A
Hey everyone, this is Casey Ellis. For Risky Business Today we're talking to Fletcher Heisler, who is the founder and CEO of authentik. Fletcher, thanks for coming on.
B
Thank you, Casey. Thanks for having me.
A
So you guys have created or invented a new acronym. Do you want to tell me about that?
B
I'm afraid we have unleashed yet another acronym on the world. Extended IAM, so XIAM. You know, we've been working toward this for seven years with authentik. Actually, our founding CTO, Jens, has been starting that as an open source project from the ground up. We saw a little bit of what's coming now, fast and furious, that everything is autonomous and programmable. You need identity for all users, all devices, etc. in one cohesive place. And just calling ourselves an identity provider didn't really cut it. You can think of plugging in the IDP and that hands users one set of credentials to SSO into all their applications. And that's kind of base table stakes, maybe where you're going passwordless and have token based accounts and so forth. But for extended IAM, we see this as being for all users, so human and non-human, workforce and customer and your customers' customers, et cetera, all of this needs to be in one cohesive place. And we could get into the agent side of it. There are a lot of things being invented for AI users, but the way we see it, they'll have all the same capabilities, they need all the same guardrails, et cetera. Similarly, for devices, if you're looking at various endpoints, remote infrastructure, even your work laptop, you can log into directly with authentication, that's one fewer step to manage. And we could also use those health metrics and data to inform what is traditionally your identity provider, in a way that kind of an MDM or things like that would as well, and integrate with those at the same time. So extended IAM is kind of that full user lifecycle for every possible user. And the last piece is running wherever you need it to, with that multi region, multi cloud, on prem, some hybrid mix of the subset there. The fact that authentik is really a stateless machine that you can put where you need it gives a lot of flexibility for the security of that architecture, but also just the ease of integration with other pieces of your infrastructure.
Right.
A
And when you're talking about extended there, really you're talking about the fact that identity is definitely bubbling up. I guess the question I was going to ask there is what's driving this from a market standpoint? What are you hearing from the coalface right now?
B
Yeah, I think what we're seeing is just a lot of need for consolidation, a lot of need for better security, a lot of need for... We have these duct tape solutions and solutions for solutions, where you've seen things like identity orchestration come into play, just kind of solving a problem that shouldn't have existed. Now you have three IDPs, you're trying to balance them, and you have another layer that could go down that's kind of duct taping them all together. So the fact that resiliency really, really matters. It's not just a matter of some of my workers can't get to some of their applications for a couple hours. None of us can do any business, especially our service accounts that are true, trying to do whatever automated actions, run their pipelines, et cetera, everything grinds to a halt. And then on the security front, if you have a cloud IDP that's kind of a proprietary black box, maybe doesn't have the best history when it comes to security, are you going to hand out all of your tokens for controlling the whole business, or do you want to keep those a little closer in house as well? So that's also part of the security side of trying to lock things down and not expose as much as possible to the wide open Internet.
A
So security and availability both as kind of priorities that you're hearing from the street.
B
Definitely. Security, availability, also flexibility, the fact that you can very quickly integrate with whatever new application or protocol you might need there and have a lot of different accounts doing that in an autonomous way is much more important now. So I think folks like Okta might have a very broad catalog and sort of got where they got to by saying, yes, we support the top 200 other SaaS apps, but you can only keep up that way with sort of the proprietary black box for so long. The way we've built this with a very flexible infrastructure, you don't even have to wait on us. If you need that data attribute, just read it in. If you need to map something out to a user, you could do that as well. So that kind of flexibility saves a lot of the, again, duct tape and headaches along the way.
A
Yeah, well, I mean, in terms of the need for duct tape, or the obviousness, I guess, at this point of the need for duct tape in the absence of a solution like authentik, do you want to talk a bit about what you're seeing in terms of AI, like agentic identity, and the kind of security and availability considerations that are starting to bubble up around that kind of field?
B
Sure, yeah, I think as we've seen a lot, we're kind of relearning all of the classic security lessons just with a new layer of a new type of user. And the way that we see things going at authentik is if your AI agent is going to eventually be doing all the same tasks as humans, you know, in terms of extending that capability, they need that kind of capability and that kind of access, but you also need to give them, you know, appropriate guardrails. They need very fine grained permissions. You don't want to hand over the keys to the castle without knowing that you've done so, or without, you know, any restrictions on that. And so we see it as, of course, non-human identities will need all of the same IDP infrastructure there. That also means that everything you should have been doing before is even more important, of course. So you should be infrastructure as code, have an API for every possible action within there, have type based access and token based and so forth. All of those become absolutely critical when some of your users are non-human users who might be... We're seeing that there's a lot of, again, on the duct tape side, reinvented security a bit, where things like MCP, we'll see if that wins out as a model. It feels like again a solution to a problem that shouldn't need to exist. If applications had better APIs or better means of access, you wouldn't need a lot of this sort of newly invented architecture for a non-human user. And on the flip side, giving an agent only sort of a CRUD GUI interface that it gets to figure out how to take in every pixel and figure out what to do. Sure, eventually that can happen, but it seems wildly inefficient when it could just update a bit adjacent for you.
A
Yeah, we can probably do better on the compute side of that, right?
B
For sure. Yeah.
A
Yeah. It's cool hearing you kind of go through this because yeah, I did notice your post from 2024 saying proudly not AI powered. And it doesn't sound like you're doing that. It sounds like AI is starting to reveal a whole bunch of different kind of issues that you guys have been well ahead of on the identity and authentication and access side of things.
B
Yeah, the point of the not AI powered blog post was primarily that we're not trying to slap AI onto the product. Its I think we're seeing another trend of everyone saying here's the LLM thing embedded into our product, whether it makes sense or not, especially for something that's self hosted and that you get to absorb all of that infrastructure cost. We're not about to throw a chatbot into your IDP directly without a very strong need to do that. But we are trying out all the latest and greatest tools and sensibly carefully using them wherever it makes sense. And similarly definitely supporting our customers who need security and identity for agent use.
A
Yeah, exactly. Like the idea that you guys are focused on fundamentals and now the deployment of AI by literally everyone else is kind of revealing the need for that and creating an opportunity for new acronyms and agents and all sorts of good stuff.
B
Yep, for sure.
A
So BSides is coming up. What are you guys up to there? RSA, BSides San Francisco, the circus comes to town.
B
Yes, it'll be a busy month. We have two different talks at BSides talking about sort of the open source project of authentik and what we did to support it and keep that going, and options for other folks who might have an open source project and be looking to scale that up. We also have our head of DevRel giving a really interesting talk on the history of SSO that goes into some bizarre corners of history I never knew about. And then at RSA we don't have a booth or anything, but of course we'll be around for all the events there. So looking forward to seeing some folks in San Francisco.
A
And yeah, how do people get in touch? So if folks are looking to dive deeper into your product, to try it out for the first time, what does that look like?
B
Just head to the website. So it's goauthentik.io, that's T-I-K, goauthentik. You just take a look at it. It's a Docker Compose. Pretty much the vast majority of it is open source, so you don't have to sign up for anything. You could just get started and try it out. Easy to schedule a demo and schedule a call with us if you're on the enterprise side and want to hear a bit more and learn that way as well.
A
Fletcher, I really appreciate your time. Congratulations on all the progress and all the stuff that you guys are doing and look forward to catching you in the zoo in a couple of weeks time.
B
Sounds good. Thanks so much, Casey.
Host: Casey Ellis
Guest: Fletcher Heisler, Founder & CEO of authentik
Date: March 22, 2026
This episode features an insightful conversation between Casey Ellis and Fletcher Heisler about the rapidly evolving landscape of Identity and Access Management (IAM). The discussion focuses on authentik's approach, highlighting the new concept of "Extended IAM," its necessity in a digital environment teeming with human and non-human users (including AI agents and devices), and how the field is adapting to challenges around consolidation, security, and flexibility. The episode also touches on AI's implications for identity security and upcoming conference activities.
Encompasses all users: humans, non-human agents (e.g., AI bots), workforce, customers, and even customers’ customers.
Aims to unify management for all identities—across users and devices—under one platform.
Designed to work flexibly across multi-region, multi-cloud, on-premises, or hybrid environments.
Differentiates from traditional IDP (Identity Provider) solutions by going beyond human user SSO to address agent and device authentication, integration with health metrics, and seamless interoperability.
"Extended IAM is kind of that full user lifecycle for every possible user."
— Fletcher Heisler [01:50]
Consolidation: Enterprises struggle with multiple, sometimes overlapping IDPs, which often require ad-hoc solutions like identity orchestration layers.
Resiliency & Availability: Outages now affect not just employees, but also automated processes and service accounts capable of stalling entire organizations.
Security Concerns: Organizations are wary of proprietary, cloud-only IDPs that act as opaque black boxes and may lack robust security histories.
"You have these duct tape solutions and solutions for solutions where you’ve seen things like identity orchestration... now you have three IDPs, you’re trying to balance them and you have another layer that could go down that’s kind of duct taping them all together."
— Fletcher Heisler [02:54]
"It’s not just a matter of some of my workers can’t get to some of their applications for a couple hours. None of us can do any business, especially our service accounts... everything grinds to a halt."
— Fletcher Heisler [03:27]
authentik offers infrastructure that can quickly integrate new applications or protocols without requiring vendor involvement.
Emphasizes an open data model for rapid, tailored attribute or mapping changes.
"You don’t even have to wait on us if you need that data attribute, just read it in. If you need to map something out to a user, you could do that as well."
— Fletcher Heisler [04:49]
Rise of Non-Human Users: Organizations must extend IAM principles to AI and automated agents, with the same guardrails as human users.
Security Fundamentals Apply: Need for fine-grained permissions, infrastructure as code, and API-first approaches becomes even more essential.
Current Duct Tape Solutions: Many "reinvented" architectures have emerged as AI users increase, stemming from legacy systems or insufficient application APIs.
"We’re kind of relearning all of the classic security lessons just with a new layer of a new type of user… if your AI agent is going to eventually be doing all the same tasks as humans… they need very fine grained permissions. You don't want to hand over the keys to the castle without knowing that you've done so..."
— Fletcher Heisler [05:33]
"Everything you should have been doing before is even more important... All of those become absolutely critical when some of your users are non-human users..."
— Fletcher Heisler [06:17]
Product Philosophy: authentik deliberately avoids adding AI just for trend's sake, focusing on fundamentals and adopting AI tools only when they provide direct value.
"We're not trying to slap AI onto the product... we're not about to throw a chatbot into your IDP directly without a very strong need to do that."
— Fletcher Heisler [08:06]
“The idea that you guys are focused on fundamentals and now the deployment of AI by literally everyone else is kind of revealing the need for [that]…”
— Casey Ellis [08:49]
authentik will present at BSides about sustaining and scaling open source security projects.
DevRel team presenting a talk on the quirky history of SSO.
authentik will participate informally around RSA events.
"We have two different talks at BSides… our head of DevRel giving a really interesting talk on the history of SSO that goes into some bizarre corners of history I never knew about."
— Fletcher Heisler [09:12]
authentik's platform is mostly open source; users can try it via Docker Compose without signups.
Enterprises can easily schedule demos and engagement.
"Just head to the website... pretty much the vast majority of it is open source so don’t have to sign up for anything. You could just get started and try it out."
— Fletcher Heisler [09:56]
On launching another acronym:
"I'm afraid we have unleashed yet another acronym on the world."
— Fletcher Heisler [00:19]
On security lessons for AI users:
"We’re kind of relearning all of the classic security lessons just with a new layer of a new type of user."
— Fletcher Heisler [05:33]
Product philosophy:
"We're not trying to slap AI onto the product."
— Fletcher Heisler [08:06]
On the futility of superficial AI integration:
"We're not about to throw a chatbot into your IDP directly without a very strong need to do that."
— Fletcher Heisler [08:19]
This episode highlights critical shifts in IAM necessitated by automation, AI, and device proliferation. authentik's "Extended IAM" presents a flexible, open, and robust alternative to legacy identity systems that frequently require convoluted "duct tape" solutions. The company's commitment to fundamentals, thoughtful use of AI, and openness to the community spotlight the next wave in secure, resilient, and seamless identity management.
For more information or to try authentik's solution:
Visit goauthentik.io (as shared by Fletcher Heisler [09:56]).