¶ Introduction and Banter
This is Identity at the Center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad. Yourself? I'm feeling well. Last episode you actually gave the banter a topic, which was the 1,000,000 downloads. I think that was great news. But back to me, and this time, if you don't mind, I'm going to put you on the spot. So, a topic we didn't prepare for, but just give me some thoughts.
¶ Explaining Identity in Business Speak
And I think everybody, as part of their maturity of, you know, learning the space and communicating what we do to executives and people that really aren't in identity, is taking this thing that we understand and explaining it in business speak. And I'm wondering, kind of, what tips do you have for our listeners? What do you do? What has your journey been like to take these complex topics and turn them into business speak that other people can understand?
Well, I mean, there's so many topics to cover there. I think I have to break it down simply so I can understand it, first of all. So I think that helps. You know, I don't know, I think, even without an example, that would probably be helpful for me, to kind of say, OK, how would I approach that? I think the most important thing is knowing your audience. Who are you talking to? Are they a technical group?
Are they not a technical group? Is it, you know, executive speak, which is a more polished version of baby talk just for some folks, right? Stuff like that. Just use simple language, and I think try to use analogies or examples. That'll probably be my, you know, tip, I guess, without really having a topic to explain. I think analogies and examples are great, but sometimes I abuse that. Sometimes I start trying to come up with an analogy on the fly
and then it doesn't work. And sometimes it can even be embarrassing. A couple of the tips that I use are talking about outcomes, talking about objectives. Just trying to kind of boil it down to, like, all right, give me the headline, give me the story in, you know, something I can relate to and something that just gives me the answer, that doesn't walk me through all the details, because I think as identity people, we understand all the details.
And that can be a little bit dangerous, right? If we dive into details because that's our comfort level, then we're going to lose people who really don't care about those details like we do. There's a time for details. There's a time not for details, and you need to be able to answer the "so what" question. So what if I don't do this thing, or so what if we do do this thing, right? Whatever that is. What is the "so what"? That is part of that message. Absolutely.
And I think, you know, the final thing that I'll say is that I think practicing over and over, and, you know, practice with the people that are in your life, practice with your co-workers. Another great thing is, like, if you go to conferences and you talk to people who are in the industry, who maybe do understand the details, practice with them. Start talking about things in terms of: what is the overall story?
What are you trying to get at? What are the objectives or the outcomes that you're driving for the business? If you can do it in that environment, you should be able to do it anywhere. Yeah, that's a good tip. I think there's a lot of practice that takes place behind the scenes. Know your content. If you know your content, you can confidently answer questions. Yeah, that's probably the biggest thing. I think everyone has their own speaking and communication style.
You'll kind of figure that out eventually. But know your stuff and it's going to go a long way, rather than kind of, you know, fake it till you make it. It's a lot harder to, you know, have a good, decent conversation if you're constantly scrambling or Googling behind the scenes, right? Like, what does that mean? Right. That kind of thing. Well, in terms of, like,
¶ Conference Season and Upcoming Events
summarizing stories and talking about conferences, one thing that we normally do is go through the laundry list of all the discount codes. But I think we're entering the peak season for conferences, and rather than spending 20 minutes just going through all the codes, what should people do? Yeah. We have way too many conferences that you and I are going to be at in some way, shape or form. So we're going to talk about it just at a high level, but go to the website, idacpodcast.com,
scroll down. I've got all of our discounts there. More coming soon, but we are in the thick of it. There are two Official Cybersecurity Summits that I'm going to be at. I'm going to be in Chicago, going to be in Philadelphia. Then we've got the Authenticate conference that is coming up. That's going to be in October. So we've got some fun things we're going to do. I am happy to say that FIDO Feud
is coming back to Authenticate. So I have been cleared to say that I am working on the questions, and Jim will be a team captain. Megan is going to be the returning champion from the FIDO Alliance. She's going to take Jim on again with a whole new team. So I'm looking forward to that. Bigger, badder, better than we did last year. But that's very exciting. FIDO Feud was a lot of fun, the most fun had at the conference.
Let's see, then we've got InfoSec World, that's a new one that we just signed up for within the last week or so. So that's coming up also in October. We've got Identiverse in Washington, DC, that's in November. And then to kind of cap things off at the end of the year at Gartner IAM, we're going to be doing a new game show there, tentatively called Majority Rules. But a lot of audience participation, people playing on their phones.
Jim, you'll be up there on a stage with me and probably Rebecca from Gartner, and kind of doing our thing. But yeah, we're kind of doing, like, this whole, you know, game show schtick at different conferences, and people seem to enjoy it quite a bit. Yeah, until it gets old, why not keep going with it? I mean, people seem to enjoy it. We have fun doing it, and hopefully it continues to draw a
crowd. I think we'll keep doing it as long as people keep wanting it. Yeah, it's a little counter-programming, I think, to some of the conferences where you, you know, it's like, OK, IAM or security talk all day long, and then say, all right, let's have some fun and, you know, kind of get the pulse of people. So I like doing weird and interesting things, and, you know, that scratches that itch for me. Let's just put it that way. Yeah. You know, I love what we're doing with this episode
¶ Intersection of Cloud Security and IAM
today. Kind of something we started in the beginning of the year, which was trying to take other areas of cyber and talk about how they intersect with identity. And we're continuing that conversation today with two of our colleagues from RSM. Yeah. We're going to cover the intersection of cloud security and identity and access management. This is, I think, part five in a series.
We started early in 2025, started off the year with Ghazi in January. We recorded that one at last year's Gartner. And you can go back and look at Jim and his cowboy hat and cowboy attire. So that's, you know, the hook for that one. But yeah, you and I work with some just really smart, good people, which is one of the strengths, I think, of our organization. And so let me go ahead and take
¶ Guest Introductions: Justin and Vaishnavi
a second here to introduce Justin Devine. He's a cloud transformation director. Welcome, Justin. Thanks, Jeff. Appreciate it. Yeah, I'm glad to have you here. And then one of our colleagues in the digital identity practice here at RSM, we've got Vaishnavi Vadi Nathan; she's a digital identity director alongside Jim and myself. Welcome, Vaishnavi. Thank you, Jeff. Hello, Jim. All right, so we have a tradition
around here. First time anyone joins us, we talk about their backgrounds, you know, how they got into identity, or in this case, maybe how we got into infosec kind of at large. Vaishnavi, I'm going to start
¶ Vaishnav's Journey in Identity
with you. How did you get into the wonderful world of identity and access management? Yeah, 18 years ago, I began my journey in the identity world with basic authentication and authorization. At that time, most organizations relied on custom-built solutions or tightly coupled identity modules with
the legacy applications. My work centred on building the login workflows and directory services, moving towards the identity governance world, where we were automating from manual account creation to automated provisioning, role-based access controls, audit and
compliance. That's how my journey began 18 years back, and gradually I progressed towards privileged access management, when the spotlight in those days gradually shifted to the high-risk accounts, administrators, privileged accounts. So I evolved my focus into that area and automated password rotation. That's where I sharpened my skills, from authentication, authorization or access management gradually to identity governance, then to
privileged access management. And also I have seen the journey of the identity world from custom and legacy to the next-gen identity solutions: heavily customized identity systems, on-premise systems and directory services, hardcoded role models, to the next-gen SaaS-first identity platforms, pretty much all the key players in the market. I have been part of the evolution and the journey: adaptive authentication, passwordless. That's how my journey has been
for the 18 years. That's a lot of stuff to cover. Do you have a favorite IAM technology or, you know, IAM vertical? Like, is it IGA, is it PAM, is it authentication? Like, what's your favorite part of identity? Access management is something that always excites me, because it gives the flavour of login, password layers, biometrics. I've seen how access management has evolved over 18 years, from where we had everything as custom-developed login modules and it was all the traditional
directory services. In most of those ages we had everything as LDAP directories. Now things have evolved a lot. I come from a generation where I've seen everything in passwords. We used to make sure that protection, everything, is taken care of as part of customization. Now everything just happens with a click or a small configuration. So that really excites me.
And consumer access management is also something that I always enjoy working on, coming from a financial organization background in the past, where that B2C part of the world plays a very important role, and that's where most of the business lies for a financial organization or healthcare organization, or be
it retail organizations. So I really enjoy that side of the world, and all the tools that are in the market really excite me. And I have had wonderful experience in these 18 years working with almost all the top leading products in the Gartner quadrants. So does that bug you as much as it bugs me? When you go, like, as a consumer, you go to a website and they just have a terrible identity experience, and you're like, oh my gosh, come on, like, fix this thing.
You just want to reach through, like, all right, why does my... you know, the password is probably the most classic example, right? OK, my password's not working, let me go reset it. New password can't be the same as old password. What is going on here? Like, it drives me crazy. Does it drive you similarly crazy, or are you a little more cool and calm with it? No, no, I would say sometimes it's both.
As a consumer, sometimes it is really frustrating when I'm asked to reset my password or do certain things, but when I view it with my identity hat on, it says: no, this is right. You have to do this. You have to configure your MFA, you have to make sure it's secured, and you reset or you change your password frequently, or go with biometrics, or go with certificate-based authentication. It just prompts me to keep up with the standards.
Well, I'm glad that, you know, it similarly drives you crazy, but it seems like you've got a little bit cooler approach to it, which I can appreciate. All right, Justin, let's hear about your background. How did you get into information
¶ Justin's Background and Cloud Security
security? And do you consider yourself an identity and access management person? Are we going to have to, like, award you an honorary title here as part of this conversation? Yeah, I think you could deputize me. I guess I would say that the first time I touched identities is probably the local user accounts on the computers I used to take apart and put back together as a kid, to my parents' dismay.
And then that moved on to a lot of Active Directory, as I supported a lot of application implementations. And then as I got into cloud, when cloud was being born, it was about Active Directory migrations into the cloud, into
other identity providers. And now that I'm mostly involved in cloud transformations and cloud security transformations, I generally run into an interface with identity as a prerequisite or a dependency that we need to solve before we can transform some things in the cloud, before we can do migrations, things such as that. So I'm not a dyed-in-the-wool identity pro the way Vaishnavi is. There's no way I can follow
that. But I have written that e-mail about a website that doesn't work right, and then sat in shame about writing that e-mail, because I know it just goes to some poor person who is not going to be able to do much with it. But it feels good to vent a little bit, right? Like, all right, fix your process, like, this is not a good user experience. And look, the identity space is a warm, inviting place, you know, come on in. It's great.
You know, Jim and I have been doing this for a long time, Vaishnavi as well. So, you know, we can start the, you know, the "one of us" chant if we want to do that. This is why I team up with the three of you, though. It's because I know that in order to make cloud migrations and transformations go well, and to keep things in the cloud secure, I need folks like yourselves who are pros to help me get into all the gory details that you were talking about.
And at the beginning of this call, right, when you were talking about how you translate for business users. I know I need a dyed-in-the-wool identity pro like yourselves to work with to make it go well.
¶ Cloud and IAM Strategies
So there shall be, you know, one of the things that Jeff and I talked about when we decided to come up with an episode to connect cloud security and identity is, you know, what is the right approach? Is it to have your identity strategy or cloud strategy, or do both of those at the same
time to make sure? The correct one seems like it's the latter, but it seems also like a lot of times those pieces kind of run separately until there's a problem, or until something needs to be done about it. And then it's like, OK, well, we need to fix this. What is the approach that you
recommend? Great question, Jim. Cloud and IAM are inseparable in today's enterprise, because cloud amplifies both opportunity and risk, and IAM is the control plane for governing that risk while enabling business agility. That's how I look at it in simple terms. If you want me to explain why cloud and IAM must be considered together: cloud expands widely, and traditional IAM was focused primarily on employees accessing
internal systems. Whereas cloud introduced SaaS, PaaS, IaaS, each with their own identity layer. Without central IAM, identity sprawls, policies fragment, attackers exploit the weakest links. All this actually gets embedded into the cloud migration. So according to me, we should consider both cloud and IAM together. I would call it like identity becomes the new perimeter, because in cloud there is no
firewall around everything. The perimeter is what identity is. So when we think about cloud migration, we should also think about IAM together. Cloud agility definitely requires IAM agility too: when our developers spin up workloads or SaaS tools at speed (Justin can definitely add on top of this), IAM must automate the provisioning, governance, federation, MFA, and how to handle the privileged accounts like administrators and
everything. And also, with cloud and IAM getting together, compliance and zero trust play a very important role that can definitely be achieved. When we think or bring in IAM flavours with the cloud, be it we talk about GDPR, HIPAA, PCI DSS, CCPA, everything, that cannot go separate. It has to come together with the cloud migration; we have to bring in IAM as well. That's all I think about it. Yeah, I know, that's very thoughtful. And Justin, I think the same
question to you. I mean, probably, by the time folks are already talking to you, they're like, all right, we need to do some kind of migration to the cloud. We need to get the cloud right. Is there kind of an education process or some kind of readiness evaluation that you go through from an identity perspective?
Absolutely. So generally, when I've led cloud migrations and transformations, we have a kind of readiness checklist, and identity is always a big part of it. Because I have seen multiple instances where a client, for example, wants to migrate an application, and then as they dig into it, it turns out, oh, it's using an authentication method that we haven't extended to the
cloud yet. So it's definitely something you have to knock out early, right, to make sure that you have all of the capabilities you need where you're going, not just where you are. And then that often influences migration sequencing, grouping, things like that. So one thing that Vaishnavi said that I keyed on, that really resonated with me, was about the opportunity and
the risk, right? And I always tell clients you're not going to be able to keep up at the speed and scale of cloud without automation. And identities are a really great example of that, because every time you're spinning something up in the cloud, you're creating identities, sometimes privileged ones. And you really need to get that under control early, or it will get out of control and you'll have a very bad time in cloud.
So let's stay with that speed question real quick, because I think that is something that is so prevalent among cloud services. You're talking about services that spin up and down sometimes within milliseconds, right? Or even shorter, nanoseconds. What are some tips for people out there to think about? And I don't... we're not going to solve all the problems now, right? Because it's too much. But speed is the problem. How do we, you know, contemplate or think about
that? The most straightforward answer I can give you is leveraging automation and standardization, right? Because you can't keep up with that speed as a human. You can't have an army of humans doing access reviews or entitlement reviews on every identity in your cloud. But as you said, Jeff, identities are created, destroyed left and right, or every last thing you spin up has an identity, right? It has an identity.
And that identity has privileges, sometimes across your cloud. So that's probably the number one thing I would say: the quicker you can get a system in place that doesn't rely on humans double-checking everything, the happier you'll be and the less of a mess you'll end up in, and, you know, the more secure you'll be overall. So this sounds an awful lot to me like orchestration, and being able to say, hey, let's pull together some sort of identity infrastructure.
Vaishnavi, I guess this is an area that you probably have a lot of, you know, experience with. This kind of idea of how do we address the speed, right? We need automation. Like, to Justin's point, humans, we're too slow. Unfortunately, even if we're the Usain Bolt of identity and access management, it would still be too slow. So how do we look at things like orchestration, especially in this type of area where we're in, like, hybrid modes, right?
So we've got on-prem AD, and then Entra, and then Oktas and Pings and all kinds of stuff like that. How do you address that? Yeah, I can start with giving an example, Jeff, since it is very... This answer would also add flavors to the previous question which Justin and I tried to answer. I was part of one of the major cloud migrations which involved IAM concepts or IAM
components as well. It was for a financial organization where they decided to lift and shift some of the critical applications into Azure and AWS. It was the conscious choice they made for both. They left the access management to the cloud-native IAM without integrating it with the corporate IAM. So it was like leave it as it is, take it, adopt anew.
At some point we saw users had bitter experiences, specifically with duplicate accounts across environments, orphaned accounts getting piled up. Auditors started flagging certain violations when it comes to least privilege. Just to speed up the process, the decision was taken lightly: just lift and shift and leave things behind. We had to take a pause there and make the right decision, like, let's consolidate IAM for the organization.
Be it you have cloud, you have partially on-prem, if it is 50/50 or 80/20 or 30/70, whatever percentage it could be, but bring it as a centralised IAM. We federated their on-prem with cloud platforms. There are now a lot of orchestration products available in the market, or SCIM is very commonly seen in the market. We used it for SSO, automated provisioning, deprovisioning, enforced MFA
across all cloud services. To give you a quick statistic, that reduced 80 percent of the issues we faced immediately after the migration: just take a pause and unify the IAM for both. Since we started about this, definitely for organizations, orchestration plays a very important role when they are caught up as part of the transformation; we will have legacy and modern cloud. We definitely need a connective tissue to unify them without breaking the business
operations. Yes, it becomes very difficult for the business and also the technology team, be it the cloud team and our IAM team, or the so-called service desk feed will be piled with tickets. So identity orchestration is the integration layer that connects the IAM systems. It has an ability to talk to the legacy directories, home-grown provisioning engines, cloud IAM platforms, SaaS apps, privileged access tools, and act like a cohesive identity fabric.
I usually name it like bridging old and new models, automating identity workflows, abstracting complexity away from the end users. This is exactly what the middleware or the orchestration layer does. And now we have N number of orchestration layers, or tools, that are readily available for us to pick up and embed into the system as part of the migration. So what I'm hearing is that it's not a technology problem per se,
right? There's plenty of tools out there that can kind of do the thing. So now I'm thinking maybe this is a governance thing. And Justin, I kind of want you to weigh in on this: if I'm looking at things from the cloud perspective, I'm pulling in a whole bunch of new services, right? That could be AWS, Azure, GCP, you name it. And those are just the platform providers, but I probably have a whole bunch of other SaaS solutions, right, that I'm using
from that. I imagine governance has to be part of this as well. Say, OK, what are the rules of the road that we're going to follow here? Are we going to agree on, yes, everything should be single signed on through, you know, whatever, right? Talk to me a little bit about the governance approach, because what I got from Vaishnavi, and feel free to contradict if you want or emphasize it, is that the technology isn't the problem. There are plenty of tools that
will do this. It's the people and the process that need to come along with this as well. I mean, I think it depends on where you start, right? I've been a part of a couple of cloud transformations and a couple of cloud security transformations where the clients had significant legacy identity providers entrenched. I was with one client that I think had eight or 10 authentication methods that they had let their apps use.
And they kind of had to do an approach where they sequenced what they were moving, very much back to one of the earlier questions about how you consider these things. They had to sequence things out to say, OK, we're going to get down from eight authentication methods to four, right? That's the big plan. But we can't do that all at once, right, 'cause we have apps using them, we have to move them off. We have to update those apps. And some of them we just can't update.
We just got to live with keeping, you know, one or two methods open because they're crown jewel apps. But they actually took the identity road map and the cloud road map, and I helped them sequence them, right, so that they could move the apps that use the authentication methods that would be available early on. And then as they deprecated some and modernized some, they could
move those. So I do think sometimes technology can be the problem, but I think that's more often true when you're trying to rationalize an existing, kind of untangle a knot, right, where you might have hundreds of apps. Then sometimes the tech can be an issue and you have to figure out your path forward, right? I think if you're fortunate enough to be in a greenfield, then that's less true, because the tools are available, right?
You just pick them up and use them and start from a nice, cleanish slate right from the beginning. I think it depends where you're starting. It's a typical consultant answer: it depends. You know, I'm glad you called me out on that one, because I certainly hadn't, you know, I meant to talk about, you know, the difference between greenfield and legacy. And I think that definitely is a part where, you know, legacy
technology is a pain. It may not be worth doing anything with it because it is such a pain. So I think we have to know when to say, you know, sayonara, see you later. We're not going to do that. And that might mean either getting rid of it, or it might mean that's just something we don't want to tackle, and it doesn't make sense to, like, incorporate as part of the plan. That's always going to be an exception or a one-off or
something like that. This idea of saying goodbye and knowing when to move things around and, you know, when to, you know, take what you've got. Everyone would love to have the greenfield, but that's not the real world, right? For the most part, you're dealing with legacy decisions that were, you know, I'll be generous and say they were probably a good decision five years ago, 10 years ago, we hope, right? But things change.
And so we need to get better. How do you have a conversation, Justin, with those people that need to make that decision? Because sometimes things aren't broken, or they don't appear to be broken. So why fix it? Like, how do you have a conversation behind the scenes to say, hey, we do need to change this, and here's why? Well, I can kind of pull on that same example I was mentioning before. A lot of it came down to supportability, right?
If you're supporting 10 legacy things, it is an enormous drag on your IT and cloud and, you know, your innovation, right? You're just not going to be able to innovate. A lot of your bandwidth, your velocity, is going to be tied up with supporting 10 legacy things. So I guess I kind of jumped right into how I've encouraged clients to do this, but generally that's
the driver, right? You're not going to be able to really take off and go at cloud speed like you want to while these 10 things are hanging around your neck, right?
¶ Challenges in Identity Management
It's tough for your team to support you. You have people on your staff that are on your staff just 'cause they know this one thing, for example, right? And they could be repurposed to do better things. So maybe you get down from 2:50, right? Maybe you can't get down to one IdP or authentication method to rule them all, right, because that may be too ambitious for a very large enterprise.
But you try to show them how getting down to a couple could really free up a lot of resources and unlock a lot of innovation and velocity elsewhere. Yeah, that's a really great point.
¶ Identity Orchestration and Cloud Transformation
There's a whole area in the identity space called identity orchestration. A big part of that is making these different generations of identity technologies kind of
work together. One of the things that I find, and I'm going to take it back to Vaishnavi here to get her take on this, is that the practitioners who are, you know, experiencing this rapid movement from the traditional on-prem data center kind of approach to the cloud, is they've got identity tools that were built for the traditional approach, OK?
And now they're trying to stretch the functionality to do this thing, to treat the cloud a lot like traditional, one, because that's what they know, but two, it's also how the tools were designed. Is that the right approach? How far can you get with that approach, Vaishnavi?
¶ Modernizing Identity for Cloud Adoption
When we talk about identity and cloud transformation, and legacy and the new modern tools, definitely that's where identity modernization also plays a very important role, Jim. So when we speak about identity modernization: as cloud moves fast, with identities in the modern IAM model (who gets in and how, when, with what privileges), cloud adoption becomes easier to handle.
Shadow IT or orphaned accounts and compliance risk: cloud requires modern IAM capabilities. So we should definitely think about IAM modernisation. Having legacy tools can be accommodated using an orchestration layer or whatever, but definitely IAM modernization is required. When an organization starts thinking about cloud transformation, it is OK to hold on to legacy IAM, as a directory specifically; that is something we cannot get out of within a very short time frame.
We cannot come out of Active Directory or anything as such; moving away from the legacy directory structures or the federated-mode SSO models, or it could be even header-based or cookie-based applications, it is very difficult to just get away with it. But identity modernization is required.
We have to think about solutions that will serve both the cloud as well as hybrid or on-prem environments effectively, keeping the focus that the organization has taken the cloud journey and they are going to adopt the cloud 100%, at least in the next five years. So I would say start the identity modernization. Yeah.
¶ Importance of Identity in Advanced Cloud Implementations
Justin, I, I kind of wanted to pull you into the same kind of topic here because one I wanted to clarify, right, I'm not talking about old vendors versus new vendors. It's not really about the vendor, it's about the technology, but also the approach. Can the approach be the same for managing the cloud as you took with the on Prem? And I think identity kind of follows technology, so clouds the advancement. And does identity need to change to support that advancement?
I, I think it does, you know, fortunately there are a lot of tools out there now to help manage the complexity that gets introduced via cloud. But one thing that I heard from Vishnavi that resonated with me and I wanted to point out is I think the more sophisticated, the more leading edge your cloud implementation, the more important your identity becomes to have solid beforehand, right? So I, I was thinking about this
while I was listening to her. And for example, if you're just lifting and shifting some VMs, well, the identity universe isn't that complicated. If you're in an all-Terraform, all infrastructure-as-code land, automated landing zone subscription or account isolation where developers have to interact with CI/CD pipelines and the pipelines touch assets and do deployments. I mean, just from how long I spoke, think, think about everything in that sentence
having an identity, right? So what I've seen really be really important is getting your RBAC roles down in cloud is one thing that's super important, especially when you have this multi-persona cloud program, right, where you have end users who mostly just interface through whatever endpoint the app has, like a web page, which is the most common,
right? And then you have architects, engineers, developers, and they're all interacting with potentially pipelines and cloud infrastructure directly. Well, things just got a lot more complicated, right, because you need you, you need those developers to have the roles they need to do their work. And you want to try to make that as frictionless as possible with some kind of self-service. Well, now you've got something you need to set up and manage.
And hopefully the way you do that is make it as easy for them as possible without introducing risk to the organization, right? So they can move at cloud speed. Yeah. I think a lot of that resonates with me because I think every organization does some element of kind of lift and shift and then it really becomes a matter of, OK, IAM as middleware is
very infrastructure sensitive. But if you update the IP addresses and things like that, the firewall rules, generally you can get things working in that model. But when you talk about kind of re engineering the way you manage that infrastructure, which is what I think you're getting at. And that's where and almost every organization ends up there, right? Because it's like you're not getting the true value of the
cloud. You're just paying one bill instead of the other if you're just lifting and shifting, right? But it's when you can like optimize that infrastructure, when you can do infrastructure as code is, you know, I know that's kind of a buzzword, but it gets to the point of we're dynamic and we're not doing things the way we did them in the old days. You'd need different IAM tools, right? Because all that nothing happens
without identity and access. I mean, I agree very, very enthusiastically with what you said about lifting and shifting. I call it, you know, data center C like you just moved into a new data center. You're not getting the value of cloud. But if you want to introduce those more sophisticated engineering approaches, you are taking on a, a burden of managing them. And identity's a huge, a huge part of that.
And you need to be, you need to have a fulsome understanding of what you're taking on, especially from the identity perspective to, to really get the ROI from that, I think.
¶ Identity Security and Monitoring in the Cloud
One thing that I'm not sure how familiar you are with this identity security. So it's not just that all of a sudden we're calling ourselves identity security. To me, it implies something which is that kind of this merger of cybersecurity and identity. And really it's the incorporation of identity into a lot of cybersecurity tools. At least that's how I see it manifesting. And these tools are very data hungry. They're very data dependent,
including logging dependent. I mean, primarily logging dependent and having logs that support what they need from an identity perspective so they can start to correlate. OK, Justin Devine is in the system and he's doing all these things and that doesn't match with his normal access patterns. And maybe we've, you know, maybe the SOCs should look at this. And I think the next generation is going to be maybe we need to shut off Justin's access for a little bit because his account
may have been compromised. I guess what I'm, I'm getting at with that question is, you know, I, I, I kind of feel like on the cloud side, it's kind of easier to set up monitoring. But on the other hand, it's like the amount of monitoring that you can do and you should do is starting to explode. I'm wondering kind of what those implications are that, you know, you're seeing today and like how are you advising people in terms of setting up their monitoring to kind of support everything I
talked about? Well, I do think that there's a lot of truth to something that was said earlier, you know, on the on the pod, which is that identity is kind of becoming the new perimeter, right? If you look at all the big hacks that take place, it's a lot easier to get in by getting a password than, you know, going super hacker and hacking the
firmware on a firewall, right? It's a, it's a lot easier to just convince someone to give you their password 'cause they think you're from the help desk, right? And I also think that the next generation of identity tools, it is going to incorporate a lot of AI.
And we're working on something like that right now using AI to analyze one of our clients' authentication data and provide the kind of thing you were talking about where, oh, this doesn't look right, this doesn't match the user's previous
pattern. I would say in the cloud, one thing that's good is if you're using one of the major CSPs, the ability to do certain things is easier sometimes because they have those capabilities, you just flip them on, right? You say, OK, I've decided doing this is worth it, right, like automated access reviews. I'm, I'm just thinking of some of the, the features in Entra or, you know, IAM, right, for Azure and AWS respectively. So it makes it easier to kind of get started, which is a good thing.
The complexity comes when you go multi-cloud and add other platforms in, right? That's when you probably, you often end up going back to some of the more third-party solutions that can cut across, layer across multiple platforms and clouds. But I do think it's a good thing that the set of capabilities that are available to people running in the cloud from an identity security perspective
grows all the time, right? Every couple of months, Microsoft and AWS are adding some, some secure identity security features to their stack, right? So I think, I think overall that's a positive thing that they're within reach and, and sometimes fairly easy to enable. Now, the CSPs can't help with the complexity of your situation, your enterprise, but at least they're there and, and I think that's very useful and probably a good thing for
identity security overall. I feel like in the beginning of
¶ Practical Advice for Cloud and Identity Management
our conversation, we're kind of at the point where we're recommending, yeah, you should have this identity strategy and you should really put together your identity tooling and processes in advance of going to the cloud, right? So that when you go to the cloud IT you can take advantage of these great things. I'm sure there's practitioners listening to the podcast right now like, yeah, wouldn't that be
nice? Because probably the voice on high says we're going to move everything to the cloud in 12 months, so get her done. And so I think it's kind of the classic dilemma. I guess my question. Let me start with Vishnavi. So is that, is it realistic to do these things in parallel or given that reality of the situation they just laid out? And, and feel free to disagree, but in that scenario, you know, what should the practitioner do? Is it? Take these things on, be
pragmatic and try to do both. Yes, when an organization decides that they have to start their cloud journey, they should start thinking about identity and access management as well. So make a decision. I would look at it or I would recommend. This is how I have been recommending my customers when I didn't. Cloud transformation has to happen. Think about identity transformation. Start the identity transformation a little earlier.
Decide on how your identity fabric has to be, how your data, where your identity data sits, how it is going to be in future. How is your application landscape? How are the applications currently secured? Be it authentication or authorization, they will definitely be having a fine-grained authorization or a coarse-grained authorization. It could be a custom authorization. However it is, think about all this. How is the privileged access? Then start the journey. I would call it more like a
foundational cloud IAM approach. When we start with the cloud journey, the foundational cloud IAM also should dig in, date, federation, MFA, RBAC. I'm not talking about ABAC at this time. Just think about the RBAC and least privileges, segregation of duties, life cycle, automation. These are like the foundational cloud IAM that will make the cloud journey more successful.
Then we can talk about an advanced cloud IAM approach like just in time, conditional access policies, service accounts and API key management. Because many times we do not speak about API key management, but Justin would agree to this. When we speak about cloud, API plays a very important role. API key management has to be taken care of. So with advanced cloud IAM, API key management is very important, service accounts, then most importantly continuous
monitoring and analytics. The next level I would say is cloud governance and compliance layer. This is adding on top of what Justin also spoke about. That's why I wanted to bring this. This is how the three stages of transformation cloud when it, when we speak about cloud governance and compliance layer, that's where our access reviews, certifications, compliance mapping and the commonly heard term now is CIEM, cloud entitlement management, that comes in as part of the cloud
governance and compliance layer. When we are able to achieve all this, our design is zero trust. So cloud and IAM can be called or encapsulated under the perfect zero trust model. This is how I recommend. So Justin, I kind of feel like sometimes people feel like IAM consultants or consultants in general living in their ivory towers and cannot get pragmatic. I don't buy that. I think we are very pragmatic.
The practitioners who listen to this podcast are the ultimate pragmatists because they're living these unrealistic expectations for identity and for cloud. So kind of same question to you. You get through in this situation like, all right, we've got, we've been under-invested in identity, but we need to get to the cloud in 12 months.
Can you do both? So I mean, I have, I have real world experience in, in this situation, right, where the CIO is saying we got to get this app to cloud by, you know, 2026, right? And oh, but it, it requires an identity update. So I would say I think everyone in IT has had this situation before where someone's asking you to do something. And the truth of the matter is, is, is you're going to create tech debt if you do it the way you'll need to do it to meet the timeline, right?
To me, there's two ways to handle this. The first is be upfront about the tech debt. Don't bury it. Make sure that the people asking you to get things done by a certain date are aware of what tech debt they're going to incur and the costs, you know, and the challenges that that's going to
create. You know that, that's, that's number one, right, because sometimes when the boss says you got to get up there by 2026 because the data center is shutting down, sometimes you got to do it. Sometimes you can't make everything perfect before you move everything. That's, that's just the reality. And I've seen trying to make everything perfect and perfectly clean before moving to the cloud, like completely stall and cause failed cloud transformations.
The other piece of advice I, I would have is don't make your life hard. Don't pick the app that needs four authentication providers, two MFA providers and a bunch of other IAM words that I, I can't pull off the top of my head, but Vishnavi and you two could. Don't pick that app early, you, you're just setting yourself up for pain.
You know, pick, pick apps early in your cloud journey where the authentication and the IAM support you need is already in the cloud and you can just flip on those, those switches. And then like Vishnavi said, hopefully if you started thinking about IAM early, you have two product roadmaps running in parallel and one's ahead of the other, right. And you're, you're adding this feature and then you say, OK, we added that feature.
That means we can move apps 7, 12 and 13, which we couldn't before we added that, that capability. But, but my, so you know, it really comes down to tell the truth about tech debt and don't make your life hard. Pick good pilots and pick, pick good sequencing in your cloud journey to make your life easy and learn as you, as you go. Don't, don't take on, you know, your, your crown jewel app that you know will bring down the enterprise if something goes wrong as your first, as your
first cloud migration. Well, you're taking all the fun out of this, Justin. I mean, come on. Whereas, you know, no guts, no glory. What if the crown jewel app is the one that has to move? I have been told that, right? If you got to get done, you just kind of deal with it, right? All right, last question for both of you. And Justin, I'm going to stay with you and I'm going to give Vishnavi the final word after you're done. But let's make this actionable
for people who are out there. What can people be doing over the next 60, 90 days, let's say the next quarter, whatever that looks like, where they can actually improve either their cloud security or their identity and access management or ideally both? So Justin, I'll start with you and then Vishnavi, we'll let you have the final word.
So the number one thing you need to be doing in cloud that we don't always see is you have to be running automated scanning on your cloud and you need to have people looking at that dashboard and responding to misconfigurations just like you do in a SOC for anything on premise. If, if you're not doing that, if you're not running, that's the, the basics, right? Even before you have a big plan for cloud security, flip on your CSPMs and start burning down
risk. It may not be the most elegant solution, but whenever I talk to a client and they're not doing that, I, I say, leave the room and go flip on the CSPM and start addressing the top things on the list from a risk perspective. And then we'll figure out the long term plan. Because if, if you're, if you're not doing that, you really are leaving yourself exposed. And it's it's sometimes surprising that those features aren't turned on when we when we go to all our all our clients.
So just so we don't lose people, you said CSPM, cloud security posture management. For people who aren't familiar with what that is, give me the 30-second definition of what CSPM is. It, it, it depends on whose definition you'd like to use, but generally there's two capabilities.
The first is a tool that scans your cloud configuration, meaning how it is configured right now. It generally pulls that, you know, via APIs, it comes over in JSON or, or something like that, and it scans them and compares them to known good states, right? It often compares them also to compliance frameworks like CIS, PCI, things like that. And it's often a layer that when people are early in the cloud, they don't think about the configuration of their cloud
infrastructure, right? Some people also include what's called preventative scanning, or static code analysis on infrastructure as code, where you can actually scan the code before anything ever exists in the cloud and pick up potential vulnerabilities that way. Sometimes the definition includes one, sometimes both, depending on whose website you're reading. That's fair. All right, Vishnavi, now the final word before we get to some lighter-note conversation here.
What's something that people could be doing over the next quarter to improve their identity security? Yeah, from identity and access management, I would take considering three key towers we have. From access management, I would say start with password hygiene. If you're still using passwords, look out for the next two auto guidelines and make sure you have the right password
hygiene. Next, enforce MFA, that is very important, and go to phishing-resistant if possible, at least for the admins. Taking to the privileged access management, start enforcing least privileges. Just in time is readily available with most of the tools that everyone is using as of today. Try to leverage that. And the last, the identity governance: start enforcing
access reviews. If they are not doing it, at least for their business critical applications, that is easily doable in the first 60 to 90 days. MFA, all the things, and then make sure people have the appropriate access. You know, zero standing privilege is probably great. You know, you want to get there, but to get to there you have to start to whittle things down, right? Things like that. Yeah. OK, so let's go to lighter note time. I'm going to ask you guys to
¶ Music Preferences and Final Thoughts
bare your music souls here. And Justin, you've had a little bit more time to think about this. So as you're kind of thinking here, what is the last song that you added to a playlist to your music library, whether that be Spotify or Apple or whatever it may be? What's the last song you added? Well, as you might have noticed, all the things behind me are, are music-based. So I'm kind of a, a music junkie. So I'm always adding stuff.
I think the last thing I added was the new album from The National. If you're familiar with that band, they're one of my favorite bands. And I think right before that I added the new Tyler, The Creator album. So as you can tell, my tastes are extremely diverse. So I'm, I'm always, I'm always adding things, but those are two of the more recent things I can, I can remember adding. Oh, and then the new Chance the Rapper came out recently and I, I think I added that too.
OK, all right, that's a, that's, that's a pretty, pretty healthy mix there. Vishnavi, how about yourself? What's the last song or album that you added in? I just took the latest 2025 and I, I added the top 25 list was there. That is what I started just recently a few weeks back I added, and Espresso is something that I, I liked it, and I think One of the Girls is something that I've been constantly hearing. OK, so I'm not familiar with either of those, either of those
artists. What's the style of music that that is? I think both are kind of. It's a mixed feel. I get it. It's not a particular genre at least I could relate it to. It's more of a a very happy kind of it. OK, kind of like a pop type music type. Uplifting. Feel good. Yes, and I'm more of an instrument person, so I like to I I go with a lot of classical genres. I try to hear instruments because I feel instruments. I relate more with instruments rather than the words.
OK, that's interesting. So I'm, I'm, I'm similar, except more on the electronic music side of things. I, I prefer electronic music. Jim, how about you? What's the last song or artist or album that you added to a playlist or your library? So I wouldn't have mentioned two, so I'll give you the last one. And a little back story is, a couple years ago I thought, OK, now I'm in my library.
I have every song I like. The only time I'll add songs from here on out are new songs that come out that I like, but I still like, you'll be at Applebee's or Chili's or something like that, and hear a song like, oh my God, I haven't heard that song in so long. And this one was Still the One by Orleans, so I added it. All right, but here's one for you, Jeff, because I know that you're a grunge guy. Yellow Ledbetter by Pearl Jam.
How is that not already there? Man, come on, that's sacrilege. Well, no, I'm thinking it probably was, but maybe. You know, a lot of times there's like 10 versions on Apple Music. I am an Apple guy. But here, I want you to do this, Jeff. I want you to listen to that song in your car cranked up, and I want you to put the words on your phone. So you're like looking at the words and you're thinking to yourself how did Eddie Vedder look at these words and come up with this way to sing them.
Like he's some kind of musical genius that I just could never think like that. I mean, he is obviously blessed with that voice, but he's also a musical genius to take those lyrics and like, figure out how to sing them that way. Like it's off the charts. That's like saying what rhymes with orange and then Eminem goes off and names like 8 different words that he would do with that. So definitely a skill and a talent.
I think. I mean all right, so let me do my, I'm going to do 3 just because, you know, I'm, I'm the one who called the shot. So Go by The Chemical Brothers. I've been on a Chemical Brothers kick recently. They've been around for a long time, but Go has been a good one. I'm looking at my, my Spotify right now. Nobody's Real by Powerman 5000. So now we're, you know, stretching genres a little bit.
And then a cover that I discovered recently that I enjoyed of Like a Prayer by a band called Dogma. So it's kind of like a rock goth version of Like a Prayer from Madonna. You might actually like that, Jim. So those are my 3. Yeah, OK, so this has been just a, a, an action-packed, chock full episode of information. I want to thank Vishnavi and Justin. Thank you both for being part of
this. I would say, you know, we'll talk to you later, but it's probably, like, I'll see you online on Teams or meetings and stuff like that. So we'll leave it there for this week. I'm going to have a bunch of links in our show notes for people to check out. So both Justin and Vishnavi's LinkedIn profiles. So spruce those up, go out, feel free to connect, either share stories on identity or cloud or, you know, be polite around musical tastes, right? Things like that, suggestions, etcetera.
And you can always connect with Jim and me on LinkedIn. And yeah, I think that's it. So don't forget the website has all discount codes, all kinds of stuff. I'm constantly updating it. There's just too many to list right now. But idacpodcast.com, like and subscribe and do all that fun stuff to help us get great guests, as it's easy for me to say, like Justin and Vishnavi. And we'll go ahead and leave it there for this week.
Thanks everyone for watching and or listening and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.
