The Future of Digital Identity in Enterprises and Beyond - What are your EIC24 Takeaways?

Okay, so, so again, it's a talk, so we'll exchange a bit. We, we, we just a talk in the room. I think most people who are in here, were in the other talk as well, which was more, more on B2B identity management challenges there. Right now I think it's, it's an enterprise Im where setting what, what are your main takeaways and maybe before we start a bit more of introduction than just saying you're at Net IQ and have a novel legacy, so maybe you can elaborate a bit more on that.

Yeah, Sure. So thanks.

Thanks, thanks Martin. I'm Larry Chinky and I'm, I'm Senior Vice President of corporate strategy at One Identity.

So that, that means a lot of things when you look at different organizations. You have one identity, sorry. Yeah. Well I wasn't Novell for 17 years, But I think he mixed it up saying you were at Net iq.

Yeah, yeah, Yeah. Sorry.

So yeah, I was at Novell net IQ Microfocus for 17 years, going all the way back to my e directory days. I think that's probably where I first met Martin years ago. So I run corporate strategy at One Identity. Now I've been there for six years. And so that means a lot of things. So I run everything from our strategic marketing, corporate strategy, our field strategists. I do a lot of our demand generation bubbles up to me, as does our technical alliances.

So, you know, when we look at internally at one identity on what our gaps are, like, what products we think we need to have to fill and complete more of an identity fabric. Mar Martin mentioned that in his last session.

So it's, it's my responsibility to look at different m and a targets. Do we need to buy something, build partner with somebody, that sort of thing to, to kind of fill those gaps. And then all the enablement, technical enablement certification all bubbles up to my organization as well. So a lot of different pieces move up into what we call corporate strategy at one identity. And it's really all around creating a much more unified approach to how we look at the market today.

So, you know, we don't wanna, we don't wanna get into these product versus product type of things anymore, since it's really, everything is, if you guys probably looked around the conference today, made a comment on this earlier, whether it's Aon, SalePoint, some, some of the other, they're all talking about de unification of identity or a converged platform. So, and we've been positioning that for about, about the last five years.

So, so it's really kind of one of the trends we see in the markets today based in that current threat landscape. Okay.

And so, so what, what, when we look up bit at the, the takeaways e except of that, there's a lot of identity security written on the booth Yeah. And conversions and, and things like that.

But, but what is it, what, where, where you say this is, is really something you, you feel is, is very relevant to the, I would say to the, not only to the industry, but to the customers of the industry. Yeah. Because I think at the end of the day, it's about the customers.

Yeah, it is. As a matter of fact. And that's a good question. One of the things I noticed, like when, and, and just like Martin, we go to a lot of these, and you guys, I'm sure too, go to a lot of these conferences, whether it's, you know, there there's different, you know, organizations, you know, RSA and some of the other ones that put these on.

You know, a lot of the times what I see at the conferences are all built a a lot around what I would call a cost savings initiatives or, or vendor consolidation or operational efficiency and that sort of thing.

But what I'm seeing more and more in the conversations I'm having with our customers and I fall, I fly globally talking to customers in our channel ecosystem, is it seems like, and you guys correct me if I'm wrong because you're in the space, is that there seems to be a lot more emphasis now in this space specifically around building a secure platform and security not as much around OE and vendor consolidation. That stuff's important. But if you look around here, it's really all about security and, and spending money on security.

And I've always said that I thought that was the most important part of any of these individual market segments. And what's interesting about like access management, for example, you'll get, you know, Okta or Ping and some of the other ones, if you look at the top four reasons why organizations buy an access management solution today, there's, there's all kinds, but do you know where security fits number 1, 2, 3, or four? Can anybody guess? Anybody wanna take a guess? Four. Four. It's number, it's number four.

So access management is the by, by over, over two times the most widely deployed IIM market segment. And, but security is all the way down at the bottom, which is very interesting. So that means that all these other market segments are being purchased much more for the security element where access is beginning purchased more for the OE inefficiency.

So, you know, when, when I look around at like these conferences and these different, you know, market segments, it's pretty interesting how you see the trends start to separate but then also come together at the same time. Yeah.

And, and, and I think for me it's also that we see that identity management is getting bigger. So, so you talked about vendor consolidation, which by the way is, is an interesting thing. When we started, when we did the first EIC, someone told said to me, you know, does it really make sense to have such a converse, whatever, 2030 vendors and, and then they start the one vendor starts acquiring the other end. So you won't have a market maybe in, in a few years from now?

I would say we probably are more in the range of, I think we, we are, we are getting closer to the 1000 identity management vendors nowadays. When we take all the identity verification players, when we take all the decentralized identity startups, when we take all the other startups around, for instance, secrets management or, or machine identity, which is a horrible term because a machine for me makes noise and moves and iron and so on. And it's not, not just a service, but I think we can argue that would be a very separate true conversation. Here's true, yes.

But, but at the end of the day, I think we, we, we, we see that this is, this market is getting bigger and bigger. And on the other hand, we also learned that we need to bring together things again.

So, so I think it's, it's, it's a, maybe it's also a constant fight of consolidating versus adding things to the, to the overall picture. Yeah. Yeah.

And, and there's, there's a separation between, and Martin, you and I just had a webinar on this topic, very similar. What about a month ago we did that. But I mean, there's a difference between convergence and consolidation.

And I, and I think you're right, probably a thousand identity vendors, when you look at all the, well shoot, just IGA probably has eight or nine segments to fall under it. You know, access has MFA and you know, that sort of thing.

But, you know, the consolidation is kind of like the technology components coming together and convergence are like the companies come together to kind of form, you know, a whole new space there. Yeah.

And, and I think my, my colleague Alejandro currently is working on this, I think on the leadership comp, access management, and I think he has almost 50 vendors in rating Yeah. Alone in this subsegment. And it's one of many segments here. So it it is, we have a lot. And I think exactly the point is, so, so consolidation versus convergence, I think that the very important thing and is to, to, to homogenize and to unified initiatives you're taking.

So, so getting away from, I do this here a bit in the IGA here, and then I have a totally separate access management initiative, et cetera. So, honestly, so if, if in your, who, who's in an organization where identity and access are still segregated organizationally, so you don't need to raise your hand because otherwise I need to blame you, We won't call on you. That's okay. We promise. At least I won't. Martin Martin.

But, but, but, but, but it's, it is very clear to me, it doesn't make sense. And, and the thing you definitely can't vote me on if enter ID is not in the hands. And if you have enter id, it's not in the hands of your IM department, then something is wrong. So enter ID is an access management tool, and there's absolutely no discussion about the enter ID must be owned by the identity management department, for instance. We can argue a very little bit about the old active directory due to a legacy aspect. But at the end of the day, even there, I would say move it over solves a lot of problems.

Yeah. I I think you're exactly right. Matter of fact, we were just having a conversation with a, one of our customers on this today, and I think we had e and Y in the booth. We were talking about that very thing on, you know, I think Microsoft has it really figured out when they, when, when you look at a platform, what, what they're doing with entra, but some of the sub components, like you said, Martin I think are just, they, they don't, it, it's a, it's a separation that, that occurs there. So Yeah.

And, and, and we, we need to, to fix some of these things, so Yeah. Yeah.

We are, we are, we're in a, we are in, I think in a constant evolution and we need to understand, this is one thing. I think this was a lot of the, the sort around, when we came up with the identity fabric idea several years ago to say, so basically when we started this it, it was basically stepping back and saying, so why do we do this stuff? Why do we do identity management? At the end of the day, the purpose of identity management is that everyone and everything have a secure, seamless, well governed access to every service.

This is basically the drop of identity management so that someone, something can connect to a service under controlled conditions, so to speak. And that's where everything starts. All the other things we are doing, we are doing to enable this. So we invented IGA because we don't, we can't give everyone full access to everything electrically. Yeah.

Well, as a matter of fact, I, I had dinner last night with our, our, I saw, I think I saw our, a arm over there from Stanza and Gerald. And we were talking about, this is going back and dating myself again. I think 1997 when I actually wrote a, a little hook using Microsoft Access, if you guys remember access of your old, like me using Microsoft Access.

It created a hook from PeopleSoft, which is our, our HR tool at that time to automatically create, when somebody got hired into the organization that Id down in our NT domain, it was not active directory, then it was down in our NT domain with role assignments and rule assignments that I could, I could place them into different departments. And that was kinda like our first step. And it was a manual thing. But really what that all that was, was me writing a hook to make my job easier. 'cause I ran the corporate network operating system at the time, and I did that to make my job easier.

It had nothing to do with security. Yeah. It had nothing to do with, you know, protecting anything.

It was, now I don't have to spend half my day creating IDs and different accounts anymore. So it's evolved into this complete, like you said, Martin strategic initiative now. Yeah.

And, and it, it's still fascinating to me to, so I have have to admit, I I, I did a lot of around, I wrote books about Lotus Notes Domino. Yeah.

I wrote, for many years I wrote a monthly newsletter inside Lotus Notes Domino. So I, it's not that I'm negative on the tool, but it's nowadays it's for me still sometimes fascinating to meet an organization which says, okay, we still have it in a notes database. It still comes from a notes database.

And that, that shows also how, how, how long these things sometimes exist. At least, at least you set access on a dase Well, I'm D Bass would've been my college days, so I'm not that, maybe that a little bit older Fox Pro. You didn't say Fox Pro either, so, Yeah, exactly. So it can be even worse always.

But, but what, what I really see is still these things around, and clearly we need to modernize these, we need to, to, to move to a state where we are, we're more flexible because these things tend, they, they are actually, they're always broken already. It's just that we try to put enough cover tape around it to, to keep them survive until we can do things differently. But maybe back to, to, to the things where you also see what, what is changing, what is evolving in this industry?

What is, what are the things where you feel they are, they will be, they are super important or maybe for the audience to look at because they will change the way we do things in AI Management. Yeah, yeah.

And, and you know, some of the, one of the things that we talk about quite often is the use of AI and hyper automation tools. And, you know, when, when we look, matter of fact, I, I added a, a very short segment in my session a couple days ago. I think it was on Wednesday, been here all week, I forget what day, what days or, or what, but Fridays today, yeah. Okay.

That, that's good. I think my flight's tomorrow.

But yeah, so one of the things that I, we talk quite a bit about at one identity is the use of generative ai, not only from an attack perspective, but how you can use AI from an identity perspective along with hyper automation. Now, when we look at the, how this attack surface has widened over the years, there's kinda like four reasons that I like to talk about in depth.

And that's the large remote workforce now that, you know, really came on strong around covid, you know, cloud computing, which, and not, not, not necessarily cloud like goods and services in the cloud, security tools being moving to, moving to the cloud as well, like IGA as a SaaS, Pam as a SaaS, et cetera. And then, you know, the other one is this lack of, this big shortage of cyber skills. So we we're finding a lot of our customers taking 18 months to find somebody who's really qualified to do these type of things. So they invest in AI and hyper automation tools.

The problem is, is those hyper automation tools create themselves digital identities, which rely upon the credential managers inside of the hyper automation tool software for security protection, which really, quite frankly is not all that great. And so it's, we need to look at how we can leverage, you know, IGA tool or, or you know, IAM tools to basically suck that out, push that into your I Am platform, and then provide a security mechanism. So you're actually using your I am platform to provide security for the AI and hyper automation that we see in the market.

Things like bots, you know, how bots can run around and you know, we've, we've got companies, Martin, believe it or not, that don't have an IGA tool. They're actually using bots to run around, create, modify, move. So joiner mover lever functions are being done by bots in the organization. Hundreds of them with no security behind them, which I find, you know, quite fascinating.

So yeah, I, I, I like the bot idea. I don't like that much the no security ID aspect on that. Yeah. So the bot idea is not that bad.

I, I, I would dare to say, I, I think one thing here also is where I believe there's a very concrete potential for, especially for vendors who serve multiple areas. So, so one of the, so when I take all look at identity management, that would have to list the three biggest challenges that, that regularly pop up. Then it's recertification. Sure. No doubt about it. I'm still looking for the one organization globally that says, Hey, my departmental managers love for recertification. They want to do it again and again and again. I still didn't find it. Yeah. So something is, is wrong here.

Role projects also tend to be a bit challenging and onboarding application onboarding. And I believe we have, for instance, a very big potential of utilizing chain AI to get to a much higher level and much higher efficiency in application onboarding and automated application onboarding across all the pillars of IIM because when we have an application, it's not just onboarding it on IGA, that might be the, the most tricky part. But it's onboarding it on Pam, it's onboarding it on access management. Yeah. The letters who tend to be a bit simpler.

But anyway, I think in an ideal world, our agent or our bot or whatever it is, does it for us. Yeah. Yeah.

And, and, and it's definitely, like I, and I, I don't mean to be negative against bot 'cause I think they do have a very important place. It's just the security element behind that, you know, is something that we sometimes overlook we have to do.

But yeah, the application onboarding, I agree with, as a matter of fact, it's, it sounds like it would be very difficult to integrate application onboarding with an IM platform, but it's really not. And that's something that we do at One identity quite often and there are tools out there that automate that process as well. And so I think Martin, you're right on that, that is a, it's, it's something that can be leveraged.

You know, I I, I once read that an effective IM platform can resolve like 55% of those type of, whether it's GRC or some other risk component or application onboarding. So it's really amazing how much more you can do from a security angle with, with that than, Yeah.

And I, I think that this is, this is one of the areas where I feel that that AI can, can be extremely helpful. I think it's also, you talked about the skills aspect, it, it can really help doing things easier.

Also, again, in, in onboarding, you know, when you need to onboard to a certain specific platform, then the guidance that can be provided that way. So how do you do it? What is the next step, et cetera. Having maybe prompt books that guide the people through that, through the things which needs them still to be manually done manually. That's a great area for that.

Yeah, I, I agree. As a matter of fact, you know, to me it, it's almost like the next generation, you, you guys have all probably seen IGA platforms that have, I'll, I'll call it like a modeler inside of that where you, it can go out and look at, show me 20 other people that have similar roles or similar functions. I wanna give them the same access as that. Yeah. You've probably seen that. So this is almost the next generation of that where AI can step in and, and kind of resolve Yeah. And and and, and maybe do it a bit smarter.

Yeah, exactly. Than trusting. I'll give you the same access as my peer who has collected its access over the last 16 years and probably only needs two person. That's right. I think that that would be in the smart solution for that. Right. I think another area is, is, is processes, workflows, all that stuff where, where, where it's also something we, we see more and more approaches on, on, on using AI in, in, in building this, which if I were a cynic, which I, which I am factually, I don't believe you Yeah.

That, that would be maybe something which, which, which is also very helpful because still the vast majority of vendors in the space doesn't come up with this is the complete, very documented, well described process framework for IGA, which you can use to start with. So in, in many cases it's, yes, you have a technology, you may have some elements of workflows, but really, so perfect, you know, process framework was wonderful.

Whatever, EP key EPCD diagrams and stuff like that rarely found. Yeah. And so maybe AI can fix what vendors didn't do. Yeah. I Think that the, the opportunities for ai, especially when you, when you look at it in an overarching IM framework, are really kinda limitless.

There's, there's so much matter of fact, I, I just started getting, you know, you guys use Wikipedia and stuff like that, I see that, that they've incorporated a AI into some of the search results that you get there. So I think that being able to plug that into what you're doing from a security angle, that's where it can be really most helpful. Yeah.

So, so by the way, don't hesitate asking questions. Yeah, sure.

So you, you have us here, you can ask us questions. Maybe Paul has questions from the online audience. Yeah.

And, and I do have some questions too that I, I want to ask the audience. Okay. Then you ask the, so if the audience doesn't ask questions to us, we ask That's right. That's right. To the audiences. Right? That's right. Okay.

Fair, fair deal. I believe, because I Love gathering intel from the most important people in the audience or the customers. Are you gonna pick on someone?

So No, no, no. I'm just gonna ask a general question.

No, I'm not gonna pick on someone. No, I, I wouldn't do that. 'cause I know it's like to, to sit out there and get asked.

So I, I know, know a couple of people in here so I could pick some. So anyway, what's Your question, team?

Well, I'll tell you, here's the question I get and, and you know, one identity and several other companies out there that have that that, so I've worked for publicly traded in publicly owned companies and privately owned companies. And one of the things from private companies is when you, you meet with the board, they always, you, you got a bunch of very super smart people on the board of directors for that are on the private equity firms, but they've never typically run a company. So they're very interested in what's in the market and what you're telling 'em and that sort of thing.

And so they ask a lot of the same questions, but one of the things that they ask a lot and that I like to do a lot of research on, because at one identity, we like to kind of peel apart why these trends are happening and, and things like that. So one of the questions I like to find out, like I said, EV every one of these IGA and PAM vendors you see today are talking about the platform and the unification and convergence consolidation.

So one of the questions I get asked a lot of times from different PE firms are, how are the customers that you see today in organizations, are they still buying in a fragmented fashion? Like if they need Pam, they buy Pam. If they need IGA, they buy IGA, are they looking at things holistically now? And for me, when I look at every single vendor is talking about convergence and every single vendor is talking about unification.

There's a couple things that tells me, number one, when we look at how these breaches are occurring now, and I talked about this Wednesday, they're targeting the identities specifically and they're targeting them because they're very easy to target now they're out there, they're on their own, they don't, they're not being protected by dual layer firewalls and content filters and network segmentation and things like that. So they're kind of, the way these breaches are occurring is they're, they're sweeping in between the gaps of those segments, basically kind of stealing the identities.

I talked about this Wednesday where the at and t breach 74 million identities were stolen, then pushed up on the dark web. Well they're pushed on the dark web. So they could be purchased by hackers who wanna try and then punch pump them into an organization. So my guess my question for you, kind of setting up the framework of it is finally The question. Yeah. Are you guys, It's important waiting For it. It's important to set up the framework before, 'cause the question may not make sense if you don't, but are, are you customers out there organization? Anybody can raise their hand?

Are you looking at things more holistically now from a more of a platform perspective and a true unification and security framework? Or are you still looking at it via Pam?

For Pam, IGA for IGA? How, what are you, how are you guys looking at It? I I I think an all question for raise the hand is relatively difficult.

So, so I, I would limit it to, are you looking at this more holistically today, question mark? Yes. Yes. Then raise the hand, if not, yeah, there we go, Don, leave it down. Okay. Alright. So we do have a, okay, good. What I found is, seems like about it went from zero like two years ago to my experience in the organizations I talked to is about 30% roughly. Yeah.

Or saying, yeah, you know, this makes a lot of sense. Now everybody agrees it makes sense, but sometimes it's harder to, What we see is really, we see a lot of organizations picking up this identity fabric idea. Yes. At least from a conceptual perspective to have a very holistic view.

Not necessary from I by everything from the single vendor, which is also sometimes tricky because the, the timeframes, you know, you, you won't usually rip, rip and replace everything, but you do whatever I change this year and then it takes you a while and then three years later you focus on the next big project. So this is also usually very, very split over time. But maybe going back to Paul, because I also will need to run upstairs.

Yeah, yeah. Okay. Thanks Martin. Yeah. I know you've gotta run off to another session, so I think we'll wrap it up here, let you get upstairs. But thank you so much. Thank You Paul.

And, and Martin. Thanks. Thanks for these two guys. They were the Yeah, you know Martin, right before Martin goes, I, I think I thought this about this with Paul yesterday that, you know, Martin and his team were the first ones that really created a survey around this concept of identity fabric.

And it's, that was what, three years ago? Four years ago? Almost Six, I believe. Was that That long ago? Yeah.

And, and now it was, it was BC before Corona. Oh, okay, okay. Yeah. BC that's right before Corona. Now you see a few others doing that.

So Martin, Martin and his team have that, have it figured out. I think so. Kudos to you, Martin. Yeah. Thank You.

Can you, can you imagine what Larry's energy levels were like on the first day? This is what he is like on the fourth day. Wow. Yeah. Alright. Good. Thanks Martin. Good to see you again.