
#232 - Just in Time Access with John Morton of Britive

Sep 25, 2023 · 54 min · Ep. 232

Episode description

In this episode of Identity at the Center, Jim and Jeff talk with John Morton, Field CTO and Cloud Solutions Engineering Leader at Britive about Just in Time (JIT) Access. The hosts ask Morton about his work at Britive and how JIT access works, including its relationship to zero standing privileges. The conversation also covers what business problems JIT access solves, whether it's just for cloud or on-prem, and how it might help organizations that use Snowflake or in DevOps automation.


Connect with John on LinkedIn: https://www.linkedin.com/in/johnmortonnotromnhoj/.

Learn more about Britive: https://www.britive.com/


Identity Week America - use code IDAC30 for a 30% discount on your conference pass: https://www.terrapinn.com/exhibition/identity-week-america/index.stm

Use the code OKTNIDAC30 for 30% off your Oktane 2023 registration at https://www.okta.com/oktane/

Authenticate Conference - use code IDAC15PODCAST for a 15% discount on your registration fee: https://authenticatecon.com/event/authenticate-2023/


Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/


Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter.

Transcript

This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff. How are you? Oh, not so bad. Yourself? Good. I'm getting used to seeing you in your home office. Obviously we're on an audio-only podcast, but we have cameras on, so I can see you're at home. You've been home for like two weeks in a row. This is really weird.

Only one week. So yeah, I'm home this week. I was out last week, but I think I was able to record from home. So, and then I hit the road for the next, I believe it's at least eight weeks in a row that I'll be gone. So I'm making trips kind of all over the place, more in Chicago, Cincinnati, back to Milwaukee and then Chicago, then Milwaukee, then, where am I going after that? Then DC, and then Austin, TX, and then San Diego, and then who knows past that.

That's everything that I have going for the next few weeks. Yeah. So what do you do? Do you have any, like, tips and tricks for the non-road-warrior people like me? Well, like, what do you mean, tips or tricks? Like, I, you know, our guest, I'm not going to announce who our guest is, but he has his camera on as well. And I see he's got some backpacks in the background, right?

And I'm thinking, like, I know when I'm hitting the road like 2-3 weeks in a row, I like to basically keep my backpack packed for three weeks, right? I don't know. Do you have anything like that? I mean, I'm coming home in between all those trips, and I like to travel light. I'm a big fan of one-bag travel if I can do it, so I try to. I have a quest to find the perfect one-bag solution. I am somewhere around the 30th or 40th attempt of different bags in my collection. At this point, I think it's a big benefit if you can travel and fit everything you need underneath the seat in front of you. You don't have to fight for overhead space for luggage. You don't have to worry about checking bags. I haven't checked a bag in a decade, I don't know, and that was for an international trip, so I'm not a fan of that. Pack light, you know, pack what you need.

Yeah, especially if you're doing domestic US travel, you know, if you forget something, you can always find something local to replace it if you need it. Trying to think what else. Find multipurpose items, so try to standardize, like, power plugs, cables, things like that, so you don't need to bring like 8 different power adapters with you. Get a nice USB-C charger, multiport, with enough wattage to juice up all your stuff. You know, get cables that can serve multiple purposes, stuff like that. And definitely, if you're traveling a lot, invest in yourself, meaning get like an airline club card or something like that to separate yourself from the masses when you're at an airport. Yeah, I haven't been traveling all that much really since the pandemic, but prior to that I was traveling a lot. I think my tip would be practice the cone of silence, which is like, you can create this invisible bubble around yourself, in your own mind anyway. And it's like, you can kind of, like, pretend you're not there, well, you know, pretend you're not in that airplane seat, because sometimes it's like hot or cold. Maybe there's a baby right behind you crying, or there's other people just being rude or whatever. Don't fall into the trap of, you know, being rude yourself.

Just pretend you're not there. That, you know, that's a good point, and this reminds me: get the best noise-cancelling earbuds or headphones, whatever you can muster. They are a huge game changer. So I travel with a couple pairs. I got my AirPods Pro and then I have the Bose QuietComfort earbud things. I don't like the over-ears because they take so much room, so I'm not a fan of the in-ear type of stuff. So if that works for people, that's another one. So I carry both of those with me. Yeah, it was very helpful for my last flight from New York City that had a child screaming in the seat behind me, and I was, for the most part, blissfully unaware. Yeah, I know when you have enough years of travel under your belt, you start hearing people's travel horror stories and you're like, yeah, you travel a lot, that's going to happen. And we're on the runway for five hours.

Yeah, that stuff happens. Delays, all that stuff, stuff you can control, stuff that you can't. You know, I've kind of gotten just used to it. It's like, whatever. I mean, it happens. And now that I'm connecting, I used to, you know, fly out of Chicago because that's where I used to live, so everything was a direct flight. Now, living in North Carolina, out of the Asheville area, everything is a connection for the most part. Asheville, I go to Atlanta and then I go somewhere else.

So there's been a couple of nights where I've, you know, had to spend a night in Atlanta because flights are delayed or whatever. It's a first-world problem. You know, I made it. We're okay. We're fine, yeah. I get angry; doesn't change the outcome any. No, doesn't do anything for me. Yeah, so. I guess so, you're asking about travel. I got a lot of things going on. We're actually recording this a couple weeks in advance, so, kind of the fourth wall down, it's September 7th.

As we're sitting here recording this, I have all these trips lined up starting next week. And we're going to kind of talk through some of that, because I think some of these trips are related to speaking engagements or conferences or things that you and I are both doing. I guess the first thing coming up is really, it's a tie. It's for you and me. I'm going to be at Identity Week America, October 3rd and 4th in Washington, DC. I'm hosting a panel discussion on passkeys. We're recording this in the middle of the day. As soon as this is over, I'm hopping onto a call with my panel participants to figure out what the heck we're going to talk about. So that is real-time information of what we're doing. I'm going to be out there, and we've got a discount code for folks who want to take advantage of that. For Identity Week America, it's IDAC30, I-D-A-C-3-0. That gets you 30% off your conference pass. It works for both Identity Week America and Identity Week Asia. So if you're looking at any of those conferences here in the next few weeks, definitely come out. Say hello, I will be there, but feel free to use the code; that shows support for us. And then while I'm in DC, you're going to be in San Francisco. I'll be in San Fran at Oktane 2023, which is October 3rd through the 5th. We have a discount code for that one as well, 30% off using OKTNIDAC30.

That'll get you 30% off. You can register at okta.com/oktane, and we're also doing some fun stuff over there. One is I'm going to have my fancy-dancy iPhone and I'm going to take some videos and hopefully do some interviews with folks that I see around the conference. I'll have some of the new updated IDAC stickers. They're more easily peeled off. You're very proud of those, by the way. I mean, it's a game changer. How often can you upgrade a sticker, right? You know, like, what do you have to do to upgrade something that's been around for 100 years? Now with 100% more sticker. Yeah, it's much more sticky. And then we're doing a cohosted event with our friends from Accents. It's Wednesday night. We'll put the link in the show notes for how to register for that bad boy. Or you can look at my LinkedIn profile.

I've posted a video on it which kind of shows the last time we did an event, or actually attended their event, didn't cohost that one, at Identiverse, but we will for this one at Oktane, and our guest today may be in attendance there at Oktane as well. Yeah, we'll see. And then after that we've got the Authenticate conference, that is October 16th to 18th. That's in Carlsbad, CA. That's the San Diego trip that I mentioned. So I'm heading out there for that.

Jim, you and I are going to be on the main stage. We're going to do a live show in front of the live studio audience of people in the venue, as well as streamed live to the Internet. That'll be interesting. We've got to figure out what the heck we're doing with that one too. So we got to get up on our horse about that. But we've got a code for that one as well: IDAC15PODCAST. That gets you 15% off. So we've got discount codes galore for Identity Week America, Oktane, Authenticate. Very appreciative of all those guys sponsoring with us and helping us get the word out for stuff that we're going to be doing at their events, and hopefully they get the benefit of your great attendance being there. So I'll have links in our show notes too, where people can get all this information, and make it easy for people to sign up and register. Also, if you're a fan of the podcast, at the Authenticate conference we're going to record like 5 different episodes, or four, in addition to that main stage one, and we're going to have a multitude of guests. We're also going to have live studio audience opportunities where people can come attend, ask questions of the guests. We have to keep them to about an hour long because we're going to be on the schedule just like any other session, but it should be a lot of fun. So if you're into the show and you want to take part, being there at Authenticate is a great way to do it. And by the way, they're also having one night, one of their entertainment nights, that they're going to have out on the patio. It looks like a really nice hotel or nice resort. They're going to have food trucks. So that's how we'll be fed that night, via food trucks. I'm really looking forward to that.

I think Mexican food in San Diego is the best Mexican food you can get in the US. Those are fighting words. I know that we're going to get some hate mail over that, but I'm putting, I'm laying it down. Do you agree? No, but that's only because I haven't had it in the San Diego area from a food truck. I'll be honest, I didn't really discover food trucks until about a year ago. Was never like a thing in the Chicago suburbs. So it's like, okay, whatever you're talking about. Too cold there. Well, yeah. And I guess it's just, you know, it's urban, I mean, you know, it's suburb, and so it's just spread out everywhere. It's not like you're in the city and stuff like that. Or at least I wasn't very much. Now, having lived in Nashville for a little over a year, there is a huge food truck scene, because they are constantly going between all the different breweries and different things. So I'm all in on the food trucks. A good food truck, chef's kiss for sure. Am I willing to go and say that the San Diego area has the best Mexican food out of a food truck? I don't know. I'll take the challenge. I'll throw away the food truck qualifier. I'm just saying it has the best Mexican food. But what about, like, Chili's? We'll leave it at that, folks. Episode over.

Yeah. Why don't we get to our main topic? We're going to talk about just-in-time access, and just in time, we've got John Morton. He's the Field CTO, Cloud Solutions Engineering Leader at Britive. Welcome to the show. Or I should say, welcome back to the show, John. Always happy to be here, gentlemen, and the Chili's comment, those are fighting words. Hey, shout out to my chili heads. I worked for Chili's for like 4 or 5 years. Made great friends, lifelong friends.

It was a great time, and I'm a fan of the queso. What can I say? I travel, I go to a Chili's, I eat the queso. It's simple. I'm a simple man with simple needs. The last time you were with us, John, was episode 115, and we talked about the cloud being different. That was way back in October 2021; now we're in September of 2023. What have you been doing for the last two years? That is a great question, and surprisingly I've been diving into exactly that, not just cloud usage but actually, like, digital transformation, and I've been working a lot with customers, getting to know them and understanding what they are doing there that's so radically different that traditional tools just don't fit. So a lot of conferences, a lot of, you know, customer engagements. You all mentioned some conferences. We all may be used to an identity one, but we're talking things like Google Next, AWS re:Invent, KubeCon, a Kubernetes-specific conference, DevOps Days, these sorts of conferences I've been attending and really just learning from customers what they're doing and how they're doing it. That's it. That doesn't sound like very much.

Well, the objective there, the pitch I always give, is what I've been working on for our company at Britive: I bridge the gap between sales, engineering and product, being an evangelist for customers. So when I gather all that data and information of what they're trying to do, how do we build our product and make it better, and actually tangibly build it, and then go sell it? So that's the summary there.

So for people who aren't familiar with Britive, what is it that you guys are looking to solve for? Yeah. So the best way I summarize it is that we do cloud access management. I know that sounds very simple and it's a very easy way to put it, but that is functionally what we do. We help folks manage access to the cloud. And our claim to fame is, as you all pointed out, just in time, meaning you get the access you need when you need it. It's the appropriate access and it's what you want.

Not to be confused exactly with authentication, more focused on that authorization piece, but that's the summary. Yeah, that's a good summary. I think what I always get hung up on with just-in-time access is, because I think you just said what it is, but how does it really work? Like, walk me through a scenario where somebody is, like, receiving just-in-time access to go do something they need. Yeah. And so, yeah, back to that point of what these engineers, I like to call them builders, platform engineering folks, system engineering folks, site reliability engineers in, you know, operations, are trying to do. What they're trying to do for the most part is maybe deploy a certain piece of software literally right now, whether that's a human method or an automated method. What they've learned over time is you don't have to have static credentials that have static permissions, like a domain admin, to add someone to a security group. You can actually do it pulling the levers of APIs. I can put Jim McDonald in security group A for 5 minutes, he does his job, and I take him out. That's the simplest way to break down some of that complexity. That makes a lot of sense.

I think that, you know, one of the biggest shortcomings we have is over-provisioned accounts, accounts lying around that, you know, even if you feel like you've got all the safeguards and controls around those accounts, it's an unnecessary risk to have an account out there that has all these permissions that's not being used. But it brings me back to, I think, the terminology that I was hearing a lot a few years ago, which is zero standing privileges.

And my question is, is just-in-time access zero standing privileges? Are they exactly the same thing? They go hand in hand, they go hand in hand. So what's always tough for customers, and I've been doing this now for three years specifically, is everybody says they do JIT, and JIT can literally mean, hey, Jeff logs on right now, creates an account for me right now, and he puts me in the group right now. That qualifies as just in time, right? That is radically different than zero standing privileges, where, you know, you may have an existing user account and you get the access you need, being put into a group, for example, and taken out. The zero standing privileges there is your account has zero standing privileges. So architecture is my favorite term for that. It makes it a little confusing about the two, and it's the operations team who really can break it down even better, if that makes sense.

It seems like the accounts we're talking about are of the privileged variety. It makes you think of privileged access management, or PAM. I'm wondering, is what we're talking about like PAM 2.0? Because we've done episodes where we said PAM is dead. I wouldn't say PAM is dead, because that hurts a lot of people's feelings. What it is, is access is being looked at in a new way, right? Why does it have to be privileged access when you can manage access this way? A better way to look at it is, I always say, from the resource up. It should be the resource that dictates the level of privilege. And, you know, that's a new way to kind of look at things if you were biased like I was for a long time, and I am. What I mean is, like, a developer may say, I need access to an EC2 instance. That's a resource. It's a bucket where you store data, etc. They don't care how you get there. All they care about is getting the access they need when they need it. So they're looking more at the resource itself versus some sort of account that gets down into it, right? So John, I'm gonna ask you, I'm gonna ask the question very open-ended, about what business problem that solves, but then I do want to get into specifics depending on your answer. So what business problems does just-in-time access solve?

Oh, now that is my absolute favorite, Jeff and Jim. This is where I, over the past few years working with operations and builders, I've been so relieved working with them, because there are a lot of shops of yes, versus working with traditional identity and security that are shops of no. What does that mean? Operations teams, platform engineering, system engineering, they get paid to do things like, you know, we're recording now. They get paid to keep the platform up, right?

They get paid to make sure when we access it, it's there. The KPIs for the business are driven by functional operations of organizations. The last thing they want is to be slowed down in doing their jobs. A lot of the KPIs revolve around that, and they report up to the CTO. So what we do is we help remove a lot of the complexity of access so they can do their job. Simply put, they are begging, please remove the complexity so I can do my job.

Because when you think about things like least privilege, privileged access management, request workflows, that is complexity. The business value of what we're doing is we're streamlining that process by giving these builders a self-service opportunity that has security guardrails. So it's win-win. The builders get what they want. They do things fast, and there's security involved because we have guardrails with JIT, and we really enable them to build fast. That's a great answer.

You know, I can't think of an organization I've worked with in the past decade or so that doesn't have cloud infrastructure, cloud applications. And I think we're talking a lot about how to do these things, how to manage these privileges for the cloud. But what about on-prem? A lot of these organizations still have servers and data centers, and they might call it like a hybrid cloud, but the reality of it is, it's still on-prem infrastructure. You are absolutely correct.

So one thing I like to remind people of too, just to take one step back, is when I talk about the cloud, I really hate, it was a joke that came out maybe four or five years ago where somebody said the cloud is just someone else virtualizing your data center. That is not the cloud at all. The cloud to me, when I talk about AWS or GCP, is actually a new operating system. It's not somewhere where you virtualize servers. It's a brand new operating system that has its own functions.

So what they did there is they built capabilities like ephemeral access that made it easy. So the hardest thing we deal with at Britive is your exact point. You can do all these fancy, fun things in the cloud. Why can't you do it on premise? Well, there's certain limitations. There's traditional networking, traditional directory structures, file structures. You have these beautiful firewalls that keep us out, so we're slowly bridging that gap back to on premise, where my use case still applies on premise. Imagine if you can put someone in a security group for 5 minutes and take them out. That's the simplest way to think about it. Now, when you add on the layers to it, you have to have some sort of agent that runs in the environment that can do this job that you would have done manually. That's where it gets a little fun, but we are seeing these capabilities expanded with certain tools like Kubernetes, with certain capabilities like robotic automated processes, things like Jenkins, things like Terraform. So the cloud world is slowly being begged to go back to the on-premise world. It's just nobody's 100% there yet.

Yeah, yeah. There's just so many, such a variety of use cases and legacy systems and things like that. So it sounds like on-prem is a more difficult one to tackle in terms of the types of systems. Are we talking about apps? Are we talking about middleware, infrastructure, or is it all of the above, platforms as well? Yeah. Now that's still, another thing I like to talk about is a cloud journey, right, a cloud journey. You just nailed it very eloquently, Jim. So a lot of folks, they will start with, let me just virtualize some of these hardware servers into the cloud. Very basic stuff, right? So at its core, lift and shift, we're managing the platform. But anybody who goes on a digital transformation knows that's the tip of the iceberg. You want to use these new operating systems, like I mentioned, and, you know, get that going. So what we'll see is it's a really diverse set of what they're going for. Now, a little bit of bias here, but there are certain organizations that are on the bleeding edge of pushing operations faster. Retail, for example. They get paid when you go download stuff off their app and purchase stuff through their apps. They're a lot farther than, in your case, Jim, where we're at; you go somewhere else like insurance. Yeah, we're lucky if we see anything. In the close fed space, very similar. So many controls and rules, they're not there. So there are different verticals that push a lot farther. But we really run the gamut of all of those in between, and I describe it as human problems versus legitimate automated infrastructure-as-code, CI/CD problems. There's a full spectrum there.

You mentioned a couple of different verticals like government and insurance, compared to maybe retail, and sort of the, I don't know, where they're at on their journey either to or from the cloud, I guess would be the right way to put it. A lot of folks out there probably have a PAM strategy. I hope they do, at least of some sort, and maybe it's been designed, you know, in a way that was more focused on on-prem versus something that's more cloud-focused. Does it make sense to have a PAM strategy for both? Here is our PAM strategy for our on-premise environment, and then here is our PAM strategy for our cloud environment. Are there parallels that could be drawn between the two to say, okay, as a general rule of, you know, of operating, we want to be least privilege, right? Or if we can, zero standing privileges, which I love, I love, I love, you know, the idea of that. I think I've been using it since I heard you talk about it a couple years ago.

That's a great idea, right? That's this just-in-time access type thing. If I have a strategy that was built for on-prem, how much of that translates to my PAM strategy for the cloud? Yeah, Jeff, getting me excited over here asking the tough questions. So I would say almost 5% would be applicable. Here's why. Now traditionally, everyone should have an identity strategy. You guys nailed it. Jeff and Jim, you're here to hear first, leaders in the right way to think about it, right?

It should be an identity strategy. Why am I saying that? PAM to me has always been a subset of that. And about 20 years ago, some smart vendors, we won't name names, created their own market space for PAM, and they created all the rules. Well, those rules don't apply 20 years later. Trust me, I very rarely encounter anybody who wants to be held up having some virtual machine log into them as an admin user because you have to pay for more admin accounts.

So those sorts of strategies, you're correct, they should be there. But what hurts the most is the mandates, the compliance, the risk, the regulations that accompany PAM. So there's no way to escape that strategy, but it does not in any way correlate one-to-one for capabilities in the cloud. For example, you know, zero standing privileges. We once showed an auditor, when we were working on our own SOC 2 Type 2, they said, hey, let's do an audit of your environment.

At Britive we showed them, and they said, why do none of these accounts have any permissions? This isn't even possible. Where are the privileged accounts? We're like, we use this new tool that we built, and it doesn't work that way anymore. So as times evolve, the traditional PAM idea, which to me is a subset of identity, is not going to be able to keep up.

It's just not feasible. Well, I think a lot of organizations run into this struggle of the definition of what is privileged access, and sometimes it's like, okay, well, because I'm an admin, I need that admin access all the time. When do you really? I mean, you know, sometimes it's, you know, one transaction, right, you're doing per day that requires it. Or maybe it is in an area where you're constantly doing things, and they end up as sort of like this spectrum of different permissions.

And I think the reality, if you really were able to get it down to a fine-grained point in time, minute, not even minute by minute, but millisecond by millisecond in some cases, what does your actual privilege profile look like? There's probably a spectrum there. Am I thinking about that right, or is there a different way that people should be thinking about that out there? You're thinking about it right, and that's traditionally how I came into it too, right? I kind of thought about it. So this is where I ran into the conflicts, though, where I pivoted to, well, what are the builders doing? They don't care about an admin. They don't know the difference. What they care about is access to resources. So within any environment, any ecosystem, the data, the resource, is what can be classified as privileged, if you will. How we get that, you know, they can latch on to that easier than us. So let me put it a different way. A lot of PAM and IAM teams think, they ask me, if I just had the context, if I knew what was privileged, if your tool could tell me, I could fix things. That's never going to work. That's a never-ending tale. With every new cloud added, every new resource added, we say, hey, why don't you look at the resource itself and what they're trying to do? When we build guardrails around that, does that make kind of sense around a different way to approach the same problem? Yeah, I think so.

I think it's difficult in the real world sometimes, right? It's how, I guess, how responsive are your identity systems in being able to manage that. It's typically the challenge I see, because the traditional method of doing this is I go into a vault. And then, you know, first of all, I log into a vault, and then I need to find my credential, and then I need to check it out like a library book. Sometimes there's a form I need to fill out that says, hey Jim, am I allowed to have this library book out? And then we're waiting for Jim to say yes or no, right? And then I get that account, and then I do my thing, whatever it is. And then maybe I keep that library book checked out for the entire day, week, month, hour, whatever it is. And then somewhere Jim, the mean privileged librarian, comes along and says, give me that back, takes that book back, that account back, and changes the password on me.

So I can't use it. It seems like that's not super responsive in today's world. And I'm thinking about this just-in-time access. It's very, in my mind, it's going to have to be very data-driven, but it's going to really be a different way to think about how we can actually deliver on that promise of JIT. And say, okay, well, here's what we've got.

And, you know, your access is minute by minute, second by second, really kept up to date, because I think there is something very powerful to say about, yeah, if an account gets breached, the account itself doesn't have any permissions, which is great. It's very similar to kind of this idea of passwordless, or, I'll say true passwordless, meaning there is no password in the environment; you're relying on other mechanisms to do authentication.

So if you steal the database that has the credentials in it, the password field is blank, empty, or just doesn't, you know, it doesn't make any sense and is of no use to people. I see kind of the same concept here. Yeah. So it's exactly that. It's just to add, like I like to say, Better Together, to add to what you're saying, right?

The Better Together story is, if you looked at it this way, and when I talk to my customers, we don't have the context as identity practitioners of all these vulnerabilities. The simplest way we can do it is say we have a production environment; the developers or builders have the context of what they need. What if we allow them to have self-service to what they want with security guardrails, to your point, the security guardrails being: you can build your own access in this environment, and you use JIT and you use our policies and you plug into the SIEM and you plug into SSO or MFA. That is exactly where we're fitting. We don't know what you're trying to do. We want to give you the guardrails to build it to be the most effective you can.

That is amazing. When we, when we our customers specifically, that's what they're buying into rather than identity saying you need to explain to me all these things, Jim, why do you want this access? I'm going to give it to you for 24 hours. Instead it's saying, hey, why don't you build this, then you use it. We'll keep an eye on it. If it works, it works, everybody wins. Does that make sense? Yeah, for sure. I think there's another area that I kind of want to get into

a little bit and this is around data, because I think this is an area where a lot of organizations struggle. Back in the "old days," in quotation marks, there were things like data lakes with Hadoop, things like that, and it was still very much role based access to some degree, maybe some attribute based access control.

And now we've got things like Snowflake, and this potentially is an area where I think they could have a pretty big impact, meaning just in time access into Snowflake environments and data accesses. First of all, I guess for people who aren't familiar with Snowflake, and pretend I'm a dummy, I know it won't be a big stretch for you, what is Snowflake? And then talk about the impact that something like either JIT or zero standing privileges might have on a solution like Snowflake.

Yeah, excellent. And I love these folks. Never think anybody's a dummy. I get excited about it cuz I had to start, you know, somewhere. So when I think about what Snowflake is, so when I started out, I used to be in finance before, actually before I came to the vendor side like 10, 12 years ago. And everybody knows what a DBA is, right? Everybody knows what a database is. Hopefully you store data in it, you reference it, you need it for everything.

And that's how most systems, information systems, work. It's not really that much different. Where Snowflake changed the game was in just the pricing model. I know I'm not making this like a business conversation, but it's actually pretty important. Rather than worry about tons of storage, and this actually speaks to the difference between on premise and cloud. Most of the time when you worried about, and I'd like to speak like a CTO, because it's

business value. When you have an application that references data and databases, you used to get charged by storage. The more data you stored, the more expensive it was. What Snowflake did is they said that is a bad idea. Let's switch it where we're only going to charge you when you access data; we don't care how much of it you store. So that radically allowed applications to be built in new ways. We won't go too deep into it, but it's your idea of data

warehousing. It's still the exact same, right? You store the data somewhere and you get charged by compute. What this does though is it allows organizations to get really business analytical and think about what they're doing with the data and use it in new

and creative ways. So with Snowflake, you can store all the data you want, you can distribute it how you want, you want to protect it, but you're allowing folks to access it when they want, and they're only charged in that time for compute. Now why that matters? Does that kind of make sense? Yeah, I'm thinking of my simple brain, almost like a vending machine. You've got a stock of soda inside the vending machine.

And you're only paying for the things that you're pulling out of that vending machine. 100%, rather than paying for keeping that vending machine alive and stocked and full where you may not use it all the time. I only want a couple sodas. So what that does though from a security perspective is it's a little scary to traditional security practitioners, because now you have new ways of accessing Snowflake, tools like Jupyter notebooks that data scientists use.

So to your point earlier, Jeff, guess how they access this data? They have one set of login credentials, they use it in these robotic processes and they fetch this data all the time. Now that's good on the business side, but on the security side, that's a little petrifying. Especially if you can run up the bill or access data sets you shouldn't be able to access. You do need some disparity there.

And again, it's the traditional concept of do you need global admin to access every table and every entry to run this task with one set of credentials, or can we do it in a different way? Okay. So I'm sold. I need to have just in time in my environment, I need to have a Privileged Access Management environment if I don't already.

One of the challenges that I typically see with this is around this concept of accountability versus ownership and responsibility of delivering these services out to, you know, the environment. Who runs Privileged Access Management within an organization? And part of that would be things like services like just in time or zero standing privileges or traditional PAM, right? That might be like a vault or

things like that. Cuz I feel like typically infosec teams like to get their hands in there and say okay, here's my tool, right? And you developers need to use this. There's another school of thought that's like, well, it's the engineers that are gonna be using it, maybe they should own it and information security, maybe, provides some guidance or, you know, some oversight over how it's used, right? Things like that. Maybe it's someone else. I don't know, like where do you see this, this, this,

I won't say battle, but this discussion taking place? It is a battle. So what my best recommendation is, is as such. All right, so this is what I tell the boards or C-level folks: the job of a CSO, so in my opinion a Chief Security Officer, is to technically own the tools that account for risk. They own the risk. They do not need to have the context to understand what exactly the CTO is doing in Snowflake, right. But he does own the risk of that access, of that getting out.

So traditionally when we've seen it, and you all probably have seen the same thing, IAM teams, even their purchases go to the CISO. The CISO owns the product. What is a happy medium is when you do say, CTO or CIO, I'm going to own the risk. Here's the tools I'm providing. They will help you enable your task, your functions, MBOs, whatever, right. The CTO also has an objective, so does the

organization. That's what we normally see. 95% of the time the CISO owns the risk, they own the products. But you have to work hand in hand with the business units, the CTO normally, that's executing these functions or has

to use them. I think this is an important topic for people to really kind of understand, because I ran a workshop on this actually a couple weeks ago with a client and we spent probably a good two hours talking about the RACI model of the IAM program. In the room was information security, you know, general IT, application developers, things like that. And we kind of had a discussion around, okay,

let's talk about these services for identity that we're going to be providing, and this isn't specific to, you know, PAM or JIT, but I think it certainly applies, is really understanding where do you fit within that RACI matrix. Because I think a lot of people, and I'll, I'll blame, not blame, I'll drop this on my information security brothers and sisters out there, there is this tendency that oh, it's a security tool, so security should own it and operate it and blah,

blah, blah. That might not be true. You might be accountable for the tool or the risk that the tool is mitigating, but that does not necessarily mean you need to be responsible for the delivery of that service. So I think this is something that organizations really need to start thinking about. If you're running an IAM program or you're looking at getting one stood up, or anytime you're building out a new service, really take some time

to think about that RACI model. Because I think there's a big difference between being accountable for risk, and this is where I see the CISO and the CTO having the accountability hat. And to me, accountability is like Highlander: there can only be one. Yeah, you've got to have one person or one group that's actually accountable for, you know, the risk of the service, whatever it may be, versus who's responsible for making sure that service is up and running.

So I think this is an area where you really think about, you know, do you really want to be accountable for it? Because if you are, and something goes wrong, that's, you know, the group or the person that's going to be on the hook to talk to others, to figure out what happened, go to the board, things like that. Now conversely, you know, typically that's the person probably going to get the recognition for, hey, the service now works; hopefully that person

that is accountable is sharing that love downstream to others as well. But I think that's something important for people to think about, is this concept of accountability versus responsibility, and then of course the consulted and the informed part of that RACI diagram. But really think about where do you really want to be, you know, with regards to that service. You said it nicely, Jeff. I was just taking it in, watching the master teach.

Yeah, you didn't think you'd get out of here easy, did you, John? I never do. It's fun though. No, you know, I want to add something on this topic, which is I think privileged access management or just in time access, this is one of those areas where, you know, information security, if they're delivering single sign on or identity governance and administration or whatever other IAM services they're offering, they just assume, okay, well we'll run the PAM system as well.

But what I found in my career is that PAM, as seen by engineers or whoever's being affected by it and going to have to use the tool, is "this is being done to me and now I have to figure out how to do my job efficiently in light of the fact that you've thrown this obstacle in my way, and I'm going to figure out ways to work around it," versus the mindset shift that can happen if you say no, actually this is your tool, you run it, and now

you can't skip a step. The step is, if you go into an organization and the engineering team thinks, oh well, John and Jeff have worked here for 20 years, they're my best friends, they would never try to rob the company or do something bad or become an insider threat, we trust each other, we share passwords. We don't. If that's the mindset, no, you

don't. You don't get to run the system, right? But you at least have to have like a management view within that team that says, you know, I have people come and go, and, you know, like I can trust you with my lunch money, but I'm not going to trust you with the keys to the kingdom of the company. It's just the way it is, right? So, Jim, you and I had this discussion a long time ago. I remember this was an episode, I don't know when it was. It was a long time ago.

We talked about this; it's related to, remember when Tesla almost got breached and basically there was this guy who was like an insider threat and he was being paid, or the attempt was, right, somebody would give him money to give them information on Tesla stuff, right. And you and I had a conversation like, okay, so.

And my thought process was everybody has a number to, you know, break their oath of security or whatever, you know, privacy, whatever it may be. The number might be small, the number might be astronomical, but everybody has a number. If someone came to you, Jim, and said, hey, I will give you $2 billion, Thoma Bravo, if you're listening, to, you know, be part of an acquisition where they acquire the Identity at the Center podcast, I think we would listen to that, right?

As much as we like doing this, right, we have a number that we'd like, all right? It would be something like that. And I think the same goes for anything. Now, again, I'm not saying that people are bad inherently. I try to believe in the good side, but I think everybody has a number. And if you're relying on trust to be your security platform, you know, in a physical, human sense, I think you've got problems. I think that's the case.

I think it's best run by the engineers, because at 12:00 midnight, you know, they're trying to solve a problem. You threw the system at them. Either they're going to try and work around it or they're going to pick up the phone and call you. And I think information security's role is to make sure that the controls that have been put in place actually work, get tested on a regular basis, the system is doing what it's supposed to do, and be accountable for the system.

In other words, the buck stops here. But that doesn't mean turning the wrenches, necessarily. Right. Yeah. And just to add to that, just to highlight exactly what you both are saying, the reason I took this role and I wanted to get closer to the customers is because I consistently see cloud teams pull away. They hear words like PAM and least privilege, they pull away, they're building

these tools themselves. Every one of my large customers has built some version of the tool themselves, because they don't trust their cohorts in information security, because it's just slowing them down and we don't understand what they want. So if we can bridge that gap going forward, those are the most effective customers I see out in the world.

Yeah, you talked earlier a lot about, and I wanted to kind of close this out in terms of the area we've been talking about, just in time access. But shifting back to what you're talking about with DevOps, you know, you're talking about the conferences you're going to. To me this seems like that's the sweet spot for just in time access, you know, especially around non-human accounts and not having them sitting around with privileges, sitting in, you know, high power groups and

elevated permissions, and doing it in a just in time way. I'm wondering, am I thinking about that right? What is the role for just in time access in DevOps? So yeah, so in the over 2 years I've been meeting with these folks, and, you know, they love the idea, but I think again, I will say this bluntly and boldly, identity needs to be more in DevOps, or I call them platform engineering builders.

I call them builders. They're builders in their organization, the engineers. They're looking for identity solutions, and they're not finding what they're looking for. Matter of fact, case in point, literally I heard it so much we actually built a request module. Now we call it Access Builder in our own tool. Because another thing they would tell us is the complexity of requesting a simple access. Jeff needs access to XYZ. I've got to submit a ServiceNow ticket.

I filled it out wrong. I get it back. I get the right details. It goes to someone who doesn't know what I want. I get it back. It goes to some cloud engineer to fulfill that. He doesn't know what I want. I get it back. So it's even in the complexity of requesting access that we decided to build this product, and it's hitting off like gangbusters. And we're asking, where is your IGA tool? Oh, way too complicated.

Where is your ITSM tool? Oh, we don't even want to use that if we don't have to. Can you just give me one line of audit that says Jeff Steadman approved this thing? That's all I need. I don't need the complexity. So they're begging. Builders are begging for these sorts of solutions, where they're just not happy with the current state of things. And it is them. They're the ones who are pushing innovation and making people's lives hard in identity and infosec, right?

Yeah, and I think from a CIO perspective, you don't want to slow down, like the engineers can move at the speed of light now with these cloud services and just roll out new business functionality. Even the CSO is minded from a business perspective: I don't want to slow that down. But at the same time, just saying, all right, well, I'm hands off, that doesn't take away the necessity to ensure security controls are being followed.

So you have to find the middle ground, and I think just in time access can potentially bring you a long way toward achieving that. You need to have the paper trail, but, you know, counting on like a service desk ticket or counting on your IGA system to provide a detective or even a preventive control, it's just too slow. It's the worst. Break glass is always my favorite. You all pointed it out.

There's normally two guys in every shop, or ladies, you know, two people who have the keys of the kingdom for cloud, and they have it written down in, hopefully, a little safe next to their desk, and they both know how to log in. And that's how they still do it, because they don't trust even a vault to get them to where they need to be. They're like, man, you and me, Jim, we're going to turn the keys at the same time and get in here.

But yeah, it's a tough and interesting place to be. And just finding that happy medium is what I'm trying to do. That's where I want identity to go. It is, to me, the biggest rough spot of all enterprises I talk to: the identity processes. Right now they're just complex, mundane and misunderstood. And they may have their place in finance, healthcare, where there are compliance regulations and mandates. Hopefully those change.

But where you don't have as much, retail, manufacturing, things like that, they just want to move fast. Give me what I need. We're all getting paid. Give me what I need. I love it. I think that's a good way to probably close out that part of the discussion: give it to me when I want it and get out of my way. So we mentioned at the top of the show we recorded a

couple weeks early. It's September 7th, which is a holiday in my household and maybe others, but it is opening night for the NFL season here in the US. So I'm a big football fan, have been for years. I have retired from the fantasy football game. I used to run one for like 20 years. I haven't done that in a long time.

Now I can actually sit and actually watch a game and enjoy it rather than watching the little ticker at the bottom that says, you know, so and so scored a touchdown or receiving yards or passing yards, whatever it may be. So here is what we're going to end on, a lighter note today. We're going to pick a winner for this week's slate of games, week one of the NFL. And because people aren't going to hear this until, I think, September 25th-ish,

we're going to be able to find out, right, who is right, wrong, way off base. And so, you know, welcome to the first ever Locktown episode of the NFL Weekly Picks with Identity at the Center. John, who do you have your eye on this week? Who is going to win? So I actually do compete in the survivor pool, where you can only pick one winner every week and you cannot pick the same

team. I did my research based on degenerate gambling and sports betting, and I'm going to go with the Baltimore Ravens to at least get the win, money line. All right, who are the Ravens playing? The Ravens are playing... actually, that's a really good question. I'm not even... that's probably a good... Oh yeah, the Texans. That was why I think, statistically, the safest bet. You are correct. Yeah. OK, Jim, who is your lock for the week? They are going to win their

opening game. Well, I want to interrupt first with: I'm not a huge NFL fan until the college football season ends. I'm a Georgia Bulldogs fan. They are going to win every week, so we can put that in the bank. I also am like super excited about Coach Prime and what he's doing at Colorado. They beat TCU last week. They're going to beat Nebraska this week. NFL wise, Eagles first.

I grew up in Philadelphia, and my number two team has been the Jets, because I lived in the New York metro area for a while, and they sucked big time when I lived there. But now I think they're my pick for the Super Bowl, so. You think the Jets are going to the Super Bowl? I think they're winning the Super Bowl. Wow. And they're playing the Bills, so that's a Monday night game. That's huge. Obviously Aaron Rodgers going to the Jets is a big deal, and their wide receivers are really

good too, right? They're OK. I thought like the one guy was like a superstar. I don't know. Like, it's not really my cup of tea, so. You're going with the Jets? Well, you're saying you're picking the Jets for the Super Bowl, though. Who is winning this week? They're going to play the Buffalo Bills. You're picking the Eagles over the Patriots? Yeah, that's a safe bet. OK. Yeah. All right. So my two teams are the 49ers and the Bears. 49ers play... who do they... the Steelers, who are bad?

They should win that game. But this is about passion, about feeling. I'm going with my Chicago Bears. Aaron Rodgers is out of town, and the Packers are coming in to Soldier Field. I'm going Bears, baby. I've drank the blue kool-aid, the blue and orange. Bears. Lock it in. We're done. Wait, how many wins did the Bears have last year? They had a few, I was just checking. OK, a few means three or more. They have more than that, I think. So here's the excitement in Bear Town.

It's, we're not facing Aaron Rodgers or Brett Favre for the first time in the last 20 years. So there's actually a legitimate chance now that, I think, the Bears can finally start to show some progress against the Packers. From a win percentage, I think it's neck and neck. I want to say the Packers took over like a one or two game lead in the last couple years, but historically it's been like, you know, 700 and 700. They've played so many games against each other, and it's been pretty even.

But I feel like this is the year the Bears turn the corner, mostly because they're not facing Aaron Rodgers. Again, feels like you're trying to talk yourself into this one, but that's OK. Hey, so, you're saying there's a chance? I'm saying there's a chance. All right, we'll go and wrap it up for this week. John, thanks again for coming back on the show. We really appreciate the time you spent with us.

I'll have links to your LinkedIn and to the Britive website, britive.com, so you can learn more about what John's been working on and some of the cool things that the Britive solution does. We'll have links to all the different conference things that we talked about early on, so things like Identity Week America and the discount code for that, Oktane and the discount code for that, Authenticate and our

discount code for that. And of course, you know, you can always connect with Jim and I if you've got questions, comments, concerns, football picks. We're still looking for people to send pictures of Whoppers candy to Jim, because that's his favorite candy. And we'll go ahead and leave it for this week. You can find us on the web, idacpodcast.com, Twitter at IDAC Podcast, Mastodon at IDAC

Podcast at infosec.exchange. Hit that subscribe button, like, share, you know, whatever you want to do to help us out. Getting the word out for Identity at the Center and the gospel of identity and access management to others is always appreciated. So we'll leave it for this week. Thanks everyone for listening, and we'll talk with everyone in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show.

Make sure to like, rate and review and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com and find us on Twitter at IDAC Podcast. See you next time on Identity at the Center.
