Hi. I'm Todd Peterson with One Identity. Today, we're going to do a little presentation called Security Starts Here, and figure out what here actually is and then ways to achieve security through this here thing. So to start off with, let's actually define what security is. I would say from an IT standpoint, security is all about getting a bunch of stuff right.
The things that you need to get right are make sure that the right people have the right access to the right things. Now, that could be Active Directory, it could be Azure Active Directory, could be any number of apps on prem, in the cloud, it could be servers like Unix and Linux, whatever. But there's a lot of stuff that you have to have people with the right access to the right stuff.
They need that access in the right time and in the right way, and the bottom line is you have to prove that all that access is right. So in other words, you have to be compliant with this access. So the right people, the right access to the right things at the right time in the right way, and you have to be able to prove that's all right. So the bottom line is if you think about that, the real common denominator across all those things is that it's identity.
So I would say that security starts with identity, so let's go to the next slide. So I'll just write ID here so we remember that that's what we're talking about. So there's a big difference between an identity and an account. Most people would assume that your account in Active Directory or your account in Salesforce or your account on a specific server is your identity. But there's more to it than that.
Your identity is actually your digital representation of you. So a single source of the truth that would be who you are and then that would translate into all the various accounts that you have access to. So I'd say identity is bigger than account, but let's talk a little bit about the difference between those and what actually happens with an account.
So in order for you to access stuff in the right way, there's a few things that have to happen. You have to have request, meaning somebody has to say, yeah, I want to give this person access to this thing. You have to have fulfillment, sometimes it's called provisioning, somebody has to go in and actually set you up in that account, and when they set you up, they do it with the correct entitlements or permissions or role, or whatever is used to decide what you can and can't do with that account that you've been granted on that specific system, and then somebody has to go in and do the certification to say that that was all done appropriately.
So once all that happens, then you have access and security can happen there. So let's walk through how this would happen with Active Directory. So new person's hired, somebody has to go in and request that the new person get their Active Directory account. Then that request somehow gets to some guy in IT. He's going to go in and do the fulfillment or the provisioning, just put you in the correct groups, and all that stuff, so you can do it, and then as they do that, there should be some concept of entitlements.
So what are the permissions, what are the rights that are associated with that account, so the what can you do, what can't you do within those, and then somebody is going to have to do the certification at some point to say, yeah, all that stuff happened correctly. So that's a pretty cumbersome process, especially in multiple systems. So in Active Directory, you dealt with the account, that could be considered the identity for that one thing, but now you have to do the same thing for Azure Active Directory.
So you've got the exact same four things happening, but now it's on a different account. So you're still the same person, but your account is different. Same thing happens with SAP. Same thing happens with Azure Web Services. Same thing with Unix and Linux, same thing with Workday, same thing with ServiceNow, same thing with everything that you've got.
So you've got all these accounts that are being dealt with, these things have to happen, request, fulfillment, entitlements, and certification across all this stuff, and it's really disjointed. It's really a mess, and so that's where people run into trouble. That's where the risk, that's where the compliance troubles come in, because it's not consistent. But we haven't even talked about the privileged accounts.
Every single one of these systems has a privileged account associated with it. Every one of those privileged accounts is probably going to be used by an individual that has an identity. So you've got this disconnect between the identity and the account that's going to cause you more trouble. So let's talk about how you could actually overcome this problem with basing things on identity.
So let's assume that we have decided there is an authoritative source, there is a single identity. There's someplace where that concept of, you are a person and this person has access to multiple things, exists. We could say as the HR system, it could be Active Directory in some cases, it could be some other directory. Bottom line is, there's a single identity. Imagine that identity isn't there behind all of the accounts that you have based on.
So you're going to do a thing called identity correlation. Basically what you've done is you said that all of these accounts are tied to the identity, they're not individual islands unto themselves. So correlating the identity gives you a single source of truth for entitlements. You can now