Mike Vesey

Date published: 7/23/2020
Mike Vesey, President and Founder, IdRamp
Follow IdRamp on Twitter: @IdentityRamp

On this episode of the podcast, Steve talks with Mike Vesey, Founder and President of IdRamp, about his entrepreneurial journey to launching a company focused on easing the integration and management challenges of next-gen decentralized identity, and how decentralized identity gives people power back over their own identities and enables organizations with continuous business model innovation.

Also on this podcast, consultants and advisory practice leaders will get a better understanding of how IdRamp’s decentralized identity platform can give service delivery superpowers by removing the system and integration complexities while delivering new differentiated value and delighting customers. In this podcast you will learn how you can create new revenue opportunities by enabling both tool sets and governance programs through decentralized service delivery and policy orchestration and, in Mike’s own words, by “adapting to market forces.”




So, in other podcasts you have explained your beginnings in the identity world via networking and ARPANET at the University of Iowa, how you got into the software world, and sold the company, and so forth. You are the president of IdRamp, which I believe you co-founded in 2016. I might be wrong on that. And before getting into tech and more about your company, when did you get interested in business, and how did you get started thinking about solving business problems?


Wow. Yeah, so we’ll go way back on that one. I grew up, my dad was self-employed. He had his own concrete business. My grandpa had gas stations and convenience stores, so I grew up tagging around with those guys. And when everybody else would quit and go home for the day, we’d be checking gas levels in tanks, and doing books, and getting ready for the next day. So I guess that whole solving business problems and being in entrepreneurship, I guess you could say, is just kind of baked into my DNA. I’ve been around it my whole life.


That’s awesome. I’d really like to learn more about your background, like who is Mike Vesey? A technologist, entrepreneur? What really motivates you when you co-founded … Am I right about that, you co-founded or founded IdRamp?


Yeah, I founded IdRamp. It was really the culmination of all the ideas I had around identity and access management as I worked with my customers, and partners, and people that we’ve been involved with over the years. And it really is truly, as we’ll get into, it’s kind of the culmination of all of my experience and how we see the world from a service delivery perspective.

As for me, I have always been interested in technology. And so definitely a technologist. The entrepreneurship side of me, like I said, was instilled early on. So I’ve always been looking for a way to form my own path with the technology that I am so passionate about. When I started thinking about identity challenges, I became very concerned about the rate at which we were growing. And it’s exciting, right? We all love the fact that our world is getting smaller, and we can order … I just ordered something yesterday afternoon, and it’s going to be here today. I mean, what? That’s just crazy, how fast we’ve evolved in so many short years.

What’s really daunting is the cost that all of this is coming with. And that’s where I get really concerned with identity, because we’re pretty free and pretty loose with all of our identity data today, just because of the way these systems have been built and how they work. And I believe now is the right time to start effecting some change there and trying to change the way that we think of identity, and what that means, and taking a little more ownership and stewardship of our identities so that we don’t make the problem any worse than we already have.


Yes. There’s plenty of opportunities for things to get worse before they get better without having a mindset shift about how we architect the internet, and how we manage identity, and authorization, and access, and a whole new world of protocols. And speaking of new, last December, Gartner published a report, and the top prediction in their report is the growth of decentralized identity, which is right above taking a CARTA-oriented approach to fraud management. So that was kind of a surprise to me.

Not everyone respects Gartner, but there is some weight behind their point of view, which says decentralized identity and the growth of that is something definitely to watch out for. Something is catching on in this space, and I know that’s been something you’ve been thinking about. Your company has a ton of experience and background in traditional or legacy identity and access management. But, switching gears, based on conversations you’ve been having with your customers and out in the field, what do they see as driving this growth? And how are businesses exploring and prioritizing their investment in decentralized identity and self-sovereign identity?


Yeah, that’s a great question. And we do see a lot of organizations are investigating and looking at ways to incorporate decentralization into their delivery of services and identity. One thing that keeps coming back is that business IAM systems, they’re constantly evolving, but they just can’t keep up with consumer demand. So they integrate a new directory, and their customer wants social login. They integrate social login, the customer needs multi-factor. So it seems like there’s a constant evolution of challenges.


And the enterprise, they’re trying to keep up as fast as they can, but each of those evolutions require some complex integration with IAM vendors, and it’s expensive. So the promise of decentralization and self-sovereign identity is to really break the continual retooling of the legacy IAM systems. So we see organizations reaching out to places like The Trust Over IP Foundation, which we’ll talk about a little bit, I think, later, and getting involved in the conversations happening there.

For example, just over the past few weeks, the Trust Over IP ecosystem working group call has just been loaded with potential use cases for decentralized solutions, from healthcare to education. I mean, it’s all over the place. So there’s a definite movement going on to further decentralize the identity footprint within the enterprise and within these external ecosystems, as well. And it’s very exciting to see.

I think the businesses, they’re exploring it by looking to, and reading, and investigating in things like Trust Over IP, and they’re looking at these use cases. Tactically, they’re trying to find places where they can implement decentralization in some piece of their organization without completely retrofitting their identity and access management systems today. So all these things are exciting, and we’re happy to see it happening because it will be a general change for the good as we evolve in that direction.


Without a doubt. As of this morning, as of this recording, we’re reading, last night and this morning, of the breach that occurred at Twitter and some very high-profile accounts that got hacked. And there was a Bitcoin scam going around, this morning, in I guess the last 24 hours.

It makes me think, with these legacy identity and access management systems … You might have seen this, too. One of the requested features in these systems for administrators or administration purposes is impersonation and/or password reset. And you have those features attached to a centralized database and accounts of very high-profile figures represents a pretty significant risk. Does the question of safety and security come up in terms of a driver for decentralizing your identity infrastructure?


Oh, no question. Yeah. And I’m glad you brought up the Twitter incident. Of course, I’m in the identity business, so I see everything as an identity challenge or a problem that identity can fix. But this is absolutely one of them. This came from an impersonation, I’m sure. And so the elimination of passwords … Not the masking, or storage, or whatever. I mean the elimination of passwords. Passwords have no place in identity.

So the promise of credentials and the promise of changing the authentication and access control models using some new technology like verifiable credentials is that those traditional, “I give you something that you then bring back to me, to prove that you’re you,” all of that goes away. Now I’m just proving you’re you via things that you have that represent you, and I make the decision based on that. That’s incredibly hard to impersonate, if not impossible. And when tied to a physical device or something that I control, that’s biometrically protected, that’s even more difficult to achieve that impersonation that’s happening so frequently in our world today.


So that is one of the most exciting things about seeing the technology shift. It’s, “Yes, it can save money. It can add velocity.” It can all of those things. It checks all of those boxes. But it fundamentally is a better mouse trap for securing consumer interaction with every service and everything that we interact with in our lives. So that’s why I get so passionate about this journey that we’re all on, right now, is that we could literally change the world for the better, and protect our identity information gradually without doing a complete lift and shift. That’s our challenge, is we have to do this gradually so that everybody can come along without having a total retrofit.


I was having an exchange with a few folks, last night, on Twitter, postulating how this attack could have occurred. Impersonation is one way. Password reset, or changing the email and disabling MFA is one way. Another way, which I’m familiar with, is billions of leaked credentials are used in plain text for things like penetration testing, or risk and threat analytics, and so forth. One comment was made, “Well, you just come from a perspective of trashing a competitor or being disgruntled that you didn’t win their business.”

And I would take that further and totally reframe this as civil liberties, and protecting our democracy and national security. The President of the United States, at this time, is a big user of Twitter. And imagine it not being too difficult that a nation-state attacker or cyber-criminal could have logged in and obtained sensitive information about the president’s account, or even posted some pretty dangerous messages on behalf of him. And so I think that the safety and the security has to carry a lot of weight in terms of how we think about re-architecting things for the future.


Yeah. In one of my opening comments when I was talking about the world’s getting smaller. It’s that very thing. We have these platforms now that allow us to reach global audiences instantaneously. With that very great power, of course, comes the responsibility to protect and make sure we do as much as we can to prevent that from falling into the wrong hands. And I feel like we are still in our infancy, in that part of it. And that’s really what this movement is all about. We need to change the identity layer for everything in our world. We need to really turn that on its head, and look at it differently than we do. And that’s the piece that excites me the most.


And this isn’t the first time that organizations or our society have gone through these fundamental changes, right? We’ve gone through the change from directory-enabled networking, for example, and Active Directory, to centralizing credentials on prem, on premise in a corporate network, to going through this whole fundamental shift towards cloud computing. We’re just trying to find a better way to tackle this problem.

Then cloud computing became a dominant computing model. And then the hybrid models came up. And now we’re going through this whole rethink, yet again, which I think is very much needed, to be honest. It’s why I’ve dedicated so much of my time and my interest, and recently at the Nonconformist Innovation Summit, to understand and share about this problem and opportunity.

What are some of the toughest challenges that your customers are facing, who might be curious about next-gen identity and self-sovereign identity, all the while managing and maintaining their existing legacy identity infrastructure?



Yeah. Boy, that’s a great one. It’s always integration. It’s always integration and deployment. As we mentioned, IAM in any enterprise, really of any size, is a constant target. It’s always in flux, and changing, and evolving. And it’s generally central to everything that happens, so it’s a very difficult place to start playing around with R&D projects. So it’s always integration, and that’s really what drove IdRamp to do what IdRamp does, was the concept of being able to say, “We are going to integrate with existing IAM, and make a seamless transition to this new verifiable credential,” or maybe it’s just other identity systems, or other services.

So the toughest challenge is, without question, it’s always the integration of the decentralization. And self-sovereign is … Again, if you think about that, that’s going to be a whole ‘nother challenge. How does an organization go from a centralized trust model to a decentralized trust model? What’s going to be involved in that? Well, it’s going to be governance. I mean, there’s going to be a lot of things. Right now, it’s pretty easy to control. It’s centralized. This is you. I create my impression of you in my identity, and that’s it. And that’s all changing now. So it always comes down to the integration and deployment that we see as the constant need from our customers.


And that is changing, all of the time, right? You have a lot of organizations that have hybrid and heterogeneous computing environments with mountains of legacy systems where interoperability is always one of the main challenges. And also, from a consumer perspective, you have the challenge where maybe the average internet user has 140 or more credentials that they know of, that they manage. That really comes down to how you define credential. But in the broader sense, we have a lot of documents and data that can be defined as credentials. So that number can actually be a lot larger.

On my phone, just in terms of usernames and passwords alone … Folks in our industry tend to be a bit heavier in their consumption of accounts and passwords. I have over 500 of them. So it’s not enough to just come to the market and say, “Hey, we’re going to be password-less and do password-less authentication as sort of a way to make our existing internet infrastructure more secure.”

For one, you can’t just go password-less overnight. Maybe Microsoft can come to market and say, “Hey, 80 or 90% of our staff are all password-less now.” But that’s not a standard by which to evaluate or to use as a reference for other companies or for consumers, because that’s really a pretty daunting challenge.

As you think about those same challenges, what does good look like to you in the next cycle or this next generation of identity and access management? And if I could play devil’s advocate for a moment, how can we know that we aren’t just trading one set of problems for another?


Sure. No, that’s a great question. Next-gen for me would be the identity and access management system integrating digital verifiable credentials into the service delivery process. So that’s not to say the IAM goes away. The identity and access management system doesn’t go away in favor of self-sovereign or something like that. That’s a lofty goal, but the current identity and access management stack provides great value today, and it seems a more natural progression to augment identity delivery with verifiable credentials to streamline the user authentication process, as well as access control.

So this manifests in things like we’ve been talking about, like password elimination for end users, decentralization for service authentication, which is the removal of the dependency on the IAM system during the authentication process. So instead of that traditional backhaul connection through the IAM for every single user interaction, we can now fracture that. We can decentralize that with credentials. I can give you a credential. You can interact with that service without having to backhaul that connection through my centralized identity and access management system every single time.

And that’s the big security point, is that it’s easy if you are delivering a service to your customers, it’s easy for me as a potential bad actor to know exactly where you’re going to authenticate, which gives me … I know exactly where I need to attack. So we can now fracture that with credentials. We can get rid of that dependency. We can even go so far as to put that identity and access management system behind the firewall and not even make it publicly viewable or accessible, which will really help reduce that threat surface.

And that’s not a heavy lift. That’s not a dramatic change from where we are today. It’s simply the application of verifiable credentials and the integration of that process into our existing IAM strategies that then allows us to change our fundamental business practices to be more secure and more streamlined. And if you take away the password requirement for your users on your service delivery, and just sit and back out, and what cost savings you enjoy from that, it’s pretty dramatic. Your help desk costs go down for password resets. The risk of exposure for the impersonation stuff we were talking about earlier goes down. There’s just a lot of advantages to doing that.

And that path is not … It sounds like it would take a big diversion to get from where we are now to that world, but it’s really pretty straightforward. And that’s the most exciting thing about it. There’s always a risk that we’re trading problems, that we’re just saying, “Oh, this is now a new set of challenges.” But in my mind, getting the identity information where the identity information belongs is never going to be considered a wrong move.

So I see this working as an organization is going to associate with me as an employee, not issue me, “Here is your identity.” Instead they’re going to say, “Oh, I see your identity. Here’s a credential that allows you to interact with me, with my organization.” And so it’s more of a technology partnership than today, which today is a very structured relationship. You are an employee of ABC, and here is the proximity card or whatever that controls your access.

And I see this as more of a natural thing. We’re all going to show up with our identity. That identity is going to receive some credentials that allow me to interact and do my thing. And when that relationship is over, we sever those connections, we revoke those credentials, whatever the case might be, and we both go on.


I’m tempted here to ask how is this different than federation. I don’t really want to go down a technical rabbit hole here, but I do want to pose the question. I don’t know if you think that it’s easy, but the shift may be a fundamental shift, but there are also things along the way that you could do that just help make this transition to be smoother. It begs the question, at least for me, how big of a change is this for big players like Okta or Ping Identity? And why can’t they just make minor changes to their tech stack to go after this decentralized identity and self-sovereign identity opportunity?


Yeah. Well, and they potentially can. There’s certainly no reason that those systems couldn’t be updated to support it. And this is really where IdRamp’s vision of the world is a little bit different than most other IAM vendors. So IdRamp doesn’t do identity. So we’re really good at orchestrating, and managing, and building policy for service delivery or identity integration, different identity sources with different services.

But we’ve never … And this was a very, very, very difficult decision to make. Many times we’ve come to the table and said, “You know what? Life would be so much easier if we just kept a copy of this identity for a user coming through, and we’d just treat our own identity as master.” But it was never the right decision. My vision has always been that the world has enough identity providers, and we just need to be smarter about how we use them.

So the biggest change that IdRamp brings is that we’re not treating an identity as something that we own and control, and then entitle services based upon. And so I think the challenge with a traditional identity and access management system is that very point. It’s that I can’t take someone coming in with their own identity or with an identity from another location, and still provide the same level of service delivery that I can if I’m controlling that user’s identity.

And so I think that’s where IdRamp is really kind of fundamentally different. And I think that’s where others will have some challenges with that integration, going forward. We look at the world completely open and say, “I don’t care where your identity is coming from or where it’s rooted. Just bring it in, and tell us where you are trying to go and what you’re trying to do, and we can orchestrate policy across that.”

So I think that’s one of the fundamental differences. And it is certainly different than traditional federation, which you touched on, which is I’m going to tie my thing to your thing, and then those are going to be … and then we’re going to do some entitlement based on that whole federation. We see the world a little bit differently there. We see the world more as a connected fabric of identities, and not necessarily a point-to-point connection.

So traditional federation is very centralized, point-to-point connections, and we see it as just a mesh. Why make 10 connections to 10 different identity systems when I can just make one connection into some larger mesh that can then help me facilitate communications with all of these other 10 systems?


You make so many great points, Mike. And I spent quite a number of years, way too many, managing, architecting, owning really, large identity management implementations for big companies in finance, telecommunications, the high-tech sector. You would know all of them.

And as an owner, and manager, and operator of the systems, I think one of the things that vendors tend to overlook is the need for management, how these systems are managed. And when you’re trying to manage hundreds of applications or thousands, really, if you factor in now IoT devices, edge devices, SaaS, and cloud, and APIs, that this problem has really exploded exponentially.

I used to say, “Why does anybody need standards anymore,” because at the end of the day, the enterprise has the burden or the responsibility to support all of them, whether you’re an OAuth, or a SAML, or a basic Auth, or whatever the case may be. Large enterprises have the responsibility to really support a lot of different ways of authenticating users.

And so Gartner has referred to this as an identity bridge or an access bridge. And your company, likewise, has some pretty deep expertise in the traditional identity and access management stack. What were the early indicators that decentralized identity and self-sovereign identity was going to be a big enough business problem to pivot your focus and your company, and allocate time and resources to pursue that? And then maybe tell us your story about how you made that pivot, and where you’re at today.


Sure. Without question, the promise of protecting the identity and access management stack was paramount around that concern. Once we really understood that decentralization … specifically verifiable credentials, which is the ultimate decentralization. That’s a connection. That’s a relationship between me and my consumer directly. So that still falls under the governance of the organization providing that issuance. They still have the ability to revoke, all of the different things that they can do with a traditional identity today.

Once we really understood that dynamic, then it became about protecting the identity and access management stack. So we can take, through credential management, and we can issue a credential, and we can send you out to interact with services, and do your service delivery experience without having to expose that identity system to each of those 100 different cloud services you might be integrating with. That’s a game changer for service delivery.

Also, not having to build those bridges. It is a very onerous process for the enterprise, right now. They have armies of people that sit around and do nothing but build SSO connections. Some are SAML, some are OAuth, some are OIDC. It’s a big vegetable soup of different technologies and things that we have to understand and learn. And verifiable credentials offers the promise of completely flattening that, and standardizing that, and doing exactly what TCP/IP did to the networking world in the ’90s. I’m showing my vintage a little bit.

But that’s the promise, so it can take away a lot of these complexities, and standardize. So I’d be lying if I didn’t say that password elimination wasn’t top-of-mind. I mean, I hate passwords. They’re just my … I’ve got so many, like you mentioned, that I can’t manage them. And it’s just a terrible thing. There’s so much bad that comes from passwords that they have to go away.

And since we’ve been living in this world of verifiable credentials, I’ve freed myself from a lot of passwords. All of our internal services and things that we interact with as an organization are all done through different credentials that are issued to me to control my access and entitlement level with the services that we use in the wild. And it’s so much easier. It’s so freeing for me to go and log in to Zoom by scanning a QR code instead of putting in a username and password. Things like that just are very, very freeing. So I have to mention that as a requirement, or [crosstalk 00:27:45].


Of course, I love it. It sounds … I think anything that helps organizations to improve their protection capabilities, their detection capabilities, their management capabilities, because that’s where they suffer. In our industry, we have less than a 1% unemployment rate, and you just can’t keep adding teams of SSO engineers and security engineers to manage this problem. If you offered that as a solution accelerator for large organizations who all have this common integration challenge, that you’re very well positioned.

So while preparing for our conversation, reading up on your website, it talks about what everyone is talking about: SSI, password elimination, SSO, identity management, and so forth. But what really stood out to me was this concept you’ve really narrowed down your marketing focus on decentralized directory integration, I guess as a service, which I was intrigued. So is this IdRamp’s approach to decentralized identity governance, or is it decentralized infrastructure and tools management, or both?




Well, it’s both. So IdRamp is an integration mesh or fabric that enables organizations with decentralized identity governance and credential management tools. So it can enable both the tool set as well as the government ecosystem on top of that. So it allows organizations to provide decentralized service delivery and policy orchestration across a wide range of infrastructure and services. And it really acts as a bridge that helps the organization gradually acclimate to decentralized economy forces that are influencing all aspects of their business today.


The centralized command and control models that are just becoming increasingly unsustainable in terms of cost and complexity, and with IdRamp, businesses can maintain distributive control over diverse ecosystems and adapt to market forces without the need to build more unsustainable identity sources, or services, and delivery silos.


Adapt to market forces, I really like that one.


And if we really boil it down, what IdRamp is trying to effect is, and where the decentralized infrastructure and decentralized directory integration came from, was the two big values that we provide is that we have the ability to make any existing identity management system on the planet, any one of them that can speak any kind of a native federation protocol, we can turn those into a credential issuer instantly. So by integrating with IdRamp, just as you would integrate with any traditional service, IdRamp can turn your identity and access management system into an issuer of verifiable credentials.

So all of the things we were talking about earlier, and I said it’s really not that far from point A to point B, this is kind of what I was alluding to. If you have a directory, Azure Active Directory, or whatever it is, and you want to start issuing verifiable credentials, IdRamp can allow you to just plug in and say, “Oh, you’re a member of human resources? Here’s a human resources credential that I want to assign to you and put in your digital wallet.” And then you can take that to the service and present that to a service as a proof that you are a member of my organization and in the human resources group.

The other side, as you can probably guess, the other side of that is for the service delivery side. So services like Zoom that I mentioned earlier, or take your pick, they really don’t have a firm understanding of verifiable credentials yet. There aren’t any that I know of that are saying, “Oh, log in with Google or Facebook, or log in with a verifiable credential.” It’s coming, but they’re not quite there yet. So what IdRamp did is we built the other side of that. We built for the service providers. Any service in the world, and any cloud-based service that can speak any kind of federation protocol can literally plug into IdRamp and provide verification services, become a verifier of digital credentials with that integration.

So we will speak natively the SAML, or OAuth, or whatever they require for their SSO connection. And we’ll do the translation and the verification against the ledger for the verification of that credential that’s been presented. So those are the two pillars, I guess, that we offer from a service delivery perspective, that allows us to go to an organization and say, “We can transition you from where you are today with an existing legacy IAM strategy, and help you evolve to a verifiable credential world.”


It’s becoming clear to me, it’s evident that you’ve put a lot of thought into this from a business, an ecosystem, and an engineering perspective. You talked about the policy ecosystem, a little bit ago. I am just wondering if you could elaborate. Is this something that you’re just brokering and doing protocol architecture? Does your platform develop its own proprietary way to stitch together and make policies interoperable? What do you mean by policy ecosystem, and how does it play a role in the decentralized identity and governance world?


Sure. So an ecosystem is a community of stakeholders, suppliers, distributors that are all involved in the delivery of specific products and services through competition and cooperation. Each entity in the ecosystem affects and is affected by the others, which creates a very dynamic relationship that drives a shared value through trust relationships. The policy ecosystem represents technology and human governance rules, regulations, standards and practices that bind an ecosystem to its strategic purpose.

So in a decentralized governance model, the policy ecosystem empowers diverse participants to join forces for their larger business objective. This includes a full spectrum of controls that range from machine-readable code as policy, into human governance dimensions. So by establishing this common ground, ecosystem participants can focus on intersecting value versus building walled silos that hinder business velocity.


So with this mesh that you’re talking about, do IdRamp customers have concerns or questions about trust and privacy when it comes to managing their policies and potentially other sensitive data? How are you addressing that issue of trust, and maybe even compliance with regards to third party risk management?


Yeah. I mean, customers, they constantly want to know better ways to protect and control their data across the many different systems and services that they use to deliver. And as we have seen, a single data breach can just destroy a brand, literally overnight. So the need to employ tools and systems that carry all of that sensitive information not controlled by the customer directly is increasingly gaining popularity.

So customers want cost-effective solutions that can give them security and trust controls that are very dynamic and move quickly. So, for many customers, the business front line is moving a lot faster than the security options, as we discussed before. And so keeping up is a constant challenge. Those are the things that keep people up at night. These are keeping our customers awake trying to figure out how they can be dynamic enough in the security and protection of this sensitive data.


So your company was a sponsor for the Nonconformist Innovation Summit, and we had keynote speakers like Ann Cavoukian. And one of the big focuses of the keynotes in the morning was privacy by design. Do you have thoughts about that? You mentioned dynamic controls for privacy and risk. Were these principles taken into consideration in how you managed the data, or are they just implicitly baked into the Sovrin Foundation’s protocol for managing decentralized identities?


Yeah. No, we’ve given a lot of thought to that. And if you think about IdRamp and the platform that we built, everything in there is based on privacy by design. Our platform provides the customer the ability to orchestrate the entire service delivery flow. And by that, I mean they can choose, “Here’s the service that we’re trying to deliver. Here is the one identity solution that we want to deploy, or here are the 10 that we want to deploy, or here is the one with multifactor.” I mean, everything we do is about allowing design of the delivery experience and very highly customized and tailored on a per-service basis for our customers and clients.

So we firmly believe in the ability for the customer to kind of design his own security using a common set of tools, which is why Trust Over IP was so fascinating to us when we became involved in that, because it’s really the fracturing of this very static mold that everyone had to abide by. And now we have layer one utility networks, and it doesn’t matter which one you use. They’re all going to be compatible with the technology.

We have the verifiable credentials, and it doesn’t matter which vendor you use to issue or which vendor you use to verify. They’re all going to be compatible. And so it’s a total game changer from the design perspective because it puts the enterprise now back in control of the things that really matter, the business processes and the policies that help them effect a more effective service delivery.


Just back in May, you were one of the founding members of the Trust Over IP Foundation. As we kind of wrap up here, coming up at the top of the hour, I’m just curious what’s next for IdRamp that Trust Over IP digital trust ecosystem is going to enable and accelerate solutions and delivery for your customers and for businesses?


Sure. Yeah, and we’ve talked about it a little bit, but Trust Over IP really standardizes the decentralized identity and credential management trust principles that operate at the heart of IdRamp. By establishing the industry standard for digital trust, IdRamp can provide businesses with a clear path to fortify and transform digital business strategies.

IdRamp provides the trust ecosystem implementation and operation tools that businesses need to adopt a better trust model. This will lead to new business models with less risk and more focus on the bottom line. Trust Over IP provides a repeatable pattern of trust that IdRamp can enable across all service delivery models.

So we see that a lot with our customers today. They get a repeatable pattern, and they say, “This is a level three security application, and here’s what it looks like.” And allowing the orchestration of that repeatable pattern across disparate services and disparate identity providers is very empowering for the organization.

And when you couple in with that the power of the verifiable credential to help secure the actual data source, and abstract, really, the service, the things we didn’t even hit on, the cost savings of not being responsible for integrating all of those different services back to an IAM. Or what happens when that IAM changes, and what’s that process look like? Now we have to go and reconnect hundreds of services. So that’s really the promise, and where we’re seeing our most traction is that organizations are really able to focus on the standards and focus on the security, as opposed to focusing on a lot of the integration work that they’re doing today.


Really appreciate you sharing these insights. So, for the audience and podcast listeners, what would you imagine being the next steps in terms of evaluating or getting started in a pilot or issuance and management of verifiable credentials? What would your guidance and direction to them be for getting in contact with someone at your company?


Sure. I’d say head on over to the website, idramp.com. You can download the IdRamp application in the app store for iOS or Android. It’ll walk you through issuing you your first verifiable email credential, which is just a simple verify your email address, and you’ll have a digital credential that you can use for accessing services. IdRamp does have the ability to just … you could just sign up. And if you have an identity management system you want to connect, it’s very, very easy to connect up an existing identity management service and actually try it for yourself.

We have a number of whitepapers and videos, things that will help understand what the technology is all about. And we’re always anxious to work with proof of concept projects or pilot projects for organizations. Generally, our approach is turn it on and let it sell itself, because it’s so easy to integrate. Nothing that we do is code-level from the organization perspective. So if they know how to configure a typical SAML service, for example, they can integrate IdRamp in 20 minutes and actually be issuing credentials based on their metadata, and trying it out. So, very excited to work with anybody that has interest in giving it a try.


Sounds great, Mike. I just went to the Apple Store and did a search. So Passport by IdRamp definitely shows up there. Downloading it now. Mike, thanks for joining the show. I really appreciate you taking the time to talk and share your insights.


Awesome. Well, thank you very much. And congratulations on the summit. It was very well done and went off without a hitch. So I appreciate being part of that, as well.