Welcome to Words of Identity. And there if you saw the last presentation or any of the other ones, you know there are a lot of words in identity. My name is Esmond Baggo and I like to ask questions. So that doesn't mean I'm good at asking questions, but I'd like the outcome that questions lead to that I understand more. So that's the topic of this presentation. By the way, if I may ask a favor of you that for the next 15 minutes at least, be sure that you remember that what we work with in this, in this industry is those are not real things. It's not real objects.
You can't touch a digital identity maybe as you ask you to, to say that with me. You can't touch a digital identity one more time. You cannot touch a digital identity. But can you touch a user? Now get interesting.
So some backstory, I said version two of the Words of Identity because I gave this presentation the first time during the pandemic from the home office at Universe in 2021. After that it's been adapted into an article in the IDPro Body of Knowledge and we've published last, late last year. And just a comment on that.
There's a lot of other articles of identity and access in the IDPro, but we still need more. So if you don't know IDPro, go to idpro.org and inform yourself because I'm sure there's a lot of you that have a lot of things to contribute there to fill out the body of knowledge.
So if you are already good at two things and one is asking good questions and making others ask questions too, you can leave. You don't need to be here.
If not, I'll try to give you some perspectives that can help us facilitate better conversations. So we have a problem in access and identity with misunderstandings. I mean with all those words that we have and we don't understand them the same way. There's a lot of improvement that can be made here. And I think a lot of the problem is due to why I asked you the favor before the abstraction that we work with. And it matters a lot how we facilitate those conversations. And it matters a lot that we understand who we are talking to. Mostly we are not just talking to ourselves.
I like step one of Christopher's steps in the last presentation, know what you want.
That's important. But then you also need as step two to be able to communicate that to the people that will help you with it. Because most of us will not be alone on this journey. So you might say, why don't we make sure that everyone just speak the same language? And there's been some attempts at that, but there are too many actors for that to happen. I think at least, well, a prediction, it will not happen in my lifetime.
That's not to say that there aren't good sources for information, good terminologies, good glossaries that collect relevant information that you should be aware of as identity professionals. And let me point especially again to the IDPro Body of Knowledge, the terminology article, which is taken very well care of by Heather Flanagan in Rose here. And you should know about that one.
And also, as was the main point of the first version of this presentation, create your own local terminologies and put in the meanings that you need your collaborators to know about.
So that was a bit of the first point about why care about this. And I'd like to talk a little bit of why I think we as an industry have a bigger problem with this than others. And the main point to raise the awareness as in the short term gains, short term gains are always an easier sell, right? I would like to just go into a few examples of where a sentence can be understood in too many different ways.
So again, when communication suffers, it means that we are not building the right things for the right people at the right time or for the right reasons. This is another part to it as well. And that has to do with the recruitment that we need to have as the industry. So if you go to a club and you find out that all the people there are speaking different dialects of gibberish, you will go elsewhere. And by elsewhere I mean other areas of security.
So that suffers, that hinders our inclusivity.
And for as for some of the, sorry, I feel the dry air as you said, and we are after all, a young industry might not feel that way always, but compared to a lot of others, we are, we're still finding our footing, which also means, not directly correlation, but there's a lot of money invested in this market, which means, again, there's a lot of marketing departments allowed to choose all the words that they think sound best. So those are some of the causes.
It all goes to, feels like it all causes the anything goes mentality, which means that we have the challenge of getting from the dark areas of alchemy, surviving the wild west gold rush, and getting to a point where working in access and identity feels more like a science than a hobby. By the way, I'm choosing the alchemist metaphor here because one of my previous lives was in chemistry.
So I naturally tend to compare a lot of things with that. Chemistry is definitely also a club full of weird people, or I should say weird language, but chemistry managed to coalesce around one single source.
I mean, it's technical jargon of course, but it at least it means one thing. The reason I don't think we can get to that point in my lifetime is, again, this is, these are real objects.
You can, you can touch these things. You, you probably shouldn't, but we can't do that, right? So with structure and rules in place, something might happen that that's a long term things.
And again, we have too many tribes that compete for the meanings within our own industry, don't we? I think this, this slide just shows that my prompt engineering skills for image generation aren't that good yet.
I, I tried Googling tribes to use for the privileged access tribe and, and towards the governance tribe that didn't give me the results I was looking for. So, so version three will probably be a lot better than this.
So we have, I mean I'm sure all of you can come up with words that have more meanings. I want to start with one of those I feel is the worst because this is the one I, I really get tired of asking questions about that one. So it already means so many things in normal language that we have trouble talking about then.
And then we drag it into the access and identity and we want to assign it so many meanings just to scratch the surface a little bit, just from the documentation of IAM of AWS compared to Google.
The bottom there sounds easy enough if we had just used that one for example. But it means there are too many meanings, too many meanings and too little time. So if we don't have time to wait for that end goal of one universal language, let's say what we can do in the meantime. So I think raising the awareness means thinking about words more.
One of the ways of thinking about words is trying to group them. Those are suggestions for you to do something similar. So when I put together this presentation, I thought about the words and how I can look at them in different ways and start with the mathematical words. And I call 'em that because I think very often we need to look at these as functions with clearly defined or at least it should have inputs and operation and a desired outcome. And I was happy to watch Ian's presentation on ceremonies because, well, it's the same point for authentication at least.
But there's a lot of the words in identity that describe a function of something that needs to happen.
Less useful are the visionaries. And there could be a lot more words here for what I mean by this are, these are like items on a menu that you order and then we have to implement them. Can we have zero trust by next year? But this doesn't facilitate the necessary conversation, I feel because we should be talking about what's the appropriate amount for privilege for these scenarios.
What's, I cannot, I can never have absolute the least privilege, but I can get you a certain amount and what's good enough, same with zero really any word that has an absolute qualifier in front of it, like maximum or least or or zero hinders that conversation because it gets hard to ask those follow up questions that what, what do we really mean in in this example, in this scenario? And then I guess I could say that all of the words are nebulous words.
I certainly think we can add paradigm and convergence to this list as well.
These are impressive words that where you have to just remember that the other persons in the conversation, you can be sure they don't yet know enough about what the word means. So you have to spend more time in the conversation. Then there's a linguistic term called false friends, which covers all of the words that had a different meaning in the other language. Well the real world language outside our profession already before we drag them into this one. And this matters every time you need to talk about identity with someone from the outside. And I think you, you do need that sometimes.
And then we have a few words or a lot of words in identity that I don't think we can avoid assigning them a lot of meaning, the workhorse words. So I think that's, that's fine. You just need to remember that we need to support these words with extra follow up. So we make sure the person that needs to understand them understands all the risk to know about them. And at the last moment, I added another category here, which I just think fits all of our words because they seem to say to us, I can be whatever you want. Let's talk about identity for a moment.
So this quote could have been taken from a lot of places, it's taken from a podcast a couple of weeks back, but I think you heard something similar a lot of places. So I have two points I want to make about this one. So there's something moving around and we call them identities. I'm pretty sure they're not identities and they might be a few different things at the same time.
And it matters because if it's a session moving around, session management is a lot different than token management and management and governance, whatever you want to call it about the accounts is different from that again. And different people will need to do it. So the sentence is, it's good to start with but, but you need to follow it up with having a real conversation. But there's this problem of us just having that kind of sentence and then we move on to the next item in list and the next sentence.
The other point with it, I think some of you probably already noticed is that none of the objects moving around there were ever actually human. You wouldn't be able to touch them. And this is the point where you might say, well say to me, well, you know what he meant, right? I think I kind of know what he meant, but I still think it's not good enough because I think the conversation needed here is since none of them are human, but some, some of them are less human than others, that's the conversation that is needed for implementation. Where's the dividing line? Where do we separate them?
When do they become non-human? Those entities, whatever they are.
And take this one about controlling your own identity. So I'm just asking the internet fount of all knowledge here, ChatGPT, what a digital identity is. And if it's true, it's the sum of everything, which I think that's a fair definition in some, in a lot of cases, I don't think it's relevant for us to hope that you can own that. So the conversation about self-sovereign identities seems to be swerving around in a weird direction.
So this, some more conversations need to be had there. Following up on that one, a quote from a recent research paper quoted at the bottom is that digital identities today continue to be a company resource, which feels right to me. I haven't read all of the sources. That leads me to think that maybe a better definition of digital identity, since it's defined by the service provider is a digital service interface.
I'm not saying we should switch to that, I'm just saying think more about it. So this is really the end of it. So I just wanna have too many words of my own.
But the point is here, please remember that we need to have better conversations because that means we can ask better questions and have better understanding which leads to better products. And join IDPro because that will also help you have better conversations. And then if you have more, well the color contrast not too good, but feel free to contact me on LinkedIn or email if you want to talk about this or have more pointers. Thank you.
Thank you.
Perfect.
Perfect, perfect.
Any perfect. Any questions in the audience?
Could
Turn on my microphone. Hello?
I could take this one as well. Okay. Technical issues.
Okay, so thank you very much Esplan. Great presentation. And I really appreciate the introduction with finding the right vocabulary because with every customer, maybe even taking my presentations, talking about information security, there's so many different meanings and interpretations even within organization, especially in such a big group.
And it's, it's really very important to have a, the right understanding with all of these people. So what would be used, sorry, dry to start with here. Is it like sitting together discussing what is your meaning? What is your understanding should be used or which kind of words should be used?
I think the fir, the first thing to make sure is to set aside a little more time than you had planned. Especially if they're new people into it. I mean it's an easier problem if everyone knows each other's strength and weaknesses from before, but we are never in this situation.
But then I don't think there's a straightforward answer to exactly do this or do that. But, but take time to talk together and and encourage to ask more questions. And then again note, note it down. And then you have the start of that local vocabulary I was talking about.
Perfect. We have a question from the audience.
I think that one of the things I've found is that actors in use cases is one of the area where you can find problems when you describe the actors and you use your own perhaps actors in use cases and the, if you have a client, they don't understand the same words.
So in, in my opinion, you always need to talk to the stakeholders you have and agree on the terms you use. And in my case, if you have clients start to ask the client what words do you use for all these specific functions or whatever and and start there. And if you have something you say, well this, this is not true, then argue that. But don't argue all the others.
And I would add to that, please ask them for concrete examples because you need that context to understand how they have that meaning.
Especially, especially around the topic you mentioned about the roles groups and stuff like that. I mean we call it entitlement and it may be might, it's our definition and all dimension from you could be a subset or even the customer's user identity. I mean we all had this kind of discussion. What is in user the Azure AD admin for, for him the user. The AD user is the most important identity within the organization, but maybe not for HR and maybe not for the identity and access management team. Okay. Any further questions here in the audience? Also online? No.
Okay then thank you very much again.
Thank you.