The Identity & Access Podcast talks to professionals in the IAM industry about their experiences and thoughts on the future of IAM.
Episode 1 features Shane Day, CTO of UNIFY Solutions, and discusses his recent visit to The European Identity & Cloud Conference.
Below the embedded podcast episode you will find key links and a transcript for today’s episode.
Identity & Access Podcast Episode 1: Soundcloud
UNIFY Solutions: Website | LinkedIn | Twitter
Identity&Access.Org: LinkedIn | Twitter
The European Identity & Cloud Conference: Website
Shane Day: Website | Twitter
Katryna Dow: LinkedIn | Twitter
Kantara Initiative: Website
Eve Maler: LinkedIn | Twitter
Colin Wallis: LinkedIn | Twitter
Kim Cameron: LinkedIn
Jackson Shaw: LinkedIn | Twitter
Robert Lapes: LinkedIn | Twitter
Alessandro Festa: LinkedIn | Twitter
Transcript for this episode:
Intro – 00:04 – Welcome to the Identity and Access podcasts where we talk to professionals working in the IAM industry about their experiences and thoughts on the future. The Identity and Access podcast is sponsored by UNIFY Solutions and identityandaccess.org. We hope you enjoy today’s episode.
Joshua Jager – 00:29 – Welcome to the Identity and Access podcast. Today we are joined by Shane Day, who is the CTO of UNIFY Solutions and is based in Brisbane, Australia. Today we’ll be talking to Shane about all things identity and his recent visit to the European Identity Conference by KuppingerCole. Shane, welcome to the podcast.
Shane Day – 00:29 – Thank you, Josh. It’s a pleasure to be here.
Joshua Jager – 00:40 – So, Shane, your role here at UNIFY is CTO and you’ve been with the organization for some 10 years now. Um, before we get into your recent visit to Germany for the European Identity Conference, wanting to hear a little bit more about how you got into the identity industry and what’s kept you in this space for so many years.
Shane Day – 01:05 – That’s an interesting question. Um, I guess, uh, I got into the industry through being a software engineer. So my background is actually in engineering. I studied, I studied electrical and computer engineering at university and I was working as a software engineer when someone I’d been working with previously who was already working for UNIFY that we were looking at it how do we strengthen our product suite and he suggested that I should come in and as a senior software engineer. So that’s how I got involved with UNIFY. I didn’t have any identity experience before I started with the organization and it was a pretty, I wouldn’t say a steep learning curve, some of the principles, some of the technical principles of identity are pretty similar to what you do in most, um, software engineering and of course the, the concepts of authentication authorization are pretty key to most information systems that you build.
Shane Day – 01:59 – But uh, it was interesting in all of a sudden, I found myself in a world of um, of administrators as opposed to just pure software engineering and the application of it to some pretty serious business analysis type stuff where the stuff that you’re doing in software has great impact on people’s ability to work in the business. So I think that was, it was, you know, I’ve managed to stick with it because I found that um, the identity actually is key to how people interact with businesses and I find that a really interesting thing to do and I think in the future we’re going to have a more interesting things to look at as identity becomes more involved with things such as privacy, which I think is going to be very hot topic over the next 10 years as the world tries to grapple with the privacy implications of all the data systems that we have built.
Joshua Jager – 02:54 – Thanks, Shane. It sounds like your story resembles that of many others that they come to the identity industry from perhaps a different sort of software background or straight out of university. And something about the industry just sticks with them and it’s kind of like a bug. What is it, do you think, about the identity industry that gets you up in the morning?
Shane Day – 03:17 – Uh, I think it’s, um, it is the ability to really make an impact on businesses and people’s lives and their ability to work efficiently but also be able to present themselves their digital identity in, in the Internet world. I think before the, before the Internet became mainstream that it was probably less important to people’s everyday lives and it was sort of something that just happened when you worked in an enterprise, but, but now with, um, with how ubiquitous the internet is almost every person’s lives every day, you know, the identity industry is very important in being able to help them interact with others online and transact digitally and also to protect their privacy online. And I think that’s, you know, it’s, that’s what keeps, keeps you getting up every morning.
Joshua Jager – 04:12 – I think more and more we’re seeing in the media and in government, people paying attention to privacy and people trying to get people to be aware of their own privacy settings for instance, and the risks they’re taking online. Um, what changes are you seeing? How people are interacting with companies and sort of what, what concerns have companies got that they’re calling on UNIFY for help with?
Shane Day – 04:38 – That’s a pretty good question actually, because I still think we’re at a very early phase of people actually understanding what the privacy constraints are and they’ve seen a changing regulatory environment and they’ve seen the results of pretty poor identity and privacy practices in, I won’t list the organizations you can go look them up on a newsfeed and probably every single day you’ll see something that’s gone wrong. You get, um, I think though that, that the average person isn’t really thinking about these things yet because they haven’t personally been impacted by the result of it. But you’re seeing an upswing in say activism around privacy and privacy is not something that’s really well understood by most people. They think it’s about the security around, uh, around personal information. Their privacy is actually a social construct. And privacy is, is what we give to people within the social constraints of what we do.
Shane Day – 05:36 – And we’re seeing a new society building being built on the Internet. And in some regards, you know, I’m not sure whether it’s the tail wagging the dog with government coming up with regulations or not. It may very well be a or I’m not sure whether there’s, there’s activists have been getting in the ear of government and they’re, and they’re trying to do about it before it becomes a real issue. Time will tell. Um, you know, obviously what we’re going to be talking about during this podcast and we’ll be talking about one of the things that government is doing in that space.
Joshua Jager – 06:10 – Well, I think you just read my mind about my next question and it was sort of around who’s leading, who is a consumer sort of crying out for change or companies pushing for more regulation or uh, perhaps governments seeing and looking into the future and determining that change is needed now to prevent bigger breaches and bigger things from happening. Because it seems like just recently at least we’ve had a perfect storm of Facebook, scandals and a few other major breaches that have gone on. And the GDPR is just coming into effect. And it seems like right now it’s a very hot button topic, but for a few different reasons.
Shane Day – 06:50 – Yeah. Um, I don’t think it’s companies asking for more regulations. Obviously companies want to protect their own reputation. Um, they also want to protect their customers as part of protecting their reputation and protecting their revenue streams. Um, as far as governments are concerned, um, you know, they have an obligation of duty of care to their citizens and the residents of their countries. And you know, there’s only so much the government can actually do in that space. And I still think that, um, the general public probably aren’t that clued up in it. I mean, you mentioned the, you mentioned the Facebook scandal. Well, in that instance, a lot of the data was actually taken with people’s consent. It wasn’t as if Facebook just gave it up, people who agreed to do things. And maybe the real problem was that, um, the people who were collecting it weren’t too forthright with what they’re actually gonna do with this particular direction.
Shane Day – 07:51 – And there will be using it, collecting it under a seemingly innocuous, um, you know, fun games and quizzes and stuff like that and people and it was being used to collect data and provide social maps. Now obviously Facebook’s whole business models around creating social maps and being able to target, target certain demographics for advertising. But I don’t think it was meant to be used for that purpose. So you know, there’s going to be a quite a big readjustments in people’s thinking. I haven’t seen any, I am a Facebook user and I haven’t seen any reduction in the number of silly quizzes that people can give up their private information on which ask more information than is required to actually participate in, in the, in the quiz. So, and that’s just one example of it. I mean there’s um, whenever you collect large amounts of information about people in one place, it’s going to be attractive source of information. Information is of value. And of course people are going to try and get their hands on it.
Joshua Jager – 08:55 – So I think recent stats sorta said that the average Facebook user is worth around $32.52 to Facebook annually, um, and you of course times that by billions of users and a lot of that value is based on the demographics of collected and the ads they can serve to those people. Um, so we’re really talking about information being money and information collected that organizations collect, they can use, at least internally. Um, and then on the other hand, we have laws that are coming in and they’re saying that the user owns that information and the user can take that information away from the company. Now it looks like there’s a natural, a natural battle there and companies saying, look, we want to collect your information and use it to serve you better, or take advantage of you, and government saying no, every bit of information a user provides, they can take away from you. How are you finding that’s going down in the industry?
Shane Day – 09:51 – Uh, it’s too early to say at this point. Um, there’s a big divide between where organizations are located. Obviously, you know, you’re obviously talking about GDPR being the main one. There are increased privacy legislation coming through other jurisdictions as well, but I think GDPR only came in place a week ago. The world hasn’t ended yet, but it may do that sometime soon for some organizations. I think a lot of that has more to do with, um, where majority of people’s customers are, you know, what the. And there’s a little bit of misunderstanding about what that data. Who owns the data. I mean, no one owns data. It’s actually the custodian. You’re a custodian of data about a data subject under GDPR. Um anyway, I think you’ve probably got questions about that later so we.
Joshua Jager – 10:43 – Sure. Yeah, well, let’s dive into the conference a little. So the conference you’ve visited was the European Identity Conference.
Shane Day – 10:43 – European Identity and Cloud Conference.
Joshua Jager – 10:53 – Oh, thank you. So there are a number of events around the world now. It seems like the calendar in the Identity and Access space is getting more and more busy. How did you determine to go to this event in particular?
Shane Day – 11:06 – I think, um, the European Identity and Cloud Conference, is one of the key events. Conferences tend to be a bit of a sales fest. I mean, you do need sponsorship to keep them going. They’re not cheap things to happen, and all you have to do is see how many people take all the desserts from the buffet to know how much it’s going to cost to run one of these events. But I think what’s different about the European Identity and Cloud Conference is that there’s a lot of conversation about the human element and I wouldn’t go so far as to say ethics because I’m not a, I’m not an expert in ethics, but it’s certainly about these things that we’re doing with technology. Are they actually the right thing to do? What’s possible with what we could do right now with technology, but um, is it the right thing to do?
Shane Day – 11:55 – And there’s always a good stream of that. And I’ve noticed that. Um, yeah, this is the second time I’ve attended it and there was a lot more about it this time. Yeah. The last one was two years ago. And there was some of these topics stand, but I think at the changing environment has caused there to be more discussion about that. And I think that’s one of the main reasons for it. I mean, you kind find a find, um, you know, with the, with the main events around the world, the time you often get the same kind of, you see the same faces. You always say hello to them. But I think because this one is European focused, it, it’s not really the European markets. It’s a global conference. There’s people from all over the world that attended. But you, you get, you get a good side conversations.
Shane Day – 12:43 – You know, there’s, yeah, a lot of the keynotes obviously from big sponsors who are peddling things at you. But the way that, um, that KuppingerCole structure their events is that, you know, they really have to tone down the product sales and they have. And you, yes, they can use their, their product as an example, but they have to really talk about what the function is and what, how, how it’s relevant in the marketplace. And you end up, even with the keynote speeches being a lot more interesting as a consequence.
Joshua Jager – 13:16 – It sounds like on the topic of ethics, perhaps there wouldn’t be many companies that have that as their main product suite, but a lot of people were talking about that?
Shane Day – 13:25 – Yeah, there was some pretty interesting product offerings actually. Um, you know, the kinds of things that, um, I kind of know every night I imagine putting systems together in what, what could you in the marketplace and, and I don’t have the, don’t have the capital to try and get these things into market, but it’s always kind of kind of nice whenever you actually see someone that’s come up with one of your ideas and is actually executed it very well. And there was some, you know, GDPR as a service type software where they help you construct your compliance to it to make sure that you’re doing all the right activities. It might be a little early to know exactly what the right activities are because essentially when you’re looking at your compliance to something like GDPR, you’re looking at, um, with, uh, the risk management around it.
Shane Day – 14:13 – You probably can’t be compliant to the exact word of any legislation, but, but you’re always looking to minimize the risk that you aren’t in compliance with it. So, it probably needs some enforcement case samples to know exactly what the real risks are going to be. But yeah, that was some pretty good software in that, um, people had, their conversations were good too. They didn’t just, know that they just had the URL of the bottom of their slides and they actually talked about how you can comply. They used their software as an example of how you comply, but they really talked about the, how you organize your organization to be in compliance with that legislation.
Joshua Jager – 14:53 – So I think it’s gonna take a maybe a few years for really everyone to see how the GDPR laws are really going to affect the market. Companies seem to be taking it seriously even if many have done so at the last minute, as has been a barrage in most people’s email boxes. And it’s actually still continuing for me, now almost a week after. And you mentioned GDPR and you’ve mentioned that ethics conversations that were happening around the conference. Um, what other themes were there that were highlighted?
Shane Day – 15:22 – I’ll just quickly, I will say, Oh yeah, if there’s any ethics professors listening, we’re not talking about that kind of ethics. So, you know, I would actually welcome hearing from any of them what they actually think about it from that perspective. And I haven’t studied ethics at all. So you’re my idea. It’s probably not quite right. But, um, I guess there was a lot of themes that have carried over from previous, previous conferences. So, you know, artificial intelligence know that’s a hot topic in all of it. And, and, uh, identities, no, no stranger to people talking about it. I mean there’s decisions and to be made that can be made by machines that have learned to do it quicker and faster and more accurately than humans could certainly lot quicker. They can also look at things such as compliance now that, that had been spoken about before.
Shane Day – 16:15 – And um, there’s some good software in the marketplace and I see a lot of vendors taking on artificial intelligence for, uh, being able to see whether there’s any outliers and sets of data. I mean, machines are really good at that. They’re good at finding trends and finding outliers and of course we’ll we’re talking about identity and access management. We could, artificial intelligence can actually pick up whether there’s there’s this cost as the people with the same access rights of systems and all of a sudden you’ve got some outlier than it actually picks up something and you got to go and investigate and you know that there’s been development. Further development of that. I mean you see it making its way into all sorts of devices, unit reverse proxies for accessing a terminals with privilege access. It actually can, can look at the use artificial intelligence to be able to pick up whether your usage patterns that actually you or not.
Shane Day – 17:08 – You know, and if. And if it’s not, you’re going to put you off into. I’m trying to think of the right word. I think it’s honeypot where they go and put you into something that looks like you’ve got where you’re, where you want it to be and what they’re really doing is collecting enough data to be able to take action against you. There was, um, a lot of talk about microservices and DevOps, which was very interesting. I mean, obviously I’m interested in that as a software engineer, background, uh, you know, we’ve been actually investing in that fairly heavily at UNIFY looking at, um, how we can use those to provide better services and products to our customers and know it was kind of, I hadn’t heard at a conference before, so it was kind of cool for me to have to have that spoken about when we’d already started investing in it and it’s good to good to know that we’re on the right track with that and I think they’re looking at how to get better efficiency, better quality outcomes for customers using those kinds of methodologies.
Joshua Jager – 18:05 – Wow. I’d like to dig a little bit deeper into some of the things UNIFY are doing, um, especially in the DevOps department, but perhaps we’ll do that in a future podcast.
Shane Day – 18:13 – Yeah, happy to do so.
Shane Day – 18:56 – I actually think that they have, taken on a lot much more seriously than I expected them to. So, you know, I kind of expected the big, the big global players to kind of play lip service to it, but they really haven’t. They’ve actually taken the lead and tried to help their customers be compliant with it. So when they’re dealing with their customers. And I guess in a way, if you look at the way the laws are structured, they’re pretty much liable as data processors anyway. So they need to make sure that they’re compliant as a data processor under the law so that they can supply to their customers are obviously going to be the people collecting the data on your subjects. Uh, as far as leadership is concerned, I still think there’s a way to go in terms of thought leadership. I think at the moment there’s a lot of people worried about compliance because they’re worried about the punitive nature of it.
Shane Day – 19:50 – And I think it’s too early to say how that’s going to go. I mean, I don’t think the European Union are going to go after mom and pop companies just because. Because they don’t, they’re not entirely compliant with it. I think you’ve already seen activists raise cases against, against them. I think it’s one of them was an 8.8B worth of potential penalties in, in terms of the cases that have been raised. Uh, I think there are a lot of. The smaller players are actually better leaders. And you’re there thinking, thinking about how the, how this change is changing the way that you might interact with your, with your customers. So you have the bigger players are sort of like, oh you’ve got this stuff in place and how we’re going to get you compliant today. You know, so people like a, like a Katryna Dow, they’d see over a partner organization, Meeco.
Shane Day – 20:41 – They’re very much focused on while these things are just, they’re natural that if you want to build best trust with your customers, don’t treat them like, like the data is evaluated and treat them as if they’re a value of you and that the fact that they’re sharing data with you is valuable in the trust relationship you’ve got with them. And I think if you look at it that way, you’re going to have a much, much better experience. You know, the customers will have a better experience and the organizations dealing with their customers and have a bit of experience because they’re going to get much better quality information to work with.
Joshua Jager – 21:16 – So it sounds like more of these startup organizations or organizations that have sort of come around the last few years are already thinking about data and relationship with customers in different ways. Is it because perhaps they’re more nimble or they’re a child of this generation perhaps, that they’re able to adapt so quickly?
Shane Day – 21:37 – I don’t think. Yeah, I think nimble is probably the best way to do it. I’m sure there’s people inside the large organizations have had similar ideas and concepts. Uh, they, it’s just harder for them to get a voice. You know, when you look at the, if you’ve got more legacy, obviously you have to worry about what you can do with the legacy to stay compliant. When, when you’re, um, when it’s sole focus, then of course you can focus more on the innovation side of it. It’s not to say innovation isn’t done in the larger organizations. It is, It’s harder to come to the surface as whole thing. I think when you’re a startup is the whole thing.
Joshua Jager – 22:11 – Sure. Yeah. So why would, looking at the actions some organizations are taking in this space, what are the biggest misconceptions or missteps you’ve seen companies make around their GDPR laws?
Shane Day – 22:24 – I think you’re seeing it now. I mean, you mentioned all the emails that you’ve been getting about stuff like the GDPR is about having the right to process data and the right consent. Well, consent is only one of the ways that you can actually have the right to process data that can be legislative or regulatory reasons for doing that. There can be, it could be a required part of supplying the, the obvious service that you’ve got, and this, um, it seems very much to be driven out of the US and that, um, and Australia’s followed, followed suit. They all seem to think it’s a, you have to update your privacy statement and let everyone know that it is and get consent to the new privacy statement. Well, that’s not what that’s about. It’s about having a defensible position for having processed data. So if there’s a legislative or t that you need to do to supply the service, then you don’t need to go and get the customer’s consent for it.
Shane Day – 23:17 – You need to get their consent for things that they’re not expecting you to do with it. And having that hidden in a privacy statement isn’t going to be considered that consent. So you know, that’s another misconception is that that you can update your privacy statement to say that you’re compliant with GDPR and all of a sudden you are, that’s not, that’s not true either. People have to understand what they’re consenting to and when, well, let’s just use Facebook as an example. When people are using it, they expect to be able to socialize with their social networks and be able to build new social connections. So, they don’t really need consent for collecting that, what they need consent for is shipping that off to other people too, to other organizations to profile individuals or demographics to target them for advertising. That’s what they need consent for. So I think um, GDPR is one of those things like Sarbanes Oxley or the Y2K bug thing though, that there’s a lot of buzz and not a lot of understanding about what’s actually going on.
Joshua Jager – 24:17 – I’ve seen a few organizations, some newspapers out of the US, just simply blocking European visitors from their sites. What do you think about this solution to being compliant?
Shane Day – 24:27 – I wonder if they even know why they did that. They’re obviously scared and couldn’t get the right advice to let them understand or they’re doing something with data they’re collecting on people that, that isn’t nefarious and they probably shouldn’t be doing it.
Joshua Jager – 24:42 – Do you see this kind of law being adopted in Australia or maybe the US or do you think GDPR will remain a European thing that international companies will have to comply with? Um, I think many companies have said they will comply and they will comply for residents of every country. Do you see, do you see this being enforced in their local residences as well?
Shane Day – 25:08 – I think, um, you’ll see that there’ll be a ground swell and once people find they understand what’s been happening, you know, the US is a very large, large place and it can take a long time for a common understanding of what’s been occurring into, to look at. I will name them. I said I wasn’t going to, but I will if I name Equifax, for example, if people actually understood what that, what that, what had actually happened and what’s happened subsequent to that, then they’d probably be appalled and they’ll probably want something done about it. And I think, um, the US Congress, uh, starting to look at these things, but at the moment it really just looks like they’re playing lip service to it and I think they’re going to have to. It’s going to be politically expedient to make sure they actually do something about this. If you have a look at Australia, we’ve actually had recent changes in privacy laws and have signaled that this wasn’t the end of the changes. So I’m hoping that Australia gets close to close to it. I don’t think it’ll probably necessarily be as punitive as the, as the GDPR laws, but it will definitely be something which I think we need better privacy protection rights in Australia.
Joshua Jager – 26:19 – Another thing you mentioned was at the conference you attended a number of panels and discussions with different companies and thought leaders from the industry. Did you want to share a little bit more about those?
Shane Day – 26:31 – Yeah, absolutely. So UNIFY in a nutshell, many people know, we probably should shout from the rooftops a bit more, but we joined the Kantara Initiative, uh, as, as a member, um, a few months ago and we’re quite heavily invested in making sure that User Managed Access, or UMA 2 standards get, get taken up and we’ve been making our own investments in that space. So there were a number of Kantara Initiative panels and workshops. Unfortunately, I didn’t make the workshops at the beginning of the conference, mostly because I arrived late and my luggage arrived even later. Not that I planned to arrive late, I just did. But uh, it, there were a number of other sessions about that where we talked about things like how, how do you model consent and how do you, how do you model delegated access, but not just within the people making decisions about it.
Shane Day – 27:24 – If there’s legislative or contractual delegation, how does that get modelled inside these systems? So pretty interesting conversations and some pretty good thought leaders. Eve Maler from ForgeRock. She was there. Colin Wallis, of course, they are our friends that Meeco again at the very heavily invested in that space and I say is vitally important and there’s a number of government organizations or government agencies that we’ve been talking to that need exactly that and insurance and anything that involves with providing services to families that need to model that kind of stuff. A public education, private education have similar needs. So that was, that was very interesting. Uh, uh, panels and discussions. And side discussions afterwards when you go and have a cup of coffee with someone just asked an interesting question too. Um, the one about the future, the panel about the future of identity, which is where we started touching on the ethical nature of identity.
Shane Day – 28:26 – That was pretty interesting. I can’t actually remember off the top of my head all the people that were involved in that, but, uh, Kim Cameron told a very funny possibly made up story about Bill Gates in that and him worried about people using, using our bitcoin to get hitmen on him. I’m sure that’s not the case. Bill. And I’m sure, I’m sure Kim exaggerated and if he did say that, but um, yeah, there was a, there was Kim on that panel, there was Jackson Shaw was on that one. Robert Lapes who’s a very interesting character. I enjoyed my conversations with him from Capgemini. He chaired the future of identity panel. There was um, uh, Alessandro from One Identity who he’s a technical product manager, but he loves talking about this stuff. So, and you know, there was a number of other people involved in those things that, um, I’m sure that I’ll be embarrassed when they, if they hear this and they contact me later saying, why didn’t you mention me? But, um, you know, it’s Friday afternoon, I can’t remember everything. Yeah.
Joshua Jager – 29:30 – Um, so you have a lot of big names and a lot of talk around the future of identity. And were there any outlandish or wild predictions made?
Shane Day – 29:43 – Did these involve Skynet or not?
Joshua Jager – 29:46 – Uh, anything?
Shane Day – 29:48 – Uh, I think, um, most of the predictions were around, um, kind of being a revolution in the way that we think about privacy, particularly as, um, you know, there’s a persona that we put ourselves in the digital world and we’re going to have to build some constructs around privacy. I mean, there was some people predicting that in the future we probably might not have privacy and we are such as societies will be conditioned not to expect it.
Joshua Jager – 30:14 – Completely open data, I guess.
Shane Day – 30:15 – Yeah, that’s right. I’m not sure how that will go. Probably need a little bit more tolerant societies before we can actually deal with that kind of concept, but it, anything could happen. I guess.
Joshua Jager – 30:26 – It certainly sounds like a conference that was definitely thought provoking and had a lot of the leaders in the space there. Before we go Shane, I’d like to ask you, is there any burning identity questions that keep you up at night?
Shane Day – 30:39 – Uh, my own personal identity, I’m pretty comfortable with that actually. What keeps me up at night? Well, in terms of identity, maybe why, why do I identify with my cats? Because they keep waking me up at night, um, but otherwise, no, not, not really. Uh, uh, I tend to sleep pretty well.
Joshua Jager – 30:59 – Well, in my case, it’s definitely my daughter. Waking up two to three times a night would be the main thing that keeps me up. Um,
Shane Day – 31:05 – You know, but she doesn’t scratch your carpet.
Joshua Jager – 31:10 – She just screams. Shane Day. Thanks for coming on the podcast.
Shane Day – 31:11 – You’re welcome. Thank you.