Podcast 102 | Identity Orchestration with Gerry Gebel


Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With a combined 30+ years of IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry.

Do you know who has access to what?

 



Protiviti Podcast Transcript
Jeff

You’re listening to the Identity at the Center podcast. This is a show that talks about identity and access management and making sure you know who has access to what. Let’s get started.

Welcome to the Identity at the Center podcast. I’m Jeff, and that’s Jim.

Jim
I was trying to figure out what our situation is for conferences for the rest of the year. We talked about the Authenticate Conference, which is FIDO’s conference. It’s coming up October 18, 2021, in Seattle at the Motif hotel. We’ve been to a conference there before. It’s a really great setting. It’s a smaller venue but a great place to have a conference and interact and network with other people. We submitted an application, a call for speakers, so who knows if that’ll be approved or not, but either way, I’m hoping we can get there and maybe do a cool little episode of the show. What do you think?
Jeff
Yes, I think that would be cool. I think, yes — we’ll see if we get selected. I think either way, whether we get selected to speak or not, I think we’ll both try to make it out there, and that’ll be a spot that we want to be at to maybe do an interview or three.
Jim

Yes, we’ve talked about trying to do a live show or a live stream. That could get interesting, to try to launch doing something like that for the first time and be in a new territory — in other words, not knowing what the Wi-Fi situation is, and things like that — it might be too much new at once, but that’s something that we’ve gotten feedback from our listeners about in terms of “We’d like to see you guys do a live stream,” and the software we’re using now could enable that.

Jeff
Yes, I think it’s something we both have wanted to do for a while. I think, last year, we took a mulligan because the travel arrangement wasn’t working out for COVID and stuff like that, but we might pick it up at some point here, so I’m up for it. I think we can always record something, and if it sucks, either we don’t release it or we figure out a different game plan to tweak it into something that might be usable for people.
Jim

Yes, and that’s really the only in-person conference that I’ve really potentially looked out for — this year, anyway — but I’m definitely looking to get back on the circuit again next year.

Jeff

Today, we’re going to get into identity, and I think one of the conversation topics that we’ll probably want to approach here is talking about identity fabrics and orchestration, and what the heck does that even mean, and trying to decipher how that works in the real world. We’ve invited Gerry Gebel from Strata.io, Strata Identity — he’s the head of standards — to help with this conversation. Welcome to the show, Gerry.

Gerry Gebel

Jeff and Jim, thanks for that very much. Thanks for the intro and the invitation to be part of the Identity at the Center podcast series. It’s great to be here.

Jeff

Yes. Thanks so much for joining us, and I think, as a first-timer on our show, we like to discover your background and how you got into the identity space. One of the theories that I have is that for the most part, most people didn’t choose identity, it chose them, and I’m curious if that’s the same for you. How did you get into the identity space?

Gerry Gebel

It’s a bit of a long and winding story, I guess. I’m not sure if I was pushed or pulled into it — maybe a combination of the two. My time started in security before identity even was a thing in the industry, back when I was at Chase Bank in New York and had a great mentor there. I think a mentor has a big role in how our career is guided over time, and the opportunities that are presented and the ones that we take or not. I had a great mentor there, Bill Wan, who emphasized the need, the importance, of getting outside of your cubicle or office and seeing what’s happening in the world, and he really encouraged me to be part of some of the standards activities at that time — for example, at the Open Group. Then, I also was part of starting an organization on Wall Street that we called the Securities Industry Middleware Council, where I met another great mentor from that time period, Eliot Solomon.

That really expanded the horizons and got me introduced to a number of different people, including folks at the Burton Group, so that’s how I got connected with the Burton Group and joined them around 2000 as part of their consulting team. At the time, Burton had two services: One was directory and security, and the other was networking. What I was part of when I joined was, we split up directory and security, so we had a security practice, and then the directory side became identity and privacy. I guess that’s my intro into the identity industry, and from there I went on to join Axiomatics, focusing on dynamic authorization, and now here, of course, at Strata.

Jim

Cool background, Gerry, and one of the things that really popped out to me was the Burton Group. That was the analyst firm covering the IAM space as I got into the industry around the 2003 time frame. I’m wondering what it was like working at an analyst firm like the Burton Group and being the go-to for how we look at the space, how we develop our strategy, how you compare Product A to Product B, things like that.

Gerry Gebel

It was an incredible experience. I have to say, the people I got to meet and work with there are just the who’s who list of people in the industry, many of the names we’d be familiar with. It was incredibly intellectually stimulating working with all of these smart people, and being the dumbest guy in the room and just soaking it all in, it was really, from that perspective, an amazing, amazing experience. The whole process of being a consultant or research analyst was quite a jump from being an individual practitioner within an IT department, but you just learn over time. You learn from your colleagues, and you take in all that guidance.

It was a big job. It was a huge responsibility to be part of that industry, because so many people, as customers of the research service, are looking to us for very important guidance. It definitely was a combination of a great work environment with an amazing group of people, but also that burden, or the responsibility, of, you really have to do your work, do your research, think about what you’re writing, what you’re presenting onstage, because it was so impactful for so many people. I think that was quite a combination.

Jim
You mentioned the alumni at the Burton Group. We had Ian Glazer on in an earlier episode — that was episode 76, for anybody who wants to scroll back and take a listen — but I’m wondering: The Burton alumni, do you guys have a Slack channel, or do you guys stay in touch at all?
Gerry Gebel

Informally. I think there are small groups of us that still make the conference circuit, like you were talking about before — hopefully, starting to get back into the swing of that later this year or certainly into next year. There’s some informal expert alumni that will get together at the bar afterward and swap stories and so on, but nothing formal at the moment.

Jeff
No secret handshake, or anything like that?
Gerry Gebel

No, nothing like that.

Jeff

I think one of the things I always find interesting around the analyst consultant versus what I’ll call a “normal” consultant is having to be able to keep track of all the different products in the space. For better or for worse, a lot of organizations will take a look at analyst reports and say, “OK, this sounds good,” and then they might invite the person who actually wrote the report to talk to them directly: “Hey, so tell me what is exactly the difference between SailPoint and Saviynt? Why is one better than the other, or Ping and Okta or Microsoft?” or whatever it may be, and I would find that extremely challenging, I would think, to be able to stay on top of so many products in the space. With the way that the velocity of the industry has picked up, especially over the last couple of decades, how do you stay on top of all that stuff?

Gerry Gebel

To your first point there, I will say, yes, it can be very uncomfortable. Sometimes, when a customer prints out one of your reports and they start going through it paragraph by paragraph — “What did you really mean here?” — that can be a little challenging, but I think to your later question, one person can't know everything. Look at Gartner today: How many thousands of analysts do they have? It’s an incredible number, and it shows you have to start to divide and specialize a little bit.

We did that at the Burton Group. We had across a team of analysts, they would focus on different areas, whether based on their experience or their background, and then, when you get a customer call — inquiry about a certain topic — if it wasn’t in your wheelhouse, then you had to defer it to someone else because you don’t want to go down the path of talking confidently about topics that you’re not really an expert in, because that’s where you’re in a danger zone.

Jeff

Yes. Knowing when to engage and when to pull back and defer, I think, is important. One other thing that you mentioned about not being the smartest guy in the room, I think, everyone can relate to that, and I think it’s commonly referred to clinically as imposter syndrome. It’s like, “What the heck am I doing here? Why did they even pick me?” — those sorts of things — and I’m curious: Is that something that you can relate to from your role?

Gerry Gebel

I know what you mean by the imposter syndrome. I don't think that that applies to my experience, but I think having reverence and respect for the other folks in the room and learning from them and over time gaining your own confidence level — I think that’s really what was a valuable part of that experience, is that everyone around us was so supportive, so that quickly led to having some confidence in your own research, in your own opinions and so on.

What was an important aspect of learning to be an analyst at the Burton Group was being able to defend your positions, and so you could take any wild, harebrained idea and throw it out there. That’s fine, but that was only part of the effort. You really had to back it up: “Why did you think this should be the way to go in this certain industry?” “Why do you think this technology is better than that one?” You can’t just throw wild statements around. You needed to back it up, and that was, I think, an important element of gaining that confidence level.

Jeff

Yes. I think another thing that Gerry said is around learning from each other, and I’ve started to incorporate that and say that to clients — like, “Yes, you definitely brought us in as the experts, but we’re going to learn from each other.” Honestly, I think that’s how I’ve become a much better consultant. My past 10 years in consulting is learning from my clients, seeing how things are done in different places, because it’s not like I have another day job where I’m an IAM manager or program manager in a company anymore.

Now, what I’m doing is consulting and working with different clients and learning from them, learning what they’re doing that’s best practice, and obviously combining that with research that we do, but it’s a very important aspect. If you have the personality of being open-minded, that helps you in any aspect of life, but it’s a firm requirement when it comes to being in consulting and probably being an analyst as well. I’m sure, Gerry, that was your experience — learning a lot from your clients.

Gerry Gebel

Absolutely. I think there is no limit on what you can learn or how much you can learn. It’s a lifelong experience. You’re absolutely right, Jim, that conversations with customers were very enlightening, and it goes back to what Jeff said earlier about “How can you know everything about everything?” You learn bits of information from every conversation that you have, whether it’s talking to a customer directly about a specific topic or question or getting briefings from vendors or seeing demonstrations or those fantastic one-on-one chats in the conference hallway or at the bar afterward. You learn every step of the way, so you try to bring all of that together as your combined experience and go forth from there.

Jeff
That’s the past, and now let’s talk the present. You’re with Strata Identity at Strata.io, and you’re the head of standards. What the heck does that mean?
Gerry Gebel

In some of my past roles, I’ve had, say, one foot in the standards community, but back at the Burton Group, I authored a number of reports on things like SAML and WS-Federation and XACML and hosted a number of interoperability demonstrations at our annual Catalyst Conference. From that perspective, it’s half a foot in the standards community.

At Axiomatics, of course, technology was all built around the XACML standard, so pretty involved with it there, but now, with Strata, I think I’ve got both feet in the standards world, because part of what we’re trying to do here is build out a new standard around what we call Identity Query Language. It’s to help facilitate getting a common declarative form of access policy across a multicloud environment, and we can get deeper into identity fabrics and orchestration here in a moment, but it’s to publish a standard around this and a set of APIs so that not just Strata but also other organizations can take ahold of this standard and incorporate that to facilitate this multicloud, multi-identity world we are in today.

Jim

That’s fantastic, because that’s how these standards get started: Somebody takes a shot at drafting version one, and then it goes from there. You’re involved with some of the early standards development that today are very mature standards, correct?

Gerry Gebel

That’s right. Also, some of the founders of Strata were also coauthors of some of those standards, like SAML — Security Assertion Markup Language — which is still heavily used today for federated single sign-on.

Jim

Gerry, you mentioned identity orchestration, and what I’ve seen on the Strata website is identity orchestration for multicloud. I’m wondering if you could put that more in layman’s terms, or help our listeners, people like me, understand: From a plain English perspective, what does that mean?

Gerry Gebel

If you take a step back and you think about the precloud days of identity and access management, all enterprises had multiple what we called identity siloes. They were typically connected or hardwired to a specific set of applications for the line of business or maybe within a certain data center and things of that nature, but now, over the last several years, cloud computing has emerged as the preferred way to deploy and manage application workloads.

The promise of the cloud is cost savings, simplified operations, new capabilities that are available that are much better than the data center environments of the past: “OK, great. Now, everyone’s moving to the cloud, but, oh, by the way, we have all these new cloud identity systems.” Azure, Google, Amazon — they all have their own way of doing identity, and then part of the challenge is that organizations are not just going to a single cloud platform. They want to spread out that risk, or maybe there are different tools that are better for different applications across the organization and then, of course, you have all the different SaaS applications that we consume.

Now, we have this hybrid of some legacy identity clouds from the on-premises world, but now across all of these multiple cloud environments, so how do you manage that? That’s where we talk about an identity fabric to start with, because the fabric is the connectivity tissue. It’s how we connect to the legacy environments, to the cloud environments, and then you can begin to orchestrate or manage or facilitate that entire spectrum of technologies in a more single-pane-of-glass fashion, so I’ll stop there and pause.

Jeff

It sounds to me like it’s the development of a Rosetta Stone as a translation layer between all of the disparate cloud languages that are out there. You mentioned Azure, Google, AWS — those sorts of things. Everyone does identity in different ways. The concepts and structures may be slightly different, but at the end of the day, it still boils down to who has access to what. That’s what identity gets down to, and with the disparate methods, it seems to me like this identity fabric and this identity orchestration is trying to come up with that common language to be able to say, “I want to give this user this thing” and then be able to translate it from whatever the common language is. It’s down to essentially the machine code for each of these different services. Is that an accurate depiction, at least in my brain, of how I see this working together?

Gerry Gebel

Yes, Jeff, I think it is, because in the absence of having that fabric and that orchestration layer, you have to individually manage all those environments, and we know that can be expensive. You need staff to be experts in all of these different platforms, and then you have a pretty good chance of inconsistent settings across these environments, which, of course, exposes you to different kinds of risk. Yes, we’re looking to have a single way to manage all these access rules and policies and then, as you said, transform them into the native format of those target systems. We’re not doing enforcements in the Strata orchestration layer. Rather, we’re just managing the access policies in a uniform way.

Jeff

You mentioned Identity Query Language. I think it’s what you referred to earlier as a new standard to pull that all together. Can you talk a little bit more about that, because I don't know if I’m too familiar with that standard, or maybe it’s so new that it’s probably not breaking news — not as familiar, maybe, for the people in the identity space? Where is that in a process perspective, who’s working on it and when do you think it might become something that’s out there that people might be able to start leveraging?

Gerry Gebel

Yes. We think it’s important enough, the work we’re doing here across unifying the policy formats, to standardize that aspect of it, so that it can be put out into a standards organization, have open source code available to utilize, so you can call the APIs, you can use the policy language and have it work within your own environments. It’s still at a fairly nascent level, although we’ve been doing a lot of work behind the scenes. Right now, we’re organizing a working group to get started on outlining the specification, defining the APIs, building some of the open source code, and we’ll be doing that through the remainder of 2021. You’ll see the various announcements around this streaming out over the course of the rest of this year, and they’re hoping it’ll be more public by early 2022 and going into a standards organization and really busting it open for a wider audience.

It’s a fairly accelerated and aggressive timeline, but we want to get started on this right away and get a lot of important industry contributors behind that. We’ve been talking to a number of different folks in financial services, in insurance, in the networking world, in the data services world. What’s interesting is although we’re calling it Identity Query Language, or IDQL — it’s a new acronym you all need to learn — but we are also seeing a lot of interest not just from the application, the traditional web application layer, but also into the infrastructure of cloud platforms, the data layer and all the way to the networking. You can think of it as an east-west across multiple cloud environments, but north-south across stack from the application to the data, the infrastructure and right down to the networking level. It’s really quite an expanded horizon we’re talking about here.

Jeff

Whenever I hear orchestration, I think of a conductor, and I would imagine in a scenario like we’re talking about here, the conductor might be some kind of common dashboard where I go and set my policies or configure the security settings — that then my system is going to go out and reach out to my various cloud endpoints and enact those settings. Am I thinking about that in the right way?

 

Gerry Gebel

Yes, you are. There’s a central control plane, if you will, where you can author and manage these access policies, these identity policies, and then there will be connectors that are gateways that will take this central policy definition and convert it or map it to the bespoke format, that target system, and so you could use, for example, APIs to do that. If the Amazon IAM API is available to do this manipulation, then great. We can just call that, or you can have the connector do that mapping, so there’s that functionality at different levels. You’re right, Jim. You have the central place where you define the policies, and then you have APIs available so that the connectors can call. You get the latest version of the policy for this data set or for this set of business apps and then do that mapping or conversion and load it into the target system.

 

Jim
I can imagine the challenges from the standpoint of — if I wasn’t using an orchestration layer, trying to manage and understand my policies across a number of proprietary clouds — I would imagine those are a lot of the challenges that you face in developing your solution.
Gerry Gebel
Absolutely. That’s what we see customers are dealing with on a day-to-day basis, and in some cases, it can be overwhelming, because you’re under a lot of pressure. You’re trying to move your applications and users to the cloud, but they’re hardwired to their existing environments or systems. Maybe at the executive level, it’s easy to say, “Hey, let’s just move to the cloud,” but from the IT staff, the identity professionals and the network folks, it’s not so easy to do that in an efficient and risk-safe way.
Jim
You mentioned one of the challenges that immediately popped to my head at least, when you were thinking about multiple clouds, and I think of the open S3 bucket. That seems to be the root cause of so many different breaches and data exposures and things like that, and I can imagine with a mature orchestration and fabric in place, things like that would be potentially mitigated. Is that a good way to think about it, and are there other challenges that you can think of that people should be aware of that this might help approach and solve for?
Gerry Gebel
There is that aspect, and I think that goes to the consistency, trying to apply a consistent level of security across different types of resources. If we have an easier way to identify what container, whether it’s an S3 bucket or some other kind of storage that has sensitive data — if it has sensitive data for whatever reason, PII or so on — then we can apply a certain level of policy to that. To do that automatically, I think, can help mitigate against those scenarios. I won’t say it’s 100%. Of course, nothing is 100%. It requires a lot of diligence on everyone’s part, but it will help automate, I think, a lot of these basic settings so that we can focus more attention on those higher-value environments that we need to.
Jim
I’m wondering, are there baselines that are available in the industry where someone said, “All right — these are the best-practice settings”? I’m wondering, does that exist for cloud environments — so, in other words, “Here are the best-practice AWS or Google Cloud settings” — and then have you guys gone and baked that into a product where an organization can more or less say, “OK, here, on these settings, I’ve deviated from the best-practice setting, but at least I’m aware of that”?
Gerry Gebel
Jim, when you say the term best practice, these light bulbs go off in my head, and I think of Fred Cohen saying, “There’s no such thing as a best practice.” We won’t go too far down that rat hole, but—
Jim
I’m with you, man. I’m with you. I despise the term, and yet I use it all the time because I’m in the consulting field. People ask me, “What’s the best practice?” The answer is, it depends, but I also think there are these “Hey, here’s a baseline configuration for a Windows server,” and that’s just a very simple example. The idea is like, “OK, if you were to lock down the server, here are the settings,” and then most organizations can't operate their apps with all those restrictive settings, so they have to unroll some of them. It’s valuable, I think, at least to know where you’ve deviated.
Gerry Gebel
I like the term recommended settings or recommended practices, because so few things are so uniform that we can just make generic statements about them, because security requirements vary so much industry to industry. Yes, there’s a lot of commonality, and we can focus on that 80/20 portion, but I hesitate to use the term best practice. As far as “Are we baking that into the model here?” at this stage, we’re focusing more on the basic building blocks, not so much on the templates that would be part of a recommended palette in the future. I can anticipate that happening over time, but at the moment, we’re at the 101 stage here.
Jeff
I feel we’re talking almost in terms of contract language. We are negotiating the baseline risk that is acceptable, and then what are the areas that we’re able to accept risk, and that might be a setting here or there, those sorts of things, so I’m just thinking here: It’s like, “OK, it sounds like if we can agree at least on a common platform — we can all agree that MFA is good — we should have that. All right, great.” Then, it becomes, “OK. Well, what are the methods for MFA? OK. Well, SMS — not really recommended anymore, but better than nothing. What’s the target?” You go through this negotiation between security and compliance and the business to come up with best practice for that organization using a common fundamental security setting that everyone agrees on, and then you tweak it from there until you’re comfortable with whatever risk is identified as acceptable.
Gerry Gebel
Agreed. I think MFA, multifactor authentication, is something that a lot of people can agree is a good thing. It’s a step up. It’s an improvement. The terminologies discussion is fine as an exercise, but I think the real challenge for practitioners is, how do we install it and implement it, especially with all of these legacy systems that were never built in a cloud-native way? Maybe we don’t have the source code or don’t control it, so that’s also something that an identity fabric can help you accomplish, because you can connect the MFA solution into the fabric, and then we all use the term orchestration. Then, it can orchestrate or facilitate the use of an MFA during the session without having to change the application, so that’s another value point for an identity fabric that has this abstraction layer. Because you’re not hard-coding or customizing or changing your applications, you can introduce something like an MFA at a higher level, and that’s shown to be a real winning approach.
Jeff
We’ve been talking an awful lot about the cloud, and I know that you gave an Identiverse presentation way back in 2019 around “Bring your own identity.” There may be some overlap here with fabrics and orchestrations and things like that — maybe not — but can you sum up what that presentation was that you gave?
Gerry Gebel

That was a real fun presentation for me to put together. I have to give a shout-out to Steve Wilson, who really encouraged me to put that together. It’s something that had been boiling over many, many years — even going back as far as 2008, when I first wrote about “Bring your own identity.” I thought of this presentation as my own personal digital ID journey over time and how it impacts you on a personal level.

As an analyst or as a practitioner, you’re always thinking more from a corporate perspective or industry perspective, but that was some of my own personal thoughts about the impact of single sign-on: Is it really a good thing, the social login approach, which really is a formulation of bring your own identity? Because what I said was, “Well, I’ve already proved my identity to some level with this other internet property or environment. Why can't I reuse that? Why do I have to register at every single website that I visit?” Social login through Google or Apple or Facebook, that’s everywhere today, and I think I have a little bit of buyer’s remorse that this is great for some people, but for me, I am uncomfortable with that approach because of all of the connectivity behind the scenes and all of the ability to track everything I do, whether it’s through websites I visit or purchases I make or even the devices I use, they’re tracking data.

Jim

The one thought that I’ve been having is, there are so many websites out there that still are not using a social identity provider. As you’re creating a profile, you’re thinking, “OK, this site is definitely going to get breached at some point, and they’re going to take my data and dump it on the internet. I really don’t want to create a profile.”

There are some sites that I walk away from, and then there are some that — for example, I had to create an identity to sign my son up for Little League baseball, and it was a local organization of Little League. It wasn’t the international Little League organization. I’m thinking, “OK, there’s one more place that my private data is probably going to get breached from.” At the same time, I think at the early stages of “Bring your own identity,” some folks were thinking, “OK, this is going to be the way I log in to work, or the way I log in to my bank,” and it’s like, “I could never imagine trusting that using my Google Gmail login or my —” I don't have Facebook or Instagram or any of those, but I could not imagine trusting those to log in to my corporate assets or to my financial records. There’s still value in it, but I don't think it achieved 10, 15 years ago what we hoped it could.

Gerry Gebel
I think the world has changed a lot since then. The technology has advanced so quickly to surpass what we thought of, say, 15 years ago or so, and that’ll continue to be the case. I think a lot of focus right now is around identity-proofing. It’s not an area I cover or focus on myself, but I see a lot of interest and research in this area because how can we really proof identity in an online setting without a face-to-face going to your bank or to the motor vehicle office, or what have you? So that’s one thing, and how can we get digital identifiers out to the masses of population that maybe are not as technology-enabled as those of us in a developed country? I think there are always new challenges to work on.
Jim
We kick around a lot on this podcast the idea of decentralized identity, and the use cases we think of a lot are things like government organizations issuing a blockchain ID. I think Big Tech could put together a consortium and do that, but I think at the same time, they have so much value from having your identity data in their proprietary systems that where is the business benefit of putting together something that is like, “Hey, we’re going to put you in charge of your own identity”? How are they going to make money off of that?
Gerry Gebel
Jim, you said “best practices,” and now you said, “blockchain.” What are you trying to do to me here? This is going off the rails pretty quick.
Jim
I’m trying to get you fired up, man.
Gerry Gebel
So, yes, control of your own identity. You’re right. How does the corporate world make money off of that if we truly can’t control what aspects of our identity are released, and in what manner and under what conditions? That’s something we talked about at the Burton Group as well. We called it a limited liability persona, and it was the concept that you could actually incorporate a persona and, therefore, have some of the legal protections that such an incorporation would provide. I think it’s a fantastic concept. The self-sovereign folks are following a line of thinking from that, but it’s a difficult business model. I think, as consumers, yes, we want to control our identity data, but from a commercial or business perspective, there’s certainly a lot of friction between releasing that power. It’s a very asynchronous power arrangement today, and I think the concept of self-sovereign identity is trying to equalize that. It’s very difficult to get those scales back in balance.
Jeff
I think it’s an area that a lot of people are very interested in, and I feel like that can be multiple episodes for our show. Maybe we’ll pull it back and tackle that in a future episode with you, Gerry.
Jim
I know we’ve run a little bit long here, but I think it was a really good conversation. I do want to start to wrap things up just to be respectful of people’s time, so what I’ll do is, I’ll pass it around the room for any final thoughts. Gerry, if there’s any other analyst nuggets or tidbits or inside baseball that you feel like sharing, now would be a good time to do it. Let’s go with you, Gerry.
Gerry Gebel
It’s been great to talk to both of you about some of the ideas. It brought back some of the memories — especially the Burton Group memories. I do remember dealing with vendors was always a challenge, and now I’ve been working in a vendor a couple of times here, but they would certainly berate you on the side channel if you didn’t recommend them over someone else or, of course, about their position in a paper, so a lot of that definitely happened in the back rooms. It’s been great to be part of the podcast series. I would love to come back in the future. Maybe we’ll make a little progress down the road here with the IDQL efforts and let you know what is happening there. Thanks, again, for inviting me.
Jeff
Yes. Thanks so much, Gerry. Definitely, once we have some firm things around IDQL, Identity Query Language, definitely, let’s get that on the calendar and start to figure out how we help contribute and push that forward. You mentioned the analyst firm with the vendors. I’m not looking for a comment. I’m just going to throw this out there: I wonder what it was like in the Microsoft and Okta war rooms when the most recent access management quadrant came out from Gartner where Okta was finally dethroned as the upper right. I think that was probably a very interesting conversation, and the unfortunate thing is, both are great products, but I think there’s so much competition to be that upper right or top or whatever it is and then quadrants or leadership, whatever that may be. I’m just going to throw that out there. I think that would be an interesting area to be a fly on the wall and listen to the conversation. Jim, what about you? Any final thoughts before we leave it for this week?
Jim
Jeff, I did not think you were a trickle-down economics kind of guy.
Jeff
It doesn’t work in economy, I’ll tell you that right now.
Jim
If you ask me to name 1,000 people who would have said what you said, you would not have even made the list. You wouldn’t have even been 1,001. You shocked me with that answer, but to everyone who listens, thank you so much for putting up with us and listening to us on a weekly basis. Thank you to Gerry, giving us his time today, and I’d encourage you all to connect with Jeff and me on LinkedIn. Gerry, I think the same thing for you - we’ll have all that contact info in the show notes, and, yes, networking is just one of my favorite parts about doing what we do.
Jeff
Yes, we’ve got a lot of content from our listeners and the folks who connect with us. We try to bring it out here for folks to listen to and get great guests and interesting conversations like Gerry and others. Yes, keep those connections and ideas coming. Definitely, we read them all, and we try to incorporate as much as we can into episodes over time as we work through things. I think, with that, we’ll go ahead and leave it for this week. Thank you, Gerry, for joining us. If you want to learn more about Strata.io or Strata Identity, it’s Strata.io on the web. You can also visit us on the web at Identityatthecenter.com, and you can find us on Twitter @IDACPodcast. With that, we appreciate everyone. Thanks for listening, and we’ll talk with you all in the next one.

Thanks for listening to the Identity at the Center podcast. If you like what you heard, don’t forget to subscribe, and visit us on the web at Identityatthecenter.com
