Video: Always On, Always Aware: Building a Continuous Identity Strategy | Duration: 3559s | Summary: Always On, Always Aware: Building a Continuous Identity Strategy | Chapters: Welcome and Introduction (20.895s), Continuous Identity Strategy (86.86s), Evolution of Identity (236.91s), Identity Evolution Challenges (370.435s), Evolving Identity Systems (807.31s), Contextual Identity Decisions (1018.135s), Contextual Access Control (1360.58s), Dynamic Risk Management (2286.43s), Security-Identity Integration (2458.435s), Integrating Identity Systems (2709.16s), Centralized Policy Enforcement (2831.025s), Future of Security Frameworks (2972.215s), AI's Security Impact (3090.59s), Concluding Thoughts (3285.845s)
Transcript for "Always On, Always Aware: Building a Continuous Identity Strategy":
Hi there and welcome to today's webinar brought to you by The Cyber Hut and SGNL. My name is Simon Moffatt. I'm founder and research analyst at The Cyber Hut. With me is Mat Hamlin from SGNL. Mat, how are we doing? Good. Good. How are you? Yeah. Mat Hamlin, director of product marketing at SGNL. Good to be here. Thanks for having me. Hi, Mat. Well, I'll do some intros in a second. I guess a little bit of housekeeping before we dive into today's fascinating topic looking at continuous identity. Everybody is obviously globally muted today, but we do have the Q and A functionality available. So please use that as we go through today's content and we will leave some time at the end to answer any specific questions. We can try and weave those into today's conversation as well. And, of course, this is being recorded, so you will have access to that on demand, to watch at a time of your choosing or share with your colleagues in the future. But today's topic: Always On, Always Aware: Building a Continuous Identity Strategy. It's an area which The Cyber Hut has been researching for a good twelve months or so. There's been lots of subtle moves within the market and within industry to move towards something more dynamic and more responsive. And there's certainly more inquiry time being spent on this. There's more questions being asked around what this is, how to operate it, how can we solve some of our legacy identity deployment patterns. So absolutely thrilled to be digging into this topic in a bit more detail. My name is Simon Moffatt. I'm a founder analyst at The Cyber Hut. I've been fortunate to be in identity for a number of years, nearly twenty five, in fact, which is a little bit scary. And identity has never been as important as it is today, empowering not only productivity, but also things like security, integration, things like cloud, mobile, and obviously now more recently things like AI as well.
They certainly made identity much more central and strategic to how the modern enterprise functions. And it's really a little bit of a privilege for me to still be in the industry and seeing all of that change over that period. And I guess, Mat, yourself as well. I know you've been around for quite a while, so maybe a quick intro to yourself and your backstory perhaps so we can get started into today's content. Yeah. Thanks. Yeah. So I only have twenty years in engineering. You and I got started at the same time, I think, but I took a little five year step out to do some backup, recovery and security at a different company. But, yeah, I think we rejoined the industry about the same time. And we had some overlap, right, over at Sun Microsystems years and years ago. So, but, yeah, across my twenty years, I've had the privilege of working at a number of vendors and covered just about every area of identity over that time, starting with provisioning. And then you and I had overlap with role mining, role management, access certification. And then for a while, I spent some time at Salesforce on their platform identity, making sure that all access was controlled really well. So a lot of time on authentication and MFA. And now over at SGNL, I'm focused on authorization. So I've been very lucky in my career to be able to cover a lot of these areas and listen to a lot of customers, try to understand their problems better. That's fantastic. I think all technologies change, don't they? And they evolve, and obviously some technologies disappear. I think it's just a fantastic way to see identity move away from being the sort of LDAP thing of twenty odd years ago, where it was sort of operations. And it was just this guy in the corner.
And I was that guy in the corner doing directory services stuff, and suddenly it's bloomed and blossomed to where it is today, and it still continues to surprise me the directions it goes in. And today's agenda, we're hopefully gonna cover some of those new directions really. We wanna start just, I guess, understanding a little bit about where we are and understanding some of that history and legacy around point in time identity and access management and how technologies were designed, how they'd be used, the isolation around some of those technologies, and really trying to make that more enabled, more dynamic, going from something that was static to something more smart, informed, and able to respond to not only external cyber threat, but also the business requirements around risk and integration as well. And we'll sort of end up understanding a bit more about runtime risk and how we can leverage some of those existing risk signals or data signals within our identity world. And as I said earlier, it is really becoming quite a pressing problem. I think identity is becoming more important. It is strategic to enable things like zero trust, absolutely productivity and governance and access to the right systems. But we have a whole host of other things to deal with. Alongside humans, we have non humans, we have migration to the cloud, which sort of hasn't really completed. We're still sort of hybrid, I think, in our landscape there. And identity is now suddenly being measured, if you like, from a success perspective. Our success is empowering things like zero trust and just in time access, zero standing permissions, and integrating with the broader security ecosystem, which I think we'll probably uncover a little bit more in detail today. So I wanna start off, not necessarily describing identity in a bad way, but it does need to evolve.
And there's a lot of excellent knowledge and maturity and concepts we've built up over the past probably three decades, really, you know, since the late nineties, I guess, where we started to commercially deploy things like directory services and then a bit of single sign on and access request review that you mentioned there earlier as well. And that's great. You know, we've deployed a lot of software over the past twenty odd years. And I think some of that is good. It does a good thing, but equally, things evolve. Many organizations are really stuck in this sort of assurance trap, aren't they? I think there's multiple disconnections I wanna pull out here, and I'm looking to get your thoughts on this as well, Mat. You know, we're very familiar with things like identity verification and validation, step up authentication and so on: these big barriers to onboarding and big barriers to logging into systems based on risk. And these are great. You know, they do the basic security control points. But over time, and this could be relating to, you know, the time a user is logged into a system, things like session lifetimes, or it could well be the time a user is working on a project and has permissions, if you look at the time versus the assurance, there's always this continual degradation. The longer somebody's logged in, clearly, the bigger the vulnerability to their session could be; the longer somebody has standing permissions or has been associated with roles and groups, etcetera, that becomes more of an attack surface as well. So we have this continual slide, but the other thing I wanna briefly mention is that disconnect as well between the identity data, the profiles, permissions, policies, and the things that we manage from a governance perspective.
And then all of the runtime world around authentication, policy enforcement, access control: they're often very disconnected. And I wanna throw this to you, Mat. What are your immediate thoughts on that disconnect? Am I scared? Is this a bit of a scare story, or is this just, I guess, an inevitability of this two, three decades' worth of identity investment we've all made? Sure. Thanks. I mean, I definitely think it's an inflection point and an exciting time in our market. I think identity, and enterprise identity especially, moves very slowly. But you see over the years, most organizations will focus on the areas that they're required to focus on. Right? For so many years, the initial focus was just on operational efficiency. Right? So all the way back to my Sun Identity Manager days. Right? Like, Sun Identity Manager provisioned accounts. It really didn't even provision the entitlements. Right? It was about when somebody joins an organization, what systems they need access to. Right? And there was a little bit of customization and evolution to say, well, let's create accounts for these folks on these systems, but maybe we could also put them in a role or give them a little bit of entitlements. But fundamentally, you know, the origins of user provisioning were fairly operational, just to make sure that you can get people some base level of access and get started on their daily tasks before they may quickly pass through the organization. Right? And so then you see it evolve again, right? There was a shift in the market. There was a regulatory demand. So SOX 404 happened. And so organizations were held to account, right? It was a financial control. But in that, it said, you know, organizations must ensure that users only have access to the systems and data required to do their job.
That one little sentence, you know, forced organizations to do a lot, to really spend some time on that area because, you know, creating accounts is one thing, but only the things they need to have access to do their job, now you're getting into a little bit more granular, down to entitlement. What can I do inside of the system? So that sort of gave birth to the areas that we focused on, right? So enterprise role management and mining to try to understand exactly what a person should have in certain systems at certain times, depending on geography or whatever it might be. It also gave rise to access certifications, right? So every quarter or every year, taking a look at who has access to what, making sure that you can prove that people only have access to what they need to have access to. So, back to your point, right? So the history of identity management over the last three decades started off very operational. It moved us to a compliance standpoint where, again, organizations are focused on what they had to focus on. Right? So they were required to meet their compliance obligations. So we ended up with joiner, mover, leaver operations. When somebody joins your organization, what access do they have? Hopefully folks evolved over time to build out some level of business roles and technical roles to make that process efficient and effective and correct. When they change roles in the organization, they move, you really should deprovision access and add access. We still know that even today that probably doesn't happen, right? Too often still when you change roles, you get more access. And you have the classic access collector: the longer they're in the organization, to your point in your graph, right, you just have more and more access, and then later. So we got better at those functions.
And then I think there's some evolution into starting to get a little bit more into identity as a security control. Obviously, they're all security controls, but the shift happened, I think, to where we wanted to make sure that we were doing a little bit more checking, at least at the front door. So to your point, the authentication step, right? We sort of focused on that for a few years. Let's get MFA in place. Let's really make sure that we know who they are. Maybe even moving back to the joiner, right? There's a time in the industry where we spent on identity proofing. Right? Let me hire this person. Let's really make sure we know who they are, and those steps. We've evolved there. But now we're to a point where we need to focus a lot more on what's happening right now. Right? What's happening in real time? Those sort of four points of checking, right? Joiner, mover, leaver, and login aren't quite cutting it anymore. I think it's a good opportunity for us to refocus, mainly driven by these ongoing and increasing security threats we have. So maybe from operational to compliance to now there is a shift. There's a shift to more on security, as we move to cloud, identity as the security perimeter. Everyone always says that, right? And I think it's coming true. And I see a lot more security teams and identity teams coming together. So I think there's a little stone picking that. You know? I think there's definitely, people operate via incentives, and identity, I guess, part of that was compliance led. You know, people had, as you mentioned, things like SOX and all that. And that's sort of the financial services world. And it was a case of, like, well, identity is doing this plumbing thing. It's connecting systems. And there's the productivity gain. It's a measurable thing to make sure both staff and maybe privileged accounts, you know, are provisioned effectively, rapidly.
You don't want staff sitting around for days on end, waiting to be set up on systems and trying to gain access to things. And, obviously, if you speed those things up, there's a tangible cost or a tangible saving there to say, look, well, I can, you know, give my staff who are getting paid big dollars, if they can be onboarded in a couple of hours versus a few days and weeks, clearly, there's a saving there. And I think, you know, if we talk about JML, it's really well understood. It's well designed, lots of workflows and processes, but as you said, it wasn't really built with security in mind. And that isn't a criticism. That's just, you know, a fact really. You know, it was productivity amplified with maybe some compliance, and productivity wrapped together. But ultimately, it wasn't feeding those security metrics around things like discovery and controls assurance and those sorts of things. And, you know, you talk about data breaches, you can Google it. There's probably been another one today from some unlucky company somewhere. And they often have those core pillars of identity deployed. So maybe two, three, four different MFA systems, probably due to, like, consolidation issues or usability issues or whatever. Yes, they've probably got a good IDP, or multiple, for federation and things, but they still get breached. They still have issues, and maybe it's visibility, maybe it's detection and that sort of thing. And I think as identity does take on, I guess, more responsibility, it does need to be more in tune with what the business is trying to achieve. And I think if you start looking at things like, you know, hyper competitive markets and challenger markets and these sorts of things, you don't want identity and security to be the thing which holds those products and services back.
And I think there's maybe a little bit of a risk at the minute around the rise of agentic AI and this sort of stuff, where the innovation of the business is very rapid. And what you don't want is your identity and security layers to be either seen as being slow and too controlling and holding things back, or they just get circumvented. I think there's a little bit of a risk there if you aren't evolving your identity stack and making it more dynamic, more security focused. There is a risk, isn't there, that both the degradation continues and also the gap possibly between data and runtime gets further apart. And there's some good things there, but I think equally we do need to acknowledge we do need to do things a little bit differently. That's why I introduced this idea. You know, we've got these pillars of identity capability often tied to static business process, often tied to these sort of unmovable feats, if you like, of joiner, mover, leaver, change, and all that. And I think it's: how can we make this smarter? And, well, it's definitely an evolution, isn't it? It's not a revolution. I don't wanna say we have to throw everything into the bin, but I think we do need to start considering how we can make our identity world smarter. I think it's very clear that there are some key pillars you need within your identity world: IDP, federation, strong MFA, passwordless, centralized policy management for authorization, looking at things like posture and hygiene, continual compliance. These are all brilliant, and they are needed and they need to be deployed effectively. But I think there's also this layer of, and I think this is where we can start to talk about augmentation, integration with some of those existing data sources. I mean, this is where it's the classic thing, isn't it, to me, of one plus one equals five.
We have existing really good sources of information in the enterprise: ticketing systems, configuration management, all of our identity stack. And it's being able to leverage that, adding it into the identity world. I wanna pull you in here again. To me, we have this information, don't we, in the enterprise. Is it just a case of plugging in and bubbling this stuff to the surface? Yes. Simple as that. Sounds so simple. Right? Just plug it in. No. I think it's a good point. Right? Identity teams and security teams both are under extreme pressure from the business. They always wanna move faster, and we want to make sure it's secure. Right? And there's this natural tension that happens in every organization where, you know, identity or security practices need to be strong, need to be well implemented, but can't slow the business down. Right? That has material impact on the company. And so there's always this balance we've had forever in the industry. On the, you know, moving from static to smarter, I agree. We're getting to a place where we need to start looking at implementing identity the way that we do in real life, right? Which is we have these interactions with people or we have these interactions with, you know, businesses where we're following some natural zero trust policies, if that makes sense. So zero trust, right? The whole point of zero trust is that we trust no one, and then we check and we verify that they are who they say they are and they have access to things. You know, originally, it was the network layer. Don't trust anyone there.
But we're moving to a more zero trust and zero standing privilege model on the identity side where, at the end of the day, the goal is to be much more frequent with validating who the person is, why they're here, what they're trying to do, and have that be a continual process as opposed to this whole joiner, mover, leaver where you get access to the thing forever. Right? That's a mover or leaver potentially, but it's very point in time. So now we want to have these interactions that are much more contextual. And to your point, the data is in the organization somewhere, right? So a human example, right? If I went to my company's data center on a Sunday and knocked on the door and said, Hey, can I get into the data center? I've got computers in there. They would do a lot of things. They would authenticate me. They would check to make sure I am who I say that I am. They would probably do a validation. They'd probably call somebody to say, Hey, is this guy supposed to be here? If they have work logs or a system in place, they would check the context right then. Is this person supposed to be here right now? You know, is there any access that they're supposed to have? Can they get access to Rack 1, but not Rack 2? So these daily interactions that we have with individuals are very contextual, right, even in your personal life. Somebody comes to the door to fix your air conditioner and they knock and you sort of authenticate that: Oh, yep, I knew they were supposed to be here today. There's some context. They're wearing the uniform. There's some authentication. They walk over and start working on my hot water heater. Wait a minute. That's an air conditioning person. Why are they touching my hot water heater? So we have these contextual decisions around trust all the time.
And so, you know, we have the opportunity now to bring some of that into our corporate and enterprise identity practices. Right? And the way that I often talk about it is that we need to start injecting these contextual decisions, policies, at the control points that we have available to us. Right? When somebody logs into a system or logs into SSO, right after they log in, we know they'll take an action. I'm trying to go to AWS or I'm trying to, you know, do my thing in Asana and go to Salesforce, whatever it might be. There's an opportunity there. There's a control point where you can make some policy decisions, right? Integrate with a service that can do those contextual policy decisions. You know, same thing in other areas. If I'm a non human identity and I'm trying to access an API, if I'm going through an API gateway, there's an authorization, that's a control point where I can try to make these smart decisions about whether this nonhuman identity is supposed to access this system at this time based off of context. Then look at things like, to your point, for humans, you know, PagerDuty schedules or security signals from your XDR system. We wanna really understand who this person is, why they're here right now, and what they're trying to do right now, and use that information that is available in the organization. The data is there, right? We just need to get it into the policies and enforce them at the right points. And so, you know, at the end of the day, I think we're moving to a place where much more frequent checks in the interactions that we have between humans and systems and systems and systems, that's where we need to go. It's really subtle things there. You know, I wanna pick up on that. It's not frequency and the sort of definition of context. We've all sort of dived in with that. There was a quick question come through the channel there.
And asking about, when we talk about control points and decision making, we get quite focused around coarse grained and fine grained authorization and then the level of how fine grained we can go. And the question is really focused about, you know, how fine grained can we go based on this sort of static set of person and org data. My view would be probably not very fine grained. It sounds quite big, quite chunky. What's your view there? I agree. I think that when we're talking about making this shift to more frequent decisions about access, we are moving from static to sort of a more coarse grained. Right? So if you're bringing in that business context and the security context, you know, we don't need to verify those things every time someone clicks a button or every time somebody accesses a particular file. Right? It's coarse grained in that we wanna make sure that this person should be here at this moment and has certain rights on this system at this time. And then if those conditions change, we wanna take that away. But I think you're right. I think fine grained controls for the near term will still be isolated into the applications themselves, right? Okay. So if you look at, like, Google Drive, right, like under the covers of Zanzibar that does fine grained authorization, it's about sharing of particular objects, it's about data structures and who can access these tiny little pieces of information inside the application. I think fine grained is gonna live in those applications for a while. We're just trying to get from, you know, static joiner, mover, leaver. And, you know, on this side, we have these sort of in-app super fine grained things. And so we're trying to bridge the gap between those to get closer to understanding, you know, who needs access at this time to what things for what reasons. I think coarse grained is also the target at the moment. Yeah. Yeah. No.
Fascinating stuff there. And I think that frequency of checking is interesting as well. That is, I guess, the doctrine of zero trust around trying to collapse the gaps around where you do your control points in your decision making. And it's, you know, instead of having a big, huge barrier during authentication or maybe during onboarding, and then not doing any checks for two, three hours, two, three days, or whatever it could be afterwards, as you said, interjecting the control points more frequently. And I think as well, that context is really important. I think you gave some really great examples there. I think you're sort of trying to win this asymmetric information battle, aren't we, around: should we give access? Should we not? Should we allow access? Should we not? And I think for those sort of fine grained micro interruptions, you need more information. To do that, you need to be more informed as a decision making engine. I think in my head, you split that into this attribution side and say, right, okay, I know it's Simon. We did onboarding. We did IDV. We did whatever. Liveness checks, great. Then you wanna tie that into authentication to make sure I haven't been impersonated. But equally, even if the attribution is correct, should I have access to do that thing? You know, as you said, out of context on a Sunday going to the data center, I may well be the correct person, but I shouldn't necessarily have the permissions or the ability to do so, unless, of course, context indicates it's an emergency and there's a ticket open. There's a P1 priority, I don't know, your CDN has gone down or whatever, and I have to be in the data center. So you need more information. We need more data to make more informed decisions.
I think you look here around this: ITSM tools, but also the same configuration management, integrating both broader and deeper into that cyber world around threat intelligence, understanding things like the devices, you know, our mobile devices which we use to log in and characteristics of that mobile device operating system. Is it rooted? Does it have any malicious apps on there? Which maybe not in its entirety will stop my access, but contributes to that context, isn't it? I think it's all of those to me, those pink boxes, all just contributing to our signals, no pun intended, around our signals intelligence, around how our platforms can make more informed decisions. And I guess I wanna roll on to the next aspect really, which is what does that give us? And there's a couple of things I wanna pull out here. I think we are, I guess, both as an industry and in our own knowledge, around the assurance levels associated with identity onboarding and also the authentication aspect. And we talk about the NIST guidelines there, which do a super job of articulating how to onboard somebody and the information you need and in person checks and that sort of stuff. And then we talk about authentication, the different types of authentication factors. We may leverage inherence and possession factors and this, this, this, which is great. But equally, I think we also need to extend those concepts to the assurance of all parts of this identity life cycle or identity journey. And, you know, okay, I've authenticated, but is the session being protected? Does the session have, again, enough context around it? You know, I may have an access token or cookie with certain permissions in there, but should I be using those permissions right now on my system under the particular context?
And again, going right the way down through to the particular data I want to access or the transaction I want to complete. Conceptually, to me, it's extending this assurance concept to all parts of this identity life cycle. Is it too big a goal, do you think? Or are these sorts of things, you know, getting to just in time and zero standing, are these within our grasp now, do you think, if we add in this additional context? I think so. And I think we have a real opportunity to start small and start slowly. You know, most of what we've been talking about so far has been all preventative control. Right? Like, we need to be better about making sure people are authorized to take the actions at the point of login, right, after login. After we've done all the authentication, now we're deciding on this service, what should this person be able to do permanently? But there are, you know, I think maybe we'll talk about this in a minute, but the other piece of that is the reactive controls, right, which is what I'd call actually active and then reactive. So, you know, the context that we're talking about, the policies that we're deciding upon as to whether this person should have access to do this thing on the system right now, we definitely wanna control that at the front door. But we also have opportunities to do some of that, even coarse grained, inside the application as well, right? So, are they taking a privileged action, right? That's an opportunity that we've implemented. You know, in the industry, we say, oh, we step up authentication. We need to say, oh, they're doing the privileged action. Let's make sure they really are who they say they are, and that's the person sitting at the desk right now, and no one's sat at their desk, right? So that's a control we put in place.
That's an awesome opportunity for us to go double check other contextual information, right? Is their device being compromised? You know, are they still on duty? Do they still have an open incident? So there's active. And the last one is sort of the reactive. You know, continuous identity, in the way I define it, is giving someone access when there's active business need, not before and not after. Right? So anytime that those contextual conditions change: you're gonna have users with active sessions. You've authenticated them. You've authorized them with some of these great contextual controls to get a session. But what happens when conditions change? Right? What happens when that ticket closes or your XDR system says that your device is out of compliance, right? How do we go and orchestrate removing those sessions? So all important pieces that are inside of what I would call continuous identity holistically. And I think there are small steps that we can take. For example, if you simply want to start looking at device compliance across these different places, that's a great first step, right? You have an XDR system that's in place, whether that's Intune or CrowdStrike or Jamf or whatever it might be. You know, you could start pulling that information in and correlating it with identities across your IAM systems, and then, you know, implementing those checks at those control points. After somebody logs in, with single sign on, they're transitioning themselves, they've navigated to AWS or some other cloud infrastructure. At that point, let's check. Let's double check with my XDR system. Are there any open risks right now? So there's some very small steps that you can take to add in a little bit of context, increase your security very, very quickly. The other thing that I would suggest folks do is, you know, put your toe in the water and try to implement some of these in a simulated fashion. I always tell the story.
I don't know if it's real or not actually, but I live in Texas, and at Texas A&M University there was a story that says, hey, when they build new buildings, they don't actually put sidewalks in. They watch and figure out where the paths get drawn by people walking around. And then they put sidewalks there, right? And so I think we have an opportunity to do that here as well. You know, work with a vendor who can help you implement some of these policies at these control points and just put it in simulation mode, right? Just watch, watch the logs. This person is trying to access this system at this time. We did a policy check and you can just log it: we would let this person through, or we would not have let this person through, for these reasons. You know, so there's an opportunity to take a few steps in the right direction, putting in place some initial policies, and then watch and learn and see how it's gonna impact your organization. I think there's a lot of concern and fear as we move. Anytime you add security, security teams are always worried that it impacts the business. So there are more opportunities to instill that confidence, to try to really understand what's gonna happen when we turn this new level of security live, what impact it's gonna have on individual users. You know, if we do inadvertently block somebody because of policy, what's the remediation path for that? So, you know, take a few steps, pick a simple policy, pick one, try to implement it, and then watch, see what's going on in the environment, tune it, and then take that first step, turn it on, increase your security. That seems great advice. I was just gonna dive into one of the questions. You sort of answered that question already actually, around, you know, how does this sort of contextual decision making shape the organization from an identity point of view?
I think it's great that, you know, when you're looking at transformational change, which I think this really is, you do wanna start small. And that sidewalk analogy is fabulous. I'm not quite sure how popular that perhaps was, but I think getting to that end goal, it's pragmatic, isn't it? We've all seen these situations where you have the paths and the sidewalks and they get circumvented and the shortcut gets created anyway, or, you know, the gate gets traversed and stuff. So I think observation, a sort of read only mode in the sense of analyzing and understanding, is really, really good. But I think the other one is that fear of getting it wrong, which I think identity unfortunately has had a bit of a bad reputation for in the past. And by that, I mean, you know, things like role mining and role analysis, and you end up with this role explosion phenomenon or AD group explosion, because you start creating more and more permissions because you're not quite sure what these existing groups are doing. There are no descriptions, there are no owners, and you're sort of scared to take them away. I don't quite get this. There's one person in this role. And if I take it away, perhaps they can't do their job, or maybe they're really important and it's not worth the hassle. So you end up with this proliferation of things. And I think there's definitely a fear of removing access, removing accounts, rotating credentials, changing things, changing permissions and access tokens, because of the impact it may have on production systems. I think read only observing is really great, I think as well. If you make a change or a simulation, just be able to roll something back as well, I think. One quick question while we're here. I think it's probably the previous slide actually, but: I don't see an authority source like an HR system in there. Is this also part of the design? I think it is.
I think from my point of view, I'm a little bit open on that. Mat, to me, it is part of the design. I think it's often assumed it's there. I think possibly the authoritative source does alter. I think in organizations, sometimes it filters down and the IGA system sometimes ends up being the authority source, which, as I said, has pros and cons to it. But I guess, Mat, what's your view here? Has the HR system still got a huge role to play? Absolutely. Right? I think especially historically here, and plenty of this is still current with IGA solutions. Absolutely right. Because the HR system is the authoritative source, often, for identities. Now what you'll see in most organizations is they'll have two, three, four, five authoritative HR systems. Right? Because you've got contractor databases, you've acquired three companies over the last five years. Like, you end up having a lot of these authoritative sources that are HR. But it is really important, right, because identity, especially sort of the coarse grained role based side of the world, is tied to title. Right? It's tied to your location potentially. Right? I mean, when we were doing role mining years ago, right, that was a huge piece of the puzzle. What's this person's title? What department are they in? What location, what country are they in? Right? Those would all go into deciding what business and technical roles they would have as their birthright access, or even full access, in their sort of joiner process. And so I think those are still really, really important. I think there's also a role to play in continuous identity and contextual authorization.
I have had a demo where, when somebody is trying to access a certain system, you can do a live contextual check to make sure that in the HR system they are a US citizen located within the US, right, or whatever other data might be in there that is interesting for making these contextual decisions. So I do think HR systems play a big role, both in, you know, sort of birthright and IGA flows, as well as contextual real time decisions. Yeah. Yeah. No. I agree. I agree. I don't see that being too disconnected today and in the future as well. So let's change gears a little bit, and sort of take this boat home a little bit around how we can get there. I think we know identity needs to change. I think architectural patterns need to change. Yes, we have some good building blocks, whatever else, IGA or onboarding systems and those existing workflows, absolutely super. But I think we do need to do something different. We do need to make it more in tune with both the risk appetite and obviously the business requirements as well. And there are a couple of things I wanna pull out here. One is, you know, we've talked a lot about sort of context, and that context can come from various different sources. And what does that allow us to do? And there's definitely one thing which is certainly emerging in both B2E and B2C identity, actually. And that's around risk not standing still. It's a very dynamic, fluctuating thing. I don't just necessarily mean, you know, an immediate cyber threat has just emerged or a particular sort of MITRE ATT&CK technique has become more prolific or whatever it is. But the risk appetite of the business changes as well, be that maybe they're going into a merger and acquisition. Maybe they want to launch a new product to market. Maybe their competitor has just launched a new product to market. And that then influences, as you said earlier, the speed of the business.
You know, business needs to do things, and the risk and security aspects can't slow that down. But I think that contextual aspect gives us the ability to do more from a response point of view. And it isn't just allow or deny, black and white, block or, you know, let somebody in. We can do more things. And that improves usability. It improves the ability for someone to complete a task even if their risk may be elevating. But we also have some new building blocks, don't we? Things like Shared Signals, Continuous Access Evaluation Profile. We have some new building blocks here which we can leverage and use. And I think that, to me, does allow us to get to this more fine grained ability to respond, not just, you know, if something really bad happens, but actually maybe if there's just a combination of signals or a combination of contextual events, and we can start to do things like reduce session lifetime perhaps, or, you know, take someone's access that should be read and write to being read only, because maybe they're on, you know, public Wi-Fi in a coffee shop or something. So to me, it is about sharing risk, isn't it? Is that the basic building block? But is that what the likes of CAEP and SSF are really trying to achieve? Yeah. Absolutely. I think we're seeing much stronger convergence of security teams and identity teams, security products and identity products. I think that's where we're, as an industry, being pulled. Right? The threat landscape continues to go up. You know, with AI being able to move at machine speed, we all probably saw the Anthropic driven breach attack this past week. There's a demand on organizations to make sure that their security keeps pace with the threats that are out there. So many organizations have increased their budgets for security.
But as you continue to improve your security, identifying threat signals or threat patterns that might be there, you know, you're looking at IP ranges and rate of requests. You know, we're working on all these controls on the security side to try to identify risks based off of behavior. There's a lot of investment in that area. But when you do see a problem, what do you do? Right? We need to get to a place where the signals or the events that happened that might indicate, or do indicate, some security threat, we can share with the organization. Right? You wanna be able to very, very quickly respond and react to those security signals. And that's where SSF, Shared Signals Framework, and CAEP, Continuous Access Evaluation Protocol, come into play. And so, for example, as we talked about before, right, a lot of times we have preventative controls. Right? We wanna make sure that when somebody does get access, they get a session into an environment, and it's limited to what they need to do. But that session stays alive as long as they keep doing something in the application oftentimes, right, or as long as they keep refreshing that session. You know, as an industry, we've moved to sort of short lived tokens and short lived sessions a little bit, but that has an impact on the business. So what we need to be able to do is, when we give somebody a session, great. We give them a session, let them do what they're supposed to do. But we also need to be really responsive and really reactive to these signals that are coming in that change the conditions that gave them access in the first place. Right? If somebody's device gets compromised, if we believe that this session is tied to an AI attack because the rate of requests across systems is non human speed, right? It's machine speed. We figured that out, right? We need to be able to share that signal down and allow the identity stack to then react to that. Right?
Kill the session in the application that's being attacked. Kill the session at the IdP and let it perform single logout if that's in place. Right? We can send a request over to the IGA system: this account is being attacked, or it's been hijacked, we believe it's been hijacked. Remove all the privileged access and move them into a security hold group, for example, you know? And once we do those events, then let the security team know. Right? In one of the talks I did recently, I sort of said, wouldn't it be great, identity team, if when a security event happens, right, the security team figures it out, they figure out there's a breach that's occurring or an incident that's occurring. They oftentimes Slack you or walk down the hall and say, hey, we have a breach. We think it's this person. What are they doing right now? What are they logged into? So it's this very manual process of reaction from a security threat to closing off the identity threat. And so, you know, if we get better about this, if we build these integrations based off of these open standards, now your identity storage systems and services and the whole stack can react to these security threats and signals as they occur. So when a device gets compromised, a signal comes over to your identity stack, we can kill the session, we remove their access. And then when the security team Slacks you, walks down the hall, you can be like, yeah, I took care of it. Right? The same system that you're using to detect it told me that it happened, and our systems carried out that remediation immediately. So I think that's gonna be, you know, really important and necessary again as we move to a place where threats get faster and faster and faster. We have to move at machine speed because the threats are moving at machine speed. Yeah. I see Scott. I think you can't respond, can you, unless you are listening.
So you need to be able to listen to what's happening, you know, be able to integrate and pull in the information you need. And then you have that arsenal of responses, whether it is something more sort of permanent and draconian, around single logout and then maybe even disabling the accounts if you have enough information there, or it could be something more subtle and more in control until something's really affirmative. But I think I'm gonna skip on a little bit here to the, you know, you need a framework. You need to integrate with a multitude of different sources, really, because that's where your sort of whole aspect is going. And I guess from a policy perspective, there are a couple of things there around, you know, you wanna be able to use and leverage that information for access decision making as well as the, sort of, more dynamic responses. But I think to me, you need to be listening in the sense of you need to be integrating and broadening your sort of lens of what you are attempting to analyze. I think that's where, you know, we are suddenly talking about, yeah, IdPs, but also, you know, logging systems, device management systems, MDM systems, you know, all of that. All the fabric of managing devices and the underlying infrastructure within the enterprise. So all of that stuff has to be a contributing factor in my opinion. Is that where the sort of whole aspect is looking to get to? Yeah. Agreed. I think, to respond to today's threats and to move towards a more real time continuous identity posture, we need information from these other places. Right? I think identity systems have been fairly siloed for a long time. To the person's question earlier, right, we pull in information from the HR system, you know, to grant access usually based off of roles, but that doesn't really help us in this real time environment that we're in.
But to make those decisions, we need to have all the policy relevant data available to make those decisions super quickly. So if our policy is, as you see on the screen here, right, account executives can call a certain MCP tool in an AI to get access to production Salesforce customer records only if they're on a compliant device. Interesting. Right? So you've sort of limited who could do what under what conditions. Right? And so to do that, we do have to centralize some information. Anything that's policy relevant, we need to have readily available to make these policy decisions very, very quickly. Because one thing we don't wanna do is pull together, you know, an architecture where you're point to point. Right? And, you know, for a policy decision like this, we can't make a real time call out to Workday and to Salesforce and to CrowdStrike, like, in real time. It's gonna slow the business down. So we are moving to a place where we need to build relationships between identities and assets and objects and policies, and do so in a performant way. So, again, back to starting simple. Figure out what those first five policies that you wanna enforce are, then go identify sources of data for things in that policy, right, the assets, the conditions, the identities, and start pulling those together, because that's where we're headed. I think that, to properly enforce the controls that we need now and in the future, you have to bring in that context, both the business context as well as the security context and security signals. You know, and lastly, again, the same conditions that give you access are the same conditions that should remove your access if they change. Yeah. So, compliant device. Block anyone who's not on a compliant device. If they are on a compliant device, let them in. Give them a session.
As soon as CrowdStrike, in this case, says their device is noncompliant, it sends a CAEP signal to the consumers who want to know about that information, and then they can take actions, remove those sessions, right. I think it's fabulous. I think, to me as well, it is moving away from that point to point sort of fragility, isn't it? And it is a framework in the sense of it is an ecosystem of, I guess, providers of information and also consumers of information, a sort of traditional pub sub model. And it is moving towards a mesh and not just these very linear point to point system specific things. It's actually, so look, we have this ability now to link together disparate systems that perhaps have different incentives, different objectives, infrastructure, CMDB, ticketing, or whatever it can be. But actually pulling that together in much more of a superhighway of risk sharing. And back to what I was saying earlier, it seems to me that, you know, maybe the small piece of information about the device maybe isn't enough to block them or stop them or trigger MFA, but the stuff with the device and maybe, whatever we said there, you know, the Salesforce thing, because it's a high risk event, and the MCP, because it was, I don't know, maybe it's a prototype thing. So once you combine that sort of stuff together, it does elevate the security angle there. And, Mat, fabulous chatting here. It's whizzed by. We've gone through, whatever, the fifty minutes of stuff. We've had a few questions come through. Now is the time, I guess, to bring up one or two more, if you have them. A question I will just bring in now while we're waiting for one or two more questions, if they do want to come through. We haven't mentioned AI that much. Maybe a little bit, but, obviously, it's the buzz. It's the forcing function in the headlines continually. Does AI help or hinder this sort of framework?
To me, you know, we need to have more control. We need to have this dynamism, risk sharing, responsiveness. And to me, whether we're talking about people, which we sort of have been, or non human and even agentic AI, or what may come in the next, whatever, five, eight years, it seems that this is quite a flexible framework. It doesn't seem too specific to people. But is AI gonna sort of help and hinder this sort of model, do you think? Definitely both. Right? I think, well, AI would definitely help the model. I think, you know, AI being used as a threat actor is also driving the need for this as well. So you have AI on both sides. Right? AI will absolutely help with security products that are out there in the world to be better at behavioral analysis and figuring out what is right and what is wrong behavior for different types of information. So I think you're gonna see a lot more AI across the entire range of security products that are out there. So that'll help us understand better what the signals are when a risk occurs, right? So I think that's gonna be a big factor in security products. Within the attack landscape, right? Like we saw this week, somebody used Anthropic to attack, whatever it was, 20 or 30 businesses. And so we're gonna see much stronger attacks at machine speed where we can't react fast enough. So I think there's a big threat there. And then we also have this push, or this need, to also govern and manage AI within the business, within the organization. Right? And so we've done quite a bit of work with the MCP standard to understand how we can properly control access to certain AI functions, with the etiquette implemented within the organization. Identity plays a huge factor in that. Right? I think right now, mostly the identity is like, I have an AI client and I wanna access a back end system through an MCP server.
And I authenticate as me on the client side, and it bounces through the MCP server into the back end. So I'm really doing all the operations as me. But we see this drive from the business to say, well, I don't want every single person to have to log in to everything on the back end. So maybe I'll just give the MCP server privileged access so it can answer all questions. That's super dangerous. So I think we also need to really, really think through the implications of that. Use those MCP servers as a control point. Right? I think you've seen out there that almost all the API gateways of the world now support MCP. So if somebody is trying to access an MCP server, well, we should be able to put an authorization check in there just like we do today for API calls. When the MCP server calls the back end API, we can also put a check in there. And so I think AI has implications across the board, both on threat and prevention, and in line. I also think it's a really important piece of context. It's something that we haven't, you know, this notion of continuous identity and real time contextual decisions is still fairly new in and of itself. But I think as we move forward, the fact that AI is working on my behalf, right, essentially on behalf of, that's important context that could go into policy. The fact that an account is an NHI, right, it's a nonhuman ID, that's another piece of context where we may wanna create and enforce different policies based off of those different actor types. So I think we'll see that being brought in as well. You know, a human could do something, but an AI agent on behalf of that human might not. You might not want them to do that thing with their strong people. So, yeah, AI is going to impact us across the board. Yeah. No. 100% agree. And maybe it's gonna be the, I'll use the forcing factor, to accelerate this identity and security integration and move it from, yeah.
We need to do something, but actually, we have to do something now, because the identity and security landscape is possibly holding things back if you're not thinking more dynamically and being able to take actions. You know what? We are gonna take a risk with deploying AI agents or MCP, but actually, we are safe in the knowledge that if things do go wrong, we have this framework. We have the sort of belt and braces to be able to respond to things, to be able to observe things, and actually be able to stop bad stuff happening, instead of organizations being very risk averse and thinking, actually, you know, we're gonna be slow to adopt new technology because we don't have the sort of controls in place. Mat, it's been a fabulous chat. I think a couple of calls, actually. Obviously, I think you guys have quite a lot of stuff on CAEP throughout the playground. I've had a good look at that. It's pretty powerful stuff. So you can sort of understand more about how you can integrate some of these technologies and how to build out your own landscape of risk sharing. But thank you for sharing your wisdom, sharing the stories and the journeys that, I guess, SGNL are now empowering for many modern enterprises. Thank you, I guess, to the audience as well. Thank you for interacting with your questions. Hopefully, we got most of those answered. I guess, Mat, any sort of final quick comments now before we wrap things up? No. Just thank you for having me on. It's been a great discussion. Hopefully, it's been valuable to folks out there. If you wanna get in contact with me, as soon as I hang up here, I'm getting on a plane to go to Identiverse DC. So if you happen to also be at Identiverse DC and you wanna chat, hit me up on LinkedIn. I'm happy to chat about it. But, otherwise, thanks for having me. It's good to talk to you again. Perfect. Excellent. Well, thank you, Mat. Thank you for an enlightening discussion.
This is an area which is gonna continue to grow and, I think, continue to add value to many organizations large and small. I think AI could be the thing which forces organizations to think entirely differently about identity and identity security. Thank you for taking some time out. Thank you to everyone for watching, and we'll see you next time. Thank you.