
#172 - IAM in the Cloud with Jay Klauser

Sep 26, 2022, 54 min, Ep. 172

Episode description

Jim and Jeff talk with Jay Klauser, Head of Global Sales Engineering and Tech Alliances with Britive, about how IAM in the cloud is different and how frameworks like CIEM (Cloud Infrastructure Entitlement Management) and DREAM (Dynamic Resource Entitlement and Access Management) are helping the IAM industry and practitioners get their arms around identity security for the public cloud.

Connect with Jay on LinkedIn: https://www.linkedin.com/in/jay-klauser-0666353/

Learn more about Britive: https://www.britive.com/

Authenticate 2022: https://authenticatecon.com/event/authenticate-2022-conference/

Oktane 2022: https://www.okta.com/oktane22/

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show at www.IdentityAtTheCenter.com, follow @IDACPodcast on Twitter, and check out our live streams at www.idac.live

Transcript

You're listening to the Identity at the Center podcast, the show that talks about identity and access management and making sure you know who has access to what. Let's get started.

Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jeff, how are you? Not bad, yourself? Good. Hey, I'm wondering, have you ever heard of a show called Game of Thrones? Now, what's it all about? Oh, it's really wild.

Anyway, there's this one episode where there's a scene with, I think she's the queen, Cersei. Yeah. And she has to walk through the crowd and everybody's yelling, "Shame, shame." I don't know exactly. It's burned into my consciousness, right?

So anyway, I had a meeting yesterday with Mike Engle from 1Kosmos, and he had the idea of who should have the authentication Wall of Shame. And, you know, the Identity at the Center podcast, and certainly 1Kosmos, is not about throwing people under the bus, but we were going through some of his great examples that would go on the Wall of Shame. And let's just say one was a top airline, and we talked about this on one of the previous episodes, right? Like, their multi-factor authentication is "What is your dog's name?" Yeah, yeah, stuff like that. That's not good. That is not up to modern standards.

Yeah, I love to use this opportunity to call out United every time I can, because as a former United flyer, now that I've moved to North Carolina that is not really a viable option for me. I always have detested the way that they do their multi-factor, because it's always just knowledge-based, and they have favorites, and that list of favorites changes. Stop using favorites. If you have to default back to knowledge-based authentication, please don't use favorites, because they're just terrible questions.

And I think, to add insult to injury, I think the password policy is now like a 16-character password, which is probably appropriate for an enterprise, but for a consumer site that's really painful. Yeah. I mean, I get why, right? I am for stronger passwords, but all that means is that it's going to be a longer password, and probably more numbers at the end to sort of differentiate.

Yeah, it's funny you bring that up. Because I've actually had a couple of people reach out to me this week, colleagues, asking about the guidance for password changes, and NIST put out guidance, I want to say in 2017, as part of 800-63B, to stop changing passwords randomly. So, like, "Oh, we change our passwords every 90 days, and they have to be a minimum of eight characters, three of four complexity," and all of that.

It is. But something must be going on. There must be some sort of assessments being done for some of our clients, and three different people reached out to me saying, "Hey, what do you think about changing passwords?" And I will publicly say my answer here: I think it's stupid. I don't think it adds any value. The only reason, and I agree with NIST and Microsoft on this, the only time you change passwords is when you know that there has been a compromise of that individual password. Having people change it every 60 days, 90 days, a year, whatever it is, just because, doesn't make any sense. It's terrible for the user experience.

And my sort of recommendation for IAM practitioners is, don't try to roll your own IAM password policy. In other words, like, "Oh, we're going to do 16 characters, but we're still going to make people change their password every 90 days, and we're going to require all this different stuff, but we're not going to do the dictionary checks, because we don't have the technology in place." That's roll your own. So if you get compromised, you can't point back and say we followed the best practice, and I think you really need to be able to point back and say, this is the practice we followed, which was the NIST guideline.

Well, fortunately, though, right, this is the year the password dies again, so, you know, this is like take 12, I think, of the password. But maybe we're getting closer. We'll see. Password discussion fatigue.

Hey, the other thing I wanted to mention: so a good friend of ours, Arturo Cordoba, who was the IAM lead when we did a project way in the past. Anyway, he moved to the United States, and Arturo and I are meeting up this weekend. I haven't seen him in a few years. He grew up in Mexico, and the only American station that he had was TBS, so he became a huge Atlanta Braves fan back when they stunk really bad.

Well, they're really good now, and he lives in North Carolina, and he's coming to visit me, and then we're going to go to an Atlanta Braves game tomorrow. So shout out to Arturo. I know he still listens to the show, and I'm looking forward to this weekend. Yeah, Arturo is good people, really smart. Yes, that'll be a lot of fun. It's always cool. Like, you kind of peel back the curtain, right? We do identity consulting during the day, but every once in a while, right, you'll just hit it off with a client and, you know, you become friends rather than just a client relationship. And in those terms, Arturo definitely fits into that category. So very happy for him, even if you are going to go see a baseball game. Well, hey, that's what Arturo and I like to do. Yeah.

That's totally cool. We've got some other things that are going on. We've got the Authenticate conference coming up. You and I will be there, maybe doing some podcasting, we're hoping. We're working with our friends over at FIDO to help us get that set up. We've also got Oktane in November, so we'll be in San Francisco for that. Still figuring out how that might potentially work, but the idea is to maybe record some episodes. So if you're listening and you'll be at either of those events, you know, definitely hit us up on LinkedIn. We'd love to fist bump or say hello, or even maybe sit down and have an identity conversation of some sort. Put it in the books, so to speak. Yeah, absolutely.

I mean, it is always great, especially if people listen to the podcast and kind of have some thoughts or some recommendations; we'd love to hear them, or, like you said, just meet in person. Yeah, I can't say that we will act on the recommendation, or maybe we may disagree, but we're happy to take it under advisement and make adjustments as needed.

Should we get to our main topic today? Because I think we wanted to talk through identity and access management for the cloud. And why don't we go ahead and introduce our guest? His name is Jay Klauser. He's the Head of Global Sales Engineering and Tech Alliances with Britive. Welcome to the show, Jay. Jeff, Jim, thank you so much. Appreciate you having me on today. Yeah, thanks so much for joining us, and this topic that we're going to get into, identity for the cloud, is something that we've hit on a few times in the past.

So I'm excited to go through this conversation with you as one of the experts in this area. But before we get to that, we always like to find out the origin story for the IAM heroes of the world that are out there doing the work day in, day out. How did you get into identity and access management? Is it something that you chose, or did it choose you?

Yeah, that's a good question. I mean, to be honest, I kind of chose identity and access management. You know, my kind of expertise and history really started on more of the endpoint security side, right? Understanding the risk there, and then kind of moving more into the zero trust network access space, right? And so, you know, I really was interested in getting into both identity and cloud. I really felt like, as I looked at a new skill and a new area to grow my expertise, moving into both of those is really the future, right? Because zero trust network access is at the foundation of the zero trust movement, but I feel like the goal line is moving a little bit. The managed network is becoming less and less prevalent, and really cloud and identity is where zero trust is going to be implemented in the future. And so I found Britive because it kind of met both of those needs, right?

It was really looking at cloud native, cloud forward technologies, as well as providing a new way of managing identity in the cloud, right, in really looking at separating out that authentication and authorization, which I kind of find akin to a zero trust framework, right? You kind of think of the data plane and the control plane, and I think of authentication as the data plane and kind of Britive, or authorization, as the control plane.

So yeah, I chose it, actually, and I'm excited to be in the space. So you mentioned Britive. We had John Morton on, oh, about a year ago or so. It would have been episode 115, October 21, 2021, when we had that conversation. But for those who aren't familiar with Britive, what does Britive do? Yeah, thanks. You know, so, yep, John's a great colleague of mine. I love working with him. He's now our Field CTO.

So we're continuing to grow. And really what Britive does is, you know, we provide a unified privileged access management, or really just access management, platform for the broader cloud. So that is the ability, through visibility, to understand the identity landscape across cloud solutions: who has access to what, what are the identities and the entitlements out there, and, more importantly, which of those identities have standing privileges or standing access, because that's really where the risk lies. And so, in the end, what we really enable customers to do is implement a just-in-time ephemeral access model across a broad set of cloud services, right? Reducing that standing access, and really with a goal of getting to zero standing access where possible. And then also, obviously, like we'll touch on some of the things today, just really embracing and adapting to fit in with the way the cloud works from an automation standpoint. That has really been key to that. But in the end, it's really about meeting business needs while also improving security through just-in-time ephemeral access across those cloud services.

So, we have this concept of IAM in the cloud that we're going to get through, and we've touched on topics like CIEM, Cloud Infrastructure Entitlement Management, and DREAM, which is Dynamic Resource Entitlement and Access Management.

We talked with Gal Diskin from Authomize back on episode number 98 about the CIEM topic. We talked with Paul Fisher from KuppingerCole on episode 136, so that was in March earlier this year, 2022. So we've got CIEM, we've got DREAM. I guess just to kind of help level set, why is managing identity in the cloud different compared to maybe, you know, on-premise or application... yeah, on-premise type environments?

Yeah, good question. I mean, I think it starts with just how things operate in the cloud, right? Fundamentally, the cloud was kind of born out of DevOps and DevSecOps. And I think when you look at the cloud, it's very fluid, right, in and of itself. A lot of cloud services are ephemeral, meaning that services are spun up and they're short-lived.

And so, along with that, the different cloud providers have built out their own identity and access management mechanisms, or constructs, whatever you want to say. And that's why it's so difficult, I think, to try to translate the on-prem concepts and some of the on-prem tooling to adapt to the cloud. Because, again, in the cloud, the resources are short-lived, so the identities that go along with those are also short-lived. And then, more and more, as I mentioned, how AWS works with things like role assumption and permission boundaries is fundamentally different from how GCP works, or how Azure works with managed identities.

And so it's been really, I think, a challenge to adapt kind of traditional thinking about who has access to what on-prem to who has access to what in the cloud. Many with the as-code mindset and framework, now it's what has access to what, right? I mean, it's not only humans. We get that very much, if not more, of the identities that exist are now moving to workloads and to machine identities. And so I think it's just a new concept, and it's difficult to have a single expert who understands how these different IAM controls and capabilities work across the different cloud services, whether that's infrastructure as a service with GCP, Azure, and AWS, or even kind of these new cloud services that are being built into applications, things like Snowflake and data as a service, software as a service, ServiceNow, Okta, so on and so forth. So it's just different, right? And it takes a lot of time to understand that.

Yeah, that was the episode we did with John. We called it, we said, "The Cloud Is Different," right? So that was the title of that episode. But I'd like to take us kind of back to basics and start at the very foundational level. So if I'm a CISO at an organization that has either adopted the cloud or is in the process of adopting the cloud,

I'm looking at this cloud infrastructure as an extension of my IT environment, and over time I've made investments in other IAM technology. So access manager, you know, our single sign-on and IGA tool, our privileged access management tool. Why can't I use those tools to manage the cloud infrastructure just like I did my on-premise infrastructure? Or maybe a better question to ask is, how far can those tools take me, and where can they not get me?

Yeah, really good questions. I mean, I think it starts with what we just touched on. It's fundamentally different. And so understanding and having tooling that fits in with the way that the cloud works, I think, is important to that, right?

So it doesn't mean that, let's abandon any of those tools. Many companies have put in very comprehensive IGA programs and solutions. It's really about making sure whatever you choose integrates with those solutions, right, and extends those solutions. And I think that's a big piece. If you kind of look at cloud and why it's different, you talk about that integration network; everything is very much API native, it's very extensible, it's very easy. So I don't think that, as an IAM team looks at getting their hands around the cloud, it's "Let's abandon what we've done." It's "Let's look for opportunities to find tooling or solutions that can enable us to meet the needs of that development team, right, without interrupting their productivity." Because I think what I've seen is that, in many ways, the cloud just kind of took off, right? Developers were doing their own thing, and the unfortunate reality is sometimes the identity and access management team wasn't really plugged into what was happening there. And so they built out this very comprehensive and very automated workflow and pipeline. And like you're saying now, Jim, now all of a sudden the identity team is being charged with making sure it's properly managed. And so that, I think, is the balance and the challenge. It's, how can we integrate our current identity ecosystem, whether that's authentication or IdP or IGA, maybe our current PAM for certain things, but how can we keep that while adding on the proper solutions to meet the needs of those developers and meet the needs of the business, ultimately, right?

Because if we implement something that interrupts what's happening on that DevOps pipeline that's delivering revenue generation, that's going to be a challenge, right? So it's about looking at and extending, I think, the current identity and access management programs, and integrating any solution that you have to meet the needs of those developers. Yeah.

That makes a lot of sense to me. I mean, when I think about the cloud infrastructure, I think, okay, the scope is also different. Especially, I mean, if you kind of look at the cloud and say we're going to lift and shift what we have, we're not going to step into the future, we're just going to host it in AWS or in Azure or Google Cloud, we're not going to change the applications, we're going to keep all the same tiers in place, then probably you can get more out of your traditional IAM tools, because they don't have to do that. However, if you're moving to a more modern architecture using containers, if you're using that pipeline you talked about, or infrastructure as code, you start introducing a much greater need for what you talked about earlier, which is the machine identities.

I think that the IAM tools that we have today do a really good job at managing the human identities. It's these machine identities and platforms. With the human identity, we're looking at an authoritative source, like who is the human being, the carbon-based life form, as some people like to say, that we're trying to manage their access. Whereas these machine accounts are being spun up by application platforms, like a Terraform or something that is just creating the account that it needs while it spins up the infrastructure, and when it destroys the infrastructure, the idea is that it would destroy the account. That's completely foreign to what we had ten years ago, or how we managed it in the past, traditionally speaking. So let me turn this into a question, because I think this human versus machine identity is really the biggest crux of the issue. Maybe even just start with, what is a machine identity?

How do you define a machine identity, and then add any flavor to anything I just said? Yeah, it's a good question. I don't know that anybody has the uber, right, definition of a machine identity. I do think it's a little bit... different terms are used, right? You have the RPAs, for robotic processes, you have workloads, you have containers, you have scripts, right?

And so, if you have all these different names, I mean, I look at a machine identity as, you know, any one of those. And actually, we were all at Gartner IAM, and I think I'm going to do a shout-out back to that. It was in one of the sessions about machine identities, and it was kind of like anything that is basically a workload, is code, is really non-human and not a device. So it's kind of like they bucketed machine identities into two kinds of machine identities: devices, right, that's like my phone, my VM, and those are pretty well defined; but then I think the flip side of that are all of the programmatic processes, right, the workloads, the pipelines, the robotic processes, all of that. And it's really, like you said, it's a process that gets run programmatically, and it doesn't necessarily have a human on the other side executing it, right? And I think there's fundamentally different challenges from the identity side around that. Like, with humans, the pattern of usage is much less predictable, because we're humans, we're doing different things, right? The important thing when you talk about identity and managing these machine identities is much more around the observability, right? What is it doing? Is it doing something different? Because it's a machine, it should be doing the same thing for the most part. It's understanding that as an important factor in securing that identity, much more than, you know, having that extra MFA or whatever, right? It's an interesting space.

And then, kind of back to what we talked about, I think the ultimate goal is really to get machine identities to start using ephemeral credentials, things like OIDC instead of a token, or generation of a session token, an STS token, when they need to connect. Because, ultimately, any time you have standing access keys on these machine identities, it's a massive risk, because again, it's not associated with a human. It's hard to find the owner of that machine identity sometimes. So I think those are some of the... there's probably much more, Jim, than what you asked about, how do I define it, but I think that's kind of how I define it, and also why it's a fundamentally different way of thinking about them, and why it's posing a challenge for the traditional IAM teams who are now being charged with managing and controlling these identities, you know?

It's just a new concept to learn about and understand. Jay, when I was talking, when I kind of introduced the idea, I was talking about the CISO perspective that, hey, the cloud is really just an extension of my IT environment. In other words, or another way to look at it is, I've got certain business objectives to achieve. I need to do this compliant; I have to be compliant, I have to be secure, not only in my internal data center but also my cloud data center, or my cloud infrastructure, whatever you want to call it. Sometimes people correct me when I call it a cloud data center, it's so different, but my business objective is kind of the same. And then when I put on my controls hat, I think about detective controls and preventive controls.

I kind of feel like this CIEM technology really helps us on the detective side, identifying accounts that are over-provisioned, roles that are not being used, things like that, accounts that are not being used, that potentially we can go out there and just axe that access, right? But that's happening months after; it's kind of like the account's been sitting there in an over-provisioned state. And the issue with that, from, again, the CISO hat, trying to make my environment more secure, which my business objective is, no, I've got an expanded attack surface. All right, so what can I do preventatively to make sure I don't have over-provisioned accounts in the first place, or what are the tools or processes that I can put in place? So one, am I right in terms of where CIEM fits in? And then from a preventive standpoint, what's the best solution?

Yeah, no, I think you're absolutely right on CIEM, right? That's really where CIEM was born. It was about understanding, right, the entitlements and the accounts, and really being able to not only visualize but better understand and have some recommendations about how to reduce that over-privilege and that risk. I think DREAM really kind of brings the preventative side of it. So CIEM is that first step. It's, I need to understand, right, and that's really important for these identity teams. I need to understand what's out there so that I can move towards kind of that DREAM space of the dynamic resource entitlement, the removal of these standing accounts. As you said, the CIEM side is important to understand what's out there, but by the time I understand what's out there and I've done my 90-day assessment of this privileged account that's been used, that's 90 days of potential risk. Whereas DREAM says, okay, let's start actually moving to... and it doesn't happen overnight, right?

Nothing happens overnight. But let's start moving to an idea where we're dynamically provisioning access, whether it's with a short-lived credential or through privilege elevation. There are different ways to do it, but any time we need to provide an identity access to a resource, let's do it in a dynamic and in a short-lived or an ephemeral fashion. Because, as you said, then your risk factor is dramatically reduced, because you don't have these standing accounts. And that's a pretty big challenge in DevOps, right? Developers, what do they like to do? They like to develop, right? Well, it's part of that. There's a lot of these, and this is why CIEM is important, a lot of these orphaned accounts out there. All right, we'll provision an account, we'll run the job, we'll develop something. Maybe even if it's in a dev environment, there's still valuable data, there's still risk there in those environments that are well managed. And so that's where I think CIEM and DREAM kind of coming together gives you both sides of it, right?

And ultimately getting to that idea of the dynamic provisioning of access rather than the traditional. Even when you talk about the traditional just-in-time, a lot of times it was, we're going to create an account that has standing privileges, and when you need it, just in time, you kind of check it out and you check it back in. But in the end, that account lived permanently and it was provisioned permanently, right? DREAM is really about getting to the point where either the account is dynamically generated and expired, or the permission is dynamic, is just-in-time elevated and then removed at the end. There's no standing privilege to compromise in the end.

Yeah, I think the crux of the problem here is the over-provisioned account. I think if you're in this scenario where you've got a lot of over-provisioned accounts, you should be looking at some kind of cleanup process that needs to take place. But if you don't have the evergreen processes in place to prevent it from happening again, you're going to be in a lifetime of cleanup mode. I think, again, when you think about over-provisioning, the existing IAM tools should be able to do a large part of, for human beings, preventing over-provisioning, right? To do the things necessary to stop rubber-stamping of access, to enable managers to understand and remove access that users no longer need. But it's these machine identities that, when they get over-provisioned, it's a new ballgame. And I think the scenario where you're just going out to the cloud now, you're lucky: you can get in front of this, and you can start to say to your developers, like, hey, let's set up a partnership to make sure that we don't end up in the state where we have over-provisioned accounts all over the place. Unfortunately, a lot of times projects spin up like, hey, we have to move our entire data center to the cloud by the end of the year. So it's lift-and-shift city and GSD, just get the stuff done, and we'll clean it up later.

And that's where you end up with so many over-provisioning problems. But I want to get to this question around, you know, it's really the developers that, in my view or my experience of working with my clients who have gotten to the cloud and now have all these over-provisioned accounts, it's primarily developers that have driven the drive to the cloud and kind of left IAM behind a little bit. So the IAM practitioners are now saying, where do we fit in? And so I'm almost wondering, like, one is, do you see the same phenomenon happening? And two, like, how does the CISO now get his or her arms around this issue and create, move to that partnership, and not slow down development, but get a more secure and compliant environment?

Yeah, it's a really good question, and I think you're spot on, right. I mean, the cloud just kind of took off, and you mentioned the identity team, and it's not that the developers don't care about identity or security. It was just, I think, that the way the identity team was engaged was not until after the cloud had already been well matured in most of these organizations. And so I'm definitely seeing today that the CISO's role is more of a partnership, at least where I'm seeing successful implementations of security and identity in cloud. It's approached much more from a partnership with security and the DevOps team. I do feel like, you know, I've been in several situations where the security team really loves, right, the idea of going to dynamic resource entitlements and just-in-time ephemeral credentials, but to be successful, you absolutely have to get that DevOps team engaged and on board, right?

That kind of, I think, the idea of security... I remember back when I first started my career, I was just an internal architect, and it was like, the security team, you'd go and present your solution and hope and pray that that security team would bless it, like they were the authority, right? I think security, in my opinion, has changed, whereas security is front, first and foremost, but it can't be at the expense of the productivity of those developers. And so I do think that being able to partner with the DevOps team, right, I've even seen situations where the large organizations have actually started to merge somebody from the DevOps team into the identity team, right? Because it is a leap, it's a new concept, and to kind of accelerate the learning and the adoption of identity practices in the cloud, they take, actually, a cloud... sorry, someone who knows how the cloud works, and naturally brought them over to the identity team. So I'm starting to see this kind of collaboration and partnership from security and identity with the DevOps team, because if an identity or security team tries to go in and, I think, impose their will on the DevOps teams these days, I've seen it fail several times, right?

So I do think it's important to understand, as you said, the business objectives understand how those Dev Ops teams are working and ensure that what you put in place either makes our life easier, right? That's the best case or at a minimum. Does it complicate what they're doing while improving security? Yeah, I think it's a, it's a delicate balance. If you are now trying to, you know, if you're the, I am practitioner, you haven't been

fully involved or you're the CISO, do you really, you know, this cloud infrastructure's kind of, like, taken off without your oversight. What you don't want to do is just try to go in heavy-handed and, like, say stop, right? I think the other thing is, like, what works in the enterprise for human identities might not be the right solution in the cloud, especially for machine identities, right? So I think you have to take

a cautious approach to it. I don't think the only answer is that you just have policy and you just make sure that the policy is being followed. Even though I think that's what you're trying to accomplish, I think you can do more, but I think you have to proceed with caution that you don't take processes that work

well for human provisioning for enterprise services that you have control over in your traditional IT infrastructure and then heavy-handedly say, hey, if you want a machine identity or you want to create a role, open up a ServiceNow ticket, and then five days later maybe you'll have it or maybe somebody will pooh-pooh it. Like, that is just going to the extreme other end and it's going

to, you know, kill productivity. So that's my feeling on it, is that you've got to try to find that right balance and wade into the pool, especially if your organization is a lot further along in their cloud journey. Yeah, yeah, that's right. And, you know, you touched on, like, earlier, Terraform, right? Like, I think it's as important,

as you're looking at solutions for kind of managing and provisioning identity and access in the cloud, it's as important to ensure that the solutions you're going to propose or bring to the table really sit well with the kind of infrastructure as code, right? Automation. You will find, you know, when you talk to DevOps engineers and, you know, you talk to, you know, SREs, those guys only want to

touch a console. Like, if you tell them they have to go somewhere and log into, you know, a web browser somewhere and click a mouse, it's like Kryptonite, right? They love to automate, they love to script. So I think as you look at these tools, it's making sure, even if, honestly, Jim, it is a human user who wants to get access to a resource in the cloud, right? Making sure that even provisioning that access in an

ephemeral aesthetic sense, making sure it integrates well with the tools they're using, whether that's Python or Terraform or, you know, a CLI, AWS CLI, G she'll, like making sure that the way that they access those resources and utilize the identity that you're providing has to be very much, you know, integrated with the tools they're using today from an automation standpoint. This concept of this ephemeral identity, or at least permissioning it,

it sounds an awful lot like zero standing privileges, which is what John Wharton, last time he was on the show, kind of talked through. Is it the same thing or is it an evolution? I guess, you know what I'm looking for? I guess part of my question is, what are the solutions? Because we've talked an awful lot about, here's all the problems, right?

So how do we fix it? I think the idea of having zero standing privileges makes a lot of sense, but I would imagine there needs to be technology backending that to actually make that a reality. Or is it just another script that runs and then

takes it away immediately after? You end up with, like, you know, a whole bunch of different scripts doing very specific tasks, which could probably be a nightmare challenge, but I'm wondering if that ephemeral linkage to zero standing privileges holds up or whether there's something else to it. Yeah, I think it's a good question. I think it's fundamental. I mean, honestly, I think zero standing privileges is the goal and ephemeral credentials is the mechanism to get you there,

right? The ability to generate an ephemeral credential, what does that mean, right? It's, you know, a developer, you know, needs access, whether it's human or non-human, developer or workload, needs access in Amazon, you know, to get to an S3 bucket, let's say to scrape some data or to post some data, right? Rather than having a credential that has static access, that is long-lived, okay, that can be compromised, it's moving that to zero standing privilege, saying,

we'll give you the mechanism, an ephemeral generated credential, when needed, but in the end, right, at the end of the time that you're done with a credential, it's expired. So I look at it as they're tied into each other, right? Zero standing privileges is the goal, that is the ultimate state of, you know, not being able to, you know, compromise standing privileges, by tying that to the mechanism of a platform that can provide and generate ephemeral.

Does that make sense? Yeah, yeah, I think so. And I think it leads me to the second part of my question, which is, all right, so I'm sold, right. Let's go to zero standing privileges, but I've adopted a very automated scripting environment and I'm wondering, what would that look like in realizing that sort of scenario where your containers may rise and fall based on scalable

workloads? Or, you know, whether it's just-in-time provisioning or privileged access management, like those sorts of things. How do you see that sort of zero standing privilege idea come to life? Yeah, I mean, it's really integrating, right? The, you know, as part of the pipeline, integrating the, you know, the interaction with the platform. In this case, Britive, right?

It's about, right, integrating Britive into your pipeline, you know, when I need access, when my job or my workload needs access to a particular resource across multiple clouds, and that's really where it gets difficult, right? And when you have to have a solution that needs to reach into and access multiple cloud service providers, you know, data-as-a-service providers like

Snowflake, so on and so forth. Right, what that means is, instead of them having it, you know, an access to you in GCP that gives me access to a particular project that gets either hard-coded or, honestly, even, you know, even vaulted, what you do is, instead of having the call to, you know, go to the vault to get it, you can actually make a call to a solution like Britive to say, hey, you know what?

I'm running my job, right? You can use things like OIDC or workload federated identity to connect to Britive, and it says, hey, I need access to run this job. Give me this profile, which gives me access to, you know, this project to do these things, right? In that case, right, Britive will generate that credential real time, pass it back through code to the workload. And now it's along its merry way, right?

So it's really just enabling those DevOps teams and those developers, whether, again, they're doing it through their own scripts as a human or through workloads, having a mechanism or a framework where they can, you know, get a credential generated. And then, you know, we take care of, you know, essentially removing access when the job is done, right? So there's no standing access at all. It seems like a very dynamic sort of shifting

environment. Certainly an interesting approach to kind of put in place for managing that access. I think it's a cool idea. I'd love to see more organizations take advantage of that, especially for some of those automation use cases where you can kind of set it and forget it and the security's built in. It makes a lot of sense.

So I think it's certainly a good approach to think about, at least consider, if you're out there kind of managing, especially, multi-cloud environments where you are having to translate between the way Azure does things, GCP does things, AWS, you know, XYZ, whatever cloud is out there. There's that translation layer. I know that we are running short on time and I want to make sure I'm respectful of that. But it wouldn't be a show

if we didn't get into something silly towards the end, and you and I are Chicagoans, or at least I am a former one since I have moved, but we were talking a little before we recorded, I noticed that I actually lived in the town next door to you for years. And you know what?

A small world it is. But here's my challenge to you, Jay. So Jim is the odd man out here, he is not familiar with the Chicago area as you and I might be. And what I want you to do is sell Jim and others who are listening, not familiar, with the draw of Portillo's, and why is it just so popular for Chicagoans, and I think probably want to start with: What is Portillo's, for people who aren't?

And why is it that it was the first meal that I had when I flew back into Chicago for meetings, after having been away from the area for a couple months now? Yeah, well, that's a great question and I am a huge Portillo's fan as you are. I don't know, honestly, many people in the Chicago area or many people that have visited the Chicago area I've introduced to Portillo's who are not big fans of Portillo's, you know, and it's a

really good question. I mean, I think, you know, Portillo's, it's a good way to put it. It likely is the best, I won't, I guess we could call it fast

food. It's got a kind of drive-through, right, but it likely is the best fast food around, at least in this area, and, you know, it's just such an experience, you know, that anything from the Italian beef, you know, and I love the way that you can get a choose-your-own-adventure there, you know, you go in and you get your beef and they have everything from a beef and cheddar on the croissant, which is, it is a treat every once in a while, there, just to their traditional

Italian beef, but you can get it, you know, I think I can remember the exact terms, I think it's like dipped, wet, and something else, but it's like, do I want a splash of the au jus on it? Do I want the entire sandwich actually dipped in the au jus? And then, you know, so it's just an amazing sandwich to begin

with, that's what I recommend if you're going to go there the first time. There's a lot of other good stuff there too, burgers are great as well, by the way, but then, I think the thing that gets everybody else, if you're a chocolate cake fan, right, their chocolate cake is to die for. So I always make sure whenever I bring, you know, my colleagues into town, or my family into town, to make sure that they

not only try the beef, right, you can, but also the chocolate cake, to the point, Jim, where you can get a chocolate cake shake, right? No, I actually take bits of that chocolate cake and blend it into the shake. So it's a really great experience.

And, you know, just, uh, I actually have had people where, you know, colleagues will come in, we'll be doing meetings downtown Chicago, and it's like, you want to go to this nice steakhouse, or do I go to Portillo's, and it's like, let's go to Portillo's, right? Once they've tried it. So it's a lot of fun, and the last plug I'll make for Portillo's is their drive-through efficiency is the most amazing thing I've ever seen.

They will probably have 30, 40 cars in the drive-through and, you know, normally you would be like throwing your hands up and go somewhere else, but they got about seven or eight people working that line and it's the most efficient thing you've ever seen. You will get through that line probably faster than a typical drive-through that had six people in it. So it's a really good experience. Really great food. I started to see they've moved out of Chicago.

So they're going into Arizona, and kind of where a lot of the Chicago transplants are going. Sadly, they are, they're moving on. But if you're here, you gotta try it. And you're right, Jeff, when people come back, it's one of the first meals that I have. So that chocolate cake is absolutely legendary, absolutely, 100%. I've heard a rumor and I don't know if it's true or not

that really what makes it so good is they use mayonnaise in it. I've heard that, it's some of the kind of, see if it is, just like the Chicago folklore that you get into when we start talking about it. Yeah. I guess Portillo's is like fast casual, I guess, but I guess it's described as, like, Chicago street food: Italian beef sandwiches, hot dogs, hamburgers, fries, onion rings, you know, cheese dip, all the healthy things that you want in your

life. Jim, based on that description, what are we thinking? And do you have something comparable? And, well, you gotta, in your thinking, is this episode of the Identity at the Center podcast, you like Portillo's. And what came to my mind, first off, audio-only podcast, but if you can see the look on Jay's face when he's talking about Portillo's, you have to go there, like you'd be sold. I'm completely sold.

I want that chocolate cake. Yeah, I mean, it sounds great and I don't think we have anything at that level in Augusta, Georgia, but what we do have is a lot of good food here. I would say the best place I've been for food is Las Vegas, but they have really good food. In almost, in most cities, you have really good food, but I definitely, next time I'm in Chicago, I'm going to try

Portillo's, it doesn't matter. And the other thing that made me think of was, remember that Saturday Night Live skit where they're, like, Bears fans and they would always be like, oh, heart attack. Heart attack. Okay, I'm all better now. That sounds about right, for sure.

I think, you know, having been away now for a few months, Portillo's is so good and so efficient and so consistent, like you said. This episode not brought to you by Portillo's, but we're definitely fans, at least Jay and I. You could actually get Portillo's shipped to your house.

So one of my brothers sent me an Italian beef kind of kit that has, like, the Italian beef, the fresh French rolls to make the sandwiches, the au jus, all that kind of stuff, and you can also get the chocolate cake shipped too, as well. And I discovered in my investigations of, you know, how can this be?

Is they actually have a Portillo's 365 subscription, because here we are, 2022, everything is a subscription, where basically every month you get something shipped to you from Portillo's. It could be, okay, could be, like, a hot dog, hamburger kind of, you know, kit. It could be the Italian beef. I mean, what a time to be alive, right? Yeah, I'm getting subscriptioned to death, though. I mean, I just bought a truck and it's like they were 25 bucks

a month for their app. I'm like, you got to be kidding me. Software is eating the world and twenty-five dollars sounds like a pretty good deal for some of the stuff that, it's not that I use it. All right, let's go ahead and start to wrap things up. Jay, you've been really great with your time, but I'll give you kind of a final, let's just take a pass around the room real quick here.

You know, what are some final thoughts that people should take away from our conversation about identity and managing those in the cloud, and anything else they want to pull away, or should we just keep talking Portillo's? That's fine too. You know, either way is good for me. But, now, well, yeah, I mean, you know, I think it's, first off, and you had a whole episode on this with my colleague John, but, you know, it's okay to accept identity in the cloud is

different, right? And that's good to recognize up front, and, you know, I think it's important to embrace that and, you know, as an identity team, want to learn about that. You know, I've seen multiple ways to achieve that, as I mentioned, you know, I've seen groups kind of meld and, you know, come together, and adding cloud expertise to an identity team, you know, has

helped. But I think that, you know, if you want a successful project of, you know, from an identity team, being able to understand and control and meet your goals of, you know, protecting identity in the cloud, I do think going in and partnering with that DevOps team, right, is going to be a really important part of that, right? And, you know, starting with, you know, understanding a little bit of how they work and how to meet their needs.

And then again, in looking at both, we talked about it, the visibility side, understanding. And then ultimately getting to a point where, you know, you can implement those ephemeral credentials, only because that's the way the cloud works in general, right? Cloud in and of itself is ephemeral, so that kind of understanding those concepts and really going in with a goal of learning and understanding first,

I think it's going to get you to the end and, you know, get your program implemented much more successfully. It's okay to get smarter, and I'm glad you were here to kind of help educate myself and hopefully others. Jim, final thoughts for this week. Yeah, I hope it didn't come off as down on the CIEM space. I think what CIEM does in terms of the control and the analysis of your

accounts and entitlements is very important on the detective side of it. What I was trying to point out was it's not the whole picture, right? There's the preventative side, which I got into as well. And I also wanted to point out kind of one of my life mottos is, don't let perfection be the enemy of better. So, you know, I work with a lot of clients where they have a lot of over-provisioned accounts already. If you can start to eliminate a couple of those over-provisioned

accounts or get them right-sized, you reduce your attack surface, and that's important. And it only takes the one account that's over-provisioned to cause the problem. So, if you can eliminate a bunch of them by doing a cleanup project assisted by a CIEM platform, then you're better. And, you know, I think that's the game in cybersecurity, right? There is no perfect, you're never going to be bulletproof, or in other words, you're never going to be 100%

risk-free. So it's about managing the risk and about reducing the risk. So if you can go and do a cleanup of over-provisioned accounts, I highly recommend doing that. That's pretty good, pretty good tips there. It's a journey, right? Security, and it's never-ending. You've got to get it right every time; people who are looking to do bad things only have to get it right once. So trying to put in as many layers of, you know, thoughtful risk mitigation is probably the way to

watch it. But all right, let's go ahead and leave it there for this week. I'll have links in our show notes where you can connect with Jay, Jim, myself, whether you've got questions, concerns, you know, looking to get more information, upper 20's, whatever it might be. Right? I'm sure the three of us will be happy to talk. Well, maybe not Jim so much about this, point you towards me,

but, why look. So we also have a link to Britive, britive.com, so people can check out what those guys are doing, and thanks to you for being part of the show. We're on the website, our website is identityatthecenter.com, so you can find out more information about us, including our snazzy new listen page that has joined the year 2000 and now has all of our episodes and show notes and links and stuff like that. And then we're on Twitter at

IDACPodcast. So with that, we'll go ahead and leave it for this week. Thanks, everyone, for listening, and we'll talk with everyone in the next one. Thanks for listening to the Identity at the Center podcast. If you like what you heard, don't forget to subscribe and visit us on the web, identityatthecenter.com.
