You very much. Thank you, Mike. And thanks.
So yeah, this is identity and polyglot cloud environments. So polyglot means multi-language, but it's a clever word.
Oh, it's not working. Thank you. So that's my agenda. I'm gonna take us on a rather strange journey between what I networks and the nature of networks, then how identities and I management fit between those, how some of this is pro thrown up. Some rather surprising results from it.
Managers, CSO, CIOs in dealing with identity in multi-cloud environments. And then I'm gonna switch tech and talk about developers. I mentioned developers on the panel just now and how I think that the, they are actually crucial to everything we're talking about here.
But as, and fellow panelists said, it's not just a negative story. So that's where we are.
So networks, this is the first example of a network air transport network. As you can see is a highly complex system and also demonstrates in the first instance here, how networks as they expand, tend to get denser and denser and, and expand outwards. And that is a pattern that you'll see in a network like this, which is a physical network. It's literally airplanes flying around the globe, but of course it's backed up by lots of other networks. Then it's more interestingly, the social network.
This is actually just one part of Facebook. Facebook is a, obviously a digital network, but it's also where we start seeing identities being brought into play as part of that network and how the identities are influencing and driving the way that network evolves and what its content is. So it's basically a human and machine network, which allows identities in, but it's also, as we know, very unpredictable, Facebook is almost like a live experiment of what happens when you allow people to network together.
And we all know that the controversies that have surrounded Facebook, it's not just in technology that we have networks, of course, human or sorry. In the physical world, in the biological world networks also appear. And they also behave in a strangely similar fashion. So we can see here, this is how a virus attacks the human body and what the virus does. Is it stimulates, sorry. It emulates the protein that you would find in the body. So that's the kind of example of identity being stolen.
So when the I, the protein, sorry, when the virus pretends, it's actually a protein, the body lets in and then of course we'll know what happens.
So the internet, this is basically the, the, the biggest network. Good. We know about it's, it's so big that it probably can't be easily mapped. Although these guys here@okta.org have actually done a very nice job of showing us how the internet has expanded from 97 to 2021. And it's actually quite a relaxing video, this, so you, I put the, the link on there.
So if you want to watch this later ago, but you can see, again, the pattern of what's happening. It's it's dense, but it continually expands outwards and outwards. And obviously it's, it just keeps growing.
So, but the thing about this network is unlike the machine network that we've talked about less. So Facebook, it is completely chaotic. It's unpredictable, it's lawless in parts. It's kind of a pulsating blob. And we often think about networks in, in, in a particularly in it as sort of straight lines like that, but actually our networks and our it environments are much more like this, which is why it's actually quite hard to manage them.
So that's the, the internet blob in away there, but let's go back now to sort of reality and a more simple network.
And I've taken cooking a coal as a good example. We're a small business. We're about 150 all altogether. We tend to use probably just three platforms, office, SharePoint, and Salesforce. So it would seem on the face of it. We're quite easy to manage. We do collaboration. We work in different locations. And of course we are actually a collection of people behind the network that are doing stuff and collaborating and creating content and those good people there. And I forgot to put Mike on here. I didn't realize he was gonna be my co-host, but he's also a very valuable part of this.
And what we're creating of course is with what we're all doing here. So it's a great example of how today's modern organization actually works in real world.
But once we start thinking about some of the other things that we add into our network, like remote working people, using their own devices, we now obviously allow customers into our network. So we have a bit of customer interaction through our website. Increasingly we have to manage data and our website, et cetera. And it's not, it's not unknown or unheard of that. At some point we might have to do some code development.
So it suddenly becomes not quite so simple. It starts to expand just like we've seen. It starts to get more complicated and more difficult to manage. And so that's where I, I call the big bang theory of it. Infrastructure. It starts off as small, but it expands outward. So the larger color blobs, there are different clouds or different servers, different databases, and then meandering through all that is all the identities that are trying to access those, those entities themselves.
So accessing services, et cetera.
So let's have a look at how identities are managed or how some of the characteristics of ID management that we have to deal with in our clouds. And this is a quote from a guy called Andrew Nash. I just found, but is actually quite, he, he said this actually a few years ago, he's no longer with capital one. He sold his business and now works as a wood, a wood maker, sorry, a carpenter. But he said that identity is the steam engine of the digital economy.
And I thought that's actually a very appropriate way of describing where we are, the steam engine, when it was invented, didn't actually have a useful application simply because it wasn't yet perfected. It was only when they realized that they could put a steam engine onto railway, that they invented the steam locomotive, and then they invented manufacturing, et cetera.
And we're kind of at the same point now with identity in that identity is becoming increasingly crucial to our environments, but we haven't yet worked out a way of, of managing it.
So it becomes that steam engine and the engine of our organization. So we are still having to manage identity in poly environments. So I've just, I'm not gonna read through this entire slide, but all that stuff in the top left is all the things that we now see in our environments.
All the stuff that I was just been talking about in, for example, co Cole, one thing that is often forgotten about everything that we're doing here, everything here at this conference is actually about the business in the end, everything that we are talking about, everything about managing identity and security is to help the organization and the business do stuff.
And the common denominator, if we start to simplify things, is identities, all those little circles and resources, all the bigger circles that are existing in all those different networks that I showed you, but identity can be, as I said, it can be easily manipulated right now.
This is probably where we are. The steam engine. We have two photographs. Both of them are of a woman taken from behind both carrying an umbrella, but one of them was taken by me in Madrid, six weeks ago.
The other one was taken by Jack Hela, who is one of the greats of photography in the earlier twentie early 20th century. Now, obviously I'm not comparing my artistry with his, but to a machine or some kind of identity management device. Those of those are the same thing. They're both a lady with an umbrella from behind, but we can see because we have cerebral intelligence that they're actually very, very different. So let's take another example. This actually I stole from Victoria who you saw on the panel earlier. It's he put it on LinkedIn.
So you actually have the, a cat scoop, sorry, a lit scoop, but it's also been marketed as a pastor scoop.
So he's actually put, sure, let's reuse this ID token to call an API so effectively what you have. There is an I identity. That's been used to do two different functions and one of them is wrong. You wouldn't really want to eat some pasta if you've been using the scoop in the kitty litter beforehand. So if you take Victoria, the author of that very distinctive man, as you saw, very bold look. So here here's a man. We a long hair and facial hair.
It's no mistake that Victoria, but he could actually also does have a passing resemblance to Frank zapper, the experimental jazz rock musician from the 1970s. And we let's take that further. We could actually say to a machine, this is also a Victoria. He's got long hair and a mustache, but clearly they're all very different people. And for music historians amongst you, those of who like Frank zer, you might be interested to know that he once played in Berlin, but all of that seriously means that at the moment, identity can be manipulated.
It can be mistaken. It can be even be shared.
So automation of, of identity in which in many cases is just a password right now. So if so, if a user says, this is my password, then we say, okay, fine.
That's, we'll let you in, but the password could be the Moez word AACH. So that brings me back again to where we are in the industry itself, some conundrums and what people are saying about their usage of infrastructure as a service or clouds call it what you wanna call it. Another example of an acronym. This is a survey from dimensional research, which is actually, I put the link on here somewhere. So when you get these slides, I would encourage you to have a look at the full report. Cause there's some interesting stuff, but 42% said that they use three or more providers.
And obviously a lot of those are gonna gonna be AWS, Azure and Google, but they also use proprietary. I am tools that come with Google and Amazon. Cetera.
The thing is when you look at, and don't worry, I'm not expecting you to, to fully comprehend all this, but each of those cloud services, not just three, each one has its own way of dealing with identity, access management. They have all their own different proprietary languages. AWS always talks about instances.
I mean, that's actually a server. Azure also has a different language and the same with Google, they do that obviously for reasons or for commercial reality that they want to, you know, dominate the market, which of course AWS does aware of. But if you add in all the other cloud providers, then you're gonna find that it's same. So they're asking what makes identity difficult to manage.
And again, these, these are, we expect them to say this stuff, 59% said the complexity and again, 40% using multiple tools. I'll just go back to this one.
Again, one of the reasons that they use three or more providers, and I think this is really important is that other teams selected different vendors. And that's kind of where we are going now that the cloud is out of control of what used to be called the sort of the it security department or, or the CIO's office or the CISO's office and lines of business to call them that, or separate departments are actually choosing cloud because it's so bloody easy.
You know, you could, you could set up a, an instance on, on Amazon in five seconds. So the crazy thing is though, after all this stuff and is much more in that whole survey, after all that, after saying that we are worried about all this, and we're worried, you know, about the complexity and we've got all these different 82% said, yeah, yeah, great.
We have an acceptable level of access of our environments. And you know, you have to think, well, no, you don't because you've just said all these other stuff.
So while that's funny, I also think it actually does show you what's what is happening in out there amongst the customer base is that they're really on the one hand, they're kind of like hoping for the best. On the other hand, they're thinking, oh no, it's really hard to manage. So that kind of on my, my story comes back to where I think devs fits into this picture. And for those of you are interested, that is still from an excellent miniseries. That was called devs, which is on one of the streaming channels, which shows what happens when devs really, really does get out control.
I recommend if you're into science fiction, that's a, that's a good watch, but dev ops for some years now, you couldn't, you can't really move at any conference or, or website or Analyst publication.
And, you know, DevOps is everywhere and it's become the new thing that Pam for DevOps, I am for DevOps, et cetera. But I think actually, and I've been looking quite a lot into what developers do on a sort of a daily basis, their culture, how they work, et cetera. And I think devs is starting to fracture a little, the idea that the dev and the ops came together so that they could help each other.
I think the ops is becoming more automated and we're now focusing much more on the devs, which is actually for me, a good thing, but what's missing is the identity management and is what's missing, is some kind of oversight. And if this doesn't show you where we are going in general Lego just announced that they they're tripling the number of software engineers.
I dunno how many they've got already, but the fact that they're tripling them means they are increasingly becoming a software business and to be a software business, you have to have really, really good developers and you have to have really, really good developers because your competitors in this space are gonna have it.
So what do I know about devs these guys? And this is from researching blogs and just, you know, talking to 'em and you know, they they're, they work irregular hours. They're often paid, you know, by result they have targets. So they're driven people.
They work in polyglot environments. So they're used to working in different languages for different things. These days, they increasingly don't work in an office or in, in a central location. They love things like slack. They love GitHub. They collaborate. They don't necessarily collaborate in, in real time or in real life, but they do spend a lot of time collaborating, but crucially, they like to solve problems and they like to innovate, but where it, it starts to worry. The old CSOs is that they don't really have much time for security.
That's not mean doesn't mean that they don't think it's important. It's just that their priority is to get stuff done. But I do think that they are now probably we also, there was a cliche about the data is a new oil.
Well, I think now I think that devs are kind of the new oil.
So where do, where, how am I doing for time? You got the time, okay. We need to rethink how we work in with our clouds and what we can learn from devs. And the progress that they've made in their environments is, is containerization.
You know, they, they discover that actually to, to build applications, it's much better to containerized break it down into small bits so that you don't have to then rewrite the entire application when you need to change stuff. So what I I'm starting to think is that we could perhaps borrow some of the, the, the ways that they work and start putting identity and access management right. In where they are rather than, like I say, why have a Pam platform sitting on premises miles from where the action Pam privilege access management is great for, for standing privileges.
It's great for stuff that doesn't need access immediately.
And then it changes access in the next hour. And I think this is kind of a controversial sort of thing to say, but I think that the, these teams, and don't forget, these teams are fundamental to organizations like Volkswagen and Lego. These teams are actually moving outside the CISO and a Cito CIO zone of influence and they're creating their own solutions. And I think, unfortunately, the CTO is becoming perhaps more of a reporting function.
So sort of like an overview of the organization rather than producing practical solutions for places like this. So we, we, we're starting to, we're starting to get there. So we're getting CEM, as I said, and dream components, which are starting to push things leftwards or north and south, depending on your point of view. But I think perhaps we need more and we need to think how we are gonna control what this is, which is a network, which is dense and expanding at the whole same time.
So I've left, I'll leave you with some thoughts and recommendations. I do.
I would say like, if you have devs in your organization, get to know what they're doing, because I think they are kind of a signal to the future, find out how they work and how, what they actually really want from identity and access management. But crucially, I think that the solution tool is, could come from these guys themselves. They're the ones that really understand how important this access is. So they may be the ones that can come up with a solution. Don't worry about this globular thing that I've ex explained.
You can't control that, but you can start to decentralize and you can start to containerize your management of it. And except, you know, the CSO as probably as a function might have to accept new centers of control. What I call zero distance identity and access management.
So identity access management is where the action is it's with those developers and other high value, high dynamic areas of the business.
And if that means that the CSO loses some control, well, that's fine because the CISO, as we all know is already overworked, but it means that there has to be a level of trust between the CISO and other areas in the organization that the devs people and, and other departments that might emerge are actually managing the identity themselves in a very good fashion and automation, as I said, it's still got a way to go. We, our faults with identity management, you know, we with the Victoria and Frank zapper, et cetera, but embrace infrastructure and a service and ops automation stop.
I, I think we are moving away from the era of dev ops, as in ops is a human driven operation. I think more and more ops will become a machine driven operation.
So the other four are also those five, those four there, which I've highlighted there, there are, I think, other key things. And just finally, I've put a link there to a company called HAA, which is a Chinese domestic appliance manufacturer. 20 years ago, this company was on its knees.
It was, its products were terrible. It, it, it couldn't compete against the other manufacturers. Now it's actually one of the leading manufacturers of fridges and washes and things like that. And it also is now owned a couple of Whirlpool and candy and other things. But what they did is, and it's called, they call it renter hay, which is probably not how you pronounce it, but they containerized the entire organization. They actually got rid of layers and layers of management. And if you take a, a, a graph of how this organization is mapped, it actually looks like containerization.
So they have thousands of what they call microenterprises. And each one of those are responsible for their own profit and loss and development, but each one feeds into the other. And I think if you read that article and I'm, I'm, I'm gonna do some more research on this, but I think there is something there about how we might see the future of identity and security in our cloud driven environments. So finally, the future is poly, but you don't have to learn all the language. So thank you very much.