So, yeah, thanks very much for the introduction. So yeah, Jonathan Neil, I'm the director of solutions engineering for Saviynt in the international region. And in this session, we're gonna be talking about identity and security for your cloud strategy, and hopefully focusing on some of those key points that were raised during the intro, right? So in terms of cloud strategy, transformation, I mean, this is something which is obviously a very high priority agenda item when I'm out in the field and I'm talking to CIOs to CSOs, to chief digital officers.
And what kind of resonates with me is, you know, they all have this kind of agreed understanding and consideration that, you know, having a well defined strategy is gonna be fundamental to the way these organizations shape the way that they do business within the future. It's also kind of mirrored that most of those organizations have some kind of cloud first strategy, but cloud first strategy really does vary from organizations to organization.
So if you consider at one end, you've got organizations that are looking more of a cloud new scenario and cloud new means that they're looking at their existing application estate, looking at those legacy systems and where they don't meet the demands of either current or future business requirements, they're going out to the SaaS market.
And when they're going out to the SaaS market, if they can find a solution that meets not only the functional requirements, but also the security, availability and scalability requirements, then they will always adopt that SaaS application before looking to implement something in a more traditional legacy way within an on-prem data center. At the other end of the spectrum in the conversation that I have with these organizations are companies that are looking to remove themselves completely from the legacy data center space. They see them as being obviously very costly overheads.
They're very expensive to run, operate, and maintain. And they're actually in the process of migrating those workloads, those legacy applications from the data center into a cloud solution. And that is typically across a multi-cloud strategy.
So AWS, Microsoft Azure, Google Cloud, Alibaba, and others.
So if you think about the sort of application landscape today, and if you consider that somewhere around 65% of applications are either SaaS or hosted in infrastructure as a service, but what does that really look like from a journey perspective? What a lot of customers that I speak to have kind of made their first journeys into adopting cloud by maybe looking at something like a HR transformation program, they've taken a legacy HR system that doesn't necessarily operate within this kind of new model world.
It doesn't necessarily handle anything beyond the employee. It certainly doesn't know how to manage things like non-human identities. So robots, OT, you know, and other types of non-human identity. So they've gone out to the market, they've looked at options and they've implemented something like a Workday or a SuccessFactors. A lot of other companies are going Office 365.
They're going to Azure AD, SharePoint Online.
And in fact, what we've seen over the last two months with the COVID epidemic with the, the work from home scenario is that we've also seen a huge explosion of organizations that are delivering different collaboration tools out to their employees, but also more importantly out to their business partners.
And a lot of organizations have tended to, you know, build that capability or deploy that capability first and foremost, to maintain a level of business and a level of business continuity, but not necessarily fully understood the implications of collaborating, not only with employees, but with business partners, but more importantly, the types of information, data that may be shared within those collaboration tools.
So that again brings a whole nother aspect of, you know, what is required from a secure and well governed, you know, cloud strategy, a further paradigm shift, and you alluded to this right at the beginning is, you know, companies are going from managing their crown jewel applications, their finance systems, their ERP platforms from those from an on-prem data center.
And they're starting to either migrate those into cloud, or they're completely migrating to a new cloud solution.
So whether that's Oracle ERP Cloud, whether it's SAP S/4HANA, whether it's Microsoft Dynamics 365, the fact that they're now starting to move those, you know, crown jewel, financially sensitive business applications into cloud, you know, exposes a whole nother, you know, threat landscape that they need to manage. And it also introduces some other governance considerations that they need to consider in that journey.
So once we sort of fully believe, you know, the cloud transformation does increase business agility, it certainly increases the ability for companies to move at the speed of business. And it also offers the opportunity to potentially lower total cost of ownership or operating costs for managing these applications and systems by removing them from the data center and move them into cloud, Saviynt believes that an identity-based set of security controls is really key to addressing, you know, this rapidly increasing threat surface.
That's now being introduced by moving all of these different applications and platforms into multi-cloud strategies or SaaS providers.
So what we see really is three core tenets to be able to operate and, and manage that journey is in a very sort of secure cloud strategy or, or secure cloud transformation program. And ultimately the center of everything. We always see the identity. And we'll go on and explain a little bit more about each of these three core as we go through the presentation.
But essentially one of the first things you need to do is to gauge visibility or to gain visibility about what assets you have across those different cloud infrastructures, those different SaaS applications. So what tenants do you have? What subscriptions, how many accounts, how many projects within those environments, how many workloads, how many cloud databases, you know, how much serverless code do you have running in those, that environment? What about your DevSecOps tools? What did that ecosystem look like?
How can I bring all that information from those disparate disconnected platforms together into one, easy to consume visibility framework. Now, once we've brought all that information in to an intelligent identity hub, then you have the ability to start being able to govern appropriately the assets that you have within those cloud providers. And being able to do that in a uniform manner, which allows you to move at scale and to really secure all of those critical assets, whether they are applications, data, you know, identities or infrastructure components.
So once we have the visibility, once we have the opportunity to start implementing continuous compliance or governance controls against all of those cloud assets, you can start to develop techniques, which will allow you to maintain a level of security, maintain security that is balanced, that is in real time. And that is also driven by, you know, a proper risk assessment and risk insights across different platforms.
So what we're gonna do is drill into each one of these and see how that particularly operates.
So getting visibility, I kind of alluded to some of this already, it's getting insights into, you know, what do you have out there in terms of your cloud assets? What do you have out there in terms of human and non, you know, and, and non-human digital assets. So part of that initial visibility is to do that sort of discovery process.
You know, what is out there in my cloud systems? What types of services do I have running? What types of databases, what types of data do I have?
You know, what types of SaaS applications do I have deployed? You know, how many tenants, et cetera. And then once we've been able to, you know, discover all those cloud assets, we can then start to leverage, you know, industry standard controls and industry standard controls allow you to apply that continuous compliance mandate, you know, across all of those assets.
So you may be looking to, you know, be compliant with something like, so you may be looking to become compliant with something like NIST 800-53.
You might be looking to be compliant with CIS standards, or you might be looking to be compliant with PCI DSS. So having a set of industry recognized controls that are easy to understand, easy to audit that helps kind of simplify the identification of any risks and more importantly, any compliance failures that you may have across those cloud assets. And of course, once you've been able to discover those compliance failures, you also have the ability to, you know, remediate or mitigate that risk accordingly.
What is sometimes also a little bit more difficult to do is to discover things like privileged users. So for example, you may have gone to, you know, cloud services like salesforce.com. You may be looking at things like Workday financials or Microsoft Dynamics 365. How do you get visibility of what are the identities within those systems that may be having high levels of privileged access in perpetuity? They're people that are maybe the business owners or the technology owners of those platforms that have high levels of privilege.
You know, it's fundamental in order to provide, you know, that secure and compliant experience, to be able to identify those people that are carrying, you know, very privileged levels like developer access in salesforce.com, who has the ability to download a complete list of all of my customer information. And then once you've done that discovery, you can also then start to identify who are your riskiest users, who are those people that may have excessive levels of privilege in relation to the type of job function that they carry out within the organization?
How can you assess what levels of access that person should have in terms of a normal range when comparing to comparing them to other people that do the same kind of job, and then underlying all of this is really identity analytics and access intelligence, being able to take into consideration multidimensional risk factors from sort of static policies like industry controls from dynamic policies, such as, you know, peer group analytics and things like that.
You know, that visibility really is the key to being able to bring all of those disparate assets together into one umbrella, into one pane of glass to in, you know, in order an organization to start becoming compliant and to delivering a secure cloud experience.
So once you've done that, you know, we talked about, you know, governing consistently applying policies that allow you to govern all of those cloud assets.
And again, this could follow one number of different, a number of different tasks or, or modules, if you like. So just in time, access provisioning, you know, only ensuring that people have the level of access to those platforms, to those systems, to those SaaS applications, you know, as, and when they need access and only as, and when they need access only to the level that they need access. And let's take the example. I just gave recently that someone had maybe high privilege developer access into your salesforce.com.
You know, you don't want that to happen. You don't want 'em to have that in perpetuity because that effectively increases the, you know, the attack surface. There's always an identity there that could be compromised that could be leveraged for somebody to get access to your most important, you know, customer data.
So being able to manage that user, being able to provide them just enough access, however, when the person needs to perform some development functions, you need to give them the ability to request either a privileged access or request access to a privileged identity in a, in a secure way, in a way that is auditable, that has the appropriate levels of approval in place so that you can, you know, provide that elevated level of privilege to that person for the period of time that they need, you know, to carry out that particular piece of work.
So those compliance checks are happening all the time. And obviously, you know, because we're doing privileged elevation, we are time boxing, everything to ensure that once the user completes the privilege task, the maintenance, the development, whatever they're doing in that cloud application is that we can also revoke the access in a timely fashion as well, which basically takes us right back to having just enough access, you know, at the right time to those right systems.
So we talked a little bit about assured compliance. You know, assured compliance is really having that underpinning audit trail. It's having the ability to provide evidence to anybody that wants to understand why a certain user had access to a cloud asset SaaS application, an EC2, a cloud database, a console at any point in time.
So having that single pane of glass, that single umbrella in which you're managing all of these cloud assets, again, allows you to deliver an assured compliance solution whereby you have everything, you know, available in one screen that conforms to all of those industry standard controls and is easy to demonstrate the evidence around those controls and safeguards to either internal or external audit checks. And then finally, you know, we can use a lot of this intelligence and analytics that we have within the platform to deliver, you know, anticipatory experiences.
You know, I understand that you are gonna need to have this certain level of access every given Friday, because that is our maintenance window. That's when we have the ability to perform certain tasks within those applications.
And then finally, really looking at how you secure your multi-cloud ecosystem, you know, enforcing that least privilege model, having those controls, those safeguards in place, the control, the management of the provisioning of the lifecycle management of people that are requiring access into those systems, you know, leveraging those multidimensional risk models.
I talked about everything from sort of static security policies and analytical controls to things that are more dynamic, shift in workforce, shift in sort of departments, shift in job functions and how that could have an effect on whether or not an access that was right for you yesterday may not be right for you today. And how, again, we can make that visible and you can remediate and mitigate that access, you know, accordingly. Rapid response to violations.
So not just being reactive when you spot a violation, which is maybe critical against your NIST 800-53 or your PCI compliance, but be able to take preventative controls immediately to be able to remediate any risk that might be associated with somebody's access, you know, to those systems. And really this extends all the way down to the whole cloud ecosystem. So not just looking at your infrastructure as a service, your SaaS applications, but also looking at how you apply policy, how you apply governance and security across your DevSecOps processes.
So that you're ensuring that any development of any code that you're pushing through those cloud applications are already compliant with your security policy rather than waiting to see them deployed into production. And then trying to sort of.