1
00:00:09,700 --> 00:00:13,000
You're listening to the Identity
at the Center podcast. This is 

2
00:00:13,000 --> 00:00:15,600
the show that talks about 
identity and access management 

3
00:00:15,700 --> 00:00:18,600
and making sure you know who has
access to what. Let's get 

4
00:00:18,600 --> 00:00:24,100
started. 
Welcome to the Identity at the 

5
00:00:24,100 --> 00:00:25,300
Center podcast. 
I'm Jeff. 

6
00:00:25,300 --> 00:00:26,400
And that's Jim. 
Hm. 

7
00:00:26,700 --> 00:00:27,900
Hey, Jeff. 
How are you? 

8
00:00:28,200 --> 00:00:30,500
Not bad, yourself? Good. 
Hey, I'm wondering. 

9
00:00:30,500 --> 00:00:32,900
Have you ever heard of a show 
called Game of Thrones? 

10
00:00:33,200 --> 00:00:36,100
No, what's it all about? 
Oh, it's really wild. 

11
00:00:36,100 --> 00:00:40,100
Anyway, there's this one episode
where there's a scene with a, 

12
00:00:40,100 --> 00:00:41,800
I think 
she's the queen, Cersei. 

13
00:00:42,100 --> 00:00:44,700
Yeah. 
And she has to walk through the 

14
00:00:44,700 --> 00:00:47,300
crowd and everybody's yelling 
shame, shame. 

15
00:00:47,400 --> 00:00:48,400
I don't know. 
Exactly. 

16
00:00:48,700 --> 00:00:50,800
It's burned into my consciousness,
right. 

17
00:00:50,900 --> 00:00:54,400
So anyway, I had a meeting 
yesterday with Mike Engle from 

18
00:00:54,400 --> 00:00:58,400
1Kosmos and he was, he had 
the idea of who should have the 

19
00:00:58,400 --> 00:01:02,300
authentication Wall of Shame. 
And, you know, the Identity at 

20
00:01:02,300 --> 00:01:05,099
the Center podcast, and 
certainly 1Kosmos, they're 

21
00:01:05,099 --> 00:01:08,500
not about throwing people under 
the bus, but we were going 

22
00:01:08,500 --> 00:01:11,700
through kind of some of his 
great examples 

23
00:01:11,800 --> 00:01:14,800
that would go in the Wall of Shame.
And let's just say, one was a 

24
00:01:14,800 --> 00:01:18,500
top Airline, and we talked about
this on one of the previous 

25
00:01:18,500 --> 00:01:21,700
episodes, right? 
Like their multi-factor 

26
00:01:21,700 --> 00:01:24,600
authentication is, is what is 
your dog's name? 

27
00:01:25,100 --> 00:01:28,400
Yeah, yeah, it's stuff 
like that. Like, that's not 

28
00:01:28,400 --> 00:01:30,900
good. 
That is not up to Modern 

29
00:01:30,900 --> 00:01:34,600
standards. 
Yeah, I'd love to use this 

30
00:01:34,600 --> 00:01:37,700
opportunity to call out United 
every time I can because as a 

31
00:01:37,900 --> 00:01:41,500
former United flyer now that 
I've moved to North Carolina, 

32
00:01:41,500 --> 00:01:45,600
that is not really a viable 
option for me. I always have 

33
00:01:45,600 --> 00:01:49,500
detested the way that they do 
their multi-factor because it's 

34
00:01:49,500 --> 00:01:53,100
always just knowledge-based and 
they have favorites and that 

35
00:01:53,100 --> 00:01:57,900
list of favorites changes. Stop using
favorites. If you have to 

36
00:01:57,900 --> 00:01:59,900
default back to a 
knowledge-based authentication, 

37
00:01:59,900 --> 00:02:03,800
please don't use favorites 
because they're just, they're 

38
00:02:03,800 --> 00:02:06,900
just terrible questions. 
And I think what, you 

39
00:02:06,900 --> 00:02:11,000
know, to add insult to injury, 
I think the password policy is 

40
00:02:11,000 --> 00:02:15,200
now like a 16 character 
password, which is probably 

41
00:02:15,200 --> 00:02:19,400
appropriate for an Enterprise 
but for a consumer site like 

42
00:02:19,800 --> 00:02:21,600
that's really painful. 
Yeah. 

43
00:02:21,600 --> 00:02:24,100
I mean, I get why, right? 
I mean, stronger passwords, but all

44
00:02:24,100 --> 00:02:27,200
that, all that means is that 
it's going to be a longer 

45
00:02:27,200 --> 00:02:30,800
password and probably more 
numbers at the end to sort of 

46
00:02:30,800 --> 00:02:32,900
differentiate. 
Yeah, it's funny. 

47
00:02:32,900 --> 00:02:34,000
You bring that up. 
That's what they got. 

48
00:02:34,000 --> 00:02:36,400
Because I've actually had a 
couple people reach out to me 

49
00:02:36,400 --> 00:02:41,100
this week, colleagues, asking 
about sort of the guidance for 

50
00:02:41,100 --> 00:02:46,600
password changes, and NIST put 
out guidance, I want to say in 

51
00:02:46,600 --> 00:02:52,600
2017 as part of 800-63B, to stop 
changing passwords randomly. 

52
00:02:52,600 --> 00:02:55,000
So like, oh, we change our 
passwords every 90 days, and 

53
00:02:55,008 --> 00:02:57,300
they have to be a minimum of eight
characters. 

54
00:02:57,700 --> 00:03:00,500
Three-of-four complexity, right, the
script thing at all. 

55
00:03:00,500 --> 00:03:01,900
It is. 
But something must be going on. 

56
00:03:01,900 --> 00:03:03,900
There must be some sort of 
assessments being done for some 

57
00:03:03,900 --> 00:03:06,100
of our clients and three 
different people reached out to 

58
00:03:06,108 --> 00:03:08,500
me saying, hey, what do you 
think about changing passwords? 

59
00:03:08,500 --> 00:03:11,600
And I will publicly say my 
answer here, I think it's 

60
00:03:11,600 --> 00:03:13,600
stupid. 
I don't think it adds any value,

61
00:03:13,700 --> 00:03:16,900
the only reason, and I agree with
NIST and Microsoft on this, 

62
00:03:17,300 --> 00:03:19,600
is the only time you change 
passwords is when you know that 

63
00:03:19,600 --> 00:03:23,100
there has been a compromise of 
that individual password. Having 

64
00:03:23,100 --> 00:03:26,800
people change it every 60 days, 
90 days, a year, whatever it is, 

65
00:03:26,800 --> 00:03:29,700
just because, it doesn't make any
sense. 

66
00:03:29,700 --> 00:03:33,300
It's terrible for the user 
experience. And my, my sort of 

67
00:03:33,300 --> 00:03:37,900
recommendation for IAM 
practitioners is like, don't try to

68
00:03:37,900 --> 00:03:44,000
roll your own 
IAM password policy, you 

69
00:03:44,000 --> 00:03:46,600
know, in other words like, oh, 
we're going to do 16 characters,

70
00:03:46,600 --> 00:03:47,800
but we're still going to make 
people 

71
00:03:47,800 --> 00:03:51,800
change their password 
every 90 days, and we're going 

72
00:03:51,800 --> 00:03:54,900
to require, you know, all this 
different stuff, but we're not 

73
00:03:54,900 --> 00:03:57,800
going to do the, you know, 
dictionary checks. 

74
00:03:57,800 --> 00:04:00,300
because we don't have the 
technology in place. Like, that's

75
00:04:00,300 --> 00:04:03,500
roll your own. 
So if you get compromised, you 

76
00:04:03,500 --> 00:04:07,500
can't point back and say we 
followed the best practice, and I 

77
00:04:07,500 --> 00:04:11,500
think you really need to be able
to point back and say 

78
00:04:11,700 --> 00:04:14,300
this is the practice we follow, 
which was the NIST guideline. 

79
00:04:15,500 --> 00:04:18,399
Well, fortunately though, right,
this is the year the password 

80
00:04:18,399 --> 00:04:22,700
dies again, so, you know, this 
is like take 12, 

81
00:04:22,800 --> 00:04:25,100
I think, of the password, but 
maybe we're getting closer. 

82
00:04:25,100 --> 00:04:27,900
We'll see. Yeah, password 
discussion fatigue. 

83
00:04:29,600 --> 00:04:32,700
Hey, the other thing I wanted to
mention, so a good friend of ours,

84
00:04:32,800 --> 00:04:38,100
Arturo Cordoba, who was the 
IAM lead 

85
00:04:38,100 --> 00:04:41,100
when we did a project way in the
past. Anyway, he moved to the 

86
00:04:41,100 --> 00:04:47,000
United States and Arturo and I 
are meeting up this weekend. 

87
00:04:47,000 --> 00:04:48,500
I haven't seen him in a few 
years. 

88
00:04:48,700 --> 00:04:52,700
He grew up in Mexico and the 
only American 

89
00:04:52,900 --> 00:04:56,800
TV station that he had was TBS. 
So he became a huge Atlanta 

90
00:04:56,800 --> 00:04:59,300
Braves fan back when they stunk 
really bad. 

91
00:04:59,300 --> 00:05:02,900
Well, they're really good now and
he lives in North Carolina and 

92
00:05:02,900 --> 00:05:06,000
he's coming to visit me and then
we're going to go to an Atlanta 

93
00:05:06,000 --> 00:05:09,200
Braves game tomorrow. 
So shout out to Arturo. 

94
00:05:09,200 --> 00:05:13,100
I know he still listens to the 
show, and I'm looking forward to this

95
00:05:13,100 --> 00:05:14,300
weekend. 
Yeah. 

96
00:05:14,300 --> 00:05:16,300
Arturo's good people, really 
smart. 

97
00:05:17,600 --> 00:05:19,400
Yes, that'll be, that'll be a lot
of fun. 

98
00:05:19,400 --> 00:05:22,300
It's always cool. 
Like you kind of peel back the 

99
00:05:22,308 --> 00:05:24,400
curtain, right? 
We do identity consulting during

100
00:05:24,400 --> 00:05:26,200
the day, but every once in a 
while, right? 

101
00:05:26,200 --> 00:05:30,100
You'll just hit it off with a 
client and, you know, you become

102
00:05:30,100 --> 00:05:33,900
friends rather than just, you 
know, a client relationship, you

103
00:05:33,900 --> 00:05:36,000
know. 
And that, in terms of Arturo, 

104
00:05:36,000 --> 00:05:37,200
definitely fits into that 
category. 

105
00:05:37,200 --> 00:05:41,000
So very happy for him. 
Even if you are going to go see 

106
00:05:41,000 --> 00:05:44,400
a baseball game. 
Well, hey, that's what Arturo 

107
00:05:44,400 --> 00:05:46,100
and I like to do. 
Yeah. 

108
00:05:46,100 --> 00:05:48,900
That's, that's totally cool. 
We got some other things that 

109
00:05:48,900 --> 00:05:51,000
are going on. 
We've got the Authenticate 

110
00:05:51,008 --> 00:05:55,100
conference coming up. 
You and I will be there, maybe 

111
00:05:55,100 --> 00:05:57,700
doing some podcasting, we're 
hoping we're working with our 

112
00:05:57,700 --> 00:06:00,700
friends over at FIDO to help us 
get that set up. 

113
00:06:01,000 --> 00:06:04,100
We've also got Oktane in 
November, so we'll be in San 

114
00:06:04,100 --> 00:06:06,700
Francisco for that. 
Still figuring out how that 

115
00:06:06,700 --> 00:06:09,000
might potentially work, but the 
idea is to maybe record some 

116
00:06:09,000 --> 00:06:10,900
episodes. 
So if you're listening and 

117
00:06:10,900 --> 00:06:14,300
you'll be at either of those 
events, you know, definitely hit

118
00:06:14,300 --> 00:06:16,800
us up on LinkedIn. 
We'd love to fist bump or say 

119
00:06:16,800 --> 00:06:19,600
hello or even, maybe sit down 
and have an identity 

120
00:06:19,600 --> 00:06:22,400
conversation of some sort, put 
it in the books, 

121
00:06:22,400 --> 00:06:24,700
so to speak. 
Yeah, absolutely. 

122
00:06:24,700 --> 00:06:27,600
I mean, it is always great to, 
you know, especially people 

123
00:06:27,600 --> 00:06:30,400
listen to the podcast and kind 
of have some thoughts or some 

124
00:06:30,700 --> 00:06:33,800
recommendations, you know, we'd 
love to hear them or, you know, 

125
00:06:33,800 --> 00:06:35,600
like you said, just meet in 
person. 

126
00:06:36,400 --> 00:06:40,000
Yeah, I can't say that we will 
act on the recommendation, or 

127
00:06:40,700 --> 00:06:43,500
maybe we may disagree. 
But we're happy to take it under

128
00:06:43,500 --> 00:06:46,100
advisement and make 
adjustments as needed. 

129
00:06:47,000 --> 00:06:48,300
Should we get to our main topic 
today? 

130
00:06:48,300 --> 00:06:51,100
Because I think we wanted to 
talk through identity and access

131
00:06:51,100 --> 00:06:54,800
management for the cloud. 
And why don't we go ahead and 

132
00:06:54,800 --> 00:06:57,000
introduce our guest? 
His name is Jay Clauser. 

133
00:06:57,000 --> 00:07:00,400
He's the head of global sales 
engineering and tech alliances 

134
00:07:00,400 --> 00:07:01,800
with Britive. Welcome to the 
show, 

135
00:07:01,800 --> 00:07:04,700
Jay. 
Jeff, Jim, thank you so much. 

136
00:07:04,700 --> 00:07:06,200
Appreciate you having me on 
today. 

137
00:07:06,900 --> 00:07:09,100
Yeah, thanks so much for joining
us, and this topic that we're 

138
00:07:09,100 --> 00:07:12,000
going to get into, identity for 
the cloud, is something that 

139
00:07:12,000 --> 00:07:13,700
we've hit on a few times in the 
past. 

140
00:07:13,700 --> 00:07:17,500
So I'm excited to go through 
sort of this conversation with 

141
00:07:17,500 --> 00:07:20,800
you as one of the experts in 
this area, but before we get to 

142
00:07:20,800 --> 00:07:22,800
that, we always like to find out
the origin 

143
00:07:23,000 --> 00:07:26,800
for the IAM heroes of the 
world that are out there doing 

144
00:07:26,800 --> 00:07:30,300
the work day in, day out. 
How did you get into identity 

145
00:07:30,300 --> 00:07:33,100
and access management? 
Is it something that you chose 

146
00:07:33,500 --> 00:07:36,100
or did it choose you? 
Yeah, that's a good question. 

147
00:07:36,100 --> 00:07:40,100
I mean, to be honest, I kind of 
chose identity and access 

148
00:07:40,100 --> 00:07:44,400
management. 
You know, my kind of expertise 

149
00:07:44,400 --> 00:07:47,700
and history, 
it really started on more of 

150
00:07:47,700 --> 00:07:50,500
the endpoint security, 
right? 

151
00:07:50,500 --> 00:07:54,400
Understanding the risk there 
and then kind of moving more 

152
00:07:54,400 --> 00:07:57,400
into the zero trust network 
access space, right? 

153
00:07:57,400 --> 00:08:03,100
And so, you know, I really 
was interested in getting into 

154
00:08:03,100 --> 00:08:06,900
both identity and cloud. 
I really felt like, you know, as I

155
00:08:06,900 --> 00:08:11,500
looked at a new skill and a 
new area to grow my expertise, 

156
00:08:11,500 --> 00:08:15,000
moving into both of those is 
really the future, right? 

157
00:08:15,000 --> 00:08:17,400
Because, you know, zero trust 
network 

158
00:08:17,400 --> 00:08:21,400
access is at the foundation of 
the zero trust movement. 

159
00:08:21,400 --> 00:08:23,800
But I feel like the goal 
line is 

160
00:08:23,800 --> 00:08:27,300
moving a little bit, and the 
managed network is becoming less

161
00:08:27,300 --> 00:08:32,500
and less prevalent, and really 
cloud and identity is where zero

162
00:08:32,500 --> 00:08:35,500
trust is going to be the 
future of being implemented. 

163
00:08:35,700 --> 00:08:39,799
And so I found Britive 
because it kind of met both of 

164
00:08:39,799 --> 00:08:43,100
those needs, right? 
It was really looking at cloud 

165
00:08:43,100 --> 00:08:48,100
native, cloud forward 
technologies as well as, you 

166
00:08:48,100 --> 00:08:54,500
know, providing a new way of 
managing identity in the cloud, 

167
00:08:54,500 --> 00:08:56,900
right, and really looking at 
separating out that 

168
00:08:57,000 --> 00:09:01,500
authentication and authorization,
which I kind of find akin to 

169
00:09:01,500 --> 00:09:03,900
a zero trust, you know, framework,
right. 

170
00:09:03,900 --> 00:09:06,200
You kind of think of the data 
plane and the control plane, and I

171
00:09:06,208 --> 00:09:09,700
think of authentication as the 
data plane and kind of Britive, 

172
00:09:09,700 --> 00:09:12,200
or authorization as the control 
plane. 

173
00:09:12,200 --> 00:09:16,600
So yeah, I chose it actually, and
I'm excited to be in the space 

174
00:09:16,600 --> 00:09:19,200
now. 
So you mentioned Britive. We 

175
00:09:19,200 --> 00:09:22,400
had John Morton on, oh, about a 
year ago or so. It would have 

176
00:09:22,400 --> 00:09:28,700
been Episode 115, October 21, 
2021, when we had that 

177
00:09:28,700 --> 00:09:31,600
conversation, but for those who 
aren't familiar with Britive, 

178
00:09:31,800 --> 00:09:33,900
what does Britive do? 
Yeah. 

179
00:09:33,900 --> 00:09:37,300
Thanks, you know, so, yep. 
John's a great colleague of mine,

180
00:09:37,300 --> 00:09:40,300
love working with him. 
He's now our field CTO. 

181
00:09:40,300 --> 00:09:43,400
So we're continuing to grow. 
And really what Britive does 

182
00:09:43,400 --> 00:09:48,900
is, you know, we provide a 
unified privileged access 

183
00:09:48,900 --> 00:09:52,700
management, or really just access
management, you know, 

184
00:09:52,800 --> 00:09:56,900
platform for the broader cloud. 
So that is, you know, the 

185
00:09:56,900 --> 00:10:01,400
ability to, both through 
visibility, understand the 

186
00:10:01,400 --> 00:10:05,700
identity landscape across cloud 
solutions, who has access to what,

187
00:10:05,700 --> 00:10:08,600
what are the identities and 
the entitlements out there, and 

188
00:10:08,600 --> 00:10:12,600
more importantly, which of 
those identities 

189
00:10:12,600 --> 00:10:16,000
have standing privileges or 
standing access, 

190
00:10:16,000 --> 00:10:18,200
because that's really the 
risk, you know, where the risk 

191
00:10:18,300 --> 00:10:22,100
lies. 
And so, in the end, what we 

192
00:10:22,100 --> 00:10:26,400
really help customers to do is 
implement a just-in-time, 

193
00:10:26,400 --> 00:10:30,400
ephemeral access model across a 
broad set of cloud services, 

194
00:10:30,400 --> 00:10:32,500
right? 
Reducing that standing access 

195
00:10:32,500 --> 00:10:36,400
and really with a goal of 
getting to zero standing access where

196
00:10:36,400 --> 00:10:39,600
possible, and then also, obviously,
like we'll touch on some of the 

197
00:10:39,600 --> 00:10:44,200
things today, just, you know, 
really embracing and adapting to,

198
00:10:44,900 --> 00:10:48,300
fitting in with the way the 
cloud works from, you know, 

199
00:10:48,300 --> 00:10:50,800
an automation 
standpoint has really been key 

200
00:10:50,800 --> 00:10:53,500
to that, but in the end it's 
really about, you know, 

201
00:10:53,500 --> 00:10:56,700
meeting business needs while 
also improving security through 

202
00:10:56,700 --> 00:11:00,400
just-in-time ephemeral access 
across those cloud services. 

203
00:11:01,700 --> 00:11:04,400
So, we have this concept of 
IAM in the cloud we're going to 

204
00:11:04,400 --> 00:11:08,300
get through, and we've touched 
on topics like CIEM, cloud 

205
00:11:08,300 --> 00:11:12,100
infrastructure entitlement 
management, and DREAM, which is 

206
00:11:12,100 --> 00:11:14,200
dynamic resource entitlement and 
access management. 

207
00:11:14,200 --> 00:11:18,400
We talked with Gal Diskin from 
Authomize back on episode 

208
00:11:18,400 --> 00:11:22,400
number 98 about the CIEM topic. 
We talked with Paul Fischer from 

209
00:11:22,400 --> 00:11:24,600
KuppingerCole 
on Episode 136. 

210
00:11:24,600 --> 00:11:27,700
So that was March earlier this 
year, 2022. 

211
00:11:28,100 --> 00:11:31,800
So we've got CIEM. 
We've got DREAM. I guess, just to

212
00:11:31,800 --> 00:11:35,700
kind of help level set, why is 
managing identity in the cloud 

213
00:11:35,700 --> 00:11:39,800
different compared to, maybe, you
know, on-premise or application,

214
00:11:39,800 --> 00:11:42,900
yeah, on-premise type environments?
Yeah, good question. 

215
00:11:42,900 --> 00:11:46,400
I mean, I think it starts with 
just how things operate in the 

216
00:11:46,400 --> 00:11:49,000
cloud, right? 
Fundamentally, the cloud was kind

217
00:11:49,000 --> 00:11:52,700
of born out of, you know, DevOps 
and DevSecOps. 

218
00:11:52,800 --> 00:11:55,100
And I think, you know, when you 

219
00:11:55,100 --> 00:11:59,800
look at the cloud, it's, it's 
very fluid, right? In and of 

220
00:11:59,800 --> 00:12:02,500
itself, a lot of cloud services 
are ephemeral. 

221
00:12:02,500 --> 00:12:05,700
Meaning that, you know, services 
are spun up, they're short-lived.

222
00:12:05,700 --> 00:12:10,700
And so, you know, along with 
that, the different cloud 

223
00:12:10,700 --> 00:12:15,100
providers have built out 
their own identity and access 

224
00:12:15,100 --> 00:12:17,900
management mechanisms or 
constructs, whatever you want to 

225
00:12:17,900 --> 00:12:22,000
say. 
That's why it's so difficult, 

226
00:12:22,000 --> 00:12:25,600
I think, to try to translate the 
on-prem concepts and some of the

227
00:12:25,600 --> 00:12:28,500
on-prem tooling to adapt to the 
cloud. 

228
00:12:28,500 --> 00:12:33,800
Because again, you know, in the 
cloud, you know, the 

229
00:12:33,800 --> 00:12:36,300
resources are short-lived. 
So the identities that go along 

230
00:12:36,300 --> 00:12:41,500
with those are also short-lived, and
then, you know, more and more, as I

231
00:12:41,500 --> 00:12:45,600
mentioned, you know, how AWS 
works with things like role 

232
00:12:45,600 --> 00:12:48,800
assumption and permission 
boundaries is fundamentally 

233
00:12:48,800 --> 00:12:52,700
different 
to how GCP works or Azure 

234
00:12:52,800 --> 00:12:56,400
works with managed identities. 
And so it's been really, I think,

235
00:12:56,400 --> 00:13:01,800
a challenge to adapt kind of 
traditional thinking about kind 

236
00:13:01,800 --> 00:13:06,300
of who has access to what 
on-prem to who has access to 

237
00:13:06,300 --> 00:13:10,600
what in the cloud, and with the,
you know, the as-code, I think, 

238
00:13:10,600 --> 00:13:13,700
mindset and framework. 
Now it's what has access to 

239
00:13:13,700 --> 00:13:16,100
what, right? 
I mean, it's not only humans. 

240
00:13:16,100 --> 00:13:19,400
We get that, you know, very much,
if not more, of the identities 

241
00:13:19,700 --> 00:13:22,600
that exist are now moving to 
workloads 

242
00:13:22,900 --> 00:13:26,400
and to machine identities. 
And so I think it's just, it's a 

243
00:13:26,408 --> 00:13:30,800
new concept and it's difficult 
to, you know, have a single 

244
00:13:30,800 --> 00:13:35,400
expert who understands how these
different IAM controls and 

245
00:13:35,400 --> 00:13:39,000
capabilities work across the 
different cloud services, 

246
00:13:39,000 --> 00:13:42,600
whether that's infrastructure as
a service, you know, with GCP, 

247
00:13:42,600 --> 00:13:47,100
Azure, you know, and AWS, or even,
you know, kind of these new 

248
00:13:47,100 --> 00:13:50,000
cloud services that are being 
built into applications. 

249
00:13:50,000 --> 00:13:52,600
You know, things like Snowflake 
and data as a service, 

250
00:13:52,800 --> 00:13:56,300
or, you know, you know, 
ServiceNow, Haka, so on and so 

251
00:13:56,300 --> 00:13:58,400
forth. 
So it's just different, right? 

252
00:13:58,400 --> 00:14:00,800
And it takes a lot of time to 
understand that. 

253
00:14:01,700 --> 00:14:03,600
Yeah, that was the episode we 
did with John. 

254
00:14:03,600 --> 00:14:06,800
We called, 
we said, the cloud is different, 

255
00:14:06,800 --> 00:14:08,800
right? 
So, that was the title of that 

256
00:14:08,800 --> 00:14:11,200
episode. 
But I'd like to take us kind of 

257
00:14:11,200 --> 00:14:15,500
back to basics and start at the 
very foundational level. 

258
00:14:15,500 --> 00:14:19,700
So if I'm a CISO, my 
organization has either 

259
00:14:19,700 --> 00:14:24,800
adopted the cloud or is in the 
process of adopting the cloud. 

260
00:14:24,800 --> 00:14:29,000
I'm looking at this cloud 
infrastructure as an extension 

261
00:14:29,000 --> 00:14:33,200
of my IT environment and over 
time I've made investments in 

262
00:14:33,400 --> 00:14:36,700
other IAM technology. 
So an access manager, you know,

263
00:14:36,700 --> 00:14:41,500
our single sign-on, an IGA tool, 
our privileged access management

264
00:14:41,500 --> 00:14:45,200
tool. 
Why can't I use those tools to 

265
00:14:45,200 --> 00:14:48,700
manage the cloud infrastructure 
just like I did my on-premise 

266
00:14:48,700 --> 00:14:52,600
infrastructure? And, or maybe the
better question to ask is, like,

267
00:14:52,800 --> 00:14:56,500
how far can those tools 
take me, and where, where can 

268
00:14:56,500 --> 00:14:58,900
they not get me? 
Yeah, really good questions. 

269
00:14:58,900 --> 00:15:01,500
Um, I mean, I think it starts 
with what we just touched on. 

270
00:15:01,600 --> 00:15:06,100
It's fundamentally different. 
And so, you know, understanding 

271
00:15:06,100 --> 00:15:11,100
and having tooling that fits in 
with the way that the cloud 

272
00:15:11,100 --> 00:15:13,500
works, I think, is important to 
that, right? 

273
00:15:13,500 --> 00:15:17,700
So it doesn't mean that there's,
you know, that there's, let's, 

274
00:15:17,700 --> 00:15:22,000
let's abandon any of those tools,
and, you know, many companies have

275
00:15:22,000 --> 00:15:30,200
put in very, you know, 
comprehensive IGA programs and 

276
00:15:30,200 --> 00:15:33,400
solutions. It's really about 
making sure whatever you choose 

277
00:15:33,400 --> 00:15:36,700
integrates with those solutions,
right, and extends those 

278
00:15:36,700 --> 00:15:38,800
solutions. 
And I think that's a big piece, 

279
00:15:38,800 --> 00:15:42,400
if you kind of look at cloud and
why it's different, you know, 

280
00:15:43,100 --> 00:15:46,900
you talk about, you know, that, 
that integration network, 

281
00:15:46,900 --> 00:15:50,700
everything kind of is very much 
API native, it's very 

282
00:15:50,700 --> 00:15:54,500
extensible, it's very easy. 
So, so, I don't think that, you 

283
00:15:54,500 --> 00:15:58,100
know, as an IAM team looks at 
getting their, their hands 

284
00:15:58,100 --> 00:16:00,400
around the cloud, 
it's not, let's abandon what we've

285
00:16:00,400 --> 00:16:02,100
done. 
It's, let's look for 

286
00:16:02,100 --> 00:16:05,600
opportunities to find, you know,
tooling or solutions that can 

287
00:16:05,600 --> 00:16:11,000
enable us to meet the needs of 
that development team, right, 

288
00:16:11,000 --> 00:16:13,400
without interrupting their 
productivity. 

289
00:16:13,400 --> 00:16:17,900
Because I think what I've seen 
is that in many ways, the cloud 

290
00:16:17,900 --> 00:16:21,100
just kind of took off, right? 
The developers were doing their 

291
00:16:21,100 --> 00:16:24,700
own thing, and the unfortunate 
reality is sometimes the 

292
00:16:24,700 --> 00:16:28,200
identity and access management 
team wasn't really plugged into 

293
00:16:28,200 --> 00:16:32,400
what was happening there, right.
And so they built out this very,

294
00:16:32,400 --> 00:16:39,100
you know, comprehensive and very
automated workflow and pipeline.

295
00:16:39,100 --> 00:16:42,300
And like you're saying now, Jim,
now all of a sudden, the 

296
00:16:42,300 --> 00:16:45,300
identity team is being charged 
with making sure, you know, it's

297
00:16:45,300 --> 00:16:48,700
properly managed. 
And so that, I think, is the 

298
00:16:48,700 --> 00:16:52,000
balance and the challenge. 
It's, you know, how can we 

299
00:16:52,000 --> 00:16:56,100
integrate our current 
identity ecosystem, whether 

300
00:16:56,100 --> 00:16:58,700
that's an authentication or 
IdP 

301
00:16:58,700 --> 00:17:02,600
or IGA, you know, maybe our 
current PAM for certain things. 

302
00:17:02,900 --> 00:17:08,300
But how can we implement that, 
I'm sorry, keep that, while 

303
00:17:08,400 --> 00:17:11,700
adding on the, 
you know, the proper solutions 

304
00:17:11,700 --> 00:17:14,000
to meet the needs of those 
developers. 

305
00:17:14,400 --> 00:17:15,400
and meet the needs of the 
business, 

306
00:17:15,400 --> 00:17:16,400
ultimately, 
right. 

307
00:17:16,400 --> 00:17:19,900
Because if we implement 
something that interrupts what's

308
00:17:19,900 --> 00:17:22,599
happening on that, you know, 
DevOps pipeline 

309
00:17:22,700 --> 00:17:26,700
that's delivering, you know, 
revenue generation, that's going 

310
00:17:26,700 --> 00:17:29,500
to be a challenge, right? 
So it's about looking at and 

311
00:17:29,500 --> 00:17:32,900
extending, I think, the current 
identity and access management 

312
00:17:32,900 --> 00:17:38,200
programs and integrating any 
solution that you have to meet 

313
00:17:38,200 --> 00:17:40,000
the needs of those developers. 
Yeah. 

314
00:17:40,000 --> 00:17:43,000
That makes a lot of sense to me.
I mean, when I think about the 

315
00:17:43,000 --> 00:17:47,500
cloud infrastructure, I think, 
okay, the scope is also 

316
00:17:47,500 --> 00:17:51,600
different, especially, I mean, if
you kind of look at the cloud 

317
00:17:51,600 --> 00:17:54,500
and say we're going to lift and 
shift what we have. 

318
00:17:54,500 --> 00:17:57,400
We're not going to step into the
future, we're just going to host

319
00:17:57,400 --> 00:18:00,800
it in AWS or in Azure or 
Google Cloud. 

320
00:18:00,800 --> 00:18:02,400
We're not going to change the 
applications. 

321
00:18:02,400 --> 00:18:07,000
We're going to keep all the same
tiers in place. Then probably 

322
00:18:07,000 --> 00:18:10,000
you can get more out of your 
traditional IAM tools because 

323
00:18:10,000 --> 00:18:12,700
they don't have to do that. 
However, if you're moving to, 

324
00:18:13,700 --> 00:18:17,400
you know, more modern architecture
using containers, if you're 

325
00:18:17,400 --> 00:18:21,400
using that, that pipeline you 
talked about, or infrastructure as

326
00:18:21,400 --> 00:18:25,200
code, you start introducing a 
much greater need for what you 

327
00:18:25,200 --> 00:18:27,700
talked about earlier which is 
the machine identities. 

328
00:18:27,900 --> 00:18:31,300
I think that the IAM tools that 
we have today do a really good 

329
00:18:31,300 --> 00:18:34,200
job at managing the human 
identities. 

330
00:18:34,700 --> 00:18:39,000
It's these machine identities 
and platforms that, you know, 

331
00:18:39,100 --> 00:18:41,500
with the human identity we're 
looking at an authoritative 

332
00:18:41,500 --> 00:18:45,500
source, like who is the human 
being, the carbon-based 

333
00:18:45,500 --> 00:18:49,700
life-form, as some people like to
say, that we're trying to manage 

334
00:18:50,000 --> 00:18:55,200
their access, whereas these 
machine accounts are being spun 

335
00:18:55,200 --> 00:18:59,400
up by application platforms, you
know, like a Terraform or 

336
00:18:59,400 --> 00:19:02,900
something that is just creating the
account it needs while it 

337
00:19:03,000 --> 00:19:05,600
spins up 
the infrastructure, and then 

338
00:19:05,700 --> 00:19:08,100
when it destroys the 
infrastructure, the idea is that it

339
00:19:08,100 --> 00:19:13,500
would destroy the account. That's
completely foreign to what we've

340
00:19:13,500 --> 00:19:17,700
had, you know, ten years ago or 
how we managed it in the past, 

341
00:19:17,700 --> 00:19:21,300
traditionally speaking. 
So let me turn this into a 

342
00:19:21,308 --> 00:19:24,200
question, because I think this 
human versus machine 

343
00:19:24,200 --> 00:19:28,600
identity is really the biggest 
crux of the issue. 

344
00:19:28,800 --> 00:19:31,900
Maybe even just start with what 
is a machine identity. 

345
00:19:31,900 --> 00:19:36,000
How do you define a machine 
identity, and then add any flavor

346
00:19:36,000 --> 00:19:39,700
to anything 
I just said? Yeah, I know, it's a

347
00:19:39,700 --> 00:19:41,200
good question. 
I don't know that 

348
00:19:41,200 --> 00:19:44,300
anybody has the, the 
uber, right, 

349
00:19:44,300 --> 00:19:45,800
definition of a machine 
identity. 

350
00:19:45,800 --> 00:19:48,400
I do think it's a little bit, 
you know. 

351
00:19:49,100 --> 00:19:52,500
Different terms are used, right?
You have the, the RPAs 

352
00:19:52,700 --> 00:19:56,400
for robotic processes, you 
have, you know, workloads, you 

353
00:19:56,400 --> 00:19:59,900
have containers, you have 
scripts, right? 

354
00:19:59,900 --> 00:20:04,300
And so, you know, if you have 
all these different names, I 

355
00:20:04,300 --> 00:20:08,500
mean, I look at a machine 
identity as, you know, you know, 

356
00:20:08,500 --> 00:20:11,800
I think any one of those, and 
actually I was, we were all at 

357
00:20:11,800 --> 00:20:15,200
Gartner IAM, and I think I'm 
going to do a shout out back to 

358
00:20:15,200 --> 00:20:18,000
that. It was, you know, in one 
of the, one of the sessions 

359
00:20:18,000 --> 00:20:22,500
about machine identities and it 
was kind of like anything that 

360
00:20:23,100 --> 00:20:28,500
You know, is basically a 
workload is code, you know, is 

361
00:20:28,500 --> 00:20:32,800
is really, you know, non-human 
and non not a device. 

362
00:20:32,800 --> 00:20:35,100
So it's kind of like they 
bucketed machine identities 

363
00:20:35,100 --> 00:20:36,400
into two. 
There's two kinds of machine 

364
00:20:36,400 --> 00:20:39,200
identities. Devices, right? 
That's like, you know, my phone,

365
00:20:39,200 --> 00:20:41,900
my VM now. 
Those are pretty well defined. 

366
00:20:42,200 --> 00:20:45,200
But then, I think the flip side 
of that are all of the 

367
00:20:45,200 --> 00:20:48,700
programmatic processes, right? 
The workloads, the 

368
00:20:48:700 --> 00:20:52,700
pipelines, the, you know, the 
robotic processes, all of 

369
00:20:52,700 --> 00:20:54,700
that. 
And it's really, like you said, 

370
00:20:54,700 --> 00:21:00,200
it's a, you know, it's a 
process that gets run 

371
00:21:00,200 --> 00:21:04,500
programmatically and it doesn't 
necessarily have a human on 

372
00:21:04,500 --> 00:21:06,500
the other side executing it 
right? 

373
00:21:07,100 --> 00:21:09,000
And I think there's 
fundamentally different 

374
00:21:09,000 --> 00:21:12,800
challenges from the identity 
side around that, right? 

375
00:21:12,800 --> 00:21:18,300
Like with humans, the, you know, 
the pattern of usage is much 

376
00:21:18,300 --> 00:21:20,600
less predictable because we're 
humans, we're doing different 

377
00:21:20,600 --> 00:21:21,400
things. 
Right? 

378
00:21:21,600 --> 00:21:25,400
The important thing when you talk 
about identity and managing 

379
00:21:25,400 --> 00:21:28,400
these machine identities is 
much more around the 

380
00:21:28,400 --> 00:21:29,600
observability. 
Right? 

381
00:21:29,600 --> 00:21:31,800
What is it doing? 
Is it doing something different?

382
00:21:31,800 --> 00:21:34,100
Because it's a machine, it 
should be doing the same thing 

383
00:21:34,100 --> 00:21:35,600
for the most part. 
It's, you know, it's 

384
00:21:35,600 --> 00:21:40,200
understanding, it's understanding 
that as an important factor in 

385
00:21:40,200 --> 00:21:44,500
securing that identity, much more
than, you know, looking at, you 

386
00:21:44,500 --> 00:21:49,100
know, having that 
extra MFA or whatever, right. 

387
00:21:49,100 --> 00:21:51,300
It's, it's, it's a, it's an 
interesting space. 

388
00:21:51,300 --> 00:21:55,200
And then, you know, kind of, 
as we talked about, I think 

389
00:21:55,200 --> 00:21:58,900
the ultimate goal is really 
to get machine identities to 

390
00:21:58,900 --> 00:22:02,400
start using, you know, ephemeral
credentials, things like, you 

391
00:22:02,400 --> 00:22:08,500
know, OIDC instead of a token, right, 
and/or, you know, generation 

392
00:22:08,500 --> 00:22:12,400
of a session token, an STS 
token, when they need to connect

393
00:22:12,400 --> 00:22:16,900
because you know, ultimately 
anytime you have standing access

394
00:22:16,900 --> 00:22:20,200
keys on these machine 
identities, it's a massive risk 

395
00:22:20,200 --> 00:22:22,300
because again, it's not 
associated with a human, it's 

396
00:22:22,300 --> 00:22:24,500
hard to 
find the owner of that machine 

397
00:22:24,500 --> 00:22:27,000
identity sometimes. 
So, you know, I think those are 

398
00:22:27,000 --> 00:22:30,400
some of the, how I, there's 
probably much more, Jim, than what

399
00:22:30,400 --> 00:22:32,800
you asked about, how do I define
it, but I think that's kind of 

400
00:22:33,600 --> 00:22:36,900
how I define it, and 
also, why is it a 

401
00:22:36,900 --> 00:22:40,200
fundamentally different way of 
thinking about them? 

402
00:22:40,200 --> 00:22:44,400
And why is it posing a challenge
for the traditional 

403
00:22:44,800 --> 00:22:48,100
IAM teams who are now being 
charged with, you know, managing

404
00:22:48,100 --> 00:22:51,300
and controlling these 
identities, you know? 

405
00:22:51,300 --> 00:22:55,800
It's just a new 
concept to learn about and 

406
00:22:55,800 --> 00:22:58,100
understand. 
J, when I was talking, when I kind of

407
00:22:58,100 --> 00:23:01,400
introduced the idea, 
I was talking about, you know, 

408
00:23:01,400 --> 00:23:05,200
the CISO perspective that, 
hey, the cloud is really just an

409
00:23:05,200 --> 00:23:09,200
extension of my IT environment. 
In other words, or another way to

410
00:23:09,208 --> 00:23:13,500
look at it is, I've got certain 
business objectives to achieve. 

411
00:23:13,600 --> 00:23:18,100
I need to do this compliant, you
know, I have to be compliant, I 

412
00:23:18,100 --> 00:23:21,400
have to be secure, not only in 
my internal data center, but 

413
00:23:21,400 --> 00:23:24,300
also my cloud data 
center, or my cloud 

414
00:23:24,300 --> 00:23:25,700
infrastructure, whatever you 
want to call it. 

415
00:23:25,700 --> 00:23:29,200
Sometimes people correct me when
I call it a cloud data center, it's

416
00:23:29,200 --> 00:23:33,500
so different, but my business 
objective is kind of the same, 

417
00:23:33,900 --> 00:23:38,500
and then when I, you know, kind 
of put on my controls hat. 

418
00:23:38,500 --> 00:23:42,900
I think about detective controls
and preventive controls. 

419
00:23:43,100 --> 00:23:46,500
I kind of feel like this, you 
know, CIEM technology really 

420
00:23:46,500 --> 00:23:50,500
helps us on the detective side, 
identifying accounts that are 

421
00:23:50,800 --> 00:23:54,500
over-provisioned, roles that are 
not being used, things like that,

422
00:23:54,500 --> 00:23:57,100
accounts that are not being used
that potentially can go out 

423
00:23:57,100 --> 00:23:59,900
there and just act with that access,
right? 

424
00:23:59,900 --> 00:24:04,100
But that's happening, you 
know, months after. It's kind of 

425
00:24:04,100 --> 00:24:08,400
like the account's been sitting 
there in an over-provisioned state,

426
00:24:08,600 --> 00:24:11,500
and the issue with that, 
from again, the CISO 

427
00:24:11,500 --> 00:24:14,900
hat, 
trying to make my environment 

428
00:24:14,900 --> 00:24:20,300
more secure, right, 
my business objective is, no, 

429
00:24:20,400 --> 00:24:22,400
I've got an expanded attack 
surface. 

430
00:24:22,600 --> 00:24:27,500
All right, so what can I do 
preventatively to make sure I 

431
00:24:27,500 --> 00:24:30,400
don't have over-provisioned 
accounts in the first place, or 

432
00:24:30,400 --> 00:24:34,700
what are the tools or processes 
that I can put in place? 

433
00:24:34,900 --> 00:24:39,200
So one, you know, am I right 
in terms of where CIEM fits in, 

434
00:24:39,300 --> 00:24:41,800
and then from a preventive 
standpoint, 

435
00:24:41,800 --> 00:24:44,900
what's the best solution? 
Yeah, no, I think you're 

436
00:24:44,900 --> 00:24:47,500
absolutely right on CIEM, right?
That's really where CIEM 

437
00:24:47,500 --> 00:24:50,200
was born. 
It was about understanding, 

438
00:24:50,500 --> 00:24:53,300
right, 
the entitlements and the accounts,

439
00:24:53,300 --> 00:24:57,400
and really being able to not only
visualize, but better 

440
00:24:57,400 --> 00:24:59,500
understand and have some 
recommendations about how to 

441
00:24:59,500 --> 00:25:02,600
reduce that over-privilege and 
that risk. 

442
00:25:03,600 --> 00:25:07,500
I think DREAM really kind of 
brings the preventative side of 

443
00:25:07,500 --> 00:25:09,900
it. 
It's, you know, CIEM is 

444
00:25:09,900 --> 00:25:13,500
that first step. 
It's, I need to understand, right,

445
00:25:13,500 --> 00:25:16,600
and that's really important for 
these identity teams, right? 

446
00:25:16,600 --> 00:25:21,400
I need to understand what's out 
there so that I can move towards

447
00:25:21,400 --> 00:25:25,400
kind of that DREAM 
space of the dynamic resource 

448
00:25:25,400 --> 00:25:29,300
entitlement, the removal of 
these, you know, standing 

449
00:25:29,300 --> 00:25:33,900
accounts. As you said, the CIEM 
side, you know, is important to 

450
00:25:33,900 --> 00:25:37,900
understand what's out there, but
by the time I understand what's 

451
00:25:37,900 --> 00:25:41,200
out there and I've done my 
90-day, you know, assessment of 

452
00:25:41,200 --> 00:25:42,900
this, you know, privileged 
account, 

453
00:25:42,900 --> 00:25:46,000
as in, it hasn't been used, that's 90 days 
of potential risk. 

454
00:25:46,000 --> 00:25:50,400
Whereas DREAM says, okay, 
let's start actually moving to, 

455
00:25:50,400 --> 00:25:52,000
and it doesn't happen overnight,
right? 

456
00:25:52,000 --> 00:25:53,100
Nothing 
happens overnight. 

457
00:25:53,100 --> 00:25:56,800
But let's start moving to an 
idea where we're dynamically 

458
00:25:56,800 --> 00:26:01,800
provisioning access with a 
short-lived credential or 

459
00:26:02,100 --> 00:26:04,800
through privilege elevation. 
There's different ways to do it,

460
00:26:05,000 --> 00:26:09,300
but anytime we need to provide 
an identity access to a 

461
00:26:09,300 --> 00:26:11,700
resource, let's do it in a 
dynamic 

462
00:26:11,900 --> 00:26:14,800
and in a short-lived or an 
ephemeral fashion, because as you

463
00:26:14,800 --> 00:26:19,400
said, then your risk, you know, 
factor is dramatically reduced, 

464
00:26:19,600 --> 00:26:21,800
because you don't have these 
standing accounts. And 

465
00:26:21,800 --> 00:26:25,800
that's a pretty big challenge in
DevOps, right? Developers, what 

466
00:26:25,800 --> 00:26:28,600
they like to do, they like to 
develop, right? Well, it's part of 

467
00:26:28,600 --> 00:26:31,400
that, right? 
It's, you know, there's a lot of 

468
00:26:31,600 --> 00:26:35,200
these, and this is why CIEM is 
important, there's a lot of these 

469
00:26:35,200 --> 00:26:37,600
orphaned accounts out there. 
All right, we'll provision an 

470
00:26:37,600 --> 00:26:40,000
account, we'll run the job, 
we'll develop something. 

471
00:26:40,300 --> 00:26:43,600
Maybe even if it's in dev 
environments, you know, there's 

472
00:26:43,600 --> 00:26:45,600
still valuable data, there's 
still risk there 

473
00:26:45,600 --> 00:26:48,800
in those environments that are 
well managed. And so that's 

474
00:26:48,800 --> 00:26:51,700
where I think CIEM and DREAM 
kind of coming together gives 

475
00:26:51,700 --> 00:26:55,700
you both sides of it, right? 
And ultimately getting to that, 

476
00:26:56,200 --> 00:27:02,400
that idea of, you know, the 
dynamic provisioning of access 

477
00:27:02,400 --> 00:27:05,900
rather than the traditional, you
know, even when you talk 

478
00:27:05,900 --> 00:27:08,400
about the traditional just-in-time,
you know, a lot of times 

479
00:27:08,400 --> 00:27:12,500
it was, we're going to have 
an account that has standing 

480
00:27:12,500 --> 00:27:14,900
privileges. 
And when you need it, just in 

481
00:27:14,900 --> 00:27:17,300
time, you kind of check it out 
and you check it back in. 

482
00:27:17,400 --> 00:27:20,400
But in the end that account 
lived permanently and it was 

483
00:27:20,400 --> 00:27:24,000
provisioned permanently, right? 
DREAM is really about getting to 

484
00:27:24,000 --> 00:27:27,700
the point where either the 
account is dynamically 

485
00:27:27,700 --> 00:27:31,100
generated and expired, or the 
permission is dynamically, 

486
00:27:31,100 --> 00:27:34,900
you know, just-in-time 
elevated and then removed at the

487
00:27:34,900 --> 00:27:36,600
end. 
There's no standing privilege to

488
00:27:36,600 --> 00:27:40,800
compromise, you know, in the end.
And, you know, yeah. 

489
00:27:40,800 --> 00:27:44,000
I think the crux of the 
problem here is the 

490
00:27:44,000 --> 00:27:48,200
over-provisioned account. 
I think if you're in this 

491
00:27:48,200 --> 00:27:52,400
scenario where you've got a lot 
of over-provisioned accounts, 

492
00:27:52,500 --> 00:27:55,900
you're going to be looking at some kind of 
cleanup process that needs to 

493
00:27:55,900 --> 00:27:59,900
take place, but if you don't have
the evergreen processes in place 

494
00:28:00,200 --> 00:28:03,300
to prevent it from happening 
again, you're going to be in a 

495
00:28:03,300 --> 00:28:08,300
lifetime of cleanup mode. 
I think again, kind of when you 

496
00:28:08,300 --> 00:28:11,900
think about over-provisioning, 
the existing IAM tools should 

497
00:28:11,900 --> 00:28:16,000
be able to do a large part of, 
you know, for human beings, 

498
00:28:16,600 --> 00:28:20,300
preventing over-provisioning, 
right, to do the things necessary

499
00:28:20,300 --> 00:28:25,900
to stop rubber-stamping of 
access, to enable managers to 

500
00:28:25,900 --> 00:28:30,600
understand and remove access 
users no longer need. But it's 

501
00:28:30,600 --> 00:28:34,400
these machine identities that, 
when they get over-provisioned, 

502
00:28:34,400 --> 00:28:38,300
it's a new ballgame. 

503
00:28:38,500 --> 00:28:43,800
And I think, you know, I think 
the scenario where you're just 

504
00:28:43,800 --> 00:28:45,900
going out to the cloud 
now, you're lucky, you can get 

505
00:28:45,900 --> 00:28:49,000
in front of this and you can 
start to say to your developers,

506
00:28:49,000 --> 00:28:52,300
like, hey, let's set up a 
partnership to make 

507
00:28:52,500 --> 00:28:55,400
sure that we don't end up in the
state where we have 

508
00:28:55,400 --> 00:28:57,200
over-provisioned accounts all over the 
place. 

509
00:28:57,200 --> 00:29:00,100
Unfortunately, a lot of times 
projects spin up like, hey, we 

510
00:29:00,100 --> 00:29:03,300
have to move our entire data 
center to the cloud by the end 

511
00:29:03,300 --> 00:29:06,500
of the year. 
So it's lift-and-shift city and 

512
00:29:06,800 --> 00:29:11,200
GSD, just get the stuff done and
we'll clean it up later. 

513
00:29:11,200 --> 00:29:14,300
And that's where you end up with
so many over-provisioning 

514
00:29:14,300 --> 00:29:16,500
problems. 
But I want to get to this 

515
00:29:16,500 --> 00:29:21,700
question around, you know, it's 
really the developers that, you 

516
00:29:21,700 --> 00:29:25,300
know, in my view or my 
experience of working with my 

517
00:29:25,300 --> 00:29:29,500
clients who, you know, 
have gotten to the cloud and now have

518
00:29:29,500 --> 00:29:31,100
all these over-provisioned 
accounts. 

519
00:29:31,100 --> 00:29:36,100
It's primarily, you know, 
developers have driven the drive

520
00:29:36,100 --> 00:29:40,700
to the cloud and kind of left 
IAM behind a little bit. 

521
00:29:40,700 --> 00:29:44,300
So the IAM practitioners now are
saying, where do we fit in? 

522
00:29:44,500 --> 00:29:49,800
And so I'm almost wondering, 
like, one is, do you see the same

523
00:29:49,800 --> 00:29:54,000
phenomenon happening, and two, 
like, how does the 

524
00:29:54,000 --> 00:30:02,700
CISO now get his or her arms 
around this issue and, you 

525
00:30:02,700 --> 00:30:06,500
know, move to that 
partnership and not slow down 

526
00:30:06,500 --> 00:30:09,900
development, but get a more 
secure and compliant 

527
00:30:09,900 --> 00:30:12,100
environment? 
Yeah, it's a really good 

528
00:30:12,100 --> 00:30:14,700
question, and I think you're spot
on, right. 

529
00:30:14,700 --> 00:30:17,500
I mean, the cloud just kind of 
took off, and, you know, so you 

530
00:30:17,500 --> 00:30:21,900
mentioned the identity team, 
and it's not that the developers

531
00:30:21,900 --> 00:30:25,100
don't know of IAM and security. 
It was just, you know, I think 

532
00:30:25,100 --> 00:30:31,600
that the way the identity 
team was engaged with was, 

533
00:30:31,800 --> 00:30:35,600
you know, not until after the 
cloud had already been well 

534
00:30:35,600 --> 00:30:37,600
matured in most of these 
organizations. 

535
00:30:37,600 --> 00:30:42,100
And so I'm definitely seeing 
today that, you know, the 

536
00:30:42,100 --> 00:30:46,500
CISO's role is, you know, it's 
more of a partnership, at least 

537
00:30:46,500 --> 00:30:50,700
where I'm seeing successful 
implementations, you know, of 

538
00:30:50,700 --> 00:30:54,400
security and identity 
in cloud. It's approached much 

539
00:30:54,400 --> 00:30:59,000
more from a partnership with 
security and the DevOps team. 

540
00:30:59,600 --> 00:31:03,300
I do feel like, you know, I've been in
several situations where, you 

541
00:31:03,300 --> 00:31:07,600
know, the security team really 
loves, right, what, you know, the 

542
00:31:07,600 --> 00:31:12,200
idea of going to dynamic 
resource entitlements and 

543
00:31:12,200 --> 00:31:16,900
just-in-time, ephemeral credentials, 
but absolutely, right, to be 

544
00:31:16,900 --> 00:31:19,300
successful, 
you have to get that DevOps team

545
00:31:19,500 --> 00:31:24,100
engaged and onboard, right? 
That's kind of, I think, the idea 

546
00:31:24,600 --> 00:31:28,000
of, you know, security. I 
remember back when I first 

547
00:31:28,000 --> 00:31:31,000
started my career, I was just, 
you know, an internal architect,

548
00:31:31,000 --> 00:31:34,000
and it was like, you know, the 
security team, you'd go and 

549
00:31:34,000 --> 00:31:38,200
present your solution and, you 
know, hope and pray that that 

550
00:31:38,200 --> 00:31:41,500
security team would bless it, 
like they were the authority, 

551
00:31:41,600 --> 00:31:44,000
right? 
I think security, in my opinion,

552
00:31:44,000 --> 00:31:48,400
has changed, whereas, you know, 
security is first and 

553
00:31:48,400 --> 00:31:52,000
foremost, but it can't be at the
expense of productivity 

554
00:31:52,900 --> 00:31:57,100
of those developers. 
And so, you know, I do think that

555
00:31:58,000 --> 00:32:03,700
being able to, you know, partner
with the DevOps team, right? 

556
00:32:03,700 --> 00:32:09,200
I've even seen situations where 
the large organizations 

557
00:32:09,300 --> 00:32:13,600
have actually started to merge 
somebody from the DevOps team 

558
00:32:13,700 --> 00:32:16,600
into the identity team, right? 
Because it is a leap, it's a new

559
00:32:16,600 --> 00:32:21,500
concept, and to kind of, 
you know, accelerate the 

560
00:32:21,500 --> 00:32:25,000
learning and the adoption of 
identity practices in the cloud,

561
00:32:25,000 --> 00:32:28,000
they take actually a cloud, 
you know, SRE, 

562
00:32:28,100 --> 00:32:31,700
who knows how the cloud works, and 
actually brought them over to 

563
00:32:31,700 --> 00:32:34,400
the identity team. 
So I'm starting to see this kind

564
00:32:34,400 --> 00:32:39,500
of, you know, um, definitely 
collaboration and 

565
00:32:39,500 --> 00:32:43,500
partnership from security and 
identity with the DevOps team, 

566
00:32:43,900 --> 00:32:48,600
because if an identity or 
security team tries to go in and,

567
00:32:48,600 --> 00:32:52,300
I think, impose their will on the
DevOps teams these days, I've 

568
00:32:52,400 --> 00:32:54,300
seen it fail several times, 
right? 

569
00:32:54,300 --> 00:32:57,400
So I do think it's important to 
understand, as you said, the 

570
00:32:57,400 --> 00:33:02,100
business objectives, understand 
how those DevOps teams are 

571
00:33:02,100 --> 00:33:06,000
working, and ensure that what you
put in place either makes their 

572
00:33:06,000 --> 00:33:09,500
life easier, right? 
That's the best case, or at a 

573
00:33:09,500 --> 00:33:11,800
minimum 
doesn't complicate what they're 

574
00:33:11,800 --> 00:33:16,100
doing while improving security. 
Yeah, I think it's a, it's a 

575
00:33:16,108 --> 00:33:22,500
delicate balance. 
If you are now trying to, you 

576
00:33:22,500 --> 00:33:25,400
know, if you're the IAM 
practitioner, you haven't been 

577
00:33:25,700 --> 00:33:30,300
fully involved, or you're the CISO,
and really, you know, 

578
00:33:30,300 --> 00:33:34,600
this cloud infrastructure's 
kind of, like, taken off 

579
00:33:34,700 --> 00:33:38,300
without your oversight. 
What you don't want to do is 

580
00:33:38,300 --> 00:33:42,100
just try to go in 
heavy-handed and, like, say stop,

581
00:33:42,100 --> 00:33:44,200
right? 
I think the other thing is, like,

582
00:33:44,500 --> 00:33:47,100
what works in the enterprise for
human identities 

583
00:33:47,700 --> 00:33:51,300
might not be the right solution 
in the cloud, especially for 

584
00:33:51,300 --> 00:33:55,400
machine identities, right? 
So I think you have to take 

585
00:33:55,400 --> 00:33:59,800
a cautious approach to it. 
I don't think the only answer is

586
00:34:01,200 --> 00:34:03,800
that you just have policy and 
you just make sure that the 

587
00:34:03,800 --> 00:34:06,700
policy is being followed, 
even though I think that's 

588
00:34:06,900 --> 00:34:08,400
what you're trying to 
accomplish. 

589
00:34:08,500 --> 00:34:12,699
I think you can do more, but I 
think you have to proceed with 

590
00:34:12,699 --> 00:34:16,500
caution that you don't take 
processes that work 

591
00:34:16,500 --> 00:34:21,500
well for human provisioning, for
enterprise services that you 

592
00:34:21,500 --> 00:34:26,699
have control over in your 
traditional IT infrastructure, 

593
00:34:26,900 --> 00:34:30,000
and then heavy-handedly say, hey,
if you want a machine identity 

594
00:34:30,000 --> 00:34:33,000
or you want to create a role, 
open up a ServiceNow 

595
00:34:33,000 --> 00:34:35,400
ticket, 
and then five days later, maybe 

596
00:34:35,400 --> 00:34:38,300
you'll have it, or maybe 
somebody will pooh-pooh it. 

597
00:34:38,500 --> 00:34:42,300
Like, that is just going to the 
extreme other end and it's going

598
00:34:42,300 --> 00:34:46,900
to, you know, kill productivity.
So that's my feeling on 

599
00:34:46,900 --> 00:34:48,500
it, 
is that you've got to try to 

600
00:34:48,500 --> 00:34:53,000
find that right balance and wade
into the pool, especially if 

601
00:34:53,000 --> 00:34:56,400
your organization is a lot 
further along in the 

602
00:34:56,400 --> 00:35:00,100
cloud journey. 
Yeah, yeah, that's right. 

603
00:35:00,100 --> 00:35:03,600
And, you know, I think you 
touched on, like, earlier, 

604
00:35:03,600 --> 00:35:06,700
Terraform, right? 
Like, I think it's as important,

605
00:35:06,800 --> 00:35:10,500
as you're looking at solutions 
for kind of managing and 

606
00:35:10,500 --> 00:35:14,100
provisioning identity and access
in the cloud, it's as important 

607
00:35:14,100 --> 00:35:19,600
to ensure that the solutions 
you're going to propose or bring

608
00:35:19,600 --> 00:35:24,400
to the table really sit well 
with the kind of infrastructure 

609
00:35:24,400 --> 00:35:25,900
as code, 
right, automation. 

610
00:35:25,900 --> 00:35:30,600
You will find, you know, when 
you talk to DevOps engineers and,

611
00:35:31,000 --> 00:35:35,700
you know, you talk to, you know,
SREs, those guys don't want to 

612
00:35:35,700 --> 00:35:37,900
touch a console. 
Like, if you told them they have to go

613
00:35:37,900 --> 00:35:41,800
somewhere and log into, you know,
a web browser somewhere and 

614
00:35:41,800 --> 00:35:43,700
click a mouse, it's like 
kryptonite, right? 

615
00:35:43,700 --> 00:35:46,300
They love to automate, they love
to script. 

616
00:35:46,300 --> 00:35:51,000
So I think as you look at these 
tools, it's making sure, 

617
00:35:51,000 --> 00:35:55,300
even if, honestly, Jim, it is a
human user who wants to get 

618
00:35:55,300 --> 00:35:57,900
access to a resource in the 
cloud, right? 

619
00:35:57,900 --> 00:36:02,400
Making sure that even 
provisioning that access in an 

620
00:36:02,400 --> 00:36:07,900
ephemeral versus static sense, 
making sure it integrates well 

621
00:36:07,900 --> 00:36:10,400
with the tools they're using, 
whether that's Python or 

622
00:36:10,400 --> 00:36:16,500
Terraform or, you know, a CLI, 
AWS CLI, gcloud, shell, like, making

623
00:36:16,500 --> 00:36:20,600
sure that the way that they 
access those resources and 

624
00:36:20,600 --> 00:36:25,600
utilize the identity that you're
providing has to be very much, 

625
00:36:26,100 --> 00:36:29,300
you know, integrated with the 
tools they're using today from an

626
00:36:29,300 --> 00:36:32,800
automation standpoint. 
This concept of this ephemeral 

627
00:36:32,800 --> 00:36:35,300
identity, or at least 
permissioning it, 

628
00:36:35,600 --> 00:36:38,800
it sounds an awful lot 
like zero standing privileges, 

629
00:36:38,800 --> 00:36:41,200
which is what John Wharton, 
last time he was on the show, 

630
00:36:41,300 --> 00:36:44,400
kind of talked through. Is it the
same thing or is it an 

631
00:36:44,408 --> 00:36:46,800
evolution? 
I guess, you know what I'm 

632
00:36:46,800 --> 00:36:49,900
looking for, 
I guess part of my question is, 

633
00:36:50,200 --> 00:36:52,000
what are the solutions? 
Because we've talked an awful 

634
00:36:52,000 --> 00:36:54,400
lot about, 
here's all the problems, right? 

635
00:36:54,400 --> 00:36:58,400
So how do we fix it? 
I think the idea of having zero 

636
00:36:58,400 --> 00:37:00,500
standing privileges makes a lot 
of sense, but I would imagine 

637
00:37:00,500 --> 00:37:02,600
there needs to be technology 
backing 

638
00:37:02,600 --> 00:37:04,800
that to actually make 
that a reality. 

639
00:37:05,200 --> 00:37:09,000
Or is it just another script 
that runs and then 

640
00:37:09,000 --> 00:37:11,400
takes it away immediately 
after? You end up with, like, you

641
00:37:11,400 --> 00:37:13,700
know, a whole bunch of different
scripts doing very specific 

642
00:37:13,700 --> 00:37:16,600
tasks, which could probably be a
nightmare challenge, but I'm 

643
00:37:16,600 --> 00:37:20,100
wondering if that 
ephemeral linkage to zero standing

644
00:37:20,100 --> 00:37:22,600
privileges holds up, or is there
something else to it. 

645
00:37:23,500 --> 00:37:25,800
Yeah, I think it's a good question.
I think it's fundamental. 

646
00:37:25,800 --> 00:37:29,400
I mean, honestly, I think zero 
standing privileges is the goal and

647
00:37:29,400 --> 00:37:32,000
ephemeral credentials is the 
mechanism to get you there, 

648
00:37:32,000 --> 00:37:35,900
right? 
Having the ability to generate 

649
00:37:35,900 --> 00:37:39,000
an ephemeral credential, what 
does that mean, right? 

650
00:37:39,000 --> 00:37:43,000
It's, you know, a developer, you
know, needs access, whether it's 

651
00:37:43,000 --> 00:37:47,900
human or non-human, developer or
workload, needs access in Amazon,

652
00:37:48,800 --> 00:37:51,500
you know, to get to an S3 
bucket, let's say, to scrape some

653
00:37:51,500 --> 00:37:53,600
data, or to post some data, 
right? 

654
00:37:53,600 --> 00:37:59,200
Rather than having a credential 
that has static access, that is 

655
00:37:59,200 --> 00:38:04,100
long-lived, okay, that can be 
compromised, it's moving to 

656
00:38:04,300 --> 00:38:06,600
that zero standing privilege, 
saying, 

657
00:38:06,900 --> 00:38:10,300
we'll give you the mechanism, 
an ephemeral, role-generated 

658
00:38:10,300 --> 00:38:13,800
credential when needed, but in 
the end, right, 

659
00:38:13,800 --> 00:38:16,300
at the end of the time that 
you're done with a credential, 

660
00:38:16,300 --> 00:38:18,900
it's expired. 
So I look at it as they're 

661
00:38:18,900 --> 00:38:20,600
tied into each 
other, right? 

662
00:38:20,600 --> 00:38:24,400
Zero standing privileges is the goal,
that is the ultimate state 

663
00:38:24,400 --> 00:38:29,600
of, you know, not being able to,
you know, compromise standing 

664
00:38:29,600 --> 00:38:34,300
privileges, by tying that to 
the mechanism of a platform that

665
00:38:34,300 --> 00:38:36,600
can provide and generate 
ephemeral 

666
00:38:36,700 --> 00:38:39,200
credentials. Does that make sense?
Yeah, yeah, I think so. 

667
00:38:39,200 --> 00:38:41,300
And I think it leads me to 
the second part of my question, 

668
00:38:41,300 --> 00:38:44,300
which is, all right, so I'm sold,
right? 

669
00:38:44,300 --> 00:38:47,000
Let's go to zero standing 
privileges, but I've adopted a very

670
00:38:47,400 --> 00:38:51,500
automated, scripted 
environment, and I'm wondering, 

671
00:38:51,500 --> 00:38:54,300
what would that look like in 
real life, that sort of scenario 

672
00:38:54,300 --> 00:38:59,400
where your containers may rise and
fall based on scalable 

673
00:38:59,400 --> 00:39:02,200
workloads? 
Or, you know, whether it's just 

674
00:39:02,200 --> 00:39:04,700
in time provisioning or 
privileged access management, 

675
00:39:04,700 --> 00:39:06,100
like those, those sorts of 
things. 

676
00:39:06,500 --> 00:39:08,100
How do 
you see that sort of zero 

677
00:39:08,100 --> 00:39:12,200
standing privilege idea come to,
come to life? 

678
00:39:13,300 --> 00:39:16,600
Yeah, I mean, it's really 
integrating, right? 

679
00:39:16,600 --> 00:39:21,700
The, you know, as part of the 
pipeline, integrating the, you 

680
00:39:21,700 --> 00:39:24,500
know, the interaction with the 
platform, 

681
00:39:24,500 --> 00:39:26,200
in this case, what we started with
Britive, right? 

682
00:39:26,200 --> 00:39:30,200
It's about, right, integrating, 
almost, Britive into your 

683
00:39:30,200 --> 00:39:34,300
pipeline, you know, when I need 
access, when my job or my 

684
00:39:34,300 --> 00:39:36,800
workload needs access to a 
particular resource, especially 

685
00:39:36,900 --> 00:39:39,700
across multiple clouds, and 
that's really where it gets 

686
00:39:39,700 --> 00:39:42,000
difficult, right? 
And when you have to have a 

687
00:39:42,400 --> 00:39:46,100
solution that needs to reach 
into and access multiple cloud 

688
00:39:46,100 --> 00:39:49,500
service providers, you know, 
data-as-a-service providers like

689
00:39:49,500 --> 00:39:53,100
Snowflake, so on and so forth, 
right, what that means is, 

690
00:39:53,100 --> 00:39:57,800
instead of them having, you 
know, an access key in GCP 

691
00:39:57,800 --> 00:40:01,200
that gives me access to a 
particular project that gets 

692
00:40:01,200 --> 00:40:06,000
either hard-coded or, honestly, 
even, you know, even vaulted, 

693
00:40:06,200 --> 00:40:10,400
what you do is, instead 
of having the call to, you know,

694
00:40:10,500 --> 00:40:13,700
go to the vault to get it, you 
can actually make a call to a 

695
00:40:13,700 --> 00:40:15,900
solution like Britive to say, 
hey, you know what? 

696
00:40:15,900 --> 00:40:18,700
I'm running my job, right? 
You can use things like 

697
00:40:18,707 --> 00:40:22,000
OIDC or workload federated 
identity to connect to Britive, 

698
00:40:22,000 --> 00:40:24,300
and 
it says, hey, I need access to run

699
00:40:24,300 --> 00:40:26,200
this job. 
Give me this profile which gives

700
00:40:26,200 --> 00:40:29,900
me access to, you know, this 
project to do these things, 

701
00:40:29,900 --> 00:40:33,900
right? In that case, right, 
Britive will generate that 

702
00:40:33,900 --> 00:40:36,500
credential real-time, pass it 
back 

703
00:40:36,700 --> 00:40:38,600
through code to the 
workload. 

704
00:40:38,600 --> 00:40:40,600
And now it's along its merry 
way, right? 

705
00:40:40,600 --> 00:40:46,100
So it's really just enabling 
those DevOps teams and those 

706
00:40:46,100 --> 00:40:49,100
developers, whether again, 
they're doing it through their 

707
00:40:49,100 --> 00:40:53,200
own scripts as a human, or 
through their workloads, having a

708
00:40:53,207 --> 00:40:56,800
mechanism or a framework where 
they can, you know, get a 

709
00:40:56,800 --> 00:40:59,700
credential generated. 
And then, you know, we take care

710
00:40:59,700 --> 00:41:03,300
of, you know, essentially 
removing access when the job is 

711
00:41:03,300 --> 00:41:06,100
done, right? 
So there's no standing access at

712
00:41:06,100 --> 00:41:09,300
all. It seems like a very 
dynamic sort of shifting 

713
00:41:09,300 --> 00:41:12,200
environment. 
Certainly, an interesting 

714
00:41:12,200 --> 00:41:14,900
approach to kind of put in place
for managing that acts. 

715
00:41:14,900 --> 00:41:16,400
As I think it's I think it's a 
cool idea. 

716
00:41:16,400 --> 00:41:20,000
I'd love to see set of more 
organizations to take advantage 

717
00:41:20,000 --> 00:41:23,300
of that especially for some of 
those automation use cases where

718
00:41:23,700 --> 00:41:26,300
you can kind of set it and 
forget it and the Securities 

719
00:41:26,300 --> 00:41:27,600
built-in. 
It makes a lot of sense. 

720
00:41:27,600 --> 00:41:30,900
So I think it's I think it's 
certainly a good approach to 

721
00:41:30,900 --> 00:41:33,100
think about at least consider, 
if you're out there kind of 

722
00:41:33,100 --> 00:41:36,000
managing, especially multi-cloud
environments where you are 

723
00:41:36,000 --> 00:41:39,500
having to Translate between 
weight as your does, things gcp,

724
00:41:39,500 --> 00:41:44,400
does things AWS, you know, x, y 
z, whatever cloud is out there. 

725
00:41:44,700 --> 00:41:46,700
There there's, there's that 
translation layer. 

726
00:41:47,800 --> 00:41:50,100
I know that we are running short
on time and I want to make sure

727
00:41:50,100 --> 00:41:53,200
I'm respectful of that.
But it wouldn't be a show

728
00:41:53,200 --> 00:41:56,700
if we didn't get into something
silly towards the end, and you

729
00:41:56,700 --> 00:42:00,400
and I are Chicagoans, or at least
I am a former one since I have

730
00:42:00,400 --> 00:42:02,800
moved from there, but we were talking
a little before we recorded. I

731
00:42:02,808 --> 00:42:06,300
noticed that I actually lived in
the town next door to you

732
00:42:07,200 --> 00:42:09,000
for years.
And you know what?

733
00:42:09,000 --> 00:42:12,800
A small world it is.
But here's my

734
00:42:12,800 --> 00:42:15,600
challenge to you, J.
So Jim is the odd man out here,

735
00:42:15,600 --> 00:42:18,600
he is not familiar with the
Chicago area as you and I

736
00:42:18,600 --> 00:42:21,500
might be.
And what I want you to do is

737
00:42:22,100 --> 00:42:26,500
sell Jim and others who are
listening, not familiar with the

738
00:42:26,500 --> 00:42:32,000
draw of Portillo's.
Why is it just so popular

739
00:42:32,100 --> 00:42:34,700
for Chicagoans? And I think
we probably want to start with:

740
00:42:34,700 --> 00:42:36,500
What is Portillo's, for people
who aren't from the area,

741
00:42:36,600 --> 00:42:40,500
and why is it that it
was the first meal that I had

742
00:42:40,500 --> 00:42:44,400
when I flew back into Chicago
for meetings, after

743
00:42:44,400 --> 00:42:47,000
having been away from the
area for a couple months now?

744
00:42:47,500 --> 00:42:50,000
Yeah, well, that's a great
question and I am a huge

745
00:42:50,000 --> 00:42:53,700
Portillo's fan as you are.
I don't know, honestly, many

746
00:42:53,700 --> 00:42:57,300
people in the Chicago area or
many people that have visited

747
00:42:57,300 --> 00:42:59,300
the Chicago area
that I've introduced to Portillo's

748
00:42:59,300 --> 00:43:04,100
who are not big fans of
Portillo's, you know, and it's a

749
00:43:04,107 --> 00:43:07,200
really good question.
I mean, I think, you know, for

750
00:43:07,200 --> 00:43:09,200
Portillo's, a good way to put
it:

751
00:43:09,200 --> 00:43:13,100
it likely is the best, I won't,
I guess we could call it fast

752
00:43:13,100 --> 00:43:14,600
food.
It's got a kind of drive-

753
00:43:14,600 --> 00:43:19,500
thru, right, but it likely is
the best fast food around, at

754
00:43:19,500 --> 00:43:22,700
least in this area, and, you
know, it's just such an

755
00:43:22,700 --> 00:43:28,000
experience, you know,
anything from the Italian beef,

756
00:43:28,700 --> 00:43:32,500
you know, and I love the way
that you can get a

757
00:43:32,508 --> 00:43:35,600
choose-your-own-adventure there,
you know, you go in and you get

758
00:43:35,600 --> 00:43:38,600
your beef and they have
everything from a beef and

759
00:43:38,600 --> 00:43:41,000
cheddar on the croissant,
which is a treat every

760
00:43:41,000 --> 00:43:44,300
once in a while, to
their traditional

761
00:43:44,300 --> 00:43:46,100
Italian beef, but you can get
it,

762
00:43:46,200 --> 00:43:48,100
you know, I don't know if I can remember
the exact terms,

763
00:43:48,100 --> 00:43:52,500
I think it's like dipped, wet, and
something else, but it's like,

764
00:43:52,500 --> 00:43:54,600
do I want a splash of the au jus
on it?

765
00:43:54,600 --> 00:43:58,500
Do I want the entire sandwich
actually dipped in the au jus?

766
00:43:59,600 --> 00:44:05,300
And then, you know, so it's just
an amazing sandwich to begin

767
00:44:05,300 --> 00:44:07,300
with. That's what I recommend if
you're going to go there the

768
00:44:07,300 --> 00:44:09,400
first time. There's a lot of
other good stuff there too,

769
00:44:09,400 --> 00:44:13,400
burgers are great as well, by the
way, but then I think

770
00:44:13,400 --> 00:44:15,500
the thing that gets
everybody else, if you're a chocolate

771
00:44:15,500 --> 00:44:18,800
cake fan, their chocolate
cake is to die for.

772
00:44:18,800 --> 00:44:24,400
So I always make sure whenever I
bring, you know, my colleagues

773
00:44:24,400 --> 00:44:28,600
into town, or my family into
town, to make sure that they

774
00:44:28,600 --> 00:44:33,200
not only try the beef, right,
but also the chocolate

775
00:44:33,200 --> 00:44:36,500
cake, to the point, Jim, where you
can get a chocolate cake

776
00:44:36,600 --> 00:44:38,700
shake, right?
They actually take bits of that

777
00:44:38,700 --> 00:44:41,700
chocolate cake and blend
it into the shake.

778
00:44:41,700 --> 00:44:45,400
So, it's a really great
experience.

779
00:44:45,400 --> 00:44:49,500
And, you know, I
actually have had people where,

780
00:44:49,500 --> 00:44:51,900
you know, colleagues will come
in, we'll be doing meetings

781
00:44:51,900 --> 00:44:55,000
downtown Chicago, and it's like,
do you want to go to this nice

782
00:44:55,000 --> 00:44:58,200
steak house, or do I go to
Portillo's, and it's like, let's

783
00:44:58,200 --> 00:45:00,100
go to Portillo's, right?
Once they've tried it.

784
00:45:00,100 --> 00:45:04,100
So it's a lot of fun and
the last plug I'll make for

785
00:45:04,100 --> 00:45:08,300
Portillo's is their
drive-thru efficiency is the

786
00:45:08,300 --> 00:45:09,900
most amazing thing I've ever
seen.

787
00:45:10,800 --> 00:45:14,300
They will probably have 30, 40
cars in the drive-thru and, you

788
00:45:14,300 --> 00:45:16,800
know, normally you would be like
throwing your hands up and going

789
00:45:16,800 --> 00:45:20,200
somewhere else. They've got
about seven or eight people working

790
00:45:20,200 --> 00:45:22,700
that line and it's the most
efficient thing you've ever seen.

791
00:45:22,700 --> 00:45:25,200
You will get through that
line probably faster than a

792
00:45:25,207 --> 00:45:27,100
typical drive-thru that had six
people in it.

793
00:45:27,100 --> 00:45:31,300
So it's a really good experience.
Really great food. I started to

794
00:45:31,300 --> 00:45:33,000
see they've moved out of
Chicago.

795
00:45:33,000 --> 00:45:35,000
So they're going into Arizona,
kind of where a lot of the

796
00:45:35,000 --> 00:45:39,400
Chicago transplants are going.
Sadly, they're moving

797
00:45:39,400 --> 00:45:41,300
on.
But if you're here, you gotta

798
00:45:41,300 --> 00:45:42,200
try it.
And you're right,

799
00:45:42,200 --> 00:45:42,800
Jeff.
When

800
00:45:42,800 --> 00:45:44,600
people come back,
it's one of the first meals that they

801
00:45:44,600 --> 00:45:46,700
have.
So that chocolate cake is

802
00:45:46,700 --> 00:45:50,200
absolutely legendary,
absolutely, 100%.

803
00:45:50,800 --> 00:45:54,000
I've heard a rumor, and I don't know if
it's true or not,

804
00:45:54,000 --> 00:45:56,800
that really what makes it so
good is they use mayonnaise in

805
00:45:56,800 --> 00:45:58,700
it.
I've heard that that's some of the

806
00:45:58,700 --> 00:46:01,000
secret, I don't know if it is, just like
the Chicago folklore that you

807
00:46:01,000 --> 00:46:02,500
get into when we start talking
about it.

808
00:46:02,600 --> 00:46:05,600
Yeah.
I guess Portillo's is like, it's

809
00:46:05,600 --> 00:46:07,500
like fast
casual, I guess, but I guess

810
00:46:07,500 --> 00:46:10,300
it's described as like Chicago
street food: Italian beef

811
00:46:10,300 --> 00:46:13,900
sandwiches, hot dogs, hamburgers,
fries, onion rings, you know,

812
00:46:13,900 --> 00:46:17,200
cheese dip, all the healthy
things that you want in your

813
00:46:17,200 --> 00:46:20,700
life.
Jim, based on that description,

814
00:46:22,000 --> 00:46:23,800
what are we thinking?
And do you have something

815
00:46:23,800 --> 00:46:25,900
comparable?
And, well, you gotta, in your

816
00:46:25,900 --> 00:46:30,000
thinking, is this episode of the
Identity at the Center podcast

817
00:46:30,000 --> 00:46:32,500
brought to you by
Portillo's?

818
00:46:33,800 --> 00:46:36,400
And what came to my mind, first
off:

819
00:46:37,700 --> 00:46:41,000
audio-only podcast, but if you
could see the look on J's face

820
00:46:41,000 --> 00:46:44,800
when he's talking about Portillo's,
you would have to go there, like

821
00:46:44,800 --> 00:46:48,100
you would, you'd be sold. I'm
completely sold.

822
00:46:48,100 --> 00:46:53,400
I want that chocolate cake.
Yeah, I mean, it sounds great and

823
00:46:53,600 --> 00:46:56,700
I don't think we have anything
at that level in Augusta,

824
00:46:56,700 --> 00:47:01,000
Georgia, but what we do have is a lot
of good food here.

825
00:47:02,100 --> 00:47:05,000
I would say the best place
I've been for food is Las Vegas,

826
00:47:05,400 --> 00:47:09,100
but they have really good food.
In most cities you

827
00:47:09,100 --> 00:47:12,600
have really good food, but I
definitely will, next time

828
00:47:12,600 --> 00:47:15,600
I'm in Chicago,
I'm going to try

829
00:47:15,600 --> 00:47:18,600
Portillo's, no doubt.
And the other thing that made me

830
00:47:18,600 --> 00:47:21,300
think of was, remember that
Saturday Night Live skit where

831
00:47:21,300 --> 00:47:25,400
they're like Bears fans and they
would always be like, oh, heart

832
00:47:25,400 --> 00:47:26,700
attack.
Heart attack.

833
00:47:26,800 --> 00:47:30,500
Okay, I'm all better
now. That sounds

834
00:47:30,500 --> 00:47:31,400
about right.
For sure.

835
00:47:31,600 --> 00:47:34,300
I think, you know, having been
away now for a few months,

836
00:47:35,000 --> 00:47:39,200
Portillo's is so good and so
efficient and so consistent.

837
00:47:39,200 --> 00:47:41,700
Like you said, this
episode is not brought to you

838
00:47:41,700 --> 00:47:45,400
by Portillo's, but we're definitely
fans, at least J and I. You can

839
00:47:45,400 --> 00:47:47,500
actually get Portillo's shipped
to your house.

840
00:47:47,500 --> 00:47:51,800
So one of my brothers sent me an
Italian beef kind of kit that

841
00:47:51,800 --> 00:47:56,100
has like the Italian beef meat,
the fresh French rolls

842
00:47:56,200 --> 00:47:58,700
to make the sandwiches, the
au jus, all that kind of stuff,

843
00:47:59,700 --> 00:48:01,400
and you can also get the
chocolate cake shipped too,

844
00:48:01,500 --> 00:48:03,300
as well.
And I discovered in my

845
00:48:03,300 --> 00:48:06,000
investigations of, you know, how
can this be?

846
00:48:06,200 --> 00:48:11,100
They actually have a
Portillo's 365 subscription

847
00:48:11,100 --> 00:48:14,300
because here we are, 2022,
everything is a subscription,

848
00:48:14,300 --> 00:48:17,500
where basically every month you
get something shipped to you

849
00:48:17,500 --> 00:48:20,600
from Portillo's. It could be,
you know, it could be like a hot dog,

850
00:48:20,600 --> 00:48:24,000
hamburger kind of, you know, kit.
It could be the Italian beef.

851
00:48:24,300 --> 00:48:26,400
I mean, what a time to be alive,
right?

852
00:48:26,400 --> 00:48:28,500
Yeah, I'm getting subscriptioned
to death though.

853
00:48:28,500 --> 00:48:32,400
I mean, I just bought a truck
and it's like, they want 25 bucks

854
00:48:32,400 --> 00:48:36,100
a month for their app.
I'm like, you've got to be kidding

855
00:48:36,100 --> 00:48:39,200
me.
Software is eating the world and

856
00:48:39,900 --> 00:48:41,600
twenty-five dollars sounds like a
pretty good deal

857
00:48:41,600 --> 00:48:44,600
for some of the stuff.
Not that I use it.

858
00:48:45,200 --> 00:48:47,000
All right, let's go ahead and
start to wrap things up.

859
00:48:47,000 --> 00:48:49,300
J, you've been really great with your
time, but I'll give you kind of

860
00:48:49,300 --> 00:48:52,600
a final, let's just take a pass
around the room real quick here.

861
00:48:52,600 --> 00:48:54,500
You know, what are some final
thoughts that people should take

862
00:48:54,500 --> 00:48:58,500
away from our conversation about
identity and managing those in

863
00:48:58,500 --> 00:49:01,100
the cloud, and anything else you
want to pull away? Or should we

864
00:49:01,100 --> 00:49:03,300
just keep talking Portillo's?
That's fine too.

865
00:49:03,300 --> 00:49:05,300
You know, either way is good for
me.

866
00:49:05,300 --> 00:49:09,600
But now, well, yeah, I mean, you
know, I think first

867
00:49:09,600 --> 00:49:12,600
off, and you had a whole episode
on this with my colleague John,

868
00:49:12,600 --> 00:49:15,700
but, you know, it's okay to
accept identity in the cloud is

869
00:49:15,700 --> 00:49:18,100
different, right?
And that's good to

870
00:49:18,100 --> 00:49:23,500
recognize up front and, you
know, I think it's important to

871
00:49:23,500 --> 00:49:28,200
embrace that and, you know,
as an identity team, want to

872
00:49:28,200 --> 00:49:30,400
learn about that.
You know, I've seen multiple

873
00:49:30,400 --> 00:49:33,400
ways to achieve that, as I
mentioned, you know, I've seen

874
00:49:33,400 --> 00:49:37,700
groups kind of meld and, you
know, come together, and we're

875
00:49:37,800 --> 00:49:41,600
adding cloud expertise to an
identity team, you know, has

876
00:49:41,600 --> 00:49:44,800
helped.
But I think that, you know, if

877
00:49:44,800 --> 00:49:50,900
you want a successful project,
you know, from an identity

878
00:49:50,900 --> 00:49:55,100
team, being able to understand
and control and meet your goals

879
00:49:55,100 --> 00:49:59,000
of, you know, protecting
identity in the cloud, I do

880
00:49:59,000 --> 00:50:04,000
think going in and partnering
with that DevOps team, right,

881
00:50:04,000 --> 00:50:07,200
is really going to be a really
important part of that, right?

882
00:50:07,200 --> 00:50:11,200
And, you know, starting with,
you know, understanding a little

883
00:50:11,200 --> 00:50:14,000
bit of how they work and how to
meet their needs.

884
00:50:14,200 --> 00:50:17,000
And then again, looking at
both, we talked about it, the

885
00:50:17,000 --> 00:50:19,000
visibility side,
understanding.

886
00:50:19,300 --> 00:50:23,400
And then ultimately getting to a
point where, you know, you can

887
00:50:24,100 --> 00:50:28,900
implement those
ephemeral credentials,

888
00:50:28,900 --> 00:50:31,200
because that's the way the cloud
works in general, right?

889
00:50:31,600 --> 00:50:34,600
The cloud in and of itself is ephemeral, so
kind of understanding those

890
00:50:34,600 --> 00:50:38,800
concepts and really going in
with a goal of

891
00:50:38,800 --> 00:50:40,200
learning and understanding
first.

892
00:50:40,200 --> 00:50:43,600
I think it's going to get you to
the end and, you know, get your

893
00:50:43,600 --> 00:50:46,000
program implemented much more
successfully.

894
00:50:47,200 --> 00:50:49,400
It's okay to get smarter, and I'm
glad you were here to kind of

895
00:50:49,408 --> 00:50:52,200
help educate myself and
hopefully others.

896
00:50:52,800 --> 00:50:54,500
Jim, final thoughts for this
week?

897
00:50:54,800 --> 00:50:58,700
Yeah, I hope it didn't come off
as negative on the CIEM space. I think

898
00:50:58,700 --> 00:51:04,400
what CIEM does in terms of the
control and the analysis of your

899
00:51:04,400 --> 00:51:06,800
accounts'
entitlements is very important

900
00:51:06,800 --> 00:51:09,800
on the detective side of it.
What I was trying to point out

901
00:51:09,800 --> 00:51:11,700
was it's not the whole picture,
right?

902
00:51:11,700 --> 00:51:14,900
There's the preventative side,
which I got into as well.

903
00:51:15,200 --> 00:51:19,000
And I also wanted to point out
kind of one of my life mottos

904
00:51:19,000 --> 00:51:22,400
is, don't let perfection be the
enemy of better.

905
00:51:22,800 --> 00:51:26,600
So, you know, I work with a lot
of clients where they have a lot

906
00:51:26,600 --> 00:51:28,800
of over-provisioned accounts
already.

907
00:51:29,000 --> 00:51:32,600
If you can start to eliminate a
couple of those over-provisioned

908
00:51:32,600 --> 00:51:37,600
accounts or get them right-sized,
you reduce your attack surface,

909
00:51:37,800 --> 00:51:41,400
and that's important.
And it only takes the one

910
00:51:41,400 --> 00:51:43,500
account
that's over-provisioned to cause

911
00:51:43,500 --> 00:51:45,900
the problem.
So, if you can eliminate a bunch

912
00:51:45,900 --> 00:51:49,400
of them by doing a cleanup
project, assisted by a CIEM

913
00:51:49,400 --> 00:51:54,100
platform, then you're better.
And, you know, I think that's

914
00:51:54,100 --> 00:51:57,700
the game in cybersecurity,
right?

915
00:51:57,700 --> 00:52:01,400
There is no perfect, you're
never going to be bulletproof.

916
00:52:01,500 --> 00:52:05,100
In other words, you're
never going to be 100%

917
00:52:05,100 --> 00:52:07,700
risk-free.
So it's about managing the risk

918
00:52:07,700 --> 00:52:11,600
and about reducing the risk.
So if you can go and do a

919
00:52:11,600 --> 00:52:14,600
cleanup of over-provisioned
accounts, I highly recommend

920
00:52:14,600 --> 00:52:16,300
doing that.
That's pretty good.

921
00:52:16,300 --> 00:52:18,300
Pretty good tips there.
It's a journey,

922
00:52:18,300 --> 00:52:21,400
right, security, and it's
never-ending. You've got to get

923
00:52:21,400 --> 00:52:23,100
it right
every time. People who are

924
00:52:23,100 --> 00:52:25,300
looking to do bad things only
have to get it right once.

925
00:52:25,600 --> 00:52:30,100
So trying to put in as many layers
of, you know, thoughtful risk

926
00:52:30,100 --> 00:52:31,300
mitigation is probably the
way to

927
00:52:31,500 --> 00:52:33,300
go about it.
But all right, let's go ahead

928
00:52:33,300 --> 00:52:34,700
and leave it there for this
week.

929
00:52:34,900 --> 00:52:36,800
I'll have links in our show
notes where you can connect with

930
00:52:36,800 --> 00:52:41,100
J, Jim, myself, if you've got
questions, concerns, you

931
00:52:41,100 --> 00:52:42,900
know, looking to get more
information, opportunities,

932
00:52:42,900 --> 00:52:44,300
whatever it might be.
Right?

933
00:52:44,300 --> 00:52:46,000
I'm sure the three of us will be
happy to talk.

934
00:52:46,000 --> 00:52:48,000
Well, maybe not Jim so much; at
this point he'll point you towards me,

935
00:52:48,000 --> 00:52:50,700
but we'll also have a link to

936
00:52:50,700 --> 00:52:56,000
Britive, britive.com, so people
can check out what those guys

937
00:52:56,000 --> 00:52:58,200
are doing, and thanks to you for
being part of the show. We're on

938
00:52:58,200 --> 00:53:02,100
the website, or on the website,
our website is identityat

939
00:53:02,100 --> 00:53:04,700
thecenter.com, so you can find
out more information about us,

940
00:53:04,900 --> 00:53:07,600
including our snazzy
new listen page that has joined

941
00:53:07,700 --> 00:53:11,800
the year 2000 and now has all of
our episodes and show notes

942
00:53:11,800 --> 00:53:14,400
and links and stuff like that.
And then we're on Twitter at

943
00:53:14,400 --> 00:53:17,500
@idacpodcast.
So with that, we'll go ahead and

944
00:53:17,500 --> 00:53:20,000
leave it for this week.
Thanks, everyone, for listening,

945
00:53:20,200 --> 00:53:22,000
and we'll talk with everyone in
the next one.

946
00:53:25,100 --> 00:53:28,000
Thanks for listening to the
Identity at the Center podcast.

947
00:53:28,000 --> 00:53:30,400
If you like what you heard,
don't forget to subscribe and

948
00:53:30,400 --> 00:53:33,100
visit us on the web:
identityatthecenter.com.

