[podcast] Talking IAM with Ash Motiwala
Both Jeff and Jim have over a decade of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm.
On this episode, Jim and Jeff talk with Ash Motiwala, Managing Partner at Identropy, about the history of Identropy, current IAM trends, and the future of IAM.
*Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.
Podcast #8 Full Transcript:
Identity At The Center #8: Talking IAM with Ash Motiwala
Jeff: Welcome to another episode of Identity at the Center. I am Jeff. And we've also got Jim on the line. Hi Jim!
Jim: Hey Jeff. Hi everyone!
Jeff: And we've got a special guest this week, Jim, don't we?
Jim: Yes, we have Ashraf Motiwala. So Ash is the Co-CEO of Identropy for almost eight years and I've known Ash for a little bit longer than that. He is truly a legend within our industry and knows if I can make him blush little bit, but he really is somebody who has been in the industry for probably 15 plus years. I guess obviously prior to 2006 that he's worked with hundreds of companies to do what we're doing now, which is developing, IAM strategies for our clients. So I kind of invented the process that we do today, obviously is part of the learning from people over the years. But for us to have Ash on today is kind of give his perspective and talk through kind of the history of the company, why he started Identropy, some of the different phases of growth that we've gone through and what he sees as the future, not only for Identropy, but for the IAM industry as a whole. So welcome to the podcast.
Ash: Thank you very much to both of you and congrats on this podcast, I’ve been listening and great work!
Jeff: It truly is a gem in the podcast space. I like to say.
Jim: It's one of the few IAM podcasts that I'm not sure if that's luck or just lack of interest.
Jeff: I'm going to go ahead and say we're the best IAM podcast because I don't think there are any other ones. So we just get it by default.
Jim: We’re definitely in the top 10.
Jeff: Definitely top 10, that's for sure. So you are in this space for a while. And I think there's one thing that Jim mentioned. I think you've actually got some patents. Is that right?
Ash: I mean, that has to deal with the software startup that we did in the middle of the Identropy history. And we had a software startup. So, yeah, there were some patents there. To be honest, there was a team of people who really put the bulk of the effort in there. And I just kept to rubber stamp my name in there. But yeah, we did. It's a nice thing to put on your profile.
Jeff: Yes, for sure.
Jim: I was just to say to Ash, if you could kind of take us back to 2005, 2006, when you and Victor Barris got together to start this company, what was that projected you into this space and why did you want to start a company? Why haven't you figured that you could do something different and more value add than what was being done elsewhere?
Ash: Yeah, that I wish was a more eventful story than it was with Victor and I used to work for another consulting company that we weren't terribly fond of and we said we could probably do a better job. And that's pretty much up. Identropy started back in 2006. We did start as a consulting company. We were part of a larger security consulting firm that did lots of different areas. And we really felt that there was a need in the market for a focused company on Identity and Access Management.
We believed it had amazing growth potential and myself becoming a sort of an Identity geek or so terribly fascinated with the problem and still so fascinated by the problem as it continues to evolve. But, so that's kind of how we started it off. And, we learned along the way, and it was a lot of fun. And both of us did have previous startup experience as it came in flat. But doing it in this space was definitely a new thing, and it was such a great time because like everybody, it was still a relatively small group. But every back then, really, everybody knew everybody. If you went to a conference, you pretty much knew everybody in the world that cared about identity at that time. And so you got to rub elbows with some interesting people. And those connections are really what helped us do all the great things that we've been able to do over the years.
Jim: Did you find yourself competing with in the beginning; was it mostly for consulting firms or other companies that were kind of like you guys?
Ash: There's a little of both. So back then, I remember there were a couple of companies. So there was one company called Neil, Jim.
Jim: Intolergy, and then called Intolergy.
Ash: Intolergy, that’s right. So Intolergy focused on, I believe, UFSN or Oracle, one of those two. And so I think PwC picked those guys up. Rex, I think, was a guy who was head over there. I'm not sure if he's still at PwC or not.
Jim: So Mary was the owner. And Rex was the managing partner CTO.
Ash: And I remember looking at that. There is another company called Neogent based on California that was partner with Sun.
And those were the ones where like, hey, I want to be those guys when we grow up. And, they had interesting little tools that they had to speed up deployment work. And so that's kind of what we started off doing and we really started off on Microsoft and carried on. And, very quickly, when we wanted to go and sell these solutions to customers and this happened almost immediately, we identified that customers would say this is great technology, but we don't have our act together yet. You don't have our project drivers laid out in our vision and roadmap. And so you know what? We're going to be working on that. So get back to us. And when we heard that one too many times, we said we could probably help solve that problem. And that was really the birth of the advisory program.
Jim: So you did an advisory service by yourself for a while, right? I guess I don't know the full history. I know that I saw some of the early documents that you produced. I think I feel like we're still using the same framework today, but it's evolved over time. But talk us through some of those early advisors. Were you by yourself or were you in the team?
Ash: So, I would sometimes work with a team, team meeting two people, and sometimes by myself for the first like four or five of them. And so we're trying to figure it out, we would talk to customers. What makes sense; we'd already done a lot of projects. So we had a lot of experience, but we just didn't have a way to package it, to give it to a customer in a program fashion.
And I think that was really the impetus for us to start thinking about that very early on. I did a few and then we brought on Frank Villavicencio, of course. Frank that’s how we mean. You know each other. Jim Right.
Jim: I know Frank, and Frank is another legend in the space.
Ash: So if Frank would help, so I think we came up with like an initial framework and then very quickly. So I'm good at starting stuff. Not so good at putting the polish. And so I had a few great ideas, put them together, started delivering them, getting some experience, and then got Frank involved.
And he really took it to the next level. I think throughout the experience of Identropy advisory arm, we've always had really great, you know, smart people who brought their own take and perspectives and added things to the program, as you guys do right now. And I think that's really what's made it great. It really hasn't just I would argue it has not rested on just the initial spark. It's always evolved and come up with new approaches and based on the industry changes. And that's what makes it so relevant to why it's been such a successful part of our business.
Jim: I kind of feel like Frank probably left his mark on Identropy more than any other single person here that's not here any longer. Wasn't one of the founders? I mean, I always remember him talking about we want to revolutionize IAM. And, his some of his sayings were just, really memorable, if you say something like that. And then it would just click for you at some point where like, OK, I get what he means, but the other big thing. So when I joined the company, it's the two things. And these are two of the reasons why I joined the company. One was going to revolutionize IAM. We really had meaning. It was like, at the time more than 50 percent of IAM initiatives were failing. And it was like, we want to change that. We want to have a big impact on the industry to change what was happening in. And we played our part because that is no longer the case. The other was just building a company with a strong culture. And maybe you could talk a little bit about the culture. But to me, that was always, kind of a centerpiece of Identropy.
Ash: Yes, sure. Frank was definitely a big part of that as well. I think when we're small; it was easy to maintain culture as you started growing and adding people. I think the magic is how do you keep that going and how do you maintain that culture among people? Frank was huge in that. I remember just another Frank story. There's going to be a frank part podcast. You just understand. I'm sure you appreciate it. But I remember we were one of the first advisers I did, like I went overboard and wrote a 100 page document.
And just, like, poured my heart out in terms of what this vision is for this company and all that type of thing, And then Frank came on and he read, it is like, this is awesome Ash. But nobody's going to read this.
Jeff: I feel the same way when I see a long report. I've been the customer side. It's just like, come on, man, hundred pages or 200 or 300 pages of anything to get to the point.
Ash: I think you guys just saw that we went to a customer recently and they sent to the previous attempt at this and they gave us 250 page documents. That was all right. I mean, Identity. And I love this stuff and I'm reading this.
So actually Frank was the one who actually sat away with the documents were going PowerPoint and it's much better format for what we want to accomplish. Keep it simple. Try to keep it under so many slides. Really get to the point. Create two versions, one for the executives, one for the general population of attendees and stakeholders. And so, I think he really added this additional level of pragmatism outside to the program that helped. The same, I'd say, for culture. I think that's a more of a joint thing, and part of doing I mean, what really differentiates one company from the next is what your day to day experience is like. And I think the most valuable part that impacts that is culture. So we've always spent a lot of time thinking about culture and maintaining it and spending time and effort and really trying to live by that. And so we believe in things like transparency and autonomy so that we're not micromanaging. A lot of things like that. It's I think those are really valuable things because it keeps us on a certain path and keeps us true to our mission and allows people to hold each other accountable because these values are beyond any of us in an individual from an individual perspective. But as a team, it allows us to keep ourselves at least on the right track.
Jim: So what I thought was cool was going to join the company. I was like the employee number 30 and only 33 or 34 people had ever been employed by the company. And, the people that were left, they left on their terms or whatever, they could pursue something. But it wasn't like there was a lot of turnover. And I attribute a lot of that to the culture. Right. It was a place of people who wanted to be. So I don't those really cool. You learned a little bit earlier it was around that time that Identropy was getting into what I think was a real attempt to revolutionize IAM and were developing an Identity as a service platform. He talks a little bit about that So maybe talk was a little bit about SQUID Lifecycle. What the dream was for that, and then, the whole lifecycle for the SQUID Lifecycle.
Ash: And so that basically happened in 2010 or so where we raised some venture capital and started building software. At that point, we effectively spun out. I want to say effectively, because it's not totally true. It was still legally one entity. But we did our best to run two organizations as one. And for any listeners, never do that. That's a lesson learned as an entrepreneur that you don't want to run a consulting software business under one umbrella seems kind of obvious looking back. But at the time, there were some positives for keeping them under one umbrella that we thought was worth it. But anyway, I ran the software side. Victor continued to run the services side and we did that for a number of years. And until about 2014, we were going to raise our B round of funding. And there are a couple of interested parties who wanted to I wanted to acquire squid. And ultimately, it was acquired by Computer Associates around that time. And the consulting part of the company continues to live on. And so that's the story. But it was the vision behind it at the time was, people had these really bulky old Oracle type of implementations and would take ridiculous amount of time and very low success and.
Idea was to create a lighter weight version of that that can do. That's cloud-based that really took advantage of the trend at that time. And so we built that a platform around that I fetch a number of the people who we brought on were industry guys would help build those software companies to begin with. So we had Michonnet Kosuke who joined us. We had Ranjeet Vidwans who joined us, in all these other such as Tom Nicole joined us as well.
Jim: Legends in this place.
Ash: Yeah good folks. It was a fun time. I think we all really enjoyed it. And as any startup, it had its roller coaster moments. But it was a lot of fun looking back and happy to hear, where things ended and a number of folks ended up at CA and stay there for about three years, and I'd say most of them have moved on by now.
Jim: That was a major part of the lifecycle of Identropy was building this product and having consulting services essentially, support the company, basically having an income stream to continue with building the product, of course, But, we made a shift at a certain point after the sale to CA what the shift was essentially one hundred percent IAM consulting so that was our moniker for quite a while and I think that was to highlight the fact that we're not a product company anymore. We talked about that a little bit.
Ash: I think that comes down to marketing. And you have to make sure that customers understand what you're doing and who you are.
A lot of times you can get caught up. I think this is one of the biggest problems that startups face. And I would recommend capping a very singular focus on any startup that a person runs is you have to know exactly who you are and what your value prop is to a customer. And if you have more than one, then chances are there's a problem with your business model. And so part of that you don't change that moniker at the time was really to focus attention to the customer, to say, what we're doing is a very broad based marketing approach. But I think we've evolved out of that now where we're starting to really come into our own again as a consulting company and thinking about, you know, emerging trends, what are the newest things and really trying to push the envelope rather than simply being a traditional identity partner who goes and implements a specific technology.
Jeff: Is there a particular technology that you think is right on the cusp of becoming main stream?
Kind of like how we saw IGA over the last maybe decade or so kind of ride that wave and then we've seen behavior analytics start to come up over the last few years. What's next?
Ash: I don't know if I could pick it next. That's a tough one. Do you have a next?
Jeff: I'm a big fan of analytics; I think that there is a lot of lost value when companies don't take advantage of the IAM data that they're collecting. So that was something that I always like to pull together, was reports and metrics and indicators from an IAM perspective to be able to measure. Right. How are things working people kind of like the basic stuff, right? How long does it take to get to create an account? How many customer sets we're doing those sorts of things. But I was looking for things to provide more value or to find anomalies that might be interesting, last point taken over by the A.I. side of things, though, companies like Exabeam and others.
Ash: I mean, what I think this is one of the areas where Identropy shines, right, where we have brains who can think about where these next things are going. And I mean, I'm very excited about analytics and specific, but not on its own, not a standalone. I'm more interested about how it interacts with identity. I mean, I'm obviously from an identity practitioner's perspective. The future is Identity. Everything is Identity. There's nothing more important than Identity. It's the central paradigm of everything, every problem that exists out there, but there's a truth to it because, the quote unquote, disappeared perimeter. And, all those at this point, overused phrases. But here's a practical example of where analytics plays in. I mean, you have it play into adaptive authentication where you actually can do things a lot more real time. And you have instead of rules based type of engine; you have analytics starting to feed that so that it could make decisions on the fly regarding what level of authentication is required for a specific transaction. And those kinds of things are really cool, right? Where you start seeing traditional Identity technologies starting to interact in nuanced ways with the other cyber technologies that are out there. And the net result is that now you could do things a lot more efficiently, intelligently than you've ever been able to do that as before. I think that the authentication that whole world, I think is changing because of those types of mashups.
Jeff: Yes, there's so many different ways now.
And just the way that the technology's evolved where you're taking milliseconds to make these decisions through logic. It's been embedded with whatever application using adaptive authentication or continuous authentication, things where they're detecting the cadence of your typing and all these kinds of sounds kind of fringe. But when the atom all together can create a very powerful and relatively secure, nothing's perfect but relatively secures authentication change. It gets interesting. I think the other areas that really interest me too are the interface elements of IAM. So when I think of like your traditional IAM, it's a web page. You go to it, put in some feel pieces of data and you click submit and then something happens. What’s after that? Are we going to have a 5 percent for things like Siri, Cortana, Alexa, is going to be a chat bot interface where you're able to do things on those lines. What is the next generation of IAM look like from a how do you interact with it? Is it going to be like a computer that you talk to or something else?
Ash: I think those are a little bit out because, it's all ultimately going to come down to, natural language, generation of processing type of technologies maturing. And those are just starting to come out. Right now, I think recently Google released some new APIs that allow you to do detection in understanding what different, let's say, sets of data mean or natural language inputs if they both mean the same thing. I think that as those things start to mature, I think you could definitely start applying it to Identropy. I think that's a bit out. But the other part about where from the authentication, adaptive authentication that's here now, I mean, that's I mean, we were talking about passwordless authentication a couple of years ago, like all this is the panacea. I mean, we're starting to see, Deshong, for example, Deshong Koshik was squid's CTO work for this year. He went over it now as CTO at Unican. I forget the name of the company Unican. And there's a competitors callsign at that whole space. I love those. Remember, reading a term is called Invisible MFA. That's pretty cool. Those are kind of things that are actually in play today. It's not even the future. So I think that's exciting because. The technology is here, we'll start to see the use cases. I wouldn't say it's totally mainstream yet, but I think that's definitely one of the forerunners right now for being the next wave.
Jeff: There's definitely some interesting is happening there, and, I think when we talk about the password, where a lot of people are kind of banking on biometrics as being something that would replace a password or at least reduce the dependence on it. Fingerprints, retina scans, those sorts of things. But recently there was a breach for a company as a primer. And they do physical access security through an application and fingerprints and facial recognition, data recognition data, along with a whole bunch of other stuff was taken. And that's scary in that you can't change your fingerprint. Or you can't change your face, probably in a way that would make sense for authentication. What the whole privacy concern around that is interesting, too. And, what happens in those cases where your index finger is no longer able to be used as an authenticator to other finger you, do you blacklist that once you know that that digit and you have to use another finger or a different method.
There's a lot of interesting things that I think can come out of that breach as to what comes next.
Ash: I think like GDPR and everything that's come out of that with privacy requirements that have emanated from that or driven that, I hate to say, but is from the top down causing some type of innovation by force through compliance in the industry? A lot of chatter right now happening at the analyst level about, blockchain enabled Identity, And I think Gartner or Force, one of them has this whole thing about decentralized identity as a topic specifically for this issue right here, where you have multiple components, whether it be fingerprints or all the different potential inputs to authenticate a person, but how to be able to do that in a way that is out of band, it's not sitting at the actual service provider themselves, very similar to the sample concept, but taking that to multiple methods of authentication that's going to impact countries right now. You're gonna have entire countries moving in that direction. And that's powerful stuff.
Jim: We had Luis on the podcast a couple weeks ago and he made the comment that Sarbanes-Oxley was the best thing to happen to IAM, I know from IAM vendor of respect over people who make their living in IAM. I think GDPR has potential to be, second place to that. I mean, it's on everyone's mind. Everyone knows something because of GDPR and everyone's trying to figure out what it is. Yeah, it could be a driver in the next wave of spends. You know what I was going to say, Jeff, as we were talking about that topic before I go to there was talk about secure real quick and I did a little bit of reading on that hack and the thing that jumped out at me more than anything and I encourage our listeners to go out there and read an article or two, was the response from that company after this hack was issued and was like, what? We'll come back with our return when we're ready. And it was not very comforting and not very professional, quite honestly. It's like, you know what, you just coughed up a ton of data and that's your response. Well, we work with a client recently who was a customer of OneLogin. And the sense that I got from them was that no OneLogin worked very closely with them, too. And we're not a OneLogin Partners wouldn't have any stake in this, but they worked very closely with them to make sure that they understand what is at risk and what actions they need to take to make sure that they were as secure as possible after the breach that they suffered a couple years back.
It's really important that companies after these breach take place do the right things. And I would say even for if you're IAM program manager corporate environments thinking ahead that if you're for breach, what are the actions that you would take? What do you have a plan in place to deal with such things? Who gets involved and making sure that your communications go out in an orderly fashion? So, take away from that whole breach. But I do want to go all the way back to something you brought up, Jeff, about, What do you think are kind of the game changing next big waves within IAM. And what I think is the next big wave is I'm going to cheat a little bit is I think it's already here is the move of customer or external facing systems to leverage IAM products, so 10 years ago very few customer facing systems were on IAM products that were growing their own or maybe they had some. IAM infrastructure in the background, but for the most part weren't leveraging cloud services. They weren't using automated workflow system. They're kind of building their own applications for user management, user rich creation, password management, either authentication. I see a much bigger shift away, especially in the authentication, the password management space, because the services are now being tallied so that the ASP customer even cloud traditionally enterprise services like an Okta or a Microsoft is offering for managing credentials, managing authentication and password management, multifactor authentication. Those things no longer make sense to build for the external environment and products and even cloud products are being used. I think with the next big wave is really the ability to more advanced workflows for, as proxy as a cloud offering. So, we were working with Forgerock. They were kind of like an incumbent to Oracle or CA and IBM because they were a newer platform built more toward an updated developer methodology for developing applications. 
So they really were able to kind of bridge from the old to the new. And I think that's really a huge audience and a huge opportunity out there that if somebody can and it can't be just basic registration work, it's got to be flexible. It's got to be some things where eco-tourism hooks in and change the way you do a registration check and database, things like that. And there's some of that I see coming along. But that's really the opportunity is the whole use your lifecycle management side for external, whether it's B2B, which is very difficult to solve, or B2C just see a more advanced than just, hey, I'm just going to register or I'm going to do create an account through social registration. It's the more difficult stuff. And I think that that's a huge opportunity. A lot of money sitting out there that could be spent on cross cloud services.
Ash: And I think those are great points and that you're starting to see vendors starting to move towards that, I mean, who in 10 years, may be ended like this, who in 10 years is going to be the winners in identity space vendors. You guys want to you want to stake your career on the honored guests?
Jeff: I think you'll see some of the same players that are still out there. But 10 years is a long time in the technology space.
Ash: That's true.
A company like SailPoint been around for a while. They've done really well from the cells. But before then it was what Oracle, IBM, CA and those guys didn't recognize the importance of the cloud and moving away from these very heavy architectures, what's next will be interesting. The products that have come out that, I'm sure we'll give SailPoint a run for their money and who knows what happens the next five years even.
Jim: I'm going to mention trends instead of actual vendor, two trends; one trend is 10 years ago. The trend is the willingness of people to adapt their technology to fit what's available. And what I mean by that is, you know, 10 years ago, 50 years ago, when you're looking at Oracle, CA and IBM and why they were prior to them, even like Obelix and Taggerty which became more influence here, their strength was they were able to manage the heterogeneous environment. They had a plug in for Lotus, Domino and for Java app application servers and IS application servers and they could throw headers at the apps and you know, they had a plug in for everything. And there are multiple ways you go about integrating and now you look at applications like two or three ways to integrate that SAML, OpenID Connect, maybe something else, maybe as an API call for an authentication that isn't necessarily standard based. OK, but basically you go in and those kinds of companies, those kinds of solutions are winning almost all the deals. And he's using reverse proxy more now. He's using web agents. I said nobody. That's not true. Some people are. But more folks are moving away from that. So the trend is on the authentication side. We're willing to give up being special or you need to buy a product that plugs in to our application the way it works, We're willing to change the application to make it work. That's trend number one. Trend number two is I see most companies that are moving into the cloud. It's what we used to call cloud washing. In other words, we're saying we're in the cloud. We've got a cloud service. And really, what they're doing was hosting an individual instance of their application on the cloud and other companies were coming and saying we are true software as a service, and, the advantage of each. Each one has its advantages and disadvantages from a customer perspective. 
And what I'm finding most my conversations with customers is don't really care about the difference, whether it's hosted in the cloud model or software as a service model, as long as they're not having to maintain the infrastructure, maintain the core system themselves. There's good with that, they want to get a subscription model where they're paying a monthly bill or annual bill and they don't have to run the infrastructure. Now, obviously, the service goes to the furthest degree of that that you can get. However, I think that most companies out there are good with a hosted instance of the software, as long as it's the vendor themselves that are doing those things.
Jeff: I agree with that.
Ash: I think one of the trends that are interesting to me is, as the infrastructure, the service players start playing a more dominant role in I.T. shops operations.
I think that becomes store as the source or the center of the world for them. And that if those places are starting to offer some serious identity services, they have the largest opportunity to just dominate. And that is likely Microsoft and Amazon. It might maybe put Salesforce as a distant third as a pass. But I think those kind of companies have the largest opportunity to just disrupt in a very substantial when you are seeing some really interesting technologies come out of both of them, like Microsoft has made identity a lot more centric central to their conversation, more than they've ever had in the past. AWS is definitely moving in that direction, too, with Cognito and Linden all the capabilities that they're bringing out. So I think those have, had the largest opportunity to disrupt. And I have a feeling that they will if they have the right team on play in place to acquire whatever technologies they need to build that out. I think those are the ones that really own the whole market.
Jim: That's true. Microsoft's probably in the proposition in terms of being a platform. I think there are always going to be some organizations, some people who don't want to go to Microsoft. And I will say, I mean, almost every component from a security perspective that Microsoft offers, there's somebody who has more capabilities. So you have to piece of all this capability, see others that build your infrastructure. Was they at least a checkbox compliant with a component for everything? And so it kind of be seen if they're going to open their ecosystem. So that, I think that Microsoft traditionally has been they've filled their solutions to manage Microsoft products and so things that you have outside of Microsoft. That's where you start to fall down. Well, a lot of things have moved toward standards, especially in the authentication space. So if it's SAML compliant now, if you have an Azure single sign on a tenant, you can integrate the application. However, when you look at something like Microsoft Privilege Access Management, it's not really threatening what say a CyberArk can do in terms of its ability to support many different things. So that kind of works against my first point, which is that people are willing to change their apps to fit what you've got. But I think what you really need to get to first is some kind of set of standards that are not proprietary. They're not set by one company or another.
Jeff: Well said.
Jim: Always interesting dialogue on the Identity at the Center podcast.
Jeff: It's always changing, you just never know where things are going to happen next. And I think that's probably a good spot where we can leave it for now, Ash totally. Thank you for joining us and sharing your pearls of wisdom and appreciate the time you give us with us today.
Ash: Thank you for the invite. And it's been a pleasure working with you guys.
Jim: Thanks Ash we appreciate it.
Jeff: All right. And we'll talk to everyone else down the road. Thanks, everybody!