Transcript
We just had a talk in the room. I think most people who are in here were in the other talk as well, which was more on B2B identity management challenges there. Right now, I think it's in Enterprise IAM where it's heading, what are your main takeaways? And maybe before we start, a bit more of introduction than just saying you're at NetIQ and have a Novell legacy. So maybe you can elaborate a bit more on that. Yeah, sure. So thanks, Martin. I'm Larry Shinsky and I'm Senior Vice President of Corporate Strategy at OneIdentity. So that means a lot of things when you look at different organizations. You're at OneIdentity, sorry. Yeah, well, I was at Novell for 17 years. I think he mixed it up saying you were at NetIQ. Yeah, so yeah, I was at Novell, NetIQ, Micro Focus for 17 years going all the way back to my eDirectory days. I think that's probably where I first met Martin years ago. So I run Corporate Strategy at OneIdentity now. I've been there for six years. And so that means a lot of things. So I run everything from our strategic marketing, corporate strategy, our field strategists. I do a lot of our demand generation, bubbles up to me, as does our technical alliances. So when we look internally at OneIdentity on what our gaps are, like what products we think we need to have to fill and complete more of an identity fabric, Martin mentioned that in his last session. So it's my responsibility to look at different M&A targets. Do we need to buy something, build, partner with somebody, that sort of thing to kind of fill those gaps. And then all the enablement, technical enablement, certification all bubbles up to my organization as well. So a lot of different pieces move up into what we call Corporate Strategy at OneIdentity. It's really all around creating a much more unified approach to how we look at the market today. So, you know, we don't want to get into these product versus product type of things anymore, since it's really everything is, if you guys probably looked around the conference today, I made a comment on this earlier, whether it's Archon, SailPoint, somebody else, they're all talking about the de-unification of identity or converged platform. So we've been positioning that for about the last five years. So it's really kind of one of the trends we see in the market today based on that current threat landscape. Okay. And so when we look a bit at the takeaways, except of that, there's a lot of identity security written on the boost and conversions and things like that. But what is it where you say this is really something you feel is very relevant to the, I would say, not only to the industry, but to the customers of the industry? Because I think at the end of the day, it's about the customers. Yeah, it is. As a matter of fact, and that's a good question. One of the things I noticed, and just like Martin, we go to a lot of these, and you guys, I'm sure too, go to a lot of these conferences, whether it's, there's different organizations, RSA and some of the other ones that put these on. A lot of the times what I see at the conferences are all built a lot around what I would call a cost savings initiatives or vendor consolidation or operational efficiency and that sort of thing. But what I'm seeing more and more in the conversations I'm having with our customers, and I fly globally talking to customers in our channel ecosystem is it seems like, and you guys can correct me if I'm wrong, because you're in the space, is that there seems to be a lot more emphasis now in this space specifically around building a secure platform and security. Not as much around OE and vendor consolidation, that stuff's important. But if you look around here, it's really all about security and spending money on security. And I've always said that I thought that was the most important part of any of these individual market segments. And what's interesting about like access management, for example, you'll get, you know, Okta or paying in some of the other ones. If you look at the top four reasons why organizations buy an access management solution today, there's all kinds, but do you know where security fits number one, two, three, or four? Can anybody guess? Anybody want to take a guess? Four, it's number four. Access management is by over two times the most widely deployed IIM market segment, but security is all the way down at the bottom, which is very interesting. So that means that all these other market segments are being purchased much more for the security element, where access is being purchased for the OE inefficiency. When I look around at these conferences and these different market segments, it's pretty interesting how you see the trends start to separate, but then also come together at the same time. Yeah, and I think for me, it's also that we see that identity management is getting bigger. So you talked about vendor consolidation, which by the way, is an interesting thing. When we started, when we did the first EIC, someone said to me, you know, does it really make sense to have such a conference, whatever, 20, 30 vendors, and then they start, the one vendor starts acquiring the other. And so you won't have a market maybe in a few years from now. I would say we probably are, more in the range of, I think we are getting closer to the 1000 identity management vendors nowadays. When we take all the identity verification players, when we take all the decentralized identity startups, when we take all the other startups around, for instance, secrets management or machine identity, which is a horrible term, because a machine for me makes noise and moves and is of iron and so on. And it's not just a service, but I think we can argue that would be a very separate conversation here. But at the end of the day, I think we see that this market is getting bigger and bigger. On the other hand, we also learned that we need to bring together things again. So I think maybe it's also a constant fight of consolidating versus adding things to the overall picture. Yeah, and there's a separation between, and Martin, you and I just had a webinar on this topic, very similar, what about a month ago? But I mean, there's a difference between convergence and consolidation. And I think you're right, probably 1000 identity vendors. When you look at all the, well, shoot, just IGA probably has eight or nine segments to fall under it. Access has MFA and that sort of thing. But the consolidation is kind of like the technology components coming together, convergence, or like the companies come together to kind of form a whole new space there. And I think my colleague Alejandro currently is working on, I think on the leadership compass and access management. And I think he has almost 50 vendors already. Yeah. Alone in this sub-segment, and it's one of many segments here. So it is, we have a lot. And I think exactly the point is, so consolidation versus convergence, I think the very important thing is to homogenize and to unify the initiatives you're taking. So getting away from, I do this here a bit in the IGA here, and then I have a totally separate access management initiative, et cetera. So honestly, so if you're, who is in an organization where identity and access are still segregated organizationally? So you don't need to raise your hand because otherwise I need to blame you. We won't call on you. That's okay. We promise. At least I won't, Martin might. But it's very clear to me. It doesn't make sense. And the thing that you could definitely can quote me on, if Entra ID is not in the hands, and if you have Entra ID, it's not in the hands of your IAM department, then something is wrong. So Entra ID is an access management tool, and there's absolutely no discussion about that Entra ID must be owned by the identity management department. For instance, we can argue a very little bit about the old Active Directory due to a legacy aspect. But at the end of the day, even there, I would say move it over. Solves a lot of problems. Yeah, I think you're exactly right. Matter of fact, we were just having a conversation with one of our customers on this today. And I think we had E&Y in the booth. We were talking about that very thing on, you know, I think Microsoft hasn't really figured out when you look at a platform, what they're doing with Entra. But some of the subcomponents, like you said, Martin, I think are just, they don't, it's a separation that occurs there, so. Yeah, and we need to fix some of these things. So yeah, we're in, I think, in a constant evolution. And we need to understand this is one thing. I think this was a lot of the thought around when we came up with the Identity Fabric idea several years ago to say, so basically when we started this, it was basically stepping back and saying, so why do we do this stuff? Why do we do identity management? At the end of the day, the purpose of identity management is that everyone and everything have a secure, seamless, well-governed access to every service. This is basically the job of identity management so that someone, something can connect to a service under controlled conditions, so to speak. And that's where everything starts. All the other things we are doing, we are doing to enable this. So we invented IGA because we don't, we can't give everyone full access to everything electrically. Yeah, well, as a matter of fact, I had dinner last night with Art, I saw, I think I saw Art, there was Art over there from Askanza and Gerald, and we were talking about, this is going back and dating myself again, I think 1997 when I actually wrote a little hook using Microsoft Access, if you guys remember Access, if you're old like me, using Microsoft Access, it created a hook from PeopleSoft, which is our HR tool at that time, to automatically create, when somebody got hired into an organization, that ID down in our NT domain, it was not Active Directory then, it was down in our NT domain with role assignments and rule assignments that I could place them into different departments. And that was kind of like our first step, and it was a manual thing. But really with that, all that was, was me writing a hook to make my job easier because I ran the corporate network operating system at the time, and I did that to make my job easier. It had nothing to do with security. It had nothing to do with protecting anything. It was, now I don't have to spend half my day creating IDs and different accounts anymore. So it's evolved into this complete, like you said, Martin, strategic initiative. Yeah, and it's still fascinating to me too. So I have to admit, I did a lot around, I wrote books about Lotus Notes, Domino. I wrote for many years, wrote a monthly newsletter inside Lotus Notes, Domino. So it's not that I'm negative on the two, but nowadays it's for me still sometimes fascinating to meet an organization which says, okay, we still have it in a notes database. It still comes from a notes database. And that shows also how long these things sometimes exist. At least you set access on a DBase. Well, DBase would have been my college days. So I'm not that, maybe a little bit older. FoxPro, you didn't say FoxPro either. Exactly. So it can be even worse always. But what I really see is still these things around and clearly we need to modernize these. We need to move to a state where we are more flexible because these things, actually they are always broken already. It's just that we try to put enough gaffer tape around it to keep them survive until we can do things differently. But maybe back to the things where you also see what is changing? What is evolving in this industry? What are the things where you feel they are? They are super important maybe for the audience to look at because they will change the way we do things. Yeah. And one of the things that we talk about quite often is the use of AI and hyper automation tools. And when we look, a matter of fact, I added a very short segment in my session a couple of days ago. I think it was on Wednesday. Been here all week. I forget what days or what. Friday is today. Yeah. Okay. That's good. I think my flight's tomorrow. But yeah. So one of the things that we talk quite a bit about at One Identity is the use of generative AI, not only from an attack perspective, but how you can use AI from an identity perspective along with hyper automation. Now, when we look at how this attack surface has widened over the years, there's kind of like four reasons that I like to talk about in depth. And that's the large remote workforce now that really came on strong around COVID. You know, cloud computing, which not necessarily cloud, like goods and services in the cloud, security tools being moving to the cloud as well, like IGA as a SaaS, PAM as a SaaS, et cetera. And then, you know, the other one is this lack of, this big shortage of cyber skills. So we're finding a lot of our customers taking 18 months to find somebody who's really qualified to do these type of things. So they invest in AI and hyper automation tools. The problem is, is those hyper automation tools create themselves digital identities, which rely upon the credential managers inside of the hyper automation tool software for its security protection, which really quite frankly is not all that great. And so it's, we need to look at how we can leverage, you know, IGA tool or, you know, IAM tools, basically suck that out, push that into your IAM platform and then provide a security mechanism. So you're actually using your IAM platform to provide security for the AI and hyper automation that we see in the market, things like bots, you know, how bots can run around. And, you know, we've got companies, Martin, believe it or not, that don't have an IGA tool. They're actually using bots to run around, create, modify, move. So join or move or leave or functions are being done by bots in the organization, hundreds of them with no security behind them, which I find, you know, quite fascinating. So I like the bot idea. I don't like that much the no security aspect on that. So the bot idea is not that bad, I would dare to say. I think one thing here also is where I believe there's a very concrete potential for, especially for vendors who serve multiple areas. So one of the, so when I take all, look at identity management, I would have to list the three biggest challenges that regularly pop up, then it's recertification. Sure, no doubt about it. I'm still looking for the one organization globally that says, hey, my departmental managers love recertification. They want to do it again and again and again. I still didn't find it. So something is wrong here. Role projects also tend to be a bit challenging and onboarding, application onboarding. And I believe we have, for instance, a very big potential of utilizing Gen AI to get to a much higher level and much higher efficiency in application onboarding and automated application onboarding across all the pillars of IAM. Because when we have an application, it's not just onboarding it on IGA. That might be the most tricky part, but it's onboarding it on PAM. It's onboarding it on access management. The latter two tend to be a bit simpler. But anyway, I think in an ideal world, our agent or our bot or whatever it is, does it for us. Yeah, yeah. And it's definitely like, and I don't mean to be negative against bots because I think they do have a very important place. It's just the security element behind that is something that we sometimes overlook we have to do. But yeah, the application onboarding, I agree with. As a matter of fact, it sounds like it would be very difficult to integrate application onboarding with an IAM platform, but it's really not. And that's something that we do at One Identity quite often. And there are tools out there that automate that process as well. And so I think, Martin, you're right on that. It's something that can be leveraged. I once read that an effective IAM platform can resolve like 55% of those types, whether it's GRC or some other risk component or application onboarding. So it's really amazing how much more you can do from a security angle with that. Yeah, and I think that this is one of the areas where I feel that AI can be extremely helpful. I think it's also, you talked about the skills aspect. And it can really help doing things easier. Also, again, in onboarding, when you need to onboard to a certain specific platform, then the guidance that can be provided that way. So how do you do it? What is the next step, et cetera? Having maybe prompt books that guide the people through the things which need still to be done manually, that's a great area for that. Yeah, I agree. As a matter of fact, to me, it's almost like the next generation. You guys have all probably seen IGA platforms that have, I'll call it like a modeler inside of that, where it can go out and look at, show me 20 other people that have similar roles or similar functions. I want to give them the same access as that. You've probably seen that. So this is almost the next generation of that where AI can step in and kind of resolve. Yeah, and maybe do it a bit smarter than trusting, oh, give me the same access as my peer who has collected its access over the last 16 years and probably only needs two persons. That's right. I think that would be then the smart solution for that. Right. I think another area is processes, workflows, all that stuff where it's also something we see more and more approaches on using AI and building this, which if I were a cynic, which I am, especially. I don't believe you. Yeah, that would be maybe something which is also very helpful because still the vast majority of vendors in the space doesn't come up with, this is the complete, very documented, well-described process framework for IGA, which you can use to start with. So in many cases, it's, yes, you have a technology. You may have some elements of workflows, but really so perfect process framework with wonderful, whatever, EPC diagrams and stuff like that, rarely found. And so maybe AI can fix what vendors didn't do. Yeah, I think that the opportunities for AI, especially when you look at it in an overarching IAM framework, are really kind of limitless. There's so much. Matter of fact, I just started getting, you guys use Wikipedia and stuff like that. I see that they've incorporated AI into some of the search results that you get there. So I think that being able to plug that into what you're doing from a security angle, that's where it can be really most helpful. Yeah. So, by the way, don't hesitate asking questions. Yeah, sure. So you have us here. You can ask us questions. Maybe Paul has questions from the online audience. And I do have some questions too that I want to ask the audience. Okay, then you ask. So if the audience doesn't ask questions to us, we ask questions to the audience. Okay, fair deal, I believe. Because I love gathering intel from the most important people in the audience. Are you going to pick on someone? No, no, no. I'm just going to ask a general question. No, I'm not going to pick on someone. I wouldn't do that, because I know what it's like to sit out there and get asked. I know a couple of people in here, so I could pick some. So anyway, what's your question? Well, I'll tell you, here's the question I get. And you know, One Identity and several other companies out there that have... So I've worked for publicly traded and publicly owned companies and privately owned companies. And one of the things from private companies is when you meet with the board, they always... You got a bunch of very super smart people on the board of directors that are in the private equity firms, but they've never typically run a company. So they're very interested in what's in the market and what you're telling them and that sort of thing. So they ask a lot of the same questions. But one of the things that they ask a lot and that I like to do a lot of research on, because at One Identity, we like to kind of peel apart why these trends are happening and things like that. So one of the questions I like to find out, like I said, every one of these IGA and PAM vendors you see today are talking about the platform and the unification, the convergence, consolidation. So one of the questions I get asked a lot of times from different PE firms are, how are the customers that you see today and organizations, are they still buying in a fragmented fashion? Like if they need PAM, they buy PAM. If they need IGA, they buy IGA. Are they looking at things holistically now? And for me, when I look at every single vendor is talking about convergence and every single vendor is talking about unification, there's a couple of things that tells me. Number one, when we look at how these breaches are occurring now, and I talked about this Wednesday, they're targeting the identities specifically and they're targeting them because they're very easy to target now. They're out there, they're on their own. They don't, they're not being protected by dual layer firewalls and content filters and network segmentation and things like that. So they're kind of, the way these breaches are occurring is they're sweeping in between the gaps of those segments, basically kind of stealing the identity as I talked about this Wednesday, where the AT&T breach, 74 million identities were stolen, then pushed up on the dark web. Well, they're pushed on the dark web so they can be purchased by hackers who want to try and then punch them into an organization. So I guess my question for you, kind of setting up the framework of it is- Finally, the question. Yeah, are you guys- I was waiting for it. It's important to set up the framework before because the question may not make sense if you don't, but are you customers out there, organizations, anybody can raise their hand. Are you looking at things more holistically now? From a more of a platform perspective and a true unification and security framework, or are you still looking at it via PAM for PAM, IGA for IGA? How are you guys looking at it? I think an all question for raise the hand is relatively difficult. So I would limit it to, are you looking at this more holistically today? Yes. If yes, then raise the hand. If not, then leave it on. All right. So we do have a- Okay, good. What I found is it seems like about, it went from zero like two years ago to my experience in the organizations I talk to is about 30% roughly are saying, yeah, this makes a lot of sense. Now everybody agrees it makes sense, but sometimes it's harder to- What we see is really, we see a lot of organizations picking up this identity fabric idea, at least from a conceptual perspective to have a very holistic view. Not necessary from, I buy everything from the single vendor, which is also sometimes freaky because the timeframes, you won't usually rip and replace everything, but you do whatever I change this year and then it takes you a while. And then three years later, you focus on the next big project. So this is also usually very split over time. But maybe going back to Paul, because I also will need to run upstairs. Thanks, Martin. Yeah, I know you've got to run off to another session. So I think we'll wrap it up here, let you get upstairs. But thank you so much. Thank you, Paul and Martin. Thanks to these two guys. They were the, yeah. You know, Martin, right before Martin goes, I think I talked about this with Paul yesterday, that Martin and his team were the first ones that really created a survey around this concept of identity fabric. And it's, that was what, three years ago, four years ago? Almost six, I believe. Was that long ago? Yeah, and now- It was BC before Corona. Oh, okay, okay. BC, that's right, before Corona. Now you see a few others doing that. So Martin and his team have that, have it figured out, I think. So kudos to you, Martin. Yeah, thank you. Can you imagine what Larry's energy levels were like on the first day? This is what he's like on the fourth day. Wow. Yeah, all right, good. Thanks, Martin. Good to see you again.
