An Interview With Ned O'Leary
Hiya,
This is another in my series of interviews about the future of CIAM from experts in the space.
Ned O’Leary is co-founder/CEO of Tesseral, an early-stage startup that builds open source auth infrastructure for business software. Ned and co-founder/CTO Ulysse Carion previously launched SSOReady, an open source middleware for SAML and SCIM.
Ned previously worked at recruiting software startup Gem, spent time at the Boston Consulting Group, and dabbled in SaaS VC at OpenView Partners in Boston. Ned lives in San Francisco, CA, where you can often find him at Crissy Beach with his puppy, Fred.
I’m excited to hear Ned’s views on CIAM, identity, security, and more.
Dan: What problems do you see customer identity and access management (CIAM) solving for your customers?
Ned: CIAM can serve a variety of needs, but it consistently does two important things well:
1. Helping customers focus on excellence in their core product.
2. Improving customers’ security posture.
Our customers, many of whom are developers, have a series of options for CIAM, as is the case with other categories of infrastructure software. Customers rarely opt for a vendor by default; they’ll at least consider building something themselves, especially if their needs appear simple.
Customers tend to approach us when they perceive a homegrown solution, or a potential homegrown solution, to be untenable. They’ll choose a CIAM vendor like Tesseral to relieve their maintenance obligations, improve end user experience, and expedite time to market. In short, our customers want to focus their limited time and energy on core products.
Of course, CIAM confers major security benefits. Dedicated vendors anticipate common attacks and build solutions into their products (e.g., simply checking Have I Been Pwned). CIAM vendors often make subtle design decisions that confer security benefits. We, for example, will simply reject SAML assertions that do not conform to established conventions. Moreover, vendors can handle complex security features that only the largest or most sophisticated companies would consider building internally, from continuous authentication to bot protection to adaptive MFA.
The way we see it, CIAM exists to help customers build polished, secure products.
Dan: What are the major challenges you see with CIAM (in the industry, in implementation, etc.)?
Ned: I encounter one persistent challenge over and over: our industry struggles to communicate effectively. I think there’s a huge opportunity for us to do better!
Prospective customers often tell me that they’re confused. They can’t figure out what different identity products actually do – much less whether a given identity product meets their requirements. Even very technical, experienced developers will struggle. They can get stuck with concepts that feel foundational to CIAM experts, like “what’s the difference between SSO and SAML?”
It’s really not their fault, either.
Our industry recycles jargon that is inaccessible to most people. We drop opaque initialisms like ‘JIT’ or ‘RBAC’ or ‘ACS’ on people instead of using simple language. Too often, security leaders inadvertently lose empathy for people that are dipping their toes in the metaphorical water, just trying to make sense of the basics.
I think identity experts – like technical experts in many fields – can develop an affinity for detail that doesn’t help much, bordering on pedantry. Striving to be technically correct in documentation, experts will sacrifice clarity. I hope our industry can get more comfortable making practical recommendations. Often, that means we should say something like “You don’t need to worry about that yet.”
We can reduce cognitive load for developers with clearer communication. I see a few ways we can do that:
1. Use less jargon. Avoid initialisms when possible. Write simply.
2. Fill in the blanks. Don’t assume that customers know what you know.
3. Issue practical recommendations. Avoid the impulse to always be technically correct.
Dan: What excites you about the future of CIAM? Any predictions?
Ned: I’m not really fond of making predictions, but I’m confident in two things:
1. Developer productivity has never been higher – yes, largely due to AI.
2. The need for software to establish identity isn’t going anywhere. Software will probably change a lot, but you can’t just serve up arbitrary data to anyone.
We’re in the earliest stages of a dizzying boom in software production. We who make software infrastructure will probably ride the wave a bit.
For example, we at Tesseral are seeing enterprises adopting AI-first software applications from really early-stage startups. We’re seeing those early-stage startups scramble to match customers’ demands for boring but important enterprise features, like audit logging. For companies like ours – companies that provide those features as an infrastructure offering – it’s a really exciting time.
Put simply, I expect CIAM will get a lot bigger over the next decade. I imagine that could mean new standards, more specialization, and higher customer expectations. I assume we’ll see a different distribution of market share among vendors – with a bit of a shake-up in the dominant players.
It’s hard to say exactly what will happen, but it’s exciting!
Thanks again to Ned for sharing his perspective, and thanks to you for reading!
Dan