With a highly prioritized digital tranfsformation towards a composable enterprise, it will be inevitable to work with multi-cloud solutions to achieve the level of agility and flexibility required. If it was to avoid vendor lock-in or to consequently go for best-of-breed solutions - in this cloud expert panel we will discuss approaches to manage multi-clouds efficently and to avaid increased complexity.
Yes. So my name is Ann Mok and I'm a program manager at Microsoft in the RTT and security division.
I have my own. Does it work? Can you guys hear me? Very good. My John, everybody. My name is VI Tolbert. I work as a principal architect in of zero, a product unit of Okta. I've been in this space for a couple of decades, mostly focusing on developers and identity.
I'm Patrick McBride. I'm the chief marketing officer at beyond identity. Prior to that, I'm a reformed Analyst. So played, played an Analyst on, in real, not just on TV. And I've been a practitioner for about 25 years in the space.
Okay. I'm Paul Cher. I'm a lead Analyst with co Cole. I'm actually a reform journalist. So that's how I became an Analyst. I look at mostly things like privilege access management, but increasingly CEM as well.
Okay. Thank you very much now. So this is the chance for all of the participants online and physically in the room to ask questions. So I'm hoping that there's lots of questions going to pop upon on this, but in the meanwhile, may I just ask each of you to say, what do you think, what do each of you think that the number one challenge for identity management in the cloud is perhaps Paul, you can give the Analyst view to start,
Well, my not my personal view and I'm actually speaking after this panel and I'll enlarge him on it then. So I don't wanna spoil that. But my take is that at the moment, the biggest challenge is the developer community.
I, I can actually second that, and I'm gonna, I'm gonna expand on that. I, you know, being a, a reformed Analyst and being in an authentication and identities provider, the thing that worries me the most, isn't just the, the classic developer, the folks building applications. But today with a multi-cloud environment, we have C I C D pipelines and a repository that houses some of the most critical crown jewels, not just your application source code, but all of your infrastructure code. And that is right now, the soft white underbelly in security. I'm, I'm, you know, as, as with my practitioner hat, I'm very worried about that. And I think identity can, can help a lot there.
Well, I'm usually in the negative one, but in this case I have to raise a contrarian voice. I think that I'm, I'm biased by, again, my focus on developers, but I believe that developers are right now. One of the biggest opportunities we have in this space, the thing that I am very concerned about in term of multi-cloud the biggest challenge is that it's natural for vendors to create vertical stocks in which you have the features that you want adjust with a check of button, and it's, it makes it very easy, but it ties you to the platform. And so the challenge is that now you have a solution that it's very difficult to make function across multiple clouds, or should vendor decided to double your rent very harder for you to move. So I think that identity needs to sync at a better in the, in the layer, lower layer, so stuck so that we can be more fungible. And so that it's easier to move across clouds. I realized I spoke for longer than you guys, but no one stopped me. So I just kept going. Did you say, did you say fungible? Fungible? Okay. That's fine, but fungible. Okay. I am a known as skeptic on the web free space. So please don't poke me in that area.
So anal, do you have a,
Yeah. So my view is that, and I think that that also, you know, very much resonates the, the problems that we have with the developers and not problem, but I think the bigger opportunity that we have and how we have to address the requirements of developers when it comes to creating or developing those applications for a multi-cloud operating environment. Right. But yeah, I think one of the essential challenges that we are dealing with is also the visibility of your multi-cloud presence in the different business units in the organization itself. So we don't know what, who are the different stakeholders, what kind of applications they're pushing into, what kind of cloud? I think that's the more common challenge that we don't have that level of visibility. And secondly, if we have, if we can get like that level of visibility, who are we addressing with team? You know, so for example, we have got different audience. We have got developers, we have got administrators, we have got the business. So what exact audience that we are trying to address with some of these specific, you know, multi-cloud challenges and the pro you know, and the solutions that we are trying to bring in.
Okay. Thank you. So I still don't see any questions bombing in, so I'm going to ask another one. So in indeed, animal, you, you, in your presentation highlighted what is clear as an acronym soup, that there are some problems, there are some real problems that yes, that customers have. And what has happened is there is this Kaby C I E M sassy CS PM, and, and so on. So what is the real answer to all of this? And I'd be interested in, in, in the panel's view of where, where, where is the focus, which of these is the right thing? Or is it something else completely different?
I think there's no right answer to it. I think it'll, it'll be differently, you know, I have, I've got one. So the, the best thing is that you have to do overall, you know, understand where the maximum value lies for you and in specific what specific integrations that you can do to achieve the maximum effective. So I think I, I just also tried to bring all slides in my presentation was around how you can combine the power of the security tools to maximize the effectiveness of your security and exactly that's where you have to understand what specific integrations that you can achieve to realize that value. So, yeah, there's no specific answer. That's one tool and you can get all the security. Definitely. It has to be, you know, you know, keen for managing cloud entitlements. It has to be a different kind of a tool to manage end point privileges. There has to be a tool which can help you manage governance at this time. There is no, no one answer to it, but of course, you know, the world is moving towards how we can, how we can try to converge and provide a more sophisticated and easy to onboard, easy to work on kind of our platform. But I think that's still years away. Yeah.
I can give a non vendor ish and I'm not, I'm not saying that that we just had one, but you know, one of the, if I go it's first principles, what is gonna clear this up is a set of first principles, zero trust as they, you know, they've been bastardized a lot, but there's a set of really core principles. Then, you know, lots of vendors have taken it and taken a little piece here, a little piece there, but one, it reminds me of back in my early Analyst days, it was kind of at the end of, you know, traditional client server, you know, multi-tier client server in the early days of cloud computing, I wrote one of the first white papers I wrote was about baking cyber, you know, baking security controls, you know, into the, the whole coding process. If you try to bolt security on at the end, you're just never gonna get there.
And I think, and you mentioned it like with some of the scanning tools you see, yeah. In, in cloud infrastructure, you see misconfigurations and things like that happen all the time. And I think where identity can play a really, really critical role is, you know, let let's say we're using a scanning tool that we either happened on. And just kind of noticed a, a configuration issue where we're using one of the multiple scanning tools for apps or infrastructure code to look at, you know, traditional, you know, misconfigurations, you wouldn't know who you can't trace it back to anybody when you're committing code into your, your repo these days, it's not signed, you know, not in any meaningful way, you don't have any kind of assurance or traceability back to who made that mistake, how they make so they can learn from it. Or if it's a bad guy to, to be able to say that we've got a whole set of things, and I'm not talking just about application code, like infrastructure code, when we're going chef and P and Terraform and Kubernetes and things like that. You, the, the traceability isn't there. And I think it's a huge opportunity for identity to play a really important role in doing much better authentication or much better traceability for that stuff.
Yeah. I dunno why you all look at me, but I guess I'm very transparent. Also. I want to protest that my friend from Microsoft here can gesticulate because he has my mic and is Italian. I need to gesticulate, but I can't because I have to use my mic. So I feel like disadvantage. But anyway, although it's true that there are no signatures, there is a wonderful comment in it called blame, which literally can trace, who has made a particular change. So strictly speaking, like it's very rare that someone will manufacture PR required PR acceptance. So there are ways of tracing things. But to your original question, the thing I wanted to do was to blame marketing, because all of those acronyms are simply the expression of the need of people to classify these things so that you can assign a price tag to it. And so we have all those marketers about creative voice categories, which are like inevitably somewhat artificial, because the reality is that this multi-cloud thing is new.
And so we are still learning. We are still seeing in an in practice what happens. And so those things are emerging, not as much. Well, of course, to some extent, yes, but not as much as a practice and people doing things and discovering recurring patterns and saying, okay, I need a product for dealing with this particular category. But again, my impression is vendors need labels so that they can define their pricing tiers and sell stuff. And also the people that buy the software also feel the need because they have tracking list saying, okay, these, these, these, and that, I think we need a bit more of practice for actually learning what's required. What works, what doesn't, and then you'll see the inevitable consolidation of acronyms into fewer more useful labels.
Yes, I would. I would simply say on stage, I agree
As an Analyst Analyst, I think actually I think the Analyst community and the vendor community probably share some blame in this generation of acronyms. And I think that C I E M is actually a good acronym. It does actually say what it is, cloud infrastructure, entitlement management, cloud security, posture management. Well, what's that like, you know, it, what are you doing? You're not posturing in the cloud, your security's not posturing. So, I mean, that's a great example of, of an acronym that really is kind of meaningless. So as I said, I do think that life is complicated enough. And I don't think that sometimes we do what we're supposed to do, which is to, you know, walk through the, so you can just with a microphone, you, you know, try and separate the wheat from a CHF and tell the people that we supposed to be working for both of us, the vendors and the Analyst, which is the customers what's the right solution is so, and I think there are, I think a CocaCola I think we, we come up with our own number of acronyms, but I think ours are fairly good. I think other Analyst firms perhaps, you know, come up with too many, but I, I know there was a question that said pick
On the Gartner guy
Fast. Yeah. I'm not, no, I wasn't gonna say Gartner. No, you said the G words. Yeah. Yeah. But you know, there's CS P M there's cm and then there's a C N WP or something else. And cloud
Protection effectively. They're kind of the same
Thing, cloud native
So yeah, we should do more to, you know, calm this down a bit. It probably won't happen, but there you go.
Okay. Yes. Well, so as an Analyst, we have an interesting life because we have two lines of people at our door. One is vendors who tell us that they've got something, which is the next best things in sliced bread, and everybody should have it. And the other line is end users who say, there's all these people trying to sell me this stuff. What should I actually really use? Well, perhaps we we're running outta time, but perhaps each of you, and I know some of you are vendors could say, what is your advice to your customers in, in that? What should they really do in this area? And perhaps we'll start off with Admiral,
Right? Yeah, sure. So I think, you know, as, as you know, my fellow panelists have already told you, you know, there's a lot of this acronym and marketing information, which is going on in the market. So we all are wise enough to filter out the marketing and those terms from what real, what's really practical and actable in the market. So first of all, you know, try to take that assumption away, be more realistic, try to see, as I said, you know, exactly if you're talking about just multi-cloud, where is your multi-cloud presence, how you want to tackle it, what's the strategy around it and start with some basic kind of a threat assessment. That's the, that's the beginning for both your multi-cloud cloud security, posture management, and also key key infrastructure intelligence management. So that's where it stems from. And it could be, you might need CSP more, again, I'm talking about acronyms, but you might CSP more than key or key more than CSP, and that's where journey starts. So, but I think, yeah, you should definitely talk about managing security in a multi-cloud world right after this, after this session or panel.
Okay. Thank you. Very
Good to me. The crucial thing that everyone should do before embarking or while embarking in a multi-cloud journey is to, oh, I've been shot. No, nevermind. It always falls flat. I dunno why I keep trying it is to actually identify the artifacts and the concepts that are relevant to your solution and to your business and to your roadmap and have abstract representation of those so that you can work at that level before mapping it to the actual vendor artifacts, because vendors will try to make you whiteboard already using the names of the things in their offering. Instead, you should try to resist that, do something at higher abstraction level and then map it so that you do operations that can be uniformly applied across the different. And one thing that I love of identity is that we did that for you already. Like when you look at open idea, when you look at the various protocols that we've been working on for the last few years, we did exactly that we abstracted way some of the core concepts so that now you can rely on those concepts without worrying about the implementation. You just worry about whether the vendor implemented the right standard. You'll have to do the same for everything else, but for identity you are covered.
I'm actually gonna start actually, even in earlier part of departure from, from you, if you know, the old security truism is you can't protect what you don't know about. So just even backing up and knowing exactly what you have, and you're gonna be shocked. You know, there's things you know about. You've got, you know, multiple, you know, infrastructure, you know, platform as a service or infrastructure service. And a lot of the it folks know about that. They've been part of that decision with all the SAS applications or even other, you know, platform assess the service kinds of things you're gonna find, particularly in a large organization, all kinds of things you had no idea existed. So, you know, I would say, you know, number one, step one is really in a comprehensive way, take an inventory so that, and that's where you can start with, and then you jump in and then you start with your threat assessment and your vulnerability assessment, you know, to understand what, you know, what are your risks and then in the normal scenario of prioritizing those, I, I agree my, my comment on first principles, although with you, I would, I would compliment that, you know, abstract away some of the, the terms and complexity into a set of first principle, things that you need to do, you know, least privilege is a good, you know, first principle, you know, as one example of that.
So there's certain things that you, you have to implement no matter, you know, what kind of tool set you're using as an example. So I agree with that as well.
Yeah, sure. I know that we're running outta time, so I'll, I'll just agree with everything that they said, but yeah, just identify, for example, if your organization has privilege accounts, then that's something you need to manage. If you don't, then you don't need that, or you might in the future. So, but you, the number one thing is that you're gonna have identities to manage somehow. So take it right back to the core, forget about all those acronyms and just, you know, find out what you need to secure organization.
Okay. Well, thank you very much. And thank you for your participation. Perhaps we can thank the panelists.
How can we help you