Security Market Watch

Demystifying Policy Orchestration with Gerry Gebel, Strata Identity

October 18, 2023 Josh Bruyning Season 1 Episode 16

Ready to get your mind blown by the intriguing world of policy orchestration? Gain a whole new perspective as we dissect this cutting-edge concept alongside Gerry Gebel from Strata. Gerry introduces us to the fascinating world of identity query language (IDQL), a new approach to defining access rules and policies. Come along on this invigorating journey as Gerry details Strata's mission to transform the way we handle access across multiple cloud systems.

The discussion deepens as we unravel how Strata is making strides to simplify identity policy complexities and mitigate risk. Find out how establishing standard access rules and implementing them across different environments can reduce complexity. Hear about the integration of risk metrics into Strata's system and how this serves to bolster security.

Josh Bruyning
Maggie Dillon
Gerry Gebel
Strata

Speaker 1:

Welcome to this episode of Security Market Watch. I'm your host, Josh Bruyning, and our other host, Maggie Dillon, is in the house, of course, and today our guest is Gerry Gebel of Strata, and so Strata has become quite a friend of the show. We had talked to Eric Olden, who's the CEO of Strata, so if you haven't checked out that show, check it out. It was a great conversation. Actually, we talked to him a couple of times.

Speaker 1:

So love to hear more from our friends from Strata and Gerry, you are the head of standards at Strata, and today we're talking about policy orchestration. When we had talked to Eric, we talked about identity orchestration, which is sort of this concept that Strata had orchestrated. That was terrible. Okay, we'll edit that out, but you're talking about a little bit more of a concept that you haven't really rolled out yet, but it's something that is at the top of Strata's list and it's something that you guys are championing going into 2024. And it's something that we're going to hear a lot more about, and so I'm so excited to probe this brand new, brave new world of policy orchestration and just see what your plans are and how security leaders and listeners can apply that to their security programs today. Gerry, welcome.

Speaker 2:

Thanks so much, Josh. Really great to be here with you and with Maggie as well.

Speaker 1:

Maggie, what's going on in your world?

Speaker 3:

Well, this entire episode is tying in perfectly with what I've got going on, which is a lot of compliance creation and developing out new fire drill techniques for the cybersecurity industry, which is kind of like a pre-stress test. So I'm really interested to hear about what Strata's doing and I'm just going to turn it over to you. Tell us a little bit about what you've got going on and what you're developing, Gerry.

Speaker 2:

Sure thing. But, Josh, as you mentioned, Eric here at Strata has brought the notion of identity orchestration to the market and how we deal with different IDPs and identity providers and managing lots of different disconnected identity technologies. Well, what we're addressing with identity orchestration is primarily how do we handle the session creation? Which IDP should you log on with? What multi-factor authentication method should you use if that's needed, and so all of the steps needed to actually create a session with the business application. Okay, great, that's all fine. But once the session is established, now what happens? What can you do as a user? What do you have access to? That's where access policies come into play. Just as is the case with identity orchestration, with policies we're in a multi-cloud world where most organizations (I forget the latest percentages, but it's a majority of large organizations) are adopting more than one cloud platform. Okay, great, what's the issue there? Well, each platform has its own way of managing configurations and therefore access policies. Now, if you want to answer the question, who has access to what? To go back to that compliance question, well, that's more difficult because everyone does it differently.

Speaker 2:

What we're proposing with policy orchestration is the umbrella term, but the nuts and bolts of it is where we have proposed a new and neutral way to define access policies. We call that identity query language, or IDQL. The idea is that you can define these access rules and policies in one format and then use a mechanism to translate that into the bespoke formats of each of these cloud systems. You would have one way of managing access and then use the power of the translation to get it to the runtime systems. As part of the project, we've defined this IDQL specification, but we've also invested a lot of time and resources in an open-source project we call Hexa that does that translation that I just described. We're not just putting out a new format and saying, hey, everyone, just adopt this new format for a policy, but we're showing how it can actually be translated into the runtime so you don't have to change that runtime environment that's out there today. That's an introduction to what we're up to.

Speaker 3:

I love that.

Speaker 1:

Very cool. Does that all sound familiar and ring a bell for you, Maggie? It sounds like compliance mapping.

Speaker 3:

It does, especially because I've had the chance to see a demo that you performed or your team performed, and I learned a little bit about Hexa. I love hearing the backstory to all of that because it really clicks. I think this is genius. I don't really hear of any of your competitors doing anything like this. This is going to raise industry standards across the board.

Speaker 2:

Absolutely. We're getting a mix of vendors as well as folks from enterprise organizations as part of the working group coming behind this and supporting it. It's a nice mix of people that are behind the effort. We've been trying to get the word out. We go to different conferences across the industry here in the US and in Europe. We do podcasts like this and we brief the industry analysts, my old friends at Gartner, for example, or at KuppingerCole; they're covering this topic as well. We're just getting the word out, but we're still very much in the early days of the project. No doubt about that.

Speaker 1:

There seems to be this Maggie, you've got something to say. I'm going to hold my question.

Speaker 3:

No, go ahead.

Speaker 1:

There seems to be this trend of tools vendors trying to get ahead of compliance. Instead of having all of your customers do security and implement their tools on one side. Okay, are we compliant? We're not compliant. Go back to the tools. Turn on the switches, press the buttons, flip the switches. Are we compliant now? It seems like a lot of companies are now integrating their tools and their tool sets with policy. By switching to that tool, the company or the buyer would have an advantage when it comes to compliance. You don't have to go to an entirely different platform to understand how compliant you are. You've got it built into the tools. With the integrations, everything's integrating with everything. It seems like now everybody wants to integrate with Wiz because they're killing it. You can get into that ecosystem and it makes it a lot easier for the market to understand where they are in compliance. Is that what you're doing? Are you riding that trend and that wave of bridging compliance in the tool set?

Speaker 2:

Yeah, I don't know if we're doing that exactly or maybe intentionally, but that could be where we end up. I mean, certainly if you have a policy structure that's human-readable, or at least more readable than just, say, very technical configurations and parameters, that's a big benefit for someone who's trying to demonstrate compliance to an internal auditor, to an external regulator or whomever. So I think the whole wave to adopt policies over very technical configuration data is definitely a positive trend.

Speaker 1:

So in your view, it's more of an emergent quality. It's not like you started there, but you found that it's low hanging fruit and, while you're at it, what'll emerge is sort of this unification between the tool set, the tweaks that you're making, and also where you're being compliant, because you are the control that is being measured for compliance. At the end of the day, yeah, ultimately, that's true.

Speaker 2:

I mean, at least we're part of that equation. Anyway, there's a lot of complexity around us that we're not directly addressing, but yet we're making that compliance more visible, more transparent and I think that's a mission we've been on as an industry for quite some time is to make more sense of that very technical complexity that's happening just under the hood, and the industry is always looking for new tools, new ways to address that, because our world is not getting simpler, that's for sure. It's getting more and more complex. So we need better tools and better automation, for example, to manage that environment.

Speaker 1:

Yeah, I'm trying to make sense of the technical complexity right now and I'm glad that we have you on the call to make it clear. All right, Maggie, take it away.

Speaker 3:

Well, I'm sitting here listening and one of the top things I'm thinking of is how would the IDQL tie in for risk forecasting, and if there's a way you could just, in layman's terms, break that down. I know a lot of people that watch our shows are up and coming in the cybersecurity industry, so they're still learning. There are a lot of students, that type of thing. Could you tell us a little bit about that, especially even for an auditor that might be listening, and how this would benefit them?

Speaker 2:

Yeah, sure, I think there's maybe a few different ways to look at it and think about risk. One is that we're trying to reduce complexity, or trying to address the complexity that's out there and make it more manageable, especially when we have applications or data distributed across multiple cloud environments. So that's inherently complex. So we're trying to establish access rules and policies in a single way, in a standard way, so that they can be consistently implemented across the different environments where that data or where those application resources are deployed, so that in and of itself you would say, well, that reduces my risk because I know that my access rules are consistent across that environment.

Speaker 2:

I have a change control process in place where, if I need to update those rules and policies, I have a controlled way to do that. I can put new changes in, I can roll them back in a manageable way again, so that can address the risk from that perspective. Then you can also say, well, part of the policies I'm writing can incorporate risk metrics that come from some third party system or maybe some internally developed risk analytics module that we have. So the policies themselves can say well, transactions at $1,000 are OK if the risk score is less than three or whatever it is. So we can incorporate risk metrics, develop that runtime and to make that policy result be different based on the status of that risk metric. Does that make sense? So far it does absolutely.

Speaker 3:

It sounds like, forgive me, but this is a compliment, geek speak for any type of people who love analysis. I love that. I think that makes a lot of sense. Question to you, and I'm really big on this and I know Josh is too, this is something we talk about all the time: we talk to a lot of SMEs in our industry, but the amount of education that is needed across the board, not just here in the United States but across the globe. Is there anything that Strata does to collaborate with universities, local communities? Is there anything that, if someone were watching this and they're trying to develop new curriculums or certifications, they could get on board with to learn these types of things?

Speaker 2:

Wow. There are a few different ways to answer that as well. We do take on interns from time to time, but we're a small company, so we can't take on 50 or 100 interns at once. I think internships are a great way, especially while you're in the university, to get a taste of what's happening in the real world and bring that back to your academic studies. I definitely know of a colleague in the industry who teaches at a local university near him and he teaches a course on identity and access management. He's probably one of the few out there that does that.

Speaker 2:

There are folks doing that and trying to up-level and make the computer science curriculum more real world, if you will, which is a great benefit. Then I also would need to give a shout out to my friends at IDPro. It's a relatively new professional organization and they're really trying to nurture and mentor new people coming into the identity part of the industry. They may be coming over from security or coming over from the application area or what have you. It's a great organization to be a member of individually, or your company can sign up as well. So lots of different paths to get the education that you need to really excel in this industry. Again, identity.

Speaker 1:

That's a really big topic. I mean it's at the heart of cybersecurity. A lot of people think that, when I talk to my friends, the muggles, when we talk about security they think about hacking and sitting at the computer and breaking in and jailbreaking stuff and cracking passwords and so on. I said no, mostly it's just identity theft. Mostly they just steal your credentials. What you guys are doing, I think any kind of information that you're putting out there in the community, is moving the needle. I'm embarrassed to ask this question so late in the game, but does policy orchestration stop at identity policy or does it bleed into all facets of policy?

Speaker 2:

I wouldn't say all facets, but we do have the notion that it applies at different layers in the typical stack, if you will. At the application, that's typically where it's most visible and we're talking about it, but also at the infrastructure layer. So how do you configure compute and storage and memory and so on? To the data layer: who can see what rows in a database, or how should columns be filtered out or redacted for other people? And then even to the network. You think about software-defined networks and next-gen firewalls and the whole SASE world of networking. That's all policy driven as well. So at least from our project's perspective, we do think of policy across those different kinds of domains.

Speaker 1:

Okay, under one umbrella to rule them all. How is this going to work with Microsoft and all these other big, large tool sets that are already orchestrating policy in their own way and that the market is used to?

Speaker 2:

Well, that's true. Whenever you're embarking on a new standardization effort, there always are incumbent interests and there are de jure standards or methodologies that are out there. It takes time to build consensus and figure out, okay, is this a better way to approach it? You always have to work on the compromise between a vendor's self-interest versus what their customers or what the market is looking for. That's just the nature of bringing a new standard to the industry.

Speaker 1:

Well said.

Speaker 2:

Yeah.

Speaker 3:

I'm learning so much. I'm such a nerd for this type of stuff, so I'm excited about this and I want to highlight you a little bit.

Speaker 3:

That's all we're doing. I have a question, so I don't know if you knew this or not, Gerry, I used to do a lot of executive headhunting prior to today and I don't know if I've ever really heard of someone in your position, and it's very unique and I think a lot of people would have interest in doing what you're doing for companies. How did you get into this? Could you tell us just a little? We should have asked you this in the beginning. I'm sorry. How did you get into this, and tell us a little bit about your background?

Speaker 2:

Yeah, sure, I guess standards have been part of my world, sort of part of my career arc, for quite a while now in different capacities. Here at Strata, this is what I'm focusing on, the project we've been talking about. But my previous employer was Axiomatics, which is a fine-grained authorization vendor based in Sweden. They were built around an authorization standard called XACML. It's an OASIS standard, the eXtensible Access Control Markup Language, and so it was focused on that and standardizing that world.

Speaker 2:

And before that I worked at Burton Group where we did a lot of reporting on the emergence of industry standards, one of them that Eric Olden worked on, SAML, the Security Assertion Markup Language, which was the first way to do standardized single sign-on between domains.

Speaker 2:

This came out as the World Wide Web was emerging and you had so many websites and everybody wanted an ID and password, not that they don't want that today, but it was a way now to integrate those domains in a standard way. So at Burton Group we wrote about those standards and others. And then, even before that, when I was in industry at Chase Manhattan Bank in New York, part of my group, part of our responsibility, was to work with the Open Software Foundation, working on standards that they were focusing on at the time, and I remember my manager, who was a great mentor at that time. He would say that it's better for us to be at the table, you know, directing and developing the standards, rather than just let Citibank and Bankers Trust and our competitors do it for us. And so I guess that's sort of the career arc of where standards have been part of my roles in different capacities.

Speaker 3:

Awesome. Well, and I'm sure you already know this, we're at a 3.5 deficit in the cybersecurity world and there are so many people and, Josh, I never asked you this, I have so many people ask me how did you get into cybersecurity? Because I don't like the industry I'm in, and I feel, you know, obviously, cybersecurity is all over in many different facets, and so I feel that there are a lot of people, I believe, from the insurance industry, things of that nature, that would love a role like yours. So that's kind of why I asked you that, because we need help and you would be a great mentor for that. So I was just curious.

Speaker 2:

Yeah, and you don't need a computer science degree. You know, I think of a lot of my friends in the industry. There's a ton of musicians in IT in different capacities, a lot of history majors, philosophers. You know what I'm talking about out there. So it's not like you have to have a comp sci degree to get into the industry. You don't have to have a degree at all, even. I mean, you can go to a trade school and get your start or, like I said before, become an intern or you just find yourself maybe doing the IT sorts of things. So there are many entry points into the industry, no doubt.

Speaker 1:

You want to hear something. Okay, I'm putting myself out there, this is going to be real Now. Okay, now I've played it up way too much, so I'm just going to say it. I have an English degree, right, I was a massage therapist. And, yeah, I was a massage therapist. I studied English English literature at the University of Minnesota and then I started working for a credit union in the IT department.

Speaker 1:

I reported straight to the CISO. That's how I got into security and he was just hell bent on me getting a master's. So he was like you can work for me, but only if you're in school. And so he was like, okay, take on every project you want to take on. You just have to make sure that you do it securely and you have to make a business case for it. So I was like, done, I can do that. And then I went and got my master's in MIS and minored in cybersecurity. And that was my path.

Speaker 1:

I mean, yes, you can be a philosopher, even the philosophers, the philosophy majors, English majors, you know fine arts and get into cybersecurity, because I've done it. And cybersecurity is not always technical, it's not always just you know the coding and the breaking of stuff, but it is also sales, marketing, customer success, understanding people. There's a whole people side of cybersecurity that, quite frankly, the technical IT folks and those SMEs sort of don't excel at. They're really good at the computer stuff, but we need more people who are better at people because, to parrot my friend Albert Whale, cyber security is a nebulous concept. It is something that lends itself to philosophy. So if you're out there and you're a philosophy major, come on in. It's a big tent, we'll welcome you.

Speaker 2:

Yeah, absolutely. But I think you bring up a really good point there, Josh, in that a lot of us in the IT industry are so closed-minded or so tunnel-visioned to think of the technology itself and we lose the connection to the business that we're working for. And I think that's something that can really enhance your career path is, if you, yes, understand the technology and be an expert there, great. But if you can understand what that means to the business, how it impacts the risk of the business that you're working in or not, or how it impacts the customer experience, and really understand that side of the organization, that really, I think, is beneficial in so many ways to you as an individual, but also to the company or the organization that you're working for.

Speaker 3:

And I actually went to college for occupational therapy, ended up dropping out, drove my car to LA, moved out there from Indiana and got in with the DoD, with Lockheed Martin, and the rest is history. So it's interesting. I'm glad we all three talked about our backgrounds, because we are all very different. I don't have a degree and I'm working with the best in the business, and here you are developing brand new standards. And Josh is over here killing the game. So Josh is the Howard Stern of the cybersecurity podcast. Hey now.

Speaker 1:

Hey now, oh man, okay. So to wrap this up, who do you think is going to be the ideal customer for something like this? And so, if you think of it in the org chart with this, who would be the owner of policy orchestration? Would it be the CISO? Is it going to get punted to GRC? What do you think?

Speaker 2:

Yeah, where that lines up is going to vary company to company. I think probably the most commonplace might be out of the CISO office in some regard, but also, I think, within the architecture group. You know, if there's an enterprise architecture committee or that kind of function within an organization, they would probably be very interested in this. But it also can even go down to the operations team, you know, the DevOps team, the ones that are, you know, knee deep in the day-to-day functionality and sitting in front of all the screens. So it's going to be different through different organizations, but I think those are probably some common places where it would line up.

Speaker 1:

And how soon is this going to hit shelves?

Speaker 2:

Oh, I think it could hit the shelves as soon as next year, although you can go to GitHub and the Hexa policy orchestration repo and you can test out what we've built so far. So it's ready to be deployed in your laboratory today so you can do some additional experimenting with it and build integrations with different systems that we've not addressed so far. But I think for it to actually be in a product that you can buy, you know, perhaps next year you might see it out there.

Speaker 1:

Excellent, excellent. All right. Well, Gerry, thank you so much for your time. Is there anything that we didn't ask that you're just itching to get out there? You know, now's the time to do it.

Speaker 2:

Oh no, you don't want to send me off on the soapbox or anything like that. No, I think this has been really great. I think it's been, you know, a great conversation to highlight, you know, the value of some of these standardization efforts that are out there, and you know we're plugging away at it. We've got a lot of folks interested in the outcomes and I appreciate you inviting me to the podcast today to share that vision.

Speaker 1:

Really appreciate it. Our pleasure, our pleasure, and we know you guys are leading the charge. Really appreciate it every time somebody from Strata likes to stop by. Thank you so much. Maggie, anything that you'd like to say?

Speaker 3:

I'm the same with it. Don't send me down that rabbit hole, Josh. If anyone wants to find out more information on what you're putting together, Gerry, where should they go? You know, if they want to contact you, what would your contact info be?

Speaker 2:

Yeah, the project website is hexa orchestration dot org. Or you can just send me an email at Gerry at strata dot IO, and Gerry with a G.

Speaker 1:

All right, and that's our show for today. Thank you for watching or, if you're listening, thank you for listening to this episode of Security Market Watch. You can find me on LinkedIn, LinkedIn.com slash Josh Bruyning. You can also find Maggie on LinkedIn. Subscribe to our newsletter. What's it? Smash that like button and subscribe. Thank you so much. We'll see you in the next one. Bye. All right, that was great, excellent.

Speaker 2:

Awesome, relatively painless yeah.

Speaker 1:

Yeah, we try to make it painless and fun and short and sweet, so that was excellent. I think you got your message out there. I think people understand what policy orchestration is. I understand what it is a little bit better now. Awesome. If you guys ever want to come back and talk about anything, honestly, love to have you on the show.

Speaker 3:

And I want to talk further with you, and I haven't even told Josh the good news yet. I just was asked to go to DC Quantico in a month at Cyberbites Foundation and, Gerry, I would love to introduce you to them. They are putting together labs and I would love to get you in front of them for an opportunity, because they're looking for very unique, exactly what you're doing, to add. That's not going to be common and I would just like to have a further conversation with you, if that's okay, maybe a little bit later down the road, and get out there, get to know a little bit more of what some of their strategies are for 2024. But this is right in alignment. That's why I kind of asked a little bit about that education question.

Speaker 2:

Okay, absolutely. Happy to get that. Yeah, get ready, Gerry.

Speaker 1:

Maggie is the connector. She sees, she, like, has, like, solution vision. She's like, this is the problem, this person can solve that problem, and she puts it all together and you get these synergies.

Speaker 2:

So that's important. Someone's going to connect the dots, yeah.

Speaker 3:

Well, thank you so much for your time. This has been great.

Speaker 2:

Thank you as well. Great to meet you, Maggie. Thanks, Josh.

Speaker 3:

You too.

Speaker 1:

All right, thanks, Gerry. Thanks, Meg. Bye. Take care, goodbye.

Policy Orchestration in Security
Managing Identity Policy Complexity and Risk
Standardization and Career Path in Cybersecurity