Okay. We have a panel with a long name.
Anyway, my colleague YRG is always good in creating long, long names for panels. So trends and innovation panel, what are the most important innovations and who are the innovators? So what we talk about is really looking a little bit into what are the areas where we see the, the biggest innovations to, to emerge, whom we do see as innovators. There's one very clear rule. Don't praise your own employer. Even if you feel that you yourself or your employer's the biggest innovator, that's the rule here. Don't praise them. We have five people here including me. I start with the ladies.
So we have which you all know from the last hour, the one who always raises the questions. She's vice president innovation and emerging technology at ForgeRock. I didn't know that you have such a great title, Jo named it. Then we have Pam Dingle, senior technical architect at Ping Identity. We have Kim Cameron, chief architect of identity at Microsoft. And then we have Jackson Shaw, I think whose formal title is different than the one which is displayed here.
So he sometimes names himself only an identity management expert, but he also has a formal title of Dell Security, which I already have forgotten, but you maybe can remember your own formal title here. So for the next hour,
I'm the ambassador for Dell Latitude. XPS 13.
Okay.
Oh, you mentioned.
So I will mention one of my products.
Exactly. You violated the so, so is it one of the top innovation then
The XPS 13? Yes. It's gotten great reviews.
Okay. So as I've said, the topic is a very broad one, so we can talk about a lot of stuff and maybe we start given the, that case. I started introducing the ladies. So maybe Jackson, because you are on the other end of the row, you start with maybe a little bit of a view on, on one of the most important innovations maybe, or we do a little bit different.
So is the B word, for blockchain, not beer, the most important innovation, Jackson? Blockchain.
Are we supposed to drink something when we mention
No, no, not today. Yes. Yesterday at the Analyst panel. Okay.
Some sort, every time someone mentions this blockchain, he will drink, drink some beer. I'm
I hate, I hate to say this, you know, I'm a I'm well, my title includes product management. So in theory, my job at Dell is to help build products and, and part of helping to build products is building products that customers will buy and building products that customers will buy usually means they have a problem to solve. And there's been a lot of talk about blockchain. And I keep going to my CTO, who should be asking me these questions.
But the question he asks me is when I say, oh, couldn't we do this with blockchain. He looks at me like, you know, when you talk to your dog and your dog goes like this,
He looks at me just like that. And he says, Jackson, what customers are you talking to that are saying, they need to use blockchain for this.
So I'm, I'm, I'm obviously very interested in blockchain because it's a new, it's an, you know, a very new and innovative thing. And people are obviously interested in Bitcoin and I'm asking questions about what we can do internally around blockchain, but in all honesty, you know, being a hundred percent frank with folks, I'm not having customers coming to me saying, I have a particular problem that I know can be solved with blockchain. And would you be willing to help us solve that problem? Now I don't talk to every customer. I haven't talked to everybody in this room.
And if people think that there are innovative things that we should be doing, or I should be doing in blockchain, I'd love to, I'd love to hear about them.
Yeah.
But, but maybe it's the wrong question anyway. So if someone says
Or the wrong answer, is that what you mean?
No,
No, not the wrong answer. Really not. I think maybe it's the wrong question because you know, if you say I have, I want something which is solved in blockchain, the question should be what is the best solution to solve a particular problem? And then if blockchain helps, it's fine. If it doesn't help, who cares? Right.
Well, I know of places where I can force fit blockchain into, for example, with, with, with auditing. Yeah. Right. If you want irrefutable proof, non-repudiation of audit logs, you could do that through the blockchain, yet we have hundreds and hundreds of customers who are banks, probably some here in the room, where we provide forensic audit logs for investigations all the time without using blockchain. Yeah.
You, you might end up with saying at the innovations that you can do it better, cheaper, less, less, or more tamper proof with blockchain, then it might be something where you say this in, it's worth to use that. Right. But you're, you're still a little reluctant regarding who, who else is.
Oh, so maybe someone of you has a more positive perception, more
Positive,
Or maybe we can just come up with some other thing. That's an innovation,
Some other ways. Great
Question. Great point. Or
Maybe we define innovation.
I mean, obviously there are ways to do things better and faster, and then there are the problems that you never knew you had, that someone comes up with a solution
For, and they are the problems you've always had, but never were able to solve. Right.
So yeah.
I mean, both of us are, we're both in CTO's offices. Right.
And so, you know, we, I spend some time talking about, okay, well, what, what does that office do? You know? And sometimes I talk about, well, motivated innovation push and seeing around corners, right?
So, you know, sometimes when a, when somebody who owns a car, hears a noise and takes it to the dealership, or, you know, somebody who could fix a car, if they go in saying, I know exactly what's wrong. Well, oftentimes they're wrong. That just happened to me with my car. And I know nothing about cars. So the idea is you have a problem and you take it to people who can think about solutions broadly. So that's what I think of as innovation. Right? And you want the solution to be well motivated.
It also maybe should scare you.
Someone says, oh, I know what the problem is when you come, come up and say, oh, my car has a problem. Says, oh yeah, I know the problem. Then.
Yeah, something got wrong anyway, before.
And luckily for me, in this case, it was two wires that got sort of loosened in another fix and could be reconnected. And it wasn't a thousand dollars fix, but I can nominate one, one innovation that I've been seeing. Now I talk about this sort of thing a lot, but this I've been spending some time on consent technology. And so I've been talking with a lot of innovators in the space of consent technology. And the reason why I think it's a thing is we've been seeing a regulatory environment. I'll
Talking, what is consent technology first?
Yes.
All right. I will define it.
So, you know, we, we know about things like widgets that will help you put opt-in check boxes on your webpage. But I, I think, you know, there's a market demanding more now because there are top line of the business and bottom line of the business reasons to do so.
And I don't wanna steal too much of my thunder this evening when I talk more about this, but I'm starting to see companies who are starting to specialize in actually consulting with businesses who need to have better relationships with their customers when they do things like present terms and conditions, terms of service, privacy policies. We saw ex we've seen examples of people who interact with online services, freaking out when those terms are not good.
And so these companies, I'm thinking of, there's a new little company in London called Project IF, which is really fascinating, they're actually a design studio.
So they come from the creative end of the world first, and they they've actually started cataloging permission and consent models that they're seeing in the wild, like little mobile apps and different ways of interacting with people just to collect consent, offer consent, do all kinds of things.
And they've collected, like, I don't know, a couple dozen of these and not all of them are for compliance reasons, which I just found fascinating. So there's one example of an innovative company that's taking user experience as their touchstone. And there's another company which many of us may be familiar with, Ctrl-Shift, which also has a consulting arm that does similar consulting to ensure that a kind of customer journey, if you will, around consent processes is as solid as possible. So I just find that fascinating,
Pam, what is your favorite? Dun Kim Pam came tracking?
No, I just, I just wanted to make, you know, Ken Klingenstein from
Yes. Oh yes. Scalable consent. Yeah.
Yeah. So that's another thing that ties in and is really fascinating. He's the guy who set up really. He was kind of the driving organizational force behind Shibboleth and Internet2.
So yeah, he's done great work on that too. And
Yeah, so he presented a couple weeks ago at Internet Identity Workshop demonstrating work that was tested by CMU, very highly respected with things like toggles for whether somebody will know this is in a higher education environment toggles for whether, you know, what it is you're permissioning to be shared in terms of your personal attributes. I was wanting to deep dive with him further. That's excellent consent tech.
Well, I think for me, the innovation that I'm most excited about is not something I've seen yet. However, it involves user experience also around. So what I'm seeing right now is that people want to authenticate users with more factors, passive factors, you know, login hints. Some of the technology around login hints is very interesting right now, but what's happening is companies are building, they're building an understanding of the exact situation. A user is in, in a single moment of time. At the time they access a resource and that's a very complex picture they're building.
However, what happens is the, the, what it does is it complicates the reasons why a user might be locked out of a, of a resource. So the user may be perfectly authenticated. So the innovation that I see as necessary, and some of the CASB companies in fact have been innovating here are, is along the idea of not simply placing an error page, but instead, essentially sending a user through a workflow that becomes a conversation between a user and a resource to negotiate the situation until it's acceptable to be able to gain access to a resource.
That's nice. Yeah.
The flip side to that is you also have a conversation with the, the attackers and there's some really fun things you can do if you actually believe you're talking to an attacker, you know, you shouldn't simply put up an error page when you do that, you make it cheap and efficient for that attacker to leave and go somewhere else. Why not cost them money and time?
This sounds exactly what I like. What you can do to the Nigerian spammers is like, oh, that's interesting. Tell me more. Where can I meet
You? Send me the check. Yeah.
Kim, you can have either
One. Let's
See, is that one on?
Is it on, I'm not sure it has been on at least if, if
It's hold it right
Up. Hello? Is this on? Yeah.
Hold it. Eat the mic.
I don't feel I'll use it because I don't want to get too close to it because I'm not feeling
Well. So get Jackson's sick.
I'd rather, I'd rather give this to
Jackson's.
So gentleman of you,
The least of the things we've ever shared,
We won't go there.
I, I guess. Okay.
Well, there's a couple of things that, that, that I would say about what I find interesting. I, I really find this Meeco interesting. Now everybody, all of you guys know Meeco.
Yeah. We had an award, sorry
To last, you gave it an award already. So like that's how, you know, asleep I am, that I only discovered it this year. I really didn't tune into all the details of what they're doing, but when I actually saw the, the UI of it and, and how simple they, they had made the whole question of sharing, you know, attributes between people and so on. I thought that was very interesting.
So that type of thing excites me a lot. And, and my hope is that, you know, if we, if we do things to professionalize the, the identity experience for service providers, like your average enterprise, and so on that we can have a socket in it. One of the things, one of the advantages is, you know, that we can put in sockets so that things like that can suddenly be enabled so that the, because otherwise things like Meeco, they have to go in and convince the enterprise to change a whole architecture and blah, blah, blah. And it's almost an impossible problem.
So, so maybe to give a little background to the ones who are not that familiar with Meeco, Meeco is an approach of allowing people to keep control about their data, their PII, and other types of attributes while sharing this. It's I think pretty close to what we've called Life Management Platforms very much. Yeah. And so the idea is basically that, so currently it's more the situation that once you share an attribute or other type of information with someone else it's under, it's out of control.
And the idea is basically to better enable someone boing to do both things, having control and share information, wherever it's web. And so this is basically where Meeco is around and what I think, what you brought up a very important point, as long as we don't have sort of, sort of standards around that. So what you touch with your sockets just don't, as long as we don't have a standard way of integrating such technologies in the ones who are receiving data from their customers, for instance, as long it's have the situation very hard to, to improve the control.
And I think going back to there, there's a lot of stuff we wrote about, I think it can be beneficial. And this probably sometimes underestimated to both parties, the one who shares attributes and the one who consumes attributes, because people might be far more willing to share information if they keep control than they are today. When they know, okay. If I give that information to them, then they will use it for spamming me for advertising me, whatever else. That's true. So this is just the background to Kim's
Point. Yeah.
So anyway, I, I, I find that fascinating and I just would love to see more of that happen and, and balance out some of the current trends. The other thing, okay. Now I'm gonna say it, I'm gonna get really blockchainy.
So, you know, I'll be the odd man out drink. It's vodka better watch
Out. Are you
It's
It's actually, you know, I really, I won't say blockchain, I'll say distributed ledger, right? The distributed ledger to me is one of the things that is going to really be transformational.
So, because, you know, if you look at say, well, you know, the whole process of performing a transaction and then being able to follow that transaction and, and the reconciliation, the effort in reconciliation, especially if you have to go across a bunch of partners, right. Is so expensive. And it just is so dominant as a, as a complication and a cost in so many industries.
I, I just think it's very, very important. Yeah. Now the problem is that, you know, I don't, I don't believe at all in this whole, a big public blockchain that is just gonna sit there, you know, spewing even more private information into the stratosphere.
There, there has to be mechanisms for controlling things.
Not, not even, not even because it's rationally necessary, but just because it's emotionally necessary.
And, and so I think that the way in which some of these things are presented is, is, is, you know, no wonder everybody, you know, no wonder Jackson is laughing so hard. I mean, I mean, you hear people, people will say, well, blockchain solves the problem of identity. Sure. Other room laughs gives us, gives us another, gives us another name space. And we really need that in the identity world. Thank you. And better still the, the, the key is your identifier. So if your key gets compromised, your identity is hosed, which is I think another real advantage and so on.
So when you look at, when you look at it, all of the identity problems that we have, all of the identity technologies, you know, to me, one day I had this aha, which was blockchain is gonna bring about a Renaissance of, are you ready? Cover your cover, your ears, X.509.
It's the year of PKI it's gotta
Be, or it's the year of PKI. Okay. In other words, most of this stuff cannot function without assertions made about the entities. It's one thing when it's all just a bunch of hashes being calculated and energy being burned, and we call that money.
It's another thing when we're actually talking about things that we create or, you know, have value for us and therefore are associated to things that have identity. And so the, and so, so the whole idea that blockchain is, is a panacea for all these things, to, to my way of thinking, it's actually going to give birth to a whole bunch of other things.
And so there are anyway, I'll, I'll, I'll leave it there, but just to say that I am positive about, and when, when you look at say the problems, I, I mean, I don't want to talk about a large corporation that provides services well, and I really like the fact that we can't talk about our employer, because that way, if our employer isn't innovative, we won't be embarrassed.
But anyway, the, the thing about the, you know, the, the, these, anybody who's running a cloud service is in the position where they have to constantly be proving that they're not meddling with information or spying or stealing, or so you, you need to have ways of doing this thing where you're, you know, people are able to trace the purity of the, of the transactions and of the accesses to machines and to information and to databases with absolute certainty.
A couple of thoughts on the B word. I've got one, if I may, just, before we move on to other innovation areas, please real quick.
Number one, I do find there is one company innovating around a substrate of, I'm just gonna call it the B word. I just can't even say it anymore. Although I hope that we move on to whiskey tonight when we drink every time we say the actual B word and that's Blockstack, I think that they have found ways to avoid for anybody. I don't know, is Blockstack represented at this conference? I don't think they're here. Blockstack.
No, but so Blockstack has found a very nice elegant way to put pointers to actual sensitive data into the thing, not the actual data, and data can reside in a traditional repository so that the data does not have to be in a many, many copies of a distributed ledger.
And it, therefore doesn't have to have a larger attack surface, and they've done some neat things with identity so that you they've, they've actually innovated around how you can treat identity or pointers to multiple identities in that thing. And I think that is really, really innovative.
So that's number one, number two, we are as sure as heck going to have to innovate all of us, if we do B word around PKI and around key management. So it had better be the year of PKI. If we actually do anything with this technology that I'm talking about.
End of, end of my rant.
Okay.
So, so maybe I jump in, because I also have to say something around blockchain, ah, where's
The whiskey.
I use the word. So I personally believe that it's extremely important innovation, particularly then when we don't know anything about blockchain anymore, or when you don't care about it anymore.
So, you know, it's a little bit like IP, so dearly. Some of us still like to look at, so use company commands like ping and tracert and all the stuff, and to have deeper into it, using their sniffer and look how this, the stuff is really working. But at the end of the day, the mass of people is not interested in how this works anymore. I think what blockchain gives us or distributed ledgers and based on the blockchain technology and based on blockchains. So the blockchain for itself is just transactions put into blocks and blocks connected with each other, chained with each other.
That's what blockchain is. It's not Bitcoin or anything like that. There's a Bitcoin blockchain, there's an Ethereum blockchain, but blockchain for itself is not that new idea.
The Merkle tree is some years old right now. I think probably the same age as R F by the way, the underlying Merkle tree. So just to give you an impression.
And so, but once we say, you know, we have problem, we need to store data in some way. And there are times like relational databases, which are excellent for some use cases. And we just use blockchains or distributed ledgers for other types of use cases. When we are at a point where we don't care about all the other details anymore, then I think it's really a very, very worthful innovation, but not as long as we try to do blockchain for the blockchain sake, so to speak. So if we do blockchain, because we want to do blockchain or to want to be blockchainy, then we do something wrong.
If we do it because we can solve a business problem better. And if we don't care at some point anymore about what we use underlying, because we know it works and it provides what we need, then we have delivered on that innovation. Jackson, it's your turn. And don't use the term blockchain because we know
Critical all it's been used up.
No, no, I won't use it. How about a little audience participation? How many companies are using cloud properties of some nature, Office 365, Salesforce tole, Workday, you name it, how many people understand and govern all the documents that your employees have put up there and understand the security rights of all those different documents on those different systems.
One, because all you use is Salesforce. Great.
So to me, that's one of the areas I'd like to see some innovation around and, and I I'm following a number of different companies. You know, cloud access security brokers were mentioned a little a little earlier, but, you know, again, when I talk to customers, some of their biggest problems, and I talked to a couple this morning, before this session, they're putting things in the cloud.
They, they, they need to put things in the cloud, but they don't have either a set of sockets, which would be nice if there is at least a set of sockets, let alone one socket that they could use to manage identity, manage passwords, manage security, manage governance, and manage all of the compliance issues around all those things in the cloud, much like we've been able, able to achieve on-prem.
So it's one of the areas that I'm following and certainly would, would love to have anybody shout out or tell me later on that they found the one socket or the socket set that you could buy from Home Depot, because I would, you know, that's what my customers are asking me all the time is how do we solve that particular problem? And that's an area that I would love to, you know, see more innovation around. And so send me an email. If you see something please from your Dell XPS 13
Best.
And I think it goes, goes back to, to some other topics.
And probably it's also one of these things, which we already had a long time ago with innovation, which is all this rights management drivers you'd like to call it, which allows us to do a lot of stuff and better protect information, which is still not as widely used as it should be, because it allows to do this lot of things. And it also relates to discussion. We started last year, which unfortunately still stuck in my mailbox. I feel guilty for that because we, we started a conversation about how can we better have control about access on cloud services.
Currently, if we are realistic, it means we use a proprietary web interface. Maybe we use a little bit of SPML to help us, but we, we use a lot of proprietary web interfaces of all each of these cloud providers to configure the access controls and all the other stuff.
So we, I think from an innovation perspective, it would, it would be great to have the ability to centrally from our perspective, centrally control, who has access in which way to which cloud service in the standards based way. And I think some, some things, and that's where we started discussion. And as I've said, I'm guilty for having it still in my inbox. I think it's the oldest mail I have to work on.
Right.
Which is for instance around thinking about, can we make OAuth 2 more dynamic with dynamic scopes, and so which we can grow from outside.
And if you do something like that, that I think that maybe it's the wrong way, but I think if we have some innovation in that space, which allows us to get rid of proprietary management interfaces of cloud services, that would be a really great innovation.
This, this ties in, I think to the last session, I don't know how much overlap we have in people from the last session to this one. But Darren rolls was talking about, you know, needing to have that sort of structural governance layer do the right thing.
And I had asked about, well, what in a highly, what about in a highly federated environment, if you use SaaS services and such, and it was a tough thing to know what to do about and cloud access service brokers, CASBs, seemed to be not really scratching the whole itch. And you just mentioned SPML and I think SCIM, the SCIM standard.
It
Is, that's
What I'm sort of the more modern answer, but I
Can't, I can't keep in, in my mind what SCIM really means.
Yeah. Because they, it's more identity provisioning.
It's,
It's still complicated. Yes.
But you know, it, George Fletcher and I were just talking sort of in the inters between one session and the other. And I kind of think we, we haven't been looking at the right architectural model. You just mentioned OAuth, which is, I've been referring to it as the, the standard. You can't get fired for choosing to protect your APIs these days. Right. Everybody has an API first approach.
If, if you do enterprise architecture that I've seen in the last couple years, and I don't know if this violates the terms of my being on this panel, but I'm gonna mention UMA, User-Managed Access. It's not my company.
It's a standard,
It's a standard. And
I got a couple last year
You're
Allowed to, to mention it,
And there's the stickers too. He's got the sticker on his show, the crowd will you, but so UMA, User-Managed Access, the user in User-Managed Access can be an enterprise. And it's based on OAuth. And the idea is centrally managing the entitlements you hand out. Yeah.
So it can do that. It can do a federated authorization use case. And I'm wondering if that's simply the better architectural model for a CASB to do.
I mean, maybe that's the next wave of innovation. You know, I've been talking to people about their struggles to do centralized governance of what their, what constrained delegations their employees are handing out. Yeah.
To, you know, their own applications.
One thing I have to add, the initial idea of what I just mentioned came from Pamela, not from me. Okay.
So she,
Oh, that's your innovation idea. Yes.
Her, it would innovation.
Well, there's a lot of stuff going on in the standards world right now, actually that I think makes a big difference and that you all should be aware of.
Anyway, if you're not. So for example, token binding, how many of you here are familiar with the token binding spec that's coming out? Okay.
So, so a few, but not many. It's, I mean, from a security perspective, it's a huge deal because it actually binds a person's TLS session to their, you know, to their web session.
Maybe you, you explain it a little more for the, so there were not that many hands raised, so maybe
One more level of detail. Let me see if
I can get it right. That's the trick is explaining it correctly.
And that just walked in. So we'd be good.
So, oh no, he will be too technical.
There's enough people in the audience to correct me if I get it wrong. But essentially the idea is that when you instantiate a, a TLS session, you essentially create something that can be tracked. There's an identifier that goes there and that identifier is fairly persistent. So what you can do is track whether that identifier changes over the course of a session that should be consistent.
So, I mean, that's a very high level example, but it gives you something, not exactly physical, but something, a binding that you can use to look for anomalies. And it, you know, I think you guys are, are, there's a bunch of people who are working on this, this right now. Yeah.
TLS is only hop to hop. It's not truly end to end. And so token binding basically makes it go all the way through to your actual session, which is a big deal.
So end to end security is a good thing.
I think, yes, you should have far more of it. Jackson, Kim, you were quiet for a while. So any other innovations to add?
Well, I love token binding, but it's so funny because it just reminds me, it's almost like we've gone back to a multi-layered architecture.
What goes around comes around or so
OSI. Right. We used to have all of that stuff. We gave it up because stateless is better. And guess what?
Yeah.
Stateless isn't better, though. Right? Stateless is how you get abused because you keep forgetting and your enemy keeps remembering. Right. And they're gaming your system.
Well, you're just forgetting, they've even ever tried to attack you something,
Tweet that like it is sister. I love that explanation.
We should just bring back X.500.
Oh no.
Oh no.
Well that was another, I mean, not that I want to talk about the B word, but that was another great thing that people talked about for quite a long time.
We saw it, we saw it working very well. We built things together that worked very well, but nobody could find a good use for it.
I think there are good use cases, but
So, you know, I talked, I talked a little bit about, you know, the, the, the cloud stuff, you know, I think, I think from an innovative perspective, I'm still, you know, just personally in, in the things that we're looking at, trying to figure out how we better connect, you know, and I talked a little bit about this yesterday during IOT, but just this whole aspect of how do you better connect identities to the network layer from the firewall perspective?
How do you, how do you have a, you know, I hate these conversations where you go in and talk to a customer and they say, well, I'm using this vendor's gear. Therefore I can't interoperate with your system.
You know, cuz I'll go in and I'll talk about a particular firewall vendor and they'll say, well, we don't wanna replace all of our firewalls to be able to get this particular feature.
And I'm thinking about things like where we can control firewall ports and network access based on things like risk and where people are coming from.
So, you know, I, I'm quite interested in that also because some of these next generation attacks and next generation threats where, where I think there's some benefit that an identity system and a risk system, and a lot of us are working on things around risk and threats that are happening. I mean, you, you see some great stats come out of, out of Microsoft and other companies about what they see every day, because they're in they're, they're, they're seeing billions of authentications every day.
How do you take that and turn that into actionable knowledge by companies, even to the point where you can control perhaps firewall access. I mean, I have this vision and I've talked to companies about this vision of having sort of that red button that gets pushed possibly by, by the identity system or the risk system that increases the, the threat level across the company, not just at the web portal, but internally and externally.
And, and I think that's a, a very interesting area, but there's so many problems in trying to do that and different firewall vendors, et cetera.
But there are some, some interesting innovations on the standard level. So if you look at TAXII and stuff, there are standards popping up, which allow you to, to share threat information. And the other thing I think, which is close to what you start, you, you talked about is that's clearly one of the areas where we already see a lot of innovation happening.
This is this combination of big data technologies, then the analytics, cognitive AI, however you've phrased it and the entire security space. And there, I think there's a parallel drag looking at this stuff. And I think this is one of the areas of innovation. I think we started talking at Cola about real-time security intelligence some two or three years ago. And what we currently observe is that it's becoming more and more reality that we have more. So you see more behavioral analytics stuff.
You see more areas where really advanced analytical capabilities are, are, are applied to security challenges. And I think that's one of the fundamental things where we have to, to continue innovation that is that we not. So access governance is fine, but you know, if you give someone an entitlement and even if you're, let's say a six month cycle, it means you kind of five months and 29 days or so of excessive entitlements. And even if he has that entitlement and uses it and he has it correctly, it still can be a fraudulent use or it can be a hijacked account.
You never will know. So we need to, to move to realtime analytics, to understand, are there changing? Is there a change in behavior? Are there different patterns of use? And this is where we really need to apply technology, which is far better in dealing with large amount of data, because we have to look, look at not only what happens at that point, but what has happened over the past.
So which means far more data than just the, the realtime data. I think you talked about how much data is collected by some devices already.
And so we're talking about real big numbers of data and we need other types of analytics, which are better. And I don't believe by the way that much in the machine learning term, because for that particular problem, because machine learning associates always that you learn by something which went wrong. So machine learning applied to security means you have to have, you have had some incidents until your machine knows what to do. So it's better to, for instance, detect that there's something different than it has been.
But I think it's more the marketing problem that they applied the term machine learning for something which isn't machine learning, but all of these technologies will help us.
I don't understand what you just said at all.
I, I think I, what would be the right term then? So I think he's saying that.
Yeah,
Because to
Me, so machine learning is properly understood as being, you have negative effects and, and the machine is learning from negative effects in order to self-correct. But in security, that's exactly what you don't want. You'd rather have it learn from positive. Nobody's
Learning, it's learning from both negative and positive. Why are we saying negative? I don't understand.
I'm not sure myself cuz I'm not an expert in machine learning. So
Anyway,
I mean I think that the machine learning is fundamental.
It's absolutely fundamental to the whole rest of the big data thing.
I, I don't, don't say that it's that it's wrong. Maybe it was a misunderstanding.
I I, in
Fact, in fact it's one of the obvious, exciting innovative
Areas. Well, if we have enough breaches, we'll have perfect, you know, we'll have a perfect fraud
Intelligence.
No, but I mean, imagine we can actually have sort of analytic systems that really know the range of legitimate transactions. Now that is huge.
Let me give an example.
So I'd be happy to come back next year and talk a little bit about, we're just starting a machine learning project right now, and I'm very, very excited about it. And this is a trite example, but I want to give it to you cuz to me it was what opened my eyes. We did a very short experiment where we looked at, we took inside of our, our corporate network.
We took all of the group and administrative access just in Active Directory. Okay. And we fed that into a, a cloud based machine learning system. I won't mention whose it was, but he sits to my left. And the interesting thing that came out of it was the guys. When they brought me in to show me this, they said, well, take a look at the scatter plot. And it shows, you know, people and privileges and the size of their scatter, their, their plot, their, their bubble shows how many privileges they have.
And you literally saw, you know, the quadrant and you saw, you know, tens of thousands of people down in this lower left corner. And you saw how things go out a little bit, a little bit, a little bit and up in one corner, the top right, there was a huge bubble with one person. And my colleague said to me, do you know who that is? And I said, well, no, but I'm gonna guess it's one of our Windows administrators, something like that. And they said, no, it's somebody in presales. And you know, I said, excuse me, presales.
Why would someone in presales have what looks like every privilege known to mankind, sitting up here, well above anybody else? I could pick out our Windows administrators down here.
He said, well, that person used to be in IT. Oh, and I saw that and I just said, this is, you know, this is just a very, very basic example of machine learning.
I mean, very basic, but it really opened my eyes to something that I thought was, was quite interesting. So we're just kicking off a whole thing around that night, you know, it's, I think it's gonna be really, really interesting use case negatives and positives. Yeah.
Okay. More innovations.
I was just gonna say, I think sometimes it's not sort of something really new, but rather that is of interest, but rather something being used and what's sort of what hasn't really happened is, you know, we've gone beyond the firewall now and we have all of these, you know, OAuth and OpenID Connect in particular have done a great job of democratizing the sort of, you know, we have identities that actually work across boundaries and isn't it fabulous, et cetera. The only problem is that nobody uses them for anything.
I mean, the only thing we use them for is say getting into a website, but they don't use them for all of the really. So we haven't made any contact with the application developer world for them to say, gee, we can use all of that if you go back.
And he, he mentioned it's lab cetera, but he mentioned Active Directory.
So NOST, but the, the, the whole, it was so simple.
You know, everybody had an identity, it was like, you know, just a simple little name, blah, blah, blah, blah, blah, blah. So all the developers knew that they could use this to make useful things. Now we have this slightly, but it's really a tremendous achievement that we can have identity across boundaries, but we haven't communicated that this can be used.
And if, if, if you actually start using it, then that becomes, you know, really important theory. It's a theory, an unusable, it's a proposal. It's no costs
To, I, I'm not sure whether it's, it's not used or whether we already maybe not, not as perfect as it could be, but we are seeing this, this merge of world of applications, where we use that information about persons and the identity side.
So if you look at this, another buzzword, CIAM, so consumer or customer identity and access management, I don't like the A that much in the, the term, because it's really more about identity than about the access here. But if you look at this happening, I think we see that it's about starting to, to converge where we have the area of, how can we sort of, it's a little bit like a meta directory. If you collect all the information about our identity you have in various systems, then it's technology wise. It's not that far away from what we did traditionally in identity.
So getting a full picture, maybe not a, in a, in one directory, but a more dynamic picture of the person, but also of their behavior, but the, the, the, the, the real-time aspect and the, the behavioral aspect and how, how can we use it in marketing? And what can we do based on that comes into play.
There, there things are starting to, to come together. And so I think we are finally entering this and, and finally, a colleague of mine recently brought up a slide where he had gone back to a blog post I wrote back in 2007 around IAM and CRM, which should be connected far tighter. And I think this starts to happen right now. So I think your, your wish is becoming fulfilled
Slowly.
You know, I, I would comment maybe rather than talk about problems. I'm gonna state this sort of in the positive and the hopeful and the hoping for innovation, the challenge that I think we've had to set, set up my hopefulness is that it's all about name spaces, name spaces, and that we still need pre-established trust in order to effect going across boundaries with identity. And so that's true. It's as true of customers and consumers as it is of employees.
And to give an example, you know, in, in the User-Managed Access context, if you wanna share some data with somebody who's kind of in another far flung domain, if you don't have pre-established trust all the services acting on your behalf, can't really work it out. It's unsafe to do so.
So I'm going to express a hope that nobody's gonna believe given my earlier reluctance to say this word, but if the blockchain people can figure it out, how to actually share claims about a person that might be associated with a chain without having pre-established trust, I would be forever grateful for that solving that use case, because that's a kind of a wide identity ecosystem scenario that is otherwise unsolvable today because it's insecure today to share without pre-established trust.
I think the other thing that's unsolvable today that kind of amazes me is the fact that we're very, very good at granting access. And we're absolutely terrible at taking it away. We're we're, I mean, your, your example earlier in
Scatter
Plot. Yeah. Right.
About, about accumulating credentials, but also human will. So if you look at a standard right now, that's being ratified in the OpenID Foundation, which is the OpenID Connect Session Management specification.
This is in theory, the, the ability to either via a browser or via a REST API say cease and desist, something that I have previously been granted access to, and that doesn't sound like such a big deal, but it's actually very hard right now, short of revoking or, or expiring credentials, but imagine the power of you, you know, because more and more services are going to be watching your devices, your activities.
I mean, we talk about how great it is that everything's gonna be studying everything you do all the time, but wouldn't it be great to have a big red button, but a personal one that says, okay, shut it all down. I, I, I know I'm not gonna have any access. I know that by hitting this big red button, my corporate, you know, everything corporate about me is taken away. And now it's just me, the person and stay out of my business, right, until such a time
And invite to my talk later on today, there you go.
There
You go until such a time when I must again, engage and become a corporate animal and therefore, you know, have all of the surveillance start up on me again,
An innovation I'd like to see is where you guys, the customers don't have to pay hundreds of thousands or millions of dollars to get identity and access management systems up and running. I mean, I've been doing this a long time. Kim and I have known each other since 1989, when he and I, he was my supplier and I was the, the, the customer. And it's still making
Him pay hundreds of thousands. I loved every minute of it.
I'm still paying. But, you know, if I, if somebody said to me, you know, what do you think some of the greatest achievements are? And we get asked that all the time of not just myself, but of the industry, we can talk about a lot of things that we've done all of us on the panel, all of you guys, but when people ask me, what do you, you know, what's your biggest disappointment?
And I would say, that's probably my biggest disappointment is the amount of money that customers have to pay for these systems that we should be able to build that don't, you know, that, that, that aren't so hard and need. I mean, I know, you know, it's like the old movie, you know, where you have to have all these people who clean up the stuff that gets broken on the floor and all that jazz and all kinds of people are employed and services guys and things like that.
But gosh, I sure would like it to be a lot easier for, for the customers that that's an innovation I'd love to see.
That was great. Final statement.
Maybe, can you continue with your final statement for this session aside of the fact that you laughed at the dollars LAR
Well, I actually think that it's happened. I mean, I think that the, the, you know, and I apologize for, you know, being so cloud centric, but it really has fundamentally changed, transformed the equation. Like you look at what it costs using cloud technology to do something like consumer management, it's just, you know, a fraction of, of what it costs to do it yourself in the it's.
It's almost in fact, one of, I shouldn't say this, but when we first went out to customers with some of the proposed fee structure for the cloud-based customer management, people said, oh, well, that, that can't work. That's that's too cheap. It can't be any good at all. So we had to of course increase the cost, but yeah, so I actually think that we have achieved a we've we've cut.
We, we are cutting the costs dramatically and we are increasing the capabilities dramatically at the same time. I agree. Yeah. And now the question is, are we opening up opportunity for further innovation as we do that? Or are we becoming, are we closing it down? Right. But as long as everything is open, as long as it's based on standards, as long as there's sockets, so people can plug in democratically into what, what happens there.
Then, then I think it's positive.
Pam.
I would say that I'm excited to stand on the shoulders of today's a hundred million, you know, the, the things that you really wanna pay for.
And I, you know, I can't wait to see the things that you really wanna pay for next.
That's a great way to put it. You sound like my wife, I'll just comment on an innovation that's already happened and is still giving benefits to us. Now actually made reference to it earlier, which is APIs, RESTful APIs. I think it's upended what we can do. All of the standards that some of us still have a hand in building today have underneath them, standardized RESTful API endpoints.
And, you know, the reason we have an IoT economy today is in large part because we have an API economy. I mean, we had M2M for, I don't know, 15 years prior to this, but if it was still in the, the hands of, you know, embedded programming engineers, it wouldn't have exploded. So the API substrate that we have is key to everything that we're still doing. It's made things cheaper. The API first mentality that I was talking about is key to the application economy. It's key to just everything going forward.
And, you know, the tweaks that we do to make it fit, constrained devices and everything else that we do marching forward, it is just key to everything. And I think a lot of innovations that come are because of that innovation. I'm so grateful for that.
Okay. So the innovation I'd like to see is one which is not, is not technical, which is more organizational. The one I've been talking about in my keynote and I talked before, which is adjusting the IT organization as a whole, to the reality of today's business. I think that's another innovation which should take place.
And then there's the innovation I have to follow up in my mail folder. That's something I promise to do. So thank you to all the panelists for participating in this panel. I hope it brought some interesting information.