
Episode 4: Identity and Access Management

Nov 17, 2021 | CYBERSECURITY, Who's In Your Cloud?


Welcome back to Who’s in Your Cloud? 21 Steps to #Secure, Reliable, Trusted Technology. I’m Lauren Lev, Marketing Manager for TechOnPurpose and this is Episode 4 Identity and Access Management.

Last week, our partners from Intelisys, LastPass, IDAgent, and Keeper helped us close out National Cybersecurity Awareness Month with a topic of complex passwords and password management. You can find that episode and catch up on all our episodes on demand on LinkedIn, Facebook, or YouTube. You can also catch all 23 episodes on Spotify. For direct delivery to your inbox, sign up for our blog at TechOnPurpose.net/blog.

If your organization is truly committed to achieving secure, reliable, trusted technology, IAM or identity access management is the real getting serious cybersecurity onramp. Today our cast of experts will walk us through a short list of IAM topics including MFA, SSO, PAM. But first, please join me in welcoming our powerhouse cyber expert cast for today from LastPass, Cisco, Intelisys and JumpCloud.

Don’t forget we’ll be releasing a new episode every Tuesday, starting 10/20/21 through late spring of 2022 with brief time off for holidays with family & friends.  We’ll also follow each Tuesday episode release with subsequent Wednesday, Thursday, and Friday posts highlighting our (3) contributing solution partners from that week’s episode.  We hope you’ll find this an immersive, hopefully simple, educational and enjoyable experience.  So how do you tune in?

To easily follow the journey ahead we’ve diversified your access options to all (23) of our coming episodes.  You can follow along here on our blog, or by any of the following methods:

  • Email Newsletter: sign up at techonpurpose.net/blog and have each episode delivered direct to your inbox when released.
  • LinkedIn:  follow here
  • YouTube:  follow here
  • Facebook:  follow here
  • Podcast:  follow here

Buckle up – it’s time to hit the road to #secure, reliable, trusted technology!

 

Lauren Lev
Welcome back to “Who’s In Your Cloud? 21 Steps to #Secure, Reliable, Trusted Technology”. I’m Lauren Lev, Marketing Manager extraordinaire from TechOnPurpose. Can you tell I make my own scripts? Anyways, thanks for joining us for Episode 4 Identity and Access Management. Last week, our partners from Intelisys, LastPass, IDAgent, and Keeper helped us close out National Cybersecurity Awareness Month with a topic of complex passwords and password management. And if you turn that episode into a drinking game for every time I said complex passwords and password management, I’m sure you had a great time, so you’re welcome. You can find that episode and catch up on all our episodes on demand on LinkedIn, Facebook, or YouTube. You can also catch all 23 episodes on Spotify. For direct delivery to your inbox, sign up for our blog at TechOnPurpose.net/blog. If your organization is truly committed to achieving secure, reliable, trusted technology, IAM or identity access management is the real getting serious cybersecurity onramp. Today our cast of experts will walk us through a short list of IAM topics including MFA, SSO, PAM, and no doubt several other acronyms I personally have never heard of. But first, please join me in welcoming our powerhouse cyber expert cast for today from LastPass, Cisco, Intelisys and JumpCloud. First up, I am deeply honored to welcome back a Who’s In Your Cloud? VIP past favorite, Ivan Paynter everybody. He is the National Cybersecurity Specialist from Intelisys. Welcome back, Ivan.

Ivan Paynter
Howdy!

Lauren Lev
Alright, please welcome repeat cast offender, from LastPass, we have Channel Evangelist, Sid Castle. Welcome Sid.

Sid Castle
Glad to be here. And as you said, I was very offensive at Channel Partners this week, so my voice is a little off.

Lauren Lev
Nice. Well, hopefully you can redeem yourself today.

Sid Castle
Thank you.

Lauren Lev
Alright, we have Chase Doelling, the Director of Strategic and Technical Alliances from JumpCloud. Welcome to the show, Chase.

Chase Doelling
Thank you so much for having me.

Lauren Lev
Of course. And we’re also pleased to welcome first time cast member Andrew Griffin, who is Cisco’s Technical Solutions Specialist. Say Hi, Andrew.

Andrew Griffin
How’s everyone doing? Yeah, it’s a pleasure to be here.

Lauren Lev
Awesome. Yeah, we’re lucky to have you. And last, we have TechOnPurpose Founder and CEO, Matt Tankersley.

Matt Tankersley
Welcome back, everyone.

Lauren Lev
Yes. So, I know all of you guys are joining us hot off the streets of Channel Partners in Vegas, so we’ll try to take it a little easy on you today. But, let’s start with Matt. First, talk to us about identity access management, give us a brief intro into what it is, and explain to our audience why they should care about it.

Matt Tankersley
Well, thanks Lauren. And if you guys are relying on me to make this a simple conversation, I’m the wrong guy. That’s why we’ve got the rest of these folks here. That’s for sure. Let me, let me tell you this, right. If there’s a soapbox for cybersecurity soapboxes, this is it. Right? IAM is such a deep topic. We’ve got the right folks here to have that conversation today. If you’re listening in, and you’re familiar with the term IAM, that’s great, right? We’re hoping you’re going to hear lots of new stuff today that will help validate what you may already be doing, and what you may already know to be true in your environment. But hopefully, you know, you’ll you might learn a few new things as well. I think that’s the goal. And for those of you that are new to IAM, it’s gonna be a fun conversation as we break down some basics on why this is such an integral foundation for all that’s to come and in your journey to secure, reliable, trusted technology, and frankly, this entire series. So, if we had, you know, cybersecurity, 101 and 102 and 103, we’re jumping deep into 201 here today. And so, Lauren, I say let’s go around the room and meet our cast before we get any further down the road.

Lauren Lev
Perfect. Let’s do it. So I introduced them, but let’s give them an opportunity to introduce themselves and their company. So, we’ll start with you, Ivan. Ivan, tell us about Intelisys and what your role is there.

Ivan Paynter
Hey everyone, Ivan Paynter, I’m the National Cybersecurity Specialist for Intelisys. I’ve been with them for, for just shy of three years. I have been in cybersecurity for about 30 years. I am a Certified Ethical Hacker. I have a CISSP and I got a whole bunch of other letters behind my name that says I’m still paying $20 for a cup of coffee at Starbucks. And so, therefore, I study every single night. Just about every night, unless Tequila is involved one way or another. Thank you Channel Partners, that’s why the voice is a little deeper today, right? So, what I do at Intelisys is to advise our partners on the best possible solution for their particular client. We really do a deeper dive to understand exactly what the client currently has in place to understand where they’re trying to, what they’re trying to accomplish, and how they’re going to move forward. I’m of the nature to never rip and replace, always utilize what is theirs. So, the CFOs keep at best utilization for the bang for their buck, right? So that, to me, is the most important thing. But I do believe, stringently and making sure everyone is secure as possible, and really follow the guidelines, the best way we possibly can.

Lauren Lev
All right, Sid, you’re up next. Channel Evangelist, that sounds like the most interesting job title I’ve ever heard of, but can you tell myself and our audience a little more about your role there and how LastPass fits into the conversation about identity access management?

Sid Castle
Sure, sure. So LastPass is part of LogMeIn suite of products, you know, everything is software as a service or an “as product”. We’re identity access management as a service. So, you heard Matt mention Single-Sign-On, MFA, password management, that’s what we’re all about. And similar to Ivan, my voice is a little rough today because if somebody hands you something that’s called an Inteli-tini, don’t drink it. And after six of them, you’ll, you’ll forget about the first one, and you’ll keep going. But, you know, everything is about passwords and managing those endpoints and making sure you are who you are. So, those three letters don’t keep coming back over and over as MFA. And that’s really what I want to talk about today. And I prefer to almost call myself now the sommelier of the UCaaS, who’s, you know, identity access management, because we pair so well, with everyone else, you know? You could have an Okta solution, you could be using Duo as an MFA, LastPass works with those. We actually sell our products to those same companies, so it’s kind of an interesting conversation.

Lauren Lev
Alright, let’s turn it over to JumpCloud’s Director of Strategic and Tactical Alliances, Chase Doelling. Why don’t you tell us a little bit more about yourself?

Chase Doelling
Yeah, absolutely. So within JumpCloud, we really think about the directory kind of housing all those identities, and then doing some really fun and interesting things with those. And so, I’m fortunate enough to hang out with a lot of our partners that extend a lot of those use cases, right? So we’re thinking a lot of where those identities are coming from, what can we do with them, and then doing everything with a layer of security, right? And so, you’ll hear, you know, MFA being one, right, and passwords and Single-Sign-On and kind of all of those different areas, the way that we think about what an identity should have, kind of following those laws of least privilege and all those best practices when you’re thinking about just setting up your structure in the first place, right? And so, because we usually serve as that, as that home for identity. So, it’s really important to us to kind of understand, working within that ecosystem, and everything else to let people get their jobs done, right. And so, we kind of help enable a lot of the remote work scenarios that a lot of folks are dealing with right now.

Lauren Lev
Okay, and join me in welcoming first time cast member, Andrew Griffin. Andrew, tell us more about your role as Cisco’s Technical Solutions Specialist?

Andrew Griffin
Absolutely. Yeah. Sounds like I missed out on the party last week. So, I’m gonna use my voice loud and proud here since it’s in full force. But yes, my name is Andrew Griffin. I am a technical solutions specialist from Cisco. And what I do is I support all of the southern region across our broad SASE architecture to help clients and businesses and end users be protected, right? So the big, you know, kind of movement towards SASE, and Cisco approach of, you know, leading this network and security functionality in a single cloud native service to help ensure that access wherever users are, are those users and wherever the applications reside, they’re there, right? So, it’s really just making sure that those users are who those users are, you know, via MFA, and SSO and some other acronyms that we’ll, you know, just throw out, right? And we’ll explain a little more. So, just holistically, providing that full kind of SASE protection to end users.

Matt Tankersley
I think everybody’s heard me say this, right, generally, you know, one of our goals is to make sure that all of our clients and prospects have access to multiple vendor portfolios for each of the solutions that we talk about. And once again, you know, we work with all three of these companies all day every day and you know, some of them become necessary evils and some of them again to do some things and some new and exciting ways, and Ivan, I know you and I like to have a lot of fun in what we do. And I don’t know how familiar you are with the JumpCloud team, but I can tell you we’re pretty excited about these JumpCloud guys and what they’re doing in the space. And so, hopefully you’re gonna learn some more about them today, as well. And Andrew and Sid, we couldn’t do any of those things without both of you doing what your companies do. So great, so grateful to have you.

Sid Castle
Thank you. I’m a, I’m a Sun Devil. That’s where I graduated from, so I’ve never been accused of as a necessary evil, but I’ll take it, Matt.

Lauren Lev
Without further ado, let’s get into it. Now, for someone like me, who is the farthest thing from a cybersecurity expert, I can’t even help but notice how the common widespread use of more advanced password security has started to come up in the marketplace. So, right? First, we were using our fingerprints to unlock our iPhones and now we’re using facial recognition. So, growing up for me, using something like biometrics for identity access management, seemed something more out of a fantasy, futuristic, sci-fi movie, or even a Jason Bourne movie. But now, it’s so widely used and has become such a basic component of identity access management. So because of this, it only makes sense for it to take the number four spot on our best security practices matrix. Now, Matt, before we get into the nitty gritty, and turn it over to our cast members, do you have anything else to add?

Matt Tankersley
No, you know I don’t, I don’t think I do. I’m anxious to hear what our team has to say. I say we just jump right in. And let’s let our returning VIP cast member Mr. Ivan Paynter take front and center. And Ivan, what are your general thoughts on the topic of IAM to get us started? And you know, how do we simplify and prioritize this deep subject for our listeners?

Ivan Paynter
So you know, every time we do this Matt, you know, I always look at it from an unusual point of view. I like to look at it from maybe a hacker’s point of view, right? How can I break into something? Or is that, does that possibility exist? So, with facial recognition, you know, we’re talking about multiple points, or maybe 1000s of points, that a camera or device is going to pick and choose off a particular individual. So, we know it can’t be a flat image or even a 3D, but we found some printers that might be able to do it. The same thing with a thumbprint. You know, we’ve seen some of the movies out there, and not that I watch a whole bunch of movies, where they might cut off a person’s finger, you know, and utilize that, or to pluck out their eyeballs for retina scan. But you know, that’s an interesting thought or concept. Right? So, I wasn’t around for the detailed password thing that you had before, but my entire theory about this is I think passwords are obsolete, and we shouldn’t be using them. We should probably never have started using them. But so be it, and I’m glad we do, because I’m employed for life right now. Right? So, at the end of the day, identity access management, it is the necessary evil. And it should always be something you have, something you know, right. So, we all carry around these, these high end multiple devices, multiple caliber devices where they play music, and they entertain us on all types of different levels. But they also are a very strong, valuable entity, when it comes to a form of identity management. It’s something that we have, it’s in our possession. And done correctly, they should be able to identify who the user is on the other side of that, right. So, that’d be uses of identity, or if it uses a fingerprint or thumbprint or maybe a retina scan, or palm reader. I think those are wonderful things, right, that’s a great way to prevent somebody from accessing.
The key here is not to allow a bad guy to be able to replicate that, right. So, if we think about how that can be done, there are possible ways to do that, especially with some of the 3D printers that we’ve seen today. Might be a little out there right now, but I think it might be coming further down the line. So as technology evolves, you know, so do the bad guys, right? So, right now, it’s a great way to flow. I think further on down the line, we might be looking at something else. But it’s the best thing that we have at this moment. So, I’ll stick with it. But unfortunately, I think sooner or later, it too shall be in the past.

Matt Tankersley
You know, this, it dawned on me while you’re speaking. And we’re constantly striving, obviously, as folks that are trying to lead the conversation about better security for better productivity, and you know, those in risk mitigation, right. There’s so many. I mentioned early on this is a soapbox. It’s a deep topic. One of the things that we’ve recently done is enter into what’s called context aware security, right? It’s not just that, you know, you’ve got that device there and I’ve got this device here, which you can’t see but it’s that, you know, how does it know that it’s my device? Right? And so, I think that one of the things that we love about the developing IAM technologies that are out there is that we can say, not only can Matt Tankersley access Google Mail or Microsoft 365, but he can only do it from these devices. And then what happens if Matt Tankersley tried to access that from another device, or someone who happened to compromise Matt Tankersley’s credentials, tried to access that from another device? There’s so many layers of context aware security that we can layer into IAM, which is why this is such an important topic in keeping your environment secure. So-

Ivan Paynter
You know, Matt, let me ask you a question since you brought that up. So, how many layers are we using right now?

Matt Tankersley
Are we talking OSI layers? Or what are we talking here? IAM layers?

Ivan Paynter
Whatever layers you’d like to pick on. Honestly, to access, to access your, some of the most sensitive data that I have, at my purview, I haven’t really seen much of it. And the thing that somewhat bothers me right now, there are so many individuals that are being compromised, or so many organizations that are being compromised, when we talk about, you know, identity access management, but at the same time, are we really focusing in on it, right? So, there’s so much that’s occurring. Look, we can talk about ransomware. We can talk about malware, we just talk about some of the scams that are going on right now, at the end of the day, I don’t really see enough of this being implemented. And I’m really glad I love the industry here because I know that that’s one of the product lines at Intelisys that we have. I would just like to see more people who utilize really good tools moving forward. I mean, to me, that’s more logical than anything else.

Matt Tankersley
Yeah, that’s the whole point of what we’re trying to do here with this series. And in particular, this topic, and you asked about layers. And I think to your point that the primary layer of IAM that people are using is a single layer of a password. And so, what we’re talking about here is it’s so much more than that. If you, if you’re, if you’re serious about keeping your money where it belongs, and your clients happy and be able to run your company because you can still access your systems. If your cybersecurity is based on one layer of a password. Hopefully it’s a complex password. Because that’s not going to keep you for long, right. All right, great way to start us off. Ivan, I appreciate that very much, Lauren, how would you like to go forward and kicking the ball around the conversation?

Lauren Lev
Right, next up on my Hollywood Squares is Chase. So Chase, talk to us about IAM in general, and at a high level, the role of the various components, like SSO and MFA. And share your thoughts on simplifying the conversation for our listeners, and those who are actually serious about achieving the brass ring of secure, reliable, trusted technology.

Chase Doelling
You know, I think for us, when we’re thinking about identity, like let’s start at a very basic level, right? I think for most of us, especially kind of just looking at the screens around me, right? A lot of our identity starts when we open up the lid to our laptop type in our password, right? Like, you know, and in passwords, they say it’s our secret creed, right? Like I made it up, I think I know it, right. I’ll try to remember it. But what we’re doing there is that we are now starting that kind of that chain of trust. Right? Okay, like, Okay, I’m going to login. That’s my device. And when we do that, you know, we’re thinking about, can we take that identity and put it into a couple different places, right. So for JumpCloud, we think a lot about identity living in the cloud. And so, like coming back to your point earlier around, you know, biometrics, and do we need an eyeball and kind of other things to get into the system, that is from a mentality when you’re thinking about where important information used to live, right? It was down in a vault somewhere, someone’s got to get to it, secret agent type stuff. But now, the reality is, is all that information is much closer, and it’s everywhere, right? And so, when we’re thinking about remote access, it’s all of those different components, right? We’re all kind of super secret agents at the end of the day, trying to access the most important information that we can. And so, then we’re starting to think about, Okay, now what can an identity do, right? Because if you have an identity hanging out, and it doesn’t have access to anything, like does it exist? Right? Very similar to a tree farm in a forest, no one hears it. But as soon as you start giving it access to all those different pieces, then you can start to think about can I govern that identity? Can I add in layers of security, like MFA, right? And so, we have the ability to kind of say, Great, we’re coming from a trusted device. 
Is there another conditional access piece that we can add into that and be like, well, if they’re still kind of getting into AWS prod environment, and we want to really want to make sure that that is, can we have an additional challenge there based on what that user is trying to accomplish? Right. And so the, the hard part now is, is skating that line of security and making sure that you always know who you’re talking with without constantly frustrating the people that are trying to get information done, right, because we all want to achieve great things. We all want to build stuff within our lives in our careers and we don’t want things to get in the way of that. And so, that’s why you have a lot of technologies like pushing that they in other areas and Single-Sign-On where you’re continuing kind of that chain of trust, like, even though it could always be improved. But if we’re managing that identity, that device the, the network access kind of all of those big components, then you have a really good sense of what people can do. And then final carrot is auditing all those things, right? Making sure that just because you had access to it, did it really happen, did someone access it that wasn’t supposed to who led that kind of change in authority? All those good pieces, right, that help a lot of folks just get a better understanding of kind of their, their baseline, when they’re thinking about how do I set up an organization and how can I authenticate into all these things, since they, that’s kind of a lot of the areas that we think about when we’re talking about, you know, kind of IAM in a broad level, right? It’s just, what can you do? What do you want to do? And can you do that in a, in a secure manner, that can be easily elevated or demoted? Or, or kind of, and then also adding in thinking about states, right, of a user like we, we are static people? You know, we do a lot of things, right? 
And so like our identities, when we’re thinking about accessing all those points, also have different levels, right, and kind of what we can do?

Matt Tankersley
Yeah, you know, you brought up an interesting point, we talked about elevation of permissions. And I know that your team is going to join us back when we have our conversation about zero trust. And that’s obviously a topic that comes up very much in our zero trust conversations is how can we, we’ll talk a little bit about least privilege when we get there, right? And so, how do we extend the least privilege and simply enable continued productivity through simplified escalation, but it’s all part of the IAM conversation. Glad you brought that up.

Sid Castle
I thought, zero trust is what my wife had for me in Vegas, so she was tracking my phone. She tracked my phone all through Channel Partners.

Matt Tankersley
Did she put up a fence where she knew you got outside of it she’d get a special alert?

Sid Castle
Yeah, she geo fenced me. So there’s a lot of red zones.

Lauren Lev
Alright, Sid, I see you chomping at the bit to go. So, we’ll let you take the lead. How do we prioritize identity access management and simplify this complex conversation?

Sid Castle
Thank you very much. I mean, Ivan, Chase, Matt, you guys have teed me up. Yeah, humbly this, this is what I do. This is what LastPass is all about, you know, identity access management. The key thing is we want to make this frictionless. You have to balance, safety versus use because if we make this so complex, so hard, so difficult, your end users will find a way around everything. They’ll do the most horrible things just to make it easier for them. You know, privilege access management is wonderful. But that’s for a key select few. The word itself is referencing privileged. Everybody needs identity access management, everybody remembers SolarWinds and the intern incident. So, you got to view it as such. You know I’m, I love movies. I’ve been watching forever, my whole life, so the Jason Bourne reference is incredible. But I want to take you back 28 years ago, there was a movie with Wesley Snipes, and Sylvester Stallone called Demolition Man, and they didn’t use an MFA with somebody’s face. They used a pen with an eyeball from the warden to get out of prison and get access to the entire computer system to get all the data. But so, we joked about that 28 years ago. The truth is, as Ivan even mentioned, people are doing that. They’re, they’re doing 3D rendering of facial faces so that you can lock down that facial recognition. But that’s why when Ivan mentioned points, how many points, and Matt, You are 100% correct. Most of us run 1 point, one, that password. LastPass, you know, idea is the last password you ever have to remember, I challenge you to go one step further. Don’t know any passwords. Your MFA, your face could be your tool into your SSO, into your enterprise, into your password manager. That’s how I log into my computer. It just says hey, it’s Sid logging in. And we joked that- you joked about geo fencing. 
If I try to log in from somewhere I’m not supposed to be or the time I’m not supposed to be, and then I’ll get a little kick to Ivan here, the iOS or the operating system, the IP address, the MAC address, we could keep going deeper and deeper. All these things could be in play and if one of those key features isn’t right, it stops it. I do a great demo where there’s red dots all around my neighborhood and everybody goes, Why can’t you login from there? I say that, those are places I can go fish. My boss won’t let me fish and work. And then, I flipped the video off and guess where I am? I’m at the lake and I got a fishing pole in my hand. So, we work from anywhere. So, Chase was talking about static. We are static in what we do, but we’re not static in where we’re at. I do demos from cars. I do it from airports. I did them in Vegas. I do it here in Arizona. I do. I do them from my boat on the lake and it’s hilarious. People will hear honking in the background and I don’t mean cars, I mean geese. And they’ll ask you, where are you? I turn the camera to show my background, show those it’s a flock of geese. They’re winter visitors from Minnesota coming to Arizona that enjoy the 75 degrees winter weather that we have. But we have to be secure of this, we have to make it easy. Because I’m as guilty as everybody, I get lazy. I want to go faster. Part of why I love the MFA is I don’t have to type in my password. I just show my face and make sure it says that’s where I’m at. But I love this stuff. I’ll talk all day any day. That’s my voice. Like my voice sounds like this for the last three, four days. You couldn’t get me to shut up.

Matt Tankersley
Well, I know we’re going to Andrew next. But you know, you said something, Chase implied it, right. It’s, it’s got to be a balance between security and usability, right. It’s so imperatively important. And I’m afraid. I fear that a lot of times if our security teams were leading the nation, we put way too much emphasis on the security to the point that we make it too hard for people to do their jobs. And then what happens is they find workarounds that either diminish productivity, like nothing’s happening, or you know, it’s just impossible to do your job. But it’s important. We got to, we guys, security experts that are listening out there, this security stuff if you didn’t know, we’re serious about. But it can be done, it can be done and it can be done in a way that it’s not knocking people out of productivity. So-

Sid Castle
But Chase had a great, another point that we all need to follow up on is reporting and accountability. Just because I have this MFA, I need to have a record of who was doing what, when and how. And even if it’s just denying me and I never knew it, but it was somebody else as a threat actor trying to be me, then somebody needs to have that report to say, Okay, wait, why was this coming from a red zone at two o’clock on Sunday morning? You know, who’s trying to do that and from where?

Matt Tankersley
Yeah, that’s brilliant. By the way, I, you know, I love when we can actually see our security work. Lots of times, we just have to assume that it’s working the way it’s programmed, but how do you break it? How do you know when it’s not working? Right? And not tell you those analytics. And those logs are just helpful as can be. Sometimes we want to get outside of that, right? Just to test it. Absolutely.

Lauren Lev
All right, let’s let Andrew get a word in. We know at Cisco, you have a strong focus on the MFA side of the equation. So, what are your thoughts on simplifying this conversation? And the priority role of MFA in the IAM conversation?

Andrew Griffin
Yeah, that’s a great question. So you know, I always like to take it back to, you know, the wonderful commercial the Tootsie Pop, right, like how many layers does it take to get to the center of the roll of Tootsie Pop? Right? That’s, that’s the one I always like to use, because, you know, for just relying on a simple password, it takes one layer, right? Going back to what Sid, and Ivan, and everyone else, and Chase was saying, and you know, when you add these additional layers of protection, well, you know, that not only relies on, you know, human and, you know, just relying on a password too, yet there’s multiple stances that come at this, right? Is that from an end user standpoint, they have to have a password, they have to remember that password. Like if you think about password management, and how many times people forget passwords. I mean, you know, that costs businesses a lot of money, there’s a team that’s specialized for that, storing that password, right. And introducing these other kind of MFA complexities to where, you know, kind of what Sid was saying, was that, okay, we know, John is logged in to his Windows device from eight to five, Monday through Friday. But, you know, Thursday, we detected that there was a log in, you know, on the other side of the world, you know, are there multiple Johns? You know, how was that, was that login successful? How did they, you know, figure that out, you know, MFA can get that deep to where if it detects that login, on the proactive side, it’s going to go ahead and let the legit John know, saying, Hey, let’s go ahead and update your password, right, just to be on the safe side, those proactive measures go so far, and a lot of what MFA offers is just that extra layer of protection, right. And you can go, you know, very deep into multiple layers, we’re going to have extra layers, you know, so it really just depends, but, you know, the, the data aspect, and all of that is just full on security.
I mean, if you look at a couple of the other major hacks that have recently happened, you know, MFA could have prevented it. You know, a very simple security mechanism that a lot of people look at as complex when it’s not that complex. That could have prevented so much which, you know, keeps your reputation from being tarnished. Keeps the trust in your customers, your employees, your business that you interact with, just holistically, right, a simple added layer can really make the difference to a lot.

Matt Tankersley
Yeah, absolutely. And guys, this is, this has been, as I expected, a fantastic conversation, time flying a little faster than I would have even anticipated. So, I want to give everybody, Lauren, an opportunity to talk about their particular approach beyond anything we may have discussed. So I do have to ask Andrew a question first, you’ve never seen a Tootsie Roll, Tootsie Pop commercial, have you?

Andrew Griffin
So I know, I know, I’m gonna date myself here, right? And you guys can throw some guesses if you want. But I have. Those were always one of my favorite commercials that have come on. And I’ll date myself even a little more. Right. So, when I was working on campus at my university, I was one of the computer guys where you know, if a professor had a computer issue, most of the time, they couldn’t turn on the computer, right? So, I just go in and turn the monitor on because it was off. You know, a professor was like, Hey, I forgot my password. And I’m like, Oh okay, we can just come right here and reset it. And he’s like, Oh, well, I need to remember my password in order to reset the new one. Okay, okay. You know, like, do you have it stored anywhere on anything. He’s like, Well, the sticky note that I kept under my keyboard, I guess the custodian removed it. And I really sat there and thought that this is a classroom that has multiple professors, you know, there’s so many students that come in and out. And that’s really what kind of made me think like, okay, yeah, you know, maybe we shouldn’t just rely on a password. And it kind of sparked that security conversation for me to look deeper into, you know, the whole IAM holistic view, MFA, SSO, that kind of stuff. So, yeah, just to date myself a little here, you know.

Sid Castle
It’s interesting that’s how lazy people are, and that’s one of my security systems going off. But when I was in office equipment, I used to have to go around and reset workstations and do things with them to set up scanning and document management and printing. And that, the IT guy goes, Let’s do it over lunch. I mean, we tell everybody “stay logged in so we can walk around”. And you know, half the people would still lock up, log out of the machine by habit. He’d go, Oh crap, Sid I’m sorry, this is gonna take longer than I thought and I go, No, it’s not. And I flip the keyboard on, I turn, you know, different things upside down, I’d reach underneath the desk and feel around every, I’d reach under the seat, and 80% of the time, I’d find a post-it note somewhere, or a little black book that had all these spreadsheets, a spreadsheet on it, you know, print out with, with passwords, it was easy. We’re not so bad today, but it is still, we look for the paths of least resistance. You know, as I said, I use MFA because it makes my life easier. Yes, I want to be protected. And then I’m that guy that keeps saying, Okay, I’m glad we protect your business. But how about personally, because I thought Andrew was going to tell me that the reason he needed his password was because he wouldn’t be able to get into something he needed for his own personal use, and he’d be locked out. So, that’s why he was looking. People do it all the time. You know, my dog 123. The elementary school I grew up at, my mother’s maiden last name, plus this year with an exclamation point. And it’s across all these sites. So personal and professional need to be locked down. But it has to be frictionless or they don’t use it.

Andrew Griffin
Yeah, that’s, that’s a great point, Sid too. And just to add on, right, you know, as a business, as a security entity, you know, let’s try to control what we can control. Right? You, you know, humans are humans, everyone has their niche or their way of doing things, or I’m gonna put a password here, there. That’s okay. If someone gets a hold of that, you don’t want that to be the only thing stopping a malicious actor from getting in. And adding this multi-layer authentication or other aspects, allows them to be like, Oh, I can’t get in, because I need, you know, a push to phone, I need a call to, you know, a different phone or an email, something else that adds the security parameter into where it’s not just a single point of entry.

Ivan Paynter
I heard earlier that we were talking about, well, time of day and location and things of that nature, you know, so I mean, my favorite time of the day to work is anytime after midnight, you know, yeah. The house is quiet, nobody’s there. Well, my company shuts me down at 11 o’clock. You’re not going to get any work from me at all. So

Sid Castle
Well yeah, Ivan, just call me. I’ll reset your geo and time of day parameter so you could do it.

Ivan Paynter
At the end of the day, they’re never going to see me because I’ve never gone through the front door. I always go through the side window because it’s always open.

Sid Castle
Oh yes, lock your door and lock your windows.

Ivan Paynter
Absolutely.

Sid Castle
Everybody needs to be secure in an organization because you might think of the privileged people as all the doors and you forget your windows. That’s, this is a, this is a game to them. But you know what? This is also, cyber criminals are like you and I, they’re lazy. If you were walking through the mall, when we used to be able to do that, the mall parking lot, and you’d see all the different cars and you saw something with a red flashing light on it, that there was an alarm. And then there was one without, and I was thinking the stealing one of the cars, I’m going to go to the car without the flashing red light. So you say, Cisco’s protecting you. You say LastPass is protecting you. You say you have all of the great tools that our panel has here and TechOnPurpose can provide you, they’ll start to look at and go, Wait a minute, no, no, there’s easier targets elsewhere. There’s so many other people who are doing the single point, identity access, and you start giving them multiple points, they walk away.

Ivan Paynter
And that’s, that’s that low hanging fruit that everybody’s going for. Right? Oh, absolutely. That’s what you do. It’s like walking through the woods. You know, all you need to fend off a bear is a BB gun, because you just need to shoot your buddy in his leg. Now I’m faster than he is. That’s the bottom line. It is. As long as you’re not the low hanging fruit, it’s okay. Look, it should always be something that you have, something that you know, right? No matter what, but at the end of the day, I’m not going to ever come into the front door. You know, we talked about that, you said parking lot. It’s my favorite thing in the world to do. Go sit in a parking lot and look for an SSID, I guarantee that you’re gonna find a default password and user ID, it’s right there. It’s right there because somebody was lazy enough not to change that password on that HP printer. I guarantee.

Lauren Lev
Andrew, how does Cisco security stack and MFA solution help our listeners to optimize their identity access management experience?

Andrew Griffin
Absolutely. Yeah. And, you know, I think this is the whole, the whole conversation that we’re having here, right? It’s that, it’s making a what seems to be complex kind of topic or integration installation simple, right? Easy to manage, easy to install, and easy to use, right, from an end user standpoint, and a business standpoint. Right? So, you know, for Cisco, we have Cisco Duo and then we have integrations. You know, just like Sid was saying with LastPass, you know, works hand in hand in our SASE architecture, right? You can implement SSO, which is the single-sign-on to any of our security solutions, right? So, it’s making them very simple. And not only is it providing the multi-factor authentication, but it’s really taking it a step further, right? To where, okay, you know, you have Duo on your device, you know, your phone, and all this kind of stuff. But it also lets you know, if Hey, I’m on a Windows device, and there’s a new update, you need to update, right? Or, you know, if you’re on a Mac device, hey, well, this application, it’s out of date. So, let’s update it, right? So, let you know that, you know, there may be other aspects where people can get in and try to get into your device that you would not be aware of, but it’s just taking it that step further to really let these users know, these businesses know that, hey, we want you to be secure and this is the way to do it. Right? So, those proactive approaches are nice, along with, you know, a lot of what’s already been mentioned, which is, you know, the reporting structure of, you know, John number two, trying to log in from China at 2:30 in the morning, you know, trying to hit one of our internal sites for some reason, right. But we know John number one is on the west coast, and he’s asleep.
So, you know, we know that that, you know, kind of user’s not there and, and having those reports and having all that noted and, you know, going back to the old AAA, right, who, what, when, where, why all that kind of stuff at your fingertips, right? And from a very easy to read standpoint, right? A lot of these logs can get super complex. And, you know, if, Joe, if Joe wants to come in, or you know, there’s a CISO, that’s like, Hey, I just want to report, we can just go and click a report and show it from a very easy to read standpoint.

Matt Tankersley
Right. Hey, Chase, I think Lauren’s got you up next. And you know, we’ve talked about literally I said, we said it early on, we happened to mention PAM, you know, privilege access management, we happen to mention SSO, we haven’t even talked about that. The one thing I haven’t heard anybody say, it’s implied in our entire conversation, is directory services. And the role of the directory services plays in this entire thing. And you guys are absolute my pain as an old guy. I’ve been pushing buttons for a long time, you guys are really leading in the marketplace. We love what you do and how you do it. Tell us more about JumpCloud, the origins of JumpCloud and how you guys are approaching this, this topic?

Chase Doelling
Yeah, absolutely. I think one of the areas that we think about is hey, come back to a previous example, kind of like where’s it all, the important stuff’s kind of like elements of PAM and SSL but really, that’s it’s access to all those things. A lot of people have viewed directory services, right? Where does an identity for an organization live? Typically that was in an AD server somewhere in the closet, right? Which is great if you’re coming into the office and you’re thinking about keycard access, getting on the corporate network, kind of all of those elements that reinforce that notion of physicality, right of kind of an identity. But as we are now all remote and kind of as organizations grow in or as organizations, even if they weren’t there already global. So, you’re kind of understanding that nuance for JumpCloud, we take that identity, put it in the cloud. But then one of the things that we like to do is like, come back. And I was like, great. Now, what can we do with that? And so, because we’re owning the identity, we can do a couple interesting things. Because we are also managing those devices, we take a pretty agnostic view. So, we work across Windows, Mac, and Linux, right? So you can kind of take your flavor. But then what we’re able to do is, hey, when you open up your laptop, you’re logging into that local account, right? That’s managed by JumpCloud. And because that device is managed by JumpCloud, we can see that so then you can actually just hit on your, you know, your user portal, you’re automatically authenticated in, and now you have all of your SSL applications. Right, great. So now I can actually authenticate into even further of what I need to do to get my job done. But in each of one of those steps, there’s, you know, a checks and balances of a, was a certificate given here? Was a user login given here? How was that captured and authenticated? Right? And then come back and make sure that it’s audible of all those good things.
But what we’re really trying to do is centralize saying, We’ll take your identity from anywhere, right? If you started on Office 365, or G Suite, or even, even an Active Directory server, right? We’re able to pull that identity in and then kind of give it superpowers, right? But when you’re doing that, you’re also doing it from the notion of best practices, right? You’re, you’re adding in people into groups, you’re adding in people of groups of devices. So, one of the important things that we like to focus on is kind of like, you know, the life cycle, onboarding and off-boarding people come to join an organization, how can I get access to everything I need really quickly? And then on the reverse, when I win the lottery, right? Or, you know, I fortunately, everything is shut down gracefully, right? In like no access is given, right? Because that’s usually on the tail end to because a lot of people are changing organizations like hiring someone right now is just crazy sauce. So, there’s a lot of people leaving organizations, and so it’s on that tail end, like how do you make sure that that’s secure, that’s authentic, so you don’t have a lot of people take the stuff with you. So, we really tried to democratize a lot, I’d say a lot of the elements when you’re thinking about what you can do with an identity where it can go.

Sid Castle
So, you know, Chase, you hit a lot of great points. We’re no longer behind the moat in the castle where we felt really secure and everything was really tight and it was difficult to get in and difficult to have any threats acted upon us. We’re now all out in the fields, doing our things, working as effective or more effective than ever. But there’s all those different doors and layers that we need to build to protect ourselves. So, you’re 100 percent correct there, and that’s where I think LastPass is that great partner. You know that password manager, when it’s needed single-sign-on, the MFA, or you take one part of our solution and pair it with somebody else’s solutions. You know, I’ve worked with many other MFAs, and you hit on something that a partner came up to me at Channel Partners of all places, to express a concern. Off-boarding, they had an employee leave. They had a couple of employees leave and before they were truly done finished off boarding. I don’t think they had federated a lot of things so when they wanted to come out of one thing you didn’t take them out of everything, so your product would be an immeasurable help here if they have had it. But they were having a rampant issue where things were running around from the back in. So, it’s like what Ivan said about locking your windows, I joke all the time about that. Everybody needs one product. I have because don’t leave a window unlocked once I’m inside the house, I have unlimited time and space. And if I hide myself well, I could slowly pick at your lock, at your vault, or I could dig a hole underneath where it’s the thinnest metal or I could figure out a way to get into your vault that you have 100 secure, armed security guards sitting outside but I’m three layers in already, and you don’t even know it. So, that reporting and seeing that activity and hearing something, you know, a lot of our products do that and your products and the rest of the products, but everything needs to be paired.
You can’t just use one of our products and think you have everything. So that’s why somebody like an Ivan, who wears the white hat and can go in and disrupt your business and go back and say, OK, LastPass here, JumpCloud there, Cisco here. Let’s make this a total solution and Matt will tell you how much your monthly spend is. And it’s a lot less than getting compromised. So that’s where it all has to come in. But that’s where I step off my soapbox and let you guys finish it out. But thank you again. It’s been a pleasure.

Matt Tankersley
Let me, let me just say to Sid really quickly. I love, you hit it about twice now and both your platform and a lot of people might not know this, right? LastPass has a lot of integration, not unlike JumpCloud, right? To federate those credentials in such a way that I can shut it down in one place and it’s shut down everywhere. And so, we’re obviously, love to take advantage of those in the partner you were talking with is probably looking for that same thing real quick.

Sid Castle
If any of you ever been an IT manager, you know, I used to dread- today’s Friday. A lot of people loved it. I hated them because this is the day that the owner would come by at 4:30 and go, *knock* I’d be like, not here. And Matt they go, Sid, you’re here and I’d go, No, I’m not. I said, OK, Matt, take my cell phone, call my wife and tell her why I’m not going to date night just because you decided, Lauren. It’s Lauren’s last thing. And Lauren, I’m just kidding. That’s not happening, right Matt? But things, I’d spend hours off-boarding you. Deep provisioning, going through all these things scared I’m going to forget one thing. So, I go over it three times. Now I’d laugh, with JumpCloud, with LastPass and federate you with Active Directory users and other things. Click, click, click. I’m done. I’m gone. I’m having a ribeye with my wife laughing about why, why Matt let Lauren go, you know, just because she said she didn’t like his hat. You know, not the white ones it’s going to be the full ones. It got worse.

Ivan Paynter
And somehow, someway, somebody, somebody put a white hat on my head. I don’t know. I think it’s a little bit more of… on the grayer side, but that’s OK.

Sid Castle
That works, too. As long as it’s not a black one, full, full bad. You could be a little bad. There’s a black one in the corner somewhere, you know, I think, I think Sid that, that first of all, I think you all really hit a lot of things out of the park here, but you talked about the one thing that we all need to really hear the cyber. And that is the golden bullet or whatever you want to call it truly doesn’t exist, right? And it’s a layered approach. And we all know this already, but we have to reinforce that. There is no one magic bullet. It will never happen. But if we do utilize a layered approach, right, that we think about, not the way everybody else is thinking about a password, but we have to think a little bit differently. Let’s put that gray hat on, and let’s think about how the bad guy is really looking at this because at the end of the day, you know, just like you said Sid, you’ve got all the time in the world, that dwell time you just sit there banging at it, and unless someone is paying attention to those logs. Unless somebody is paying attention to all those alerts that are going on, i.e., target. You’ll never see it going, you’ll never see it occurring. So, at the end of day, not only do we need to be vigilant and to how we provide those defenses, we use multiple layers in those defenses. We have to understand that privilege access of that user and only allow that user to have that level. But we can look at time of day. I’m kind of iffy on time of day because I like to work when I want to work, at the end of the day, it’s multiple layers. We use multiple technologies and we have to make sure we train the individuals not to be trusting and not to write things down in stupid places. Got sticky notes were great value that 3M gave us? It’s probably the worst value that we can ever have for passwords, right? So, we have to be smart about how we approach it, and we really have to pay attention and we have to teach, train, measure and reteach again. 
And that’s really going to give us a level of security that we need. It’s great stuff.

Matt Tankersley
Absolutely, Ivan. Thank you as always for being here. Listeners, IAM is an important topic. It’s a deep topic. It obviously has a lot to do with passwords, it has a lot to do with MFA. It has a lot to do with SSO, which is hopefully simplifying your productivity as we’re taking our directory services and we’re integrating all of these things together in such a way to keep you secure and keep people productive. And Chase, any last words for our listeners today?

Chase Doelling
No, I mean, I wish I had something more insightful, but I think a lot of what has been covered has been really important, right? And I think again, taking a room with layers, how to think about things differently. I think just, you know, more often than not, a lot of people in organizations just don’t start secure, right? They just don’t think about it. They’re trying to run a business or other components that, you know, are kind of top of mind. And you kind of forget this lingering asset, right? So, I think if you take all of the recommendations from everyone here, you’re already in a better spot and it’s a journey, right? There’s, there will be new layers that are soon to be discovered, right?

Matt Tankersley
Absolutely, yeah, yeah. Thank you Chase so much for being here. Sid you mentioned movies, we’ll give you final thoughts. Did you see Ready Player One?

Sid Castle
Yes I did, that was a, that was a nostalgic rundown of history for me. Oh my goodness. But you know, we joke about movies here and that, you know, Clint Eastwood had a great one with Dirty Harry. And, you know, do you feel lucky punk? You know, you talk about this magic bullet. The thing is this, that was effective for what he did, but that’s just one tool out of many that a police officer could use, should be the last tool, hopefully. But the thing is, is you need to look at all of our aspects, Ivan and Chase just dwelled on this over and over and it’s correct. So, reach out to your wonderful, wonderful partner called TechOnPurpose. Get Matt and the whole team involved, and then they’ll bring the rest of us. You know, I learned one day that I wasn’t as smart as I thought I was, and I got tenfold smarter when I said, You know what, when I don’t know certain things, stop trying to do it. Get Chase involved. Get Ivan involved. Get Matt. Matt is the orchestra leader, he gets all the little players in. I’m blowing a horn. Ivan’s got the bass. Chase is on the drums. There we go. Let’s get going. And Lauren, I think you probably got the best vocals of us all, so you’ll be the singer.

Lauren Lev
Oh, I’ll be on the triangle.

Sid Castle
More tambourine, more tambourine.

Lauren Lev
Or a backup dancer, you know, one of those.

Ivan Paynter
I thought Lauren just got fired.

Lauren Lev
Oh, no! All right. Well, now that you all have rehired me and demystified the world of identity access management, we’re ready for next week’s episode on security patch management. What is it and what is its role in securing systems against attacks? For those listeners interested in learning more or about getting underway with the free trial from any of our solution partners, send an email to FreeTrial.WhosInYour.Cloud. You can also sign up for our free cybersecurity assessment by visiting WhosInYour.Cloud today. Once again, I’m Lauren Lev. I think I’m still the Marketing Manager for TechOnPurpose, and we hope you all enjoyed today’s episode. Special thanks to all of our subscribers and viewers for following the Who’s In Your Cloud? 21 Steps to #Secure, Reliable, Trusted Technology journey. Remember, you can catch each episode of Who’s In Your Cloud by following TechOnPurpose on LinkedIn, Facebook, YouTube, and now Spotify. You can also sign up for our blog to have episodes delivered to your inbox weekly at TechOnPurpose.net/Blog. So, join us next week and we are happy to have you. Goodbye, everybody.
