
The one about identity-first security | Dynamically Speaking

Jackson Shaw, CSO with Clear Skye, joins us to discuss today's authorization & Zero Trust landscape, and why identity-first is the future.

Few have their finger on the pulse of all things Identity and Access Management (IAM) like Jackson Shaw, Chief Strategy Officer for Clear Skye.

In our latest Dynamically Speaking interview, hear Jackson’s thoughts on how IAM has evolved, the shift to identity-first security, and what’s ahead in 2022.

Kelly: Hello again, and welcome to another episode of Dynamically Speaking. We have joining us today Jackson Shaw, who is the Chief Strategy Officer for Clear Skye. Welcome, Jackson, thank you for your time today!

Jackson: Oh, you’re very welcome. I’m really excited and been looking forward to this conversation with you, Kelly, both professionally and as an old friend, so it’s, it’s great to be here!

Kelly: Indeed, myself as well! It’s quite a treat!

So what we’re talking about today, as we start to come into the end of 2021, and look towards 2022, is what we think is going to lie ahead for the next year.

And certainly, when you talk about identity, even in the last couple of weeks, I know the industry certainly has been shifted quite a bit and I wanted to throw to you to have the opportunity to speak to that a little bit before we begin.

Jackson: Right. Well, I appreciate that. Oh, boy. I’m already having a hard time talking. Sorry.

Kelly: It’s quite all right.

Jackson: Yeah. Um, yeah, we lost a dear friend and a colleague, who, in my opinion, really, you know, a lot of ways was the founder of the identity market. Back in ’95 and ’96, Mr. Kim Cameron.

Kim was, up until he retired, the Chief Architect for Security and Identity at Microsoft and I had the pleasure of meeting Kim back in 1989, as a customer of ZoomIt Corporation, and then eventually went to work with Kim and Andy Ball and Barry McPeak, the partners and the other folks at ZoomIt back in ’93, until we were acquired by Microsoft in ’99.

And I think Kim’s influence has been, you know, remarkable in the identity industry itself. And, you know, he just brought so much fun and pleasure and intelligence to identity. I mean, a guy like him who I sell, speak with, you know, hundreds and hundreds of people over time, both, you know, when we were at ZoomIt and at Microsoft, and, you know, was a regular at business meetings with Bill Gates and Steve Ballmer and other executives.

Like I said, he made a huge difference in the industry and at Microsoft, in particular, and many of us have mourned his passing.

But at the same point in time, many of us also have amazing, you know, remembrances of Kim and all of his speaking engagements, the conference he’s been to, but you know, sorry to see him, you know, go in, and my sympathies to his wife, Adele and his children, Max and Claire and their wider family. A big loss for the industry. But, man, we wouldn’t, I don’t think we’d be here if it wasn’t for Kim and all his work.

So, I appreciate the opportunity to say a few words about him because he was such an important person, and in many ways, as people have said, the father of identity.

Kelly: Indeed, indeed, and very well said, Jackson.

So I think you know, when we think about to your point, and as we were talking about Kim Cameron, the journey that identity has gone through in the last few years, we’ve seen various evolutions and iterations. And now one thing that we’re seeing people talk about quite a bit is identity-first security.

So why don’t we start by asking, at a high level, how would you describe identity-first security, and why do you believe it’s something enterprises should start paying attention to in 2022?

Jackson: Right. I think that’s a great question. And part of me wants to say, well, it’s always been security, you know, why now?

I also found it interesting that you know, Gartner you know, sort of made their whole cool vendors for 2021 to be identity first vendors, which we were selected as, as one of them. So, pretty happy about that.

But, you know, to me, when I just think about the last, you know, 5, 6, 7, 8 years of cybersecurity and basically the threats from a lot of these bad actors, I think something like 80-85% of all, you know, cyber hacks have occurred because of, you know, a lack of security around identities in particular, I mean, things like, you know, bad passwords or user IDs and passwords, being able to be compromised because of either a bad piece of software inside of a company or through phishing campaigns or anything like that.

So, if you look at the fact that typically what happens is a hacker gets a user ID and password, and then uses that user ID and password to access an enterprise system or any kind of a system, basically looking for a privileged account so that they can go further and potentially do more damage or get more information, it really is about identity.

So, part of me sees this as, you know, kind of tipping things on their head, where in the past we’ve been very focused on things like firewalls, and intrusion protection systems. And the fact of the matter is now, especially with COVID, over the last 18-24 months, you know, we’re so distributed, there really isn’t, you know, a perimeter for the enterprise anymore. There is, I mean, just isn’t right, especially with, again, since about 2010, with the rise of the SaaS platform, we have so many people using SaaS platforms.

In the old days, you know, people would say, “Well, gee, I’ve got, you know, 85 different products I have to use in my, in my system, my on-prem[ises] products.”

Nowadays, it’s like, there’s at least 85 different SaaS apps that most companies are using, in addition to everything they have on prem. So the perimeter is gone.

And you can’t really just protect by a firewall anymore, or intrusion protection systems, it really has to be at the identity level, if you want to do protection, again, you know, by kind of look at it.

Another way around as a business person maybe, is if 80 or 85% of all cyber hacks are caused by not having good control of identities, then you flip that around, and you say, well, if I had good control of an of our, of the identity system inside of an enterprise or a commercial system, then you’re basically saying I could prevent 80-85% of the cyber hacks that are occurring.

So, I think that’s what we mean by identity security. It’s always been there, but just because of the way especially because of COVID, the way things have changed remote workforce, and all that stuff, it’s really brought up arise to identity security.

Kelly: That makes perfect sense, and is actually quite in line with my next question, which was really to say, you know, IAM has been around for a while it’s not new, but now really does feel like its moment, the IAM moment, if you will.

Jackson: Right.

Kelly: So, is there really a difference between looking at identity first security versus looking at traditional IAM Security?

Jackson: I think there’s another thing that’s going on. And, you know, it’s partially what’s drawn me to working at Clear Skye, which is how digital transformation is happening at companies all around the world. It’s huge.

It’s a strategy that’s driving both money and efforts in companies to get closer to the consumer get closer to their customer and their partners. It’s all about trying to help drive top-line revenue.

And I think what I’ve seen is that identity has been this silo in the past, you know, so we’ve got all these on-prem solutions, all these cloud solutions that are identity solutions, right? With, you know, very similar to some of the vendors that I’ve worked for in the past.

And with the digital transformation, there are more and more companies that are starting to gravitate towards platforms – business platforms. And by business platforms, I actually don’t mean something like Azure, or Amazon, because those are really compute platforms.

But business platforms, I mean, platforms where there’s a common data plane and a set of pluggable software modules that basically serve as a business platform for a digital transformation, ServiceNow being one of them. But there were others like Atlassian Jira, and there are folks like Salesforce who were acting very much in the same way.

So, for me, I think one of the other key things that starting that customers are starting to see in the market is starting to see is how important identity is to that business platform, and how identity needs to I think move away from being a solution that stands outside of the business, but is brought into the business in the platform. I think that’s another big thing that we’ll see over the next, to be honest, over the next decade.

Kelly: Excellent. Okay. And that’s an excellent and interesting distinction between the two types of platforms, so, thank you for that. I think that’s a clear way to kind of delineate between the two issues.

So, thinking ahead then to 2022, and we’ve talked about, you know, the difference between identity-first security and traditional IAM, we’re also seeing other kind of frameworks or methodologies, I guess you could say, that have come to the fore, and people are being encouraged to look at, such as Zero Trust.

Jackson: Right.

Kelly: So Jackson, in your experience, and in the work you’re doing now with Clear Skye, how do you believe an identity-first security approach fits in, then, if an enterprise is trying to implement something like Zero Trust?

Jackson: Right. Well, it’s, I mean, look, that’s a great question. And it’s, it’s really interesting, when you think, again, of what Zero Trust is, is kind of about. I mean, it’s the evolution of where we were on VPNs in the past, and VPN was quite simply, you know, user ID password, and perhaps multi factor authentication, allowing you on the highway into your company, right?

And it was a one and done kind of thing you would get on the VPN, you authenticate, and once you were inside, you were inside everywhere, you could basically get to anything you had, you know, the ability to, but at the same time, if a cyber hacker got in, then one of the problems was they also had access to everything inside the company.

So, Zero Trust is all about sort of breaking that apart, and giving you, for lack of a better term, we call it VPN access to a particular application or a particular thing that you need to do at that particular point in time.

Now, when you think of that, I mean, it’s obviously the, you know, there’s great benefits of that, you know, if all I need inside is access to the SAP system, for example. That’s all I get, I don’t have access to other things. And that all starts with identity, of course, and it also starts with governance, in the sense of should Jackson have access to these things, or not?

And I think Zero Trust is the, you know, sort of mechanism for enabling that.

So, in a lot of ways, I just see Zero Trust as the evolution of the VPN, and I also see both identity and zero trust working together because if you think of where we are with modern identity management, and identity governance, it’s all about making sure Kelly has access to the right capabilities and tools and resources, or Jackson has access to his capabilities, resources or tools internally, and they may be different than you.

So rather than giving both of us full access, give each of us what we need.

And if you kind of bubble it up, it’s really clear that that starts with identity. You’re getting the things that you need, as you move from one role to another things being added things being deleted, when you leave the company, you lose, you lose that access.

So, I see that these two things, both Zero Trust and identity-first security as being extremely complementary. And in some ways, I would say, if you don’t have a good identity management system, you’re probably gonna have some hard, hard, hard time getting Zero Trust to be fully realized within a company.

Kelly: Fair enough. And that certainly we’re hearing from enterprise customers as well is that, you know, that’s a key component.

So we’ve talked about that as a potential challenge in 2022. Is there anything else other things that you think that enterprises will be challenged with as we head into the next year?

Jackson: Sure. I mean, I do think that if you go back in time, and you think a little bit about where identity was, let’s say 10, 15 years ago, there was a lot of, you know, we started off with a solution, like, you know, my original solution, which was ZoomIt that Kim and I and others worked on, a standalone on premise solution, that a few years into 2000, we started to see what folks would call ‘suite solutions’, where you didn’t just have provisioning, but you also had web access, if you had, you know, ultimately federation or these things all being able to be purchased and hopefully, looking integrated from a particular vendor.

So you’d get this on-prem solution, whether it was from Oracle or IBM or somebody else that was, you know, a best-of-suite.

And we would hear customers say, “Oh, I don’t want a best-of-breed, I want a best of suite” or we hear customers purchasing best-of-breed instead of best-of-suite for various different reasons.

I think what we’ve seen now in the marketplace is a lot of these standalone solutions similar to what we had in the old days, but now they’re SaaS-based, and they probably have their close brothers or sisters who are also on-prem based. I mean, it’s pretty common to see an identity vendor that has an on-prem version of their software and a cloud-based version of their software. I think what we’re going to see is these products merge more towards, you know, best-in-suite in the cloud, but on business platforms, like what I talked about earlier.

So, I think that’ll be one of the things that will, I certainly hope, help change the identity industry and help with security.

I don’t see a big change happening around cybersecurity, for example, or hacking in general, it’s going to continue to happen.

There have been some great products and capabilities that have come out that I hope we see more of like.

For example, I’ll give you an example: remote browser isolation, where when something questionable comes into the company, and someone clicks on a link, instead of the browser executing in your desktop, it executes somewhere in the cloud, in a different like, not on your premises. And the great thing about that is, if something, a bit bad payload comes in, or something bad happens, it’s not happening in your system, right.

So, I think, once we see more tools like that, more capabilities like that, expand out to companies, I’m hoping that we’ll see less and less, you know, cyber hacking, but it’s not going away.

And I do believe that the more vendors like us or vendors that have a SaaS approach, can improve security and get releases out faster, the better it will be for customers.

So, you know, to answer your question more directly, I don’t think cyber hacking is going away. It’s going to increase.

How we contain and monitor it, and manage it is going to be very important for identity management companies just generally, and you know, to the point of this whole conversation, you know, identity-first security, and how it’s going to play to help that.

And I think by having a business platform where you can have a common data plane, where signals can cross over multiple products very easily will be quite helpful to that.

So, we’ll see how that changes things in the next few years.

Kelly: Perfect. And actually speaking of the next few years, I’m going to ask you to dust off your crystal ball here.

And when you think about identity first, and you’ve spoken to this a little bit, as we’ve had this discussion, but how do you see this market evolving in, say, the next 5, 10 years? If you had that crystal ball vision, what would that look like?

Jackson: Right, well, I’m obviously very enthralled with platform-based identity. You know, and when I said earlier, how I don’t necessarily think that’s Microsoft or Amazon, because these guys have grown up as purveyors of compute cycles, right?

And there are vendors that are out there and available today, are growing up today, that are basically business platforms that you can base your business on, right? It’s almost like, you know, the way I really look at it is almost like something like the Office 365 Suite.

In theory, if all you had to do was Excel, and Word, and mail, you can be in the Office 365 Suite all day long. And I mean, we all know what that benefit is or what you’re even if it’s the Google Suite, we understand the benefit of being in that suite all day long.

I just think we’re going to see more over the next three, four or five years of a gravitation toward these business platforms being that new suite where you’ve got workflow built in, you’ve got all the tools built in, you’ve got the web services built – a real easy way to integrate all of these things together. And, back to sort of my original point, where identity can be part of that instead of apart from it the way it is today.

Kelly: Excellent. Okay. Is there anything else you think folks should know, who are watching right now, anything that we might have missed?

Jackson: Well, I mean, I think there’s some really incredible stuff going on across the industry.

Whether it’s things like remote browser isolation, or some of the efforts that are underway, you know, happening still right to eliminate the password, I think there’s a lot of great stuff that’s happening in the identity industry, and folks like Gartner and 451 Research and Forrester have been doing a pretty good job in trying to lead the way. Also, you know, the identity professionals organization, you know, trying to do the same thing.

So, my general recommendation to anybody in the business would be, you know, get involved in something like the identity pros, or, you know, make sure you’re following some of the research and find out who are some of the strategic thinkers in the business because there are a lot of great people out there that are talking about identity and are talking about it in a way, you know, just as Kim did, about trying to make a better future for all of us, basically through using identity.

So, I’d highly recommend, you know, getting to Gartner conferences, getting to the European Identity Conference in Berlin in May that KuppingerCole puts on just to see some of these future looking things.

Kelly: Excellent. And finally, Jackson, if folks wanted to learn a little bit more about the exciting things that you guys are doing at Clear Skye, where should they go?

Jackson: and that’s ‘skye’ with an ‘e’. So, you just pop over there, and you can learn all you want.

Or, if anyone feels like dropping me an email. I’m or connect with me on LinkedIn. I get on LinkedIn fairly frequently, so I love seeing all the posts there.

Kelly: Excellent. Excellent. Well, thank you so much again, for your time today. It’s always an insightful conversation whenever we get to chat so deeply appreciated. And again, thank you for the very kind words about Kim Cameron.

Jackson: Oh, you’re welcome. Happy holidays to everybody and to you and the whole team at Axiomatics!

Kelly: Great. Thank you again, that’s all the time we have for today. Hope you enjoyed the conversation. And as Jackson said, Happy Holidays to everyone!

Jackson: Cheers, everybody!
