Everyone, I'm Gaal. I'm from PlainID and chief product officer there. It's nice to see you all. I'm going to talk about identity centric security. As you know, I typically start by explaining what identity centric security is. So that's what I'm going to start doing, and then talk about the steps you should consider when starting or in the process of addressing identity security. We are obviously going to talk about challenges, because in identity there are always challenges, but also talk about the solutions to address those challenges. And I've included a demo today.
So we are actually going to see a nearly live demo of how things could be looking for you if you choose to implement such a solution. Okay? So that's the plan today. Let's get started. First of all, what is identity centric security? So as it says, it's placing the identity at the core of your security design.
Basically it means consider identity whatever you do, whenever. If you are currently implementing applications or APIs, microservices, any new technology, identity should be part of that and needs to be considered. Now when doing so, it has an impact on the overall security program. Why?
Because identity is the gate to all of those technologies. Eventually identity poses a risk. When we look at our overall security stack, when we look at applications, APIs, microservices, and eventually the data, identity is the focal point of risk we should consider and we should address. So what should we do then?
So whenever we look at how to get started with our overall identity security program, first of all we need to understand where our identities are. Do you know where your identities are today? They are probably everywhere. They're in applications, maybe in multiple IDPs and so on. So identities are all over the place.
Not only they are there. Also what they can do, the definitions that connect identities to assets are also distributed in many different places.
So we first of all need to understand where all of our identities are and then consider how to manage them, how to manage identities and what identities can do. And there isn't just one way to do that. That's why we need to think about how to standardize.
We need to think about a central approach that would enable us to consolidate the management of identities and what identities can do, and then we can continue, we can progress to a more advanced type of control that speaks about identity security, connecting identity to the actual security controls within our technology stack, within our applications, within our APIs, within our microservices and within data. So this is the path to getting started with identity security, but there are challenges.
So when you consider this program, you also need to consider the challenges. I'm going to mention three challenges when you get started with identity security. Now the first one, very obvious: where is the identity? Identity security speaks about defining trust between the identity and the control point. But do you know the identity at each and every one of the control points? If you don't know the identity, you cannot establish trust. That's a given. But that's a very challenging point to address, because in many cases the identity is not known at the point of control.
We typically work with general identities. We work with service accounts, with application accounts. So we don't know who the identity is. Identity must be known in order to establish trust. The second challenge is the challenge of enforcement. If we consider the digital journey, what is the digital journey?
It's the path the identity would go. Right after authentication, it would go to some kind of, probably, network control, application, API and data, and at each and every one of those steps there can be a control point, a control point that would validate the user and would say, yes, proceed, or no, you cannot proceed anymore. So the challenge of enforcement: where should we place those control points along that journey? That is the second one. And the last one is obviously the segmented and distributed control.
In order to address controlling along that digital journey, we need to have our policies defined at each and every step. And we have application policies, we have APIs, microservices policies, we have data policies, policies all over the place. So just think about, as an example, a data platform, Snowflake, just as an example. Even if a user wants to access Snowflake, first of all, it needs access to the Snowflake platform, right?
Whether that's enabled by the network, SSIS solution you have in place and then by Snowflake itself.
But then once within Snowflake they need access to the data. It's not sufficient just to have access to the platform itself. So there is a digital journey, there is a path to consider, and controls are all over the place. They are distributed, they're segmented, very, very challenging to manage. So I mentioned three main challenges when we look at addressing identity centric security or would like to implement that as part of our security program. Now let's talk about a solution.
And the solution would be by looking at the policies from a top-down approach: central policy management, in order to establish trust at each and every step of that digital journey. Now, central policy management would provide visibility, control, consistency and standardization across that stack, whether it's for the application access control or the APIs, microservices or the data.
Now I'm kind of repeating myself over and over again when I'm saying applications, APIs and data. Why is that? Because eventually that's how our identities operate.
In order to access data, they would use an application, or an API would be used, or a microservice would be used. There are multiple paths to the data. So whenever you are considering that you want to control user access to data, you need to consider all those multiple access points, and that's why the path to the data should be considered, the path to the asset should be considered. That's why we are talking about distributed enforcement and central management. With distributed enforcement you can define one policy.
For example, account managers can access their own accounts, and that is enforced consistently in our data platforms, or if data is accessed via APIs or via the applications.
Okay? And remember, I'm going to show you a demo of how that is actually achieved. Okay? So here we are, we are now going to see the demo. So before I start the demo, and hopefully, cross my fingers, it is going to start.
Before I'm going to start that, I'm going to explain. We are going to look at a sample organization that is using an application as kind of a portal where they would display reports about accounts, and they're going to use Power BI. Those of you who know the technologies involved would know that the technology is so much different between Power BI and the way applications access data. But still we are going to manage that with one central policy. So we are going to see that one policy that enables access to all accounts from all over the world, all countries.
And then we are going to the policy, we are going to disable that global policy which would leave us just with local policies.
We are going to go back to the application, back to Power BI, and let's see the effect. Okay, so hopefully my video starts running. So first of all, we are going to see a user accessing Power BI and a partner portal. And within those two applications he will be able to see the consumer accounts from all countries. So first of all, this would be the policy. It's a PlainID policy, for those of you who don't know. And now let's access Power BI.
In Power BI we are going to see a report of accounts from all countries. We are going to see the user we are using is the same in both applications. So in this case the username is Alex in the report. Let's access the report. We can see just a sample report showing a lot of data from all over the world. Okay? Just build a sample report. Now we are also going to go to a sample application we have built for this demo, and we are going to see the exact same data. It's the same table, as you know, replicated between the two or used within the two environments.
Again an application, same user accessing the application and seeing the same list of accounts in a different view. Okay, excellent. Now as I said, we are going to go back to the policy management system because there is a compliance, privacy compliance policy we need to enforce. We can't have everyone see everything. We want to reduce the level of access. So we are going to go to that policy management system. We are going to disable that global policy I mentioned we saw before. And once we do that, let's see what happens. So let's disable the policy.
The policy is disabled immediately.
We are going to go back to the application to the portal. We are just going to do a refresh.
Not even, we don't even need to re-log in, just refresh. And you can see the records displayed are now filtered to include only Maryland accounts. Okay? Instant change, instant impact on the application because of the policy, because of the change in policy. Now let's do the same in Power BI. We are going to go to Power BI and again we are going to do a refresh. Let's click refresh and see what happens. Also in Power BI, the records which are part of the same report are filtered based on the user country, which is in this case Maryland.
And now the user can see the same report but with a limited set of data. And this is exactly what it means to have a central policy management with distributed enforcement.
One place where we can see our policies, we can manage the policies, we can govern the policies, but enforcement is distributed. Why is that? Because we have so many technologies in place, I would want to have standards for authorization policies. Unfortunately we are still not there.
We have started a working group that is starting to address those areas, but we still don't have a standard. And the way in which you would see Power BI or Snowflake managing authorization policies is so much different than the way in which you would manage them for APIs or for your microservices or for your applications. The authorization space is growing, it's maturing, but still not the same as authentication.
Therefore a solution which enables you to have a central policy management solution, one place to manage your policies in a business-like manner, a natural language, maybe, type of display as well as policy as code, is very important. But the other part of that is the ability to distribute the enforcement to fit the relevant technologies which you have in play, because that's where we are currently at this point in time. And I think this would take us also further on.
So that's it for now. Thank you.
Thanks very much, Gaal. Just a quick question before you go.
Why do you think identity security is getting more attention now than in the past? And why has ISPM become a crucial element for cybersecurity and IAM professionals?
Yeah, so first of all, identity security has become so crucial because, as we know, boundaries are no longer there, physical boundaries I mean, and identity is the one point of entry to each technology stack. That's why security professionals are considering that more than before. We can see a lot of, by the way, identity security taglines all over the place just because of that. And that also reflects the security posture of identities. Because the first thing we need to know is where our identities are and also what can they do?
What are the set of policies associated with our identities in order for us to address that?
Okay, great. Thank you very much, Gaal.
Absolutely. Thank you.