Good morning everyone. Thanks for coming. There may be too many chairs for me, but we'll, we'll figure that out. My name's Jeff Margoles, chief Product and Strategy off here, Savitt. And here to talk a little bit today about the future. Where are we going and how come AI is such a important thing to talk about as part of that.
So, AI is probably the buzzword of the year, if not the decade. I guess it's not technically a word, it's an acronym, but you know what I mean.
It's, it's something that everybody is talking about. And really, I wanted to speak to you today about, well, how can we practically leverage AI and our identity security models? And why is it so important that we transform our, our current identity security stack into an ai? So first of all, maybe an existential question.
Why, why are we here and assent?
We like to start first about talking about, well, what are our customers doing? What are enterprises medium and large? What are governments, what are they actually doing that is making identity such an interesting and important topic today?
Well, let's talk about a few examples. How about the energy sector?
You know, we're in this massive transformation from fossil fuel technologies to green technologies. As we do that, we're leveraging the latest in our digital technologies to power that, you know, we're rolling out solar cells, we're rolling out wind, we're changing distribution, we're changing storage of energy, we're trying, we're changing transmission. All of these things while we're doing it, we're putting an IP address on everything. We're giving instant access to what all of that energy infrastructure is doing.
All of those things and all of those people who need to access all of those things, increase our attack surface, increase what we need to worry about things in, in the new energy economy that we didn't have to worry about in the old energy economy.
That is a complex ecosystem of identities of people and things that need access to people and things that we need to solve that we haven't had to solve before. It generates risks that we haven't had to worry before. You know? So that's something that's going on in one sector that's really driving the need for more identity security.
How about another example in the healthcare industry, whether it's patients or providers, insurance companies, pharmacies, all of these companies, all of these enterprises are in the process of digitizing. They're moving electronic me, they're moving medical records into electronic, they're sharing that across everyone.
You know, as a patient, I think, you know, I've got my aura ring, I'm connected, I've got a glucose monitor, I've my phone. All of these things are storing patient health information, my personal health information. I need to make sure that the right people have access to that, not the wrong people, that I'm maintaining privacy, that I'm in the, in the process of protecting all of that, but powering this, this improvement in, in medical care, powering this drug discovery process.
All of these things that are going on is a, is an immensely complex ecosystem of identities of people who need access to that patient healthcare information. And, and it's a, a more challenging problem than what it what was in the past. You know? And then a third example, if you think about global trade, you know, how how we move product, how we deal with our supply chain, how we manufacture, whether that's physical goods, digital goods, intellectual property, all of these assets, they all have an identity. All of them are digitally online. People need access to them.
They need to understand where things are, where they're going in order to efficiently handle global trade. And so, you know, yet another example of where we need to think about who has access to what, why do they get that access? What do they do with that access? And it is critically important to our economy that we figure out how to manage the security of this.
You know, so to sum up, what are our customers doing? They're doing incredible things, right? And it is so important for all of us to figure out how are we going to help them do the identity security, protect their assets and empower their people to be able to do these things.
So why is, how is identity today falling short?
First of all, the processes that we've created over the last I've been in this industry three decades now are pretty manual, figuring out who will, who are all of the people, what are all the assets, who gets access to what it is a very human intensive process. And that as we scale with all of the problems that we talked about on the, on the last few use cases, is just creating cognitive overload, which leads to risk either rubber stamping, you know, people just don't understand what is being asked of them or they just ignore it all together.
You know, when you put password rules in front of them or, or things like that, you know, it is just too hard for humans to process at the speed that we're asking them to do with things that aren't part of their normal job. We have aging infrastructure. The the systems that we've built are on-prem. It takes us longer to upgrade them than it does to roll out new capabilities and, and it's time for, for change and, and how we think about our identity infrastructure. And lastly, you know, breaches, 86% of breaches over the last several years have in some way involved in identity.
And the identity infrastructure itself is increasingly a, a target of, of, of attackers and, and, and a source of breaches.
So, you know, it's almost a cliche to say that identity's the new perimeter, but what do we mean by that? 30 years ago, I was rolling out firewalls to protect the perimeter.
20, even 10 years ago, we could still count on, on network security as our primary control. Then once they got in, then we had identity management to a deal with a lot of things. But the reality was it was a secondary control. It wasn't that important to get it right.
Well, today, that firewall perimeter is gone. It doesn't really matter anymore. And identity is the primary control point, and that's why it's so important for us to get it right now.
All right, to the, the main point here. So why does this need to be an ai? Why can't it just be the same processes that we had before? And what are some examples of how we can leverage AI to make this scale, to make it be more effective?
Identity security, we're all familiar with recommendations engine. Spotify helps me figure out what songs to listen to. Netflix helps me figure out what I wanna watch. Amazon helps me figure out what I wanna buy.
You know, all of these are basic artificial intelligence. It's machine learning. It's understanding what are things that I know and I like. What are things that others who have similar, similar attributes to me, what do they like? And it's making recommendations and it's learning and improving over time as I decide and, and reinforce these algorithms of, yeah, that was a great song recommendation. I listened to it, I liked it. I reinforced that I trained the system or helped train the system.
That, that this is a, this is a good song for me. Well, that's the same thing that we need to give to decision makers from an identity perspective.
You know, our, our decision makers and managers and data owners and role owners and entitlement owners and all, all of these deciders, they're making policy decisions all the time of who gets access to what they may be making that based on a role or a job function. It may be a variety of attributes.
Whatever policy is in place, they're looking at a request or they're looking at a, at a spreadsheet and a role engineering exercise and they're making a decision. Should this person have access to this thing? How long should they have access? How much entitlements should they get in order to do that?
Well, those are the sort of recommendations that an AI can help with. It can take a look at all of the peers that are, have similar attributes to you. Understand, do they have similar access to you? They can understand the context of the risk of the system, they can understand why you're making this request.
And all of those can be used to help a decider, a manager, an approver, a data owner, understand, should I make this decision? Give them more context.
You know, who else like them has this access? Is this really risky? Is this an SOD issue? All these sorts of things are recommendations that n AI can give to deciders and can do that at a time when it makes sense for that particular persona, that manager to do it while they're in the middle of doing a access certification. They can have the information that says is, is this risky? Should I permit this or not?
And, and just in context, help the users through a, through a process that takes it from being a rubber stamping exercise to a true risk process. Incremental but important sort of advances.
You know, what's another area?
Microsoft, thank you for giving us this term and this analogy of copilot. You know, we talk about ai. We often assume we're talking about gen ai. Now generative ai, large language models, AI is a much bigger topic, but generative AI is a really interesting opportunity for us to improve the user experience related to identity security copilots. And you think about what Microsoft's been doing with copilot, lots of different applications, lots of different personas get co-pilots and they help you make decisions. They help you understand what's going on.
They help provide additional context and information related to the task at hand. And so think about that manager co-pilot, you know, here is some additional information. Let me prompt your way through this process and give it more of a natural language interface and, and you know, make it more of a, your own native language rather than, than some arcane web interface.
So you can take this process that you don't do very often and make it more easy to understand and more efficient for identity security developers, for your project teams, for your scrum teams, giving them assistance with designing identity security integrations within your environment, building and configuring complex systems. Having all of that generative AI capability. Make the work of doing identity security projects better, faster, cheaper, so that our customers can get to where they want to get to, which is operating their identity security.
We've had this endless projects for the last 30 years around identity. Now is the time to get past the project and really start operating in that infrastructure. And copilots can give our operators an easier ability to generate reports, have dashboards action, the responsibilities that they have within, within their, within their identity security domain.
So just a, a few examples of where copilots can help.
A third area is visibility.
You know, if identity security is the new perimeter, CISOs need to be able to see, they need to be able to see the attack surface. They need to be able to know who are all the identities, you know, their attack surface are all the things. Every entitlement at a level of granularity. They need to manage the risk and all the people and the things that need access to those things. But just knowing your situation, having an understanding and awareness of your situation is critically important to being able to manage your identity security. And we lack that visibility real time.
What are all the assets? What are the identity security controls that are in front of all those assets? Who are all the individuals? What are the attributes I need to know about all those in individuals, all those people and things that need access to all those things. Who has access to all those things? What are all my policies is reality in line with my policy? All of these questions are fundamental to a ciso being able to manage our identity security that requires visibility. And the scale of the problem requires automation and AI to be able to solve that problem.
All right?
Then lastly, once you have that visibility, we need to move identity security from a purely protective set of controls to being able to detect and respond as well. If we're gonna truly manage security at the perimeter, we're gonna do that with identity security. We need to be able to identify, protect, detect, detect, respond, and recover. So what sort of things do we need to detect? We want to detect changes to our posture. We've seen the visibility. Did we've seen what the attack surface looked like? Did something change?
Is there all of a sudden an EC2 bucket hanging open on the internet that I didn't know about before? What do I need to do? How should I respond to that sort of event by putting the appropriate identity security controls in place? Do I understand the risks? Are there? What's actually in that bucket?
All these questions, right?
Are being able to detect a change in our security posture and appropriately manage the risk, looking at activity and detecting changes in activity, behavioral analysis, all of these things that we need to do to better detect and respond to what our end users are actually doing. And, and be able to put in effective response to deal with that.
So, very simple demo, maybe a little bit of a, a copilot and, and an intelligent recommendation. You know, in this scenario, Lois gets that dreaded email. You have to do your quarterly access review. She hates doing them, but goes to this the first time and a copilot is helping guide her through this process. What are the recommendations that they would make based on that? It would make based on a variety of factors, pre-populating some answers that Lois has to verify to, to better understand and then showing, showing its work, right?
Like any recommendations engine, why are you telling me this? Well, a lot of peers have this access. It's a low risk asset, it's not an SOD issue. Why don't you just go ahead and accept it? But this one here, you ought to take a look at this one. Not a lot of peers have this. It's an SOD issue. It's also a regulated application.
You know, here's something you really ought to pay attention to. You may still go ahead and and accept it, but you know, I'm gonna flag this for you so we can greatly improve the usability of this, reduce the amount of rubber stamping and just give a lot more context to that end user so they can make a better decision.
Alright, let me wrap this up. Or, or land this plane here. So what do, what do we need really for identity to be an ai?
Well, first we need the platform to be converged. We need to know internal identities, external identities. We need to know humans. We need to know machines. We need to know privilege, we need to know non privilege. We need to have things available at a course grain level, at a fine grain level. All of these things we need to have in a single platform, in a single data set to train that AI on what is the posture and what is the situation and what's changed.
And in order to, to really be effective, you know, we can't just, every time there's a new identity type, throw up a new tool with a new data set and continue to be in a, in a, a disparate environment.
Second, it's gotta be comprehensive. It's gotta handle all of the use cases of the modern enterprise. All of those complex ecosystems that I talked about.
You know, light processes aren't gonna work. It's gotta handle what the enterprise needs, you know, and lastly, it's, it's gotta be in the cloud. To be in the cloud means that the software companies understand how the software's being used can train the AI and how to do that.
You know, able to build it on the cloud, leveraging the latest GPU technologies and LA latest algorithms and LLM models, you know, quickly, if it takes you two years to upgrade your on-prem system, you know, you, you're in pre, you know, pre LLM times right now, isolated, insecure, and it's gotta be constantly learning. With that, thank you very much. It was great to, great to meet you today and come visit us at the booth.
Thanks very much Jeff. We have a couple of questions here in regards of visibility and ai.
Usually identity projects lack information because of the depth of integration is often a very high level user or identity to role or group. How can AI add value when the level of integration stays on that high level?
Yeah, I think that the level of integration needs to be more granular or granular enough for the risk of that target system. And so, you know, if you have privileged information, if you have fine grained entitlement information, you need to know that for your high risk systems. You don't need to know it for your low risk systems, but it means much more complicated connectivity to those applications.
Okay. And is
This something I said?
Yeah, I don't know if you guys are leaving the room, could you just do so quietly please because and finally just do it. And security teams need new skills to manage AI driven identity security systems.
Yeah, absolutely. But at the same time it's less development skills and more higher level skills.
You know, when we were first doing identity projects, we had to know how to insert a CD into a server and install 57 CDs for Oracle Identity Stack. Right now that's click a button in savvy and deployed in the cloud. And so it's different types of skills that kind of move up the stack into more business related capabilities.
Okay, thanks very much everyone. Jeff Mar, thank
You.
