WEBVTT 1 00:00:00.120 --> 00:00:03.080 Okay, so start with a mental image. Let's say you're 2 00:00:03.120 --> 00:00:05.799 the guardian of a castle, right, I mean, in the 3 00:00:05.839 --> 00:00:11.720 medieval model, security was incredibly straightforward. You had thick stone walls, 4 00:00:12.199 --> 00:00:13.199 a deep moat. 5 00:00:13.119 --> 00:00:17.719 A heavy drawbridge. Yeah, that's the classic perimeter defense. It's comforting, 6 00:00:17.800 --> 00:00:19.199 it's visible, and in the. 7 00:00:19.120 --> 00:00:23.079 Modern world it's completely obsolete, totally absolute, right because the 8 00:00:23.120 --> 00:00:26.719 castle has well, it's effectively exploded. The treasury is in 9 00:00:26.760 --> 00:00:30.480 a public cloud, your armory is on an employee's personal 10 00:00:30.519 --> 00:00:32.960 iPhone at a coffee shop. 11 00:00:32.759 --> 00:00:35.280 And the throne room is a zoom call exactly. 12 00:00:35.759 --> 00:00:37.880 So the question we're tackling today is how do you 13 00:00:37.920 --> 00:00:40.759 hand out keys to a castle that's everywhere and nowhere 14 00:00:40.759 --> 00:00:41.479 at the same time. 15 00:00:41.640 --> 00:00:44.799 That is the fundamental paradox of the modern workplace, and 16 00:00:44.840 --> 00:00:47.840 it's exactly why we're taking a deep dive into OCTA 17 00:00:47.920 --> 00:00:52.039 Administration up and running. This isn't just about software, it's 18 00:00:52.119 --> 00:00:54.280 really about the architecture of trust, and. 19 00:00:54.240 --> 00:00:56.280 This book it really feels like a manual for that 20 00:00:56.359 --> 00:00:59.600 exact shift. It's moving us from securing the network to 21 00:00:59.640 --> 00:01:03.560 secure the identity. They're basically arguing that Identity Access Management 22 00:01:03.640 --> 00:01:05.239 IAM is the new perimeter. 23 00:01:05.400 --> 00:01:05.959 It has to be. 24 00:01:06.200 --> 00:01:09.799 But before we get into the heavy technical lifting, and 25 00:01:09.840 --> 00:01:12.000 we will, we have to talk about the name. I've 26 00:01:12.079 --> 00:01:15.560 used Octa. I've seen the logo, but I honestly just 27 00:01:15.560 --> 00:01:17.359 thought it was a made up tet word A lot 28 00:01:17.359 --> 00:01:17.879 of people do. 29 00:01:17.959 --> 00:01:21.120 But there's a great bit of trivia there that actually 30 00:01:21.200 --> 00:01:24.959 explains their whole business model. Okay, So the founders, Tom 31 00:01:25.000 --> 00:01:27.959 McKinnon and Frederick Karras, they both came out of Salesforce 32 00:01:28.599 --> 00:01:30.560 and back in two thousand and eight, right in the 33 00:01:30.560 --> 00:01:33.920 middle of the recession, they made this huge bet that 34 00:01:33.959 --> 00:01:37.599 the cloud wasn't just for giants but for everyone. 35 00:01:37.879 --> 00:01:40.799 And the name okta, that's not random, not at all. 36 00:01:40.799 --> 00:01:43.120 It actually comes from meteorology. 37 00:01:43.159 --> 00:01:45.640 Meteorology, Yeah, cloud cover. 38 00:01:45.519 --> 00:01:47.519 Is measured in units called oktas. It's a scale that 39 00:01:47.560 --> 00:01:50.439 goes from zero to eight. Zero okdas is a completely 40 00:01:50.519 --> 00:01:51.359 clear blue. 41 00:01:51.159 --> 00:01:53.719 Sky, and eight octas would be eight octas. 42 00:01:53.400 --> 00:01:55.560 Is completely overcast total cloud cover. 43 00:01:55.799 --> 00:01:58.599 So the company's entire mission is hidden right there in 44 00:01:58.640 --> 00:02:01.319 the name. They want to provide total cover for all 45 00:02:01.359 --> 00:02:02.120 cloud access. 46 00:02:02.159 --> 00:02:04.840 That's actually pretty clever and it connects directly to their strategy. 47 00:02:05.040 --> 00:02:07.959 The book describes Octa as the Switzerland of identity. 48 00:02:08.199 --> 00:02:10.479 I like that analogy because when you think about the 49 00:02:10.479 --> 00:02:15.360 big players like Microsoft, Google, Oracle, they all have identity solutions. 50 00:02:15.759 --> 00:02:18.759 Microsoft has untri id, Google has its own thing, but 51 00:02:18.800 --> 00:02:21.719 they also have these massive ecosystems they want to lock 52 00:02:21.759 --> 00:02:22.120 you into. 53 00:02:22.400 --> 00:02:27.039 Precisely, Microsoft wants you an Azure but Octa. They don't 54 00:02:27.039 --> 00:02:29.800 have an email server or a cloud storage platform to 55 00:02:29.840 --> 00:02:32.800 sell you. They are purely the identity layer. They're the broker, 56 00:02:32.919 --> 00:02:35.599 so they're neutral ground, right. They have over sixty five 57 00:02:35.639 --> 00:02:38.360 hundred pre built integrations. They don't care if you use 58 00:02:38.400 --> 00:02:41.960 Aws or Azure, slacker teams. Their only job is to 59 00:02:42.000 --> 00:02:45.400 connect them, and that neutrality is a huge competitive advantage. 60 00:02:45.479 --> 00:02:47.759 Okay, so that's the who. Let's get into the how. 61 00:02:49.080 --> 00:02:52.879 The book leans so heavily on this idea of zero trust. Now, 62 00:02:52.919 --> 00:02:56.039 to me, that phrase zero trust, it sounds like a 63 00:02:56.080 --> 00:02:58.199 bad relationship. Trust no one. 64 00:02:58.439 --> 00:03:01.800 It is cynical, but it's a necessary cynicism. The old 65 00:03:01.840 --> 00:03:04.639 castle model assumed that if you were inside the firewall, 66 00:03:04.719 --> 00:03:06.639 you know, you plugged an Ethernet cable into the wall 67 00:03:06.639 --> 00:03:09.159 of the office, you were trusted by default, You're one 68 00:03:09.159 --> 00:03:09.800 of the good guys. 69 00:03:09.879 --> 00:03:10.080 Right. 70 00:03:10.280 --> 00:03:13.960 Zero trust just flips that completely says never trust, always verify. 71 00:03:14.120 --> 00:03:17.280 So even if I'm the CEO in the headquarters building 72 00:03:17.520 --> 00:03:18.680 plugged into the wall. 73 00:03:18.639 --> 00:03:22.439 Doesn't matter. The system verifies you, your device and your 74 00:03:22.479 --> 00:03:25.680 context every single time. And the book breaks this down 75 00:03:25.719 --> 00:03:28.439 into a maturity model because you don't just, you know, 76 00:03:28.639 --> 00:03:31.240 flip a switch and become zero trust overnight. 77 00:03:31.319 --> 00:03:32.639 I think a lot of people are going to recognize 78 00:03:32.639 --> 00:03:34.840 their own companies in these stages. Let's walk through them. 79 00:03:34.879 --> 00:03:39.719 Sure. Stage zero is fragmented identity. This is the legacy world. 80 00:03:39.879 --> 00:03:43.520 You've got on premise, active directory, firewalls, VPNs, and. 81 00:03:43.560 --> 00:03:47.400 A sticky note on your monitor with five different passwords 82 00:03:47.479 --> 00:03:48.639 for five different. 83 00:03:48.319 --> 00:03:52.680 Sites, the sticky note of doom exactly. Then you move 84 00:03:52.719 --> 00:03:57.000 to stage one, unified. I am this is where life 85 00:03:57.039 --> 00:03:59.240 gets better. You introduce a single finn on. 86 00:03:59.400 --> 00:04:01.719 As SSO one log in for everything. 87 00:04:01.439 --> 00:04:05.360 And you start using basic multifactor authentication MFA. That's the 88 00:04:05.400 --> 00:04:07.039 code on your phone, the push notification. 89 00:04:07.159 --> 00:04:08.919 Okay, that's pretty standard now it is. 90 00:04:09.120 --> 00:04:13.000 But stage two is where it gets really interesting. Contextual access. 91 00:04:13.280 --> 00:04:15.360 The system stops just looking at who you are. It 92 00:04:15.360 --> 00:04:17.439 starts looking at where you are and what you're using. 93 00:04:17.519 --> 00:04:19.759 Give me an example of context okay. 94 00:04:19.519 --> 00:04:21.519 So you log in every day from London on your 95 00:04:21.560 --> 00:04:25.319 corporate laptop. Suddenly your credentials pop up from North Korea 96 00:04:25.560 --> 00:04:27.959 at three am on some random iPad. 97 00:04:28.079 --> 00:04:28.279 Right. 98 00:04:28.519 --> 00:04:31.360 Stage one security might let that through if the hacker 99 00:04:31.360 --> 00:04:35.360 has your password. Stage two, contextual access says, wait a minute, 100 00:04:35.480 --> 00:04:37.360 the context is all wrong. Block it. 101 00:04:37.360 --> 00:04:39.680 It's spotting the anomalies. So what's stage three? 102 00:04:39.879 --> 00:04:43.879 Stage three is the adaptive workforce. This is high level automation. 103 00:04:44.279 --> 00:04:46.560 Your security tools are all talking to each other. So, 104 00:04:46.759 --> 00:04:50.360 for example, if your endpoint protection software finds a virus on. 105 00:04:50.279 --> 00:04:52.480 Your laptop, CrowdStrike or something. 106 00:04:52.240 --> 00:04:55.639 Yeah, exactly, it sends a signal to Octa automatically, and 107 00:04:55.720 --> 00:05:00.160 Octa instantly revokes your access to salesforce to slack to everything. 108 00:05:00.319 --> 00:05:03.519 So the laptop basically snitches on itself to the identity provider. 109 00:05:03.680 --> 00:05:05.680 Yes, no human has to wake up at two in 110 00:05:05.720 --> 00:05:08.480 the morning to click a button. The system just heals itself. 111 00:05:08.560 --> 00:05:11.319 That sounds like the dream. But to build any of 112 00:05:11.319 --> 00:05:15.040 that you need a really solid foundation. The book spends 113 00:05:15.040 --> 00:05:17.399 a ton of time on something called the universal directory. 114 00:05:17.680 --> 00:05:21.959 It's the single source of truth. In most companies, user 115 00:05:22.040 --> 00:05:24.600 data is just a mess. You've got records in an 116 00:05:24.759 --> 00:05:28.920 HR system, logins an active directory, email accounts somewhere else, 117 00:05:29.519 --> 00:05:34.639 Universal directory or UD pulls all that together into one unified. 118 00:05:34.279 --> 00:05:36.160 View, but they don't all come from the same place. 119 00:05:36.439 --> 00:05:39.399 The book lists three user types, which seems like a 120 00:05:39.399 --> 00:05:41.360 really important distinction oly critical. 121 00:05:41.600 --> 00:05:45.399 First, you have octamastered users. These are people you create 122 00:05:45.519 --> 00:05:47.800 right inside the OCTA admin console. 123 00:05:47.519 --> 00:05:49.879 So that could be like a contractor who doesn't need 124 00:05:49.920 --> 00:05:52.079 to be in the main HR system exactly. 125 00:05:52.399 --> 00:05:57.079 Second, directory master users imported from a server like active directory. 126 00:05:57.319 --> 00:06:01.319 And third application mastered these users come from an app 127 00:06:01.399 --> 00:06:02.720 like Workday or Salesforce. 128 00:06:03.000 --> 00:06:05.879 And why does it matter so much where the user lives. 129 00:06:05.879 --> 00:06:08.800 Because it determines who has the power to change the data. 130 00:06:09.319 --> 00:06:11.759 If a user is directory mastered, you can't change their 131 00:06:11.800 --> 00:06:14.160 password inside Octa. You have to change it on the server. 132 00:06:14.399 --> 00:06:17.120 It prevents these data conflicts. 133 00:06:16.680 --> 00:06:18.720 Hight, and that leads to this concept I found really 134 00:06:18.720 --> 00:06:20.920 interesting in the book, a tribute level mastering. 135 00:06:21.319 --> 00:06:25.560 Yes, it's like building a Frankenstein's Monster of a user profile, 136 00:06:25.879 --> 00:06:28.519 but in a good way. Okay, you can tell ACTA, Okay, 137 00:06:28.800 --> 00:06:31.120 I want the user's job title to come from the 138 00:06:31.279 --> 00:06:35.199 HR system because that's official. But the office phone number, 139 00:06:35.639 --> 00:06:39.040 pull that from active directory, and let the user update 140 00:06:39.040 --> 00:06:41.399 their own secondary email for password recovery. 141 00:06:41.480 --> 00:06:44.079 So OCTA sits in the middle playing traffic cup, grabbing 142 00:06:44.079 --> 00:06:47.000 different bits of info from different places, and then presents 143 00:06:47.040 --> 00:06:49.160 one complete profile to all the other apps. 144 00:06:49.519 --> 00:06:53.160 Exactly. It solves that data fragmentation problem. And once you 145 00:06:53.240 --> 00:06:56.360 have that data flowing, you can enable something called just 146 00:06:56.439 --> 00:06:59.519 in time provisioning or jiit JIT. 147 00:07:00.000 --> 00:07:01.720 It's in manufacturing. 148 00:07:01.319 --> 00:07:05.199 Kind of imagine a new employee starts instead of an 149 00:07:05.240 --> 00:07:08.800 admin manually creating an account, JIT creates at the very 150 00:07:08.839 --> 00:07:11.519 first time they try to log in ocases they have 151 00:07:11.879 --> 00:07:14.920 valid credentials from say active directory, and says, oh, you 152 00:07:14.920 --> 00:07:16.920 don't have an account here yet, let me build one 153 00:07:16.920 --> 00:07:17.560 for you right now. 154 00:07:17.600 --> 00:07:19.639 And that gets rid of the bottleneck where new hires 155 00:07:19.639 --> 00:07:21.759 are just sitting around for days waiting for access. 156 00:07:21.800 --> 00:07:25.480 Precisely, it keeps the directory fresh without all the manual work. 157 00:07:25.759 --> 00:07:29.959 That's efficiency. Let's talk about managing all these users. You 158 00:07:30.000 --> 00:07:32.480 can't do it one by one. You need groups. And 159 00:07:32.519 --> 00:07:35.800 the authors put a huge warning label on one specific group, 160 00:07:36.279 --> 00:07:39.920 the everyone group. It sounds so harmless, so inclusive. Why 161 00:07:40.000 --> 00:07:40.680 is it a trap? 162 00:07:40.759 --> 00:07:44.560 Because it's hard coded. Every single user account in your 163 00:07:44.600 --> 00:07:48.959 system is automatically in the Everyone group. You can't rename it, 164 00:07:49.000 --> 00:07:51.439 you can't delete it. The trap is when a lazy 165 00:07:51.480 --> 00:07:54.040 admin assigns a sensitive app to. 166 00:07:54.000 --> 00:07:56.439 That group, because then everyone gets access. 167 00:07:56.199 --> 00:08:00.360 Everyone, the CEO, the summer intern, the external contractor. Oh wow. 168 00:08:00.439 --> 00:08:02.360 So if you assign the corporate credit card portal to 169 00:08:02.399 --> 00:08:04.800 the Everyone group, you've just given a credit card to 170 00:08:04.800 --> 00:08:07.759 your external vendors. It's a disaster waiting to happen. 171 00:08:07.800 --> 00:08:10.720 So the advice is basically, just don't touch it for 172 00:08:10.720 --> 00:08:12.160 anything important, Treat. 173 00:08:11.920 --> 00:08:15.279 It with extreme caution, use it for low risk things, sure, 174 00:08:15.560 --> 00:08:18.560 but never for anything sensitive. And the authors give a 175 00:08:18.560 --> 00:08:20.800 great little life hack here for naming your other groups. 176 00:08:21.079 --> 00:08:22.120 I loved this tip. 177 00:08:22.160 --> 00:08:25.639 It's so simple it is. It's because octagroups don't have 178 00:08:25.759 --> 00:08:29.800 folders or any kind of hierarchy. It's just one long, flat, 179 00:08:29.839 --> 00:08:34.480 alphabetical list. The tip is to use numbers to force a. 180 00:08:34.519 --> 00:08:38.679 Structure, so like zero zero dot all employees, or something exactly. 181 00:08:38.440 --> 00:08:43.720 Zero zero dot organization, zero one sales, zero two dot marketing. 182 00:08:43.919 --> 00:08:46.759 By putting a number at the front, you force the 183 00:08:46.799 --> 00:08:50.159 list to sort. Logically, you're basically mimicking a folder structure 184 00:08:50.200 --> 00:08:51.360 where one doesn't exist. 185 00:08:51.440 --> 00:08:53.159 That is one of those tips that only comes from 186 00:08:53.159 --> 00:08:55.679 someone who's actually been in the trenches for sure. Now 187 00:08:55.679 --> 00:08:58.039 what about push groups? That sound a powerful but also 188 00:08:58.120 --> 00:08:58.799 a little risky. 189 00:08:58.960 --> 00:09:02.120 They are so normally you import groups from an app. 190 00:09:02.519 --> 00:09:04.600 Push groups. Let you take an Octa group and force 191 00:09:04.639 --> 00:09:06.200 it into an app like Slack or Box. 192 00:09:06.440 --> 00:09:09.279 So I create a sales group in Octa and poof, 193 00:09:09.480 --> 00:09:11.200 a sales channel appears in Slack. 194 00:09:11.360 --> 00:09:15.279 Yes, but the risk is the sink Octa is the boss. 195 00:09:15.639 --> 00:09:17.840 If you go into Slack and rename that channel to 196 00:09:17.879 --> 00:09:21.080 global Sales, Octa doesn't know you did that, the link breaks, 197 00:09:21.559 --> 00:09:23.759 or worse, Octa sees the name is wrong. It just 198 00:09:23.799 --> 00:09:26.320 pushes a new sales group. Now you have duplicates. 199 00:09:26.399 --> 00:09:28.759 So the rule is if OCTA's pushing the group, don't 200 00:09:28.759 --> 00:09:29.720 touch it anywhere else. 201 00:09:29.799 --> 00:09:31.320 You have to respect the source of truth. 202 00:09:31.519 --> 00:09:34.000 We've been talking a lot about the cloud, but the 203 00:09:34.000 --> 00:09:37.559 book is realistic. Most companies are still hybrid. They've still 204 00:09:37.559 --> 00:09:40.159 got that server room with active directory running. 205 00:09:39.879 --> 00:09:43.120 The hybrid reality. Yeah, companies have twenty years of history 206 00:09:43.159 --> 00:09:45.879 baked into active directory. You can't just rip that out. 207 00:09:46.240 --> 00:09:48.320 So Octa uses agents. 208 00:09:48.480 --> 00:09:49.600 Not secret agents. 209 00:09:49.759 --> 00:09:53.399 No software agents, little services you install on your internal 210 00:09:53.399 --> 00:09:56.879 servers that act as a bridge. The AD agent sits 211 00:09:56.879 --> 00:09:59.759 behind your firewall and talks to the Octa cloud. 212 00:10:00.320 --> 00:10:02.679 But doesn't that mean punching a hole in your firewall? 213 00:10:03.039 --> 00:10:04.600 Security teams hate that. 214 00:10:04.600 --> 00:10:07.679 That's the beauty of it. No inbound ports are required. 215 00:10:08.159 --> 00:10:11.960 The agent makes an outbound call to Octa over standard HTTPS. 216 00:10:12.480 --> 00:10:14.279 It phones home. It's very secure. 217 00:10:14.399 --> 00:10:17.159 And there's one feature that uses these agents that sounds 218 00:10:17.200 --> 00:10:18.759 almost like magic for the user. 219 00:10:18.919 --> 00:10:23.360 Desktop sso Desktop Single sign on. It's a seamless experience. 220 00:10:23.399 --> 00:10:25.559 If you're at the office, you log into your Windows 221 00:10:25.559 --> 00:10:28.240 PC and the agent basically vouches for you. When you 222 00:10:28.240 --> 00:10:29.759 open a browser to go to Octa, you don't have 223 00:10:29.799 --> 00:10:30.200 to type your. 224 00:10:30.120 --> 00:10:32.559 Password again because the computer already knows who you are. 225 00:10:32.840 --> 00:10:37.200 That's it exactly uses IWA Integrated Windows Authentication. It passes 226 00:10:37.240 --> 00:10:41.399 a cerbero's ticket in the background. It removes friction, and insecurity, 227 00:10:41.720 --> 00:10:42.799 friction is the enemy. 228 00:10:42.879 --> 00:10:45.159 If you make it too hard, people use sticky notes, right. 229 00:10:45.159 --> 00:10:47.000 If you make it invisible, they'll comply. 230 00:10:48.240 --> 00:10:51.120 So speaking of friction, let's get into policies. This is 231 00:10:51.159 --> 00:10:54.639 the logic layer. The book really stresses that the order 232 00:10:54.679 --> 00:10:56.080 of your policies matters. 233 00:10:56.440 --> 00:11:00.600 This is probably the most commonplace admins make mistakes. Evaluates 234 00:11:00.600 --> 00:11:05.039 policies in a top down numerical order. Think of a 235 00:11:05.080 --> 00:11:07.840 bouncer with a checklist. Okay, he reads rule number one, 236 00:11:07.960 --> 00:11:10.879 does it apply to you? If yes, he does what 237 00:11:10.960 --> 00:11:13.000 it says, and then he stops reading. 238 00:11:13.159 --> 00:11:14.559 He doesn't even check rule number two. 239 00:11:14.600 --> 00:11:16.559 It never gets to rule two. So if you put 240 00:11:16.559 --> 00:11:19.120 a really broad rule at the top that says allow everyone, 241 00:11:19.399 --> 00:11:21.840 and a strict rule at the bottom that says block hackers. 242 00:11:21.639 --> 00:11:24.320 The hackers are getting in because they matched rule number 243 00:11:24.320 --> 00:11:25.399 one first exactly. 244 00:11:25.440 --> 00:11:28.240 You have to structure your policies like a funnel. Specific 245 00:11:28.279 --> 00:11:31.440 restrictive rules go at the top, the broad cash all 246 00:11:31.519 --> 00:11:32.559 rules go at the very bottom. 247 00:11:32.639 --> 00:11:35.919 And you apply this logic to what password policies and 248 00:11:35.960 --> 00:11:36.919 sign on policies. 249 00:11:37.240 --> 00:11:39.559 Those are the two main ones. Password policies are what 250 00:11:39.600 --> 00:11:42.879 you'd expect, you know, length, complexity. But the book mentions 251 00:11:42.919 --> 00:11:45.279 password history, which is important. 252 00:11:44.919 --> 00:11:47.399 To stop people from just changing the number at the 253 00:11:47.519 --> 00:11:48.519 end of their password. 254 00:11:48.679 --> 00:11:52.200 It stops the winter twenty twenty three then Spring twenty 255 00:11:52.279 --> 00:11:55.799 twenty three cycle. You can tell octat to remember the 256 00:11:55.919 --> 00:11:59.120 last four or five passwords and forbid the user from 257 00:11:59.120 --> 00:12:00.039 reusing them. 258 00:12:00.039 --> 00:12:02.279 And sign on policies. That's about access. 259 00:12:02.399 --> 00:12:05.279 That's about access. This is where you grade the log 260 00:12:05.279 --> 00:12:08.600 in attempt. You set up risk factors. Is the user 261 00:12:08.639 --> 00:12:10.919 on a managed device? Are they coming from a known 262 00:12:11.039 --> 00:12:12.200 corporate IP address? 263 00:12:12.720 --> 00:12:14.639 And based on that you make a decision. 264 00:12:14.840 --> 00:12:17.919 Right, And the decision isn't just allow or deny. The 265 00:12:17.919 --> 00:12:19.919 most powerful one is prompt for factor. 266 00:12:20.240 --> 00:12:22.120 So ask for the MFA code. 267 00:12:22.320 --> 00:12:24.600 Correct. If you're in the office on a corporate laptop, 268 00:12:24.679 --> 00:12:27.120 maybe we trust you enough, no code needed. If you're 269 00:12:27.120 --> 00:12:29.879 at Starbucks on your personal phone, we don't trust the network. 270 00:12:29.879 --> 00:12:32.559 Prompt for the code. That's contextual access in action. 271 00:12:33.039 --> 00:12:35.519 It all connects back to that zero trust idea. It's 272 00:12:35.559 --> 00:12:36.639 not a simple yes or no. 273 00:12:36.799 --> 00:12:38.159 It's a sliding scale of trust. 274 00:12:38.399 --> 00:12:40.679 I want to circle back to one thing about importing users. 275 00:12:41.159 --> 00:12:44.320 The book mentions import safeguards. This sounded like a panic 276 00:12:44.360 --> 00:12:45.320 button for admins. 277 00:12:45.360 --> 00:12:47.000 It's more of a don't get fired button. 278 00:12:47.080 --> 00:12:47.320 Yeah. 279 00:12:47.440 --> 00:12:50.039 Imagine you mess up a query and active directory and 280 00:12:50.080 --> 00:12:52.559 suddenly it looks like you just deleted five hundred users. 281 00:12:52.639 --> 00:12:56.519 Oh no, if OXTA sinks that change, it would deactivate 282 00:12:56.559 --> 00:13:00.399 five hundred accounts instantly, Half the companies locked out. The 283 00:13:00.480 --> 00:13:04.799 help desk phones would literally melt chaos. The import safeguard 284 00:13:04.919 --> 00:13:07.399 monitors the percentage of changes. You can set a threshold. 285 00:13:07.639 --> 00:13:09.879 If an import tries to delete more than, say, ten 286 00:13:09.919 --> 00:13:13.039 percent of your users, Octa just pauses the sink and 287 00:13:13.120 --> 00:13:16.519 sends you an alert saying, hey, this looks really drastic. 288 00:13:16.559 --> 00:13:17.519 Are you sure you want to do this? 289 00:13:17.720 --> 00:13:20.480 It stops the automation from driving off a cliff exactly. 290 00:13:20.919 --> 00:13:23.440 Automation is great, but you always need guardrails. 291 00:13:24.039 --> 00:13:26.120 So when we step back and look at the whole picture, here, 292 00:13:26.200 --> 00:13:28.960 what's the big takeaway? We've gone from this fragmented mess 293 00:13:29.200 --> 00:13:33.399 to a unified directory covered by eight octas of cloud. 294 00:13:33.559 --> 00:13:35.679 I think the takeaway is the evolution of the IKE 295 00:13:35.840 --> 00:13:39.000 admin's role. In the old days, the admin was a gatekeeper. 296 00:13:39.279 --> 00:13:40.879 They started the drawbridge and said. 297 00:13:40.679 --> 00:13:44.039 No, a reactive job, very reactive, very manual. 298 00:13:44.279 --> 00:13:47.559 Now the admin is an architect. They're designing a system 299 00:13:47.559 --> 00:13:50.799 of logic and policies that basically runs itself. They're building 300 00:13:50.840 --> 00:13:53.960 a zero trust environment that actually makes the user experience 301 00:13:54.000 --> 00:13:56.000 better while making the company more secure. 302 00:13:56.399 --> 00:13:59.320 So they're not guarding the castle anymore. They're designing the 303 00:13:59.360 --> 00:13:59.919 invisible for four. 304 00:14:00.720 --> 00:14:02.600 That's a great way to put it, and they're doing 305 00:14:02.600 --> 00:14:05.000 it in a way that can scale. You can't scale 306 00:14:05.000 --> 00:14:07.759 a drawbridge, but you can scale an identity policy. 307 00:14:07.919 --> 00:14:09.519 I want to leave you with a final thought to 308 00:14:09.600 --> 00:14:12.559 chew one. We've talked about how the perimeter is gone 309 00:14:12.720 --> 00:14:16.559 and identity is the new firewall. But as we move forward, 310 00:14:16.639 --> 00:14:20.720 identity isn't just about people anymore. The identity of things exactly. 311 00:14:20.799 --> 00:14:26.159 We're integrating bots APIs billions of IoT devices. If your 312 00:14:26.279 --> 00:14:29.279 smart fridge or your factory robot has a more complex 313 00:14:29.440 --> 00:14:32.360 excess profile than you do, how does that change the 314 00:14:32.440 --> 00:14:35.200 architect's job. Are we ready to manage a directory where 315 00:14:35.279 --> 00:14:36.840 humans are actually the minority? 316 00:14:36.960 --> 00:14:41.000 That is a terrifying and fascinating question. Managing the identity 317 00:14:41.039 --> 00:14:43.519 of a toaster is definitely a topic for another deep dive. 318 00:14:43.639 --> 00:14:46.639 Indeed, it is. Thanks for listening, Stay secure up there.