This podcast episode delves profoundly into the intricate nuances of Identity Governance and Administration (IGA) within the broader context of Identity and Access Management (IAM). We engage in a comprehensive dialogue with Martin, a seasoned expert in the field, who elucidates the fundamental distinctions between IGA and IAM while tracing the historical evolution of IGA systems, notably highlighting the transformative impact of regulatory developments. Our conversation further explores the contemporary challenges facing IGA, particularly in light of the dynamic workforce and the escalating sophistication of cyber threats, underscoring the necessity for organizations to adapt their identity strategies accordingly. Additionally, we examine the pivotal role of artificial intelligence and cloud technologies in modernizing IGA frameworks, thereby enhancing operational efficiency and security posture. This episode promises to furnish listeners with invaluable insights and perspectives that are essential for navigating the complexities of identity management in today’s ever-evolving digital landscape.
In this conversation, Joseph Carson and Martin Sandren delve into the evolving landscape of Identity Governance and Access Management (IGA). They discuss the significance of IGA in modern organizations, the challenges faced, and the impact of cloud solutions and AI on identity management. The conversation highlights the need for contextual and adaptive policies, the importance of interoperability, and the role of community engagement through conferences to stay updated in this rapidly changing field.
Key Takeaways
- IGA is essential for managing access and compliance in organizations.
- The shift to cloud-based IGA solutions has transformed the landscape.
- Contextual and adaptive policies are becoming the norm in identity management.
- AI is playing a crucial role in enhancing identity governance.
- Interoperability between systems is a significant challenge.
- Phishing attacks are increasingly sophisticated due to AI advancements.
- Zero trust principles emphasize reducing friction in access management.
- Shadow IT and shadow AI pose risks to organizational security.
- The signal-to-noise ratio in ITDR systems is a major concern.
- Engagement in conferences and communities is vital for professional growth in IGA.
Chapters
- 00:00 Introduction to Identity Governance and Administration
- 01:43 Understanding IGA vs. IAM
- 04:02 Challenges and Shortcomings of IGA
- 10:05 The Role of IGA in Modern Organizations
- 17:20 Modernizing IGA: Cloud Solutions and Innovations
- 19:07 The Acceleration of Cloud Adoption
- 21:01 Evolving Identity Management Landscape
- 22:53 AI’s Role in Identity Governance
- 24:41 Managing Non-Human Identities
- 26:05 The Rise of Shadow IT and AI
- 28:37 Future of AI in Identity Management
- 30:35 Staying Updated in a Rapidly Changing Field
Resources:
Join an IdentiBeer meetup near you
https://identi.beer/
The exploration of Identity Governance and Administration (IGA) within this podcast episode reveals its paramount significance in the landscape of Identity and Access Management (IAM). The discussion is anchored by host Joe Carson, who introduces his guest Martin, a seasoned expert in the field, with a professional history that spans nearly 25 years. Martin’s journey, which began as a computer lab administrator, culminates in his current role at IKEA, where he leads initiatives related to identity and access, thus providing a rich contextual foundation for the conversation.

As the dialogue unfolds, Martin elucidates the distinctions between IGA and IAM, framing IGA as an essential framework for managing user identities and access rights in large organizations. He recounts the historical context of IGA’s emergence, particularly its role in sectors requiring efficient user provisioning, such as hospitality and retail. The conversation further delves into the complexities introduced by modern technological advancements, such as cloud computing and the rise of remote work, necessitating a reevaluation of traditional IGA practices to enhance compliance and security. Martin emphasizes the critical importance of automation in IGA processes, which not only streamlines operations but also mitigates risks associated with user access management.

The latter portions of the episode engage in a critical analysis of the challenges organizations face today in implementing effective IGA strategies. Martin and Joe discuss the implications of emerging technologies, particularly artificial intelligence, in reshaping IGA practices by enabling adaptive policy frameworks that respond to the dynamic nature of user access. The conversation culminates in a forward-looking vision for IGA, advocating for a transition towards more context-aware and flexible governance structures.
By the conclusion of the episode, listeners are left with a profound understanding of the vital role IGA plays in ensuring organizational integrity and security in an ever-evolving digital landscape.
Takeaways:
- The podcast emphasizes the importance of understanding the differences between Identity Governance Administration (IGA) and Identity and Access Management (IAM) in modern security frameworks.
- Listeners are encouraged to recognize the evolution of identity management systems towards more cloud-based solutions that enhance efficiency and adaptability for organizations.
- The discussion highlights the critical role of compliance and regulatory frameworks, such as GDPR, in shaping the landscape of identity management and security protocols.
- Both speakers reflect on the growing challenges posed by remote work and the necessity of adapting security measures to protect against evolving threats and vulnerabilities.
- The conversation underscores the significance of integrating artificial intelligence into identity management processes to streamline operations and improve security measures.
- Lastly, the podcast advocates for a balanced approach between productivity and security to minimize friction while ensuring robust access control within organizations.
Transcript
Speaker A:My name is Joe Carson, I’m the host of the show and it’s always great to, you know, be here every two weeks with you to share some of the latest trends, news and what’s happening around security and also some of the kind of latest kind of innovations and awesome guests on the show.
Speaker A:And I’m brought and joined with an amazing guest who I’ve known for quite a few years now and always really enjoy listening to his insights and ideas and innovations.
Speaker A:So welcome to the podcast.
Speaker A:Welcome, Martin.
Speaker A:Martin.
Speaker A:If you want to give the audience a bit of background about who you are, what you do and how you get into the industry.
Speaker B:Yeah.
Speaker B:So I’ve been in the IAM industry for about almost 25 years now.
Speaker B:I’m originally from Sweden, lived in Germany, UK, now in the Netherlands and my day job.
Speaker B:I’m the product lead for identity and access at IKEA and we do run meatballs of flat packages around the world.
Speaker B:That is our core business.
Speaker B:And we’re also the best way to test our relationship as well.
Speaker B:Bring your partner to IKEA and see if you survive that.
Speaker B:Then you know that I’ve been there.
Speaker A:Quite a few times recently myself, so, you know, I can definitely vouch for, for the experience.
Speaker A:It’s, it’s definitely good.
Speaker A:Good marriage counseling and also meatballs for sure.
Speaker A:So how did, how did you get into the industry?
Speaker A:What was kind of you.
Speaker A:You’ve been doing this for quite a long time.
Speaker A:Was this something you started with or is this something that you kind of evolved into?
Speaker B:Yes, I was working as an administrator in the computer labs during university and you know, that was back in the, when NT4 was brand new and Ethernet cables were, you know, wow, we’re going from the Ethernet.
Speaker B:So.
Speaker B:And then I got my, when I got my degree, I started working for a vendor as basically their security person.
Speaker B:And a large part of that was done basically integrating the ERP systems with LDAP to be able to do authentication.
Speaker A:That’s yes.
Speaker A:Our good old friend LDAP, which is still around today.
Speaker B:Which is still around today.
Speaker A:So today’s theme of the episode is really to talk about.
Speaker A:IGA has been something, it’s been around for a long time and when I refer to IGA, it’s Identity Governance Administration.
Speaker A:How does IGA differ from IAM?
Speaker A:What’s the main differences there and what’s the origins of IGA?
Speaker B:Well, the, the thing here is, of course, every single kind of analyst house has their own language set.
Speaker B:So I don’t think that there is one single language set that is correct.
Speaker B:And the others are wrong.
Speaker B:But in most cases the IAM is the broader picture.
Speaker B:While the IGA is the joiner, mover and leaver flows, the provisioning flows and the access recertification and toxic combinations and segregation of duty.
Speaker B:That is how you usually see in most companies, how these words are being used.
Speaker B:And it’s just a bit interesting.
Speaker B:If you look at IGA originally, of course I would say that the first implementations is basically about we have a large hospitality company or a large fast food or similar.
Speaker B:We need to provision retail, we need to provision a lot of users in a similar way.
Speaker B:Then you need the IGA system to provision.
Speaker B:You know, if you have a thousand stores, you need a store manager, you need a few shift managers, you need perhaps different department heads and then you need the people who is the manager on duty and then you need the actual workers and they’re quite similar.
Speaker B:So then you can have an IGA system that just automates that provisioning that gives everyone the right access.
Speaker B:But if you look at what kind of made IGA more than a kind of a very expensive process product for very large companies, of course Active Directory was kind of the first kind of start for IGA for many back in the 90s, but that was more of a directory centric.
Speaker B:And then you have the systems that populated Active Directory.
Speaker B:So if you have an ADC today that can be connected back to the systems that we configured 20 years ago and basically sucked in data, did some processing and then pushed it out again.
Speaker B:But what really made IGA to go from a kind of a system that you mostly used in big companies who could afford automating was really the Enron scandal where you suddenly had a, a big need for the person who had the money.
Speaker B:The CTO that could choose between either you take control of your IAM environment or you go to prison.
Speaker B:And most CTOs do not want to go to prison and most CFOs do not want to go to prison and they had the money.
Speaker B:So then you suddenly started selling a lot of IGA systems.
Speaker A:Absolutely.
Speaker A:Even my, my own experience was really more was mostly the segregation of duties or sometimes referred to as separation of duties in different terminologies.
Speaker A:Globally was my first it was, was around physical access.
Speaker A:t really in the, in the early:Speaker A:It was, you got a credential, it was given, sometimes it was cloned from the colleague that you were, you know, doing the same role as.
Speaker A:And maybe they’ve been around for a couple of Years or even more.
Speaker A:And they may have inherited many privileges.
Speaker A:Now for me, one of the things is that I, I had, you know, a credential that had access completely everything.
Speaker A:But we had segregation of duties meant that when I was in the data center I would go from cage to cage doing different tasks and I would go into one cage, which would be one organization, maybe it was a manufacturing organization, do my tasks, make the configuration changes, upgrade the software, do some hardware repairs and then move on to the next cage.
Speaker A:There was a team that came after me that did all the auditing of all of my activities and work.
Speaker A:So that was basically we were not allowed to physically socialize with the other team.
Speaker A:Actually it was a proper and it was from that legal perspective is that we were not allowed to audit our own work.
Speaker A:And we also had to show and prove to our customers that we were basically making sure we were doing it with the right controls and the right regulations compliance system in mind.
Speaker A:But that was physical and it wasn’t really digital.
Speaker A:To your point.
Speaker A:I think as you know, things like Active Directory evolved and we started, you know, getting into much more, let’s say away from the static policies type of, you know, because a lot of organizations really focus on just the joiner.
Speaker A:The joiners, the joiner focus, getting people productive and they did a really poor job at the, you know, believing or even the change moving within the organization.
Speaker A:So what some of the, what’s some of the main challenges when we talk about IGA in the last couple of years?
Speaker A:Let’s say what some of the, where does it fall short?
Speaker A:What’s the challenges?
Speaker A:What, what, what’s it not capable of doing that it should have.
Speaker B:Well, I think the biggest challenge is the simple fact that the IGA is a system that is kind of has a number of potential key stakeholders.
Speaker B:So like you said, you basically have the plumbers of the organization and at the end of the day the managers.
Speaker B:Because if you have a joiner event and someone has started as a contractor, if they don’t get the right accounts to be able to work, they cost €1,000 a day or whatever they cost.
Speaker B:That is a big problem quickly.
Speaker B:And then the manager quickly finds you and go like yes, I would like to have my manager working, my new contract working.
Speaker B:On the other hand, you see the big compliance driven part where I have a friend of mine runs IAM for a in the financial sector and there the IAM team spends 80% of their time doing compliance reporting.
Speaker B:And on the third hand you see also of course the rise of the identity security.
Speaker B:So to control the attack surface by removing users who no longer work for the company, both because they’ve left and therefore they probably good idea, they shouldn’t have access anymore.
Speaker B:And just the risk that if you have a lot of targets sitting there, it’s much easier for the attacker to fit in.
Speaker A:Absolutely.
Speaker A:And that’s one of the things is, you know, attackers, you know, what I find is that you’re absolutely spot on me.
Speaker A:as really that, you know, late:Speaker A:And then, of course, the last five years has been working hybrid or remotely for many employees.
Speaker A:So that dynamic workforce, the way we work today has evolved quite a bit.
Speaker A:Meaning that identity has become a massive important part of that ability to, you know, provide access and make it secure as well.
Speaker A:And also the threat landscape has changed quite a lot.
Speaker A:Where it used to be where attackers, you know, really focus around application vulnerabilities to gain access, but now, basically in that evolution of the evolving workforce, actually attackers are now attacking that workforce at remote employee.
Speaker A:Those employees, you know, accounts that have become stale, that have not had credentials changed in the last two years.
Speaker A:So absolutely, the massive change in how we work today than, you know, how we would have worked in the past.
Speaker A:And also, I think, you know, even going back a few years, employees would have stayed with the company for much, much longer as well.
Speaker A:So you would have had that, you know, joiner would have been something of a very common method.
Speaker A:But moving in the organization, yes, they would get promotions, but leaving was something that was not something that was so common.
Speaker A:I think the only place I’ve seen that being a very high focus was such as education, healthcare sometimes as well, where you’ve had that high retention, high turnover staff.
Speaker A:If you look at education, you know, students and lecturers come and go quite frequently in healthcare, you know, people move around different hospitals in different locations.
Speaker A:So that became a big priority.
Speaker A:So absolutely, I think, you know, now we’ve seen that area become kind of a high focus.
Speaker A:I’ve seen, you know, former times where colleagues of mine and previous companies where they may have left, they get acquired two years later or a year later, and when they come back in their credential that they had when they left was still there, still valid, still functional.
Speaker A:And I think that’s, that’s the risk and I think that’s why definitely IGA has become a massive importance for organization and also regulation has evolved quite a lot.
Speaker A:If you look at, you know, NIST, you look at GDPR has a big impact into it.
Speaker A:HIPAA, SOX, PCI compliance in the financial space.
Speaker A:They definitely.
Speaker A:And to your point, we have seen it, you know, definitely in many organizations.
Speaker A:It can fall under governance, you know, GRC, IGA can, can be placed under different areas.
Speaker A:It can be placed under the governance risk side of the business which could be a legal function.
Speaker A:It could be part of the identity part of the organization which is really about managing the access.
Speaker A:And sometimes it can even fall under security as well because it could be the control side of things.
Speaker A:Where do you see, you know, IGA typically today?
Speaker A:Where does it fall under?
Speaker A:You know, in your experience, where’s the best place for it to fit in the structure of the organization?
Speaker B:This is actually one of my favorite questions I ask when I have an audience in a conference or similar is how many of you report into the CISO?
Speaker B:Well first you have to ask how many it’s the end user organizations.
Speaker B:Then you can ask how many are in the, in the report to the CISO.
Speaker B:And 50% seems to be reporting into the CISO and it seems to be increasing.
Speaker B:What you do see there is of course there is a couple of changes.
Speaker B:So one important part is that the AI makes it possible for the attackers to craft beautiful phishing emails.
Speaker A:Absolutely.
Speaker B:And that does mean that things that you know old rules that how you can spot a phishing email.
Speaker B:Like I I got a phishing email to my private account today that had a, a Gmail account for that went to a Gmail address that went for one of the logistics providers that was not very hard to spot.
Speaker B:But you can really see and we when you work with people you can see that when you do your purple team and your red teams you see these beautifully crafted emails and AI really helps it writing these and it very easy to fall for them.
Speaker B:What we see then is that you get the tools are really good now to take over sessions today and then you have a compromised credential identity then you need to spot it and stop them.
Speaker B:And that is that the, that is not an easy ITDR is definitely not easy today.
Speaker B:But that’s one of the big kind of growth market I see in absolutely generally for, for the IGA systems and there’s also a very interesting case of.
Speaker B:So IGA has traditionally been either that you’re provisioning centric or if you look at the systems that kind of were new 15 years ago, they were often very governance centric and they provide a good governance platform.
Speaker B:We now see should these platforms move into becoming security centric.
Speaker B:And it’s not self evident that it should be.
Speaker B:So it’s an interesting discussion as well around for the vendors how much of your.
Speaker B:Your total development budget you want to spend on becoming ITDR centric.
Speaker A:Absolutely.
Speaker A:I think that was actually one of my.
Speaker A:One of my favorite talks in the past couple of years on this topic was from Pamela Dingle and Alex from Microsoft.
Speaker A:They did a fantastic talk about when Pamela took it from.
Speaker A:Here’s the.
Speaker A:Here’s the identity, you know, enablement, productivity focus and here’s all the things we want to be able to make sure that people have access to the things they need to be able to be productive and efficient and effective.
Speaker A:And then Alex took us down the security which was actually completely the opposite of the productivity side.
Speaker A:And that was fun.
Speaker A:It was a very.
Speaker A:I enjoyed the way that they presented it and delivered it because it really made you think about sometimes they are a bit conflicting.
Speaker A:You know, if you, if you want to focus on the productivity side that IGA can make it be much more autonomous, much more automated.
Speaker A:Absolutely.
Speaker A:But when you put the security in place, it can actually be the friction side of things.
Speaker A:It causes friction to employees.
Speaker A:Yeah.
Speaker B:And there’s.
Speaker B:You really need to look at kind of.
Speaker B:You can’t have as much friction everywhere.
Speaker B:The cost of having friction for the many is very, very high.
Speaker B:On the other hand, on your tier zero accounts.
Speaker B:Yeah.
Speaker B:You probably should have some friction there.
Speaker B:Absolutely.
Speaker B:That also means that a lot of the tech that you roll out.
Speaker B:So let’s say that for example, you need.
Speaker B:It’s very clear that we are heading towards phishing resistant MFA solutions primarily with passkeys.
Speaker B:And kind of the top of the chain there is the hardware based which are the hardest one to hack.
Speaker B:And you need to figure out like how do you roll that out?
Speaker B:Because if you roll it out in your entire organization, your support desk is most likely going to drown.
Speaker B:So the general thing when you talk to people, I think the conclusion is that, well, let’s start with the Tier 0 and go to Tier 1 and then continue outwards and then use the kind of right tool at the right time.
Speaker B:And what you need to do in ITDR is trying to get as much signal as possible.
Speaker B:So in addition to you have the devices, do you control the devices or do you use a bring your own device?
Speaker B:So then you don’t really control the devices but you have the ability to see that someone is using a different device.
Speaker B:You have the ability to see okay for large populations of frontline workers if you are a manufacturer or if you’re a retailer.
Speaker B:Derek for example could use egress IP networks.
Speaker B:Yeah.
Speaker B:Is it perfect?
Speaker B:No, but it is definitely a.
Speaker B:You have to think more of in speed bumps and we have seen it that yes it sounds stupid but it actually really can be very effective to make the attack slow down a bit.
Speaker A:Absolutely.
Speaker B:And then on top of that you then put the ITDR to recognize when you know something is outside of your norm.
Speaker B:But the two main problems with ITDR is that firstly the signal to noise ratio is absurd.
Speaker B:Mm.
Speaker B:We’re talking about, you know, 0.01% or so of the total events are actual real events for a good system.
Speaker B:And the second part is the fact that today you see there’s going to be a very interesting at Gartner IAM in London in about a month earlier, a month and a half, there’s going to be another interop.
Speaker B:So that’s.
Speaker B:I’m really looking forward to that.
Speaker B:But you still have a situation that yes, you can do it within your own, within one stack but if you happen to buy the ITDRs from, let’s say from Cisco who bought an ITDR vendor and you have your IDP from, from Okta and you have something else from somewhere else IGA it still is hard to kind of exchange information in a cost efficient manner until we really have gotten to the same place as kind of SAML or OIDC, SCIM of adoption.
Speaker B:This is very challenging if you need to do it cost efficient.
Speaker A:Absolutely.
Speaker A:Interoperability, you know, if you’re, if you’re, you know between those solutions becomes definitely challenging.
Speaker A:And that’s, you know, you want to make sure that, you know, doing it in a phased approach and making sure you’re doing it really well and having those integrations, you know, a lot of them do come with APIs but it’s almost like a build yourself the data, the data exchange between them.
Speaker A:So I think for many organizations interoperability becomes very, very key because.
Speaker A:Because that means that you have less resources to maintain it once you get it working together in tandem.
Speaker A:I almost called this like putting an orchestra together and you know, if you don’t get it the right kind of harmony, it’s going to sound really awful.
Speaker B:Yeah.
Speaker B:And you really see that.
Speaker B:I think it’s another product family that’s going to come in either as a module to the existing product or as a freestanding product is ITDR orchestration.
Speaker B:You know, you buy this, you get ITDR functionality in lots of different places and you somehow have to get the signals together.
Speaker B:And one of the challenges that the classical SIEM platforms that were built for network based recognition, they aren’t really that good at identity yet.
Speaker A:Absolutely.
Speaker B:Yeah, yeah.
Speaker A:What things for you know, how is IGA modernizing?
Speaker A:What’s, what’s the steps?
Speaker A:How is it getting what significant areas, you know, is organizations and vendors looking to make improvements on that area?
Speaker B:So I think the main, what has happened over the last 10 years is the rise of the cloud based IGA stacks.
Speaker B:So 10 years ago they were really lightweight and you couldn’t really, you could use them if you were a quite simple and quite modern company, which made a lot of sense if you look at the big stacks.
Speaker B:I would say that in many cases the cloud offering has kind of surpassed the on premise offering today.
Speaker B:And what you do see is that you have a lot more modern features come first to cloud.
Speaker B:And this is a little bit of the nature of especially Microsoft’s done a really good job in having this concept of the private preview, the public preview and then GA for something.
Speaker B:But it does mean that if you have a good idea you can kind of take it to in a private preview and see and the customers knows that, you know this be supported for three months and if it doesn’t work, it doesn’t work.
Speaker A:And then, and it’s, it’s in when, when you have a cloud base and in platform scenarios it is a switch of on off.
Speaker A:And a lot of cases, you know, you can either I can try it, see if I like it, if it’s ready.
Speaker A:If not you can, you know, turn it off with a click of a button and you know, move it until release two comes along.
Speaker B:Which is very different for how it works on the on premise because they usually have perhaps two, you know, 12 months, 18 months, two years of just planning time and then you develop the thing, you spec it, you develop it, you test it and then you deploy it and then someone has to take it and install it on your platform.
Speaker B:So it’s often that if you have a great idea today in a traditional IGA setup, it will take two, three, perhaps even four years until it’s actually implemented at client.
Speaker A:Absolutely.
Speaker A:It’s a speed, the speed to adoption is hugely different.
Speaker A:And it’s moving especially also the way it’s designed in cloud.
Speaker A:It becomes micro segmentation, microservices.
Speaker A:It’s literally just, you know, sometimes switching a service out and the workflows and workloads as well.
Speaker A:Meaning that the speed to kind of adoption is so much more quicker.
Speaker A:And also it means, you know, speed to securing those systems is much quicker as well.
Speaker A:And also the kind of resources of maintaining a lot of the underlying requirements and stack and hardware and you know, to maintain as well also kind of, you know, that kind of moves away from having those dependencies and then you.
Speaker B:Have obviously the other big change that’s kind of almost ebbing out now is that the concept of the used to be that there were IGA vendors, there were PAM vendors and there were access IDP vendors and they were, you know, they never overlapped and now basically they all invade each other’s territories.
Speaker A:Absolutely.
Speaker B:So they’ve all created the platform of that where it’s supposed to use it for everything.
Speaker B:And I would say that it’s really useful if you’re a kind of an SMB, medium sized and not too complex and not too much regulation, etc.
Speaker B:The advantage of being able to just kind of start doing PAM and not having to buy a product integrated with your other, your IGA system, it’s huge.
Speaker B:But the disadvantage then comes that okay, but if I don’t, if I bought already a PAM, I might not want to use the PAM system that comes with my IGA.
Speaker B:So it’s also a little bit about where you kind of are positioned in the market space.
Speaker A:Hybrid approach really comes down to that.
Speaker A:Hybrid capability is you may want to use all of the platform stack or you may want to use bits and pieces.
Speaker A:As long as that, you know, go back to the interoperability as well in the APIs that allows you to do really strong integrations with your existing choices and existing stack that you’ve already decided.
Speaker A:What about the move?
Speaker A:You know, there’s a big move from the old, you know, static policy based to being much more context and adaptive based policies.
Speaker A:Is that something you’ve been looking away, you know, looking at in regards to where it used to be?
Speaker A:You set up, you have a policy and that was it and it was fixed and it, you know, would not change for a long time to moving to much more attribute based or fine grain based.
Speaker A:How have you seen the evolution in changes in policies over the years?
Speaker B:Yeah, it was very interesting at the IC last year.
Speaker B:It was really the return of the PBAC, that the AuthZ came back and obviously that is something you need when you have a much more flexible workforce, for example and flexible access to applications and the whole kind of standardization of SSO for example when you have new applications coming in.
Speaker B:And there of course also you have the advantage of being able to use more modern models.
Speaker B:So especially graph based data models are kind of starting to become more standard and that will help a lot to be able to kind of to formulate the vision of how access should be given.
Speaker B:And you also have all of the AI based where you basically create core your peer groups of access and then provide it.
Speaker B:So if you 20 years ago you had a model on approach make him like James and now it’s like okay, we have a modulation of people who works in this kind of role and then you get this base access and if it’s kind of in the middle then it’s totally okay.
Speaker B:Of course there you see a lot of very interesting ideas around access re certification for example at perhaps you don’t depending on your regulatory landscape you might not need to do onboard.
Speaker B:Perhaps you should focus on the ones that are outside of the pyramid.
Speaker B:oard things to TOR accelerate:Speaker B:Because the majority of the time is all the ba time going out and asking you want to create?
Speaker B:Yes.
Speaker B:You want to move?
Speaker B:Yes.
Speaker B:You want to leave.
Speaker B:Ok, what should happen?
Speaker B:Do you need disable, you know, all of those things.
Speaker B:So the, the idea that you kind of put a little AI agent there and listen in the traffic and then you have a suggestion.
Speaker B:Because it’s also that if you have a suggestion you can put on a table that people can say yes or no.
Speaker B:The problem is the kind of chicken and egg where you have nothing and then you start, you know, asking all the questions and then very.
Speaker B:It’s very time consuming for the analyst as well as for the owner of the system.
Speaker A:Absolutely.
Speaker A:I mean that’s, you know, we’ve had lots of conversations around, you know, how AI is impacting IGA and I think you know absolutely where you’re getting it.
Speaker A:It’s, it’s in certain areas this evolve quite a bit where one is the documentation, you know, you can interact with the documentation and get the answers you need very, very quickly.
Speaker A:The next stage is really getting into well how do I take that documentation further and have the documentation create predefined configurations and policies for you.
Speaker A:So you can say, you know, I would like to create a policy based on this type of access for this type of role.
Speaker A:And this is the risk that I want to make sure that I mitigate and then the policies can be created for you.
Speaker A:So.
Speaker A:Absolutely.
Speaker A:It’s really exciting to see where, you know, where those levels and integrations and leverage of AI is going to be going.
Speaker A:How do you see what’s the future for you?
Speaker A:What things, let’s say in the next year or a couple of years, what’s the future look for you when it comes to IGA?
Speaker A:What things are you looking to be able to achieve in the coming year?
Speaker B:So I think one of the things we look at is also to expand the scope.
Speaker B:You know, we have quite good control of the employees and the contractors and so on.
Speaker B:But then you take another look at, okay, but how about all of the business partners, are we handling them in a good way?
Speaker B:And also the rise of the NHIs and non-human identities, like how do we handle that?
Speaker B:It’s also the kind of you build a good strong core engine and then you have all of the creative people who do things outside of the core engine that you need to start looking at.
Speaker B:Okay, how can we kind of make sure that we don’t accumulate too much risk by having people trying to solve problems in very creative ways?
Speaker A:Absolutely.
Speaker A:I’ve seen we’ve had the rise of shadow IT in many years and now we have the rise of shadow AI as well, where employees are now starting to use AI in the background outside of the organization and it’s visibility and security’s visibility and.
Speaker A:Absolutely.
Speaker A:I think you’re spot on.
Speaker A:And we’re talking about building a very refined, robust engine.
Speaker A:Now the question is how to make sure that everyone has a seat in that same vehicle and not creating their own little ways of getting around and their own ways of being able to access systems outside of that visibility.
Speaker A:Because I think, you know, that’s.
Speaker A:It’s the shadow services and applications and AI and it that creates a lot of the pain for organizations.
Speaker B:Yeah.
Speaker B:And fundamentally also that in the ITDR space is that attackers get better and better.
Speaker B:So we had to become better and better as well.
Speaker B:What was okay two years ago, it’s fascinating with MFA, for example, the fact that every time I thought that if I just implement this thing there then it would be good.
Speaker B:No, absolutely.
Speaker B:Attack, you find out a new way to attack it.
Speaker B:So.
Speaker B:And it’s a little bit that some people talk about, you know, phishing proof.
Speaker B:I prefer Phishing resistant because I’m very sure that the phishers will figure out a new way to do things.
Speaker A:They’re always very creative.
Speaker A:And I think you brought up when you mentioned earlier about how attackers are using AI for phishing emails.
Speaker A:Absolutely.
Speaker A:And the campaigns have become so well perfected and you know, I talk regularly with the Estonian governments in regards to their, you know, strategy on reducing attacks in the country.
Speaker A:And we used to be very dependent on the language as a protection because the language is so complicated.
Speaker B:Yeah.
Speaker A:And now it’s, you know, the phishing emails perfect.
Speaker A:The Estonian grammar.
Speaker A:It’s almost like it’s even better than the most people actually communicate on a regular basis.
Speaker B:We’re almost switching over to kind of telling them, please, you know, if it’s a nice letter with good grammar, then it’s most likely a fish game.
Speaker B:Bale.
Speaker B:If it’s badly written, then it’s probably.
Speaker A:From, you know, because it used to be, it used to be like spot spot the, you know, spelling mistakes in the grammar and bad translations.
Speaker A:And that was the way you could.
Speaker A:Now if it’s perfect written, you know, almost like Shakespeare.
Speaker B:Yeah.
Speaker A:You suspect it may be suspicious.
Speaker B:So.
Speaker B:And that of course.
Speaker B:And also another very interesting area is the supporting the bureaucrats.
Speaker B:Actually I really liked your talk about that a few years properly a couple of years ago now.
Speaker A:You’ve talked about five years ago now.
Speaker A:I think it was so.
Speaker B:And I think that’s a very interesting area.
Speaker B:What should the cost of yours and the have that helps you.
Speaker B:What should rights should I have?
Speaker B:Should I have your entire right set or should I have a subset?
Speaker B:And how do we make sure that they have exactly right rights?
Speaker A:I always talk about.
Speaker A:It’s, it’s, it’s going to.
Speaker A:That principle is privilege.
Speaker A:It’s getting into really thinking about, you know, that I, I would say, you know, we talk about zero trust as a big element in the security side.
Speaker A:There’s a framework.
Speaker A:And then moving away from zero trust, I always talk about.
Speaker A:Then you get into zero friction.
Speaker A:If you’re thinking about zero trust, you have to have as little friction as possible because that’s what enables the productivity also means that, you know, it’s finding that balance between training and awareness and, and, and culture as well.
Speaker A:But we’re getting into the point where, you know, we will now have, you know, we talk about the agentic AI systems and that’s where we will have.
Speaker A:In Estonia, they created Bürokratt which is the citizens’ AI assistant, you know, virtual assistant that allows you to ask the questions and get answers immediately and how to interact with the government.
Speaker A:And I think that’s what we’re going to end up having is corporate kind of versions of these, you know, AI agent systems that will be our systems, you know, that will help us.
Speaker A:You know, I receive an email and I’d be like, I can’t tell the difference.
Speaker A:I’ll say hey, AI agent, you know, is this, is this a phishing email or not?
Speaker A:And it will then go and do all the checks in the background.
Speaker A:So I don’t need to become an employee who’s a, everyone becomes a security professional.
Speaker A:My AI agent will have the intelligence and they can do it interactively where I will ask it to go and check it or it’ll be autonomously where I’ll do it in the background automatically.
Speaker A:And that’s the great thing is I think, you know, somebody definitely kind of made a step to a jump, I would say probably a few years ago when they made that decision.
Speaker A:But it’s exciting.
Speaker A:If I take that idea and I look at it and apply it to companies and businesses and people around the world that becomes something exciting.
Speaker A:Especially when you look at, you know, an IGA side of things.
Speaker A:You know, this person needs to move positions in the company, what permissions should they have, what should they be removed and be able to interact with AI that way and I’ll be able to create you what kind of a fine grained some time access, least privilege approach with the right security controls in place as well.
Speaker A:So we’re coming that you know, really getting into where it’s, it’s fully dynamic identity and access and security all being applied.
Speaker B:Yeah and it’s of course in any organization of sufficient complexity and size there’s this problematic incentive that if you don’t understand how things works, you can kind of make changes and then you blow things up and it’s somehow it’s not your problem if you actually do understand the complexities of organization and life becomes much harder.
Speaker B:It’s a big incentive to not understand sometimes.
Speaker A:And that’s, I think that’s the key.
Speaker A:So question for you, how do you stay.
Speaker A:This is a massive area.
Speaker A:It’s always changing, it’s always evolving and I think even you know, the pace of acceleration evolutions happened so much in the last couple of years.
Speaker A:How do you stay up to date?
Speaker A:Is there conferences that you go to that helps you?
Speaker A:Is there communities that you’re involved in or what resources?
Speaker A:What do you do to make sure that you’re, you’ve got the latest and greatest news when it comes to IGA?
Speaker B:So I’m quite.
Speaker B:I do enjoy hanging out with other people who are interested in this strange area.
Speaker B:So I’m engaged in a number of the community.
Speaker B:I do, I would say if you’re in northern Europe, you can check out my list of conferences.
Speaker A:Ooh, well we’ll make sure to add it to the show notes because that’s definitely for the audience.
Speaker A:I always want to find out where’s the best place to meet or what conferences should they go to in order to.
Speaker A:To to find out the latest news and trends.
Speaker B:I discovered it was much easier to my notes of which coverage was in the GitHub and then it assists for people to find it and you can send me a pull request if you want something out to it.
Speaker A:Absolutely.
Speaker A:We’ll also make sure that one of the things is how the audience will be able to if they’ve got questions or would like to connect with you and what’s the best way?
Speaker B:Probably a shot on LinkedIn.
Speaker B:But in general I would say the big conferences there is of course partner IM London a few months and also EIC are the big, I would say the big European wide.
Speaker B:There is also the for example Identity beers.
Speaker B:I run the, the Amsterdam Identity Beer and we have Identity Beers in most places nowadays in Europe and also some in the US. So it’s another way to.
Speaker B:It’s kind of a low, low effort.
Speaker B:We just go there and talk to people and there’s always a need.
Speaker B:I’m on the board of a number of these conferences and there’s always a need for new speakers.
Speaker B:We love to get speakers, especially from companies and the simple fact is that usually in a year you can do like you know, three, four high perhaps things you can investigate, you know, if you have a decent sized team.
Speaker B:But by going to the conferences you can kind of talk to people that you know is also doing three or four things and they usually do slightly different things.
Speaker B:So then you can get a good idea and you know, and half an hour’s talk you can get the same kind of information that you normally would take you a 30 day beautiful concept to try out.
Speaker A:Absolutely.
Speaker A:That’s one of the hits for me as well.
Speaker A:That’s, you know, I’ve always that I think that’s for me is why I really like EIC a lot is because for me, you know, I, I come from a very security background approach to identity and EIC is a very identity centric view on the world that covers some security.
Speaker A:So for me I always really enjoy going to those, you know, pure identity based conferences that really kind of focuses more about the standards, the efficiencies, the productivity.
Speaker A:And then I have to think about how do I make sure that, you know, how do you do that with security in place but as little friction as possible.
Speaker A:So I always find this very, very intriguing.
Speaker A:Even others that I think, globally, Identiverse was always another great event that I’ve attended.
Speaker B:Yeah, Identiverse is definitely great, but of course it requires a trip across the ocean.
Speaker A:It does for me.
Speaker A:It was always challenging because of the dates in June.
Speaker A:That was never.
Speaker A:They were quite easiest for me to get to.
Speaker B:And then of course you have RSAC and so on, but.
Speaker A:Absolutely.
Speaker A:But much broader than Identity though.
Speaker A:That’s the identity becomes a small part of it.
Speaker A:Absolutely.
Speaker A:Well, we make sure we get your links to the GitHub in there for the conferences.
Speaker A:Also the links to the Identity Beer meetups that you have just in case anyone in the region happens to find themselves at the right time in the right place.
Speaker A:Martin, it’s been awesome having you on.
Speaker A:I always really enjoy chatting with you.
Speaker A:I enjoy your insights and what you do in the identity space in IGA is definitely fantastic and and making sure that we make the future of organizations more flexible and more enjoyable.
Speaker A:So thank you for everything you do. Every two weeks we bring you ideas, thought leadership and fun topics to make sure that you are staying ahead and informed and making sure you’re keeping your organization and the world a safer place.
Speaker A:So thank you.
Speaker A:Stay safe and take care till the next time.
