Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With a combined 30+ years of IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry.
Do you know who has access to what?
You’re listening to the Identity at the Center podcast. This is the show that talks about identity and access management, and making sure that you know who has access to what. Let’s get started.
Welcome to the Identity at the Center Podcast. I’m Jeff and that’s Jim. We have a couple of guests, and one of them is Kelvin Coleman. He is the executive director of the National Cyber Security Alliance. Welcome, Kelvin.
Thanks a lot, Jeff. It’s really great to be here with you, Jim and Julie.
Our other guest, Julie Smith, is making her second appearance gracing us with her presence on the Identity at the Center podcast. She’s the executive director of the Identity Defined Security Alliance. Welcome, Julie.
Jeff and Jim, it’s always a pleasure to be with you, and thanks for inviting me back.
Anytime, and hopefully we might hear an appearance from Sly, the cat. We’ll see if he will deem us worthy of making an appearance via Julie’s mic — a special microphone that she’s probably got set up just for him, I bet.
Exactly. The SlyCam.
Why don’t we start with where we normally start, and that is, how did you get into the IAM space or infosec area? Julie, why don’t we start with you? You’ve been on the show before, but for those who didn’t catch that, how did you get into the IAM space?
Sure. My career goes back more years than I’m willing to admit. I started in technology with one of the — at that time — Big 8 accounting firms. I was in the software development organization, so that’s where I got my technology start. Then fast-forward, again, a large number of years that we won’t talk about, and I ended up in a little company based in Colorado called Ping Identity. That’s where I got my first entry into identity and access management, and that was in 2008, and spent some quality time there learning about the industry and multiple roles, and then picked up the security side of my background at a company called Optiv — again, headquartered here in Denver — and those two things together brought me to the Identity Defined Security Alliance, where I’ve been full-time for the last two years, focused on this intersection of identity and security.
What is the Identity Defined Security Alliance? Can you recap it for us in a nutshell?
Sure. The Identity Defined Security Alliance is a nonprofit organization. We focus on educating and providing resources to primarily the security community about the importance of identity-to-security strategies. So we have 26 member companies that cross the identity and security boundaries, and we also have nine customer advisory board members who represent the practitioner community and provide oversight to our vision and our mission and help guide us. We just announced a new customer advisory board member today, Bernard Diwakar, who’s a chief enterprise security architect at Intuit. We’re super excited to have him on board, and maybe at some point in time, we can get him on your show.
Sure. We’re always happy to talk with folks in the IAM space. That’s what we’re all about. Kelvin, why don’t we pass it over to you. This is your first time on the show, we’re always interested to hear, how did you get into infosec and the IAM space? Is it something that chose you, or did you choose it?
Jeff, you point out it’s the first time I’m on the show, and if I do a good job, maybe you’d invite me back, and if you don’t invite me back, it tells me how I did. It definitely chose me. I was a staff director at the Department of Homeland Security for the President’s National Security Telecommunication Advisory Committee, the NSTAC. If you think about the red phone going from the White House to the Kremlin, kind of that lore. The NSTAC is based around that, and then my supervisor, Sanjin Jimena, said, “I need you to find out what’s happening with cybersecurity and IAM around the country as it relates to state and local,” and no one else was doing that at that time.
So, I became the de facto expert on state and local cybersecurity, and this is the early days, when people really were not thinking about it. They’d much rather deal with Tokyo than Topeka. I love going to those state capitals around the country. So, it just evolved from there. I left the department, went to the White House for a while and then FireEye, and was at the National Security Agency. I got a call from a friend who said, “I really think you do well as executive director of the National Cyber Security Alliance,” and here I am today, very happy with this role.
We’re happy to have you here. For folks who aren’t familiar with the National Cyber Security Alliance, can you talk about what that organization is all about?
It may sound a bit self-serving for me to say we’re the premier public-private partnership in cybersecurity. We’ve been around for quite some time now. We facilitate between government and the private sector as it relates to cybersecurity and education or awareness and training. The three buckets that we like to talk about are, “We convene, we educate and we amplify.” That’s why working with Julie and IDSA is so great, because that last piece in particular — well, all of them: convening, educating and amplifying — but we get to do that with a great organization, and that’s what we do, in a nutshell. We love partnerships, we develop, and we nurture and certainly try to grow them, which is one of the reasons I’m here today.
Julie, this show publishes on April 12. Tomorrow, April 13, is Identity Management Day. What is Identity Management Day, and how did that come about?
Great timing — a day before. April 13, the second Tuesday of April, has been dubbed Identity Management Day, and it’s a day to raise awareness about the importance of identity management and securing digital identities. Think of it as not as frequent as Taco Tuesday, for example, but a day that we can all come together, hosted by the Identity Defined Security Alliance in partnership with the National Cyber Security Alliance. And it came about from one of my member companies last fall. A company called Centrify brought it to us and said, “We’ve done some research. We’ve found that there is no specific day out there that raises awareness about what we’ve all come to believe is a truly important topic, and we think the IDSA is the right organization to host that.”
The board got together, talked about it, loved the idea, and we decided, in doing some research, that we would model it after something called Data Privacy Day, which happens in January, the third week of January, and is cohosted by the NCSA. That’s what caused me to reach out to Kelvin’s team, Jen Cook and Justin Price at the NCSA, and start having a conversation with them: “This is something that we would love to host. We’d love to partner with the NCSA.”
The IDSA focuses our message toward security professionals inside organizations, whether it be enterprises or the public sector. In the NCSA, you guys do a lot of that as well, but you also have an angle from the consumer perspective — helping consumers to stay safe online. We thought that it would be the perfect partnership for us to work together, and we launched it on February 23 — we made the initial announcement about Identity Management Day coming up — and it’s been nothing but positive since we started that.
There are a lot of different ways for organizations to get involved. We have over 150 champions that have stepped up and said, “We want to be recognized as either individuals or organizations or industry partners who recognize and evangelize for the importance of identity management and securing digital identities.” It’s been nothing but a very positive experience all the way around.
What is taking place on Identity Management Day, April 13?
Tomorrow, we have a couple of different events going on throughout the day that are hosted by either the IDSA or the NCSA, and then we hope that there’ll be other events. I’m aware of a few that haven’t been announced yet, but other events will be hosted by other organizations that have latched onto this awareness day.
It starts off at 12 p.m. Eastern time with a LinkedIn Live webcast, and during that webcast, we’ll announce the winners of the Identity Management Awards, which we just launched as part of this day: Evangelist of the Year and Organization of the Year. I’m excited to say that we had 22 people nominated — might be a couple of our hosts that might have gotten nominated — as Evangelist of the Year, and we had 32 organizations nominated for Organization of the Year. So I’m super excited that we had that kind of response on our very first awareness day.
We’ll announce those winners, and then we’ll have a panel that will talk about the importance of identity management, Identity Management Day and why — similar to this conversation, but more, hopefully, and share resources and ideas about how organizations and individuals can become more secure online. The panel will consist of me, Kelvin will be participating, Stephen Lee from Okta and Tom Malta from the Navy Federal Credit Union as well. We’ll have an expert panel, we’ll talk about this topic and share best practices with the community. That’s at 12 p.m. Eastern time.
At 2 p.m. Eastern is a webinar hosted by the NCSA focused on the small to medium-sized business and why identity management is so important, and I will be participating in that, as well as a member of the FTC, the Federal Trade Commission. Last, at 3 p.m. Eastern, we’ll have an online Twitter chat, again hosted by the NCSA, at Stay Safe Online following the #IDMgmtDay chat. This is all information you can find on our website, but that will be more focused on consumers and how consumers can stay safe online. We have Identity Management Champions like LastPass and Norton LifeLock that will be participating in that, as well as being led by the NCSA. So, a full day of activities and, hopefully, lots of resources being shared across the community as well.
That’s really awesome. For those who nominated Jeff and me, thank you very much, and your checks are in the mail. I do want to ask Kelvin — there was a lot there that Julie mentioned that you guys are doing on Identity Management Day. What other ways are you supporting this day, and what is NCSA’s current role in Identity Management Day?
Jim, you know, when I talk about Identity Management Day, I think about Bruce Springsteen and the E Street Band. Julie is Bruce Springsteen in the IDSA. We’re the E Street Band — we’re there to support. We’re invaluable, for sure. Bennie needed the Jets, Hootie needed the Blowfish. I can go on, but we are here to support our partners, IDSA and Julie, and so proud to do so, and so honored that they approached us with this idea. The NCSA — we are somewhat of a major force multiplier for things in this area in the IAM space, cybersecurity space, data privacy space, so we’re going to leverage all of our resources, our member companies, the folks that we work with on Capitol Hill to make sure the word gets out about Identity Management Day. That’s a lot of what we bring to the table.
People are able to go to our website to get a lot of no-cost resources — and I’m very specific when I say “no-cost”: I don’t say “free,” because somebody has paid for it, whether it’s our member companies or our generous grant from the Cybersecurity and Infrastructure Security Agency at the DHS. They provide these resources for us to be able to partner with the IDSA and provide these resources at our website at no cost for people who want to take advantage of them.
There’s nothing wrong with free. I think people will always be amenable to having free resources. Plus, you got a cool domain name: Stay Safe Online — that’s easy to remember.
That’s right in the domain name, Jeff. We try our very best to not only keep ourselves safe but help others do that as well. Julie mentioned a very key point of that: We do focus on individuals and helping them, whether you’re talking about families and communities, which are made up of individuals. We tried to cover 360 million Americans in the 50 states and six territories, because they really need to understand this information.
I’m curious — and this is maybe going a little bit off track, but from an advocacy standpoint, you mentioned talking about the individual. Do you ever get involved with advocating on behalf of individuals for any identity-type things with governments or businesses or anything like that?
Yes, certainly businesses. We were able to really help businesses understand identity and access management, why it’s so critical to the enterprise security plan, and how it’s linked to security and productivity of organizations. We’re constantly advocating on behalf of, again, small to medium-sized enterprises — businesses are one thing, but small to medium-sized nonprofits, small to medium-sized governments. We forget that there are smaller to medium local governments, particularly small governments — they don’t have the bandwidth to focus on something like this. We come in, again, to be a force multiplier to help them out and certainly advocate on their behalf.
That’s great. Julie, I had a quick question for you regarding Identity Management Day. Have you had more of a U.S.-based response that you’ve seen, or have you seen a good international response to this as well?
That’s a good question, Jeff. It’s definitely been an international response. We’ve seen organizations based in Europe. One of the organizations that reached out to be an Identity Management Champion is Cyber in Africa. It does run the gamut — geographically diverse, but also, back to Kelvin’s point, we’ve had a teacher within the Norfolk Public Schools system reach out and say, “We’re all about helping kids to understand what it means to go online and how to make sure that they’re secure, and the things they should do and shouldn’t do.” I thought that was really interesting. Today, I had the office of the CIO for the state of Iowa reach out and want to be identified as an Identity Management Champion. It’s across the board, and it’s been super fun to see the different types of organizations that have reached out and wanted to step up and say, “We want to be an Identity Management Champion.”
I did want to go back and thank Kelvin for the shout-out. I appreciate your support, Kelvin, but I will say that it’s been a total team effort — not just from the NCSA but also from Brad Shewmake, who is the chair of Identity Management Day and the global director of corporate communications at Centrify. He’s the one that brought it to us, and he’s had a number of resources in his organization helping out, and it’s very definitely been a team effort. I just get to be the drum major.
I think it’s always great to get recognition. Obviously, Jim and I have been fans of this since we heard about it for the last couple of weeks. I think the next step here is, it’s not just an international holiday or day of recognition. It’s more along the lines of a galactic day of recognition. Maybe we can work on interplanetary, interstellar recognition for IAM as it grows. One of the things that comes up quite a bit — and I think this is a big part of recognition — is how important people are to IAM, and Kelvin, we can start with you. How important are the people as a part of the IAM space?
I want your listeners to hear me very clearly here: They are the most important part of it, the most essential piece of it, and that’s a little strange sometimes when we talk about technology and when we talk about mitigating challenges as it relates to technology, because our instinct is throw more technology at the challenges.
We saw the early part of the technology evolution — if you think about Y2K just 20 years ago, and people waking up to how important technology was to our lives, we tended to see these challenges and say, “We need to build better products.” Then, once we saw that those products really were not — they were helpful but certainly not stopping all of the things we need to stop, we pivoted to processes: “Let’s develop better processes,” all the processes — again, helpful, but still not complete. So, we went from products to processes, and then, over the last couple of years, people have said, “Huh! People! That’s a pretty important part of it!” And hardcore technologists have now said, “You know what? We really need to focus on people, human behavior — and not people as the problem, but people as the solution.”
Celebrating the identity management practitioner is so very important and appropriate, because these are the people who are on the front lines of this battle. You have different battle domains going on, but on this battlefront, these are the folks that we need to be celebrating, because they’ve been working in obscurity — and have been doing a great job for many, many years now. And now we have an opportunity to bring some recognition to the very important role they have. So that’s why, in my opinion, people — they’re the most important part. Products and processes, to all my board members and folks that support us, are absolutely important, but we have to do a better job focusing on the people. I hope the identity management practitioner gets that message tomorrow.
I think that’s important, too, to talk about that recognition. A lot of times, we’ll go into an organization, and you’ve got this loose collection of IAM heroes that are making things happen. Despite all odds, they may be the glue that’s holding things together. I think it’s important to highlight some of those roles that are out there because it is such a big part of an IAM program. Julie, what are your thoughts on it?
I’d like to give a shout-out to an organization that has emerged in the last couple of years — probably around the time we did — which is IDPro, which is all about helping to create more identity and access management professionals and to educate those folks, and they’re a great organization. I have joked about Identity Management Day, and maybe it also becomes Hug Your Identity and Access Management Professional Day as well because, certainly, back to Kelvin’s point, those folk need recognition as well.
For the IDSA, we’re focused on turning security professionals into identity and access management professionals as well by raising awareness that identity has shifted from this operational thing, and providing access for people to do their jobs to something that needs to be a core part of security, because identity is the easiest thing to get access to. A hacker essentially needs valid credentials in order to get into an organization and do some damage. I completely agree about the people side, and hopefully, everybody tomorrow will virtually need to hug their identity and access management professionals, since we’re not back in the office quite yet.
Our listeners are the IAM practitioners of the world. This day is for you. We just got a big pat on the back for those of us who were in leadership roles, and folks who work for us are on the front lines and making it happen. I think what we’re all doing is, we’re consuming all of this great information and making it relevant for our organizations and enacting those processes and technology that actually made IAM possible at scale. We’re really doing something important, not only for our organization but also for society as a whole. So, this day is for us — and it’s about time. Thanks to Julie and Kelvin for leading and pulling this together for us.
I think one of the things that is always interesting is the future and what’s coming up. What is next from an IAM perspective? We’ve been hearing a lot about different things — different types of identities — whether it is decentralized identity or blockchain or passwordless. Zero trust has really taken on a big approach and is a big part of the mind-set for security professionals, especially over the last year or so. I’d like to understand from Kelvin and Julie — we can start with Kelvin — what do you see as being next from IM? Where does it go from here?
I’m going to borrow this from Julie, who just had a great thought about — I love the question “Where do we go from here?” I think we go from here to basics. Keep it simple right now, in terms of doing what we do well in IAM now, making sure folks understand the basics. It’s super cool to talk about new and next and the future, what’s exotic. We’re getting hammered now, and we know our major breaches, many of them are coming through compromised credentials, coming through folks who had their identity compromised. So, for me, what is new — well, let’s do really well what’s old. Again, I freely admit I stole that from Julie, so I’m upon it to my friend and leader Julie to see what she has to say as well.
You totally stole that from me.
We just recently published a survey at the beginning of February, and it was a unique survey in that we asked the stakeholders questions about access challenges they have in their organizations, and it revolves around granting access and revoking access to applications, onboarding employees, offboarding employees, etc. From the stakeholder perspective, they are still seeing access challenges. Now, granting access is really more of a productivity thing, but revoking access is a security thing. Identity and access management — we’ve always thought of it as an operational activity. We’re now shifting to it in the last couple of years to really be primary security focused, but I think it’s important to recognize that from a stakeholder perspective, there are still a lot of challenges out there.
I’ve been accused recently of being “old,” and pragmatic. So, I feel like where we need to be with identity management is providing the resources to help organizations be successful with the challenges they have today. The IDSA is all about providing best practices and identity-centered security outcomes that can help organizations achieve those goals that they have today. I feel like sometimes we do a bit of a disservice and focus on the shiny object, as opposed to help organizations address the here and now. Where does IAM go from here? Our organizations really need to be focused on helping today. Maybe not as flashy as some answers you’d like to hear, but I really believe that that’s important.
I think it underscores that report that you talked about — we briefly touched on it in the previous episode — and one of the things that jumped out at me was that security aspect: How long does it take to remove access in a timely manner when someone leaves? Well, what does timely mean? From what I remember from the report, it was, roughly only half of the company was taking care of access either the day of the departure or even the day after, which means that there are still a large number of organizations that are terminating access days, weeks, after someone has left, and that is risk right there for any organization. Getting back to basics and understanding that you have to crawl before you can walk, you have to walk before you can run, you really have to nail the basics before you even should start thinking about some other things.
Sometimes, organizations get distracted by the shiny thing. They hear cool things like “zero trust.” Is it the wave of the future? Sure, yes. Could you do it today? Maybe. It depends on, what do you already have in place? How are you handling things from a people and a process perspective? Do you have the right technology to back up those types of concepts? You really need to take that kind of stuff into stock, and I see things like blockchain and decentralized identity. Those have been talked about over the last two or three years, and I still haven’t yet seen a good enterprise application for that. But I certainly see the application on the consumer side or the citizen side, or something needed along education or health — things like that — but a lot of those organizations still are struggling with basics as well.
One thing that has caught on more recently is something that I’ll give a lot of credit to Microsoft and Apple for: this idea of passwordless — being able to use biometrics to log in. Even people who aren’t as into the doodads as I might be, they can use Face ID, they can use Touch ID, they can use the equivalent on the Windows side, Windows Hello, to streamline the authentication experience, which, at the end of the day, is a good thing. You can have a much better security output that comes from that. Jim, what are you thinking from an IAM-next perspective?
What I see that’s happening in our industry a lot, it’s always happening. From the time I got into the industry, there were companies that grew into the powerhouses of the industry: Oblix, Netegrity, Sun — they get bought up by bigger players, and sometimes they become the new force to be reckoned with. Other times, they disappear into ambiguity. You’re still seeing that today, where there’s this consolidation going on, but what you’re also seeing happening is these major platforms like ServiceNow, Salesforce, Microsoft — they want to be players in the identity and access management space.
I don’t think most companies are going to say, “We’ll go all in on ServiceNow. Therefore, we don’t need Microsoft, and we don’t need Salesforce.” I think a lot of organizations are going to find that they need all these platforms. Plus, there are other platforms like Google and Amazon, and so, does it become that you pick a platform and that becomes your identity management set of technologies, or do you need something that glues it all together — some other best-of-breed technology that glues it together? Or do Okta and Azure become this new mega platform? I don’t know the answer, but I think it’s really interesting to watch as our industry continues to evolve in this way. What I found over my 15 years–plus in the industry is that each time these consolidations happen, it creates a gap and it creates an opportunity for new business to grow out of nowhere and become a major force to be reckoned with.
We’ve certainly seen a lot of consolidation in the last few weeks, and I’m curious from the way that your organizations, Kelvin and Julie, approach working with multiple vendors and multiple businesses, etc., what are some of the things that come to your mind when you see something like Okta making a $6 billion purchase of Auth0, or CyberArk buying up a smaller or another IAM kind of company. How do you guys approach those types of events? Kelvin, let’s start with you.
To be perfectly honest, I see an opportunity to have another member of the National Cyber Security Alliance — someone to join the family of the willing — but it’s the nature of the business. It really is in terms of when you create something really efficient, effective, smart — these larger companies wanted to take advantage of it. I don’t know if I see it as good or bad. It’s just the nature of the beast and what we have today. More times than not, we get better technology out of it, and going into the future, I’m OK with it.
It’s just changed. But, I think it is interesting to see how we are coming back around to your comment, Jim, around the platforms. Back when I got into the industry, it was Sun and Oracle and IBM — the big platform players, at least in the identity space. Ping was relatively new and trying to be a best of breed, and now I think we’re seeing things coming back around — maybe not necessarily those names that I mentioned, but we are starting to see consolidation and platforms being created again. It’s something that we need to deal with as member-driven organizations, Kelvin and I, it’s just going to change. That just is the nature of the beast and technology.
This is the world we live in. You also have to be agile and be able to adopt change where it’s needed.
You guys have been super generous with your time, and I want to make sure that we respect that. Before we start to close things out for this week, I’ll pass it around the room real quick: Any final thoughts for folks who are listening out there in the international IAM space, as our show is? Julie, I’ll go to you first.
Yes. The last thing I’ll say is, tomorrow, Identity Management Day. Google a couple of hashtags: I’ll give them to you, and they’ll also be on your website as well. You’ll see a ton of resources that are being crowdsourced and contributed to the community around identity management and securing digital identities, and the hashtag is #IDMgmtDay, and the other one is — and this is the important one — #BeIdentitySmart. So, look for those two hashtags tomorrow, and hopefully you’ll find some fantastic resources to help you succeed in whatever aspects of identity and access management you’re involved in.
That’s great. Thanks, Julie. Kelvin, how about yourself?
I’ll leave it with a quote from the great Wayne Gretzky, who said he wasn’t the biggest, he wasn’t the fastest, he wasn’t the strongest, but he was the best because he would skate to where the puck is going to be, not where it was — not where it is, rather. He would skate to where it was going to be. And I think that’s what the National Cyber Security Alliance and certainly the IDSA — that’s what we’re trying to do, to help people to understand where the puck is going to be and, ironically, where it is now, in front of the challenges. I’ll leave you one more quote: The great Michael Jordan said, “Individuals win games, but teams win championships.” So, you don’t have to do it alone. Tomorrow, join us as we celebrate Identity Management Day and celebrate those practitioners who’ve been on the front line for so many years.
Hear, hear! I fully support. How about you, Jim?
I want to thank Julie and Kelvin not just for being on the show — that’s obvious, and we always are appreciative of our guests — but thank you for the contribution you guys are making to the IAM practitioner and, in particular, with Identity Management Day. I called myself an appreciation junkie in the past — just the fact of what the IAM practitioners are doing for their organizations, and you guys are out there providing resources, best practices and material to help us with our job, and in all cases, it’s free content: Just go on LinkedIn and follow these organizations, follow them on whatever social media platforms, get familiar with their websites and volunteer, because they’re doing great things for us, and if you have the time and the ability, please give back.
That’s certainly well appreciated. There’s nothing better than free content, and when you find content that’s relevant to your role in your organization and what you do, even better. So, thank you so much, Kelvin and Julie, and with that, that’s probably a pretty good spot where we can leave it. If you guys are good with it, I’ll have a whole bunch of different links in our show notes today. So, wherever you’re listening, you can scroll in your little screen and try to find the links there, or you can also go to the website IdentityattheCenter.com — you’ll find it there. Happy Identity Management Day tomorrow, Tuesday, April 13 to everyone. For more information, you can visit IdentityManagementDay.org. You can also visit StaySafeOnline.org, and with that, we’ll go ahead and close it out for this week, and thanks for listening. Take care.
Thanks for listening to the Identity at the Center podcast. If you like what you heard, don’t forget to subscribe, and visit us on the web at IdentityattheCenter.com.