[MUSIC PLAYING] Hello, everyone. Welcome to our exclusive virtual event series, ID:30. Today we have 30 minutes of blazing insights to help you successfully navigate the unique challenges of managing identities. Today's topic: addressing extreme change. Bringing the cloud into focus, and which is right for you: in, for, or from the cloud.
We all know that the market is changing and has forced many organizations to re-examine how they do business. There is pressure to reduce overall costs, such as managing traditional, complex on-premises applications and data centers, but organizations can't sacrifice security or compliance requirements when considering the cloud. We're going to talk about all of this and more as our panel of experts addresses a number of cloud strategies they're seeing right now.
Moderating our discussion is none other than Eric Robinson, Regional Sales Director at One Identity. Eric knows this landscape well. He is CISSP certified and runs an IAM sales team across the Eastern United States and Canada. Welcome, Eric. Who's on deck?
Well, thank you, Lorraine, for that wonderful introduction. Given the rapid change that most organizations have had to go through, and given what we've all experienced here in the last few months, it's a great opportunity for us to actually analyze and figure out how we do business and how we can do it better, how we can scale into the future, but also how we can give better customer service while improving our bottom line.
With all the focus on digital transformation and the move to the cloud, it's difficult to really separate the hype from the reality, particularly when identity management is involved. Is a pure SaaS solution right for you, in the cloud, as Lorraine was mentioning earlier? Or would you be better off with a cloud hosting solution, from the cloud? Or do you just need to make sure that your cloud assets are being absorbed by your current identity management platform, for the cloud? Is it a combination of all the above?
I'm Eric Robinson, your host, and along with a panel of distinguished security experts, we're going to kind of bring some clarity to this cloudy discussion and help you find the right approach for you. We'll share some real world insights and make recommendations to help you ensure your success when you're developing and maintaining your identity management and your cloud resources.
Interesting study: a recent global survey found that 97% of businesses are investing in digital technologies to transform their business, yet only 18% are involving security in these initiatives, most likely because they feel security slows them down. Cloud apps are a major component in today's digital transformation, and they need identity management. And when we say identity management, what I really mean is a couple of different functionalities.
Identity governance and administration, which includes all the activities required to manage the life cycle of an account or an identity and proving that the access and administration of that life cycle is done in the right way. And then there's privileged account management, which is those same functionalities yet focused on the critically important administrative accounts and privileged users. There is no one size fits all. We all know that by now when you're moving to the cloud.
Our three experts are each going to take one of the methods or strategies we're seeing in the market right now and represent them. Let me introduce the panel to you, as you see down there. First we have Bruce Esposito, who's going to represent in the cloud or pure SaaS. Second we have Stacey Blanchard, who is going to represent cloud hosted or from the cloud. And finally, we have Hicham Bouali, who will speak to for the cloud. So let's start with Hicham. So what is the for the cloud approach to identity governance and administration, Hicham?
Sure, Eric. It is important to involve security, with identity as the core, in any digital transformation. Organizations can manage unified identity governance for on-premise, hybrid, and cloud deployments from a single interface and with a single set of policies, rules, workflows, and identities, granting full visibility into user rights, permissions, data, and applications, regardless of where they reside.
As you mentioned previously, more and more companies today are taking the initiative to move to the cloud. This strategy will lead to identities, accounts, and permissions also being defined in the cloud, with the required governance, administration, and life cycle management that [? results ?] from the processes we know, like mover, joiner, and leaver.
So a good example is a customer [INAUDIBLE] that owns a hybrid environment with AD, SAP, and also cloud applications such as Azure AD and Office 365, among other cloud and SaaS applications. They have adopted a strategy of using the same administrative tools to address identity governance and administration. One of the use cases I have seen there, and the challenge they were facing, was to connect and [? not ?] standardize HR or human resource [? feats ?] with more than 200 separate HR systems.
Those systems reside on prem but also in the cloud. And we all know that those systems play a key role in identity governance and administration, where they are responsible for the employee and for the line management, but also for metadata and organizational data. So having [INAUDIBLE] IGA buffer has harmonized the [INAUDIBLE] management for this customer, regardless of the type of HR system, and helped them unify governance and be compliant with the different regulations.
You mentioned administration in that description there. What's administration about in the hybrid environment?
Thank you for this question, Eric. From another angle and perspective, administration also considers the coexistence of cloud and on-prem platforms. In reality, moving to the cloud is not a big bang scenario. Indeed, it's [? not ?] obvious to get rid of all our on-premise systems, and there is no cloud version that can replace our traditional and legacy systems. One example I see often is that many organizations are deploying Azure Active Directory and Office 365, for instance. But can Azure AD be the entire replacement of our legacy and traditional Active Directory?
Unfortunately, the short answer is no. Azure AD is not designed to be the cloud version of AD; it's not a domain controller that gives and provides exactly the same functionalities and capabilities. Actually, it will provide new capabilities and functionalities in another way. So the reality is organizations are still in a mixed and hybrid configuration, where having unified administrative tools, the same interfaces, and the same policies and rules to [INAUDIBLE] both on-prem and off-prem systems will reduce complexity, save time, and increase security within an organization.
Thank you very much, Hicham. So Stacey, we talked about for the cloud regarding IGA. Now, what's the answer from the cloud for IGA?
Sure. That's a good question. So when I think about the term administration as it relates to IGA, the activity that's most prevalent in my mind is the user life cycle of provisioning, re-provisioning, and de-provisioning over time. There are many sectors in which these user life cycle activities are done heavily in certain seasons.
For example, in higher ed, with customers like George Washington University, you can just imagine the number of new students, faculty, and staff that they must provision into their systems just before the start of the new year. At the start and end of every semester, these activities are greatly increased. So when you think about your IGA solution that automates these activities for you, you can imagine how much of a burst of horsepower is needed during these high season times.
But throughout the rest of the year, your system may not need such expensive resources to run. This is a perfect example for considering a from the cloud IGA solution with containerization and virtualization technologies. You can plan and budget the resources assigned to these activities much better and allow the system to flex and retract when needed. Overall, this decision could give you much more flexibility and even save you money in the long run.
You're talking about that architecture allowing you to flex and save money. But isn't a pure SaaS offering the most inexpensive way to go?
I mean, not always, and it might not be right for everyone. Many people have a real need to get applications delivered from the cloud, but it seems that the full capabilities in a pure SaaS delivery are still a ways off. However, you can host your IGA solution in an Azure instance and achieve many of the benefits of cloud delivery and operational expense strategies without sacrificing the functionality you want, because it's still a full featured IGA solution, just delivered through a cloud hosted delivery model.
So I talked to Brown-Forman, a company that produces and distributes many of the world's best known, best selling brands of wines and spirits. They had complex needs due to their heavy reliance on SAP that just couldn't be met with a SaaS solution. However, they still wanted to take advantage of cloud technology. So they decided on a cloud hosted solution. They told me that SAP security used to demand an intense administrative effort, but with One Identity Manager, they were able to automate and strengthen most of the processes.
Another thing to consider is whether you have the expertise in-house to build, configure, and maintain your governance solution. If not, then you may want to leave it to some experts and take a look at, perhaps, a managed service provider. These providers can perform all of the above activities on behalf of your company in a cloud hosted solution. By deploying as cloud hosted, you will still have the flexibility to customize for your company's needs yet leave the hard work to others.
Thanks, Stacey. Well Bruce, she kind of set you up there a little bit with that answer. What do we need to look for in the cloud for IGA?
Yeah, so definitely, when you talk about in the cloud, you need to look at it very critically. Because the first thing to understand is, when a vendor says that they're SaaS or they have a cloud solution, what does it really mean? Because they will define it differently. And the way they define it can really impact your long term strategy. So understanding it is really critical.
For example, in the space of IGA, there are really two different ways in which SaaS solutions for IGA are delivered in the cloud. One is cloud hosted, the other is cloud architected. And there are some differences between the two. A cloud hosted IGA solution really is a modified on premise offering that's hosted in the cloud. It kind of refers to what Stacey was talking about, the ability to take an on prem solution running containerization on Azure or AWS and deploy it to customers.
But that solution isn't necessarily natively designed for the cloud at its core. It's usually single tenancy, which means each customer has their own unique instance or image of what's running for them. This has more parity with on premise features. So in that sense, it can be an advantage, because basically it's very similar to their on prem one that's running there. It could still benefit from third party management.
The vendor themselves may handle the upgrades or maintenance, or a partner may provide that service. And this approach, being a cloud hosted solution, also allows for more customization. So you can keep the same kind of use cases you have now but get the benefits of having them deployed through a cloud infrastructure instead of your on premise.
The one challenge you need to look for is around a vendor's ability to scale support. So a vendor who offers this type of solution can be good, but can they continue to maintain it? If every customer they have has a unique version of their software running customized for them, then does the vendor have the ability to continue to manage and maintain this for every customer individually? What happens when upgrades are done? What happens when there are patches? Are they able to do it on every individual instance despite all the changes? That's going to be a big question.
On the other side is what is often traditionally thought of as SaaS, the cloud architected type of solution. These are purpose built offerings using modern cloud architecture. Generally it centers around the idea of microservices. So instead of deploying one large software application, that application is broken down into individual discrete services or functions. So in the world of IGA, there might be one relating to governance and certifications, one for access request, one for connectivity, provisioning, de-provisioning, and so on.
And so you get these, and you can basically interconnect them. They can communicate with one another. You can deploy or interact with them individually, or they could work together. These types of solutions are usually multi-tenancy, which means it's a shared code base for everybody. They're all the same. And that has an advantage, which means that when upgrades are rolled out or maintenance is done, it happens to everybody at the same time quickly versus a staggered approach. These types of solutions are still more immature, so they're usually not as feature rich as an on prem solution.
So it often leads to constraints. Typically in the IGA SaaS solutions that are available, the customer is constrained to what the vendor considers its idea of a best practice. Because they can't customize it, because there's limited configuration for it, when you sign up for it, the vendor says, OK, this is how you do certification. This is how you do access request. And so you kind of have to change whatever your model might be to fit with what the vendor decides to develop in that type of model. So your ability to customize or have it fit your needs is very limited.
The ideal approach is to avoid trying to go to either of these right away. Avoiding the complete shift from saying, OK, today we're on prem, tomorrow we're just going to shift to a vendor SaaS solution. Doing that is a big risk, because that requires you to bet your future on the vendor's approach. You're not saying, OK, this is what we're going to do. We're going to go with that.
And often when you make a big shift like that, it results in making sacrifices. You're going to have to decide which requirements or the way things you're doing today that you're just going to have to give up or you're going to have to eliminate some of your requirements to make that shift.
But instead of doing it with that kind of full sail from one to the other, the ideal solution is to make a progressive hybrid approach your path to SaaS. So as these offerings become richer and richer and catch up with your individual needs, then you switch over those specific functions as it makes sense. So really, it's a strategy of implementing discrete microservices as it makes sense. And ultimately, over time it will add up to a full blown IGA SaaS solution that really fits and is molded to the way you want it to fit.
Nestle, which you may be familiar with, a big manufacturer known for chocolates and other things, went kind of this approach. They have a large on prem IGA solution they've had for years. But they found a need, obviously, to begin to connect more and more to SaaS based applications. And it really isn't ideal to open that up wide to say, OK, I'm going to have my on prem with all these external connections to SaaS solutions. They wanted a better approach to do that.
So they really went with a SaaS solution to handle connectivity and provisioning to other third party SaaS based applications. So it simplified it. They really set up the SCIM connection from their on prem to this SaaS connectivity, and then that SaaS solution provided all the interactions with the other SaaS third party applications that are out there. So it's more secure, it's easier to deploy, and it provides a better architecture to fit their needs.
So having this approach really means you're able to pick and choose what you want, and even amongst different vendors. For example, one hypothetical: a lot of organizations now have moved their access request to an ITSM vendor, like a ServiceNow, for example. And so maybe that's where they want to standardize on access request. So what they could do is they can say, OK, this might be the [INAUDIBLE] request, but that ITSM vendor isn't very strong in governance and certification or reporting.
So in that case there, you could add to that [INAUDIBLE] request a certification from a SaaS provider to augment that capability, and then still have another one, perhaps, that handles the connectivity to your on prem. So by doing that type of approach, you're not locked in, and you pick and choose each one as it fits your needs and as the market matures long term.
Yeah, I think there's one common theme I heard in all of those. It's: what's right for you? And that's the real key, what's right for you. I mean, nothing's changed in an IAM program. You need to start with your workshops. You need to do the work up front. Your whiteboard sessions, whether we do them on computers now or we do them on a real whiteboard. And really understand what you're trying to get accomplished and then set your path to get it done.
So let's switch gears here a little bit. We talked about IGA. Let's move to those sacred administrative accounts and privileged users. So what about privileged access management for the cloud? Hicham, what are your thoughts there?
Sure. Let's first define what privileged access management for the cloud is. Actually, it is about how the PAM initiative will apply to managing and securing access to systems and services that reside in the cloud. This can be SaaS applications used by the business or technical teams, for instance. It can be cloud platforms for application development, and it can also be critical application systems or databases that are stored in the cloud.
Obviously, moving to the cloud will ensure scalability, efficiency, and accessibility to customers. But migrating all critical resources, or even a portion of a hybrid environment, to the cloud will present serious security challenges and risks to the organization. So to address the challenges of PAM for the cloud, organizations need to fulfill and focus on the following main use cases: the full life cycle management of provisioning and de-provisioning access and accounts, securing access to the cloud apps and [INAUDIBLE], session monitoring and reporting for the cloud platform and all privileged activities, and vault and secrets management in DevOps environments and for application-to-application.
So those use cases really do not differ from the way to manage privileged access for on-prem solutions. So the bottom line is to have a hybrid system that can answer those challenges independently from the type of the access.
Yeah, those use cases, obviously, are key. Your use cases are what's most important, and those you just mentioned are the most common. Stacey, what about from the cloud for privileged access management?
Yeah, I actually have really strong opinions about the decision to deploy your PAM solution in a from the cloud way. So it would depend on what you're thinking of when you think of from the cloud. First, you should think about what you're comfortable storing in the cloud and what secrets you really prefer to keep on premises. Of course, if you're considering a cloud ready PAM solution, then you should think about and check with your vendor of choice to make sure that they support their PAM solution in your cloud provider of choice, like AWS, Azure, or Google Cloud.
When thinking about the vault that contains the passwords and rotates your secrets, you still may want to consider something like a pretty hardened physical appliance to ensure that the encryption and security that you desire are completely covered. In the end, it may make the most sense to deploy your PAM solution in a hybrid model. So keeping the passwords and the rotation, the vault, on prem, and perhaps putting things like session management and other services where you're not storing data into the cloud. Those are my thoughts.
Thank you, Stacey. Bruce, how about the in the cloud or the SaaS privileged account management?
Yeah, so in the world of Privileged Account Management, or PAM, the SaaS market there is really in its infancy. We're beginning to see different types of solutions roll out in that area, but it still is relatively new. And for that reason, customers need to be cautious, since the risks are far greater when managing your most important privileged accounts from the cloud or in the cloud itself.
So at that point, organizations really need to define for themselves what their appetite for risk is. They've got to weigh what the benefits are that they're going to gain from having that solution in the cloud versus what the risks are. What level of trust do they have to have for that vendor? Because I think Stacey makes a good point about customers really needing to think twice about whether they really want to put the keys of their kingdom outside of their kingdom in some third party's environment.
Do they truly trust that? Legally, can they do it? What are the ramifications of doing that? Because again, these are the most important. This is the biggest vulnerability they may have, putting those types of credentials outside of their environment today. And is the technology that's being offered today as mature and as proven as you would trust?
So again, I think at that point, it may make more sense if you're risk averse to simplify your PAM solution by looking at a hardened appliance based approach, having that be something where you keep control of your secrets. That gives you the flexibility of easy management and control but still keeps it within your own secure environment, which you may have a greater sense of trust in than the market itself. So that's kind of where I would view PAM as far as in the cloud right now.
OK. It kind of still comes down to what's right for you. And most importantly in that scenario, what I heard is, what's your risk appetite for putting those secrets somewhere outside of your contained environment? So let's go ahead, we have a couple of tips to share with the audience. So why don't we go ahead and run that, and we'll come back and do some closing remarks.
Just as big trees start from small seeds, so should your cloud strategy. If terms like containerization, [INAUDIBLE] DevOps, continuous integration, continuous delivery, orchestration, or names like Docker, Kubernetes, Azure, AWS, or Google Cloud are new to you, then start small. Take time to learn about each of these.
Play with Docker. Complete a workshop using Docker's tutorials and playground. Try to point your container at Azure, AWS, or Google Cloud, or all three if you're not sure which you prefer. Graduate to experimenting with deploying and managing your containers using Kubernetes. At each step, you will encounter obstacles and will make mistakes. But by starting small and slow, you will gradually learn from these. You'll be better equipped to develop.
Thank you, Bruce, for those tips. And hopefully people will take them into consideration as they're moving into their strategy. Well, we've been discussing addressing extreme change, bringing the cloud into focus, and which is right for you: in the cloud, for the cloud, or from the cloud. I would like to get some final thoughts from our security experts here as we wrap this thing up. So Hicham, let's start with you. What are your final thoughts on the topics we've discussed?
Sure. So I truly believe that it's super important that your IGA program supports your cloud entitlements and permissions just as much as your legacy systems and existing [INAUDIBLE]. In fact, in my point of view, it's a really bad idea to reinvent IGA just for the cloud, where you would have to redefine all the fulfillment workflows. It would reset the governance policies and the compliance framework, and you would allow a specific access [INAUDIBLE] method with its own approval workflow.
As Bruce mentioned previously, Nestle felt so strongly about this that they developed a whole strategy around extending their investment in identity governance beyond on premise application to the cloud and SaaS applications that are used by internal and partner identities in order to ensure they're following unified governance, extend access control, ensure the compliance, and reduce the time taken to provision and de-provision user entitlements in those cloud applications.
Thank you very much. Good insight there. Stacey, how about your final thoughts on this?
Sure. Thanks for asking. So I believe that if a company examines their strengths, weaknesses, and goals, then the answer to their IGA cloud strategy questions will become evident. Think about the skills that you have in-house versus where you'll need support from outside experts. Consider the business problems that you're trying to solve and whether you'll need a highly customized solution.
And lastly, review your fiscal goals and determine how best they can be met using what you've learned about the pros and cons of each strategy. From the cloud is a way to utilize some of the advantages in cloud technologies while still owning your applications or having an expert own them on your behalf. So it gives you the flexibility for customization and is often a great fiscal choice. Thanks.
Thank you, Stacey. Bruce, some final thoughts?
Yeah, so as I kind of talked a little bit about, IGA in the cloud is still in its infancy, but it is maturing rapidly. So I think organizations need to take a cautious approach. Now's the time to begin developing a long term path to SaaS strategy to help guide your decisions in the coming years. But it's not an all or nothing endeavor. Organizations need to go at their own pace, make the changes when things make sense, and as the market matures and provides what you need. At that point, they can begin to transition to specific SaaS IGA solutions that make sense for them at the right time.
Yeah, again, it all goes back to the timing and what's right for you. As we say, we can't tell you what to do. We don't know what to do. But we can tell you what not to do. And that's: don't ignore what you already have in place. So look at some of the analysts out there. A couple of them at least said hybrid IGA may be the way to future proof your IGA program. So consider what you're doing now, and do the sessions, do the time, and you'll figure out what's right for your organization.
I want to thank you all for joining and thank my distinguished security experts there for their insight. Everyone will receive the ninja tip, as we talked about or showed earlier. Please feel free to email me or any one of the security experts if you have any questions. And again, thank you all for joining. Bye now.
[MUSIC PLAYING]