common experience for our customer. Let's just say that's the best to overriding goal. So there's a common experience of, like you don't feel like you're going to 10 different Web sites. You're all 10. It feels like you're in one Web site. So the enterprise goal that you have two teams that are tasked with, they might be busy or how are organized or they are responsible for providing functionality or running a business through a Web site. Now, they have very specific goals that, the common experience in their opinion doesn't really isn't what it's all about. And so it's blending those two views together that, you have a forum to make sure that neither one of those is completely sacrificed to the two sides of the spectrum where you want to have your own achieve enterprise goals. But you have to achieve business through your goals as well. And get those to work together. That's one of the things that comes to mind. What do you think?

Jeff: Yeah. And I think it makes sense. It's really, what is that? It's the customer experience supposed to be. I think IAM plays a hand in shaping that vision of the journey. The customer experience when they engage with the business. So like you said,  a single approach or a unified approach to accessing services, for example, is a really common one. Right. Less passwords, more of a single type of account approach, there's a lot of organizations out there that struggle with multiple organs for their different services that they might offer. So having someone that is not architecting, but, explaining the vision for the customer journey and what is being seen as the optimal path, I think is an important part of the governance side of things to make sure that whatever IAM services are being developed, line up with that vision for their organization.

Jim: Yeah, that's something interesting in my mind, which is that one time it's our advisor engagements, we schedule meetings called voice of the customer getting that, either a representative or somebody who can speak on the behalf of the customer.

Somebody from marketing, for example, or somebody who deals with frontline support issues. Or you can actually get representatives of your customer population. They did this once with the university where they actually had us meet with students. And that became the voice of the customer.

And what I found like so interesting was that throughout the week we did the bush the customer meetings that they had throughout the week, everybody was saying, we need the ability to link students ID with Facebook and things like that. And we got the students in the room. They're like, no, we do not want our academic records tied to what we're doing on Twitter or Facebook or anything like that. It was like completely contradicted what people thought. So it was a very valuable moment.

Jeff: All right. So that's governance. I'm assuming we'll probably talk about authentication next?

Jim: Yeah. Authentication. So that's our second capability. And really where I started with this was I think a sign of maturity is are you on the right authentication platform? Now, that is going to serve you into the future or do you have to stop and pick a new platform? So if you're already on something that you know, you'll basically just create and continue to use your programs in a much better place than if you have to go out and investigate that not mean that's not the right answer. It just means that you're already starting at a point where you you've got the technology and even you just kind of start to build improvements on top of that technology. Now, what might be a little bit specific to the client and I'm working on but, that was the ideas that I think one this one of the keys to success, especially the authentication space, is being on the right platform, being on platform that you're not looking to replace in three or four years because the vendor housing continued to invest in the solution. And so that's one of the things where I know, like you can't just go with a client, go into a client just, through the Gartner Magic Quadrant and pick someone in the quadrant, but someone is not on the Quadrant or not kind of an up and comer.

You have to ask yourself the question, you know, are they going to be around long term?

At least that's going to question.  Like I said, just because they're not on the quadrant or not in a leader position doesn't mean they won't be around.

But there is something that I have a concern about or that I'm going to question is what is the best track record in terms of research and development and investing in their product?

Jeff: Yeah, absolutely. These organizations that are startups, especially maybe their business model revolves around being acquired and that can throw a big wrench into a product. Sometimes acquisition goes well and sometimes it doesn't. So you want to make sure you pick something that, has some solid grounding, needs it. But I think that's also part the importance of trying to build around some of the standards of developed from authentication sounds like Oauth 2.0.

Jim: Oauth 2.0 and OpenID Connect we've had a session coming up with somebody in our next session.

It's going to be with somebody who is, very much on the front lines of that.

And I work with him on a project and, OpenID Connect there's definitely a preferred standard going forward. Obviously, What’s the Difference Between OAuth, OpenID Connect, and SAML is just well adopted, it's the integrations are pretty easy, but they only go,  they don't go as deep as something like OpenID Connect can.

So also in the authentication space shows having mature asset management processes, being able to use your vote is a big one in the same space to be able to use your access management system to secure API authentication. So a lot of organizations are investing in an API gateways, but even if they're exposing API is individually, you know what is going to provide the Oauth 2 service to be able to perform the authentication if can leverage access management system of a better federation for your own identity, artificial intelligence and machine learning to detect behavioral and unbelief.

So this is all on that I think is really an up and coming capability where, I think it was at Gartner's conference they said I don't remember the exact year. It was only like two years out or something where 40 percent of access management vendors will have the ability to use artificial intelligence and behavioral analytics to as part of the authentication process. To me, this is this is big stuff. This is, again, where you need to be. You don't want to be in that 60 percent who are investing and you are making that part of their platform. You want to be with the 40 percent that are in our future facing.

Jeff: I think it's important to understand what the capabilities are, because it seems like every organization, every product is saying, yeah, we have AI and, analytics and other stuff. And sometimes there is a big difference between, what the expectation is and what the reality is between the two. So I think it's something to take a look at when you're working with products and vendors out there. Has to really understand when they say AI, what does that mean and what exactly are they doing? Because I think it's almost become too prevalent. I was just at RSA a few weeks ago, and it seems like every booth had some sort of AI statement right about around their product. Didn't matter what it did. AI somehow involved, though, think or something just to be cautious of and under and truly understand what is it that their product is doing with that AI and things like behavior analysis them and see if it makes sense or not.

Jim: I think that's a great point. I mean, here you get a marketing term. It's like we're a zero trust platform. OK. What does that mean?

Jeff: Like, I don't trust anybody.

Jim: I'm not even going to eat this free lunch. Okay. That's right. All right. The next area is authorization and it still starts with one place to go and who has access to one. Be able to see that in your environment, especially when you have a large swath of applications that ski. And again, some of these are probably because of the specific client I'm working with, the ability to manage roles centrally, to bundle whether that role is a single application role or we're targeting what we, quote unquote business roles, which are, based on being in a certain business role on a certain kind of customer, a member or  employee I get some default access, some group of applications and roles within those applications. That's a mark of maturity, at least the ability to even be managing in that way. That makes user administration a lot more simple when you can automate role assignment and you can manage it based on business role.

Jeff: Does classical role based access control make sense in the consumer space?

Jim: It depends on the use cases that they're right. So the client I'm working with now, I think only the same material or business roles we don't have today. And so, yes, I agree. You don't have them today. It may make sense in the future because it may access administration on-boarding people simpler. If you know that when somebody joins and they are of a certain role or a certain type of user you should get access to multiple systems. I think it can make sense, right? Because getting them all the access they need right upfront makes sense. And then if they no longer are a user of that type, taking that access away. Theoretically, I think it makes sense. What do you have in mind?

Jeff: Well, I just, I think roles make sense, but there's a time and place for everything. And, I don't necessarily think that in organizations that strive to try to bundle roles across services, unless it truly makes sense sometimes that it's kind of like, Oh, yeah. We're gonna roll base everything, doesn't make sense. Maybe it's more of an attribute based approach, but I think it's something to think about from a construction and architect standpoint when it comes to the entitlements is. How do you intend customers to use your services? Right. If I may just pick something. Thoughts on my head. Google user, I have G-mail. I have calendar of contacts. You know, maybe I have a hang outs or whatever. Maybe or maybe I'm using Google Fi for my voice or Google Voice, depending on how you look at it. How are those services supposed to tie together? And is the role that encompass all of those? Or is that a combination of roles or attributes that gives me the access to the things that I need? I think they've done a really good job of obviously single sign on because your Google ID pretty much covers all that. But there's some organizations that struggle with trying to tie those services together underneath a common authentication and authorization banner.

Jim: Right. All right. I think you make a great point, Jeff, which is that I think every time you're going to fix something like that, you need to rationalize and same with AI that you brought up earlier. Is OK. Is this going to bring us value? Is it something that we you know, the investment or use a common phrase is too short to squeeze? Because getting to the point of using business roles is not something that is going to be a simple endeavor. It's going to require some work to do. You get enough value from doing not work to make it worth it, right.

Jeff: What's next?

Jim: In the user lifecycle management area, is your com user registration system that controls all use cases one I.D. per person, right? This is generally what I think organizations strive for is one ID per person, have a multiple IDs per person is generally a hassle at the same time.

There is a balance where if you make it so that the person can create a new ID and yet they can't access their old ID, they may walk away. And so you have to be able to rationalize how difficult you make it. So I have it here as an item in the maturity area.

But the idea is, is that the norm where, having multiple IDs per person is the exception rather than, it's the use case that keeps popping up all the time, machine ID, so I think there's a big thing that organizations are really coming across as like, okay, so you have centralized identity management, it’s only been focus on the human. What about all of the machine ID that exists within applications? Or what about the machine ID use that are being issued potentially declines to access APIs? And so that's all part of the big IAM picture, and the lifecycle of those identities has to be managed as well.

It's just something to make sure that we take a look at that and understand the current state approach.

Jeff: If you want to have new customers, you want to make it easy for them on board to ever really off board customers?

Jim: Most organizations don't want to come CIAM, I think it's important to take away access there is no longer needed. And, I think it depends on the risk profile of the access, what I see happen sometimes in the CIAM environment is that some identities will time they have been plugged in two and two years and know they won't be able to log in without going through a special workload to reactivate them. But it really depends on the organization, depends on the risk of the access. Also probably depends a lot on if it's a paid service getting access to it, no longer payments of service. It shouldn't get access same time usually people don't delete. So there's a difference between deleting and disabling and removing roles and things like that.

Jeff: Ok. So that was user lifecycle management. What about Privilege Access Management?

Jim: Privilege Access Management is typically not, within your CIAM space. You're not. We were thinking about getting access to the customers are not saying people were thinking about, managing their own access, remote access of their staff to manage your applications and things like that.

It's important to you know, when you're doing the analysis, it's important part of, saying that systems are more secure because of the work that you've done.

First thing I came up with was at least having a full accounting of what is privilege access within your environment.

I feel like this is usually an item where a lot of our clients can even start to produce a list of here's what we consider to be Privilege Access, what your thoughts are?

Jeff: Yeah. I mean, people struggle with the same thing, Application inventories, who has access to what, and a subcomponent of who has access to what is the Privilege Access associated with individuals. Because a lot of times these are secondary accounts or even accounts that may be more difficult to map back to a user because they don't use a similar username or don't assign something like a employee number and attribute to be able to track it. So being able to understand what those are. Makes sense, and there are tools that will help. I know CyberArk, for example, has their DNA scan, which, we'll do some  scanning for ADA environments and then Unix and stuff like that. And I'm sure other vendors have similar things. But if you don't know where your keys of the castle are, you really need to work on identifying those that you can properly secure them.

Jim: Right, and can't manage what you can't measure. And so, I mean, the real changing area when it comes to web applications and these types of environments from privileged access perspective is DevOps. And we hear about a DevOps I used to really mean, well, it's the automation of deployment of infrastructure and code and the automation of all that runs. Will it script some robots and all those require credentials.

And, the most basic level you could kind of hard code, those credentials and description to your applications that are doing the automated deployment and then you move up the maturity scale and you have those passwords, those credentials better manage. And really, that's where we want to drive our clients towards getting away from, bad.

And the reason this has happened is that everything's been shifting out to the crop, out to the cloud in terms of infrastructure as a service. So a lot of web applications moving out cloud. There be a chain around using servers and information. And now things are moving onto the cloud is happening so fast and it's happening on new technologies that they may or may not understand.

And so, some of those same controls are we're designed for within the firewall don't work as well when they get outside of the firewall and using new technologies and robots.

So devOps, important concern when it comes to CIAM, it's an area that we will look at pretty extensively.

Jeff: Yeah, I would imagine also things like reviewing access and be able to do that. You need to be able to pull logs from different spots to be able to effectively figure out who did what to what. Right?

Jim: That's absolutely right. I mean, you need to have the information, have that the logs where you have to have the right people reviewing them. And,  on the amount of log data is obviously too much for a normal individual to go through. So you have to be able to use a learning tools and technology to play out. What's important in like SIM2 is a perfect example.

Jeff: So here's a question where does delegated administration fall? Would you consider that a privileged access, a customer, for example, and I can administrate other users in my organization? let's find a more of a B2B use case. But I could see something like a family head. Right. Can add their spouse or other people. Family to kids. Whatever it is, would you consider that a privilege to access?

Jim: I think I'm doing minder's privileged access because you're using the definition privileged access as the keys to the kingdom. I've definitely don't feel like those accounts have a very big kingdom. Now they are certainly more powerful than other accounts. And so I think an organization has to treat them differently. But I don't want to make privilege access picture so big that it becomes unmanageable. Well, what I'm really concerned with on the privileged access aside is the ability to manage infrastructure, manage applications, manage data and get to those things and, perform disruptive behavior like you are actually bringing the data or bringing down the applications or changing the way they work.

So that's really the focus that I came with privileged access. The things you're talking about, definitely those accounts have more power. And especially when you talk about Maybe it's a person who can manage one hundred thousand users or a million users. Well, now you're starting to get into the area where you have more of a major concern.

Like I'd be more willing to throw them into the privileged access pocket and maybe create some additional special controls to monitor and limit their access.

Jeff: Yeah, I think that makes sense. I think maybe that use case, maybe it belongs more as a well-defined authorization as to who has that specific entitlement that can manage other users. So I'm just curious what you thought about it.

Jim: Well, I do think there should be controls in that area. Like, for example, if certain activities are taken and email goes out. So that way, I think countless compromises, a chance that the person will be alerted that something happened on their account. So Ministry of Action was performed. Someone was added to their phone plan and they didn't do that. So then they can go and investigate further.

Jeff: Make sense. What's next?

Jim: So, the DeLacy areas are these are ones that kind of are ads or changes from normally what we do.

So identity data management a.k.a. data governance. And so really what I wanted to talk about here is especially when you have a large environment with multiple applications and you have now a higher reliance on a centralized profile data about a user how that data going to be updated? Who are the owners of that data? Should that data overwrite watching an application or watching an application come back or overwrite what is in the Central IAM. And then you have a more tactical level. What are the types of data, the lengths of the data, things like that, and making sure that there's a data dictionary. There is a governance process where some data governance office or some data governance, formal discipline to make sure that these data issues are being managed. Because if the data gets out of control, when you start connecting a lot of production systems together, you could hope so into major issues. It won't take long to figure out the major issues either.

Jeff: Yeah. And this isn't an area of prime importance for a lot of organizations because they're really trying to understand who the customer is. Right. Who's using their services or products or whatever it may be. And it's imperative to have good identity data management to be able to map back behaviors as individuals and get those insights that they're looking for, it can be a little bit weird sometimes, I think, for people to understand how their data is being used. And maybe that's where things like privacy consent will come in. And we'll talk about that a little bit. But then, proper data management is important and identity and proper identity data management is, I think, critical for a successful CIAM program and services.

Jim: That's right. And I think the point that you're bringing up is that the identity layer of all this and the data that management is foundational to other initiatives and organization was put together with the customer data. So if you want to make sense of your CRM data, having that correlated user of here's a person versus a human being. And they use all these applications. Here's some core information about them. They were also pulling in transactional data and other operational data that may be occurring outside of IT systems and pulling them into one big central picture. CRM what the Identity data is kind of keep them pulling all that together.

Jeff: Yeah, absolutely, data analytics that pull on top of that. And, that's a holy grail for a lot of marketing. Yeah. Whether they're internal or external.

Jim: It is a Holy Grail. And then there are a lot of organizations that are doing it right. They said, look, this is critical, obviously the big tech companies are doing it at a crazy rate. But I think a lot of retail organizations are doing it as well, where they have, so many bits of data and they just put it all into a no single database and then allow data and data analysts. So you have met people. I met somebody in my MBA program twelve years ago when he was in the pharmaceutical industry. And I had somebody didn't use to use a data analyst for a pharmaceutical company. A time I just had known, I couldn't wrap my brain around that. Or what it was really about was he was able to take these large blobs of data a lot of times coming from research and things like that and make sense of it. And there are people in organizations that do that all the time that the data, though, have to be able to give the foundational connections between the human being and all these transactions.

Jeff: Yeah. Now that to guard against that and you know, you have things like privacy, consent. And that's I think that's a new area that you're looking to explore as part of maturity, right?

Jim: Yeah. But if I could just one more thing about the data governance is now you have all those data and you've collected from all these different sources.

So everybody in the organization has an office contribute. That doesn't mean everything. Organization should get full access to that data. Right. This is now the issue becomes a goldmine of data. And part of data governance has to define who gets what access to that data.

Jeff: that may be considered privilege access, depending on the type of data that's being looked at to yourself. But you know that doesn't make sense.

Jim: Absolutely. So on the privacy concerns side on the tip of her everyone's tongue right now. The first thing is that an organization has to put together a privacy strategy and that they have no research in place. So they may have designed their privacy statement on their privacy, strategy, around something like GDPR. And that's great because that's the one that kind of came along. And so it came along first, but it had the base impact. And but additional privacy regulations are coming out. We know more are going to come out. She needs an evergreen strategy. How are you going to meld those in as time goes on?

Jeff: Well, it's important to be able to understand, especially when it comes to regulations. Now, from a regulation standpoint, I don't necessarily think that a lot of regulations really tackle the important part of data and consent. And in some areas, doesn't make a sense, makes sense. I'm taking things like GDPR and TCBA all the equivalence. They're going to end up being out there. It imposes an ideal state on organizations that makes it sometimes difficult to comply or expensive to comply. And at the other day, there's just so much data out there that makes sense. So when it comes to the privacy and consent, you've got it at least today. You've got to be able to do things like right to be forgotten and be able to export data and see how it's being used and make sure it's not being used unless there's you express consent. So being able to track a that is a critical compartment of how you manage the consumer experience, both internal and external.

Jim: I feel like, as a consumer myself, the approach that a lot of companies you're taking is we're going to put together a privacy statement. Privacy, statement, is going to give us why you wielding ability, whatever you want with your private data. And by agreeing to that, you're agreeing to us doing that.

And so if you go and you want to use a website to shop for cars and say you can share your data with third parties. And they're just I believe a lot of organizations are that people will read that. So I think there's two things. I think there's one is complying with the regulation of which just telling people. But if you want to use our site, you're agreeing your privacy statement. That may be enough. In some cases, however, it Doesn't do a good job of beating my leash. I think the common standard for what are good best practices and what the spirit of these privacy regulations get to. So I think because every organization has to determine where they want to be on the spectrum. But I think being forthcoming along issues is the best path. And then dial it in from there.

Jeff: Yeah. I have thoughts about this. And actually, we're going to be talking with Richard Bird in an upcoming episode. He's part of the Ping Organization Chief customer information officer. And he has some thoughts on this, too. So probably dive into it more there. But, these organizations, they come up with these user acceptance things that you have to click through. Nobody reads those, It doesn't make sense. I mean, it's a bunch of text. People don't read it. There might be even clicking through it on a mobile phone. So it's even harder to read or harder and harder to pull in. And basically, you're just allowing, that whatever happens all in the name of using whatever service. So you're trading your privacy and your data exchange of that. If it's free, you're the product. That's pretty much how it works, at least on the freeway. So, I think what you hit on was business practice. And I think organizations are tackling this different ways. And I think if you're in the space of an ad network. Right. Your whole business is trying to display a number of ads to the appropriate parties and showing, you know, click through rates on that. Good stuff. You may have a different viewpoint as to an organization that really does take consumer privacy seriously. Not that I think they're perfect, but Apple, for example. Right. They came up with signing with Apple, which obfuscates email addresses associated with Logins. So now I know they have a host of other potential issues and things, but it's a totally different viewpoint as opposed to maybe another organization that is looking to exploit customer data versus protected.

Jim: Yeah. And I think you made a good point. It was free of a product. And I am willing to make some tradeoffs for that. I feel like I need to know what their tradeoffs are. Because your point, you go through the your letters like, I don't even know what I don't sheet legalese and I'm confused. But I want to use his Web site. So I'm going to go through. However, what really bothers me is if you have that same kind of agreement to use your utility providers like or your bank's Web site or people who are companies that are making money from you, that on top of that, they want to sell your private data.

Jeff: On the revenue stream. And, I still get things about my auto warranty for a car that I had back in the year 2000. And that was many cars ago. And I have no idea why they still think I have that vehicle. And, every other vehicle, the joke is, I've been trying to reach you about the expiration of your car. Do you mean it's silly?

Jim: Right. I don't know. The one thing with utilities, though, to me, the Web site is a utility. I don't really have a choice on whether or not to use it. So should their privacy policy should be, to the greatest extent in favor of the consumer and have a look using banks and things like that? It's the same thing, you can't really not do online banking anymore.

Jeff: I really be grudgingly accept it. I like convenience. So, I use all the services that I'm sure that everyone else does. But, I think it's something from a more fundamental shift would need to take place from whether it's privacy or governance or whatever. I need a regulation standpoint just because of that.

Jim: I think it is just going to take regulation. And I'm not a government first kind of person. I don't think that everything needs to be solved with regulation. However, I saw the governor of Florida get on TV today and land bash. All these spring break people were like twenty one were done Clearwater Beach partying. I'm thinking there's a party in your state, on your beaches, in your bars that you haven't closed.

You expect me to get mad at 21 year olds for not making good decisions?

Jeff: Did a quick one that I think a little bit later, they said, try to enforce, groups of 10 or more in social distancing and all that. But yeah. I mean, I totally agree there was there was nothing against the law or any direct statement saying you can't do this. Combined with the at least before today, it seems like, it seemed like the message for media was that the young were not necessarily at risk or as much risk as, people who may have different immune therapy, immune issues or things like that in the older population. But now we're starting to see that may not even be true. So, yeah, I mean, plus, also,  that these kids, they probably dumped money on the spring break trip and they're not getting a refund. So there's cotton that's wild, like, you know, do I blow the two thousand dollars that I just spent and not use it or do I go and unfortunately, it's an interesting situation.

Jim: No, I mean, here's the thing is this. When I was that age, I don't think I would have been not worried about coronavirus It's just, I felt like sensible as your governor is coming on TV and he's like, making it sound like these kids are, they're so awful. I was close the bars. Every bar around me is close. Right. It's like you're the governor you power. Will you stop trying to blame 20 year old kids for the problem?  you have the control you should be. And if you don't have the direct control. Get on the policymakers in those areas. Call them out by name. I just keep the news with sensationalizing everything right now where it's like, it just it's a lot easier. Put 20 year olds on TV or 21 year olds on TV, dancing on a bars and look at these irresponsible 21 year old. Yet 21 year olds are responsible for the breaking news. We've known that.

Jeff: Finding for some personal responsibility. But I also think it is a news story, right? I think there are I know plenty of people that age that have you have accepted kind of where we're at and are doing, what is perceived as the right thing and staying at home, not going out, not trying to help spread things out. So I have a niece, in college. It's age, super bright. And she's in Colorado and she's on her way home back to California right now to be home and not in the school environment. So, a few bad apples make it all the news. And I hate to say they're bad apples, but I don't want to overblow it. But it is certainly a combination, I think, of not accepting personal responsibility along with not having the appropriate structure and guidance from the decision making authorities that both contribute to the issue of time.

Jim: All right. Jeff, we should have we should have a show on one of these news channels. I don't think we probably real which news channel would be. We should have one. We don't have to have our own channel, We should stop that podcast.

Jeff: we should do that. We would probably have dozens of listeners if that.

Jim: I don't know. I don't know about that.

Jeff: Well, let's get off our soapbox and bring it back to IAM still me recap here. We've got a few different capability areas that we look at. We look at. IAM governance. You look at a authentication, authorization, user lifecycle management, privilege access management, data management or data governance and then the privacy and consent factors. That's typically how we look at CIAM and programs and look to assess the maturity. Any final thoughts? Jim?

Jim: Final thoughts are going to continue to evolve. So maybe it will be a topic again next year.

Jeff: Oh, yeah. Maybe we'll see. CIAM is forever, Identity is forever, Or at least until we figure out that, we have some others we did to name things.

Jim: Right. Probably on board. We're all part of the board.

Jeff: Right. Then we'll just be numbers.  We'll be all Mac addresses connected to some giant network.

Jim: Oh, sure.

Jeff: All right. Well, I think that's a pretty good spot to leave it. Hope everyone is staying safe and staying healthy. And on behalf of Jim, we'll talk to you folks in the next one.

 

 

 

 

Jim McDonald & Jeff Steadman

Jim McDonald & Jeff Steadman

Jim McDonald is a professional with over 15 years leading teams through business-critical technology initiatives. Technical Strategist, Leader and Champion of Change with history of crossing organizational boundaries, cultivating strategic alliances and building consensus and alignment among diverse constituents to leverage IT as strategic asset and deliver solutions that rejuvenate and advance global business’ financial performance. Also as part of our advisory practice and with over fifteen years in the identity and access management space behind him, Jeff Steadman helps develop realistic IAM strategies and provide vendor agnostic recommendations to move the needle on IAM maturity for organizations large and small.