Customer Spotlight: How Caesars Deployed IAM and CASB to Enforce Security



Speaker 1:  We've got Les Ottolenghi. He's Executive Vice President and Chief Information Officer at Caesars entertainment. Les is responsible for shaping and implementing Caesars technology agenda across all company platforms. Prior to joining Caesars, Mr. Ottolenghi served as the Global Chief Information and Information Officer for Sands corporation with a focus on modern scalable IT network in software infrastructure and application architectures. And we have Srini Gurapu VP of customer solutions at Skyhigh. Srini brings 20 years of experience in networking, security virtualization, mobile and cloud security markets at several successful companies such as BlueCoat, Neoteris, Facetime, RingCube and several others where he led in product management and strategic alliances and helped to drive their vision, strategy and execution. Please welcome Les and Srini.

Srini Gurapu:  Thank you. Good morning everyone. Les we are so honored to have you here to share your journey about your own Caesars cloud journey. What we're going to do this morning is, I'm going to start with a quick overview on cloud security and how identity and access management and Cloud Access Security Broker solutions play a major role in cloud security and then now have Les talk about the Caesars' cloud journey and how Caesars is using Okta and Skyhigh as part of their cloud security strategy. Towards the end we're going to leave it some take aways and we'll also open up for some Q&A in the end. 

If you look at the security market in the last 20-30 years, every major disruption at IT, caused new breed of security companies to emerge. Initially about 20-30 years ago, the shift from main frame to PCs resulted in new end point security market with companies like Semantic and Microfeed. And then the internet revolution happened and that gave rise to new perimeter security companies such as check point and the Palo Alto and the BlueCoats, and the focus was to protect organizations from internet born threats such as malware or science boxing or URL filtering. Now, we're probably in the greatest IT shift and that's the cloud. 

By cloud, what does cloud usually mean? Your applications and your data, now we're hosting on somebody else's premise, and we all have to pass on that. Until now, we owned our infrastructure, we owned our perimeter, and we were doing very much what we call the infrastructure security. Securing the end points, securing the perimeters. But move to the cloud, you don't own the perimeter. You don't own the infrastructure, yet you're responsible for your data and your application. What that means or that gives us a great opportunity to do the security right, to focus on the identity and the data. We no longer have to worry about the edges. This transformation from infrastructure security to information security, gives rise to the new type of security companies like the Oktas and the Skyhighs. 

If you look at the cloud, every organization, the cloud has three primary manifestations. The first one is what we refer to as shadow IT, by shadow IT what we mean is your employees or your partners are bringing in their own personal cloud services like the Dropbox, or their personal slide or the eVendor. The second biggest manifestation, something that I'm very excited about, like companies like Caesars, they are signing up more and more cloud services to run their business, like Office 365 for email, Salesforce for CRM, or Box for collaboration and the service now and this is probably the most growing the cloud segment. 

The third one, is about your own apps that you're hosting on one of the public cloud providers like the AWS or Azure or Google Cloud computer. If you look at the three types of the cloud and how they're been used. Number one, your applications on the data is being consumed by many different types of users; your employees, your partners, your customers, and your service providers and so on and so forth. And at the same time, these users are no longer accessing the cloud just from within your perimeter. They're accessing the cloud from inside and outside, and also from a variety of devices. What that really means, and if you look at the data how this data is flowing, majority of the data is flowing among the cloud providers laterally, East West. What that means is, our traditional perimeter security solutions, which are looking at the data as a traversing your perimeter, they suddenly do not work in the cloud world. 

What that means is, we need a different approach to secure the cloud with a unified security and control point that's looking at all the data that's moving North South and the East West across all devices, all users, and all locations, and this is the new cloud security control point architecture that with factor, identity and access management and Skyhigh cloud security broker, together provide the complete security for the cloud. 

Now, let's dig deep into some of the use cases. When I talk to customers, and when they're approaching the cloud security, they often get overwhelmed. They don't know where to start and where to end and in working with customers like Caesars and many other customers, we've actually simplified the cloud security architecture into four pillars, and those four pillars are, identity, application, user activity; what actions the people are doing in the cloud, and then the data. Then if you look at the four pillars, you're no longer talking about the IP addresses, or the zones or the locations or the end points. Al that stuff is lost. 

Now let's look at identity and we are at the biggest identity conference at Oktane and we're all familiar with all the use cases but some of the key use cases about providing single sign-on, providing adaptive multi-factor authentication and providing identity governance. This is something that Okta identity access management solution deliver. If you look at the next pillar, which is the cloud application, it's all about discovering all the applications that are in use and at the same time, we also need to understand the risk that each cloud provider brings to the organization from a business. How they are handling the data, where they're backing up the data, are they encrypting the data at first.

And again, discovering the cloud usage and providing the risk assessment is the applications centric use case and if you look at the most recent breaches that happened on AWS like the horizon and so on and so forth where majority of the compromizers are happening because people are misconfiguring their AWS infrastructure. And again doing a configuration audit and providing the right security controls and the configuration. Is the application centric use case. 

The next thing is about the activity. If you look at applications like Salesforce, majority of the time you need to monitor what people are doing. If your employee just before leaving the organization, if they're downloading all the customer contacts and siphoning the data, and again that's kind of insider threat. For many of you, if you're familiar with user behavior analytics, the UBA, and again activity monitoring and providing security analytics for insider threats and compromised credentials is another use case that's on the activity pillar. Then, once you understand the activities, you want to be able to provide the contextual access control depending on the device or the location and the type of role, you may only want to view the content in office 365 but not download it. 

Again, these are activities centric stuff. The last pillar is the data, probably the most important pillar along with identity. Ultimately, it's all about your data, and understanding the data and who is it being collaborated with and to be able to control the sensitive data and make sure that it's only being exchanged with authorized parties is one of the biggest use cases in the cloud security. Also, to be able to encrypt the data with your own keys and this jurisdiction key ownership has become such an important thing even to tackle some of the advance use cases like the GDPR. This applies not just for your file content but also for the structure content like the fields within Salesforce and service staff. Again, to be able to encrypt the data with your own jurisdiction key ownership is again another top use case. 

The last but not least I sometimes see things like DRM or the RMS is another use case to secure your data. If you approach your cloud security across these four pillars: identity, application, activity and the data and again you have a simplistic framework to secure your entire cloud. It doesn't mean that you always have to start with identity or app, you may start any one pillar but eventually you're going to cross all the four pillars. The most popular cloud provider that everybody is dealing with including Caesars is Office 365 and here are the top five use cases that I see. 

Number one is about Office 365 is home to the sensitive data, make sure that it's only being shared with authorized parties and make sure that your sensitive data is not uploaded to some of the public folders and Office 365 SharePoint, that's the second use case. The third one is, ability to make sure that your data is not downloaded to personal devices, again that's the popular use case and the activity monitoring understand who are all doing what activities across the entire Office 365 group portfolio and to be able to do the incident responses under the use case. The last but not least is to detect compromised credentials on your Office 365 ecosystem. Again these are the top five use cases and Gartner rightly calls that CASB is a required platform for all your cloud security and along with identity access management and the prediction is that about 90% of the companies are going to use solution like Okta and Okta is a leader in the IM quadrant. With this overview, I'll hand over to Les to share your Caesars cloud service. 

Les Ottolenghi:  Very good. Thank you. I think that is a fantastic summary of where sort of the state of the art is. How you need to think about this in terms of the business, and ultimately why Caesars went to CASB identity access management. Thank you to Okta, thank you to Skyhigh for being at Oktane and for having a few moments to explain what our cloud migration has been like at Caesars and why we did it. When I look at sort of CASB and identity access management, I think about our next generation infrastructure and what are the drivers. What we have just done, I think it's just been explained properly. The how, the level of technical detail if you would like a dissertation on that, meet me outside, that's fine, that's great but I'm assuming you're here because you know some of the how. The why is the important driver. In my history, I've had the wonderful privilege of being part of a major cyber attack, and actually pushing it back and defending it and stopping it. 

One of the other gentleman in the room with me here today went through that actually two years. The gentleman went through that with me over the Las Vegas Sands. We were attacked by the nation state of Iran and they tried to take us out and we stopped them. They never got to the Crown Jewels of the company, they never got to MAQAO they never got to Singapore, we stopped them. We stopped them only because we had some force side around business purpose and that's really the driver around CASB. That's really the driver around identity access management and as you move to the cloud it's actually some of the motivation to go the cloud. You're going to be more secure, and that wasn't such a popular notion even three years ago right?

But what are the drivers today? Security of course. But what's the business purpose? How do you actually articulate this in terms that the rest of the company will understand and not just the people in this room? And that's been the challenge for Caesars and that's the journey we've taken through the cloud. The technical piece, yes of course. The security drivers and priorities, absolutely. But the business drivers, and these are the business drivers. Today Caesars acts as an integrative resort and entertainment company. But, does anyone know using the term disruption, companies that are going to stick around that have been really great at what they did five years ago or even ten years ago. Largest film and cinema company in the world is Netflix right? Largest taxi and logistics company in the world is Uber. They don't own any taxis, Netflix doesn't own any cinemas. 

We own casinos. We own hotels. We own a lot of Brick and Mortar. Now we don't want to look like Blockbuster, so we've been thinking about what is our migration path? What are the drivers? Well, it's not to be an IT company. It's not to manage a data center. The old saying "Friends don't let friends build data centers" right? You're not in the cloud business, you're in the business of getting to cloud services for your company, for the things that your company needs. Now what we have done deliberately at Caesars as this has been reported when I do presentations for Wall street analysts, is that we are moving to a platform. We are moving as a company away from being sort of a pure Brick and Mortar to a being a platform business enabled by technology, and much of what you see here on this slide going from left to right is that journey that companies are taking from being really good at customer engagement and marketing. 

Starbucks, go to see their reports, their public information about what they spend. They spend more money on cloud and technology than they do on new beverage products. There's a reason. That's because their chairman says they happen to be a software logistics company that sells coffee and tea. We are a casino and hotel operator who really looks at our customers as an experience. Something that we provide to them, and that has to be very seamless, fast, secure and available all the time and the only way you get there is through cloud and cloud security, so that if you look at the bottom part of this slide, you'll see our journey is very basic. We offer an experience to the customer, the customer engages with us. We then grab hold of that information that they have just engaged with us through the experience and we provide them more and better experiences. As a company, that's exactly where we're headed. 

As was mentioned, we are moving to the cloud and I'll walk you through some of our cloud enablement that's going on, but these are public cloud steps that we're taking. I'll talk about some of the stuff that's hybrid in just a moment. But we're moving right now fully to the Salesforce platform. We started off with multiple applications, maybe even 100s of applications to store customer data on prem. Doesn't sound so modern, doesn't sound so 21st century. So we took a look at what would get us the best customer engagement with a single profile view at the customer, and we decided it would be Salesforce, we made an announcement earlier this year. Marc Benioff on CNBC went and fully described it, we've told our analyst about it as well. 

But essentially what we have said is, we will move from our present systems for our customer information to cloud basis. That means we're also going to move our property management systems, which we're moving to now info from now on prem system, and by the way we have a contest in our call center right now where because of our system, which was deployed originally in 1989. All of the call center operators have a contest to se if they can open up all 11 screens faster, who does it fastest right? Who can do it in under 12 minutes because the have to look at all these green screens in order to go switch between the different ones in order to do reservations. We're just blowing all away. We're not going to a better on prem solution, we're going straight to the cloud so that we can deploy configuration across all of our properties, all of our call centers, all of our team members who need access to our hotel management system instantly. 

We're moving our human resource system, we've already launched our GL and AP. How many people have had the joy and pleasure of putting an SAP or any operating system, just raise your hand. It's a lot of fun isn't it? We did it in less than a year and we did it with no tickets. So we've had no outage, no misses, nothing. We did it because we went to the cloud, we worked with Oracle. Any people from Oracle in the room? Raise your hand. Okay, good. Because Oracle is not always the easiest to work with, right? I won't overstate the obvious but they're always easy to work with and what we found was that we could work with them better if we used their cloud platform which a work in progress and we would authentic that really it was cloud platform. But the great part of it was they provided a lot of security with that as they have with their HCM product and we're rolling off as 365, which is sort the Gartner notion I challenged. I challenged the Gartner notion that O 365 is your real reason to go to the cloud and get security.

It's the obvious reason because why? Because everybody communicates in PowerPoint, right? When did everybody start like actually writing a memo to each other or an email? You just send somebody a PowerPoint slide right? What does your CEO want? A PowerPoint slide. Hey Dave, give me that PowerPoint slide. My wife by the way she asks me for PowerPoint slides. So we communicate, it's the most effective way by the way, we never argue. It's in the PowerPoint honey. These are the basic technology stacks we're going through and as you can see and major systems are moving into the cloud, but as you see here at the bottom, Okta and Skyhigh are really the key and essential part because we're moving all what is the traditional infrastructure in systems, in everything we have, to the cloud. We want to be out of that business. 

We want to be out of the application management business. We want to be in the configuration and services business. We want to move from asset management as an IT enterprise which can be really rock solid, the only problem is you get stuck behind the rock over to a service that's very nimble for the business, that aligns to new business models that meet customer expectations for experience. We move rapidly through the services and deploy them and start to look more like dev ops when we actually deliver our services and we do it in a secure manner by going to the cloud and having all the proper security around it, right? Part of that journey right now frankly is also Internet of Things, everybody talks about it, we're actually doing it. 

We're putting all essentials around our properties. We're putting in a whole new infrastructure, in fact we just deployed a whole new network infrastructure, now we're doing the on prem infrastructure components, which includes beacons and sensors and so on and it ties to wearable devices, it ties to your mobile device, all those sort of things because we've seen an acceleration in our customers demand for our mobile apps. They're downloading more of our mobile apps. We had another million people download the mobile app recently. And we think this is a part of our mobility for strategy which is obvious to any other industry but very new to the casino industry to move in this direction but because the enablement wasn't there, we didn't have public cloud, we didn't security, we couldn't get to what our customers need, and we're now moving there, and we're actually going to this idea of smart buildings. Real time offers and gamification. If you follow Caesars you've heard our CEO talk about a casino of the future, we're moving to a full casino of the future which is an entirely new gaming platform if you will. 

Part of that is because you put in the infrastructure. You put in the cloud, you put in the security and then you can change the gaming physical gaming floor. And in fact they can look more like frankly East board, and I don't know if this is active or not, I'll just try it out real quick, see if it is. is that live? No, it's not live. Well, I'll tell you about it. This is a screenshot apparently with a little thing at the bottom where I could play it which is of our first East board event, which was held with Amazon about eight months ago. Since then we've held two events with Xbox and this event had somewhere around seven million dollar on hourly basis watching what we were doing. Three million people we could authenticate they were watching the event. We did it for six and a half hours, it was a mobile game app finals and we had 500 people in the audience but the total spend for Amazon was pretty significance. It was like a million and a half to do this but because they were able to sell skins and do other things they made two and a half million dollars in that period of time. 

We didn't have any betting with it but what we've correlated as you might imagine since there is a gaming lounge here at Oktane and then you go down at the casino floor here in ARIA and this is not an knock on ARIA and it's empty but that gaming lounge is full, is it people like to play video games, right? If you add up all the dollars that are between the gaming and casino industry and video games, they're about equal. The audience has moved to video games and then when we did our events with Xbox, you could see there were two to three million people constantly streaming here through twitch of mixer, and with those people, they were buying skins. So like for Dota 2, does anyone play Dota? No, yes. Got one guy here he's like yes I play Dota. Cool, so 20 million dollars and skins for Dota 2 in our last big event during the streaming. 

What you have to think about is, if there's a business driver here it's all this new opportunities, and you want to get out of the business of the on prem. You want to get into the public cause as fast as you can and then focus the rest of your security and cloud security on your high value high return areas in your business. So, the technical strategy was driven to replace this environment here, which is something I have shown to again all Wall Street analysts so I'm not disclosing something that's confidential. That was the Caesars application environment I found when I arrived at Caesars. Looks pretty good huh? Average age of systems 18.1 years at that point of time. General ledger was installed in the 76 so it was nice. Jimmy Carter was president and we started to move through this very rapidly. How can we decomplex all of this? 

How can we make it simpler and easier and move towards the cloud and get out of the fragility and the expense and the security headaches, although I must admit your latest and greatest bad guys, they don't know how some of these systems work. Here's the secret. They can't figure out what the database is. They're like "I don't know what this is. Here's 400, place that." So we've gone to this instead and obviously this is oversimplified reference architecture but essentially it says what we do. And at a level of complexity reducing the number of systems, reducing the applications, reducing the overhead, reducing all that management allows our teams to focus on the important stuff like quickly delivering services that generate revenue through better customer experience. So becoming Uber. Becoming Netflix, becoming the next version of that here in this industry. And then, from an infrastructure point of view, this is sort of where we've been moving. These are all the steps we've been taking, nothing remarkable other than to say hey, we're going to the cloud, we're moving our legacy and when it comes to data, we've really had to move because our data right?

You saw that complex picture. Can you imagine we have a common data model? No, probably not. So, to get there and to have speed and market, you've got to actually move to the cloud. That rationalizes things and simplifies it, but that data has to be protected, that data model has to be secure and everything that we do with that data needs to be authenticated. As we are looking at all of our environment, it moves towards this type of a picture. It moves to this, if you will, security coverage for all of our cloud services. And in essence, what we've done as a company is a deliberate strategic choice. It's not just about security. It's not just about systems, it's about enabling the business to do very big things. What we love about Okta is, we can think about behind the firewall and outside the firewall with Okta. And with Skyhigh, we can think outside the firewall for certain, because the two work together to enable maybe a trust brokerage with our customers, in a way that then speeds up all these digital services. 

If you think about the casino of the future in the platform on the casino floor, if you could authenticate and identify everybody, you're not putting them into some directory that you have to manage internally and kind of like do all these funky things and build up a stuff in order to make sure that they're the right people, then you've actually created a trust brokerage for new business services and experiences, and if I had another hour or so, I'd walk you through what that customer journey is but I assure you, that's where a company like Caesars needs to be and will be going forward. So, I'll turn this back over. 

Srini Gurapu:  Thanks Les. Thanks for walking us through that wonderful cloud journey. As Les walked us through the cloud journey and we are very fortunate that we have many there customers in different verticals who've taken on the similar winning journey and moved to the cloud to transform their business in their respective verticals. 

Some of the takeaways that Les and I want to share with you, number one and again cloud security is not an overall main complex task. Bring it back to the four pillars then you will have a successful cloud security journey. Some of the things that we believe, number one, if you're still hesitating about moving your assets to the cloud, there are many people like Caesars, they're already in the cloud. Please partner with your peers and move to the cloud. The second thing that I'm really excited about is, something that Les and many other customers have told us is that move to the cloud, it can actually give you better security and this is something that's a big change. When two years ago everybody said we're not moving to the cloud because of the security but many customers like Les and Caesars they're now telling us that cloud is actually more secure than being on prem because now you're focusing on the crown jewels duals identity and the data. 

Understand the shared security responsibility model. When you move to the cloud, you don't get automatically all the security. The cloud providers are responsive for the infrastructure security, but you still own the identity, you still own the application risk assessment. You still own the activity and the UB and the data security control, understand that. The last but not least is about take a risk centric approach and this is something that I learnt from Les. Security is not about all of nothing. It's all about risk management. And in that framework, there is a framework that Gartner put together called cyber resiliency. This is what we believe is our ultimate collective goal in the cyber security industry. It's no longer about blocking and tackling a threat. It's about achieving cyber resiliency. How many of you read this paper? There are about six principles. It starts with the people centric security means you need to take care of the identity, and understand the data flows, and understand the data across all your applications and users. 

And the third one is make risk based security approach and focus on business outcomes. Security is not about blocking and tackling. Security is all about facilitating and enabling your business. Again, these are the six principles and using a solution like Okta and Skyhigh with the identity and access management and the cloud security broker will ultimately help us to achieve cyber resiliency. If you want to take your risk assessment on any of your cloud asset so the shadow IT, please talk to any one of us and we'll be glad to do a free security assessment. With that, Les any closing thoughts from you?

Les Ottolenghi:  No. I think exactly this and I know that if we had more time we'd go through a few more things in terms of our transformation but as you saw we were just in interest of time and respecting your time, speeded through one or two slides here, I would just add that this idea of resiliency and risk approach is kind of the two key lenses you need to take in order to assess where you need to be in that journey and the sequence in that journey of moving to the cloud and what you do to be secure, and that is where you should start if I were to give any advice. It's where we started and that's actually how we've had very secure outcomes. 

Srini Gurapu:  With that, we'll open up for some question and answers. If you have any question please come to one of these mics because this session is been recorded, you know about the identity and access management or the CASB or Caesars. We welcome any questions. 

Audience:  How may applications do you have today and how long did it take for you to implement CASB, to extend your perimeter security to the cloud?

Les Ottolenghi:  How many what? First I'm sorry.

Audience:  Apps, sands based.

Les Ottolenghi:  Apps. Gosh, we're de-complexing that right now, so apps originally range is 600 so we're collapsing that down to 80. 

Audience:  How long did it take for you?

Les Ottolenghi:  It's not a complete journey. We just started with the Skyhigh components but I have a previous experience with sands having done this so I know what that pathways looks like. It's a completion through 2019. 

Srini Gurapu:  Just to add to that, again, look at the four pillars. The application risk assessment and then the data and some of those things you know also requires your own policies, but I've seen some of the customers that rent from the CASB journey that tooK about 30 days in about three months is kind of the typical journey to secure the four pillars. 

Les Ottolenghi:  And I think from a mechanical point of view that's correct. Those are accurate timelines. I do believe the policy and governance components become important so what we've done is elevated the cyber security function to the board level, and I know a lot of companies have done that. They want the CSO present at the audit committee and so on. We have two CSOs, two deputy CSOs and they present to the audit committee and we have a working group and we actually moved the policies along much faster. The problem is, policies typically are fragmented they might be legal, they might be finance and so on so as a working group, you consolidate that, you map it back to your product, you map back to your product deployment roadmap and that's typically how you get the acceleration. 

Srini Gurapu:  One thing along those lines is something that I learned in the cloud security journey is, it's a continuous life cycle. As we said, the risk assessment never stops. It's not like when you understand the risk and then you deploy it and then you're done. It's not, part of the governance as Les talked about, it's a continuous process and one thing that we have done at Skyhigh is, we work with our customers on a monthly basis, we actually go and assess the risk and we then go and tune your policies and again to get to your desired level of business outcome, so this is what you should ...

Les Ottolenghi:  And I think some of that does that mapping back to your business model as a company is your business model if it's a cloud first strategy at a technical level, building to a business platform based on a technology platform, if that's your model, and you're running multi-sided markets as opposed to a supplier, a distributor, retailer, consumer business model if you're running the other now there's your Uber rather than taxi company, then you end up doing different things and it runs a lot faster. A lot of it is the shift and change to that different business model which accelerates our path to security in the cloud. 

Srini Gurapu:  Any other questions? 

Les Ottolenghi:  We've left you standing silent. I can see that. There's a lot of things that go into the sort of technical mechanics of this and when I think about the resiliency as well as sort of the risk, it's risk against each one of those business models that you're trying to produce or trying to promote. 

Audience:  What were some of the like hard sales that you had, Caesars just in convincing them to move to a more cloud based or mobile centric and how did you overcome those?

Les Ottolenghi:  Great question. Hard sales these days are probably a lower huddle and threshold, because if you look at how most corporations are starting to manage or articulate their value to the public markets, particularly publicly-held organizations. Probably all of you know that Caesars had a division that was in bankruptcy and all of that gets completed October 2nd so all of our companies are going to be rolled back into one public traded out of bankruptcy. So even higher huddles in that respect, but the cost of doing business on a cashflow basis with the cloud, if you have proper security is lower than the total cost of ownership and cashflow and capital and Opex, it's required if you try to manage it yourself. It becomes an articulation of financial decisions, so you literally need to go through and build the obvious business case but help your line of business partner, build that business case for the total Return on Investment. How much are you going to take out in operating cost or automation? How much are you actually going to return in yield, that you can quantify realistically around your customers experience?

Marry those two and put that in with the IT cost and then you have a good business case. It was not a hard sale, ultimately. Frankly, some of it was all joking aside, showing that very complex picture, saying do you think this is going to be easier or this is going to be easier and how much money is associated with it. 

Srini Gurapu:  There are no other questions. With that, thank you so much for your time and go for cyber resiliency. 

Les Ottolenghi:  Thank you.

When you’re in the gaming industry, nothing is left to chance, especially security. And that extends beyond the casino floor all the way into the cloud services that the business runs on. In this session Les Ottolenghi, CIO at Caesers Entertainment will outline the pressing cloud security use cases they identified around identity, apps, and data and share lessons learned as his team deployed IDM and CASB together to enforce their security, compliance, and governance policies across O365, Salesforce, Google, Box, ServiceNow and other cloud services.