Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With a combined 30+ years of IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry.
Do you know who has access to what?
Welcome to the Identity at the Center podcast. I’m Jeff, and that’s Jim. Ian Glazer is the cofounder and vice president of IDPro, and we’re very lucky and happy to have him on. Welcome to the show, Ian.
Scene closes. A couple of months later, the guy who’s covering sales in my region got recruited by a user-provisioning company. Happened to be Access360, which was one of the really early user-provisioning companies back in the day, when BMC Control-SA was a big deal, and whatnot. Well, he got recruited, and he was like, “Look, this company’s recruiting me,” and this was at the height of the dot-com bubble. He’s like, “I don’t get all the technology. Would you mind coming out with me to SoCal and be my BS sensor?” I was too young and stupid to realize that I was also being recruited at the time — like, “Yeah. Good job.”
It turns out that I ended up being offered, and taking, a position of field sales engineer and consultant and a bunch of other stuff at Access360, and so I started in user provisioning properly — my little foray into directory services notwithstanding — and, I don’t know, I like it. It liked me. I don’t know, it was like a good chocolate–and–peanut butter thing, and I stuck with it. From there, I got to see more of the industry.
We got acquired by IBM, which put me in a much bigger company with different opportunities. I got the opportunity to move into product management, got the opportunity to work with analysts at that time. And from IBM, I went to a network-based access-control company that was putting identity into packets themselves, which didn’t really pan out, but I learned a ton, especially from a debugging perspective — like, if you can debug wacky, strange network stuff, you can debug almost anything. Moved from that into a company that was doing governance risk and compliance at the height of the segregation-of-duties, SOX-compliance world, and I built a bunch of identity stuff there, plus a segregation-of-duties engine.
And then finally, after years of trying to figure out how to get in, I joined the Burton Group, which was an analyst firm known for identity and security research. We got bought by Gartner and I spent a bunch of time there, and then I joined my current employer, Salesforce, almost seven years ago to help look after some of the identity products.
So, a winding path, but I played a lot of different roles around identity products, and I’m really grateful for that because, honestly, I got to see the world and meet some amazing people all over the place and see some amazing customers, and helped them with their success, so I’m deeply appreciative of the opportunities I’ve had.
When I joined Burton, I got to join an amazing team of identity practitioners. These are some people — one of them is still my mentor — amazing folks in terms of the ability to think about a problem space and its implications for customers. The first thing about being an analyst is, it’s terrifying, because people think you’re the expert. If you’re just starting out, sure, you brought some stuff to the table, but to be the expert — if it’s, say, access certification, which was one of the first reports I had to write — was daunting. Not so much writing it, but taking inquiry, taking phone calls like, “Hey, we want to talk to the expert about x,” and that winds up on your desk, and you’re like, “I’m sorry. You were looking for an expert, sir, that—? You should go talk to Laurie or Jerry” — you shouldn’t talk to me.
In fact, I have a whole talk about this. Actually, my secret-strengths talk is just about this experience of being called an expert and yet not feeling that you have the confidence to be so. There’s a steep learning curve to get to comfort there, which is true in taking any role, but the thing that was fun about it was, I got to help a lot of people and a lot of customers at scale. Think about what would really work, validate that with enterprises around the world, and then publish good practices from there. I love that. You reach a point at any gig when you feel like, “You know what? I’m doing more internal than I am external, and I’m not helping as much. I’m not really getting the time with my customers that I’d like to,” and I hit that point, and it was time to move on, but I really enjoyed the time I spent doing it.
Because of the way Burton got folded in with Gartner, I never worked on any of the MQs. We would collaborate a little bit around questions and things like that, but we were on our own little island of misfit toys. It was a great time — got to do a lot of other things, but having just recently responded to a Forrester wave, it’s still like I can’t skip too far away from the analyst gig, it seems.
One of the things I think about — that people expect you to be the expert — this happens to Jeff and me all the time. We’ll be asked to consult on privilege access management or access management or identity governance, and it’s the same kind of scenario where people expect us to know every product, whether each one of the products can fit their exact niche use case. My feeling is that there’s nobody in the world who could answer that question for all the different vendors, and if anybody could, it would be the analyst from Gartner or from Forrester or from KuppingerCole — and I don’t even think that they could, but if they could, they still don’t do the kind of consulting that we do.
I wonder if you feel the same way — that, especially as the landscape is broadening, there are so many offerings, so many vendors, that it’s impossible for any one person to know how each product handles each specific use case, and that’s — from looking at the Gartner process and how they go about serving and having products demoed to them, you have to have that kind of framework in place that you even have the starting point to gather and stay up with that kind of information.
Yeah. I think it’s possible for someone to know within a given discipline and identity the good practices, and the things to avoid, for certain. In a product-neutral way, it’s totally in bounds to someone to know what’s a good practice. To your point, it is, practically speaking, impossible to know all the products in the space. Consider strong authentication, multifactor authentication — dozens upon dozens upon dozens of vendors. There’s just no way, and so I think that when I’ve been asked, whether I was an analyst or not, to talk about “Hey, how is this going to fit my use case?” the focus has always got to be back to “What’s the outcome you’re looking for? Let’s just start with that.”
What I find is, seven out of 10 times, people aren’t 100% sure of what they really want as that outcome. Then the process of working backward: “OK. Well, let’s break that apart, and what are the specifics that you need, and how do you get there?” That’s more valuable a lot of times than comparing product A versus product B. Now, certain products have their differentiation, and there are reasons why and why not to use them, but at least in my experience, “Focus on the outcome and work from there” has always been more successful, because at the end of the day, some of the time, the decision’s like, “Oh, what we have is fine — the way we’ve wired it up isn’t,” or “The stakeholders we have for the program aren’t fully aligned.”
There’s a real different but, honestly, better outcome than “Let’s go tear out a bunch of middleware” — if you own a bunch of middleware — “and hope it’s all going to pan out at the end.” That’s not really a great outcome, and what’s interesting about the maturity in many areas — in many products of the many areas in identity — is, a lot of them are mature, quite mature, and so it is less about a specific niche feature here and there.
To be fair, there are plenty of use cases that call for those things, but in a general case, it’s more about “Are we clear about the outcome we’re looking for? Does the operation, or our organizational physics of the enterprise, get in the way — like, distributed versus centralized IT, what have you?” Not like “All of those things are a way better indicator of how the program’s going to go” than like, “Did we buy the upper-right product in a parallelogram, or did we actually suss out what it is we need to do to delight the stakeholder?”
Yeah. I think you brought us something that’s really important, and it’s losing what you’re trying to do because you get so distracted by the shiny thing. A lot of applications and programs and products out there are like that, where “We can do all these neat things,” etc., but is that really what you need to do? If you’re trying to solve IGA, for example, it comes down to provisioning — who has access to what at a most fundamental level? Sure, there are a lot of other things you can do, but if you’re really trying to solve base use cases, and all of a sudden, you get distracted by “Oh, we could do user-behavior analytics” — spoiler: That’s three to four years out for you if you’re not even doing the basics right.
That’s something you see in Microsoft, which I feel has really been on a tear for the last several years. They’ve adjusted their interface to match what is it that users are doing. They get a lot of analytics: the program itself, what menu buttons people are clicking. So they recently adjusted the toolbar on their applications to put the stuff that most people were using to be more predominantly displayed in the interface, and I think that’s something that they recognized.
They still have the diskette for saving.
That cracked me up.
It’s like that clippy — I’m sure somewhere around — if you’re old school.
I saw someone post in Twitter that they showed their child a 3.5-inch diskette, and the kid said, “Oh, you used a 3D printer to print out the Save icon.”
Yeah. Whoa. Mind blown.
Our mission is to promote excellence in the practice of digital identity management. Let me give you a little bit of the origin story for it, because it explains a lot of the things that we’re doing now. I, and others who’ve been around for a while, have had some amazing opportunities. Like I said earlier, I’ve gotten to see the world through this industry. I’ve met some amazing people who are now dear and close friends. I have learned a ton, both within the discipline and as a professional in technology. I wanted to find a way for people to get the kinds of experiences and opportunities that I had, because not everyone can go to a conference — not everyone can go to a Burton Group Catalyst conference — not everyone gets that travel budget, not everyone has the opportunity to interact with an analyst or find a mentor or learn technology-neutral practices. Often, you learn product-specific practices.
I wanted to figure out a way that more people could get to experience the awesome things that I was so lucky and fortunate to, and so privileged to take advantage of. Part two is, as I would travel around, I would talk to enterprises around the world and say like, “How long does it take you to build new identity practitioners?” and they’d be like, “Eighteen months, three years. There are enough of them; it takes too damned long. It’s too expensive.”
That was consistent across everybody I talked to. Every enterprise: big banks, little higher-education institutions — didn’t matter. I pointed to that, like, “That looks like a problem. Do you agree?” They’re like, “Yeah, it’s a problem.” It’s like, “Yeah. So, why don’t you do something about that?” and everyone said, “Yeah, you should do something about it.” I’m like, “Oh. Huh. Didn’t see that coming” — and so I was lucky enough to start to socialize this idea.
Our friends at the Kantara Initiative helped us incubate this, and Sarah Squire (now, it’s Sarah Cecchetti) and I cofounded IDPro to build a space where people could give back — those of us who’ve been in the industry for a while — a way to show what we know, and a place for people to come and learn and accelerate their time to proficiency or their time to feeling proficient, which are two different things, but there aren’t enough practitioners in the market for the need for the size of the industry. Honestly, I looked around.
I was in Washington, D.C., where I live, but I happened to be at the International Association of Privacy Professionals global summit. It’s an amazing event. It happens in the spring, typically, when you had conferences. I don’t know if you guys remember conferences. Those were things where lots of people came and didn’t wear masks in a space. I know, it’s Fantasyland.
Conference, yeah. We’ll talk about it later. I remember looking at all the amazing speakers and all the content, and these were people in a single practice with an organization that helped promote that arc, that skill set, those skill sets. I remember sitting in the lobby of the hotel, going, “Where’s ours? Where’s identity’s? Where’s that organization that is going to promote us as practitioners, that’s going to promote this as a profession?” and that did not sit well with me, and I kept thinking about this problem. I’m like, “OK, we’ve got to fix this.”
So, a long-winded answer, but IDPro is an organization to do just that. It’s meant to be the professional association for our industry. It’s meant to provide people a safe space to ask questions, to learn from one another, and build material in a vendor-neutral way — a technology-neutral way — that people can learn from and really accelerate the time to value for themselves and their own careers.
One of the things that I think about IAM, and why I was drawn to it: I fell into it by accident, like most of our guests, or probably most people in IAM — they’re in other areas of business or IT, or they end up working on the help desk, and rise up into the IAM space — but I found that it has a philosophical backbone to it as well, and that’s what really got me interested. Speaking about Digital ID World, that was the first time I heard Kim Cameron speak and go over his laws of identity. I had been thinking, “Somebody really needs to write the history of our industry.” I know it predates Kim. We’ve had a lot of folks on the podcast who have been, like Jackson Shaw, in the industry before it was an industry.
So, you saw me at DIDW in 2005. Was that in the Mountain View area?
Oh. I remember that one. Digital ID World was pretty amazing because it was the first conference in the industry, and Eric Norlin, who came out of Ping, and Phil Becker were the two folks that put it on, and they’re amazing as a team, and I went to a couple of those and had my mind blown in two different ways. One was like, “Oh, my God, there’s so much more to learn.” The little sliver that I knew and was aware of was just that — it was a sliver. And then two, the number of people that are already or also doing this, it’s like, “Oh, wait a minute. There’s more of us.” Those two things combined opened a window for me into “This is how big it could be,” and it only grew from there. The number of conferences that we now have in this space — the number of practitioners we have globally — it’s amazing. It’s totally amazing.
There was already the concept of this “identerati,” and you were a part of that, right? Nishant was part of that.
I don’t know. You may just be confusing us with the people that were at the bar at the end of the night. It’s hard to distinguish at some point in time. Let’s not go too far.
Do you have a favorite identity conference today? Is it Identiverse? Because I feel like IDPro has taken that on as its home conference, but are there other identity conferences that you think are worth noting — assuming that we do those in the future?
There absolutely are, and I think the thing that’s important is that there are four different kinds of roles as well, because you have a spectrum of events where you have things like Internet Identity Workshop. I went to the first one, and I ended up sitting in between Dale Olds, who came out of Novell — he’s at VMware — and Tony Nadalin, who was with IBM at the time. I had no idea who they were. These guys were mega-huge brains in the industry. I’m like some kid, like, “I don’t know who these guys are,” but that’s where Kim Cameron demoed CardSpace for the first time, and Dick Hardt talked about Sxip — or the predecessor to Sxip, really.
IIW has been a stalwart in terms of the people that are really thinking about how standards and the bedrock of the things we build our solutions on really work, and pushing idea boundaries, but here’s the thing: If you’re not a standards person, you may be like, “Ooh, that seems like a little bit in the weeds for me.” Well, that’s cool too. Back in the day, Burton Group Catalyst was awesome. It’s different now. Let’s just leave it at that. Identiverse is IDPro’s home conference here in the States, but then you’ve got Identity North in Canada, and I know people who’ve been involved with it really enjoyed it, and I have not had a chance to go and attend. I very much want to. But then you have your European Identity Conference — KuppingerCole hosts — which is great, in the EU, and continues to get bigger.
But then, what I find recently — in 2020, I’d learned that I don’t understand how time works. I don’t really know what that means anymore, but I’m going to say within the last two years, organizations like FIDO and the OpenID Foundation also have events, and I have of late really enjoyed those, because it’s a very concentrated sort of subject. They put up a boundary in the sense of, well, this organization is hosting, so it’s going to be around authentication, or it could be around federation protocols, or these other things, and listening to people within a subject matter shows you the richness of what, from the outside, you’re like, “Eh, strong auth. How much is there?” and then you really look into it, and you’re, like, “Wow, there’s a lot of interesting things — use cases and detail — here,” and I find that really interesting because at some point, you have to sum over some of these functions in the sense of, “OK, we’re going to have a stronger adaptive authentication solution in this. We’re going to have an IDA solution.”
You think of them as big block pieces on the slide, and then, when you reimmerse yourself at a topic, you’re, like, “Well, yeah, I forgot there’s a lot here,” and that’s good. It’s always good to go back and fill up the tank in a subject area that you’ve worked in but you maybe haven’t spent time in recently.
I feel like that would be a good article for the Body of Knowledge in IDPro, right? What are the conferences that are out there? And I think IDPro has a calendar.
We do. Yeah. Among the things we do is, we try to track all the local IAM user groups in the world, and we’re tracking dozens upon dozens when they meet. We’re tracking all the conferences as best we can. Online has been a little different last year. Hopefully, it will be different in 2021 — fingers crossed. We’re keeping track of those things, because I think the interesting thing that happened in 2020 was the push toward virtual for a lot of events, and on the one hand, it made things a lot more accessible. On the other, it peanut-buttered a conference through an entire month or a couple of weeks — which made it, in some regards, a little bit harder to attend, but you could cherry-pick the sessions you wanted to go to, so it’s a nice balance and change, coming out of 2020.
I know I’ve used that calendar on the IDPro.org website to look at the different things that are coming up. There are so many different conferences out there that I think people are probably familiar with some of the bigger ones, but there are a lot of really good small ones, and the thing that I’ve noticed coming out with COVID is that virtualization of those conferences. They may have started a little bit rough, but they’ve gotten really good — the last few that I’ve been in.
People are figuring it out, and I will be very curious, as the year progresses, about what that looks like, because being together with people not in a proper, not a two-dimensional space, but a three-dimensional space, is real different. I am glad that there’s been a bit of democratization access to content, which is I think a very good thing for all of us. It’s good. I do miss being with everyone and seeing people that I haven’t seen in a while, but also meeting new people and hearing from speakers that I haven’t heard from before. I think that’s the thing that I like about in-person conferences: I’m going to attend this session. The next one, I don’t know who the speaker is, but the one after, I do, so I’m just going to sit here and keep this chair warm, and I get to hear someone I’ve never heard of, never talked to before. I’d hear something amazing out of serendipity — that’s a great thing about an in-person event, in my opinion.
Yes. It’s very hard to replicate the interaction between attendees, guests, etc., when you’re trying to do things virtually. There’s that aspect — a travel aspect. Typically, these are in destination cities.
So, the week we’re recording this, you realize this would’ve been Gartner IAM. I don’t know what kind of condition that would make me miss a technology conference in Vegas, but we have hit that point where I’m like, “Yeah, I’d be down to go to a tech conference in Vegas. Yeah, I miss that,” and that’s a horrifying statement, but OK — all right. Yeah, that’s where we are.
We’d all be in hazmat suits, though.
Maybe this is a good kind of like palate cleanser. Let’s pick Gartner. Gartner IAM, next year, is the first in-person conference that people get to — people might be excited to actually go again. I don’t necessarily have a problem with Vegas. I’m not much of a drinker or a gambler, so I can ignore that kind of stuff, but I sure like good food, and Vegas is a great city for food too.
Yeah, great people-watching. That’s for sure. So, IDPro does a bunch of different things. I know one of the things that has been discussed in the past is around IAM certifications, and I think this is an area that is of interest for a lot of different people because there are different organizations that have different IAM certifications. We had Henry Bagdasarian on a few weeks ago, from the Identity Management Institute, for example, and they’ve got some. Is IDPro considering anything in the certification space that we should be looking into as well?
Absolutely, but let’s start with a foundational, which is one of the things — and you talked about it: We have published three issues of our Body of Knowledge. One of the clear things that came out of the skills survey that we’ve done for the last couple of years is, people are desperate for technology-neutral things to learn from, to understand either their subdiscipline within IAM or the whole practice. Not everybody has access to analyst material, so that really leaves a big gulf to be filled. So we, from the very beginning, started our Body of Knowledge Committee, and that has been shepherding through content over the last year-plus, so we’re just now on issue three.
Now, there’s a bunch of content in there that ranges from “Here are standards that you should probably know about” to “Here are identity architectures” to “This is the overview of the discipline” to “Things about access certification,” which I think is in the pipeline for issue four. There’s a constant stream of content. This was written by practitioners for practitioners, and it goes through a really rigorous process to ensure that it is neutral, in the sense that it is not codified — one vendor’s best practices — but is actually looking at what is best for the practitioner as a whole and, by extension, the organizations that we work for. Now, that gives people a place to start to learn more about disciplines within identity management.
We also have had as a goal upper professional certification. Our theory was, we needed a body of knowledge so that we could test against something because, otherwise, pulling that together would be challenging. We wanted to make sure that the certification had teeth, so to speak — meant something — that you really did have a knowledge base to operate on for your enterprise or your customer. So, we have a certification committee that has been meeting over the last six-plus months. We’ve really kicked this into high gear. We now have a set of what we call knowledge standards, which are essentially “Here are the areas that you need to know about, and to what depth to be a practitioner,” and then we will start to flesh that out, start writing questions.
The goal — and when I hang up with you guys, in about an hour, I’m meeting with the board to talk about our FY ’21, next year, this year, in terms of listener plans — one of the big ones is certification and our push to try to get that out into the market in 2021. And the big thing for me is, I want this certification to be looked upon in the same way that the IAPP has their CIPP or CISSP, that security and privacy have very rigorous, robust certifications from professional organizations. We really want the IDPro certification to be that thing. Over time, it will branch into both job persona and industry, so I think we will have a base certification and then have one for architects, one for, say, program managers — have something specific for higher-education research, have something specific for healthcare. One foot in front of the other. We got to get the first certification out there, and that is a big goal for ’21.
Yeah. So the CISSP is so ubiquitous. How do you get any certification to be that on the tip of people’s tongues? Is it jobs demanding that? Is it creating an industry around an open platform? Is it all of the above?
I think it is a little bit of all of the above. I do feel slightly like a fraud in answering some of this, because I’m an identity practitioner. I barely understand how to run the nonprofit that I started, let alone what does “a body of knowledge” mean, and what does certification mean? This is the amazing thing — that it is members helping doing this. We are very much driven by our members’ time, and their generosity with that time, to help produce this.
Now, we are bringing in experts who work in certification programs about how to do this, and do this right, but I think one of the things it’s going to start with is, I expect that service organizations are going to use the certification as a differentiator for their people. So, you can go into a prospect and say, “We have the largest bench of certified identity practitioners in the industry,” and what that means is, they not only have our methodologies and can bring together our tooling, they also can pull from a base set of knowledge that’s been certified by the professional organization for the industry, and that makes them more valuable. I think that will be a component of it. I think we’ll see recruiters. My hope is we’ll start to see recruiters be interested in this and job postings be interested in this.
At the same time, I’m nervous. I want the certification to mean something. I do not want the certification to be a barrier for someone to achieve their professional goals in the industry. That’d be a failure if we put up a barrier. The whole point of IDPro is to grow the practice, which means grow the number of practitioners. There is more work for all of us than all of us can absorb. We need more people, and anything that an organization does to limit or to exclude is not beneficial to the industry. It’s not a part of our mission. One of the things I’m deeply concerned about is making sure we strike the right balance there: How do we make this valuable without making it exclusionary?
I’m glad you’re thinking about that, because from a membership standpoint, I’m a member of IDPro, and certifications can be very wide ranging. Identity access management is not “Everyone’s a technical person in IAM.” There’s a ton of space for professional and personal growth within IAM. You do not have to be a developer to be an IAM person. I think that’s one of the challenges that we have for certifications: How do you establish that right balance of “What does the front door look like?” and then “What do the other doors of that house look like from a certification standpoint?”
For certain. In my experience, some of the best minds in identity, I know, don’t have a college degree. They’re tradesmen. They’re journeymen or journeywomen — people that learned by doing over time. Someone gave them an opportunity early on, and then they kept adding success on top of success, and it’s those kinds of people that really drive a lot of my thinking and knowing. Look, these are total badasses, and there is no college degree to have for identity. Threading that needle is going to be a challenge to make the certification worth something but not make it a barrier.
Yes. I’ll give you case in point: I don’t have a college degree, and I’ve been in the IAM space for — well, since 2003, I guess. Before that, IT. Before that, restaurants. No college degrees for IAM, but I didn’t know I was going to get an IAM until later on in my career path.
Sure. It chooses you.
It absolutely chooses you. I chose infosec. I didn’t necessarily choose IT admin — administration of access. That wasn’t where I thought it would end up, but here I am, and I love it.
To your point about how there are certifications that are ubiquitous, back in the day, a Novell-certified engineer — the NCEE, or there was an equivalent one in Windows that was a big deal in the early ’90s, and you saw it everywhere — and I wondered, “At what point are those things devalued in some regards?” because, essentially, it just meant it’s a rubber stamp on someone who’s had a couple of years, and so I am very excited for this certification. I am wondering whether I could pass it myself, but at the same time, I also want to make sure it remains valuable, that it truly does enable someone to demonstrate that I do have a library of knowledge: Not only do I have operational experience that I can draw upon for the things that are maybe a little bit further out, I know where to get that information. I know how to interact with the community for that. And I think that’s the larger challenge ahead for the organization.
I think that plays pretty well into what we see from an IDPro as just the body of people. You mentioned the skills survey before, and I think that was done earlier this year — probably right around when COVID really started to hit the United States — so I’m curious as to, what did you take out of that report that was recently released within the last month or so, the finalized report?
Yeah. It was released right around Thanksgiving — so, November — in the States. We started gathering responses at the end of February 2020, the leading edge of “Oh, this lockdown thing is going to be a thing,” and what I took from it was, as an enterprise, we’re going to have a remote workforce that we never expected. I know many people had large struggles about just getting IT equipment and infrastructure in place, network connectivity in place, but then the very next thing, I think, that was clearly universal was, “All right, what are the most effective controls we can put in place to protect our stuff? Whatever that industry is, whatever that data is, what are the basics?” Far and away, multifactor authentication was that thing. People who had the plans for MFA quickly dusted those things off. I think that was one very clear indication that we saw from the survey.
The thing that we didn’t see in the survey — and I think this is a function of when we asked — was around customer identity and access management. I think, had we asked the same questions in the late summer, we would’ve seen people saying like, “We had a three-year digitalization strategy, a digital transformation plan, and we basically were given four months to get it together, and part and parcel to that is IAM.” That didn’t show up in the skills survey, so when we run it again in February of 2021, I expect to see CIAM in the top enterprise priorities, and when MFA is considered more of a done thing, that’s lower down the priority stack, because a bulk of our enterprise has already tackled that, and they’re on to “Oh, crap, we’re digital only,” or “We have to significantly augment our brick-and-mortar with the digital strategy,” and CIAM is part and parcel.
A couple of things that I thought were interesting too were around the years worked in an industry — I think that was one of the questions — and how predominantly veteran the respondents were. I think the respondents were a combination of not only IDPro members but maybe some nonmember or public responses, and some corporate response as well, but from what I remember of the statistics, more than three-quarters of the respondents had been in the IAM space for at least five years or more.
Off the top of my head, I think that’s about right.
I think given where we’ve been talking about getting newer talent, newer expertise developed from an organization standpoint, there’s clearly an opportunity to get people interested in IAM as a potential career path and things like the Body of Knowledge, certifications, having what I perceive is a very open and inviting community will do a lot to help people who are not as familiar with IAM. It could be developers, and they have some coding expertise, for example, but they never really considered IAM as a path for that. It could be project managers, program managers, people who are interested in the more businessy aspects of IAM. I think there are certainly opportunities to grow the number and available pool of younger, less experienced workforce into identity practitioners of the future as well.
For certain. I think the other thing that there’s an opportunity to do is make our industry a more diverse and equitable one — our peer organization within identity, who are all friends of ours, and we’ve been closely aligned with the work that Women in Identity are doing around this. How do we bring a more diverse workforce to bear? How do we identify and work to eliminate bias in the services that we’re building? As an enterprise, if we’re rolling out our services to be used by everyone, then they need to be serviced and managed and built by people that reflect what everyone looks like, and that’s our local communities, that’s our global communities. I can’t say enough good things about Women in Identity and their efforts to help drive this along, because it’s not just about growing the pool. We also have to make sure that we grow that pool in a diverse way so it really represents our communities.
It’s interesting, because having run this podcast now for more than a year — I think this will be, like, episode 75 or something like that in our hopper — I see the stats of who’s listening, where they’re coming from, etc., and the people who are listening, who show up, are predominantly male: something like 80%. I have no idea how that can grow beyond that, so I’m looking to those types of organizations for ideas on how we become more diverse. How do we get listenership to be more reflective of the organizations that are listening — the companies that we’re working for, those sorts of things — so it’s important to try to be more equitable, as you mentioned, throughout the entire process. I think the other thing that was interesting too from that skill survey was a question around “When do you feel proficient in identity and access management?” I think more than half of the survey respondents were somewhere between two and 10 years, which is a big range. When do you feel proficient? Do you ever feel proficient? There’s so much to learn.
I want to touch on something you said, and then I’ll answer that: You should reach out to Kay Chopard if you haven’t. She’s the U.S. ambassador for Women in Identity. I’ve known her for years. She is awesome. You should definitely have her on the podcast and talk about the interesting things that — her experiences, and what Women in Identity is doing regarding diversity in the workforce. I’ll help you get that done.
With regard to feeling proficient — we ask that question very specifically, which is “How long till you feel proficient?” because being proficient and feeling proficient are two different things, and this causes much rancor on the IDPro board, because of the nearly 30% of people who respond saying, “I still don’t feel proficient.” Full disclosure: I am one of those people. To me, it’s a great thing that a third of our respondents — I think it’s 28% this year, off the top of my head, say that. To me, that’s a reflection that we are a growth industry and that we are adding constantly to the areas that a practitioner could know about. I say, “Could know about.” It doesn't mean you’ve got to know everything about everything. It’s not possible. It’s too big a space, but the fact that we are a growth industry means that there are always going to be new things that you could go research and learn about if you wanted to. There are new kinds of programs you can go do if you wanted to. To me, I love that.
To your point, two to 10 years — the bulk of the answer, which means the truth is probably around about eight years; that’s my guess. That’s an awfully long time. That’s an awfully long time, and I want to push that down to like five. We can get it that way. You’re not going to be a Jedi knight overnight, despite what the movies might actually tell you. You just don’t go to a swamp and do pushups with Nishant on your back, and suddenly, you’re an expert in IGA. That’s not how that works, but at the same time, you can’t be a hermit and go off and live in a cave for a decade and come back and be like, “I now fully understand access management.” That also is not the path to productivity.
One of the things that I find so fun about IDPro is that our online community is a really great space for people to ask questions. Real practical. “Has anyone done x, y and z with these two products, or even without products? These are the constraints I’ve got.” “How would I go about this?” That’s super useful, because the other takeaway from the “How long did it take you to feel proficient?” question is, it pretty much means that they’re very few, the number of people that actually feel they’re proficient and probably are proficient, which means we’re all trying to figure it out as we go.
There’s something comforting about that, which is that you’re not alone in your journey in this industry, and that you’ve got a piece of the puzzle — a peer’s got a piece of the puzzle. You know what? Somebody who works for one of your competitors in identity has a piece of the puzzle, and here’s a place you can go and talk to these people, and I think that is really powerful.
Ian, I was going to ask you the question “What are some things that folks who are listening, IAM practitioners, can do to help IDPro?” The first thing that comes to mind, of course, is join IDPro, but I also was thinking just from a mentoring perspective, I’m sure you’ve had some great mentors in your career. I’m sure you’ve also mentored others. One of the things that came to mind was some of the great women that we’ve had on the show. I’m looking at the list of some of the great women that we’ve had on this show in the past months: Joni Smith, Rebecca Nielsen, Mary Writz, Mary Berg, our own Mayda Gonzalez from Identropy. These folks are able not only to pass on that wealth of knowledge that they’ve built over decades plus careers but also to be role models. I think all these things are important, but I’m wondering, what is your perspective on mentoring that next generation?
We’ll take this in two parts. I think one of the things to start helping our fellow practitioner is, go to IDPro.org and see if there’s a Meetup in your local area. If there is, see how active it is, where you can get involved, because building that local network is really powerful. It helps build some of the connective tissue among practitioners that we need to grow the industry.
Then, if you do choose to join, which is awesome, be active in our online community. We have a Slack environment, which is a lot of fun, and it is a really safe space to ask some tough questions. I’ve talked to people who are like, “Wow! In a matter of minutes, I got answers to questions that I have been struggling with!” or we could see the industry coordinating around “Hey look, there’s a —” case in point, there was a vulnerability in XML comment handling that had impact in SAML, and very quickly, people who represented their employers are like, “Yeah, we patched this. Nope, it’s next week” — very quickly, a triage — and so, even if you didn’t feel comfortable asking questions, you can learn a lot just passively watching what’s going on.
Then, to your point around mentorship, it doesn’t have to start formal or complex, which is why I come back to “Get active locally” because I could answer a question or two, and we can meet and have coffee. That’s where real lasting relationships come from. I am far more, right now, interested in figuring out how we build those from the grassroots level. Then, as people progress, there are amazing people to learn from, and they’re universally very generous with their time. This is one of the things that I have heard from members: I was surprised how willing people were to talk and to spend some time. So, I do think mentorship is incredibly important. We asked in our skills survey what somebody wished you had in order to be more successful. Top answers are vendor-neutral material, the body of knowledge, and peer-to-peer networking opportunities and mentorship opportunities. Those are the top three, and it’s been consistent for the last three years.
Our need to connect has never been more vital, and to do that as best we can in a COVID era, that’s an awful big challenge, but organizations — whether it’s your local Meetup, or IDPro in a global sense — help there. That doesn't solve everything. It’s not the silver bullet, but it is a great start.
I think it’s an opportunity for people to take ownership over their career as well. Don’t wait for a handout or for someone to come to you and say, “Here’s what we want to do.” If this is something you’re interested in, go out, research, get involved with the community. I’m glad you mentioned the IDPro Slack channel, because I’m not much of a contributor to it, but I’ll tell you, I learn a lot just reading the different challenges that people are facing, the different comments, etc., so even if you’re just a lurker, like me, there is so much to be had for that, so I definitely agree that if you’re in IDPro and you’re not taking advantage of it, do it. If you’re not in IDPro, consider joining. I don’t know if that’s a perk of joining, but it’s definitely a great spot to commiserate, collaborate and celebrate with other IDPros.
Yeah, for certain.
Ian, you’ve been so generous with your time, and we’re getting close to wanting to get things wrapped up here. What I thought would be interesting is to talk about some of the predictions that you’ve had around the next 10 years of identity, and in more of a rapid-fire format. I know that there are a lot of different technologies that are out there, and this is loosely based on the talk that you gave at Identiverse in 2020 around the next 10 years of identity. Maybe we can start with WebAuthn. That is something that really hit in early 2020, when Apple finally joined onboard, supporting with their Safari browsers. Where do you see WebAuthn going in not only the next 10 years but in the nearer term — 2021 to, maybe, 2022?
I think long-term, WebAuthn will become on equal footing with social sign-in and CIAM environments, which is to say it’s a magical experience: If I can just look at my phone and then get signed into an app, that’s sweet. Who wouldn’t want that? WebAuthn helps broker that now — you do have more ubiquity in terms of availability in the mobile OS platforms. The reason I say that I think WebAuthn and social sign-in will achieve a certain parity is that although social sign-in gives me a nice sign-in experience — I click a button, and basically, I’m in an app — we’re seeing enough concern about the social networks and the use of data either provided or derived, people are looking for alternatives, if I can get that same kind of experience: I look at my phone, and I’m in the app through WebAuthn. That’s going to be a real boon, not to mention all the security benefits that go along with that, and not to mention all the good things that come from it.
In 2021, what I expect around WebAuthn is, we’ll see a lot more people kicking the tires in their platforms and in their apps and figuring out ways to integrate it in a lightweight way as best they can, and that’ll start to make that ceremony — the way that sign-in experience works — become more and more prevalent, and that’ll pave the way for mainstream adoptions.
Do you consider sign-in with Apple a social log-in?
That’s a very interesting question. I think no, insofar as the data that is available — so, it’s like wires. The data you get if you’re a relying party is very minimal — first name, last name. That email can be pseudonymized, and you only get it once, which is very interesting, so there isn’t a constant flow of attributes from Apple to the people that are consuming sign-in with Apple. In some regards, it’s provided by a third-party provider, and although Apple doesn’t really have any social network per se, it does have some things that feel like it, and you will see it on top of the sign-in with Facebook and Google, what have you, but from an implementation perspective, it looks pretty darn different.
What about standards like OpenID Connect, SCIM, SAML? Well, first of all, SAML’s still dead in 2021, as it’s been?
For sure. SAML is going to remain incredibly useful — and dead. That’s not going to change. What’s going to change is that what we will see in this next decade and probably the next five years is that OpenID Connect is the de facto federation standard for most people, and along with it, all the supporting technology — OAuth, the JOSE suite, etc. — and then, we’ll see SCIM, from an IGA perspective, being the language choice. I still keep hoping to resurrect SPML, but that’s apparently not going to happen.
So, as people move platforms, that’s where we’re going to see the migration from SAML to OpenID Connect. You’re not going to see it before that. No one is really going to get funding to do a big reimplementation of their single sign-on, because if it’s working, don’t mess with it. No one’s desupporting SAML anytime soon. That’s going to be with us for the rest of the decade, but when you move platform, there’s the opportunity to uplift your standard specs on your standard stack to something a little bit more modern.
That’ll require coordination with all those applications that have been standardized in SAML? They’re going to have to figure out moving over to OpenID?
Yeah. If you’re coordinating a bunch of parties doing work, they’re like, “But it works. Do we have to mess with it?” This is why renovating your house is more expensive than building a new one, because you’re like, “Well, if you tear open the wall, I’ve got no idea what I’m going to find in there.” You start mucking around your SAML federations, you don’t know what you’re going to find. It’s going to be a mess.
This is the question, then, that Nishant passed on last time. He gave us a next question on this.
I didn’t know that was a thing. Can I do that to the next one?
You may, and that’s why I’m posing that as an option.
Sovereign identity and blockchain. I feel like we’ve been hearing about this for the last couple of years. It’s the next big thing. I haven’t seen an enterprise use case for it. I think maybe there is some opportunity in citizen ID or banking or healthcare or education, but I don’t think it’s gotten the traction yet, even in those spaces. Where do you see blockchain or sovereign identity going in the future?
I’ll talk to the sovereign side of things, which is going back to the first Internet Identity Workshop. User-centricity, and user-centric identity, has always been a thing: Put the user in control of their interactions and their information. This is not rocket science from a concept. Making it real, that’s a bit of a different story, and so to me, there’s a lot of similarity around things that we have been trying to do, and chipping away at it, for quite some time — for over a decade. I think the thing that is not interesting to me is the storage mechanism.
So, back when I was talking about identity relationship management, everyone’s like, “Oh, so you’re saying we’ve got to use object and network databases for everything? Is it that graph databases are the way to solve identity?” I’m like, “I don’t care about the back-end storage. What I care about is the kinds of things that we can represent the use cases we can unlock.” I don’t get super excited about different kinds of storage mechanism.
I think what I have seen is people moving away from “Oh, this has got to be all about blockchain to verify credentials,” and that’s interesting, and it’s a different way to get the outcome that people want to be able to do, which is present something that is verifiable and validated in a manner that the individual has analogies they understand, a ceremony that they can engage with to exchange or to present these things, and a nice technology stack that actually helps engender trust.
A lot of this is not new. This is CardSpace, but we’re redoing it in a different way. I think that’s important. We should explore these kinds of things, but I’m not going to wager any specific “Where things are going to get to in 10 years.” I’m going to go more than Nishant, which is, I tried to answer the question.
Absolutely. So, score one for Ian in the Nishant vs. Ian battle, let’s call it. What about deepfakes? Where do you see deepfakes intersecting with identity? I’m most likely talking here about fraud situations where an issue may come up where deepfakes are a good social engineering mechanism to do things — not necessarily trick the technical underpinnings of authentication, although there’s certainly potential for that as well. I’m curious as to your thoughts on deepfakes and identity.
I think one of the things that is coming is an increase in proofing and progressive proofing in our CIAM and citizen-identity worlds, especially CIAM. I think government has understood the need for remote, in-person proofing. I think CIAM is a little bit more challenging, where I have a consumer scenario, and I want to give them some value. And to do that, I don’t want to put too much friction in the process. However, I also do need a degree of assurance that this is a legal entity to whom I am speaking, and so proof of liveness is going to be more and more important. As we slide more proofing into the progressive profiling or progressive proofing processes, that’s where proof of liveness is going to be important. So, yes, there may be a fully synthetic social identity. You may even have synthesized video for that synthetic identity. The thing that’s going to matter is detection of liveness as you’re starting to bind that synthetic identity to a legal identity, and that’s where the rubber’s going to meet the road.
When you say proof of liveness, I’m thinking implants, and how do you prove you’re alive? Well, maybe it’s something within you, whether it’s an RFID chip, which we’ve heard about — people implanting an RFID chip and doing the old scan on a bad reader, or whatever it may be. Where do you see implanted identity going?
I think we’re going to see it as an outgrowth of wearable. We are in a more comfortable time for wearables — smart watches, but also rings and things like that where mostly NFC, some payments, but then also it’s a sleep analyzer or some other functions along with it, and I think that’s reasonable, normalized, in some cultures globally. Obviously, it’s not a global thing yet, just because of cost.
I think that we’ll then see a natural progression to things like smart hearing aids. We’re starting to see things like a replacement cornea or a smart contact lens. I think that’s going to be the progression in a reasonable time frame — let’s say five years. I think implantable — from a personal perspective, we all struggle with Bluetooth headphones. I’m just thinking, “Oh, my God, are we going to go through the same clowniness with embedded or implanted that we do with Bluetooth headphones?” This is just a bad outcome.
I don’t want it to be a semipermanent kind of thing, so I think it’s going to be more like, we’ll see a lot more wearable — even integrated into clothing — and then implanted will start under certain conditions. I think it really will be around hearing and sight and going from there. There will always be the biohackers. There will always be the folks who are like, “I’ve got a full Raspberry Pi inserted in my left thigh,” and like, “Look at all the cool things I can do with it.” That’s cool. That really pushes boundaries, but I think for the next five years, it’s going to be more kinds of wearables, and then moving into some of those applications of near-implanted scenarios.
So, we’re not going full cyberpunk in 2021, huh?
Go for it if you want to. There’s all of that stuff that’s out there. I think mainstream, probably not.
Obviously, I think there are the privacy concerns about having some kind of chip inserted under your skin, but I think it’s all going to come down to tradeoffs. If there’s enough value to do it, people will do it. If you could insert a chip in my heart and detect before I have a heart attack that something’s going wrong, I think Ian’s point is great — that you’d probably achieve a lot of that with wearables. In other words, if I don’t want to be tracked, I could take it off, but I think if the tradeoff is there to do an implant, I could see people signing up for it.
Yeah, I get that. I think as much as I love the bleeding edge, some things are like, “Hold on. Hold on. Let’s back up for a sec.” I still don’t have a consistent digital driver’s license that I can present in lieu of the plastic card. So, before we pole-vault into “I have an embedded digital passport and an early warning system on my insulin levels,” let’s peel that back and go like, “What is the utility that the most people can get from something?” Then that’s going to show you where the addressable markets are going to be.
As a service provider, as somebody who’s consuming identity service, I’m thinking about “If I’m going to add technology to my stack, what addressable market does it unlock for me?” It’s like, “Oh, wait, I should support things around digital driver’s license because it gets me this entire state — it gets me the Commonwealth of Virginia, for example, or Utah” or what have you. That, I can measure, versus how many people are going to have the fully implanted digital passport in the next five years? You’re going to make those tradeoffs, right? As a business owner, you’re going to be like, “Does this unlock a new segment of my stakeholders that I can go address?” I think we’re going to find there’s low-hanging fruit still in the more pedestrian, if you will, use cases in identity that will unlock more value from vastly large numbers of people. You know what? Some of those mundane cases, which are kind of exciting — yeah, from a plumbing perspective, I get it, but from a stakeholder perspective, I’m really excited for those kinds of use cases.
How about managing expectations? Because the future has so many different things you could do, right? Well, that’s probably a good spot to close out this conversation, because I feel like we could talk for hours and hours, and Ian, thanks again for joining us. Before we get going here, any final words of wisdom, or not, that you’d like to impart upon the listening audience?
If you’re starting out in the industry, never connect your demo provisioning system to the production UNIX cluster and then delete someone’s home directory. Just a tip at random. I would say if IDPro appeals to you, the opportunity — the idea of having the opportunity — to meet with like-minded people around the world or these people in the same industry who are approaching problems in radically different ways and you want to learn about that, hey, join IDPro. But if nothing else, we make a lot of material for you over time. We want to grow this practice, this industry, and we’d love to have you involved, and otherwise, it’s now 2021. The year 2020 was a strange year, obviously. The year 2021 may still be strange. The important thing for our practitioners and our listeners to know is that you’ve never been as needed as you’re needed now. Identity services is a growth industry. There are so many different kinds of applications that need your help. They’re out there, and I think this is a great place to be and a great time to be here.
I think this is, if not the longest episode, definitely one of the longest episodes that we recorded, and no better one to do it. So, we appreciate it, Ian. I think with that, we’re going to go ahead and leave it. We’re going to have a bunch of links to a lot of the things we talked about today — IDPro, connections to LinkedIn, some of Ian’s talks that he gave at Identiverse, those sorts of things, and IDPro itself. So, with that, we’ll go ahead and close it out. Thanks for listening, and we’ll talk with you all in the next one.
Thanks for listening to the Identity at the Center podcast. If you like what you heard, don’t forget to subscribe, and visit us on the web at IdentityattheCenter.com.