Why consistent identities & policies are needed in a multi-cloud world [Webinar]
On demand webinar: “Why Consistent Identities & Policies Are Needed in a Multi-cloud World.” Jack Poller, Senior Analyst for Identity Management and Data Security at ESG, unpacks ESG’s research around the biggest identity management issues organizations face today.
Transcript
Mark Callahan: Good day, everybody. Want to thank you all for joining us in our conversation today with ESG. Our topic today is going to be around why consistent identities and policies are needed in a multi-cloud world. And you’re probably wondering what we mean by that? And that’s the point of our conversation today.
I’m Mark Callahan. I’m the head of product marketing here at Strata Identity. And with me today, I’ve got Jack Poller from Enterprise Strategy Group (ESG). He is a senior analyst on the IAM and data research side of things. Jack, can you tell us a little bit about yourself and how you came to ESG?
Jack Poller: Sure. I’m an industry analyst covering identity and access management. I’ve been with ESG for about 10 years now, covering various different aspects, mostly focused on cybersecurity. Now I’m focusing exclusively on identity and data security. My formative years were spent as an engineer doing hardware and software development, in the low-level enterprise IT space, covering storage networking, 3D graphics, multiprocessor chipsets, and security products. And so through my career, as an engineer, then becoming a marketer, I became an analyst with ESG.
Mark Callahan: Definitely covered a lot of ground during that time and, as you and I were talking just before the conversation at Strata, our focus is around Identity Orchestration. That’s very much the idea that in a distributed cloud and hybrid world, there’s this need for coordination of identities across different platforms.
And it’s not just identities, it’s also policies. But as we thought through this idea of both Identity Orchestration and Policy Orchestration, we’d love to get a little bit of your perspective on some of the findings that ESG has seen for the need for this type of coordination across both identities and policies themselves, and would love to hear some of your thoughts about where we are.
Jack Poller: Absolutely. We do a lot of research and demand-side research, understanding what the user community is actually doing and needing and wanting with their IT environment. And one of the things we’ve discovered is we’re now in a multi-cloud world. So in the last four or five years, we used to talk about how companies are going to go to the cloud. Are they starting to use the cloud and cloud services?
And we’re way beyond that, as far as the conversation. It’s now not only that companies use cloud products and services, infrastructure as a service, platform as a service, and software as a service (IaaS, PaaS, and SaaS), but they do so almost exclusively these days.
So if we look at the data, it says that most organizations currently use public cloud services — the research says 95%. I actually think that’s under-reported. The last company I talked to that didn’t have any cloud products was a small sheet metal fabrication company in Santa Clara, California.
And they had about 10 people and they were running off of an accounting system that was last updated in like 1993. And they had ancient computers that barely ran, and they eventually had to move their email system to Google email. Then they became cloud users. So yeah, pretty much everybody uses the cloud.
Our data says that almost half of organizations not only use the cloud but are really cloud-first companies, which means that any time they decide that they’re going to do something new, their preference is to do a cloud-based application server or service. And only if they can’t make it work in the cloud, will they do something on-premises.
Mark Callahan: Sure. Take advantage of the resources and the benefits of these cloud-available services, because they’re here now, and there’s no reason to go back to a traditional IdP or identity platform.
Jack Poller: Exactly. And we all know there are lots of different benefits, and we’re not going to talk about really why people choose the cloud, but just understand that not only do they choose the cloud, but particularly for the infrastructure as a service users, the people who are using, say, Amazon S3 services or Google Compute, or the database services that Amazon and Google and Microsoft have, 80-plus percent of those companies use multiple cloud service providers. And they do so for a variety of reasons, which we can look at.
But one of the other things that we’re looking at is not just that they use the cloud, but what are they doing with the cloud? So when we talk to companies today, about 40% of them have apps running on-premises, 32% have their apps in the cloud, and roughly 30% have apps that are entirely internally developed but still cloud-hosted.
So more than half of their applications are running in the cloud. And these are their business-critical applications. Two years from now, they predict that they’re going to have more of their on-premises infrastructure moving into SaaS apps.
And it’s a small shift, going from 32 to 35% of SaaS apps, and the reason is just that these things are difficult and they take time to move to the cloud.
But the COVID pandemic we’ve noticed has accelerated people’s efforts to move to the cloud because of work from home. And it’s easier to get people to access stuff when they’re SaaS apps than when they’re internally hosted on-premises.
And when we talk to companies and say, okay, now we talked two years, 24 months out; when we say, okay, what’s going to happen in five years, where are you going? Most of their on-premises applications are going to move to public cloud services. Either they are a potential or a strong candidate to move to a public cloud.
There’s going to be a small portion that isn’t going to move for a variety of reasons, mostly because they’re ancient rusty legacy apps, like the sheet metal guy I was talking about, where the cost of refactoring or moving that application to the cloud is much more than the benefits you get from moving it. So there are some that just won’t move, but the majority are going to move to the cloud.
Mark Callahan: So if we think about it, it’s probably fair to say that while there’s certainly this multi-cloud world, and we’re continuing to become even further multi-cloud, there’s always going to be this element of a hybrid world as well.
There are going to be on-prem resources and applications that either need identities supported or perhaps identity services mapped to that, like passwordless or something to protect those since they simply aren’t candidates to go to the cloud.
Jack Poller: Yes, that’s correct. So sometimes companies will put a front-end wrap on an ancient rusty application; you still need to protect it. You still need to listen and understand what’s going on. So you’ll have some way to do an MFA or something in front of that application to ensure that only the people who are supposed to have access to it can get to it.
When we look at just that infrastructure section, where people are using infrastructure as a service, more than half of the companies we talked to say that they use three or more cloud service providers. And more than two. So this is the multi-cloud part of it.
Companies choose to use Amazon, Microsoft Azure, Google Cloud, as well as IBM, as well as Oracle, as well as HP and these others, and they do it for a couple of reasons.
One, one vendor might have a feature they need for one particular application. They might get better costs on one versus another, or they want to make sure that if one goes down, they have reliability: if one service goes down, I can still use the other service.
And while these things don’t go down a lot, we have seen instances where there’ve been major outages for one reason or another, with an Amazon or Google or a Microsoft.
So again, what we see is companies tell us that half of them have one that’s a primary and one that’s for something very specific, a discrete use. And half the companies say that it’s a strategic decision to have multiple cloud service providers.
Mark Callahan: One of the things that we’ve heard at Strata as we work with our customers is that oftentimes there’s this 50/50, which I think you all have certainly seen here.
We’ve also heard this thing of there being both deliberate and unintentional cloud adoption, where we see certain departments, for whatever reason, choose a certain cloud service because it’s appropriate to that department.
And then all of a sudden it becomes mission-critical and IT teams are required then to support additional clouds. So, the intentionality is also interesting.
Jack Poller: Which is part of why I said that first step, where we said 95% of companies have a public cloud. That’s why I think that’s undercounted, because there’s what we call shadow IT.
There’s always somebody doing something that you don’t know about. It’s in the cloud because it’s quick and easy and they can, or because you hire somebody who did a project in a cloud. You might be a Google shop, but you hire somebody who did something in Amazon.
And so when that person comes on board, they’re like, “Hey, it’ll take me five minutes to set this thing up and we’re up and running on Amazon.” And now we’re multi-cloud. We didn’t plan it, but now we’re here.
Mark Callahan: And glossing over that five minutes, they’ve also set up a bespoke identity system that is unique to that particular platform. Glossing over how easy it is to do, somehow we’ve got these different identity stores that come with that too. In addition to identity, how about data? Let’s talk a little bit about sensitive data.
Jack Poller: So the key here is there’s a ton of data scattered throughout. In a multi-cloud world, what happens is we’ve shifted from having a single storage silo or a couple of storage silos, even in an on-premises storage environment to multiple stores or silos scattered throughout the multi-cloud world.
A third of the companies have cloud-resident sensitive data. It’s sitting there; they know what’s there. About a third of the companies have data there, and a third of their data is in the cloud. In 24 months, it’s going to shift: two-thirds of the companies are actually going to have two-thirds of their sensitive data in the cloud. So we’re going to see a massive shift to have more and more sensitive data in the cloud, less and less sensitive data on-premises, but it’s still going to be on-premises.
So again like the multi-cloud world where it’s really a multi-cloud hybrid, it’s the same thing. Here we have data scattered all over with silos of data. You might have data in an S3 bucket. You might have data in a SaaS application like your HR application.
You might have data in Salesforce — an application. And you’re going to have your internal databases that are running, maybe something internal and of course your file storage, that’s local to your on-premises data storage.
So you’ve got this data scattered all over the place, and that data needs to be protected. So what we know is that today, a third of the companies know they’ve lost cloud-resident data. Now we asked this question two years ago, in 2020, and less than 20% knew they lost cloud-resident data. So we’re now seeing that more data in the cloud means more risk of losing that data.
What’s even scarier is that almost 30% don’t know they’ve lost data but think they’ve lost sensitive data that’s in the cloud.
Mark Callahan: I get heartburn, just reading that statistic and just thinking about this, it’s the fear of what you don’t know. It truly is. If you don’t understand what the environment looks like, how can you know what you’ve lost?
Jack Poller: And part of that comes in, and that’s where we’re going. We’re going to dig into this a little bit, but if you don’t know where your data is and you don’t have the correct access policies and identity policies around that data, anybody can access it and it can go on a walkabout and disappear, get exfiltrated from your company. That’s one of the big challenges companies face.
So when we say, if you lost data or you think you lost data, how did you lose your data? It’s your users. So the biggest thing people tell us is users are careless with their data. They misclassify sensitive data as not sensitive, and they have sensitive data that gets onto their personal devices or is accessed by remote work-from-home users now.
And they’ve got over-permissioned roles that have access to the data. Those are the top things. This is the users, which really equates to identities, which is why companies lose sensitive data. It’s a big problem.
Mark Callahan: Like app developers. As you think about it from the developer’s perspective, what we’ve heard very specifically from companies is that app developers are more concerned about the functionality of the app than the identities themselves. And so oftentimes it’s an open gate as they set up their apps, assuming that someone else is going to be handling identity. They don’t want to be involved with that. And so that speaks to those points you just made.
Jack Poller: Yeah, that’s the dirty little secret of app development. As I said, my background is in engineering, and developers are judged by, and compensated for, functionality: completing functionality, getting the product up and running and working. So the dirty little secret is that security of any form, particularly identity security, is an afterthought for app developers.
And we need multiple ways. The common phraseology we use is a belt-and-suspenders approach to securing things, multiple ways of securing it, also known as defense in depth, having multiple layers of security.
So what we know is when you have sensitive data in the cloud, it becomes a target for attack. So we know users are how we lost the data, but why did we lose the data? Three-quarters of organizations report that they’ve had an attack and they’ve lost data; they’ve either had a security incident or an attack, and that’s why they’re losing their data. So what’s the result?
What are the attacks that they’re getting? Well, they’ve got overly permissioned cloud services and applications, they have somebody who’s got a targeted attack that’s trying to penetrate their organization, they’ve got a misuse of a privileged account, or compromised user credentials.
So these are all, in one form or another, identity-related attacks. Those are the prime ways that people get attacked. Software vulnerabilities are in there, but they rank just a little bit lower. So when people are concerned about software vulnerabilities or configuration vulnerabilities, that’s not as important in terms of the attack chain.
What people are actually doing is the primary attack chain is through an identity. And that’s actually the biggest attack vector these days. This is ransomware. Ransomware almost always starts through an identity-related attack.
Mark Callahan: And almost a commercial for Zero Trust posture here, as we think about going from this open gate and open door that developers often leave open for everybody. How do we quickly control it? And it’s cutting off access to all and selectively allowing them. But then we started looking at the identity silos that we discussed and we looked at the application and data silos. How do you go about that with all these different vendors?
Jack Poller: And, the key for this is why Zero Trust is so powerful, but the key for Zero Trust is you can’t decide if somebody is authorized to access something until you know who they are and you’ve authenticated them. So the fundamental atomic unit of Zero Trust is an identity.
You must have an identity before you can move to Zero Trust. And that sort of gets to the next topic we want to talk about is how do we access our sensitive data. So what we know when we talk to these companies is that 82%, which is a huge number, report that their full-time employees have access to sensitive data.
So it’s really a free-for-all. The fact that you have access to it doesn’t mean you should have access to that. And this is so wrapped up in that concept of Zero Trust is another very important concept, which is the principle of least privileged access.
We should give our employees access to only that which they need to complete their job, and no more. If you don’t need this to do your job, then you shouldn’t have access to it. And so you see now employees are the big stick-out here, and that’s what everybody thinks about, but we also know that all of these other groups, business partners, supply chain, primary contractors, customers, these other types of people have access to your company’s sensitive data.
Should they? Your answer is almost always no; they should be eliminated.
Mark Callahan: If you’ve given them access one time, should they have access the second time? Or what other factors could put them at risk? Even in the course of an existing session, are all of a sudden things hijacked along the way? But yes, it just seems again like this open door scenario, where from a visibility perspective, you don’t know which doors are open.
Jack Poller: So understanding, again, this goes back to a hybrid multi-cloud world where we’re using SaaS, we’re using infrastructure, we’re using PaaS.
We have all these different types of people who need to access data. Do we know who they are? Have we authenticated them? Have we authorized them to access the data? Do they have the correct permissions? Do they have an over-permissioned account? Should they be accessing the data? What are our policies for it?
What do we do when data gets exposed? What do we do about personally identifiable information (PII), social security numbers, or those types of things? So just for the companies: if you have a free-for-all here, and everybody has access to everything, clearly you haven’t set up your policies and defined policies to understand who’s supposed to access what.
Mark Callahan: And not introducing too much friction, such that in the same respect you’re preventing people from doing their jobs. And so there’s that balance of the appropriate amount of friction, based on the sensitivity of the data or resources, against…
Jack Poller: So, does the user have permission to access something, and if they discover they need that in order to do their job, do they have the ability to quickly get access, push a button and call somebody? So nowadays what typically happens is an entirely manual process. You call in and you say, hey, I need to get access to this data piece, whether it’s in Salesforce or in whatever. And they say, oh, I have to go check with the manager and get three sign-offs and 14 steps in order to get approval to give you access. And then we have to go through the manual process of saying, okay, let me update your account to give you access to that.
And in a SaaS app, that could mean changing your account type, which may even incur more money. That frictionless part of it is important, which is why companies over-provision accounts: because they’re not necessarily aware of the risks we’re talking about.
And then they say it’s just easier to give people access than to deal with somebody complaining that they don’t have access, and with the amount of effort and time it takes to change their access.
Mark Callahan: That’s really interesting, because then you think about the scale of that within an organization. It’s not just an app-by-app and even resource-by-resource basis within those apps; you’re going to be multiplying this by 20, 30, 300, a thousand applications, and ultimately it’s a scale problem here. A scary one.
Jack Poller: Absolutely. And again, like I said, that scale problem is why people provide open access, because it’s easier than limiting and dealing with the consequences of limiting access.
So as we talked about, overly permissive roles are common, and it’s what we call expanding the attack surface. That means that the more data somebody can get access to, the more data can be attacked and exfiltrated, right?
So approximately 30% of the companies have somewhere between 30 and 50% of their users with over-permissioned accounts and roles. Now, this could be anything from you having access to data you shouldn’t, to you having superuser privileges when you’re not an admin, which can be extremely dangerous if somebody can get access to your identity, and then they have what we call the keys to the kingdom.
Mark Callahan: Exactly. And in controlling that, there may be GDPR requirements about who has access to what data on a geo-specific basis as well. And so it’s not just maybe a security risk, but there could be a regulatory risk in some of this as well with these overly permissive roles.
Jack Poller: And the cost of exposure can be not only the actual cost of exposure, if you lose personally identifiable information, but if you’re in Europe, you have a GDPR exposure, which can lead the company to fines.
If somebody takes that data home on their laptop and the laptop gets stolen, you’re not just out a laptop; even if nothing happens, you have a GDPR exposure. And if you don’t report it properly and get notified properly and do all the right regulatory steps, then you’re exposing the company to massive fines.
Mark Callahan: And all this keeps going back to identity and policy.
Jack Poller: So when we look at data loss, a lot of data loss comes from misconfigured cloud services. And if you think about it, if you remember the Capital One credit card company that was attacked, that was because they had a misconfigured account. They had an admin who left the company and, even though she left the company, they never canceled her accounts.
She was able to get back in and do stuff. So they had a misconfigured and actually an overly permissioned role, because that account should actually have been terminated when she left the company, but it wasn’t, and they had a massive exposure, costing them a huge amount of money and a huge amount of customer goodwill.
Those who report data loss may likely have discovered a range of misconfigured services, over-permissioned accounts, unencrypted data, resident data that is accessible to more users than intended (another form of over-permissioned accounts), and the other one, a lack of MFA, multi-factor authentication.
So we know a lot about protecting accounts, and MFA, multi-factor authentication, is key. Passwords are weak and are easy to break for a variety of different reasons. Traditional multi-factor authentication, where you use a second factor that gets sent to you by an SMS code, a text to your phone, is actually also not very secure.
The bad guys figured out ways to either social engineer you into giving up that data or actually get it because it’s unencrypted and easily accessible. Plus you can spoof it. There are a lot of different ways. So there’s a lot of new technology, which all falls under the rubric of passwordless authentication.
Mark Callahan: You mentioned something at the beginning that I was going to call back on here, which was around protecting those legacy applications. There are certain applications that are never going to move, but in the same breath, how do you protect those?
And that’s one of the things at Strata that we’ve found is incredibly valuable to our customers: we have abstracted identities and policies away from the applications themselves so that you can, as you pointed out, layer on that protection in front of a legacy app that might not otherwise be able to accept it, and do it without rewriting the app. And that’s where we’ve seen some incredible need, because otherwise you’re leaving all of this huge percentage of your hybrid environment.
Jack Poller: And that’s a key, because the only other way to protect those types of applications is really to lock them down almost to the point where they’re not usable. If you restrict all the accounts to not really having access to the sensitive data, then those internally developed, internally accessible applications lose their utility for the organization.
People think about “how do I put a firewall around it?” but firewalls really aren’t sufficient anymore. And VPNs aren’t sufficient anymore, because we have so many people doing work from home. And the authentication and authorization you get through the firewall, is that enough? It authenticates the person doing the access, but doesn’t authorize them to get access to the appropriate amount of data.
So just because you have a firewall or are using a Zero Trust version of a VPN for remote access, that doesn’t mean you’re giving somebody the right level of access to the data on this internally hosted application, which may be old and rusty and doesn’t really have a way of limiting people’s access. It may basically say there’s exactly one level of access, which is all, because it’s a very old application. How do we do that?
So having some other way to authenticate and authorize people to do something with the app is very important. Otherwise, you’re at risk of getting compromised in one form or another. So when we look at the identity challenges people have when they want to implement identity and access management solutions to solve some of these problems, the big issue, the biggest issue people have that’s really important, is maintaining security consistency.
Particularly when you have this hybrid multi-cloud world. You need to go across both your own internal on-premises environment and multiple clouds and SaaS providers. So every IaaS and SaaS provider has their own view of what an identity is and their own view of what the policies that you can put in place are.
You then have to have a consistent security policy that says this person, say you, Mark, can have access to this type of information, regardless of how you’re getting that type of information, whether you’re doing it through a SaaS app, an infrastructure-based app, or an on-premises app. It still needs to be able to say that because you are Mark, you’re a marketing guy, you shouldn’t have access to any HR data, regardless of where that HR data is. You shouldn’t see anybody’s payroll. So how do you apply that policy? How do you develop that policy and then apply it consistently? And that’s a big challenge.
Mark Callahan: Absolutely. And I even see that complex IAM combinations make it difficult. As we’re thinking through how you secure applications, resources, and data, oftentimes it’s a combination of vendors. It’s an identity-proofing organization. It’s a passwordless company. And there are five or six different things that need to take place to protect a modern application.
And the question comes up, how do you orchestrate what’s taking place throughout that session, across all of those different vendor solutions, to have a quick and frictionless experience? And thankfully that’s, again, another very strong value proposition of what we’re doing on the identity orchestration side: allowing that mix of vendors, or the coexistence of multiple authentication solutions, to enable that.
Jack Poller: Yep. And people will say, look, what about SSO, isn’t that what single sign-on is doing? What single sign-on is really doing is touching on a very small part of that problem. It’s removing friction for the user and providing a consistent way of authenticating a user, saying this user is who they claim to be. Again, it doesn’t give you that authorization. That’s the authentication portion. It doesn’t help you maintain that security policy across your environment.
It doesn’t help you set the policy either. It’s only a very small piece of the challenge people are facing. The other part of this is that when you don’t have security consistency across your environment, then maintaining compliance with all your regulations and laws becomes very difficult.
If you can’t define who is and who is not supposed to have access, then you can’t maintain compliance with things like HIPAA, the health insurance privacy regulations, or SOC 2 security compliance, or any one of the other regulations. All of those assume you have the ability to define who has access to information and who does not.
So if your challenge is you can’t do that consistently and correctly, then you can’t meet any regulatory requirement, and you will fail audits consistently; that consistency will move to failing your audits and not meeting your regulatory environments rather than to your security environment.
Also, then you look at some of the other challenges companies have: they don’t have the ability to maintain a single identity, and updating roles and privileges is hard. So there are a lot of identity challenges that fundamentally come down to the fact that we’re in this multi-cloud hybrid world.
Every single platform we deal with, whether it’s on-premises, it’s a SaaS app, it’s a PaaS environment, or it’s an IaaS infrastructure environment where we’re developing our own apps on it, all of these different environments have their own concept of what an identity is. They have their own concept of security policies, of authorization and access associated with the identity.
And that makes it extremely difficult to manage your identity platform, to manage your identities, to set policies, to have a consistent view, to have a single identity for people across the.
And one of the other keys, and a small portion of our respondents talked about this, but it’s an important part, is that the current directory service doesn’t provide native support for all the cloud services.
So if you try to use a single directory service, particularly if you’re using something that’s traditional on-premises-based, having that on-premises directory service map to the cloud can become very difficult for the older companies that have this big footprint that uses Microsoft Active Directory or some other on-premises directory.
Mark Callahan: SiteMinder.
Jack Poller: It can be difficult to map that into all the new cloud stuff that’s happening. So what are organizations looking for? They need a unified strategy, right? We need consistency. We need to have tools that really help us manage the identities in this huge multi-cloud, hybrid cloud world, and that’s really what companies are looking for.
So one of the keys that companies are telling us is that identities used to be managed basically by the app or infrastructure owner. So you would have a SaaS app, say Salesforce, and the identities involved in Salesforce would be managed and owned by whoever was managing the Salesforce app. And that would typically be a different person or a different group of people than those managing your on-premises identities, and still another group of people would be managing your infrastructure identities.
And you might actually have a different group of people managing your AWS environment and therefore AWS identities from your Google identities or your Microsoft Azure identities. So companies now are saying, look, we’re going to shift these teams to become a unified IAM team. So we’re going to have one team that’s really going to start owning identities throughout our IT footprint, regardless of where it is. That team is going to centralize and unify identity and access management and therefore policy management.
So now step one is to get the right people doing the work. Step two is to say, how do we get to a unified view of identities? And that is: we want to go to cloud-based identities and a cloud identity store of some form or another.
So a majority are looking at moving to a cloud-based directory service. They either are, or are going to move in the near future, in the next 12 to 24 months. And that’s because having a cloud-based identity store allows them to have a more unified management environment for identities that are spread throughout a footprint that’s hybrid, multi-cloud, on-premises, and in the various different clouds, all at the same time.
But there’s a big challenge there. Identity information is really your crown jewels. As we said, this is where ransomware attacks occur, through identity attacks. This is where most of your sensitive data attacks occur in the cloud. And the users are the losers, because they lose data.
And it’s all related to identity. So some companies are hesitant to move to cloud-resident, cloud-based identity stores, because they perceive it might be a security concern. So there’s this sort of dilemma of weighing the value of a cloud-based identity store versus having all of our stuff cloud-accessible so that somebody can then attack it. This is the balancing act people are doing right now.
Now, they’re eventually going to realize that the value of having a cloud-based solution, having that extend, and the ability to do our orchestration and policies and get much more consistency across our IT environments, far outweighs any risks they have from cloud-based versus on-premises.
Mark Callahan: Well, and there are a couple of factors here that we saw, even the requirement to support on-prem applications, and migrating is too difficult. Again, scale is a problem, because what happens in modernization is that migrating those apps and refactoring is required of every single app, and you have to have access to the owners of those applications to make the controls and get political buy-in.
And so all of a sudden you start seeing that there’s not a centralized way to solve this distributed challenge. And again, that’s another very strong premise for why identity orchestration is so critical in helping to facilitate these migrations, and doing it in a way where you don’t have to rewrite the applications.
You don’t have to maintain custom code; as you abstract the identities out, you’re able to do it all at this Identity Fabric abstraction layer, and it counters a lot of these issues. And yes, this is very much what we’re hearing as well.
Jack Poller: Yep. And so that’s where we get to the last data point we have: companies are telling us that they want to build identity and access management that can be used across their entire environment.
It’s the number one thing that they want. The second thing they want is multifactor authentication, because the biggest security hole for exploiting identities is passwords. But before you even get to that, you want to be able to manage your entire identity footprint across your environment.
And you’d really, ideally, like to manage it from one single place and be able to then get to that security consistency we’re talking about, where you have the ability to define policies and set them, and have that apply throughout your IT environment, regardless of where your apps and your data are.
Mark Callahan: Exactly. Because you’ve got to have an HR approach to centralizing IAM in your organization, which you all are certainly finding, but then it’s, what’s the software approach to solving this distributed problem? And, hearkening back to the premise, both identity and policy orchestration are really, honestly, critical to meet the overall challenge that we’re seeing, as shown by the data.
Jack Poller: So that’s pretty much the story we tell to help people understand the data, this research we’ve done. There’s a story that comes from the data that says we’re in this multi-cloud world and we have this challenge of setting consistent policies, the whole identity challenge we’ve been talking about, and I think that’s where Strata comes into play.
Mark Callahan: That’s great. And I think it’s unfortunate that we can’t see the audience, because sometimes it’s fun to see the head-nodding where people are saying, that’s me, you’re speaking to me. As our audience is doing that head-nodding, there are some resources that we’ve made available at the end of this session.
And first and foremost, Jack, thank you. This has been a great conversation, talking with you about this and, honestly, seeing the data that speaks to what we’ve seen ourselves. But as you’re thinking through these challenges, this is for our audience.
We have a white paper here around identity orchestration that speaks to that need and how it can be solved with the systems and identity solutions that you already have in place, as well as future-proofing what you are looking to add down the road, be it passwordless
or identity verification, know-your-customer, lots of things along those lines. And so with that, for my audience here, we want to make sure there’s a link on the screen so you can get access to these resources. You can also contact Strata at the information that you have here.
Let’s open it up to just a couple of quick questions. I know we’re coming up on time, which is great; when we have a good conversation, it means we went long. I think we have time for probably two questions. The first one is a question about Zero Trust.
The question is: is a Zero Trust architecture possible, or is it always going to be aspirational? Is it pie in the sky, I think is what they’re asking, or is it actually possible?
Jack Poller: No, it’s actually possible. And as we talked about, thinking about Zero Trust is fundamentally switching our philosophy from allow-all to deny-all, but allowing very specific users to do very specific things. And that’s easy to do if you have identities and consistent identity policies throughout your environment; it’s easy to do if you have the ability to authenticate and authorize. And so it’s really fundamentally an identity question.
The rest of it, once you know who somebody is and what they’re trying to get access to and whether they’re allowed to or not, the rest of it is simply engineering, and it’s not that difficult engineering. It’s really thinking about a firewall and flipping it the other way.
Mark Callahan: Okay. All right. And with just a few minutes left, you and I touched a little bit on the remote workforce. There’s a question about it: it seems that COVID has permanently changed the way that we work. How do we accommodate the remote workers, the devices, and identities? I think that was certainly a data point that we saw in your data,
that the remote environment has led to a need for orchestration. But how do we accommodate remote workers, devices, and identities?
Jack Poller: So, the first thing to understand is that the world has changed because of the pandemic. So many companies are telling us they’re going permanently to a hybrid workforce, with some remote and some in the office, that we no longer actually ask those questions in our research. We just assume that’s, and I hate to use the phrase, the new normal.
So then again, it comes down to making sure who people are. You authenticate them; it’s an identity question. Then, that they’re authorized to access the applications and data they want. And you can do that through a combination of tools: remote access tools like Zero Trust network access, as well as implementing the appropriate Zero Trust type policies in your environment, in your on-premises environment, and in the cloud apps that you’ve implemented.
So you can either have people access everything through a Zero Trust network, VPN-like solution, or, with the appropriate permissions, you can implement that philosophy without any additional tools, again, if you have the right identity orchestration, like using Strata, and set the right policies across your environment, and you’re able to authenticate people appropriately.
Mark Callahan: Got it. Okay. Thank you. I think we ran a little over on time. That’s always a good sign. But it was a lot of fun chatting with you today, Jack. For our audience, contact info is on the screen for follow-up. Do you have a preferred way for folks to reach out, Twitter versus email, for you? Twitter or email works just fine.
Jack Poller: Likewise for myself. So we would love to hear from the audience, as well as any additional questions that might’ve come up. And thanks again for the time, Jack. This was really great. Thank you. Take care, everybody.
Protect your sensitive data in the cloud
We’re in a multi-cloud world that presents new opportunities as well as new security risks to your sensitive data. Consistent identities and policies are the key to protecting your cloud-resident data. And that’s where Strata’s Identity Orchestration platform comes into play.