Understand the risks facing your cloud & get recommendations to boost your cloud security posture.
logo

EN

Products +

Services +

Customers +

Partners +

Resources +

Using Warden IAM, Jumpcloud, BambooHR for Smooth Onboarding

The risk of account takeovers and credential compromise in the proliferation of human and machine identities today is clear as day. How much visbility is enough for security teams in order to properly manage these risks even as employees continuously onboard and offboard? Tune in to the conversation around access control security automation with Gill Langston, Senior Product Manager, MSP at JumpCloud.


Identity is the thing that ties everything together. Lose control of that, and on the one hand, you see IT help desks and security teams inundated by requests; on the other, you worry about getting hit by attacks from account takeovers. 

So what exactly is the balance? In Episode 8 of the Ask A CISO #podcast, Gill Langston, Senior Product Manager, MSP at JumpCloud talks about access control security automation and his take on why there are organizations on both sides of the spectrum of Identity and Access Management.

Transcript

Niko

Good morning, everyone. and actually it's good evening for Gill. Thanks for staying up late.

Gill

My pleasure.

Niko

I understand you are based in North Carolina. Our founder is from that area as well, and I've been there a few times. Nice barbecues. Do you have a special method to prepare barbecue?

Gill

Oh, that they do have special methods. Well, it depends. In North Carolina there's an argument there, the eastern side and the western side, and they're prepared differently and there's an which one is best. Is it vinegar based or is it more of the mustard and sauce based? Yeah, that is the whole thing. We could probably do an entire podcast about that as well.

Niko

Yeah, what I expected. Welcome, Gill, thanks for joining. So today we host Giil Langston of JumpCloud. And he's a security focused product management professional with background in marketing, sales, technical, collaboration. 

He has both hands-on experience as well as strategic knowledge - how to help companies to implement technologies company-wide, and ensure practical rollout, a very smooth rollout of these technologies. And in JumpCloud, particularly he is focusing on implementation of helping companies to implement centralized Identity and Access Management, security in a reliable way. 

And today, we will have, we'll try to have a practical conversation which can be helpful for CISOs to start approaching implementation of centralized Identity and Access Management, and also will dive into more specific conversations about use cases and getting advice from Gill (on) how to approach with implementations?

Well, we'll see where the conversation leads us to, we'll try to be more flexible. I'm your host, Niko, VP of Internal Security and IT at Horangi. Hello Gill.

Gill

it's great to see you, Niko. Thanks for having me. I really appreciate it. I'm excited to be here.

Niko

Thanks! Well, I'll like to start with a fundamental question: what is Identity Management and Access Management?

Gill

Yeah, that's I mean, that's a ... It seems like a simple question with a one-line answer, but, you know, obviously there's a lot of history behind that, but you know, if you really look at IT, in digital services in general, you know, identity is that main object that kind of is the building blocks to everything that we do, to what we access what we use, how we identify ourselves. 

You know how how we end up in groups, all the attributes that have to do with a user, kind of make up an identity. But, really, you know, I always like to talk about how  things have evolved over time, right? You know, now the focus is one hundred percent on Identity and Access Management. 

And we'll kind of get to that in a moment, but you know everything started with the old school four walls. You know, probably an active directory server. You know, and then you would set up your directory there with information about all your users. All those attributes, who 

their managers were. What groups they were in, the permissions assigned to those groups and then also machine accounts, right? It kind of stored all that information in one place, and it was protected inside the four walls behind firewalls. 

You had security installed and set up, and then over time, obviously you know, you started to get cloud resources. you started to get mobile users. You started to get a lot of different types of 

platforms, the Mac and Linux came into play. It became more and more difficult to kind of manage things the way you always had. Now, a lot of CISOs, IT professionals, you know, we're a little concerned about these cloud resources and these things coming up because they feel like they were losing control a little bit. So there was kind of this need to keep things as close as possible when it came to the identity, the core identity. 

But you know when you look at shadow IT and cloud resources, and all the things that started popping up that did not live in those four walls and weren't necessarily integrated, it became more and more important to have this one identity that could follow a user outside of those walls, wherever they went, whatever they were accessing. 

So and then we get to today where, you know, you really talk about and you see it all the time now. Identity is the new parameter, right? You see that written everywhere and it's really true because security used to be focused on the things that you used and the place that you used them in. 

But now people are everywhere. People are, you know, accessing from the cloud, going to apps that are in the cloud and Identity is really the thing that ties all those together, being able to control who has access to what, or even when, or how, right? All of those things. That is the core

 of Identity and Access Management - making sure that you can do that securely, that you have control over that. You can both provision it and deprovision it when needed very easily. 

And then also have conditional access rules and other things that are in place that kind of dictate that security model that you're following.

So worrying more about the identity is, I mean, you still have to have security. Obviously, devices need security on them. You need to monitor, you know, and log all of this information, but at the same time, you do need control in some kind of a centralized way and that's kind of where we are today is focusing more on the identity: what they're allowed to access, what they did access, and being able to control that, turning it on and off.

Niko

Yeah, totally agree, and I mean …  this is good. Everyone talks about this how, like, before we just had that data center and you connect with your laptop, and you connect with a wire. And now from a cloud  ... From the management plane, you can do anything with your physical data center, the global data center.

And I hear it everywhere. The highest threat to the current modern environment is account takeover, right, especially for this management plane. So what would your recommendation be to CISOs like how to reduce the risk for this highest threat?

Gill

Well, account takeovers are a big subject, right, in it of itself because, you know, if you think about all of the attack vectors that are used by bad actors today. It used to be that each attack, when you analyze an individual attack, you would look at the techniques, tactics, and procedures and say, Okay, this is what this type of attack does in this environment, so we need to protect against that thing. 

And then that was a cat and mouse game that the security providers played for a long time, and then in the past few years that really evolved and what it evolved into is you know, multiple stages, opportunistic type of attacks, right? 

So,  regardless of the vector, it came in through an email, you know, a smishing or SMS or something like that. The idea was we want to get credentials. For a long time. it was well, let's 

just get data on this machine. Then it turned into let's ransom this machine. Then it turned into well, wait a minute. Once I have access to a system via phishing email, or a drive-by download on a website, now I'm going to go try to enumerate all the credentials that I can find on a system, and I'm going to use that for my lateral attacks as I move either throughout a network or, more recently, throughout the cloud resources that I'm able to gain access to. 

And then you know, like you said, taking over that account, which it is a big … challenge. And it all goes back to two things: the right security mindset for the people who are implementing that security, right, the CISO, the IT security head and all of those, but also, unfortunately still, the users.

You know that is always a concern because we know that ... I always like to say humans are human beings and they do human-type things. They try to make their life easier. Most of the things they do when they try to make their life easier are kind of in direct opposition to security policies or their workarounds around the security policies. 

So you know with account takeover, with the identity being the thing that bad actors are after now, it's really important that you kind of implement a solution that it onlygives you control and visibility but improves the chances of happy adoption, I guess I would say, by your users so that they participate and they don't find ways around those things. 

I think both of those go hand in hand. And honestly, I've worked in environments where the IT and security didn't really take that into consideration. And I've seen projects get derailed by users saying this is too hard, I can't work. Which is ... That's a bad thing, right? You really don't want to be in that situation because it can derail a lot of hard work by the security team. So you know all of that together, are defenses against account takeover. 

And then, of course, as you were talking about authentication, single sign-on, kind of bringing that identity into one place, allowing you to have control over those. I'm sure we're going to talk a lot more about SSO and all of that, but you know, that is to me is the beginning because that puts the control in the hands of the people who are responsible for it.

Also gives them the visibility when they can see who's been logging in where, who's been using what resources. Those are both very important but it also makes it very easy for a user to adopt as long as you do the right things - make an easier second factor of authentication when you do want to force that second factor. Those are all things that are going to help you prevent account takeover. And you know, honestly being owned by a bad actor, right?

Niko

Yeah, totally agree. I think I really like how you put it into a very simple structure, like basically, for security professionals, have a security mindset and manage everything in one place, and for users, they are able to use it easily, so I think it's very important that security is not just like a blocker but like an enabler. So basically when you have identities all in one place, it's also easy for users like they access all the applications from one place. 

They also just log in once into main dashboard, which is very secure like with MFA. And MFA now is also very much more convenient like push app notifications where you don't need to come …

Gill

I remember I ... There are times that I remember having, I would say, maybe three different authenticor apps on my phone, right, with each one with …

Niko

It's funny, not funny.

Gill

just a list, right, I mean, it's funny, not funny. I agree, but you know and you have to name them something so you can remember which is which cause half of them have the same name for different apps and resources, and just the frustration. And sometimes if you've got a short timeout you don't make it, right? You have to go through this all over …

Niko

Yeah!

Gill

again, so that's a great example of what I'm talking about making it easier for the user. A push notification pops up and they go, yes, right? You have actually removed the majority of the objections that a user might have, or if you're doing something, like, using a hardware key or something as a second form of authentication. 

But it's something that's easy to use and easy to do versus kind of all the hoops that you make somebody jump through which make users' lives harder, and honestly would make a CISO's life harder, because who do you think has to hear all the complaints, right, from the department heads saying, my employees are not being efficient because they're too busy trying to comply with all the security policies and the pain involved in that?

Well, that's the CISO who has to hear that discussion, right?

Niko

I think, yeah, it's a nice conversation to start having already about specific implementations with MFA, right, and building a centralized identity. Maybe just for a short step back to summarize with a high-level view, right? Would you explain the Principle of Least Privilege which goes hand-in-hand with Identity Management?

Gill

Oh, it does, absolutely. And you know, least privilege is definitely something that should be kind of on the tip of the tongue of anybody who works in IT and security all the time, right? It's easy to give users of laptops admin privileges. I've seen that in plenty of companies because you don't want all the calls to the help desk about, you know, I can't install this software. I need to do this special thing. I'm special. Therefore, I need admin access, or whatever. 

But, really, it's a mindset and what that mindset is: what is the least amount of permission that I'm going to need on any set of resources, right? And that resources could be, you know, internal resources, external resources. It could even be that person on your team, that technician who's responsible for doing maintenance on the end users' machines. But either way, it's what's the least amount of privilege that I do need to properly do my job or perform a service for somebody? 

And then only elevate that privilege when it's absolutely necessary, and for, to be fair, as short a time as necessary, right? A great example of that I give is, you know, sometimes, we will have standard user accounts that somebody may use as an IT admin to log into a system to check it out, do basic maintenance. But if they need to install software or something, then you know, In a command prompt or whatever, then they're going to elevate. 

They're going to do the job and then they're done, right? So instead of leaving that admin level of credentials going for too long on that system. But, also it, you know, it goes to everything, right? You don't want to give everybody admin rights to any cloud app that you have out there. That just doesn't make sense. You're just asking for trouble. 

So it's always focusing on what is the least amount of access I need to provide somebody to do their job and then open it up where you need to, right? And that's why I say should be on the tip of the tongue because it should always be that thing that you're thinking about when you're implementing a new service, when you're implementing access to cloud apps when you're provisioning a new system for somebody. 

That in and of itself, as a practice, is going to reduce your exposure to any bad actors that you may come across. It's a lot harder for a bad actor to, you know, move laterally to gain their own increase in privileges if they can't really get out of the box that they've gotten on, right? So that user does click on something and they're not an admin, you've kind of reduced the footprint or even the reach that that bad actor could have if they did access a system.

Niko

Awesome, that's a nice summary like professor-style summary, but very understandable, thank you. And I think it brings us to this more practical question. Basically now like when we have identity management like centralized identity management and we manage permissions carefully right, like follow the Principle of Least Privilege.

So what would be your recommendation: how to implement it in a more user-friendly as well as secure way? Basically that we grant permissions to users, to identities in a way that is least privileged, but the same way like we still enable them to do their jobs, right? So how do we grant them additional permissions is more easily and when they ask?

Gill

Well, it can depend, right? I mean, you hear a lot about just-in-time requests, and privilege elevation, that kind of thing, but you know, honestly, the way I think about it, though, is that you know, if you want someone to perform an administrative action on a system that they're using, it might not be a bad idea for that to be a little guided. You know, it does depend on your situation and how many people you're supporting and what you're responsible for, but you know, honestly, you know, one of the reasons that attracted me to come work at JumpCloud was the way that they approach it. 

They have groups that you can assign people to, and then at the same time you can also have these admin groups, where essentially any system that they might log on to gives them admin when they use that particular login. So you know, it's not necessarily that just-in-time type of elevation, but it does separate the duties for the people who should be responsible for it.

I mean, there's a reason you're not giving somebody admin on their system. It's because they are in a specialized role in your organization, right, doing a job that they're supposed to do. But what's not in their title is IT admin, right? I'm not even sure ... you know, me personally, I think they should be focused on their role in executing that and you should have others who are executing those higher privileged type of actions, but, you know, that's my personal opinion on that. I'm sure there are a lot of CISOs and IT admins out there who say, I don't really have the time for all of that, but unfortunately, that's, you know, that is the security trade-off, right?

Niko

Yeah, it's a security trade-off, but it's also like an investment, right? It's very high ROI, and I really relate with you when you mention about groups, like it's very convenient. Eventually, it's like when you design groups properly, it's a very convenient, long-term, right, and very easy to give write permissions at spot right and then revoke them when they are not needed already. So we, basically you have everything in one place, all identities in one place. You're connected with this SSO to all different applications, also in one place, and then you have all groups in one place, and you can easily manage access and monitor it also like from one place.

Gill

Well, let's think about how it used to be, right? I mean you would onboard a user in some system, right, and then you'd have a ticket with IT and then they would go in and likely create that user and active directory, assign them to the right groups, which, as you know,  sometimes groups in Active Directory were extremely complex with nested permissions and all those things. They get that all set up. 

Great! Now they can log into a system, but you still have to give them access to email, and then you have to give them access to all the applications and I've been through some onboardings that were like that, that were like, Okay, send the email to IT and ask them for this. My manager will send an email to IT and asked for this and then, you know, so what? 

It's three, four days before you're fully onboarded and even have access to all the applications. And unfortunately, if there were you know, some cloud apps or non-integrated apps, you had multiple logins, right? So now I have to maintain all of these different logins which, you know, in and of itself to me is a security risk. 

Why? 

Because people are people and they do human things and they're going to write down those passwords. They're going to store them somewhere. They're going to reuse them in a bunch of places with an easy-to-remember one, right? Those are all risks. But that whole process took several days and it was pretty unsecure. Even though you thought you were being secure, keeping everything tight inside. 

Now, and with JumpCloud, that's you know, like what I was saying, that's why I joined. Because their approach is: Yes, you need a user identity, right, this entity called a user with all the attributes. You need to assign them to groups. You then can assign different SSO applications, right, with these prebuilt connectors, or you can create your own if there's not one. You know, once that is all set up, then you, essentially, you can either stage a user for starting on Monday, right?

Or go ahead and create that user. And once the user's created, they receive their instruction set. They have a portal they can log into, all the apps are already there ready for them to use. It's a much different onboarding experience when you bring that identity into one place.

And then, you know, in this case you could put an agent on the system, which means they actually log in with their JumpCloud ID right on the system that gives you the ability to then set up conditional policies based on what system they're using, right, where they're located, things like that. so that's great because you could say, you know what? If Gill is in my physical office, if he's come into the office today, then I'm not going to challenge him for a second factor because he's made it through all my physics physical security barriers. He's logged into a system. He's accessing resources. But then I can say well if Gill's not in the office, you know, I may not know who's in possession of that system. 

In a situation like that, I can say well, I'm going to challenge you with multifactor, that second factor of authentication with a push notification.

On top of that, too, you could say, well if he's on a JumpCloud managed device, I'm not going to challenge him, but if he's on his own laptop, where he's coming from somewhere else, I'm 

going to challenge him with that second factor or if he's coming from a place he shouldn't be, I'm not going to give him access at all, right? So it puts all of that control of the person, the system, the location, and all of those things in the admin's hands to decide what they're 

going to grant them once they do want to access those applications.

So when we talk about identity being the new perimeter, that's a perfect example. It's almost like you're building your own conditional access tunnels to the data that's needed without having to, you know, punch a bunch of holes back into your network and make everybody VPN in just to go right back out to the cloud.

So it makes a lot of sense when you, when you think about bringing all that together and kind of, being able to control, still grant the access, relax it where it makes sense, tighten it where it doesn't, and then monitor all of that by seeing who's been accessing what, right? That's like the perfect combination And that's when I saw that, I was like I want a joint JumpCloud, right? It makes a lot of sense.

Niko

I agree. Thank you very much for this practical explanation and very interesting insights. I think one particular point I would like to focus on is onboarding experience.

And this was a big pain point for ourselves as well, like with we're a digital native company with more than 100 different SaaS systems, and like we're also using like three major Cloud Service 

Providers, and create a lot of different accounts. So, like, accessing all these different systems and providing access to them is a big pain point, right, and now like when you have access and management from one place, right, you can just checkbox, right, provide access to specific groups and you give access automatically, or even at some point you even can auto-provision, and I saw just recently JumpCloud announced a partnership between BambooHR and JumpCloud. So maybe you can chip in here a bit about like your observation about the importance of onboarding and how IT and HR can cooperate?

Gill

Yeah, we talk ... I mentioned that earlier, you know we were talking about you can just create a user in JumpCloud. Well, the reality is that may not be where the journey starts for an onboarding. I mean, generally, you know one of the first steps when you want to onboard somebody, it's the HR department, right? You know, in the past it would be I have to send an email to somebody and then ask them to do it and include all this information in your email, 

which isn't really that secure, right?

But you know, and that takes time. And honestly, that's not what you really want your IT guys doing. You want them helping build your business and involved in other projects to help grow your business.

So in the case like this, it's so exciting because, with an HRIS system, that's the native spot where all of this data is created. So when you have a connector going in, you can create that, have that identity then follow right into JumpCloud, and then from JumpCloud, you put them in the right groups, and then they have all their apps provisioned.

You've taken that, what, five-day kind of ramp-up to getting somebody onboarded for their first day and turn it into just a few minutes or even pre-staged, right? If you know what department they're in, you have your group set up that way. All you have to do is put them in the right group and they've got the core access. They may request access for other apps later, but that's a lot easier process because you've removed all of the challenges, and remember, we talked about making it easier for a user.

Which experience would you rather have, right, when you start with a company? What's gonna increase your satisfaction with an onboarding process is when it's that straightforward. Hey, 

yeah, you know, I had a laptop shipped to me and got an email that told me where to log in. I could actually install the agent from there. Look at me, I'm logging in with my, you know, with my domain credentials. My, you know, corporate credentials in just a few minutes and I have access to what I need, so now I can focus on learning my job. 

So yeah, it's absolutely huge. You know, we're really excited about it, so thanks for asking.

Niko

Definitely, I mean, it's definitely very important to have this first impression right, like the same as you meet people and first impression is the most crucial. You just judge by for 10 seconds, right, the same as for company, like when new employees come and have a very smooth onboarding 

experience, they stay for long. 

Gill

I have had some pretty terrible onboarding experiences where everything was a challenge. I felt like I was begging for access for all the things I needed to do my job I hadn't even, you know, started doing yet. But I can tell you that with SSO, with that, you know, ability to put me in a group, like, okay, he's in the product group, here's the things that he's gonna need...

You know ... Obviously, since the pandemic, work has changed a lot, depending on what region you're in, obviously, but everyone was at home for a long time, kind of trying to figure out how to make that work. And then, as you come out the other side of this, all indications are hybrid is the new thing, right?

You see companies saying, oh we're gonna let people work remote if they want, if they are productive, it's fine. Some people want to come into the office, you can come into the office. It becomes really important to be able to have ... 

You can't have an IT guy over your shoulder walking you through setup. You know, you have an email quick setup instructions. Welcome, right? And sort of the things that's cool: we just rolled out the ability to send that welcome email to that secondary address.

So, you know, to your personal address, right? So, here you go, here's your welcome email. Now let's get you set up. Now you will have access to your corporate email, right?

So,it was really a nice experience. I was up and running in just a few minutes and communicating with my new colleagues and saying hey, thanks for the welcome on Slack. It was great!

Niko

Yeah, that's definitely very important, thanks. I think we have maybe around 10 more minutes and we already start talking about specifics, So maybe you can share a few use cases, like case studies or like from your experience you face, so ...

 

I think there are different types of companies, right, and some companies, like, are very heavily invested into Active Directory. But, like, a lot of companies, like, younger companies, right, say, have ... they start with, like, getting a lot of tools, right, to do their job. Like for HR, for CRM, for emails, and Google, and their cloud storage is Google workspace, right? And they create identities on all different places, and, like, create users separately. 

So what would be your suggestion, like how to start, like, deploying identity, maybe like, or any other use case or like experience you have, you faced, like how companies deploy identity management?

Gill

Sure, so you're telling a story that we hear all the time, right?

I mean that what you just talked about. It's the born-in-the-cloud, kind of a startup mentality. You have the ones who are deeply ingrained in the Microsoft stack, if you will. And that's what they like and that's what they use. I get that and they, you know, control a lot of those things. They deal with some of the inbound access that they have to do painfully, but they do it. But a lot of 

companies now are starting up and saying, you know everything ... We don't want to invest in a ton of hardware and technology and, you know, heavy things. We want to start working. 

So as you said, they get, you know, G-apps, or whatever, you know, a cloud email service or they might use O 365, right? With the Azure AD backing that. But then, you know, they're going to set up a few other cloud apps. They're going to use Slack. They're, you know, the things they need to do their job if you line up business applications depending on their department and all of that. So It's a very quick adoption to kind of be up and running. And, but as you mentioned, you end up with sprawl, right? 

You end up with credential sprawl and all these different logins and things, and it becomes very difficult to kind of control access and start to get a better picture of what's going on in your environment and your organization. And that's where SSO kind of becomes the glue that lets you put all of that together, right? 

You bring it all in. You get a primary identity. You synchronize what you can with that as far as the attributes. You set up an SSO, you know, with the SAML connections so that you can kind of assert some of that identity to those service providers you're connecting to, and then in that way, you can, either, you know, it depends on the app. A lot of service providers do it differently when you set up your SSO, right? But at the end of the day, you know, as long as you can get them access to that app. 

It might be just-in-time provisioning where the first time they log in that user's created. That you know, there are some that use SCIM now, which actually, you know, allow you to pre-create that user and then pass a lot of those attributes of, kind of more, two-way type of working, so that when you suspend the user, it's suspended and deleted and all of that. You get more control, right? 

But either way, regardless, the ideas that you bring all of that stuff together that you use to get yourself working, and then you get moving. 

Now I, in my experience, too, there are a lot of organizations that are in that situation where they're kind of already in Microsoft, and they say well, you know, I'm gonna come to JumpCloud for their LDAP authentication for certain devices, or either older devices or NAS, or something like that, or they like the RADIUS server service that we used to allow them to authenticate with their corporate creds into the Wi-Fi right, and then they realize the kind of efficiencies they can gain by bringing more and more of those things into JumpCloud so that they have that one place where they focus on identity of devices, identity of people, applications, control of the data, and then they end up moving into those. And I think, to your point, one of the ... we work with a lot of managed service providers as well, who are offering these services to their customers. And one of them made a comment that kind of stuck with me. Like, in this day and age, I do not want to have to tie any of my customers' users to a physical location.

And that's a strong statement. I mean he said like it was a mission statement, right, and the idea is that that is kind of the world we live in now. And he actually started with RADIUS, right? That was what he started with. But then he of expanded from there. And speaking of, I know that we did ... 

You were actually an early adopter of JumpCloud and I think we did a case study with you and I 

actually would like to hear your story a little bit about what interested you in Jumploud and how and how that expanded kind of into your identity side?

Niko

Of course, yeah, with pleasure. And the story is very similar to what you just mentioned. So we first like had a need to manage our OpenVPN server like which we deployed ourselves like in an instance in AWS. And we were looking for a solution like which does LDAP management easily in the cloud. So yeah, as you mentioned, very early adopters at the time. Like four or five years ago there were not many solutions. 

So we were comparing a few, but others were very difficult to use or quite pricey. And, you know, we started with JumpCloud and then it naturally also ... features in JumpCloud naturally allowed our engineering to use it to manage access to multiple accounts in AWS. So we like had good security practice like having different accounts for sandbox, for transaction, for testing. So, and that time AWS didn't have their own single sign-on solution so we used JumpCloud to manage it, and also like, because we were dogfooding our own product. And so we wanted everyone in the company to have access to our VPN, so we basically onboarded everyone on JumpCloud to have access to VPN

And eventually, like we just noticed that, Yeah, like it's getting very easy to manage everything in one place, and we connected our Google workspace with JumpCloud, like and synch everything from Google workspace to JumpCloud and eventually we established our onboarding process where now vice versa like we create a user in a JumpCloud, it automatic early provisions to Google workspace, and then we just check box all different groups and it has access to all 

different systems. 

And I think like what I like about JumpCloud is continuous, like, growth, development like it's grew along with our demand, like our requirements. So JumpCloud had an integration with BambooHR, right, and we are also users of BambooHR, so this is where we also connected it earlier and now they are basically … 

As he just described earlier like users are created in BambooHR by HR. This is where the process starts and then it automatically created in JumpCloud and then IT just like check all checkboxes to create, to connect to groups, and the user has access to everything.

Gill

It's fantastic and as you mentioned it, it fascinated me as well. You know, when I interviewed with JumpCloud, I asked a lot of questions about that. I wanted to understand this and when you see the whole picture yeah, it's absolutely fantastic. I feel like the founders ... The idea that they had the thought that they had ahead of time was here's where things are going, and this is what we want to support.

So it absolutely is. It's very fulfilling to know that I work for a company, that is, is that focused on helping organizations secure identity, report on that identity, and make life easier for the IT admins, and the users. It's very rare that you find all of those things in one solution.

Niko

True. It's very interesting conversation, Gill. Yeah, thank you very much, really insightful. I think different peoples, like CISOs or practitioners, can find a lot of interesting insights here. I think unfortunately we are running out of time a bit, but I know that there is an upcoming webinar between experts from JumpCloud and Horangi, I think, at the end of the month, so would you like to provide some sneak peek into this webinar?

Gill

Yeah, so as you mentioned, it's going to, I think Tyler from JumpCloud, super smart guy, is going to be joining a panel talking about least privilege, and a little bit about the LDAP authentication. How you can leverage that for legacy apps or other on-prem apps as well. I think that's kind of what he's going to be focused on, but it's always a good conversation and I make sure I go to 

every one of these webcasts that I can get my hands on, because I learn a lot from a lot of smart people, so I'll be in the audience on that one as well.

Niko

Nice. Yeah, very exciting. Yeah, and I think like JumpCloud and our product Warden goes very well, like hand-in-hand, like very good synergy. So like I use it myself, like for our compliance. Like when we, and also like practical security needs like when we do access reviews quarterly, like, I start with JumpCloud, like I review members in groups in JumpCloud, and then I drill down and go into AWS IAM, right, into a more detailed review of permissions in our Warden IAM. 

I know that they will be sharing more of these insights, and uh, practical information in the webinar, so definitely, I'm also joining it too as an audience or maybe like, will help with some questions. Yeah, very excited about this webinar. 

Anything else, Gill, you would like to add at the end?

Gill

No, I just, other than, uh, thank you very much for having me. I really appreciate the ... spending some time in and talking about a subject that we all find near and dear, and I look forward to speaking to you again.

Niko

Yeah, likewise, thank you very much, a very interesting conversation, and thank you for staying up late.

Gill

It's my pleasure. I'd do it again anytime.

Niko

Thank you.

Nikolay Akatyev

As the Vice President of Internal Security & IT, Nikolay drives the internal machine that powers Horangi's efforts in contributing to a safer cyberspace. He is a regular speaker and contributor in the international cybersecurity community, from Asia to the Carribean.

Subscribe to the Horangi Newsletter.

Be the first to hear about Horangi's upcoming webinars and events, up-and-coming cyber threats, new solutions, and the future of cybersecurity from our tech experts.