Interview with Robert Byrne

Let's bridge the gap between that great presentation and what the audience would love to know. So I'm gonna ask you Robert, a few questions from the audience first. So the first one, do you see a trend of identity government's for machines and IOT devices as a use case in reality, or is this just an aspirational use case?
I think, I think it is aspirational. What, what I'm seeing right now is a lot of organizations are discovering it's a so-called undiscovered need. They're actually starting to own up. And to realize that these machine identities are a thing, lots of things, some of them, thousands of things that they need to get a handle on. I believe that the, the accounts, the privilege accounts and machine accounts within the organization absolutely should be taken on board and managed by the governance platform. IOT is a, is a different question, right? Like the smart city, we got sensors and meters distributed with millions of these things. I'm not convinced that an IGA platform is the right way to secure. You can certainly secure access to the administrative interfaces for those systems, for sure. But the devices themselves, that's a very, you know, what access they've got, what they can do. I, I believe that that's a very specific problem just due to the scale.
Yeah. A good point there. And then another question from the audience, do you see that offering too much flexibility, being an issue at times, perhaps allowing companies to create too much complexity?
Yeah, that's definitely true. If, if you can get, so this decision paralysis, or you can be overly ambitious, tragically, tragically, some projects run a ground, not because they're too timid, but because they're, they're overly ambitious. And to me, there's an important point in all this. I am a technologist, but as I said, I, I stress the business importance, but the importance of the project management and the program management and the leadership around that, that's where we have to look to make sure that our decision tree is appropriately pruned. Right. We can do anything right with this technology, but what is it that we should be doing? And that's the, really the, the important question.
Great. And then let's shift gears a little bit and, and think about the architectures behind IGA services. So if we, if we consider perhaps multi-tenant or single tenant, how important, how essential are these architectural models really?
Mm yes. Well that, that, yeah, so I, so my take on this is they're not important at all. If the service provides the capabilities I need. Okay. So why should I care what service now are doing with the, my SQL database that they've got? Why should I care if they're using application level, you know, virtualization, why should I care about that? There's no real reason to, I think, worry about that. And there, actually, if you want to get into it, you can say that there are clearly advantages to having this single tenant model, right. In terms of isolation, you know, the data is Coke and Pepsi really are separate. There's no significant risk there availability. Those solutions can to some extent evolve at their own rate, right. In terms of upgrades and patches. So there's an isolation property to having the single tenant that is very attractive, particularly for, you know, it might not matter for some project management, you know, I don't know tools or something like this, but for security related privilege, identity governance, I think, I think there's a case to be made there, but, but I think that's a detail. I think as long as the service is, is providing the capabilities that I need. I don't think it really matters from the customer's point of view.
Interesting there. Yeah. And then let's take a, take a look at scaling operations here. And so how is one idea or one idea, one identity, excuse, scaling operations here for the on-demand IGA services.
Yeah. We've got lots of ideas. I, you know,
Good. Not just one idea, right. There
You go. Yeah. So see, this is related to the previous question and it, it touches on how can a vendor, if they're not using a multi-tenant approach, how can they possibly scale this realistically? Well, the answer is staring you in the face, right? If you actually are following what's happening in the cloud, and it's called application level virtualization, right? It's called modern tooling for orchestration, you know, Kubernetes, Docker, kudo, right. Which builds on top of Kubernetes for orchestration. We're not in a world anymore where you have to stand up a VM and copy it around. Right. You've got very, very agile application level virtualization, which allows you to stand up single tenant instances very, very rapidly and very efficiently. And that is a distinct difference to where the world was five years ago, when object, I would say objections to the single tenant model made sense because we didn't have the tooling at that time to, to scale operations in the way that you're suggesting. Right. And that that's changed. And, and it touches on economy of scale. How can we, how can a vendor pass on economies of scale? If, if, if, if it's too costly to run, well, it's not costly to run because, you know, we have all this modern tooling. So that's a really important development. I think some people have not really taken on board. So,
And so then you're saying that you should really consider all the options available for a very scalable deployment.
Yeah, exactly. I mean, I, I don't, I don't really think that that's, what is the architecture behind it is your decision point. Okay. But we can talk about it if you want sort of thing. That's, that's the way I would look at it.
Very clear. And then let's take a look at these authoritative sources out there, entitlement repository targets. We're still dealing with so many different sources is standardization, is consolidation helping here to manage this?
Hmm. Yeah, yeah, yeah. That's, that's it. So it's extraordinary, you know, if you talk to an organization in the early stages of, of IGA and they're looking out at their landscape, and they're just, as you say, seeing this, this wide variety of, of, of sources, of, of access and, and, and so on, it's quite bewildering. I mean, they're perplexed as to where they should start and so on and, and certainly consolidation into the IDPs, if all your applications or most of your applications are being authenticated federated through one or two it's rarely one, right. One or two IDPs. And that's, as I said, a, I think in the presentation, a great source for the IGA platform, standardization promises a lot. We obviously we would all immediately think about skim. Some of these protocols, what we're seeing is they still remain quite immature. I mean, I'm very hopeful. I, I love it to become standard. I mean, it only helps us all move forward. I think it's still a little bit immature in terms of where they are, but we're definitely, that's something we're working with several organizations to advance that we see some of the larger lumbering giants, I would say in terms of service providers, cloud providers being rather slow to, to evolve their environments in that way touches on, on maturity of APIs in SaaS applications. Right. So another topic, but so there's progress, but, but it's not a done deal.
Yeah. And maybe there's something you wanna share about the maturity of APIs and, and that's that role here as well?
Well, what, one of the things that we, we are seeing, I mean, so the SAS vendors, the security models in these applications are often relatively straightforward, which is great news. Right. I have an account, I have a few roles, you know, there's the very simplistic approach, but unfortunately the APIs that they're providing for identity management, maybe not so mature. So things like that, they've not thought about Delta synchronization, you know, like, so, so, so, so just gimme the changes to the environment. So you gotta be on your guard for things like that. And, and it's actually one of the values that a vendor can bring, right. Is to isolate you from these rather immature APIs, cuz we can, we can work around some of these. Sometimes we can work around these and that's a value we can bring. And certainly as they evolve, some of them are better than others in terms of backward compatibility. But again, as a vendor, we can shield our organizations from those changes that may or may not be very well announced. So I think that's an advantage to having a platform between you and that raw API that you need to consume. They're evolving very rapidly as you're, for example, as we know, we all know is, is, which is great, right? Going Microsoft, doing some great work there, exposing great services, but you know, evolving, evolving, quite rapidly.
Good to know, and, and interesting things to look out for. Then let's take a look at this possible convergence between IM and IGA out there. And so sometimes you're seeing the merging of CAPA capabilities between these two different fields into platforms. So what's, what's really happening. And, and what do you see from your perspective?
Y yes, that's that's right. So I think this, this comes back to the difference between IAM or the relationship between IAM and I am and IGA, right? So IAM is I suppose, the larger subset, but it includes very much, the key point is I think authentication Federation, the enforcement point for multifactor, right? So what I call the, the IDP, right? Which for which is I mentioned earlier is a great source of application access. And by the way, not just application access, but ongoing activity, right. Is this account, is this actually being used by this person? Cause they never log into it. So it's a great source of, of information and a rich source. The thing is, I think some organizations, depending on the level that the person's working at continue to confuse authentication with governance. So I find even today, a lot of the time almost the first thing we have to do is to, is to reestablish what is the difference between these things.
Now some of, I think what you're touching on is that some of the authentication vendors have a minimal set of governance capabilities for their platform, which is great, right? Because you know, you start to get native capabilities around, around governing that platform. And that's brilliant. And absolutely we would absolutely say if you've got native capabilities and you like it do use them. I think the mistake is to assume that you can then go on and use the go the limited governance capabilities of that IDP platform for your enterprise-wide governance needs. That that is a frustrating, I think, mistake and comes back to Martin's point, right? Which is, there's no one technology that will get you to zero trust. So there's no one IDP, however important it is to you, Microsoft Azure, you you're gonna need other and Microsoft themselves say, you know, you're gonna need other capabilities built on top of our security offering to, to really achieve an enterprise-wide, you know, governance stance. Definitely start there definitely exploit those security capabilities that those cloud operating environments are providing no question, but don't, don't fall into the illusion that you can govern all of your applications, you know, your hybrid multi-cloud from that one it's not gonna happen.
Yeah. So solid advice there. Yeah. Then perhaps it's happened to your, your practical view in, in running a IGA programs. What's the role of good project management here?
Yes. I, it is a topic for, I think I may have hinted earlier. I, I do the value of a good, so IGA is a program. I mean, Martin, I mean, if I said IGA is a project, he, he would probably push you out the way there and start complaining. Right. It's clearly a program, but it maybe think of it as a set of overlapping ongoing project, the role of the project manager in each of those individual areas and of the program manager is so, so, so key. And if there's one thing that they should be good at it saying, no, I think, you know, like to avoiding scope creep a little bit, what I was saying earlier about being over ambitious, just a simple example, which is we had an organization that we were working with. Clearly the project had run a ground, which often, you know, happens, right.
It was, there was stalled. The team was not happy with where they were. It was a perception. They were not making progress. A good project manager was sent in there. What's going on? Well, we're trying to do this. They were obsessed with UI. They, they were obsessed with having it look the way it used to be. And she said, look, why you guys buy this thing? Well, we bought it for, you know, JML for reer. Okay. Have you done that? Well, we've done the joiner, but not the ML bit. Right. The mobile. Okay. Well forget about the UI. Let's do, let's fulfill why you bought it. Let's get the project by and then slowly start deliver the JML then you deliver the certifi and then everybody starts. And then of course, as we all know, successful, IGA projects never showed of work. Right. Everything snowballs.
And I, I just think that's a brilliant story about kind of banging a couple of heads together, kind of resetting, you know, back to basics. Why are we all here? And you're on your way. Right. And, and I just think the role of a person like that who can bring that, that skill set, and this is, is, is brilliant. Right? So a project manager is not just the guy who books the meetings, right. If that's, if that's what he's, if that's what he's doing, you probably need somebody else in there. Right. In, in that role, because there's a, he's not, he's not saying what we should do, but he's saying how we're, he's gonna help you determine how you get there. Right. And this is very, very important,
Good to stay focused on the original goal. And however, that may need to adjust as you go along, but stay focused on that. Right. Yeah. So then a next question, as practitioners, we're interested in new IGA capabilities, this is always very exciting deployment optimizations, you know, the, the features here. So how do we communicate this to higher management to decision makers for ultimately making the best choice for their organization?
Yeah, exactly. And, and, and that, that is, that is, that is a diff that that can be a challenge, right. Is, is talking to those, let's say exec level guys and giving them the right language so that they can go to the board and get all the funding that you know, that the organization needs to protect itself. Well, again, and then they cost totally unplanned, but Martin's zero trust presentation, zero trust. Right? And so the point I'm making is zero trust. As a concept, as a thing, being something you can talk about is something that the, I think the exec level guys can hang onto. If I can put it that way, it's something they kind of get. So they can bring that to their leadership and say, we're having this zero trust model. And here's the broad lines of what that means. And we're go, it's gonna make us more secure.
And then the teams like the identity management teams, but the end point teams, you know, the malware teams, the whole set of teams can get behind that, that message, right. And, and becomes a way for everybody to align in the way that that Martin was outlining and, and take that to the leadership. So it, you know, I have colleagues who are very skeptical of, oh, zero trust, it's marketing, it's it's rubbish. It doesn't really mean anything. Actually it does mean something. And more than that, it means something to the exec level guys. It's so super. I actually think we should have more of this kind of thing that we can get behind. The other thing I would mention that I think is really important for communicating to the exec guys that is, again, something that is, is highly transferable, consumable, understandable is KPIs, right? So, you know, key performance or key risk indicators, basically numbers, right?
So things like, and it's amazing how many projects don't do this. You, I mean, I've seen projects running for two years, very successful. And I say, show me a slide with your key KPIs, right? What, what are you gonna talk? They don't have one, right? You should have one all the time. And it's the first thing you put up and, you know, Q out to joy, right. And you know, the uplifting music and number of requests we take on board number of service desks that came through in a self-service way that didn't go to the service desk, percentage of applications that are, you know, automatically controlled provisioned. Deprovision right. And, and of course, here's the thing. Once you've got the numbers, you can show the trend, right? You can show that it's going up more and more automation, right. How many sod violations have we got?
How many policies are there of the access that is available? How much of it is exposed and governed by our platform? These are the key numbers, right? That our leadership can bring to their leadership to get funding for, for the, you know, the next stage of the project, the next stage, that will keep us all safe. So, yeah, it's, it's perhaps an obvious point, but again, as I say, it's, it's really quite, and when somebody does it, it's really, really powerful. It really, you really say, I wanna be that guy, you know, I wanna be the guy showing the KPIs in this project because, you know, it feels like a good place to be. And yeah, so maybe there's other ways to, to do it. But I think those are those getting behind an architecture, a framework, right. That the exec level guys can, can understand and get behind, I think is great. And then having the numbers to back up what, what we're doing, you know, but you can present the numbers in a nice way, right. It doesn't have to be like some giant spreadsheet in a bunch of nice circles with big numbers and you can play the game. Right. You can put up the number. What do you think that number is? Right? Oh, I have to guess. I don't know. You know, so it's a ways to make it that little bit more engaging, you know?
Yeah. Really interesting. Yeah. Could tip there, Robert, let's come full circle here and, and go back to some audience questions that they have for you on this. Thank you for sharing your thoughts here. And, and here's a question from the audience. Would IGA tools make Z S P you know, zero standing privilege, a standard in the future? Is that something which one identity is looking into? Do you think that's a good direction? What's your stance?
Yeah. The, the zero standing privilege, the, the kind of just time sort of approach. So keeping those accounts, deactivated, keeping them stripped of their entitlements. So there are no privileged accounts lying. At least there are no privileged accounts lying around that are currently not being used. Right. Or very few, I think it's brilliant. And it's very much part of the integrated, you know, security platform story that, that, that we story, I mean, reality, right. That we have with our set of products in so far as they present that platform of, you know, integrated solutions. So ensuring that in our, in our, you know, our Pam system that access to those Pam accounts have been vaulted in a nicely safe and sort of secure way that the access to them, the accounts are not lying around and that they get activated in a timely way. I think it's brilliant.
It may, it may. I mean, because the next, the next thing that the person's gonna gonna say was, well, that sounds good, but then there's a time lag, right. Because I have to activate it. Right. So that's true. So does that, then you run into that then relationship with the DevOps guys that that would, would, you know, get, might not appreciate, which then there's this delay, but that's the whole dev SecOps thing, right. It's not devs. Right. And it's not even devs it's dev ops. Right. Because you've got sod considerations there as well. Right. So I think there's some maturity perhaps there building around that. But again, I, I think this is where leadership, right. And, and the, the idea of working within a framework is so important. Like IGA doesn't happen in a void privilege, doesn't happen in a void any point. So the leadership should, should have that, that vision. And if zero trust is the way that helps them to achieve that, then go for it. Right. You know, but yeah, a short answer, I, I love the whole idea of just in time and, and zero standing privilege.
Interesting. Thank you so much for your thoughts here. We have more questions from the audience more than we have time for, unfortunately, but I'd like to remind the audience that Robert will be in the networking lounge. You can bring your questions to him and continue the conversation there. Robert, thank you so much for your time.
Yeah. Pleasure. Thanks. Thanks Aaron.
Thanks. Bye.