Ever wondered how an economics graduate ends up orchestrating identities in the tech world? Join us as Gerry Gebel unpacks his incredible journey from an unexpected programming class to spearheading a bank's leap into IBM technology. His story, far from typical, is a testament to seizing opportunities and navigating the dynamic landscape of IT. In our engaging conversation, we uncover the perks of smaller companies, the diverse roles waiting to be filled, and why understanding the bigger business picture is just as crucial as technical expertise.
This episode goes beyond code, shining a light on an often-overlooked skill in IT: writing. Gerry Gebel and I dissect how penning down complex tech concepts isn't just about documentation—it's a powerful tool for persuasion and clarity in a field where the right words can mean the success of a project or the resolution of a dispute. We also peer into the future of Identity and Access Management, speculating on how it must evolve to keep up with the cloud's scale and what this means for strategies and solutions in the space.
Finally, we navigate the latest currents in identity management, from the allure of passwordless systems to the necessity of AI's touch in the domain. We scrutinize how design considerations, like user-friendly interfaces, are critical in the era of serverless computing and how IAM solutions must adapt to offer robust oversight. And as we zero in on the push for standardized fine-grained authorization systems, we highlight the strategic edge of staying abreast of AI advancements, ensuring our listeners are well-positioned to ride the wave of tech evolution. With Gerry Gebel's insights, this episode is a treasure trove for both seasoned IT professionals and those considering a fresh career path.
Speaker 1: I was going.
00:00:00
Gerry, it's great to finally get you on the podcast.
00:00:03
It feels like we've been trying to plan this thing for probably
00:00:07
a year at this point.
00:00:08
Speaker 2: Almost.
00:00:08
I don't think it's been that long, but it has been a while.
00:00:11
Yeah, it's great to be with you here today.
00:00:14
Speaker 1: Yeah, it at least feels like it.
00:00:16
I'm really interested in hearing your background.
00:00:20
You know how you got into IT, what made you want to get into
00:00:24
that field, you know, and just hearing that story, the reason
00:00:29
why I started everyone off there is because you know there may
00:00:33
be some listeners that are trying to do that jump
00:00:37
themselves.
00:00:38
They're trying to do a career change in IT and I feel like
00:00:41
hearing everyone's story, you know, lets them know that, hey,
00:00:46
this is possible for me.
00:00:47
If this person did it, maybe it's possible for me.
00:00:51
Speaker 2: Yeah, sure, I guess I have one of those
00:00:55
non-traditional entries into the IT world.
00:00:59
I did not have a computer science degree, this is an
00:01:02
economics degree back at college, did a little bit of
00:01:06
programming work there.
00:01:08
I was doing one or two of my courses and then I bounced
00:01:11
around a little bit and then decided to take a programming
00:01:15
class at a technical school and I think there was like a six
00:01:19
month program or something like that and was fortunate to get an
00:01:25
opportunity at a small savings bank in New Jersey that was
00:01:29
converting from, of all things, Burroughs, the gaming equipment,
00:01:34
onto IBM Tech.
00:01:35
So I was part of the new IBM based team plan and that was
00:01:41
really my start into the IT world and then later on worked
00:01:46
at Chase Bank in New York and got more focused on the security
00:01:52
aspects of the mainframe and middleware and literally
00:01:56
web-based and you know it was before we called it identity
00:02:00
management, but later on was part of the identity management
00:02:05
emerging market, if you will.
00:02:07
When I joined the group as an industry consultant and then as
00:02:12
an analyst and then from that and went to the software side,
00:02:16
you know, was at Axiomatics, a Sweden-based, fine-grained
00:02:20
authorization vendor for several years and then now coming up on
00:02:24
three years at Strata Identity and Head of Standards.
00:02:30
Speaker 1: You know, when you, when you look back on your start,
00:00:34
you know it kind of sounds like it was a right time, right
00:02:39
place sort of situation.
00:02:41
Is that how you look at it as well?
00:02:46
Speaker 2: Absolutely.
00:02:46
It was very fortuitous that, you know I decided, then you did
00:02:51
the data of the program in class and then, of course, you
00:02:55
know that there was a local opportunity at this bank that I
00:02:59
was able to join and really learned a lot under the
00:03:04
tutelage of, you know, some more senior folks there.
00:03:07
It was really a great place for me to get started.
00:03:10
You know, got about it.
00:03:15
Speaker 1: Yeah, I'm sure you know, starting in that kind of
00:03:19
environment is it's like trial by fire, right?
00:03:22
Do you?
00:03:24
Do you find yourself enjoying those larger environments, or do
00:03:28
you like the smaller, the smaller environments?
00:03:32
Speaker 2: Yeah, definitely I'm more of a small company kind of
00:03:36
person these days.
00:03:36
You know the savings bank well.
00:03:39
We had to think about 100 branches.
00:03:41
At the time.
00:03:42
You saw a lot of the employees were, you know, branch-based
00:03:46
people, but the IT department that I worked in was fairly
00:03:50
small.
00:03:50
Of course, Chase Bank was a huge company.
00:03:54
When I left there were almost 100 employees.
00:03:57
Now it's quite a bit larger than that even.
00:04:00
And when I joined Burton Group I think we were about 50 people
00:04:08
and 150 earlier about when the company was acquired by Gartner,
00:04:12
and then you know with Axiomatics and now Strata, you
00:04:16
know both less than 100 person companies.
00:04:19
So yeah, I definitely like the smaller environments.
00:04:22
You know there's no place to hide.
00:04:24
You know everybody in really has to pull their weight.
00:04:26
You get to do a lot of different things so you're not
00:04:30
just boxed into one single area.
00:04:33
You get to work on different things.
00:04:36
I enjoy that for sure.
00:04:41
Speaker 1: Yeah, I feel the same.
00:04:44
You know, like after being in the field for about 10 years now,
00:04:50
you know I've worked at really large companies and very small
00:04:57
companies.
00:04:57
You know 30 person startup like companies, and I really
00:05:03
appreciate the experience that I've gotten at the really small
00:05:07
companies.
00:05:07
You know, because you have to wear so many hats, you know
00:05:12
you're wearing customer service, you're wearing engineer, even
00:05:15
some developer or whatever might be right, and the experience
00:05:22
that you get is like invaluable.
00:05:24
You know, I feel like I feel like people you know always
00:05:29
think that like the only place that you could get real valuable
00:05:33
experiences from, like you know, the big name tech companies
00:05:37
like video or Facebook or whatever might be, but I feel
00:05:43
like there's a lot of other companies that are doing really
00:05:45
cool things.
00:05:45
Especially now, with how you know the space is where everyone
00:05:49
can really dive into whatever they want to write with AI, you
00:05:56
know you can easily very cost affordably, you know get into AI
00:06:01
and integrate it with your product and things like that,
00:06:04
right.
00:06:04
So there's a lot of room now that exists with these smaller
00:06:10
companies that are able to do a lot more with it for you to get
00:06:13
that experience.
00:06:15
Speaker 2: Yeah, I think that's right and you know, the barriers
00:06:18
to entry into different fields are definitely lower with a lot
00:06:23
of the automation and AI capabilities that are out there.
00:06:25
You know that can help bootstrap you in different ways.
00:06:28
I definitely agree with that.
00:06:29
I didn't, you know, get going back to the smaller work
00:06:33
environments.
00:06:33
You can get exposed to different areas, like you're
00:06:38
saying, and maybe ultimately you specialize in one area or
00:06:42
another.
00:06:42
But I think having that exposure is also valuable
00:06:45
because it gives you a sense of a bigger picture.
00:06:48
You know what does it take for a company to operate, and that's
00:06:53
going to be super valuable, even if you go to a large company
00:06:57
with 10 or 50 employees.
00:06:59
And having that awareness of how the company operates and
00:07:04
functions from a business perspective is super important,
00:07:07
especially to us, I think, people you know just sometimes
00:07:09
we're disconnected from that but also learning how different
00:07:13
departments have to work together and but it is a matter
00:07:17
of scale, you know, can that scale up to a large organization?
00:07:22
And maybe, if you're more comfortable in that environment
00:07:25
or maybe not, you will realize that.
00:07:28
You know, I prefer to know that 100 to 500 employee size
00:07:32
company.
00:07:33
So it gives you that level of exposure experience, I think is
00:07:37
super important.
00:07:40
Speaker 1: Yeah, the larger companies.
00:07:41
They have very unique problems.
00:07:44
You know, like how do you build an internal application to
00:07:49
scale, you know, across the globe for half a million people,
00:07:54
right, like it's internal and you have to make sure that it's
00:07:58
completely protected with everything.
00:08:00
You know it has people's, you know, private information in it.
00:08:03
That's a problem that you're not going to get at a really
00:08:07
small company, right.
00:08:09
And it's interesting to go back and forth between you know, kind
00:08:13
of the two sizes I haven't really seen too much in the
00:08:16
middle, but you know it's interesting to go back and forth
00:08:22
between them because you see these really large problems.
00:08:25
And then you know you go to the smaller environments like, oh,
00:08:30
we need to.
00:08:30
You know kind of plan for this and this and this.
00:08:33
You know we need to be thinking ahead for this, because that's
00:08:40
where those bigger problems down the road are really mitigated.
00:08:45
You know up front.
00:08:48
You know, when you look back on your career and the different
00:08:54
skills that you've obtained, is there one place that you've been
00:09:01
that you have felt has given you the most I guess ROI, right
00:09:05
the most skills, the most valuable skills, whatever it
00:09:10
might be.
00:09:12
Speaker 2: I think I would have to point back to my time as an
00:09:16
analyst because it really helped to sharpen my writing skills,
00:09:23
because you know, we're doing research reports every quarter
00:09:27
and you have to review that with your peers and then it goes
00:09:33
through a copy edit process and let me just say that it was like
00:09:36
getting the English comp lesson every quarter when those
00:09:41
redlined reports did that.
00:09:44
So I think that was being valuable in helping you to be a
00:09:48
better, brighter and had a great writer, and I think that's a
00:09:51
universally valuable skill to have, I would say.
00:09:55
Second to that is being able to become a decent presenter at a
00:10:01
conference or on a webinar or what have you.
00:10:04
But overall it was teaching me to be more specific and precise
00:10:11
with the language that I used, because that's what you know
00:10:16
that environment was all about was being able to put forth an
00:10:20
analysis of a market segment or a vendor or what have you, and
00:10:24
kind of top it and then be able to defend that position when
00:10:27
you're being questioned by your customers or by the audience.
00:10:30
So that's a skill set that I really am grateful to have, you
00:10:37
know, being able to go on during that time.
00:10:43
Speaker 1: Yeah, that's really fascinating, right.
00:10:47
I've been talking to a lot of people lately and the idea of
00:10:54
writing as a skill in IT keeps coming up, and it keeps on
00:10:59
coming up as being a very valuable skill, which is it's
00:11:04
interesting to me because, like me personally, you know, I am
00:11:09
not interested at all when I'm told I have to write some
00:11:13
document on something.
00:11:14
You know I try to avoid it.
00:11:15
But I've been on teams where we have had, you know, a technical
00:11:21
writer right there on the team and they're writing down
00:11:26
everything you know that we're doing for different processes
00:11:29
and whatnot, and they're, you know, adding context and
00:11:32
everything and they create, you know, fantastic documents.
00:11:36
Right, they're doing the stuff that none of the engineers want
00:11:40
to do, that's for sure.
00:11:43
But it's coming up, as you know, a really valuable skill which
00:11:48
I find interesting mostly because it's not like a
00:11:53
traditional skill of IT and yet people are finding that it's in
00:11:59
higher demand or in growing demand for them to have that on
00:12:04
their IT team.
00:12:05
Speaker 2: Absolutely.
00:12:06
I mean for me personally.
00:12:08
It's a bit ironic because you're in college.
00:12:10
What did I hate the most of in the final exams?
00:12:13
Doing research reports.
00:12:16
Yeah, here, I ended up doing it for more than nine years as a
00:12:21
profession, so definitely some of my professors were enjoying
00:12:26
that moment, I'm sure in the graves.
00:12:28
But it is super important to be able to write because if you
00:12:33
need to justify a project you know you want to start, you can
00:12:38
say, from a customer's perspective, I'm going to deploy
00:12:41
some new identity or security system.
00:12:42
Well, you need to be able to convince the stakeholders who
00:12:47
are going to approve that budget that this is a worthy cause.
00:12:51
And if you can't adequately write that in a document or do
00:12:57
you present that in a presentation format, then your
00:13:02
chances of getting that project approved go down precipitously.
00:13:06
So, yeah, it's super, super important for those reasons and
00:13:11
many others, yeah.
00:13:15
Speaker 1: Yeah, absolutely, it's becoming invaluable,
00:13:19
honestly, especially if you're a technical person that has those
00:13:23
skills and they're able to do it.
00:13:25
Being able to defend your work in a written email to an angry
00:13:37
customer is a skill that you're only going to use a couple of
00:13:42
times.
00:13:43
Hopefully, I mean hopefully you're not making a lot of
00:13:45
customers angry, right?
00:13:46
But it's a skill that if you have it, you're really going to
00:13:52
shine.
00:13:53
And I remember earlier on in my career I was always taught like
00:14:00
when you're building these cases against customers
00:14:05
necessarily not a case, but the situation was where when we're
00:14:11
setting up the system, if a customer misconfigures it, they
00:14:16
can incur a $100 charge for doing the wrong thing, for
00:14:21
making the wrong phone call, and that's not a $100 charge from
00:14:25
us, it's a $100 charge from this national agency.
00:14:27
So it's the same thing for everyone in the country,
00:14:32
irrespective.
00:14:33
You know we're just passing on the fee and when that's going
00:14:38
on, you know when you're getting them set up, it's your job as
00:14:42
the technical SME to identify that immediately and reach out
00:14:46
to them and say, hey, let's avoid, let's avoid these.
00:14:49
Right, because we'll cover, you know, the first couple and
00:14:52
whatnot.
00:14:52
Right, because we're getting you set up and whatnot.
00:14:57
Well, this customer, you know I don't know where, where it came
00:15:02
from for them.
00:15:02
They just decided we're going to test.
00:15:04
You know 20, 30, 40 of these things you know in one sitting,
00:15:11
within 30 minutes, and you know let's see what happens, right,
00:15:16
and they didn't want to pay.
00:15:17
They didn't want to pay when it, when it came due, and I wrote
00:15:21
this.
00:15:22
You know really well described email of all the phone calls I
00:15:26
made, the timestamps, the emails I sent, the screenshots.
00:15:29
You know every single thing.
00:15:32
And the guy at my company that's actually tasked with, you
00:15:37
know, getting the customers to pay this fee.
00:15:40
He came over and he said, if they send anything other than a
00:15:44
check, I would be shocked.
00:15:45
It's like, how can you defend any of that?
00:15:48
Right?
00:15:50
Well yeah, I mean, that's, that's a skill you know that
00:15:55
I've had to use a couple times, right, not a lot, but it does
00:16:00
absolutely separate you apart because after that, after that
00:16:04
one experience, you know, I had other people coming to me for
00:16:08
input with a difficult customer email and things like that.
00:16:11
You know, and you know I'm just a young, you know tech guy,
00:16:16
young app specialist.
00:16:17
You know I don't know anything, right, I could probably write
00:16:21
better than I could any technical you know task or
00:16:24
whatnot.
00:16:25
Right, it's, it's interesting how that played out.
00:16:28
So, you know, I wanted to, wanted to ask you where do you
00:16:34
think the future of IAM is going?
00:16:37
And the reason why I ask is because we're kind of in, we're
00:16:44
kind of in a limbo phase right now within IAM.
00:16:48
I would say right, because we're on the cusp of IAM really
00:16:53
changing, really changing significantly, I feel.
00:16:56
But we're still trying to use older solutions for new problems.
00:17:02
You know where a PAM solution used to be the end, all be all.
00:17:08
You get a PAM solution, you get something that you know can,
00:17:13
can kind of have a self-service functionality with roles and and
00:17:18
permissions, and you're pretty set.
00:17:20
You know, you're pretty locked in, you're good to go.
00:17:23
And now we're finding that that doesn't really scale well with
00:17:28
the cloud, and the cloud has so many different facets to it.
00:17:33
IAM is so different in, you know, each cloud that that that
00:17:40
teams are having issues keeping up and their, their solutions,
00:17:44
that they've already invested millions of dollars into, are
00:17:48
not keeping up and they're not going to keep up.
00:17:50
So you know, where do you, where do you see this going?
00:17:53
Where do you think the future is with this?
00:17:58
Speaker 2: Well.
00:17:58
Well, there's I mean, lots of different things happening
00:18:00
within the identity management market.
00:18:02
You know a lot of advancements have occurred recently in
00:18:07
authentication.
00:18:08
I think over the last several years we've had more and more
00:18:11
emphasis on using stronger methods of authentication
00:18:15
rather than just relying on passwords.
00:18:17
You know we keep hearing that year X is the year that
00:18:22
passwords go away.
00:18:23
We've made some progress toward that.
00:18:25
I think the latest iteration of that technology trend is now in
00:18:31
passwordless systems.
00:18:32
We're using other technologies rather than the different line
00:18:37
on the other number of passwords , the longings, so that that's
00:18:41
going in its own trajectory.
00:18:44
But there, as you said, there are so many different components
00:18:48
to identity management infrastructure and so many of
00:18:53
them, as you said, that we used in the data center are not very
00:18:57
applicable to cloud native environments.
00:18:59
And of course, every cloud has its own method of doing it and
00:19:05
the or doing access, and within the cloud it's up and down the
00:19:10
stack too, right, you know, the application layer, the
00:19:13
infrastructure, the network for data, all of these different
00:19:17
techniques and technologies.
00:19:18
So I guess one of the one of the things we see being valuable
00:19:23
in this area that has been applied elsewhere is abstraction
00:19:28
and orchestration.
00:19:29
You know, if you think about where Kubernetes is today, you
00:19:34
know what happens.
00:19:35
Before.
00:19:35
Then you had the end where making virtualization a
00:19:40
commodity, right, or you get to the mass market, and that was
00:19:44
the prevalence for a period of time.
00:19:46
And then we switched to containers.
00:19:48
You're running our apps and workloads and APIs within
00:19:52
containers, but then how do you manage a containerized
00:19:55
environment, due to all the complexities that you point out?
00:19:59
You know, if I want to run workloads across clouds, you
00:20:03
know how do I do that.
00:20:04
Or even across different regions within a single cloud
00:20:09
platform.
00:20:09
So that's where Kubernetes evolve, right.
00:20:12
Kubernetes abstracts away the complexities of each cloud
00:20:16
platform and allows you to do that.
00:20:18
Orchestration, right to manage workloads for availability, for,
00:20:24
you know, automatic or elastic assay, and so on.
00:20:27
So I think these principles more and more.
00:20:31
He applies you to identity and that's a time that will continue.
00:20:40
Speaker 1: Yeah, you talk about the different trends overall of
00:20:46
technology and now we have this serverless thing right.
00:20:50
It's funny because you know we call it.
00:20:56
Serverless functions right, but they're running on servers,
00:20:59
yeah ultimately, they are yes.
00:21:02
Yeah, and they're significantly more complex to track and
00:21:09
monitor within the environment.
00:21:11
You know, because I feel like the overarching technology
00:21:17
evolution is growing much faster than what security solutions
00:21:23
are keeping up with.
00:21:24
You know, that's why we kind of see so many new security
00:21:28
companies, I feel, come out of the market so often is because
00:21:33
there will be a fringe.
00:21:34
You know technology evolution in one area like serverless, and
00:21:39
now we have a security company that's built around how to
00:21:42
protect it, how to monitor it, things like that, something that
00:21:46
we didn't need before, but now you know there's a growing need
00:21:50
for.
00:21:52
And you know, same thing with IAM.
00:21:55
Right, like, these IAM solutions, they have to grow,
00:22:00
they have to have more visibility into the cloud, they
00:22:03
have to be able to tie things together and monitor who's
00:22:07
accessing, what roles are accessed and used.
00:22:11
And you have to do this, you know, across all of the clouds
00:22:15
right, all at the same time and be able to tie it together in a
00:22:19
way that is simple for that analyst to look at and
00:22:23
understand what's going on.
00:22:24
Right, like there's a very short window that these analysts
00:22:28
actually have to look at these things right to determine if
00:22:33
they need to pay attention to it or not, and I always appreciate
00:22:38
a good product that takes that into account right and kind of
00:22:42
thinks that through, and you can always tell when a product
00:22:46
thinks that through.
00:22:47
Is that something that you also look at because of your prior
00:22:50
experience as an analyst?
00:22:52
Speaker 2: Yeah, and also comes through.
00:22:54
With my experience at an end user company, you know, being on
00:22:59
that side of the table where we're concerned about uptime and
00:23:03
availability and resiliency, for example, and wanting to make
00:23:09
sure that a product, while it has, you know, a purpose of
00:23:15
securing a certain aspect of the operation, will that work in my
00:23:19
operation?
00:23:20
You know it is applicable to me in my environments and so, yeah,
00:23:25
that really comes through and we do.
00:23:28
We have to think about that right now as we're looking at
00:23:32
new features or functionality or capabilities to move a Strata
00:23:37
product set and trying to address certain scenarios.
00:23:42
You are we approaching this from the end user's perspective?
00:23:46
You know that that SOC analyst or, you know, the CISO office
00:23:52
or the auditor or whomever, is the person that would be
00:23:56
operating that functionality from the other side.
00:23:58
You know, are we hitting all the notes that they are
00:24:01
interested in?
00:24:01
You know?
00:24:02
So that's absolutely part of that.
00:24:04
You know that product planning perspective.
00:24:07
Speaker 1: Yeah, it's, um, I find it, you know, kind of UI
00:24:14
design.
00:24:15
I find it to be fascinating, right, because when I, when I
00:24:19
was an analyst, and I was going through the different venues in
00:24:23
our solution, you know, there would be times where I could I
00:24:27
would say, hey, these two things, they can be combined.
00:24:30
Right, like, why do I have to go to these several different
00:24:34
places to configure this one thing?
00:24:37
You know, like, this is a common use case, right, why
00:24:41
don't we just put this all in one place?
00:24:43
And so I'm not going around?
00:24:46
Right, and looking at it from a process perspective, I feel
00:24:51
like it forces you to be more customer centric, you know,
00:24:55
especially when you deal with bad products and products that
00:24:59
you know don't make any sense and you have to configure the
00:25:03
same thing and three or four more different places just to,
00:25:08
you know, make sure that it's configured and acting right and
00:25:12
all that sort of stuff.
00:25:13
Like that sort of you know, product I typically hate and I
00:25:21
try to steer away from, because I've had poor experiences with
00:25:26
it.
00:25:26
Right, I've had, I've had products do things that were
00:25:32
unintended and I thought that I had configured it.
00:25:36
You know, one way and it did another thing, and I reach out
00:25:40
to support and they're like oh, you know, you forgot this other.
00:25:43
You know, tucked away sub menu, you know that has this
00:25:49
configuration as well, that that's what it really keys off
00:25:53
of.
00:25:53
You know it's like guys, what If it says it?
00:25:57
If it says it in one place, it should just be it.
00:26:01
You know, like that should be the solution.
00:26:04
Speaker 2: Yeah, a couple, yeah, a couple of thoughts there.
00:26:05
I mean, even when you're using a website, you know, for
00:26:08
personal use and things are disorganized, or you know I'm
00:26:14
entering data over here, but that it could.
00:26:17
The button for accept or next is, you know, all the way in the
00:26:20
far corner.
00:26:21
It's just even simple usability.
00:26:23
Things like that stand out to us.
00:26:25
I guess you know, based on our past experiences, but also we,
00:26:31
when we're thinking about, you know, product design, you know
00:26:33
we have folks that have really specialized in that area and
00:26:35
they're super good at it and we don't want to just focus on what
00:26:39
we call the happy path.
00:26:40
You know, when everything works well, great.
00:26:43
But, like you were just describing, you know where, if I
00:26:45
get myself into a corner and something doesn't work, you know
00:26:49
we want to which part of steer people back or give them.
00:26:53
You know that's a place to have a help you know logo or
00:26:58
something to help them get out of that corner.
00:27:01
So you want to think of okay, where, where can the user go
00:27:05
wrong because I haven't maybe designed things perfect and help
00:27:10
them out of that so they don't have to get on the you know the
00:27:13
phone to your support folks.
00:27:15
Speaker 1: Right, yeah, always limiting how often you know a
00:27:21
customer has to call support is it's a great thing, that's for
00:27:26
sure, and he's.
00:27:27
Any support person would say that you know.
00:27:31
To kind of circle back to IAM, what are some emerging areas for
00:27:38
emerging problems that you see IAM, you know, kind of
00:27:43
transforming or evolving into to solve?
00:27:48
Speaker 2: Yeah, maybe I can talk about a couple of
00:27:51
initiatives that I'm involved with.
00:27:53
You know one we started here at Strata to deal with access
00:27:58
policy differences across that multi-cloud scenario that we
00:28:02
talked about earlier.
00:28:03
You know, with each of those platforms having different ways
00:28:07
of defining an access rule or policy, and you know how do you
00:28:11
manage that because, you know, without some kind of policy
00:28:15
orchestration model, you've got to have some subject matter
00:28:18
expertise, you know, to cover all of those areas.
00:28:22
So we've come up with a, you know, a standard way to define
00:28:26
an access policy.
00:28:27
You call it identity query language and we built an open
00:28:31
source system called HEXA that can translate to and from the.
00:28:36
You know that identity will standard format into, you know,
00:28:40
the slope format of a cloud system and that's a CNCF project,
00:28:45
probably made it from CUNY Foundation, and you know we
00:28:49
continue to build out that accessibility and, you know,
00:28:53
show how that kind of model can work.
00:28:55
So that's, you know, one way we're trying to help address the
00:28:59
complexity of the cloud access systems, you know, through,
00:29:03
again, abstraction and orchestration.
00:29:06
So that's one area.
00:29:09
A second area that is involved in is now a working group at the
00:29:14
OpenID Foundation.
00:29:15
So those are the folks that pre-use.
00:29:17
You know, Shared Signals Framework and Continuous
00:29:21
Access Evaluation Profile and OpenID Connect and such.
00:29:25
So there's a new working group that's working on standardizing
00:29:31
some of the interactions of fine-grained authorization
00:29:34
systems.
00:29:34
So there's many of them out on the marketplace.
00:29:37
You know most of them are proprietary models.
00:29:40
You know some of them are based on Open Policy Agent or the
00:29:44
XACML standard or other formats, but there's not a lot
00:29:49
of interoperability.
00:29:50
So the authorization exchange, or a lot of Zen working group
00:29:55
for short, is working to standardize some of those
00:29:59
interactions between authorization systems and we're
00:30:03
aiming to do an interop demonstration at the Identiverse
00:30:06
Conference late May with the first basic profile.
00:30:13
So those are a couple of things that you know we're involved in
00:30:17
here at Strata.
00:30:18
You have to try to help the industry move forward in a more
00:30:22
standardized way.
00:30:25
Speaker 1: How do you think AI is going to be impacting IAM?
00:30:29
What impacts IAM?
00:30:32
How do you see that going?
00:30:39
Speaker 2: Well, there's a lot of people interested in both of
00:30:42
those projects and a lot of focused energy on it right now
00:30:48
and I think, with the intention in the industry around security
00:30:53
and all of the breaches that we continue to hear about, some of
00:31:03
those kind of issues can be dealt with with these two
00:31:05
projects, but it's just a way to try to improve security overall
00:31:11
and there's a lot of interest out there and a lot of grounds
00:31:15
will be mentioned behind them, he says.
00:31:20
Speaker 1: Yeah, it's interesting to see where the
00:31:23
space goes in the next five years.
00:31:26
Right, it's just a fascinating time because I feel like there's
00:31:32
a lot that we don't know of what's to come just yet,
00:31:38
especially with that huge X factor of AI.
00:31:43
Speaker 2: Well, it took us before we mentioned AI, and it's
00:31:45
pretty good actually.
00:31:47
Speaker 1: Yeah, I mean, I've had a whole podcast about AI and
00:31:52
quantum cryptography and all that sort of stuff.
00:31:56
It's a fascinating area, that's for sure.
00:32:01
But I wonder.
00:32:04
I just try to look at everything from the perspective
00:32:08
of if I was starting over today, right, what's the thing that
00:32:13
I'm trying to future proof my career against?
00:32:15
What's the thing I'm trying to learn now that in five or 10
00:32:19
years is going to be very valuable, right?
00:32:22
And obviously one of those things is AI.
00:32:25
But AI is so broad you really have to dial it in and figure
00:32:32
out what niche of AI you should be taking part in.
00:32:36
So that's how I approach it.
00:32:39
Is that how you look at it as well, or how do you view the
00:32:44
industry like that?
00:32:46
Speaker 2: I think with any new technology that comes onto the
00:32:50
scene, especially one that is so impactful as artificial
00:32:54
intelligence, you really need to examine how that, number one,
00:32:59
affects your own career path.
00:33:01
Which is going to do for me or against me and I would say most
00:33:09
people should look at learning more about AI.
00:33:14
How could it be used to help me in whatever job I have, whether
00:33:19
I'm a developer.
00:33:20
Look at these code generators and co-pilots. Is that something
00:33:25
that's going to help me become a better developer or not?
00:33:30
Another way to look at this is well, if I am a developer and
00:33:34
there's all these co-pilot code generators out there, find out
00:33:40
what the limitations are, because if you can fill in the
00:33:43
gaps of where they have a limitation, then that's a
00:33:47
valuable asset to be able to bring forward.
00:33:50
If you're just a me-too, I'm just a basic, kind of
00:33:57
run-of-the-mill developer, then your value is, I think, a little bit
00:34:02
decreased.
00:34:03
But if you know how best to use AI in your role, then that's a
00:34:08
value add. Because, as we can see, we're still in the very, very
00:34:13
early days of it.
00:34:14
I mean, look at the stumbles of even the giant like Google in
00:34:20
their launch of Gemini recently, which that just is further
00:34:25
evidence that we're in early days, so get in now, learn
00:34:30
where the limitations are and how that evolves over time, and
00:34:34
that's, I think, the best position you to take advantage
00:34:37
of that where appropriate or where necessary.
00:34:43
Speaker 1: Yeah, we haven't dove into it very much yet, but
00:34:50
could you tell us what the problem is that Strata is
00:34:56
solving and how you're going about solving it?
00:34:59
Speaker 2: As far as with AI or just in general?
00:35:01
No, just in general.
00:35:03
Okay, sure.
00:35:04
Well, Strata is an identity orchestration company.
00:35:08
So when we think again back to the multi-cloud environment, if
00:35:14
your company is adopting more than one cloud platform, then by
00:35:19
definition your multi-cloud will use your multi-identity.
00:35:26
What Strata enables you to do with identity orchestration is
00:35:29
manage these different identity components, whether they're
00:35:33
legacy and on-premises or in the cloud, so that in the user
00:35:38
journey of when a user logs on to an application environment,
00:35:43
we can direct that user to authenticate to the right
00:35:48
identity provider.
00:35:49
If they need to also add a multi-factor authentication,
00:35:54
like a passwordless or 2FA authentication, we can direct
00:35:57
them to that source.
00:35:58
If we need to gather up additional data points to start
00:36:03
the session, you know, that the application needs, we can go over
00:36:06
and retrieve those.
00:36:07
So we're in the middle of that session, orchestrating what
00:36:11
happens in order to get the right information to that
00:36:15
application so that it can operate for our crookier.
00:36:19
So that's the abstraction that we talked about earlier.
00:36:22
So we abstract away the hard-coded implementation of
00:36:36
your apps to your application so that you can choose out these
00:36:40
identity components as the technology does advance.
00:36:43
You know, if you implemented an older multi-factor
00:36:47
authentication technology, say, five years ago.
00:36:50
Now you want to move to passkeys or some other passwordless
00:36:55
model.
00:36:55
Well then we can just pull out one component and plug in the
00:37:00
other and make that migration much easier and faster than if
00:37:06
everything was hard-wired to each application.
00:37:13
Speaker 1: Yeah, it's really interesting.
00:37:15
It's really fascinating that you know you're approaching the
00:37:23
problem from that angle, because I feel like that is that's
00:37:30
something that you typically don't want to change very often,
00:37:34
because it is so difficult for your developers to set up the
00:37:41
new identity authentication process or method or whatever it
00:37:45
might be, and you need something very lightweight to
00:37:49
sit in there that can manage it right.
00:37:51
That's really the only solution.
00:37:53
But from what you're describing, it's kind of like almost plug
00:37:57
and play.
00:37:59
Speaker 2: Well, it becomes that right.
00:38:00
Because if you want to change the technology without that
00:38:04
abstraction in the middle, then you have to refactor those
00:38:08
existing applications to change out their authentication modules
00:38:12
and that's costly from a resource and time perspective.
00:38:17
You know, that's what our research has showed us and shown
00:38:21
our customers.
00:38:22
So introducing that abstraction gives you that flexibility to
00:38:27
adapt to technology just much faster.
00:38:30
Because you know there's I think historically there would
00:38:35
be a resistance to change.
00:38:36
Well, I just installed that system five years ago.
00:38:39
I'm expecting a seven to ten year lifespan out of that
00:38:43
investment.
00:38:44
But if technology is faster than that and the security
00:38:49
threats accelerate faster than that time frame, what do you do?
00:38:52
You're forced now to make an investment earlier than you
00:38:57
wanted to and that could be costly.
00:39:00
But with abstraction in the middle it's much, much easier to
00:39:06
get those changes when we need to, rather than, you know, forcing
00:39:10
a specific timeline on that.
00:39:14
Speaker 1: Yeah, that makes a lot of sense.
00:39:15
Well, you know, unfortunately we're at the top of our time
00:39:21
here.
00:39:21
You know I try to be very cognizant of everyone's time
00:39:26
before I let you go.
00:39:27
How about you tell my audience, you know, where they can find
00:39:30
you if they wanted to reach out, where they can find Strata, if
00:39:33
they want to learn more great information about your company.
00:39:37
Speaker 2: Sure, appreciate that, Joe.
00:39:38
Yes, you can find me via email at Gerry at strata.io, Gerry
00:39:43
with G, and Strata's website is also strata.io.
00:39:48
So we've got lots of great information out there and we're
00:39:52
typically at some of the major industry conferences around the
00:39:57
world.
00:39:57
You know, European Identity Conference in Berlin coming up in
00:40:01
June and Identiverse in May out in Vegas, probably at the
00:40:05
Gartner identity event later in the year as well.
00:40:09
So we're usually at those major events.
00:40:11
Stop by and say you are see some of my colleagues and
00:40:15
appreciate being on the show, Joe, and it's been great talking
00:40:19
with you.
00:40:21
Speaker 1: Yeah, absolutely. Likewise.
00:40:22
Thanks everyone for listening.
00:40:25
I hope you enjoyed this episode.