
All right, good afternoon and welcome, everyone. We appreciate you joining back on with us. We've got another exciting talk for you, the fourth talk in our cloud track, so again we sincerely appreciate your support and attendance for making this a success in partnership with the Cloud Security Alliance of Tampa Bay. It's my pleasure to introduce Dan Thormodsgaard (I'm going to try to pronounce it: Thormodsgaard; there we go, thank you). The talk is IAM and why it's important in cloud environments. As a quick bio: Dan is the CTO and co-founder of Fishtech. He's a strategic advisor to Fortune 500 enterprise accounts, technology companies and government institutions. He's focused on long-term cloud transformation and security initiatives, and specializes in finding unique solutions to successfully meet corporate security goals and business objectives. So with that, Dan, I want to hand it over to you and we can get started on the talk. I look forward to it.

Thank you. Very good, thank you. Hello, everybody, and good afternoon. Thanks for joining; for those of you that have joined, I appreciate the opportunity to speak with you here today. The organization, Fishtech, we started in 2016, and we really call ourselves "born in the cloud" because we started fresh in 2016. So a lot of the stuff that I'm going to talk about here today applies to what we went through, and how we went through that journey of building our organization with a cloud-first type of approach. Today we're talking about identity and access management and how it relates to cloud adoption. It really is a pivotal, core component of a cloud adoption program. I'll talk about what IAM is and why it's important, the organizational challenges that we've seen as a consulting agency, our approach and the journey we walk customers through, the pillars and why they're important, how we develop an overall strategy so that we make sure we meet business goals and objectives, and governance, which is of foremost importance in terms of meeting compliance objectives and then drives the architecture. Then I'll walk through a real quick use case.

So again, identity and access management, especially in a cloud adoption program, is vital. We can no longer have source IP address and source and destination ports provide the control framework. Identity is the core component of the control in terms of how we get access to data. It's really a combination of who the user is, what they're authorized to do, and, in addition, the device that you're coming from. For example, if it's a managed asset, I would be able to have residual data on that device or be able to take data down to that device; and then obviously I would have access to data, and what types of data do I have access to. So identity is that core component. With the pandemic this has become even more vital, because we're supporting a lot of work-from-home users, and in order to allow them to use their home computers we obviously need to know who the user is, whether they are authorized, and whether the device is allowed to download data onto it.

Some of the challenges that we've seen for organizations: we continue to support hybrid, so both on-premise and cloud-based solutions, and obviously there are different approaches to how we have to deal with cloud. For example, in a cloud environment, there have been several discussions earlier today about key management and access and key rotation and all kinds of different aspects. Those are much more important in a cloud architecture, and that is part of an identity: the keys do have access to resources and profiles, as in an IaaS or PaaS environment, and that is important because we want to be able to bulldoze those when they're not used. Oftentimes that's one area that we see is forgotten. Then SaaS and PaaS sprawl: examples of that would be where we've onboarded applications and the user identity is a birthright in the application as opposed to in our identity platform, so I have these identities sprawled all over IaaS, PaaS and SaaS environments, and I have to figure out where those identities are, what roles they have, and how I get better control over that. Privileged versus non-privileged access. Reducing the attack surface: the attack surface is way too large and we need to reduce that down. I'm sure you've heard recently about zero trust networking and things of that nature, and that whole initiative is identity based; we're trying to reduce our attack surface by having a zero trust architecture. Authentication behavior and authentication patterns: we're currently working on an application where we're looking at anomalies of users logging in. I'm out of Minneapolis, so I log in here from Minneapolis, and then two minutes later you see me logging in from Asia-Pacific. Obviously that's a problem, and we want to be able to get visibility of that and take corrective action. Risky behavior: are we seeing users that are escalating privileges, unusual escalation of privileges, and so on. Insecure access: we talked about that with zero trust networking, getting rid of your typical network-type VPNs (virtual private networks) and going to more of a user-based zero trust networking. Account anomalies, lateral movement: these are all areas of concern, and identity is a core component of taking care of a lot of these issues. In a cloud-based architecture and cloud adoption it is vital that you have multi-factor authentication, because again, we no longer have that network boundary; identity is the boundary and the control point of access.

We take an approach where, no matter where we're at in an organization and the discussion with them, we bring it up to: what is your strategy, what are you trying to accomplish, what are your goals and objectives around your cloud IAM program and cloud adoption, and how does that map to your governance program? For example, if I'm a heavily regulated entity with PCI, HIPAA or GDPR, we need to take those things into consideration when we're rolling out an overall architecture. That drives the architecture in terms of what it should look like, what our use cases are and the patterns that we're deploying. Validation: we do a proof of concept to make sure that it works effectively, so that we're not missing any items that would cost us downtime or mean having to go back and ask for budget again. Then the implementation, and then the operational piece. The operational piece is probably one of the larger pieces where we're seeing deficits and challenges now. Think about your privileged access management: getting talent is difficult, and maintaining the talent is a hard thing to do, so we've got to think about how we're going to operationalize this in order to have an effective program.

What are the four pillars that we identify as part of an IAM program? Identity governance: provisioning and access certification; does the user have the rights to have that application, the approval process, etc. Access management: single sign-on, adaptive access (we talked about that), conditional access, reverse proxies, federation. It is vital to federate all of your SaaS, PaaS and IaaS to an identity provider, for the obvious reason that we want a single point of onboarding and offboarding of users. Then strong authentication: we must have two-factor authentication so that we can ensure the identity of that user is who they say they are; step-up authentication for privileged access, so that administrators are able to step up and go through an approval process for that step-up; password rotation. These are all extremely important items. Vaulting: in a cloud architecture, we heard earlier other folks talking about HashiCorp Vault, and we want that as part of the infrastructure-as-code process, where we're vaulting these identities. The whole key management lifecycle is another discussion topic, but very important. Session recording, and a check-in and check-out process.

So the first thing we do is identify the stakeholders. We understand exactly what the use cases and requirements are, and our whole goal is to get a good handle on the current state of their environment and then put together an overall program so that we're not missing anything in terms of items we need to be thinking about. What SaaS applications do you currently have? What is your onboarding process for applications? Are you ensuring that these applications can be provisioned by an identity provider? That is extremely important, so that business units aren't just buying applications without going through the governance program to make sure that we're meeting the necessary requirements. One of the ways we take control of that is through expense management systems, ensuring that organizations are not spinning up AWS, Azure or GCP without going through an approval process, and making sure that we're staying on track with regard to maintaining our governance program.

The overall IAM strategy: these are just some examples that we've gone through with other customers. Improved security posture; centralization and consolidation. Think about it: in a lot of organizations we have a multitude of different types of IAM tools. We're seeing a tremendous trend to go to a consolidated solution using a single access management and MFA solution, whereas in years past we'd have an MFA solution from one manufacturer, and then we'd have an identity provider and RADIUS and all these other different authentication and authorization platforms. Over the past three years we've seen a tremendous consolidation in that direction, and that reduces cost, reduces our need for support, improves the ability to effectively operationalize it, and gives a significant reduction of overhead. The onboarding and offboarding process should be smooth and easy, as opposed to complicated and distributed.

The first thing you want to do as part of your governance program is make sure you're maintaining your compliance objectives. You may have a NIST program, you may have SOC 2 Type 2, or a wide variety of different compliance programs. Consolidate those and map them to a cloud control framework. A couple that we've used for our customers have been the CSA CCM, basically the Cloud Security Alliance control framework, and the NIST CSF; those are probably the two most popular; and then the CIS Benchmarks. Obviously we're mapping those in our discussion here today: how does that map to your governance program? At the end of the day the whole objective here is to protect the data and keep us out of trouble from data leakage and situations that may arise.

Business drivers: again, regulatory compliance. IT-to-business mapping: this is where IT sprawl has occurred over the past many years, where it was too arduous and too complicated to go through our IT organization, so we essentially went out and built our own cloud infrastructure because we could move at a much faster pace. So today we must meet business objectives, and we must have a good program in place so that we can move at a fast pace but yet maintain our regulatory compliance and maintain security. Compliance doesn't mean it's more secure; there are obviously other areas that we need to improve to reduce our risk. Cost reduction: real-time provisioning, streamlined consistency, diminished manual process. We'll go through a couple of examples of where reducing that manual process can save a tremendous amount of time for onboarding and offboarding. Productivity: we want our users to be productive; we want the business units to be able to do what they need to do. And then competitive advantage: how do we compete in the industry by reducing complexity and moving at a much faster pace? And the user experience is vital in terms of ensuring that we're providing consistent user satisfaction.

Where do we start? When we're starting on an overall IAM strategy we look at what the current identity governance and administration processes are. Oftentimes organizations are doing manual reporting. We had one organization that would go through an audit with four or five people walking through it, and by the time they finished the audit each quarter, they would be able to start the next one. So essentially four to five people were consistently just going through audit, looking at user privileged access management, auditing user activity, user permissions, etc. We can automate that. So how do we reduce that overhead and maintain our compliance?

Access management has been key. Identity and access management right now is a very hot topic with a lot of activity; our IAM team is the busiest it's ever been over the past five years: deployment of SSO, federation to SaaS applications, IaaS and PaaS, and working towards consolidation onto a single platform for identity and access management. Privileged access management: with a cloud environment and an on-premise environment we're typically looking at different scenarios, different tools and different processes, so we need to look at each use case and its requirements. Physical authentication: in years past we didn't have a single platform that would tie into physical authentication. They were often under separate budgets; the facility folks oftentimes owned the physical access authentication piece. We're now starting to see that consolidate together. We need to look at user behavior: are there anomalies occurring as part of user behavior detection? Were they getting access to something physically that they shouldn't get access to, and then we start seeing a pattern where they start accessing other systems and taking advantage of access that they shouldn't have? We can map that into a pattern of behavior and start taking action.

So what do we look at for key features and capabilities? Account provisioning: how do we make it smooth? Where are the birthrights of users? Oftentimes those are in HR systems; the user identity is birthright in that HR system, so then how do we push that identity out to the various platforms that we have for access management, and also for role-based access, what applications they should have access to? Periodic reviews and role mining as part of compliance objectives, to make sure that we're going through our continuous auditing lifecycle and reducing that overhead. Segregation of duties, high-risk and mitigation controls, privileged access users, and then password reset policies; that's usually your IGA tool providing those services. From a PAM perspective: managing privileged access, escalation of privileges, secrets management and vaulting, and auditing and reporting of those systems; and then encryption, ensuring that we have encryption for those areas where we have privileged, confidential information. And access management in terms of data sync options, access control methods, encryption methods, cloud-hosted versus on-prem. Again, we've seen a lot of these access management tools that are focused on a hybrid environment: they can solve the problem from a cloud, SaaS and IaaS perspective, but they also address things such as RADIUS authentication for typical network-type systems and conventional legacy VPNs.

An example; I'll use ourselves as an example. We have an HR system that, at first, wasn't the most friendly API tool, but we're currently using an IGA tool to use our SAP HR system to birthright those identities, work through a fully automated process of getting those users into Active Directory, and then from Active Directory into our access management solution. From the access management solution we then provision those users, based on roles, with an IGA tool, to what applications they can access and what authorization they have within the applications themselves. So what used to be a very manual process, where our HR people would put the identities in the HR system, and then we'd have to go to IT, and IT would have to go in and create the identities in Active Directory, and those Active Directory identities would get pushed out to these various applications based on their role, we've been able to automate, and we've reduced our onboarding and offboarding time significantly by automating this entire process.

The big hot item today is really SASE, secure access service edge. An example of this: one customer, a healthcare provider, went from 75 work-from-home users to 150,000 work-from-home users approximately a year ago, and as part of that we obviously had to change the way they're getting access to their systems in their data centers and their cloud applications. We've seen a significant increase in these secure access service edge solutions, which provide the security stack, such as CASB, next-generation firewall, SWG, private access, etc., all with access based on identity. So depending upon who you are, can you access a system internal to your corporate infrastructure, can you access an application, et cetera. This is a game changer in our industry, and we're starting to see significant activity in this whole secure access service edge space, pushing that into a microservices platform and into a cloud architecture. Since most everyone is working from home at the moment and we're accessing systems from home, going through that microservice architecture has reduced the overhead. We saw a kind of shift, going initially to a workspace environment, where most of your CSPs (AWS, Azure and GCP) all provided some sort of workspace. But from that perspective, most of the applications are web-based applications; it doesn't make sense to spin up a workspace specifically just for a web app. We can achieve the same security controls and access controls using a SASE-type architecture.

So when we go through an integration process, the first thing we typically do is look at: provision, govern and review; authorize, authenticate, federate; and high-risk user and service accounts through privileged access management. We go through each one of the applications and look at the use cases and patterns and what we need to do from a deployment perspective. When we're engaged in a customer IAM program we're going through that process of identifying each one of these use cases, and then looking at low-hanging fruit: where can we get success at a much faster pace, where can we gain some easy wins?

On a use case: we had a large organization that essentially went from a homegrown SAML solution and wanted to consolidate down into a single platform using a commercial access management solution and MFA. As part of that we reviewed their existing applications; they had roughly 150,000 users and, I want to say, roughly 800 applications, somewhere in that neighborhood, some customer-facing, some internal-facing. As part of that process we identified the overall strategy and program on how to migrate off the existing homegrown SAML solution onto a commercial SAML solution. The benefits they would receive by doing this would be reduced administrative overhead, a single solution for access management and MFA, reduced time to market, and a significantly increased user experience. Where we started was identifying some smaller applications that we could federate, those SaaS applications, over to this new platform and start working at some low-hanging-fruit wins. Then we had to move the big one over. That's one of the things when you're moving over to an access management system: when you federate the application, it's flip the switch, so you have to have all your ducks in order. The biggest one was obviously the Office 365 environment, where we were taking roughly 50,000 users and moving them over in a flip-the-switch scenario with Office 365. Fortunately it went very well: no issues, some minor issues in terms of just users getting access and getting their MFA solution up and running, but essentially that was it. In any event, now we're moving over to their customer identity and access management, their external-facing applications, and working through that process. With that, we can take any questions you have.

Can you hear me?

We can hear you.

Yeah, okay, cool. So I didn't see any questions posted in the Q&A, but now is the time if anybody had any questions related to any of the other benefits of this, or questions about what to do. I saw it was pretty astounding that you didn't run into any major hurdles trying to migrate those 50,000 users; that's quite the accomplishment.

Yeah, that's a lot of planning. You really work through your scripting and your cutover scenarios. You're going to run into certain circumstances that are going to cause you some pain, but you can clearly achieve that by having things in order: help desk ready to go when, for whatever reason, their MFA on their phone didn't go as planned. But at the end of the day we really didn't have much of any problem, and that goes to the technology itself; the capabilities within the technology have come a long way in terms of ease of use, which helps our deployment strategy.

Yeah, it's actually not entirely uncommon for it to go extremely well, which is a good thing.

Yeah, absolutely, a good thing.

And I can painfully understand having to deal with audits and then getting ready for the next audit as soon as you finish another. So yes, if you can automate that, it can definitely save quite a bit of time and frustration, and of course money too.

Yeah, in that situation we essentially reduced the five-person audit, which was taking the full quarter to complete, to one week and two people. So yes, you're paying for the tool itself, your IGA tool, to help you with that, but the automation and the simplicity that you get out of it is significant. As for the time invested, those typical projects can be six months to a year. We've had a couple of situations with large organizations where it takes a length of time to get that deployed, but the idea here is to take the low-hanging-fruit areas where you can get some quick wins and then start working on other areas of expansion.

Yeah, absolutely. It's not a microwave solution for that, especially because I see audits getting very in-depth lately, and auditors having to modify their strategy and increase the depth of what they've been asking on certain questions regarding your solutions, regarding how you're managing your assets, how you're managing your access. There have been a lot of good questions asked by them that have uncovered some concerns; that's why we're auditing.

Precisely. And then there are your third-party audits, from your third parties, which are significant in addition to that as well. You have contracts with organizations; organizations such as ourselves have many clients out there whose third-party assessments we have to adhere to. The more we can automate that, the more we simplify it: when they're asking for these types of things, we have a program in place that identifies these areas, we have everything documented, and then we can show them the results of the audit in a very simple way without having to go through a manual process. It reduces time significantly.

Oh yeah, time is money.

Yes it is. I know I got done a little earlier, so I hope that's all right; I didn't see any questions either.

All right, so I guess last call for questions, if anybody's got anything else; otherwise I can close this out. I see Karen's jumped on, unless you had anything to add, Karen.

No, I just want to say thank you, Dan, for participating. I think this is a very important topic; a lot of people are moving to or are already in the cloud, so having a strong identity program is key. Great presentation; I think it probably gave a lot of people some things to think about. So again, thank you so much for your time on a Saturday afternoon. I just wanted to take a minute to call out the appreciation. That's all I have.

Thanks for having us, we appreciate it.

Yep. All right, Chris, I'm handing it back to you.

Okay, thank you, Karen. Again, thank you so much, Dan.
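The talk describes one authentication-behavior anomaly concretely: a login from Minneapolis followed two minutes later by one from Asia-Pacific. The following is an added, editor-written example of the detection logic behind that check (the "impossible travel" rule); it is not the speaker's or Fishtech's code. It assumes each login event already carries coordinates from an upstream GeoIP lookup, uses an assumed 900 km/h ceiling on plausible travel speed, and runs over constructed sample events, not real logs.

```python
"""Impossible-travel check over constructed login events.

Added example illustrating the anomaly described in the talk; it is not
the speaker's or Fishtech's code. Each login is assumed to already carry
a latitude/longitude from an upstream GeoIP lookup (not performed here).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: nothing a user carries moves faster than an airliner,
# so two logins implying a higher speed cannot both be the same person.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime      # timezone-aware UTC timestamp
    lat: float
    lon: float
    source_ip: str    # kept for the alert text, not used in the math


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(earlier: Login, later: Login) -> float:
    """Speed the user would have needed to get from one login to the next."""
    distance = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
    hours = (later.ts - earlier.ts).total_seconds() / 3600.0
    if hours <= 0:
        # Same instant (or clock skew): any distance at all is impossible;
        # zero distance is just a repeated login from one place.
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def find_impossible_travel(logins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Compare each user's consecutive logins in time order and return
    (earlier, later, speed) for every pair that exceeds the threshold."""
    by_user = defaultdict(list)
    for login in logins:
        by_user[login.user].append(login)
    alerts = []
    for events in by_user.values():
        events.sort(key=lambda e: e.ts)
        for earlier, later in zip(events, events[1:]):
            speed = implied_speed_kmh(earlier, later)
            if speed > max_speed_kmh:
                alerts.append((earlier, later, speed))
    return alerts


def _utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample events (not real logs). Coordinates are approximate
# city centres: Minneapolis, Singapore (Asia-Pacific), Chicago.
SAMPLE_LOGINS = [
    Login("dan",   _utc(2020, 10, 10, 14, 0, 0), 44.98,  -93.27, "203.0.113.10"),
    Login("dan",   _utc(2020, 10, 10, 14, 2, 0),  1.35,  103.82, "198.51.100.7"),
    Login("alice", _utc(2020, 10, 10, 9, 0, 0),  44.98,  -93.27, "203.0.113.20"),
    Login("alice", _utc(2020, 10, 10, 12, 0, 0), 41.88,  -87.63, "203.0.113.21"),
    Login("bob",   _utc(2020, 10, 10, 8, 0, 0),  44.98,  -93.27, "203.0.113.30"),
    Login("bob",   _utc(2020, 10, 10, 8, 0, 5),  44.98,  -93.27, "203.0.113.30"),
]

if __name__ == "__main__":
    for earlier, later, speed in find_impossible_travel(SAMPLE_LOGINS):
        gap = (later.ts - earlier.ts).total_seconds()
        print(f"{earlier.user}: {earlier.source_ip} -> {later.source_ip} "
              f"in {gap:.0f}s implies {speed:,.0f} km/h")
```

Only the Minneapolis-to-Singapore pair is flagged; Alice's Minneapolis-to-Chicago trip three hours later implies under 200 km/h and Bob's repeated login from one place implies zero. One caveat that matters in the SASE and VPN setups the talk discusses: GeoIP places a user at the provider's egress point, not at their desk, so a client switching between a direct connection and a cloud proxy can look like impossible travel. In practice the rule is paired with a list of known corporate and proxy egress ranges, and the response is step-up MFA or a session re-check rather than an outright block.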