Our next session has this very intriguing title, Day in the Life of an Enterprise Customer, and probably no one better to really walk through this perspective than our very own John Lentinen, who brings triple Okta to his own title identity. I'll let him explain that, but let's please warmly welcome up John Lentinen.
Well, good morning everybody. As intimated, I am John Lentinen, and before we begin, I need to share that good ol' safe harbor slide where you might be making some forward-looking statements, and this is not to be confused with commitment, yadda yadda yadda. If you have questions, I invite you to meticulously comb through this on your own time. So, once again, since I love the sound of my name, I'm John Lentinen, and I am an Enterprise Identity Practitioner. My perspective is informed by working in the identity space for over 18 years now, and I got my start, you know, like literally in the call center. I was manning the phones for an internal help desk, a private global for-profit education concern, and they were launching their own internal access certification tool for role-based access control. They had to do this as part of a compliance deadline to make their Sarbanes-Oxley compliance push. So, once they, you know, threw my warm body onto the phones for a little bit, I eventually began doing access and identity management, specifically for account and role management, for the financial systems side of the house there. In fact, I was four years into my career when I finally realized that I was working in identity and access management, and I finally joined that function within that organization. So, I found my home. So, from there, I went to a very large American conglomerate, what brought good things to life, as the owner for their authentication services for workforce, their B2B and B2C for all their companies, and later still I would join a major trusted information company and become their director of identity and access management.
The trusted information company, that one doesn't really ring a bell quite as much. You'll have to hit me later for that one. A little over two years ago I joined Okta as the director of Okta on Okta at Okta. So, now, not much of a surprise, folk don't really get what it is I do when I tell them my title or the name of my function, Okta on Okta. So, the Okta on Okta team is more than a team and it's more than just a program. Okta on Okta is a philosophy for how we are building our business on our own platform, which is very exciting to me at least. So, our mission, you know, sufficiently generic, is to deliver the best-in-class experience for our employees and our customers. And we approach this mission in three ways, these three interlocking missions. And the first and most obvious is that we enable the business. We own our implementations for our workforce and customer identity use cases. We helped establish and support our moves in the federal identity space. And we provide that connective identity tissue at the center of our business operations, our security posture and our customer engagement. So, delivery across all of these spheres is significant, but to be candid, that is going to be table stakes at any company. So, what makes Okta on Okta special is everything else that we get to do on top of that, like our second focus area, which is evolving our product. So, this means partnering with product, you know, everyone working with Mr. Arnab over there, quality and engineering to influence how our products are built and to provide the feedback and to make sure that they serve not only our own needs as a growing company, but also the use cases of our small and large customers alike. We try to be our best first customer and file off those rough edges and tell people those stories, because we like to also showcase the platform. We share our experiences running the business, Okta itself, on the Okta platform.
So, lots of current and prospective customers, they want to talk to the practitioners about how they have solved identity challenges using, or, better said, how we have solved identity challenges using Okta technology. So, we show them the power of the platform through consultations, best practice sessions, and by developing and sharing the solutions to our own internal identity challenges. So, this means that Okta on Okta is much more than just an internal IT services provider. I love this line. We are a competitive edge. As our own first and best customer, we benefit from that first-hand experience of securing the business with our own platform. Ideally, though, you know, there's always room for improvement, we point to our own implementation of our platform as the reference for how identity problems can and ideally should be solved, especially for cloud-first organizations that consume a lot of SaaS. So, my perspective as a practitioner, first as an enterprise consumer and customer of identity services and products, and now as a practitioner, where the business itself is centered on identity, it gives me a kind of unique perspective and an appreciation for the opportunities everyone has when it comes to identity-centric security. It also gives me a good notion of what features and capabilities really make a software service attractive to enterprise customers. See, there you go. There's your look. Especially the enterprise administrators. So, identity may not be what each of your organizations in here brings to market. I can assure you that, though it is not, identity remains essential to your products, your business, all the same. And the enterprise practitioners in your customers' organizations are frequently involved in the selection and the continued use of SaaS platforms inside of their own organizations. So, why then should you care what these enterprise customers think about your services?
Well, I mean, besides the obvious, you want them as customers, of course, right? That's his own hook. So, to find out, let's go ahead and consider the day in the life of an enterprise customer and what may influence them in making decisions in terms of what SaaS products to use in their organizations. In doing so, there are a couple of major industry factors that I think you should all consider when positioning your SaaS offering for consumption in the broader enterprise market. The first being identity as the essential foundation for information security. So, to make sure we are all aligned on our taxonomies, let's go ahead and align on what exactly is identity-centric security. Identity-centric security is based upon verifying that all users and devices are sufficiently authenticated and authorized before accessing any resource inside of an organization. So, the users must be verified to ensure that they are who they say they are, provisioning them credentials and binding authenticators to their user account. Devices too must be identified through various channels available such as certificates or EDR, EDM signals and/or device fingerprinting. And both the device and user must be authenticated to the correct level of assurance necessary that corresponds to the sensitivity of the resource being accessed. Furthermore, said policies should be frequently evaluated and adjusted based on the needs and the technical maturity and capabilities of your organizations. "Now, John," some of you may be thinking, "this sounds an awful lot like zero trust architecture. Why are you veering into ZTA in this talk when we really want to hear about what makes enterprise customers tick?" And you wouldn't be wrong.
You definitely won't be wrong to associate the notion of identity-centric security and zero trust architecture given that the seven tenets of a zero trust architecture as outlined by our good friends at NIST because many of those are explicitly associated with identity and the ones that are not are at least identity-adjacent. So, identity-centric security is a foundational principle of ZTA. So, participation time. Can I see a show of hands of how many people here are working on ZTA initiatives in your business or are aware of any of your own customers who are maybe working on ZTA initiatives? Anybody? Got a good cluster here, here, here. Good. No surprise there. So, seeing that, two thoughts come to mind. The first, I sure do hope you and ZTA have involved your own identity stakeholders in that work. Second, consider how we've already seen the impact of identity-centric security put to the test as the perimeter of information security. We had a black swan event that forced the destruction of the traditional perimeter. Organizations with on-prem dependencies were at a major disadvantage compared to those which were cloud-native. And similarly, SaaS providers saw a huge boost in the need for their internet-first platforms. So, within a few weeks, the identity-centric security and dynamic ways of working were vindicated in practice at a massive scale. This isn't a hypothesis anymore. I'm pretty sure we've vetted this one out. So, organizations which did well against those challenges and the abrupt shift to remote work generally had two things in common from what I saw. The first was that they had reasonable, and note that I say reasonable, not necessarily advanced, simply reasonable, maturity in their foundational identity capabilities prior to the pandemic. Second, they were built upon identity standards. There's a robust suite of standards for so much in identity.
We have SAML and OpenID Connect for federation, the OAuth 2 framework for authorization of APIs and services, SCIM for federated account provisioning and deprovisioning, lifecycle management, and FIDO2 for strong authentication. These standards allow your enterprise and your enterprise customers to securely use any technology and do it in a transparent, well-documented, and repeatable fashion, which may not sound attractive to the move fast, break things crowd, but when you get an enterprise, I promise you, stability becomes quite, quite attractive. So as such, identity is something your enterprise customers do care about, very, very much in fact. However, some of them may not be able to articulate this through that lens of identity that, you know, I approach it from. So how do your enterprise customers experience things when SaaS vendors choose not to follow standards-based identity? So let's consider a powerful yet potentially dangerous substance like lithium. Ever hear of, you know, lithium fire? That's not great. So when we use lithium appropriately, we can use it to power vehicles, devices, do so much more. But if it's not properly handled and stored, it can lead to a catastrophic fire, you know, being in San Francisco with lots of Teslas running around, who knows? No disrespect there, sorry, oops, redact. We only want as much of the lithium as we can safely contain and handle for the needs of whatever we are going to use it for, and the improper handling or storage could lead to a disaster. So identity data can be thought and should be thought of in a similar fashion, a powerful enabler of business and security but irresponsible to not contain or to be allowed to proliferate beyond the bare minimum need for a business purpose. So what are the expectations of enterprise customers when it comes to sharing this information with vendors? So let's go ahead and start with the authentication experience.
Organizations, especially large ones that must comply with certain audit and compliance requirements, expect their SaaS partners to support single sign-on using the workforce identities which are under their purview and control. So this is not only for the major, major quality of life improvements which come from using a single set of credentials to access necessary work resources, it also enables, it also ensures that access revocation to those SaaS apps happens automatically at the same time that that workforce account is disabled. So additionally, if a SaaS vendor does not support federated authentication, then the enterprise customer will open themselves up to all sorts of risk, like shadow IT, shared accounts, insecurely stored credentials, and a potential gap in non-repudiation for associating actions taken by an account to a specific named user. The last one is probably a little identity technical for you, but it's a real big pet peeve for your GRC team, so just bust out non-repudiation if you really want to flex in front of them sometime. All right, so of course just cutting off this access may not be enough. Enterprise customers have an obligation to remove the identity data inside of third-party data silos as well. So, you know, we've already hit how important SCIM is and we're actually gonna bang that drum a little bit louder, a little bit later, but an automated lifecycle management process for these federated accounts is also a key security feature which those enterprise customers are going to look for. If a SaaS app does not support automated provisioning, using a standard, ideally SCIM, or via something like a partner integration to automate the removal of user records, then using that app increases an enterprise's exposure to missing termination events, since a fully manual process through the help desk is fallible.
So all of this means increased exposure to risk and administrative overhead for your enterprise customers and that gives them a reason to examine other SaaS apps that support these features if yours does not. So, we spent some time talking about security and how important it is to understand the security drivers behind what those enterprise customers want. And so the second industry trend I feel will strongly impact your appeal to enterprise customers is the current macroeconomic situation. We're here starting to hear about that. All right, I mention this because each new app in an enterprise ecosystem, that represents an additional administrative burden on the technology teams. So, either the app admins who need to manage that application directly, or the identity admins who need to make sure that every app is available, always available for their business. Even just within our own function, Okta on Okta has over 1,200 applications tied to our instance and we own that care and feeding of each one's identity needs for Okta the company. So, in light of this macroeconomic situation we are either already in or seeing forming on the horizon, this means anything that you can offer to lighten that administrative burden is a competitive advantage and a value add for your enterprise customers. The security features I already highlighted also are going to heavily impact the cost of running and supporting that application for the business. So, using a single set of logon credentials is going to prevent unnecessary help desk calls for recovering app accounts. That in turn is going to reduce the total operating cost of using your application in the enterprise. It also reduces the administrative overhead for enterprise customers to configure and, more importantly, maintain, because we always forget about the maintenance part, those accounts and the credentials in the app if the identity comes directly from a federated identity provider.
There's a similar value proposition with automatic user lifecycle management. The patterns and standards are there to facilitate dynamic user management in your applications. So, that's going to further simplify and accelerate the enterprise time to value when using your application. Complementary to automatic lifecycle management is robust seat and license management. As organizations look to tighten up operations and cut unnecessary costs, do you want to be perceived as a service that makes user seat management and management opaque and difficult to quantify? I've seen some apps in my time where a lack of that transparency in that area gave me some serious dark pattern vibes, that instead of presenting themselves as partners generating business value by making license management simple, it was made difficult, perhaps in a misguided attempt to juice extra revenue at my expense. So, I don't truly think that was the intention. You know, never assume malice when incompetence could explain behaviors after all. But even still, I doubt anybody in this room would like to have to defend their practices as either malicious or incompetent. So, why not go ahead and make this very easy and remove all the doubt? So, assuming you're also, excuse me, adding the value from automated user lifecycle management, this may not even be much of a lift. You're already automatically provisioning, deprovisioning, changing, et cetera. So, you know, this would be an incredible addition of value for ideally something that if you were to tack it on with that lifecycle management, you know, could have a pretty quick time to value. So, finally, let's consider designing specific claims for entitlement mapping in your app. Between user authentication, lifecycle management, and authorization, authorization seems the least mature based on everything I've seen in the market.
So, if your application has certain roles or perhaps differing access levels, consider the value of allowing specific roles to be assumed based on the context of the user's authentication, such as something like an attribute value in the assertion at sign-on time, or the token. This will free up your enterprise customers to build and administer their own access control model through their own identity control plane. So, this could be stuff like group membership, specific arbitrary, specific or even arbitrary, attribute value combinations that you send over at the token, anything really. As long as it is easy to add to the claims or assertion and the capability is clearly documented that you can do this in your application's documentation. So, all of these value add features reinforce and build one on top of another. And all of that demonstrates your desire to not only sell your SaaS apps to the enterprise, but it signals that you'll be a value-driven partner that walks the walk when it comes to keeping their users and data safe. Before we hit the recap, there's one more thing that I would like to caution you all about. I feel very strongly about this. So, I recognize we're all working on products and we all have finite resources and tough decisions have to be made and we gotta make prioritization decisions. So, as such, I acknowledge that getting an application to support all of these features may be a journey and may take a while to get to that level of maturity that's expected, perfectly fine. Additionally, as an enterprise customer, I would pay more for a service that offered these capabilities. But that I would pay more is not an invitation to take your enterprise customers to the cleaners by gating basic security features, namely single sign-on, behind increasingly expensive packages.
As I said earlier, my point of view, identity is perimeter security and I would expect some species of SSO to be included at all levels of service as a baseline and ideally, the rest of it too. But as an enterprise customer, I am fine paying a reasonable rate to make it worth your while to support these features. But it really is a major red flag to me if a vendor does not support SSO or, even worse, only supports it when bundled within a more feature-rich premium tier of service. This signals that a vendor is not above extorting me because I care about securing my organization and it's a clear signal that they may not be a good partner that is going to help my business stay safe. Nor will they be likely to provide a good value through the lifecycle of our relationship. So that is definitely not the foundation for a mutually beneficial business relationship in my book. So to recap, here are some things you can do to signal to enterprise customers that you can help them stay secure and provide business value. First, please support federated authentication. Second, support for automated user lifecycle management through SCIM, platform integrations, et cetera. Next, offer transparent license management and utilization info. And ideally, support authorization using claims or attributes which are coming from that enterprise IdP. Doing all of this is going to demonstrate your commitment and your organization's commitment to your enterprise customers that you will be a trusted value partner. So thank you all for all your time, your attention today. And I hope you'll take me up on this and help your customers stay secure and safe and provide good business value. Wow, my clicker went strange. There we go. So doing all this is going to demonstrate your commitment and value to partnership. And I invite you all to please stick around. A lot more great content to follow. Thank you. Thank you.
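Added example, not part of the talk and not any vendor's code: one way a SaaS app could implement the claims-based entitlement mapping the speaker describes, resolving app roles from group membership or attribute value combinations sent by the customer's IdP. It assumes the ID token or SAML assertion was already validated upstream (signature, issuer, audience); the claim names, group names, roles and rules are constructed for illustration.

```python
from typing import Any

# Constructed per-tenant mapping, as a customer admin might configure it.
# A rule grants one app role only when ALL of its claim conditions match.
TENANT_RULES = [
    {"role": "admin", "when": {"groups": "saas-admins"}},
    {"role": "editor", "when": {"groups": "saas-editors", "department": "finance"}},
    {"role": "viewer", "when": {"groups": "saas-users"}},
]
# Roles the app itself defines; a rule naming anything else is ignored.
KNOWN_ROLES = {"admin", "editor", "viewer"}


def _values(claim: Any) -> set[str]:
    """Normalize a claim to a set of strings; IdPs send scalars or lists."""
    if isinstance(claim, str):
        return {claim}
    if isinstance(claim, (list, tuple)):
        return {v for v in claim if isinstance(v, str)}
    return set()  # missing, numeric, boolean or object claims never match


def resolve_roles(claims: dict[str, Any], rules: list[dict]) -> set[str]:
    """Return the app roles granted by already-validated token claims."""
    granted: set[str] = set()
    for rule in rules:
        role = rule.get("role")
        conditions = rule.get("when") or {}
        if role not in KNOWN_ROLES or not conditions:
            continue  # an empty condition must not grant a role to everyone
        # Exact, case-sensitive comparison: no prefix or substring matching.
        if all(want in _values(claims.get(name))
               for name, want in conditions.items()):
            granted.add(role)
    return granted  # empty set means no access (deny by default)


if __name__ == "__main__":
    # Constructed claims, as they might look after token validation.
    sample = {"sub": "u-123", "groups": ["saas-users", "saas-editors"],
              "department": "finance"}
    print(sorted(resolve_roles(sample, TENANT_RULES)))
```

Because roles are recomputed from the claims at each sign-on, removing a user from a group in the IdP removes the role at the next authentication without any change inside the app.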