Castles, Moats, & Clouds: Modernizing your Legacy IdP to the Cloud
The era of multi-cloud is here and here to stay. Strata’s mission is to help enterprises manage the shift from legacy identity systems to the cloud or multi-cloud. In an interview with “Digital Anarchist” Michael Vizard on TechStrong TV, Strata CEO Eric Olden uses the analogy of castles and moats to describe today’s split between securing applications on-premises and securing them in the cloud, and explains why Zero Trust architectures and legacy identity systems don’t mix.
Orchestrating legacy identity systems to the cloud
“Strata has a mission to create the first Identity Orchestration Platform, and we’re going after the multi-cloud world. So, we’re solving the problem of identity and access that enterprises have when they run their applications distributed across multiple cloud platforms.”
“What is the orchestration challenge?”
“When you talk to an enterprise, the question is not whether they are going to the cloud — they definitely are. The question now is, which clouds are they going to? Three is the average [number of public clouds] we see, and as many as seven.
Each time you move to one of these cloud platforms, it creates a new silo of identity. And that’s because each cloud platform comes with its own identity system, which means figuring out how to manage the people and the applications on that cloud. So as you get more cloud platforms, you have more things you need to manage. And because you are managing identities, it’s really the crown jewels [for cybercriminals]: how people access applications and data.
So the challenge is how do we do this in a consistent way when all of these systems are running in separated, distributed, non-compatible identity systems? Strata isn’t replacing identity systems like Okta or Active Directory. What we are doing is making them work together.
That way you can orchestrate your identities and your policies consistently across these different identity systems and the identity systems built into the cloud. This is why we call it identity orchestration. It’s the way to solve identity in this distributed multi-cloud world.”
The two axes of identity in multi-cloud
“Identity today isn’t just about people. You are also talking about applications and microservices and maybe even the individual infrastructure. How far do we take identity?”
“The way that we think about identity is on two axes. The first one is the east/west. For instance, how do you manage identity for users across Okta, Azure Active Directory, Amazon, and VMware? So you’ve got the same thing across multiple platforms.
The second is the north/south axis, which is your application tier, then the platform-as-a-service (PaaS) tier, where your microservices and APIs are, that you need to think about. Then there’s the infrastructure-as-a-service (IaaS) tier underneath that, where you are concerned with how your compute resources, storage, and infrastructure are configured. Identity is both east/west and north/south. It’s everywhere.
The ultimate goal of what customers are looking to accomplish is zero trust architecture. It’s a new way of describing a highly distributed environment, where you can’t trust or rely on the fact that you are behind a firewall. Instead, you have to assume that if you’re running on the public internet across different cloud platforms, you are going to have a hostile network.
So identity becomes the new perimeter, because the identities, the users, and the applications are now out there instead of being inside the firewall. You need to approach identity in a distributed way, as opposed to the approach in the past, which was to put everything in one big system. It’s all decentralized, so don’t try to bring them all together; manage identity where it is, which is in these different, distributed systems.”
Castles, moats, and clouds and moving legacy identity systems to the cloud
“Do you think that this whole notion of perimeters, castles, and moats is pretty much bygone? It just doesn’t seem to be working.”
“Our figurative castles and moats still exist and add to the identity management challenge. For the foreseeable future, 75% of applications and data still reside behind the [organization’s] firewall. It’s going there [to 100% cloud], but today there is a lot of stress between how to manage things on-premises and how to do things in the cloud. So we are really helping enterprises make that transition to the cloud and enabling them to extend that existing investment into the cloud, to make the old and the new work together.”
The DevSecOps relationship to identity management
“Do you think this shift towards identity is part of the whole DevSecOps movement? Who’s going to drive this — is it the developer or is it the security team, and what’s the relationship?”
“DevSecOps is a huge driver in our business. It’s been coming for some time, where we see shops roll into infrastructure-as-code (IaC) or identity-as-code. So we’ve got to move everything behind APIs so that you can roll out things like continuous integration and continuous deployment. So when you look at the DevSecOps world, you have a very dynamic, API-driven experience. That’s very aligned with Strata’s software architecture.
We’ve taken identity, and we’ve made it work for this new infrastructure-as-code model. We’ve wrapped all of the complexity of identity in a very declarative model. So if you are familiar with how Kubernetes or how Terraform works, you have an intent-based configuration: this is what I want to have happen, and then Kubernetes or other software carries it out.
Strata has done that with the identity layer, and we think that that’s going to be a huge game-changer as more shops move into this DevSecOps world. They’re going to need something that works within their toolchain and their processes, and that’s a big part of what we’ve done with our software.”