So good morning, everyone. Just a quick introduction: my name is UN Mo, and I'm a program manager at Microsoft in the area of security, compliance and identity.
And yeah, today the talk track is hybrid multi-cloud, and I'm going to talk about how you should untangle the basics of CIEM. Again, it's a mouthful of a term: cloud infrastructure entitlements management. You can call it a number of different terms, but essentially it's how you manage your access permissions and entitlements in the multi-cloud and hybrid world that we are increasingly adopting.
So I'll talk about demystifying it; that means I'll take you slowly through the concepts of how it works and what you should look for in a CIEM solution if you're trying to evaluate or deploy one in your organization. So this is how our agenda will look for the next 20 minutes. I think I'll have to rush through it, because we have a lot of content but not enough time.
So yeah. We'll talk about the cloud challenges that we have, followed by what CIEM promises. So what are the key tenets of multi-cloud security, or of CIEM, that you should look at?
There's a lot of confusion in the market about what CIEM does uniquely, as compared to a lot of other cloud security tools, right? There are cloud security posture management tools, there are cloud workload protection tools, and a lot of other subsets of cloud security tools. But what value does CIEM provide you in addition to those tools? We'll talk about that.
And also, a lot of the questions that come in are: I already have PAM, or I already have privilege management; what additional value is a CIEM tool going to offer me? So we'll also talk about that.
Finally, we'll talk about how we should approach multi-cloud for maximum security with CIEM. So how essentially you should use CIEM for strengthening your multi-cloud security. And finally, of course, how we can operationalize it for maximum benefit or ROI.
So, yeah, to begin with, the world is multi-cloud. Again, we all know it: in some way or the other, we have multiple different types of cloud adoption, right? We don't have just one. We have Azure, we have AWS somewhere, we have GCP somewhere. And as we go on to adopt cloud, our multi-cloud presence is only going to expand.
So yeah, one stat here says 91% of decision makers say their organization uses at least two different cloud providers. Now, quickly taking you through the market drivers here: cloud migrations. We all are going through some kind of cloud migration or cloud onboarding. Our onboarding teams have a time and a budget, right? They don't care about managing security in the cloud. They are trying to move your workloads into the cloud as fast as possible; with what entitlements, with what permissions, they have very limited expertise and visibility into that.
Neither do we, right?
So most of the cloud onboarding teams do not care about access privileges. And if you're trying to do some automation (most organizations have achieved some kind of automation when it comes to cloud onboarding, and they do that using templates and blueprints), you actually invoke or include a lot of standing privileges with which those applications and workflows are going to run in the cloud. Increasingly there are also more machine identities that we are talking about and including as part of those automations. So those machine identities also operate in the cloud.
So we have a very limited set of intelligence and information about how those workloads and applications are operating in the cloud and with what access privileges.
Second one: common cloud misconfigurations. It's often talked about when we talk about configuring different types of clouds in your environment. There are bound to be some misconfigurations happening here or there: somebody created a wrong VM in a different region, somebody created a VM or a database with different kinds of ports open.
These are very common misconfigurations, but the problem is that these misconfigurations are only a problem when they're attached to wrong privileges; then it becomes even worse. And it's a chicken and egg problem: misconfigurations lead to problems in privileges, and wrong privileges make them even worse, right? So we have to manage how we can tackle part of the misconfigurations even through CIEM implementations.
Expanding cloud attack surface.
We are adopting more cloud. As we adopt more cloud, our cloud attack surface only expands, right? Our multi-cloud sprawl grows, and new cloud attack patterns are emerging.
And yes, most of the CSPs that we talk about have limited native authorization capabilities. I think limited. They might be working on those capabilities as to how to grant those specific roles to those resources or permissions in the cloud. But also they're very inconsistent, right? So for Azure, there might be different admin roles: a role for administrator, a role for managing or creating VMs, or whatever, or read, write. But if you go to AWS, there's a different set of resources, entirely different kinds of roles and entirely different kinds of authorizations.
So it's very difficult for us to come to a common authorization model that we can use to implement in the cloud.
And yes, of course, we don't talk about effective permissions. We talk only about standing permissions and privileges in one specific resource or cloud; how the combination of those resources and those permissions is going to have a more accurate effect on the overall role of the user, that's something which we don't even care about. We don't even correlate those permissions.
So let's say a user has specific permissions in Azure, A, B and C, and he has D, E and F in, let's say, AWS. We don't see how A and D, when they're combined, create a very toxic combination of permissions, right? So the user can go deploy a new application into AWS and also perform some specific function which he's not allowed to. So that correlation and effectiveness of the permissions is also something that we have to look at. Visibility and governance.
We don't have at this point in time a single-pane-of-glass kind of interface where we can go and see: okay, I have these users, these admins in Azure, these admins in AWS, these admins in GCP, or any other cloud you are using, VMware or Alibaba, whatever. So there is a lack of visibility into permissions across the clouds. And also there's no common governance platform which helps you to manage the life cycle of these access permissions or entitlements.
So when they're assigned to a person, when they're taken back, are we going to change those permissions, how are we changing them, who are they assigned to, what's the life cycle? Are we doing any access reviews of those permissions in the cloud? All of that is something that we are not tracking as of now. And we lack an overall governance for those privileges as well.
So again, some numbers here; I think these are more important. 95% of granted cloud privileges are unused. They remain unused.
And this is a common stat that we have found across a number of our customers: out of these 95%, more than 50% of these cloud privileges are high risk. And that's exactly what we want to target and see how we can actually manage those privileges.
And yes, as I said, as we are moving to the cloud, we are creating automations, we are creating new ways of application-to-application, service-to-service communication. There's a more than 50% increase in the number of machine identities. So those are some stats from the industry, right?
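An added example, not part of the talk and not code from any vendor product: the kind of analysis the speaker describes above, run over a constructed cross-cloud inventory. It computes the share of granted privileges that were never exercised (the "95% unused" point), which of those are high risk, which identities hold a toxic combination once grants from several clouds are combined into net effective permissions (the "A in Azure plus D in AWS" case), and a right-sizing plan that keeps only what was used. Every identity, cloud, permission name, usage-log entry, high-risk list and toxic-combination rule here is a constructed assumption.

```python
"""Toy CIEM-style analysis over a constructed multi-cloud inventory.

Added example, not code from the talk or from any vendor product. It shows
the checks the speaker describes: which standing privileges were never
exercised, which of those are high risk, which identities hold a toxic
combination once grants from several clouds are combined into net
effective permissions, and a right-sizing plan for remediation. Every
identity, cloud, permission name, log entry and rule here is constructed.
"""
from collections import defaultdict

# Constructed inventory: identity -> cloud -> granted (standing) permissions.
GRANTS = {
    "alice": {
        "azure": {"vm.create", "vm.read", "storage.read"},
        "aws": {"app.deploy", "role.attach", "s3.read"},
    },
    "bob": {
        "azure": {"vm.read"},
        "gcp": {"compute.read"},
    },
    "svc-deploy": {  # a machine identity created by an onboarding template
        "aws": {"app.deploy", "s3.read", "s3.write", "secret.read"},
    },
}

# Constructed usage log for the observation window: (identity, cloud, permission).
USAGE = [
    ("alice", "azure", "vm.read"),
    ("alice", "aws", "s3.read"),
    ("bob", "azure", "vm.read"),
    ("svc-deploy", "aws", "app.deploy"),
    ("svc-deploy", "aws", "s3.read"),
]

# Constructed list of permissions treated as high risk when left standing unused.
HIGH_RISK = {"vm.create", "app.deploy", "role.attach", "s3.write", "secret.read"}

# Constructed toxic-combination rules: permission sets that should be reviewed
# when one identity holds all of them, even if they come from different clouds.
TOXIC_RULES = {
    "deploy-and-attach-role": {"app.deploy", "role.attach"},
    "create-compute-and-read-secrets": {"vm.create", "secret.read"},
}


def unused_privileges(grants, usage):
    """Map identity -> set of (cloud, permission) granted but never exercised."""
    used = defaultdict(set)
    for ident, cloud, perm in usage:
        used[ident].add((cloud, perm))
    return {
        ident: {(c, p) for c, perms in clouds.items() for p in perms} - used[ident]
        for ident, clouds in grants.items()
    }


def unused_ratio(grants, usage):
    """Share of all granted privileges that were never used."""
    total = sum(len(perms) for clouds in grants.values() for perms in clouds.values())
    unused = sum(len(s) for s in unused_privileges(grants, usage).values())
    return unused / total if total else 0.0


def high_risk_unused(grants, usage, high_risk=HIGH_RISK):
    """Unused privileges that are also on the high-risk list, per identity."""
    return {
        ident: {(c, p) for c, p in items if p in high_risk}
        for ident, items in unused_privileges(grants, usage).items()
    }


def effective_permissions(grants, identity):
    """Net effective permissions: the union of an identity's grants across clouds."""
    return set().union(*grants.get(identity, {}).values())


def toxic_combinations(grants, rules=TOXIC_RULES):
    """Identities whose cross-cloud effective permissions satisfy a toxic rule."""
    hits = {}
    for ident in grants:
        eff = effective_permissions(grants, ident)
        matched = sorted(name for name, required in rules.items() if required <= eff)
        if matched:
            hits[ident] = matched
    return hits


def right_size_plan(grants, usage):
    """Per identity and cloud, the sorted permissions to remove (just-enough privilege)."""
    unused = unused_privileges(grants, usage)
    return {
        ident: {c: sorted(p for cc, p in unused[ident] if cc == c) for c in clouds}
        for ident, clouds in grants.items()
    }


if __name__ == "__main__":
    print(f"unused share: {unused_ratio(GRANTS, USAGE):.0%}")
    print("high-risk unused:", high_risk_unused(GRANTS, USAGE))
    print("toxic combinations:", toxic_combinations(GRANTS))
    print("right-sizing plan:", right_size_plan(GRANTS, USAGE))
```

The point of `effective_permissions` is that the toxic rule fires for `alice` only because her Azure and AWS grants are unioned first; looked at per cloud, neither side trips the rule, which is the correlation gap the speaker describes. A real deployment would feed the usage log from each provider's activity logs rather than a hand-written list.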
So yeah, entitlements management. I think what CIEM does, what CIEM promises us, is essentially the end-to-end life cycle management of these entitlements in the cloud, right?
So this essentially is the life cycle management of those entitlements. How CIEM actually helps is by discovering these entitlements in the cloud. So it begins with discovering those entitlements on those resources. It can go to a detailed extent: understand what those resources are, what permissions are granted.
And it's pretty granular in terms of discovering those resources and the permissions which are attached to those resources. Threat assessment: again, it sort of analyzes and tells you where your threats and risks lie in your environment. Then of course there's right-sizing, which is more important, as we can see what those privileges are and you can right-size them, right? Right-size means you are trying to fit them for the purpose. So you can take the excessive permissions or over-permissions out of those roles.
And then what's really important is the automated remediation.
So you can take those policies and you can push them to whichever cloud you want to manage.
So okay, these are my highest permissions in AWS or GCP or Azure; I take them, because it discovers them. You have an interface where you go and see these excessive permissions, because you already have the recommendations from the threat assessment. You take them, you take out the excessive permissions, and you deploy them back. So that's what the automated remediation actually means. You can even create policies which say: okay, any of the highest permissions attached to these roles and these permissions should automatically be remediated.
So you can also create those specific policies, and finally monitoring and governance. Once you have set those policies, it actually continuously monitors for any of those excessive permissions being used. And if you want to immediately take those permissions out from the user, that can be done. Basically, it's more about usage pattern and behavior monitoring. And of course the governance, which CIEM tools are still trying to address, but they're not there yet.
Yeah. So I think, just to summarize again, these are the specific CIEM critical capabilities.
This is a more detailed slide than the previous one. It actually tells you exactly what different kinds of capabilities you should look at when you're trying to evaluate your CIEM.
So again, the intelligent discovery, where you have discovery of identities associated with entitlements. I think you should also try to see if they support the different IdPs that you may have. So they have different identity providers. It can also do a discovery of your identities from any of your IdPs, like Azure AD or Ping or even Okta, and then try to relate what permissions they have in any of those cloud providers.
IaaS and PaaS platforms. What's here in the other color, which is yellow, are some capabilities which should be there, but they are not there yet.
For example, when you talk about discovery, they only discover infrastructure permissions; they don't go to the detail of discovering business or SaaS application entitlements. So I think CIEM, because it says infrastructure, is essentially only focused on managing infrastructure entitlements. It's not there to manage any of your SaaS application entitlements. Yeah.
So these are the different capabilities. Threat assessment: I think the one to really call out here would be the net effective permissions. So how we can combine those net effective permissions and see if those combinations are creating any specific threat. Privilege right-sizing, something which is also talked about as just-enough privileges. So those are the policies that you should monitor.
So I think, yeah, these are some of the details of the critical capabilities, and a quick comparison, because, as I said, we have this kind of confusion in the market.
What do other tools do? Why CIEM? What unique value proposition do I have in the market with CIEM? So yeah, these are some of the specifics. Cloud security posture management helps you to do a bit of privilege right-sizing, a bit of threat assessment, but it's more focused on monitoring. But if you look at this one, cloud infrastructure entitlement management actually does all of it; it's definitely a little weaker right now in governance and also monitoring.
But otherwise it helps you with all the capabilities like threat assessment, discovery, policy enforcement, automated remediation, and all of that. PAM and IGA tools: yes, of course, they are also there, but again, they're not sufficient enough as of now to manage these permissions in the cloud.
So now I think, what should we do to gain the maximum security effectiveness using CIEM? So first of all, we should gain visibility and control of our environment. So how we can navigate across the multi-cloud environment with Microsoft Permissions Management.
That's the product that Microsoft actually acquired from CloudKnox. The name is still in a little flux, CloudKnox Permissions Management or Microsoft Permissions Management, but yes, this is exactly how you can span it across your cloud presence and navigate across your cloud presence: identify what the entities are, what the over-permissions are, what the different actions are which are being taken on these permissions and resources.
So I think these are some of the very specific findings that the threat assessment can bring you. The other thing that you have to do is also enable least privilege for the cloud.
We talk about zero trust a lot of the time, and one of the principles of zero trust is implementing least privilege. So how we can extend your least privilege into the cloud using just-in-time and just-enough privileges. Yes. Combine the power of your security tools. So of course there are different single tools that you're already using.
Essentially, I would say integrate CIEM with your SIEM solutions, so that the alerts and monitoring can send those alerts to your SIEM solution. Also try to integrate with your PIM and also governance tools for the entitlements management life cycle.
Yes. Then focus on the technology differentiators to enable CIEM.
So there are different kinds of technology and tools in the market, but you have to look exactly at what differentiates them based on what a specific business needs for implementing CIEM and navigating through a multi-cloud adoption. Your discovery should be good enough, to the level of granularity that you want to discover. You should get comprehensive enough visibility of what the threats are in your organization or in your multi-cloud estate. Activity monitoring is important. Remediation: so a lot of tools are there.
They provide you remediation, but it's not automated. And sometimes they don't even do it for other cloud providers or resources. So you have to see that they are the right fit for you when you're looking at automated remediation capabilities.
And yes, finally, what are the deployment scenarios, how you can deploy them, what's the overall ROI that you can bring through these deployments, and finally how you want to deploy CIEM in your organization. I think these are quite generic steps that you do anyway for other services and products as well.
So do the scoping of your overall cloud security requirements: what resources you have, where you have them, what kind of permissions you want to manage, what the different kinds of workloads are, are you using any templates or blueprints, are they specifically invoking any over-permissions and excessive permissions in the cloud, and also whether you have any cloud-specific compliance requirements. Strategize: try to understand what overall multi-cloud security capabilities you'll need and what kind of implementation you want.
So evaluate the CIEM market and technologies, and try to create a good enough business specification as to why you will need CIEM and what kinds of challenges and problems you're going to manage through CIEM. Decide what the immediate use cases are.
There are different use cases that CIEM can address: cloud onboarding, managing authorizations in the multi-cloud environment. And finally, also see if you have enough security skills in the organization that can address the CIEM requirements well. So I think, yeah, with that, go for execution.
And finally, I'll just quickly take you to the final slide, which tells you, yeah, managing is also a good way for you to understand whether you are on track. Are you able to provide enough value to your business by implementing CIEM? So what's the overall effective ROI, how CIEM accelerates your overall cloud enablement process, because that's what we are implementing CIEM for. So this is the model CIEM deployment where you can see how you want to scope, strategize, site plan, deploy and expand. Yeah. With that, I think we have covered everything on the agenda, and yeah, Mike, thank you.