Oktane19: What’s in a Name? How BMC Software Built an Identity-First Cloud Security Strategy



Joel Bruch: Joel Bruch, I've been with BMC for approximately 20 years, in the service security area. So I've got a lot of bumps and bruises to show for my time there. And thank you for your time.

Joel Bruch: So for an intro, BMC is the seventh largest software company; 10,000 customers, serving 92% of the Forbes global 100. Kind of the take away for this slide is, I work in a company that has a lot of people that don't like me very much.

Joel Bruch: So the challenge for us, BMC very early on made the transition to cloud services. So we had a lot of the traditional capabilities you would see in most companies. Rogue system detection or network admission control or things that would generally try to make sure that services were only accessible from devices that we trusted, that we could manage the configuration on. So as that started to grow and our business started pushing for services that were internet accessible, all of those traditional capabilities and protections we had in place just sort of, disappeared. And once people found out you could access these services easy, obviously that spread like wild fire. And then everybody wanted to take the same approach. There was a lot of pressure internally from business units to make services internet accessible, that were internal only. And all of these things were for very good reasons. It did improve accessibility. It did get a lot of the complexity and challenges from the security space, out of the way. So it did improve productivity.

Joel Bruch: We also went through iterations with BYOD. In our particular company, we allowed for mobile phones and tablets. Mobile device management solutions do a pretty good job of covering our needs there, both management and protection. On the end point, it's prohibited for us. That went into a lot of legal reasons why; supporting trade secret protections, customer obligations around data. Obviously privacy is a much more critical aspect of that. Legal hold obligations versus computer trespass laws. So we went through a lot of turn there. I think technologies will continue to evolve. I'm sure our policies will evolve, as well.

Joel Bruch: But irrespective of what we wanted to see from a business perspective, users still want to do the things that make their lives easier, where they can address the risks that they're accountable for on making sales quotas or meeting deadlines for product development. Anyway, the net of this is just industry change led to us taking a lot of risk on, we didn't really have solutions to get out in front of it at the time.

Joel Bruch: We've been through iterations as well, doing ad hoc solutions to try to provide protection in the interim, things like white listing from egress IPs. But ultimately that leads to a fractured user experience. And that approach is really not sustainable in my view.

Joel Bruch: I think with that, I'll turn it over.

Tony Kelly: Alright, thank you Joel.

Tony Kelly: Again, my name's Tony Kelly, I am with Netskope. Been with Netskope for about two and a half years. I've been in the networking and secure networking industry for 29 years. I know that's hard to believe. I look really young, but been out there for a while.

Tony Kelly: I think we've lost our slide. There we go.

Tony Kelly: All of you are working through this new digital transformation that's been going on for years, right? It's everyone's moving to the cloud whether they like it or not, right? What we've learned at Netskope, being in the industry now for six and a half years, helping enterprises understand how they're using the cloud, but more importantly, how their users are using the cloud. It's been very eye-opening.

Tony Kelly: So, the shadow IT is rampant. Folks are used to their smart phones. And they want applications at the enterprise to work just as well and just as easily as the ones they can secure on their phone or their tablet or their personal device at home. And they're bringing that into the enterprise. So there's a lot of drivers for this digital transformation that are occurring. And the enablers are mobility, the smart phone. I think Steve Jobs just created a massive change in the industry for all of us. But also, clouds. So innovators from the early days for sales force, AWS, they've really led this enormous transition in the industry that is really still just gaining speed. There's a lot going on but much, much more to come.

Tony Kelly: If you'll hit the next slide ...

Tony Kelly: At Netskope, we're a cloud application security broker. That's kind of the first use case of our cloud security platform. And we've done literally thousands of cloud risk assessments for enterprises. And what we've found is, on average each enterprise is actually already consuming 12,000 cloud applications. There's actually 33,000 out there today, and it continues to grow. And so the challenge is, is how do I get awareness of those cloud apps? How do I start to secure them, especially when 98% of the cloud consumption is driven by the users and the departments? So for an IT organization, how do they get their arms around that? And we were able to join with BMC and start to help them begin their journey of, how do we secure their environment?

Tony Kelly: If you go to the next slide ...

Tony Kelly: So the big thing is, as you're now consuming all these cloud apps and starting to recognize that, the cloud apps that you're driving as an IT organization but also all the other cloud apps that folks are either using personally or to be more productive in their current jobs, you've got to start working about identity sprawl. And how do we extend your corporate identity out to not only your sanctioned apps, the apps that you'd like your enterprise users to use, but maybe even establish that identity with all of the unsanctioned apps that they're using. Even an app like AWS, there may be a sanctioned instance of that for your corporate usage, but generally 50% of your users also have a personal version of that same app. So how do you start to establish and tie back your corporate identity to all the cloud apps that you want them using, as well as the ones that maybe you need to be aware of and start to think about how you secure that?

Tony Kelly: The thing here that we've recognized is Okta is a fantastic identity provider that we love teaming with at Netskope. They can federate, or extend, your identity out to four to five thousand cloud applications today. By integrating with Netskope, where we fully understand all 33,000 cloud apps, we're able to help extend that identity out to all of those apps. So kind of a big thing for all of you guys that are interested in identity.

Joel Bruch: Okay, on the strategy side, these principles won't be dramatically different. We kind of went on our own journey early on but they're things you would see with BeyondCore. And fundamentally, the question was what are the capabilities that we need to put in place to facilitate the accessibility, user experience from any untrusted network? So as this extends out, at least we get consistency. And we can maintain certain capabilities we need, still even as things sort of move out to the cloud. So secure transport, that's a given for most applications, pretty easy. Strong authentication, certainly more than single factor, but we're looking at with different variations that are also supported by having a device trust layer, that can improve user experience as well. And then a presentation publishing capability for internal applications.

Joel Bruch: So one thing I'd like to point out here, in our traditional VPN we had a lot of cumbersome requirements. And we took the opportunity to go back through and assess what's really required. So at BMC, as we deploy device trust, I had a lot of IT service areas knocking on the door saying, “Hey, we really want our software to be a requirement for access.” And the more you stack in there, the higher risk you've got for impacting productivity where your employee base or users may not be at fault. And that's something you need to balance out your own journey. The IT service areas are going to look at this and say, “Hey, my job gets really easy if you just make my software requirement for access to this service.” The counter question there immediately should be, what are you doing today to monitor the health of your service? And make sure that you're going after those sort of issues. And if all you hear is crickets, if you have that in, you're facilitating lazy IT service management.

Joel Bruch: I will say there are, in the last slide there are additional requirements as well. These are just high level principles. But certainly, make sure that you have the ability to set and define policies for both string authentication, be it MFA or something else, and device trust that allows you to distinguish those requirements between both, at a user level and a service level. Because you're going to have a lot of applications that do have shared user types potentially customer as well as employee. So watch out for that.

Joel Bruch: So scope, we've gone over a hundred SaaS applications. Again, we've adopted heavy use of these so what we're doing here impacts every part of the business. And that we've got approximately 7,000 employees; many, many customer accounts. Again, just make sure that when you go through this that you account for all of the variations across your services. And I'm aware that some of the device trust solutions as well as some of the MFA solutions would have global policy settings, where by you could have one application that has some sort of an issue where you can't enable that and you'd have to disable it globally for individual. So take care there.

Joel Bruch: So our approach for device trust; so standard federation, SSO, SAML2, access control of network zone, and client access rules. So when we implemented device trust, we wanted to focus primarily on the risk area which had to do with employees using portable devices. So laptops, Macs, PCs. If we were to implement this for, say our r&d labs or other areas where you don't really have that portability risk, you've got the potential to burden the business in ways that probably you don't intend and risk undermining your overall effort. So make sure you can again, carve up those variations as needed and then focus in on those high risk segments to start. You may have global exceptions for some of these requirements again, depending on business need and risk.

Joel Bruch: I will also say that Netskope aligned very well with the requirements that we wanted and referencing some PKI based solutions. I need to know that I've got a level of administrative control, visibility, I can still do incident response and things like that for end points. So I wanted to go above and beyond the way that I'm seeing other approaches of profile devices.

Joel Bruch: Device trust, as well as buying us some flexibility to improve user experience. People were able to circumvent corporate policy, use personal assets for work, access services. Again, even with MFA, it's just not good enough. Particularly with the regulatory pressures. Customers are always asking where can our data end up and what are you doing to protect it? It comes up every time we do a sales side agreement. So we want to cover these things but the user acceptance challenge has to be addressed. And device trust affords us some flexibility to use what I would call, weaker authentication methods in conjunction with it that facilitate more seamless user access to services.

Joel Bruch: So this is what it looks like. We bundled up a combination of Okta Mobile along with the Netskope device trust capability. And so, where our sales guys would be out trying to use concur application, they would have to punch in a password every time and log in to go submit expenses of that nature. We can now provide a seamless experience to all of our applications be them external, internet facing, as well as internal. Again, a unified, seamless experience.

Joel Bruch: And so, Touch ID and Face ID are essentially local authentication right to a phone that is a wrapper for a credential manager. It just stores username and the password. But the authentication's pretty secure, but if you use it for seamless access, then you're leaving your internet facing services exposed to single factor credential compromise. Not great. With device trust, we're able to leverage that and leverage that local authentication to facilitate access to services in a way that, if somebody gets my username and password, they still can't log in to anything. And so this is really ideal. And this doesn't differ beyond what you would see if you just did Okta Mobile but it also addressed some risks associated with Touch ID and Face ID. So now it's launch of Okta Mobile, point your phone at your face, use your fingerprint and boom, you can access and jump between all of your federated applications be it external or internal.

Speaker 3: So I want to talk to you a little bit about the implementation for Netskope at BMC. So BMC, just like any other organization, is adopting cloud app more and more faster. And it's for good reason. They help our employees to get the job done more quickly, easily, flexibly, and compared to any traditional software. So whether it's Session or Shadow. Cloud user is growing and we need to monitor and enforce our security policy consistently across all of the cloud apps. Now environment, as well as on-premise app, we allow internet access for our employees.

Speaker 3: So on top of that, we also need to report on their compliance. And we need to do this thing while enabling our user to move fast with the cloud. So with the combination of Netskope active platform and Okta single sign on, as well as MFA, adaptive MFA, BMC can achieve both goals. So as you can see, Okta SSO and adaptive MFA will provide us the authentication and sign on capabilities. Network zone allowed integration with Netskope active platform device classification to perform the device check. Either mobile, laptop, desktop, that our employees use to access BMC apps and services in the cloud or external on premise apps. Whether they are in BMC office or on the road to enforce BMC managed device policies.

Speaker 3: So to implement the Netskope active platform, Netskope active platform has a Netskope client. It's a liveway agent that needs to be deployed at end point to all our BMC devices. With BMC client management, that's one of the products that we have at BMC. It's our largest service management solution. We are able to deploy desktop client to all BMC window devices seamlessly. BMC policy compliance component is also used to enforce Netskope client at the end points. For all mobile device, we implement Netskope integration with AirWatch. That's BMC used for MDM solution so Netskope can deploy on demand vme vpn profile can be configured and deployed to these mobiles. We also take advantage of Casper JAMF Pro Solution to deploy Netskope client for Mac devices. So once it's deployed, Netskope client at the end points would communicate with Netskope platform on the cloud for device classification check based on blocks, alert, policy that's set up for specific apps that we configure in BMC's steering configuration.

Speaker 3: And I should emphasize that when you implement Netskope active platform, you want to make sure that you have your own specific steering configuration so that you can move slowly, one app at a time, for a particular user in group and then growing from there to make sure that we don't interfere with the business transaction. Netskope client can also be upgraded automatically when you enable that option in Netskope admin console. Netskope also provides you a way, that they call Netskope checker, so you can allow employee to install Netskope client SSL service through Okta integration.

Tony Kelly: Alright, maybe go back one slide. I would love to just talk a little bit about the architecture here.

Tony Kelly: Quick question, how many of you have heard of Netskope before? I know one person has. Okay, great.

Tony Kelly: One of the things that we look at, in terms of, as I'm doing this digital transition to the cloud, I need a new architecture for securing the cloud. One of the first, most important elements is a single-sign on identity provider. So Okta did that with BMC several years back. Really, the next step though is how do I now have a platform for enforcing policy. And so that's where Netskope comes in. We are a cloud security platform. CASB is sort of the first use case for us.

Tony Kelly: But the initial use case at BMC was really very interesting because instead of just simply understanding what cloud app were we using, how could we also use your cloud platform to help us understand thE posture of our devices. Because we want to know that the user is a valid user, but we also want to know that their device is trusted. And trusted meant we were going to check for, did they have BMC's correct version of McAfee AV running? Was that device in the BMC domain, joined in that domain? Did it have a BMC certificate? And a few other steps that we would check on. And as we did that, we established that this device is managed. If its not managed then they don't get access to the sanctioned cloud apps that BMC has to offer for them.

Tony Kelly: So it's a really interesting solution. We are seeing more and more of our customers being very thoughtful of the devices accessing their cloud resources, especially their data that's in the cloud. Because if it gets pulled down to a personal device, you now no longer have any visibility where that went so BMC recognized by having device classification, they could really ensure this is an issued device from BMC, it's got all the right credentials on it to make sure that we're going to be secure and be able to give them that access moving forward.

Tony Kelly: To me, one of the really interesting things that we can do to establish device classification if you're concerned about it is, does the local device have disk encryption and is it enabled? So we can check for that too, as a part of that device classification. Any of those, criteria you can use just one of those to establish this is a trusted device, or you may have all of those. Its got to have every one of those categories and only then will I say that device is trusted and managed, and we'll allow them access.

Tony Kelly: But, a really interesting use-case, in general for securing your cloud, we absolutely think you need that identity provider and Okta's one of our favorites. They're a cloud based offering just like Netskope is. And then that cloud security platform with a company like Netskope.

Joel Bruch: In summary, in BMC I encountered a lot of resistance. Again, people were doing things that were driven at its core, by friction that had introduced by old legacy IT practices and security practices. And anyone that is going down this journey, I would challenge you to not fall back. These control points are strong enough to take us back to that era. And I would say, certainly balance things out with the potential business impact, whatever you're going to do to load these up to profile.

Joel Bruch: And get out in front of leadership within the business and make sure they understand. And if you can, try to provide some benefit, seamless access, something along those lines so its not just going to be pain and suffering. Because they come from a scary place. They used to have to VPN in all the time, it was slow, it took forever, just a lot of hoops to jump through to do their job. So if you can get beyond that, there's a happy medium where the business benefits and we can reign in some of that risk again. Certainly, keeping the right support personnel engaged early on in the project, so they're aware and they understand how to handle everything.

Joel Bruch: You know, I will say one of the big benefits here with Netskope is, we're able to do deployment, understand the profile, how many assets would be out of compliance and things like that before we did any policy enforcement so it allowed us to get in front of some of the posturing within areas that didn't necessarily want this deployed. We were able to go in and say, we're going to do a deployment and we can expect no issues, we've already run those down over the past couple of weeks.

Joel Bruch: On the communications side, the FAQs, make sure the employee population knows what's coming. The why's, certainly get into the legal aspects, policy portions. Again, emphasize the benefits to them and their productivity and seamless access.

Joel Bruch: I already covered number four. And as you go through the deployment, prioritize lesser used applications and work your way up to the broader deployment. Again, that will do a good job of undermining any pushback. It's hard to say the sky is falling when you're starting with an application that's only got 100 users or something like that. The profiling is all the same so as you go across each individual service, you're working through any potential issues, by the time you get to the big ones, it's push a button and nothing's going to happen. So I think that ...

Tony Kelly: I would say that one last take away for me is that, you want to recognize that your folks are consuming the cloud and then have a good strategy with how do you want to handle that on that policy side. How restrictive do you want to be? How open do you want to be? At the end of the day is, is how do you enable those users to consume the applications that they want to do their jobs effectively, in a productive way and have a great end user experience while still falling within the policies that you have as a company. I think some of these newer solutions, Okta and Netskope in this case, help you do that and do it in a way where it's not very intrusive to the end user. That has been a big part of allowing the users to not rebel, at the end of the day.

Tony Kelly: Any questions we want to take at this point?

Tony Kelly: So are you all using Okta today? I'm sure federating apps. Anybody out there federating more than 100 apps in their enterprise?

Speaker 4: Not with Okta.

Tony Kelly: Not with Okta, someone else. Okay.

Tony Kelly: Any of you out there using a CASB or even better yet, Netskope?

Speaker 4: Yes, Netskope.

Tony Kelly: You've got Netskope. Okay, good.

Tony Kelly: Alright, well appreciate the time but if you guys have any other questions and just want to chat at the end of the session, we'll be here for at least another 15, 20 minutes.

Joel Bruch: Thank you, everyone.

As data increasingly migrates from on-premises servers to the cloud, an effective identity and access management (IAM) strategy is critical to ensuring the security of that data. In fact, recent Netskope research indicates that IAM is enterprises' top concern for IaaS/PaaS deployments. Join Tien Dinh, Senior Manager, IAM & App Security at BMC Software and Sean Cordero, Head of Cloud Strategy at Netskope for this interactive session where attendees will learn the core components of a cloud IAM strategy, why identity is always the starting-off point in any cloud adoption journey, and how to best integrate your IAM strategy across all of your cloud services to ensure proper data protection in a cloud-first world.