Securing access to the infrastructure, tools, and applications that DevOps teams use, enabling elastic application configuration via secrets, and authenticating applications and services with high confidence and in an automated fashion often runs counter to how identity and access management best practices are traditionally enforced in these environments.
Security is often not the main focus for DevOps, as traditional methods of securing developer environments involve manual interventions and restrictive controls that significantly impact the agility of development and operations. Adding to the complexity, non-human identities assigned to machines, APIs, and microservices nowadays represent the majority of “users” in many organizations.
This webinar explores how DevOps owners can layer identity security into their environment without impacting agility, leaving them to focus on what they do best. Our expert speakers discuss best practices to:
- Protect DevOps infrastructure and CI/CD pipelines from access-related risks by maintaining continuous visibility into identities, their entitlements, and usage.
- Provide identity independence across on-premises and cloud environments (public or private).
- Centralize authentication across applications, DevOps tools, and critical workloads.
- Modernize DevOps application-to-application password management approaches to simplify and centralize credential management.
- Assure programmatic access with federation authentication.
- Scale containerized software up/down in minutes to suit your needs.
- Centralize authentication for all your apps, resources, and critical workloads.
Tony Goulding, Cybersecurity & Product Evangelist, Centrify
Tony brings over 30 years of experience in security, software, and customer relationship-building to the Centrify team.
Andy Smith, Senior Vice President of Marketing, Centrify
Smith’s expertise spans twenty-plus years, and he drives Centrify’s identity services security products and platform strategy.
Loren Russon, Vice President of Product Management, Ping Identity
Andy Smith (00:09):
Wonderful to have everybody here today. Really happy to have Loren and Tony speaking, our experts on today's panel. We’re going to be talking about best practices for layering identity security into DevOps. Many of you are going through digital transformation, going through re-architecting your applications, and identity is a very important aspect of that. Obviously, not only do people have to get into the applications, but people also have to be able to manage them. Services need to be able to talk to each other, et cetera. We're going to talk about how to embed identity in a seamless way and how two companies, like Ping Identity and Centrify, can work, can put a better story together, about embedding identity into those applications. So, really excited to have everybody on board. You know, when you, when you do move to DevOps, it is not always combined with the digital transformation effort, and almost always combined with a move to the cloud.
Andy Smith (01:25):
So, it is a very complex move, with a lot of things to think about. So, as you go through your digital transformation journey, you are likely moving to the cloud. You still have on-premises; you are re-architecting your applications for DevOps. You are maybe going to containers. If not already microservices, obviously you've got servers and network devices, et cetera. It is a complex environment. You're thinking about the end-users. You're thinking about the IT administrators, you're thinking about the workstations people are using to access all those things that come together that have to be, have to be considered when you're looking at your security model. So, there is definitely increased complexity, when you're going through digital transformation, as opposed to the days when everything was in your data center, these monolithic applications, et cetera, much more entry points, many more attack surfaces that you have to deal with.
Andy Smith (02:18):
There are stages in your maturity. Let's see, get to the next slide. There we go. Stages of maturity. So, pay attention to the slide because I'm going to ask you where you're at and just a few slides from now, but many companies start with lift and shift. They take the existing applications, maybe the test and Dev environments, move those to the cloud. But really aren't re-architecting those applications, just trying to take advantage of, the cloud resources, for the infrastructure below the applications. The next step many organizations take is they redesigned for elasticity. So, they've got a web tier, a server tier, a database tier, et cetera, those talk to each other, but you can scale those out independently. And that allows you to redesign, for that elasticity.
Andy Smith (03:07):
And that is a big, complicated step, but it provides a vast improvement for it. And then where we're talking about today is that you know, getting onto that third tier where you’re re-platforming the entire application into microservices and containers, you can add zero-time upgrades. You've got lots of flexibility for scaling up and scaling out, you totally are redesigning those applications. So, pay attention to those, come and ask you where you are on your journey in just a minute. So, when we think about identity embedding into these applications, you need to think about it, traditionally in the center here, everything in the data center, you think about customer identity. So, these are customer consumers or citizens that have to log into applications. And very often this is, Ping has served these, these types of identities for years on the bottom.
Andy Smith (04:04):
There's the workforce identity. And that traditionally over the long-term, that's been active directory, you manage all your employees, et cetera. That's very traditional. You're doing single sign-on, maybe multi-factor authentication and you have workloads in the center of that. Those have traditionally been servers. And so, when you think about those workload identities, you're thinking about IT people logging into those windows or Unix, Linux servers, et cetera. And that's kind of the place where Centrify has been, traditionally, so infrastructure people and services as we move forward. And we start to, let's see, it's going to build one more time here. We start to go through that digital transformation. You still have those divisions, but you have this concept of workload identity, that, that comes into the picture. And so not only are humans logging into these, servers but now you have services that need to talk to each other.
Andy Smith (05:03):
And each of them has to have an identity, the same traditional controls take place where I need to authenticate. I need to authorize, but it may not be a person anymore. Machines are talking to each other, services are talking to each other, but some of the same controls in place. And you get, you get identity providers like Ping, and Centrify working together to cover embed security into all these layers of your application, that the customer identity, the workload identity and the workforce identity. And so, we're going to talk about all those different identities today and, and how Centrify and , can come together to, to meet your identity needs for those applications. So, I told you, I was going to ask you a poll question, here we are. You should be able to, where are you on your journey of your digital, your cloud transformation, your digital transformation journey.
Andy Smith (05:53):
Have you started yet? Maybe you're planning on but haven't started yet. Maybe you have no plans I'm sticking in the data center, or, or not. Are you at the lift and shift stage redesigned for plasticity, or are you already re-platforming your applications for DevOps and microservices, et cetera? So, please go ahead and answer. We're trying to get a feel for the audience. So interesting. Most of you are on your way, but, interesting. Not many people yet re-platforming, that's jumping up as we let this go a little bit longer.
Andy Smith (06:54):
Interesting. Yes. Okay. Very helpful. My peers on the line. I don't know if you guys are watching it coming in, but, I'm seeing, 10 percent-ish are both in the, have not started or no plans to move to cloud. 30% addition lift and shift 30% descent, redesigned for less elasticity and 20 percentage, re-platforming. So, you know, there's still lots of work to be done, for many of these organizations, which is not surprising. So, I'm going to go ahead and share the results with the audience here. We can see, as I said, about 10%-ish, both either have not started or have no plans on moving, 30%, are lifting, and then lift and shift stage 30% in the redesign for, and almost 20% re-platform for containers. So, I don't know if that's surprising at all Loren or Tony, or about what you guys expected.
Tony Goulding (08:08):
Yeah. From, from my perspective, Andy that's, that's kind of in line with what I'm seeing. Certainly, in our customer base, we have the, I mean, we've got what 30, 60, 78%, are actually engaged in data transformation. So, no big surprise in that combined number. I'm a little surprised we have so many doing the re-platform for containers, but I guess if, if you're gonna commit the engineering resources and the budget to go to the cloud, and you've got a very critical set of business apps, Hey, you might as well go the whole hog. That's very encouraging.
Tony Goulding (08:43):
Yeah. If you're attending a webinar that's identity for DevOps, hopefully, you're starting to think about that at least. Yeah. We recently did a poll when we were finding that out of our existing customers and new deployments.
Loren Russon (08:56):
60% are over 60% are actually in that re-platform containerization of their identity stack. So, consider that's one of the first foundational things you need to be able to then move your application. So, numbers are a little lower perhaps than what we experienced, but good, good statistics.
Speaker 4 (09:15):
Loren Russon (09:16):
All right. Hey, thank you for the introduction. Appreciate you being here, Loren, I'm going to hand it off for you to tell the audience a little bit about Ping and, and what you guys are doing, with the customer and workforce identities. That's great. So, I did want to thank the Centrify team for allowing us to participate in this. It's been a really great experience to prepare, and I think, in taking advantage of this relationship, hopefully out of this presentation, you'll see why the combination of both Centrify and Ping really provides that best practice solution for you, um, to be successful with your DevOps initiatives. Now, one thing I wanted to state is that at Ping, you know, we really are focused on securing digital business initiatives through identity. It's really that identity is that new perimeter; business initiatives are really deployed and secured through identity.
Loren Russon (10:12):
We do this by really helping you through that digital experience for all your employees, partners, customers, and things. And that's really about securing them as well as making access to them seamless. And then how do we do it? We really then provide secure access to cloud, mobile, and on-premises applications and APIs. And we're also managing secure, sensitive identity and profile data at scale. So, if I move on to the next slide, you know, this is really, you know, looking at how Ping represents our products today. And so, Ping delivers a modern IAM services platform, something called the Ping Identity Platform. This platform is composed of four layers from a single administrative portal. You see at the top, solution packages really are the combination of our software, as well as our SaaS services, combined together to solve a particular problem. And then a little later we're going to talk about one of those packages, the individual products, and services that we find many customers just want to consume services, or they want to establish, you know, really kind of an anchor or a LAN and certain capabilities. And then last is ensure that there's a set of common platform services that we'll go into on the next slide.
Loren Russon (11:31):
There we go. With the Ping Identity Platform, it provides this unified portal, and it provides access for administration of SaaS and software components. So, one place to be able to administer, visualize, be able to provide updates and upgrades all through one unified portal, integrated solutions. As I said before, really composed of cloud software and hybrid products. And we find that many of our customers are either wanting fast deploy. They want to just quickly and more of an express deployment, achieve MFA integration for example. And so, we've had customers that have been able to implement MFA for their entire workforce through this last pandemic in roughly two weeks for a very large population of over 25,000 users that are involved. So, that's really those express use cases, but we also have many that have more long-term visions or very advanced use cases, either brought up a number of remote users that have very unique device needs, others that are looking for legacy or application to legacy application,
Speaker 5 (12:36):
Remote workforces, et cetera. Okay.
Loren Russon (12:38):
The next layer is really products that deliver critical identity and access management capabilities. Those can be consumed standalone so you can consume just MFA, or you can consume them in a platform or a solution package. And it's really that combination of bringing cloud services as well as software services, gateways, and agents, to be able to enable you to, support modern applications, as well as legacy applications. These services are really built on that platform. That's a common foundation, really of core services for common logging, licensing, notification, data lakes, administrative services, all the things there to help support the operations and best practices in utilizing those services from them within that platform. That also includes DevOps automation of the software components in containers, as well as non-pre-configured orchestration tools to really help streamline the deployment and maintenance of that.
Speaker 3 (13:36):
Now, if we translate how this fits then is, you know, Ping provides the services, you need to really build this strong identity layer that we talked about. And so, you look at what Andy described as far as companies that are migrating their data center to these multi-cloud environments. And really what does it take to make that a wrap reality and in building this strong identity layer, it's about building the authentication on the authorization that customers and workforce users need to access the valuable resource that you need to protect that identity layer is then supporting customer identities by providing self-service tools. And that's everything from login, user registration, self-service account recovery and password resets, and strong authentication for a host of users, devices, and mobile applications. The identity services layer also supports the workforce by providing them a single, more seamless, single sign-on experience across multi-cloud.
Speaker 3 (14:30):
I talked to one customer and they said, you know, to enable their entire workforce, they have 400 plus applications that they want to achieve at a single sign-on or seamless access experience. They also need to do that across, the multi-cloud hybrid applications, so that SAS applications, those that have been lifted and shifted to, cloud platforms as well as then their legacy data center. And this is supported by adding multi-factor authentication to support passwordless flows, as well as them providing adaptive access to ensure a positive, secure experience for users, because it really, you've got to be able to, enable them to do their job, but you want it to real-time assurance that the resources that you need to protect are protected and that the user access to them are who they are.
Loren Russon (15:21):
So we look at then.
Loren Russon (15:21):
You know what that means? This identity layer is really provided in something that he calls an authentication authority, and that authentication authority unifies access control by first centralizing policies for how identity information can be shared with the various applications, either be these modern SaaS or else legacy applications. And it also then ties into a variety of identity systems. Some of them are your modern, OpenID Connect, cloud-deployed IdPs. You've got also legacy applications and data stores. This includes then support for a broad range of authentication types that you see on the left side of the slide. That's everything from legacy protocols to more modern protocols that you see enabling a broad range of decision types. And that's really about leveraging contextual data that's available as well as then gathering risk as well as behavioral signals to be able to help make decisions in real-time. And also, then support of aggregation of identity data from multiple data sources, being able to not have to unify everything at once, but to be able to aggregate on a just-in-time, just-in-access approach to be able to give those legacies, as well as those monitor systems, what they need. And then also, that ability to provide a whole host of out-of-the-box integration services for your SSO or authentication flows, as well as your data sync flows.
Loren Russon (16:48):
And so, if we translate that then into the authentication authority really then becomes that single source of truth as for any application type for any cloud deployment integrated with any identity store. And I think it's important to realize that need to, for large enterprises to be able to support a variety of application clouds and stores as well as then, is that ability to support any user and the device they need. And that's done by providing, but Ping blades is the most comprehensive adherence to these standard specifications in the market. And it's very important that standards are there.
Loren Russon (17:25):
So, a few more slides. And then I am going to ask you a question. So, I'd like you to be thinking about, you know, the, the next few sections, and listen for that, that question that I'm going to ask you. So the first thing then is we take that authentication authority and we apply it to your multi-cloud environment and by doing so, you're going to establish this anchor. It's really this point or centralized control that does a few things that boost your security without adding any friction. Cause really, you're sitting in the middle of adjudicating decisions of, you know, I've got to use their tie. If it's at a kiosk with a certain context that they're in a public environment, you change, you adapt to what that need is. You have other cases where you're balancing security and productivity to all resources, maybe you're inside the firewall, they're VPN in.
Loren Russon (18:11):
They have high level of clearance, you know, who they are making that a very seamless experience to access provides that productivity without getting in the way and to stop us that you may have a case where you need to strengthen and, raise the security and then require a little bit of friction to make sure that the user is who they are. And then last is by centralizing around the sophistication authority that unifies the controls and gives you visibility beyond just the application into each layer of your enterprise, API, solicitor data stack. So, some of the best practices, and we'll get into this a little more later on is that, when you look at what comprehensive security needs, it's important just to look at some of the current challenges. Today, quite often, our systems are built on rules and policy centric deployments.
Loren Russon (19:00):
And that really is just, you know, we've created a lot of rules and a lot of policy-centric environments to get control. I talked to one customer and they had over 600 plus access controls for their various applications. And in analysis, they found out they only needed about 19. There was so much duplication, because they, they had created a rule for every single scenario. There's also this definition of reserve consumption models. But often we have companies talk about internal and externally guys versus public and private. That's used the same structures for both public and private versus distinguished between what's external and external. We also have seen many companies that are leveraging existing tools that are very separate systems, really meant for only web and only API and only data. Now, some things to look at for best practices start to unify and find vendors that can support access controls for all of these, which I think both Ping and Centrify do very well.
Loren Russon (19:55):
And then also a lot of the things of the past and some of the challenges you face as you're maintaining disconnected, layers of security, really looking at this patchwork almost of different tools. And so some of the best practices that we recommend are really about building out this comprehensive security platform across all organizations. I believe that you need to first essentially baseline your security layers and then require additional security beyond that. Some of the things that you can consider is to start to leverage our artificial intelligence, really look at machine learning to help automatically adapt to the different behavioral patterns and anomalies that allow us to establish, and generate policies and rules leveraging these capabilities versus having to constantly maintain these static rules. We also need to make sure that it's identity-centric, this notion that implementing step-up authentication and MFA for the right users to get access for not only web mobile API and data access is very important.
Loren Russon (20:56):
Allow organizations to securely access organizational data, but remain compliant with the various regulations that are out there. It's interesting. I've had many companies say if I can achieve GDPR, if I can achieve FedRAMP, that really provides me a framework or a foundation to be able to ensure that I'm compliant across the board and I can handle and future-proof the other regulations that may come to bear. And the last is to ensure that you have complete visibility into those environments. And so, on that, then some of the results are really then you increase the protection. You're able to defend against a lot of the common attack vectors. You know, you can really enable and secure your organizational data and be compliant and not put your customer's data at risk and then provide that unified view that's there. And so, if I take these best practices and talk about really why Ping and Centrify together, and it is about enabling single sign-on to Centrify’s privileged access services and really reducing the administrative burden that's required to provide a holistic or comprehensive security platform.
Loren Russon (22:10):
Next is about managing authentication via privileged credentials. And so, consider if I can add multi-factor authentication or I can adapt to support privileged credentials, you can then secure access for administrators, developers, and operating teams across that, all of the layers or all of the stacks within your environment. You're also then gaining additional layers by adding step-up or multi-factor authentication to Centrify's password secret vault; it's enabling things, identities, adaptive MFA, leveraging the federation capability and RADIUS server to support the Centrify password secret vault. And the last is then looking at providing continuous monitoring and secure access control to all the resource types, regardless of if it's web, API, mobile, and data. All right. So polling question, but I wanted to ask though is then, so how does an authentication authority provide an additional layer of security against attacks? And I'd like you to pick one, you've got everything from step-up authentication, maybe it is just about centralizing access control of everything in one location. Do you really need adaptive access behavior? Or can you move forward, or is it a combination of all of the above?
Loren Russon (23:37):
Can I give you a few minutes here? Okay. A hundred percent. I'm glad you all were listening. It's a hundred percent all of the above and you're right. All of the above. I think you need to look across the gamut and those are, I think, best practices in all cases, around how you can secure those environments. All right. So, I'm going to move on, Tony, I'm going to let you take over and I appreciate the time.
Tony Goulding (24:01):
All right. Thanks very much, Loren. First of all, before you drop off, can you hear me okay. All right. Good, good, good, good. All right. Hello everybody. A pleasure to be here. So, let me begin by talking about Centrify and what we do as an organization. So Centrify focuses exclusively on privileged access management or PAM or PIM as it's sometimes called as well. We'll stick to PAM. So, we focus on PAM software and that is to help our customers prevent identity-based, uh, data breaches. Now here on the screen, I have our mission statements and, very often I think mission statements get skimmed over, but I want to highlight some keywords and phrases here that will help you better understand what we're trying to achieve for our customers. So, the first is, enabling digital transformation. And Andy mentioned that right at the very start, most of our customers are involved in some kind of digital transformation.
Tony Goulding (25:04):
They're embracing the cloud. And also, in his intro, he highlighted this with the slide that showed the lift and shift, and the infrastructure as code in the middle, and the containerization on the right-hand side. So, at Centrify, we're enabling this from a security perspective. Now, next here, we're enabling, we're enabling this transformation at scale. So now more than ever before, we need a PAM solution that can scale beyond the traditional confines of the data center. Next, we have privileged access across hybrid and multi-cloud; this is becoming more and more critical as we see from, from our customers and certainly, legacy 10 years plus, PAM technology that was originally designed for the data center just doesn't cut it anymore. Now, back in 2015, Centrify was actually the first PAM vendor to provide our customers with a SaaS vault that was cloud-native.
Tony Goulding (25:58):
It was specifically built from the ground up to address this kind of modern hybrid and multi-cloud use cases. And then lastly, on this mission statement, identity-centric, PAM based on zero trust principles. So, this is how we do it. So, a vault is still a critical part of PAM, but modern enterprises need an identity-centric focus, one that relies or leveraging zero trust principles, as well as least privilege instead of relying, purely on a vault-centric approach to privileged access management. So hopefully that helps you understand what it is that we do as an organization. So, moving on then, revisiting this, that both Andy and Loren put up, it is an important one. I'll spend a bit of time talking to this now, as we've already heard, Ping identity plays a critical role in managing both the customer and the workforce identities, but at Centrify, our focus is on workload identity.
Tony Goulding (27:03):
So that's when a customer is building their own applications, they're running them in the cloud. They're running them on virtual servers or in containers with microservices. So, the first thing is, what do we mean by workload? Excuse me, what do we mean by workload identities? So, I guess broadly speaking, it's the identities used by the IT department, by developers, by the Ops teams, as they're engaged in supporting and building and deploying and operating the business applications that they are responsible for, but they're also identities used by these applications and services themselves to talk to each other. And then finally, they're also used by machines, and I'm going to talk a little bit about machine identities later on. But it used to be the norm that workload identities were almost exclusively accounts that were stored and managed within Active Directory. This might be an account for a human, it might be for a headless application or a service, or a machine; but moving to the right in this diagram to a more, more modern scenario where customers have migrated their application logic to the cloud.
Tony Goulding (28:19):
Again, either in VMs or in the traditional three tiers, of web compute and data, or perhaps more advanced with containers and microservices during this transition, they may want to continue to use an AD on-premises for identities. And in that sense, they can leverage Centrify's cloud-based identity platform to enable AD-based login to the instances that are in the cloud without having to replicate AD infrastructure in the cloud. So, they're still got AD infrastructure on-premises in the data center, but now they want to enable their IT admins and others to log into those resources. You know, how'd you bridge that gap without replicating, the AD stack to put it bluntly, other organizations we talk to, want to switch that AD stack off completely and in doing so, they're able to use, our Centrify platform to assign the identities, to issue ephemeral tokens in more of a federated authentication model and also to control access between the various actors.
Tony Goulding (29:28):
And since our platform is SaaS, it's available from anywhere. So, issues of, of tunneling into the data center to access Active Directory, if you still desire to use that as an identity provider, issues of, excuse me, expensive site-to-site VPN or issues of, of taking a bunch of that AD infrastructure and replicating it with, my trust and read-only domain controllers in the cloud, all of those issues can go away. So that streamlines and reduces a lot of that friction. Now, as you see on the slide there in the second bullet, we mentioned secrets management. So, in regards to secrets management, customers deploying that traditional three-tier application architecture tend to be concerned about how to leverage the cloud to maximize operational agility. In other words, how can they react quickly to scale their service up or down based on things like customer usage during Black Friday, which is just around the corner.
Tony Goulding (30:32):
And so, the Ops team needs to ensure that as those tiers automatically scale up, leveraging things like the native cloud auto scaling services, that the configuration data is identical for each instance of let's say the new web servers. And then of course, those web servers need to be able to talk to compute and compute to data. So, there's this need for a consistent set of centralized secrets that those layers can access as well as authentication up and down that stack, and hence the need for identities, because you can't necessarily authenticate in a reliable fashion without an identity. So that's where we can leverage the Centrify vault for access to those identities, or even Ping Identity as an IdP to serve up ephemeral credentials, such as OAuth or OpenID Connect, JWT, SSH certificates or PKI certificates. But back to the configuration data, it is critical to maintain centralized configuration data in secrets, in a vault where they can be consumed programmatically and, most importantly, where they can be consumed quickly. We can't afford to wait for ops to manually instantiate new instances and configure them; human intervention will just break that model. So then if configuration parameters change, you change them centrally within the vault and then developers don't have to worry about updating their code. So, the secrets get updated in the vault and all the dependent apps can fetch the latest data. So, then the last bullet in that workload identity section is machine identity and delegated machine credentials.
Tony Goulding (32:23):
So, moving on to the next slide, hopefully that has pushed to the audience, as you might imagine. Certainly, at Centrify we talk to DevOps teams a lot, and one of the biggest hurdles for us as a privileged access management vendor is getting DevOps to incorporate PAM into their daily routine. In other words, if PAM introduces too much friction and it slows down productivity and agility, then they're going to bypass it. They're going to figure out alternatives, and that will result in increased risk. So, at Centrify, we developed a technology called delegated machine credentials, and we did that in response to these issues of adopting PAM as part of the CI/CD stack.
Tony Goulding (33:28):
We wanted to make it consistent within that pipeline. We wanted to make privileged access management a first-class citizen, but at the same time without sacrificing security, because there's the traditional sort of productivity-at-the-expense-of-security model. So, we wanted to improve both. We wanted to get that adoption while improving security and actually reducing the overhead on both the developers and the ops teams. So, on the screen here, what you see are some of the main use cases where delegated machine credentials can benefit DevOps. And I've been talking about workload identities and how applications and services need them to authenticate to each other, but where do they get the credentials they need to do that? We want to make sure they're not embedded in code. So that's the first thing: they can't be on disk, because attackers are going to find them.
Tony Goulding (34:24):
There's going to be a data breach. It's inevitable. So programmatically, they need to fetch them from the vault, but before they can do that, we kind of have a chicken-and-egg situation: they need to log in to the vault, and they need an identity and a credential. They need a service account in the vault. And therein lies one of the biggest challenges that we had to overcome: for every application and microservice, they need to authenticate to the vault, they need an identity, they need a service account. So identity is everywhere. Every identity, as we all know, is a potential vector of attack. It just increases the attack surface tremendously. Every identity also means that there's a lot of work for the ops team to create and maintain those accounts. So typically, in a vault scenario, the ops team will have to go into the vault and configure a service account for the application or the microservice.
Tony Goulding (35:15):
It's gonna log into the vault to fetch secrets. It's probably going to have to set up roles and rules and policies that will try and constrain what that application or microservice is allowed to do. And it's probably going to have to set up something like an OAuth client that the application can then use in order to communicate effectively with the vault, to get a bearer token, to do whatever it is that it needs to do. That is a lot of manual effort. That's a lot of work. And with delegated machine identities, we basically overcome 95% of that. It's essentially a single call to enroll the machine in the cloud. And I'll get to that in a second; I'm kind of jumping the gun a little bit here. So, this is even more of an issue when customers rebuild their monolithic, kind of data center applications for the cloud, unless they're doing just the lift and shift.
Tony Goulding (36:07):
So, if they are doing a redesign, these apps can easily comprise hundreds, if not thousands, of microservices. And sure, you can kind of share an identity between a lot of them, but, probably more on the Linux side than the Windows side, there's going to be individual service accounts within the vault for those applications and those microservices. So that can be a huge amount of work, a huge amount of effort for the ops team. So, moving on to the next slide then, basically we solve this with, as I said, delegated machine credentials. We have a Centrify client service that's running on the machine, and that client service is used to enroll that machine in the Centrify cloud platform. And of course, that can be automated. So, in an auto-scaling scenario where you're spinning things up and down, that process of enrolling that machine or that container into the cloud platform is automated and very, very quick, and it establishes a strong trust relationship between the two.
Tony Goulding (37:14):
So now we have a machine, we have a strong trust relationship with the Centrify platform, and the Centrify platform issues the machine its own identity and a credential that the machine can use to authenticate to the vault. So now it has the means of communicating directly with the vault. So, when an application or a service running on that machine needs access to the vault, the machine can use its own identity to log in to the vault on behalf of the application or the service running on it, in a container. And it can then obtain, again on behalf of that application, an OAuth bearer token, and it hands that back to the application, or the workload, which then uses it subsequently to make API calls to the vault. Now, of course, this token has a lifetime, so it's not going to persist indefinitely, which is a benefit, but now the application's off to the races, and also that token is scoped.
Tony Goulding (38:14):
So, we can, in fact, in advance, set up roles that can scope certain tokens to using certain specific vault APIs. So, on a per-application or per-microservice basis, we can put them, on enrollment, into roles that constrain what they're allowed to do, and we'll issue OAuth bearer tokens that are limited in that scope. So, the net-net here, hopefully you've seen what we're up to: instead of potentially hundreds or thousands of workload service accounts in the vault, there's one per machine. And that can lead to a massive reduction in the attack surface, in administration, and in risk. And from an Ops perspective, it means that their job is way more constrained. And as I mentioned earlier, and I'm not going to get into this in this presentation, but we do have others that get into more detail, it's a single CLI call from that machine to enroll the machine in the cloud, to set up the roles and rights, to establish the trust relationship, to create an OAuth client within the vault that the application can then leverage, and to establish all of the scoping.
Tony Goulding (39:28):
So, all of that is automated. It allows us to be part of that CI/CD pipeline, and it reduces a ton of that friction. All right. So, moving on then. So, this slide represents, I don't think it's a build, it represents what a typical customer deployment might look like in a data migration scenario where infrastructure is typically hybrid. It's now split across on-premises and the cloud. So, developers are working on projects in different clouds. So again, it could be a multi-cloud scenario in different VPCs. They can all access the SaaS vault. It's a hub-and-spoke mechanism, as you see. So, the platform and the vault that runs on it represent the hub, and those little round Centrify icons, the Centrify gateway connectors, are the spokes, and they're very lightweight services. And you can just drop one in place.
Tony Goulding (40:30):
If you spring up a new project, a new VPC, irrespective of the cloud provider, you can deploy one of those Centrify connectors on a Windows box within that VPC. And then use that enrollment that I just mentioned for the instance that it's running on, or it could be in a containerized environment. And then that enrolls into that hub, into that platform. And then you're off to the races. As you can see with this kind of modern architecture, we're not monolithic, we're not the old legacy data center vault. We are truly a SaaS-based vault that's accessible from anywhere. And your DevOps teams can spring up projects literally anywhere and programmatically hook into the platform and the vault to obtain ephemeral tokens, to obtain secrets, to store secrets, to basically get whatever it is they need from the vault at any time from any place. So that connector-based hub-and-spoke architecture is a dramatic change in the way that we do privileged access management in a modern hybrid cloud environment. And of course, all of the access control policies are essentially managed by us in the vault. So, that can be shared across the ecosystem.
Tony Goulding (41:54):
Okay, then. So, I think we have here... Oh, actually I think I might've advanced one too many. I think I have a slide missing. Well, that's okay. No problem. What I was going to talk about, before I move on to the poll question, is what sets us apart from other vendors. It's really across three dimensions, and we will make sure that this invisible slide is actually part of what we make available for you folks to download, but it's really three things. One is that we're platform-based. So, we're very modular. We match your needs. We're trying to minimize the amount of siloed point solutions that you typically have to maintain to address all of the different use cases associated with PAM and with DevOps. And by having this platform-based approach, then work you've done for one kind of use case can easily be applied to another use case.
Tony Goulding (43:01):
And it shortens the time to value. I think that slide's at the end of the deck; you can go to the end and come back if you want. Oh, is it now? Let me just see if I can push that to the audience. All right. Well spotted. This is meant to show basically our platform, where we sucked a lot of this common capability into a single platform. And we build on top of that platform, the vault being an obvious addition to that environment. Then we're multi-cloud architected. So basically, our solutions are very flexible. And again, our native cloud solutions allow us to be more flexible than if we were just kind of a monolithic vault on-premises. You may have different business needs. It can range from a pure on-premises vault, if that's what you desire, where it's customer-managed, it's in a private cloud.
Tony Goulding (43:56):
We also moved to FedRAMP. I mean, we have a FedRAMP-authorized SaaS offering. We even offered me to services. We have an AWS Marketplace listing with the vault that you can subscribe to from there. And also, because we're SaaS-based and we leverage the cloud economy, we have massive scale and performance, so that's kind of unrivaled. So, you know, you wouldn't really experience any difference between a version of our vault that we have on-premises versus hosted in the cloud. And then finally we're client-based. We have this client technology that really enables the ability for us to be a first-class citizen of DevOps and the CI/CD pipeline. We can establish that trust that the server has with the platform and leverage all of those benefits of the delegated machine credential to satisfy those use cases in a much more effective way.
Tony Goulding (44:59):
Let me go to the poll question there. What best represents the number of applications and microservices you're running in the cloud today that require service accounts for authentication? Now, of course, some of you on the line may be larger organizations or smaller organizations, and I'm sure the bigger ones are probably doing a lot of different things. If we go back to Andy's slide, I think it was mentioned in the comments, the larger organizations are likely to be dipping their toes in the lift and shift as well as the redesign, as well as the re-architecture, silos there. I'm expecting an interesting outcome here. We'll give it a few seconds to populate and, I actually have a follow-up poll question, so please don't drop off just yet. And we've also got some Q&A, so we'll just give it a few more seconds. See if I can hum a tune to myself.
Andy Smith (46:05):
We definitely have more wonderful insights from Tony and Loren as we go forward. I've got some questions coming in and I've got a couple prepared also, so we'll have some lively banter.
Tony Goulding (46:20):
I think they should probably do it. Let me push and let's see what we've got. 23% have not yet migrated data apps to the cloud. I think in the last poll, Andy, we had about 15% who are not considering a data migration. So that's sort of aligned with that. A few dozen or less is 46%, almost 50%. I'm quite surprised with that, but that might suggest that there's more of a lift and shift than there is a redesign or a migration to microservices. But it's interesting, we've got 15% too many to count, and I'm also willing to bet that there's a lot of people out there that don't really know, relying on maybe AD-hosted service accounts. But that's an interesting outcome. Let me move to the next one, which is somewhat related. And that's, where do you expect that number to be in the next 12 to 18 months? If any of you are only just researching or engaging on a data migration project, maybe in the next 12 to 18 months, if you're thinking about how you're re-engineering or re-architecting your application logic, you may have a better sense of where that's heading and whether or not a proliferation of service accounts is going to become an issue for you. So again, we'll give that a few seconds and wait for a green light from Katie.
Tony Goulding (47:57):
All right. Let's see how this thing works out. So, that's interesting. Well, certainly the "too many to count" has crept up a little bit more to 25%, but now we're seeing a lot more population in the "around a hundred" and "a few hundred" categories at 15% and 10%. I would call that trending upward. And I don't think it would be a surprise. I don't know what you guys think, but certainly as data migration projects evolve, I think we are going to find more and more organizations, especially for their core applications, their business applications, really going to rethink whether or not it's just lift and shift or redesign the whole thing from scratch, if it's possible to do that. All right then. I think that's probably the end of my session. Over to you, Andy.
Andy Smith (48:53):
All right. Awesome. Thank you very much. Hey, really appreciate it, both Loren and Tony. Lots of good questions coming in. So, I'll go ahead and ask one of those that's probably directed to you first, Loren. It was a good question from Glenn Mahoney: this sounds a lot like what Azure AD is trying to solve. You know, can you talk a little bit about how what Ping does and what Centrify does differentiates from what Azure AD is providing for customers?
Andy Smith & Loren Russon (49:40):
If I look at the various use cases, and so we've got that remote workforce, I look at Azure AD storing credentials, being able to provide conditional access. They have intelligence signals for their environment. It works very well for that very closed environment. We have many customers, as an example, that are moving a lot of their identity data. They're moving it to the Azure AD platform, but they're looking for us to integrate with that platform to support either these legacy applications, be able to aggregate additional data sources that may not be in Azure AD, and then be able to work with solutions like Centrify for providing support for privileged access. And I would say our strategy with Azure is that we have many customers that want us to co-exist with them or to leverage their identity service, that look to us to be able to aggregate additional identities, adapt authentication events, and work with companies like Centrify to provide that higher level of security for not only Microsoft apps, but also legacy apps and other third-party vendors.
Andy Smith (51:00):
Awesome. Thanks a lot. Another very good one. Thank you, Loren. Another great question, Tony, I'm gonna address this one to you. It's a Centrify one. Is there any CloudFormation template that can be used to install the Centrify agent on new EC2 instances, join AD, you know, et cetera, automate the whole thing?
Tony Goulding (51:29):
Yes, there is. So actually, I would probably need to double-check CloudFormation. I believe we have a GitHub repository. If you go to github.com/centrify, there you'll find a fairly sizable and growing collection of scripts that we've been developing and populating into GitHub. I believe we have things like CloudFormation templates. We have Terraform scripts, we have Chef and Puppet. We have auto-scaling scripts, and all of these are doing exactly what you're talking about, which is automating. For example, pulling our bits down from a repo, installing them, configuring them, joining them to AD or joining them to the cloud service, establishing that trust, et cetera, et cetera. I would encourage you to pop over there. Again, it's github.com/centrify. If you don't find what you're looking for, then by all means reach back out to us, because one of our product managers at Centrify, Fabrice, is responsible for getting more and more and more of that stuff deployed. And I know he's got stuff in the works, so if you don't find what you're looking for, absolutely reach out and we'll certainly do our best to help you.
Andy Smith (52:50):
Great. Just want to reshare again. Loren kind of went over some of the use cases. When you go to the right-hand side of this slide, you can see how Ping and Centrify are working together today, to log in to Centrify utilizing the Ping One technologies, so that the login for your administrators is just like they're used to doing everything else. And then in addition, to apply multi-factor authentication so that you can have one provider of multi-factor authentication across all your various services. Tons of resources available: blogs, solution brief, demo videos, et cetera. You can see the technologies are working together; really excited about the partnership between the two companies. So, Loren, would love for you to share a little more insight. Can you just give a couple of tips, as this audience is moving towards DevOps, moving towards cloud transformation, moving towards digital transformation? What would be your top one or two tips that you would give from your years of helping customers do this?
Loren Russon (54:05):
Yeah, and I'd love to. I remember talking with a group of CSOs during the customer advisory board, and I asked the question of your transformation to the cloud: how long is it going to take? And I loved the answer. It was "five years to never," and it really was admitting that we have to accept that hybrid multi-cloud is the new normal. I think by accepting that, you're able to then plan for it, design for it, and manage it. Also, a lot of the input we get is for protecting our resources. So, you know, don't look at it as just an API initiative or maybe a mobile initiative. You need to provide a platform that supports access controls for web, mobile, API, and data down to a very granular level.
Loren Russon (54:52):
And then last is just, I remember, like in the same advisory board, a customer shared with us essentially their discovery and how they mitigated a breach that they had dealt with. And they emphasized that, you know, there's always technology fits, but best practice is that we need to invest in organization. We need to invest for success. We need to organize around planning. You need to have the whole company plan. So, it's not just an IT issue. It's a CMO issue, a CSO issue, it's a CFO issue and a CEO issue, and then be able to constantly test and then improve your deployment. So, it isn't just to maintain it anymore, but security is something we live
Andy Smith (55:36):
Awesome. Hey, appreciate that, Loren. Tony, you know, same to you. You've talked with a lot of customers and attended our customer advisory boards also. The top one or two tips that you would give as customers and prospects, this audience, is moving through, moving to cloud digital transformation, moving to DevSecOps, et cetera?
Tony Goulding (56:05):
Yeah, sure. So, well, a few observations and things that we've experienced that can help kind of remove some of the friction. And again, I'm steering this more towards a kind of DevOps-in-general type of audience, but a lot of our conversations have revolved around the subject of secure remote access and specifically VPNs. So, while…
Tony Goulding (56:24):
Certainly a lot of organizations were familiar with using VPNs prior to the pandemic, it was kind of restricted to a small subset of the end-user workforce. But when, of course, everybody ended up working from home, all of a sudden IT had to extend that to everyone. So, we were hearing that there were a lot of challenges from the perspectives of cost, infrastructure, logistics, new VPN servers to handle the increased load, additional software licenses. And IT, you know, hustling around to make sure everybody had a VPN client installed and configured on the workstation. But aside from that, they also discovered security implications. And so, VPNs will increase your risk exposure. They're very beneficial to allow you to get remotely into your systems, but they increase your risk. So, your workstation becomes network-attached.
Tony Goulding (57:17):
So if you have viruses or malware, that can spread. They also open up access to systems in an entire subnet, instead of only the single machine that, let's say, an ops team member needs to log in to, to configure or deploy some software or to do something manual. So, there's the risk of a threat actor not being constrained and able to move laterally. So, what we heard from our customers is that secure remote access, VPN-less remote access, is a capability that will really serve them well. And the second thing is DevOps. They've got enough on their plate, especially the developers. And so, you know, remote access can easily get in the way and slow them down. So, you know, when they were in the office and on the network, it was really quick and easy for them to use their local RDP or SSH clients to log into infrastructure that was also inside the firewall.
Tony Goulding (58:10):
They could easily connect using a host name, but with all that infrastructure being remote now, technically, and stuck behind firewalls, there's no direct line of sight to those systems. And so native clients can't resolve host names into an IP address to get to those servers. And so, the threat actors realize this and they're taking advantage of it. What we need is some kind of clean source with a jump host that can enable us to surgically place these users on a server and limit lateral movement. So that was the second thing that customers are looking for.
Andy Smith (58:50):
Great. Thank you, our time's up. Thank you, Tony. Thank you, Loren. Really appreciate the discussion. If we didn't get to your question, thank you for asking; we will answer it afterwards. Of course, the recording will be available so you can share it with your peers. Really, thank you all for your time today. A good, lively discussion. Check out both Centrify and Ping. And we look forward to talking to you again in the future. Take care.