11:11 Systems Director of Cloud Market Intelligence Brian Knudtson is joined by guests Matt Vogt, Ivan Dwyer, and Chris Williams for a conversation about how users are identified and granted access to applications and data. They discuss the familiar aspects, as well as how it applies to cloud applications and new methodologies. While there are a variety of technologies to assist in getting access management correct at the ground level it all starts with procedure and policy.
[04:02] Many administrators are familiar with technologies like Active Directory for managing identity and authorization and the use of ACLs and permissions to control access. Is that basically identity and access management or is there more to it?
[10:37] Give us a brief overview and any recommendations you might have on how to use some of those, like single sign on, like multi-factor authentication, like biometrics that are out there that people may not know how to properly use to secure applications and data in the cloud.
[20:04] What technologies, procedures, information should those teams prepare in order to set up the proper user security controls in the cloud?
[01:19] “My thoughts on cloud access and identity management is that it’s difficult. It can be hard to get your first feet into the process. But once you’ve gotten a good head of steam going, things get easier and smoother as you progress.” — Chris Williams
[04:38] “It’s high time we start talking about metadata around users” — Matt Vogt
[05:48] “And the link between authentication and authorization isn’t always as obvious.” — Ivan Dwyer
[06:48] “There’s basically three things that you need to answer: Who, is number one; can access, is number two; and what, is number three.” — Chris Williams
[11:54] “One of the things that I think is often missing, that missing link, is around lifecycle management, you know, so how are you actually handling, you know, provisioning, de-provisioning accounts?” — Ivan Dwyer
[14:32] “Every system, every environment, whether it’s an infrastructure as a service or software as a service, is going to have its own form of access controls to deal with.” — Ivan Dwyer
[16:18] “I think teams struggle with classifying their resources so they have no way to write unified policies because they don’t know the difference between the workloads and the data.” — Ivan Dwyer
[22:04] “There’s a science to it and there is an art to it as well.” — Chris Williams
[25:27] “If you’re able to get to a world and paradigm where you can define policies and control based on metadata, it doesn’t matter if the system even exists anymore. Because the rules are based on the type of thing the service was, the type of data that was in the table. The type of network you’re trying to get access to rather than the component itself.” — Matt Vogt
Never Trust, Always Verify
It should come as no surprise that innovative IT organizations are working to adopt more comprehensive security strategies as the potential damage to business revenue and reputation increases. Zero Trust is one of those strategies that has gained significant traction in recent years.
This paper discusses:
- What is Zero Trust?
- The core tenets of 11:11’s security capabilities and contribution to supporting Zero Trust.
- Security and compliance as a core value