ESG's Doug Cahill discusses the impact of remote work on Identity Access Management (IAM) priorities with Greg Keller of JumpCloud. This is Part 1 of 2.
Watch more in this series:
Read the related ESG Blog(s):
Doug: Hi, Doug Cahill here. And I'm joined by Greg Keller, the chief technology officer for JumpCloud. Hey, Greg.
Greg: Doug, it's good to see your face again, although we're not in person, but this is the best that we got.
Doug: Hey, we have what is an awfully expensive topic, which is to discuss how the impact of cloud adoption has impacted identity access management priorities. But first, let's just start by hearing a quick thumbnail on JumpCloud.
Greg: Thanks for the opportunity, and it's good to talk with you again. JumpCloud is a Directory-as-a-Service. So, what's that? If you've put your mind on the target of something like an active directory or an LDAP, which are the traditional on premise sources of identity and authentication services for companies, we saw a different vision of that, which was to put this all up in the cloud, enable an employee to access any resource, not just the vendor-specific resource and do this from any location, from any device on planet Earth.
Doug: So, the headline here is, of course, how the broad adoption of cloud services has impacted identity access management programs and an obvious place to start given the pandemic and the surge in remote work is how that surge in remote work has impacted identity access management and accelerated the further adoption of cloud services. Greg, I'm wondering what you're hearing from JumpCloud customers, you know, really, how has remote work impacted how they think about identities?
Greg: We're seeing a lot of suffering in many ways, but purely, speaking from an IT and security architecture perspective, the companies that are sort of flooding in are those that didn't have a game plan, meaning they were sort of beholding to these traditional perimeter-based security architectures, where ethernet and firewalls and everything could protect what went on, these would be competing inside of those brick-and-mortar networks. What we're seeing really from the field are those that are desperate in order to have an employee that certainly is on a network that isn't necessarily trusted by the IT team that set it up, meaning within their brick-and-mortar confines. So, they're battling, you know, with how do we make sure that the data's being transferred back and forth from an endpoint, and then finally, the devices themselves, right? So, many were not prepared. The machines themselves were not prepared. Many were purchased, handed to the employee, and they say, "Great, set up your account.You're good to go.Everything is sort of, yeah, in the cloud." But IT and security experts have no idea if those machines can be trusted from those locations.
Doug: You know, we conducted some research at the end of last year with some simple questions on how the impact cloud adoption, you know, has sort of necessitated changes in identity programs and almost half the respondents said, yeah, our organization's adoption of cloud service either has or will have significant impact in how we think about identity and access management. More specifically, you know, with sort of areas around, hey, we want to start using them at bay, maybe adaptive auth, want to extend SSO to more cloud properties. And then fast forward to, you know, late spring when we started to conduct research around work from home. And in addition to finding things like, you know, most organizations are experiencing increase in cyberattacks, increase in phishing around using COVID-19 as a lure. We're finding priorities to really secure remote users include things like updating access policies, but also to your point, you know, securing new mobile devices. Because, you know, increasingly more of us now are using devices that we weren't using before to access corporate resources. And so, devices are now part of how you establish trust, and dare I say zero trust. So, just to wrap up this first video, give us a quick perspective on how you think about the role of device in a zero trust context?
Greg: Even prior to COVID, there are more sophisticated customers and the IT directors and security people that would, you know, evaluate us and purchase us. They had already moved on from the concept of BYOD. Absolutely, positively, not a way to keep your company secure. I mean, half these people are working on their son's, you know, gaming laptop, riddled with malware, and they're trying to access corporate resources from it. So, you can't necessarily guarantee that you'll be safe. So, a corporate managed machine, we had already seen a massive trend towards that. We're now living the reality of a domainless enterprise. I mean, the domain is elastic. It is exactly where you and your device are. We want to put that emphasis on where the device is, who is accessing and currently logged in with a valid session on that device, what security policies exist on that device, what applications, be it approved or nefarious and the applications and files, live on that device. And frankly, what is the security posture overall for that device? And this is what JumpCloud has become prior to COVID too. Change that password from within the confines of that box, let the machine receive that securely. You can't phish a session inside of your box, especially if you're looking and have the appropriate security controls, looking for key stroking, etc. Let the machine assert your identity and those password changes back to wherever it needs to be securely.
Doug: Yeah. Greg, you bet. I mean, great points. These are all attributes of identity in today's remote work reality and really thinking, you know, going from a domain view to a user perimeter view. So, hey, great conversation. Suffice to say, we've just scratched the surface. We look forward to sharing with you some more thoughts on how cloud and remote work has impacted identity access management priorities in the next video in this series.