Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With a combined 30+ years of IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry.
Do you know who has access to what?
Good. You’re not the only one with the new company, you know? Jeff and I are as well. I’m not sure if we’ve even mentioned it in any of our other episodes, but our new company, Protiviti, acquired Identropy at the end of 2020, and so we’ve been on this ride — we’re recording on January 27 — so almost a month. How long has it been, Luis, now, that you’ve been at Clear Skye?
Yes, it sure has. John Milburn, who ran One Identity and he was with Quest — I worked with him when I was at Quest — he’s our CEO. I’ll tell you, I’ve never worked for someone that can put so much pressure on me for selling and yet keep such a great sense of humor. He says, when people ask, “How are you doing?” he says, “We’re at a startup, so every day is Friday.” You would think that everything is wonderful, because you’re at a technology startup headquartered in Silicon Valley in one of the fastest-growing industries — cyber security, identity management — but you realize how much effort that people put into it, these visionaries that found a company, and then the people that embrace them and build it: It is a lot of work.
I remember early on, John asked me, “What do you want to do with APAC?” Being the sales guy that I am, I said, “Let’s go for it.” If we could get a couple of deals out there, that’d be great, and we did. We have a very, very interesting reference account in Australia — first deal that we’ve done with Accenture — which, for us, is really important. But I’m taking calls at eight, nine, ten o’clock at night and then getting up at six-thirty, seven in the morning and already have an inbox full of emails from the team in Europe. I’m not complaining — it’s amazing — but hats off to all those that have come and gone before us and have succeeded in building a business, including Victor and Identropy, and all the things you guys have done — and congratulations on the Protiviti thing. How’s that going for you guys?
From my seat, not much has changed, and I know that’s probably not the shared seat of everybody, but at least I’m working with a lot of the customers that I worked with prior, either in presales or actually in consulting, and still working on tails of projects that started prior. Definitely, I see the things that will change from a corporate standpoint. Even though Identropy wasn’t a startup, it wasn’t a very big company, so we didn’t really have a different system for everything, and obviously, with big companies, that’s exactly how it is.
But, at least, one of the great things is the opportunity that I’m seeing — there are so many folks who are in other areas of information security or technology, or not even in technology. I was always impressed, when we were at Identropy, that we could be a small company that definitely wasn’t a household name, and the household marquee brands that we would step into on a regular basis, and we were consulting with household-name companies. And it just seems like these doors are opening even more at Protiviti. I’m excited about it because what I love to be able to do is provide my experience and my advice and advisory services. I like to map that back to what advisory is: It’s advice. I’d like to be able to give that advice to as many folks as possible. That’s why we do the podcast — to get that information out there and work, and then, help those clients be successful.
And we’re all trying to accomplish the same thing, which is stay one step ahead of the folks who are looking to pull off exploits and data breaches and things like that. We’re also looking to create a better customer experience. That’s one of the things I love about information security — that it’s less guarded, from the standpoint of everybody trying to get a competitive advantage – it’s not really a competitive advantage in security. We’re all trying to accomplish the same thing. People, in my experience, have been pretty open to sharing their stories and sharing their methods to succeed.
What do you think, Jeff?
Yes, I would echo that. It’s always a change, whenever you go from a very small company, from 50 people to 7,000 — navigating some of the process around that. But at the end of the day, the job is still the same. It’s like you said: It’s providing advice, providing an opinion, and I think it’s a great job. You’re basically paid to provide an opinion. We want to make that opinion based on as much fact and real-world experience as possible. I think that’s where it makes it really easy for yourself, me and the other members of our team to be able to do that.
I certainly was excited when I heard, and the reason for that is — first, just a little bit of background. Not to make this about Clear Skye, but for context, Clear Skye, we’ve developed an identity governance administration tool natively on the ServiceNow platform. Fundamentally, we’re a ServiceNow product. It’s a ServiceNow user experience, and for those that are integrating IGA using our product, it’s ServiceNow skills.
As I was building out the channel, a friend of mine at ServiceNow who manages their risk channel — they’re partners that do governance risk and compliance — she pointed me to Protiviti in Italy. She said, “Protiviti in Italy is one of the partners that is doing the best GRC work,” so I immediately called those guys — tremendous amount of ServiceNow experience — and when I heard that Identropy was becoming a part of Protiviti, I called Victor up and I said, “Vic, we’re really going to be able to do some great things now,” because identity is about process. How do you automate access to applications, or how do you govern that access?
If you think about it, it’s all a process, and ServiceNow is about process automation, making workflow better, making that user experience better. If we take those identity processes and we move them onto the ServiceNow platform, the execution of that really is about ServiceNow resources. The concept that you have identity practitioners such as yourselves that understand how to ask the right questions, to understand a company’s business process, to optimize it, then what you can do with Protiviti is, you can lean on the ServiceNow bench to then automate what you guys are discovering and recommending. I think that’s a value there that we see Protiviti bringing to the identity space and complementing the skills that Identropy had.
Thanks. One thing that I’ve been thinking about is exactly that convergence of technology and business, and what we’re seeing over and over again with our clients is, they’re engaging these digital transformation efforts, and identity is right at the center of those digital transformation efforts. But you can’t get very far until you have control over that customer and the 360-degree view of the customer. But I had in my mind the digital transformation approach — there are two bookends to it. There’s the best-of-breed approach, a hundred different applications, where you took the best application for each one of those functions, and you’re trying to pull them all together, and then there’s the total opposite end, and you say, “This is the platform that we want to go on,” whether it’s Salesforce or ServiceNow or Microsoft or whatever, and that becomes what you build your application portfolio on.
What I find the most is that everyone is somewhere in between, but they trend one direction or the other. I wanted to get your thoughts on that, and then, just to mention, when I first started hearing the digital transformation term — and still, what I hear the most is around the customer IAM — but I think it’s just as relevant for companies transforming digitally internally as well, so talk a little bit about digital transformation, and ServiceNow as a platform approach and where you guys fit into that.
I won’t speak for every identity practitioner. I’ll speak for myself and say that I’ve been in the identity governance space for 15 years, and whether we like it or not, we become very myopic, where it’s all about identity governance all day, all night, and that’s it. Moving to Clear Skye, what I’ve come to realize is that there could be a different way to define the value around IGA than the one I was accustomed to. I always told customers that identity governance was about two main value propositions: One was IT optimization, which would be through provisioning and the automation of granting that access, and the other one would be enhanced security through governance, access reviews, etc.
Well, ServiceNow somewhat opened my eyes to the fact that if you look at those two value propositions, both of them are really about user experience. Whether I’m a new user — a new employee being onboarded — and having to gain access to systems, that process is a user experience, a new-employee user experience, which is even more critical, or whether I’m an employee, where I’m reviewing access or I’m requesting access, that is also user experience. What ServiceNow’s messaging and their value proposition to the market showed me is that user experience is about productivity, and that user experience is really an enabling factor in a business, and that’s what digital transformation is all about.
What I’m learning is that companies, as they digitally transform, what they’re trying to do is change the way that they’re dealing with customers and dealing with employees, and they’re looking for ways to maximize those interactions. Once we start to think about identity in that capacity and you start to think about the role — that knowing who the user is, what they have access to, who they report to — when they gain that access, those are things that can become a fundamental building block as you change the way you’re interacting with employees and customers.
I think the user experience is something that you bring up that’s always been near and dear to my heart. I’ve been involved with holy wars inside of that enterprise with “What does that user experience look like?” and a lot of times, it revolves around access request, because that’s the front door for IAM for a lot of organizations and how people are going to consume those services. It used to be that there are two choices: Either you put it in your IAM platform, or, in this case, what we’re talking about, specifically, is identity governance platform — something like a SailPoint and a Saviynt, a Clear Skye, something on those lines. Or do you put it into the IT request management platform? Maybe it’s Remedy or ServiceNow. That was always a struggle internally as to who is going to be responsible for that.
Sometimes, there’s a lot of kingdom building that takes place between different services, because it’s pretty rare that your IT request tool is going to be run by the same people who are running your identity and access management tools. I used to be very much a proponent of “Put it in the IGA tool. That’s what it was designed for — it has the workflows, it has the approval steps, etc.” And that was probably true 10 years ago, maybe even longer, but I think that products like ServiceNow and others have come along and greatly improved their user interfaces at this point, where there is a lot of feature parity.
And it makes sense now to consider just putting it into the IT request tool, which is obviously how Clear Skye has positioned itself — putting it within the ServiceNow platform — which makes a lot of sense if you already have development capability and technical chops around your IT request tool and you can put your access request in there, and it’s in a manner that is good for the user from an experience perspective and can be updated in a way where you don’t have to worry about stale Active Directory groups showing up and people requesting things that probably don’t exist anymore and things like that. It’s some dynamic way to be able to keep that data updated that makes a lot of sense. Can you talk about what your experience has been, taking into account that internal struggle that has been one of the historical factors of a lot of request management processes?
It would make sense if you think about it. Access request, back in the day, before the IGA platforms, would’ve originated in that request system, and over time, it specialized, and it became independent, and most of our IGA use cases that are integrated with an access request system, it’s just that. It’s like an ITSM integration, and when I first started working with Clear Skye and understanding the platform, I thought, “Great — we have a better integration with ITSM because we’re native. There’s no need for an integration module.”
What I’ve come to understand is that ServiceNow is much more than, by far, the leading ITSM access service request product. Under Bill McDermott, the new CEO, it’s really an app engine, a digital transformation engine. Clear Skye IGA on the ServiceNow platform is really not about integration with ITSM, although that’s there. It’s really about enabling and powering the platform. What I mean by that is that on that platform today, you’re going to have products or processes that are being run — workloads like CMDB or GRC, which they call IRM. They have security operations products, vulnerability management products. They have cloud operation management products. They have asset management products.
In my mind, a gaping hole would be identity information — getting that identity information and making it available to those other processes that are being run — and GRC is probably the best example that I could think of. But not only that — making the data in those other products available to the IGA product. For instance, before provisioning, I might go and check the CMDB before I make a workflow-approval decision on whether this should have that access or not. What’s interesting is that the platform becomes increasingly more valuable as there are more and more processes being run on that platform.
Luis, is governance in an ITSM system only for small and midsized businesses? Can it handle the complexity of a large enterprise?
Jim, that is, to me, the most surprising thing, and the way you phrased that question was perfect. When I first started looking at Clear Skye, I thought, “Great. This is going to be a midmarket, slow-enterprise product. People who have been doing a greenfield, we’re going to be able to be a little faster, a little cheaper, a little better because we’re in the cloud, better workflow, etc.” What I’ve come to learn is that most of the attention we’re getting, thank goodness — it added a zero to our business plan from the large enterprise.
There are lots of different examples. Right now, we’re engaged with a very large healthcare system, and they have one of the legacy products. By legacy, I mean the old-school IBM, CA, Oracle, etc. They want us to take the entitlement catalog from that legacy system, move it up to the platform, and allow the users to be able to request entitlements on the new platform and leave that legacy system in place to provision to Epic, and we all know how complicated that is.
We have a very large bank that has one of — I don’t want to give away the bank if I say too much, but it has a very large Oracle implementation, huge. Oracle is doing all of the provisioning. They’re setting out now to tackle the governance aspect, and we’re doing that component. We just closed a very well-known hedge fund that had a very well-developed — I hate to mention the product, but the leading product that comes to mind, the on-premise version, which is incredibly flexible, and they say, “Look, we’re digitally transforming. We’ve got to move this to the cloud. The cloud product doesn’t meet our needs, and we want this on ServiceNow.”
So, yes, that’s really the most surprising, and I’ll be the first to admit that we have some gaps. For instance, we have 20 connectors available today, or 15 in 20 — competition has hundreds. We’re developing advanced functionality like segregation-of-duty rules, so we don’t have everything that you would expect, but I’m surprised with — or people are surprised with — how much we have, and that large enterprise looks at us and says, “I can live with your gaps, because this is a low-code, no-code platform, extremely flexible, so I can take the solution that you guys have built inside ServiceNow and build upon it.” It’s pretty cool.
What’s the driver — in your experience, that customer base you’re talking to, what is the driver for them? Is it enablement, is it reducing cost, is it something else? What do you think?
I really think it’s about — I hate to say it — that buzzword, digital transformation. Let’s start bringing that down to user experience. Is it the customer user experience? Is it the employee user experience? Break that down even further — that’s productivity, that’s becoming more competitive in the market. A lot of the analysts I’m talking to, and people that are on the SI side, who have been doing this a long time, they say, “Look, IGA is long in the tooth.” It killed the Gartner Magic Quadrant, we’re now in the market guide, because we entered the plateau of productivity.
The SIs are saying to me, “Look, there is very little value-add that we could bring beyond application onboarding and adding a ton of connectors to bring a ton of applications into the fold. You guys are offering a ton of opportunity for us to innovate because now, identity is on the platform” and we can do use cases that span multiple products. We can add value that we couldn’t before, and Jim, also, to a degree, from a selfish perspective for them, they are now going to be able to tap into budgets that are probably 10x their identity budget. If you go talk to a large bank or a large telco, you say, “What’s your identity and access management budget?” and you say, “What’s your digital transformational budget?” it’s significantly bigger.
I think that’s huge. I’ve got someone very close to me — he’s a CTO of a very large packaged-goods company — and he said that their whole mission in life right now is to ethically acquire user data and user-buying tendencies, and how they’re doing things differently because they have this route to market, they have this relationship with retailers and with consumers, so now they’re thinking, “Because of the digital era we’re in, how do we further capitalize on that mindshare we have from the consumer and the retailer? What are other things that we can make better in their lives? What type of data or information can we make available to them that would make us the natural company for them to buy other goods and services and products from?”
We’re seeing that transformation in fintech. I think Amazon, for me, was the first that I saw that where I’m willing to pay more, because Amazon’s making the right recommendations, has all my credit cards on file, delivers in two days — I forget I bought something in the products at my house. Yes, I think that’s really what it’s all about.
Also, Jim, the other trend is cloud. If you think about us crossing the chasm, we’re in a fad. The real smart people, the cool kids, know we exist, and they’re really interested in us, and thank goodness we’re taking on a lot of momentum. But we’re a fad within the trend of digital transformation and movement to cloud.
If you guys remember, the identity space where we always had legacy last-mile connectors, if you remember, I’d always say, “OK, cloud’s great, but what about the stuff that’s still on-prem legacy?” What I observed, being an identity practitioner, was, “OK, well, people are moving to the cloud application by application — Salesforce, CRM. All right. Well, let’s get rid of these old services. Let’s go there.” HR Workday — let’s get rid of these servers and move to Workday. The platform vendors today — like Microsoft, where the app dev engines, which are Microsoft, Salesforce, ServiceNow, and OutSystems, which is a kind of a no-name one — are saying, “Move everything to me. Automate your processes on our platform. You could do it all here.” And that way, you have lower cost across all your functions, because it’s all the same resources.
I think that plays in, too, with general consolidation that we’ve been seeing in the IAM space, with companies spinning off different parts and being acquired by former competitors — things like that. I’m thinking of CyberArk and Centrify and Idaptive, for example. I think that consolidation is going to continue to happen, obviously. One of the things I want to go back and touch on real quick is the mentioning of the silos of data, and that is a historical problem that is very difficult to solve for, and the further you kick that can down the curb, the harder it gets to fix. It also is a privacy concern for a lot of folks now because of the potential types of data that could be stored and how it’s used, and you’ve got things like the California privacy protection, things like the GDPR, and at some point I would imagine, in the U.S., at least, there’ll be probably something very similar to the GDPR coming along.
The way that companies and organizations are storing all that data across all of those silos has become very difficult to manage, so the challenge from an IAM perspective there is, how do you bridge those silos and get to that single source of truth and make the data available to the appropriate parties when it’s needed for whatever purposes are being used, but also give the user, or the customer — however you want to look at it — the ability to manage their own data? I think that’s going to be an interesting challenge for a lot of organizations that have not really had to deal with that yet but are absolutely going to have to at some point in the future. And by simplifying and reducing the number of disparate silos of identity data, it’s going to make it a lot easier.
I just want to go back on that real quick, and then I talked about that consolidation. I think you were getting into it, too, with low-code, no-code solutions and people building processes on that and then having businesses and people within the business willing to adapt their daily processes to be able to take advantage of those technologies, because that’s always one of the hardest things: Change is hard. This is the way you’ve always done it. I have always sent a fax to somebody for some access or some request, and this is just the way we do it. Before that, I used to stop by someone’s desk, or instant message, and now it’s this new way that is maybe more self-service.
I love the Amazon example, because that, in my mind, is a great example of a user-friendly process. It just works. No one trained you how to use Amazon. You just went on, you bought that thing you needed, and it was intuitive enough where you figured it out. And then, like you said, two days later — and maybe even earlier than that — the thing is showing up at your door. I think there’s a lot of opportunity to take that model and apply it to services from an IAM perspective.
That’s interesting. I thought we were going with that, Luis — are companies going to look for a way to offload identity, like they did with the credit card data? And I think that would be to their detriment. I think the social log-in idea has a lot of benefit, and for some companies, maybe it makes a lot of sense, but when I think of something like when Facebook acquired WhatsApp, they paid some exorbitant amount of money — like $3 billion — for an app that, at least in the U.S., we were not using that much, not that they’re buying the technology. The technology was OK. It wasn’t $3 billion worth of technology. It’s all the identity data. Once they knew that identity data and they could apply their artificial intelligence to all the data that they were collecting about people, they could make money off of that data. I think that’s what smart companies have to do: They have to be able to take that identity data — I’m calling it artificial intelligence as, certainly, the buzz term — but they’ve got to apply some intelligence around what people are all about in order to turn that into revenue in the future.
Jim, you said it much better than I could have. You just nailed it. You just said companies need to take that identity data and wrap things around it, like AI. Well, guess what’s up on that platform? They have an AI module. That identity data is up there. Can we do anything around vulnerability management with that data? A nexus of processes and workloads and information? I’m not saying this is true, but a thought came to mind right now. It’s almost as if the centralization of these processes on a platform resembles mainframe. If you remember the decentralization off the mainframe, the distributed, maybe what we’re seeing is a similar process to those platforms in the cloud.
I wanted to ask a question to wrap things up. I’ve been reflecting on the name of this podcast: Identity at the Center. It’s something that I truly believe from an information security perspective, but I’m thinking about it today in terms of the digital transformation perspective. Identity truly is at the center from a security perspective. When you think about something like the concept of zero trust — when zero trust first came out, I thought, “This is kind of buzzy and things, and what about firewalls?”
And we’ve been talking to some folks, and I certainly understand that zero trust doesn’t mean you don’t need firewalls. It just means that you can’t just rely on firewalls. Then, when you break down that level of comfort that people on the outside of the firewall are outsiders and people on the inside are insiders — and certainly, with the pandemic, we’ve seen that all fall to pieces — to me, it’s the identity and the identity control plane that really gives you your best sense of security. It’s not DLP, it’s not network-intrusion prevention, things like that. It’s identity and access management.
But also, thinking from a digital transformation perspective and what we were talking about earlier, digital transformation means a whole bunch of different things to different people. It could be replatforming applications. It could be coming up with new technology for master data management or customer data management. It could be all these things, but until you have your arms around the identity of whoever is your customer — whether those are your employees, or those are people buying your products, you have your arms around them and understand relationships between them and where all your data is for that identity and you’re able to pull it together — to me, you can’t succeed in the digital transformation. To me, it’s just one more reason identity is at the center. I want to throw that out there and get your thoughts before we close it out.
I love that concept of identity at the center. I think our team at Identropy, we did a lot of work around that. The question I have now is, where’s the center? Where do you want the center to be? If you look at companies like Microsoft — and that’s the first one that comes to mind — or Salesforce or ServiceNow, where if you plot this trend out, let’s assume that this trend is actually victorious and organizations, instead of 200 vendors, have three, four, five platform vendors, the pendulum swings all the way over to the other side from distributed and decentralized, that will be the center, and that’s where you want identity. Not on some often authentication authorization platform or some convoluted, complicated cloud PAM platform, or something like that.
You want it at the center, where most of your workloads are being processed, and that’s what’s so exciting, Jim, and that’s why I’m happy to be where I’m at, and I’m so privileged to be speaking with you and Jeff and getting the band back together again, because I think the Protiviti thing for you guys is a similar trend. Now, your identity expertise could be at the center of Protiviti, which has much more reach, much more breadth, and it can provide much more value to your customers, so congratulations.
Well, thank you, man. I think that is the opportunity. When I think about this industry — and I’ve been in this industry since ’03 — it’s funny that some of the folks that we’ve had on the podcast were stars in the industry back in 2003. So, 2003 sounds like a lot, but it’s really not. I think identity, for some people, will become just a stop along the way. And to be able to have stayed in this industry for as long as we have and see it grow, and work through it and survive — when I first got into IT, I was really into network computing and setting up servers and things like that. To me, that’s still happening, but at the enterprise level, it would always get outsourced. Identity is still so crucial to the business that I don’t see it going away in terms of being a discipline that is really important. And to your point now, in a bigger organization, where there’s so much focus on security and privacy, the epicenter of all that, it still ties back to identity, so it just creates more additional opportunity.
Amen. It’s like, we didn’t pick the identity life, the identity life picked us, and I sure am grateful for it, guys.
I think that’s a common theme that we’ve asked everyone who’s come on the show, did it pick you, or do you pick it? I don’t know. I don’t have official numbers, but I’m going to say, at least 90% have come through and said identity picked them, and I’ll go with it too. Before we close out here, identity at the center — I think you could be at the center of whatever you wanted to be. I think it’s flexible enough that depending on the use case, depending on the problem you’re trying to solve, there’s enough flexibility there to be able to work it in some way.
I just came up with the new tagline: Identity Everywhere.
That sounds like a real nightmare for somebody who is in the identity field.
That’s right. Sorry, I take it back. That’s why you guys are the advisers. Again, thank you guys so much for inviting me. I love the conversation, so thanks for giving me that opportunity.
Yes, so just talking IAM among old friends. Hopefully, at some point, we’ll be back in Vegas enjoying a nice cut of wagyu steak. I think the last time I saw you, back at the end of 2019, I guess it would’ve been for Gartner, so, hopefully, we’ll get back together at some point. Before we close things out, any final words of wisdom from you, Luis?
Oh, my gosh. Absolutely not. But I hope there was some value. Definitely for me, catching up with old friends was valuable, so, again, signing off. Thanks so much, guys.
Thanks, Luis. Jim, anything you want to close with?
Well, you got me thinking about wagyu steak. I would say wagyu steak on somebody else’s credit card is better than wagyu steak on my own credit card. I will say that. We had some really good steaks in Vegas at the 2019 Gartner IAM Summit, but like I always close out with Jeff, we are honored to have the listeners that we have and want to connect with them, and I’d say the best way to do it, at least for me, is on LinkedIn, so if you listen to the show and you’re interested in connecting and networking, just go ahead and send me a connection, and I’ll be thrilled to accept it and respond to you.
Yes, same here. I’m always happy to connect with folks who are listening, and just the identity space in general, and just talk. I’ll throw our LinkedIn connection information into the show notes, and we’ll put links to there for Luis and for Clear Skye as well so you guys can check them out. With that, we’re going to go ahead and close it out for this week. I appreciate everyone listening, and we’ll talk with you all in the next one.
Thanks for listening to the Identity at the Center podcast. If you like what you heard, don’t forget to subscribe, and visit us on the web at IdentityattheCenter.com.