informa
/
Operations
News

Inside Strata's Plans to Solve the Cloud Identity Puzzle

Strata Identity was founded to change businesses' approach to identity management as multicloud environments become the norm.

Multicloud is the new normal for many organizations — and it's growing fast. But while this approach brings several benefits, it also creates some hefty obstacles: Identity infrastructure often becomes siloed as a result, and applications are locked in by legacy identity management.

Related Content:

Google Invests in Linux Kernel Developers to Focus on Security

Special Report: 2020 State of Cybersecurity Operations and Incident Response

New From The Edge: Security + Fraud Protection: Your One-Two Punch Against Cyberattacks

It's a problem that Strata Identity was founded to solve. The startup wants to help businesses bring together identity and access management (IAM) systems so handling identities is simpler for administrators and users across both cloud and on-premises systems.

Founder and CEO Eric Olden was running Oracle's security and identity division when he picked up on the pattern of large enterprise customers moving to multicloud environments. Many were asking for tools that were fundamentally different from what the market offered then. 

"They wanted a way to make multiple things work together that were never designed to work together," he recalls. Oracle wasn't interested in solving the multicloud problem, Olden says, but he began to see an opportunity in the market as more organizations adopted more clouds. 

His decision to leave Oracle and found Strata was also driven by an idea that led to the creation of the Security Assertion Markup Language (SAML), which he co-authored while CTO of Securant in 2000 (Olden later joined Oracle in 2017). SAML is a framework to enable trust between distributed companies; before it was written, there was a notion that identity is only relevant inside a company and doesn't need to be considered outside it, he says.

"As I think about where this has landed, it's really in the world of distributed systems," Olden explains, adding that "five years from now, it'll be completely obvious that the only way to make all these things work is to embrace the distributed notion and stop fighting it with "put it all in one box. Those times are past."

Today's organizations often have various clouds from Amazon, Microsoft, Google, or other companies, along with software-as-a-service applications. Many use a service like Okta to handle sign-in. Each of these systems is treated as a silo, Olden says, because they have built-in identity systems that come with the cloud. IT and security managers have no choice but to build policies and run things on Azure, then separately build policies and run it on Okta, and so on.

"That's really inefficient, and it leads to a lot of security holes," he continues. "If you can't see the forest [for] the trees, then you know you've got a problem because for each one of these things, the attackers can break into one and then move laterally. … You don't see that there's an exposure because it's too complex."

A Big Problem for Big Businesses
Rather than change the way the world is, Strata's technology was designed to work with it. The company created a notion of a "distributed identity fabric" that uses the orchestration pattern. Its Maverics platform connects to identity systems, migrates users and credentials, copies and syncs policies and configurations, then abstracts authentication and session management.

None of this is visible to the user, Olden notes. If someone is logging in to Azure Active Directory as they normally do, it looks identical. When a business uses orchestration for something like migration, he says, it's important that it's not disruptive. Changing the login screen or requiring users to do something like change their passwords could cause additional problems. Strata's approach lets companies migrate to a new system without "a big bang" and associated risk.

For administrators, Strata prioritized defining declarative policies that are human readable, which Olden says is key in DevSecOps. The Maverics platform gives admins APIs to do everything programmatically and store it in GitHub or Bitbucket, which lets them incorporate it with CI/CD pipelines. 

"For an admin, we're bringing identity into the modern DevSecOps world with these declarative policies, and the way that we manage and store those policies," he explains. "It may seem like a small point, but this is a huge thing if you're trying to figure out what is going on" or how something is configured." 

Olden co-founded Strata along with Topher Marie, CTO, and Eric Leach, chief product officer, with the mentality of solving problems from the perspective of large, complex environments. The three have similar background in working for large organizations, which made this a natural approach, but the mentality also helps create a platform that works for a range of businesses. 

"If we can solve it for the biggest banks, then we can make it work for smaller organizations with less complex environments," he adds. After all, distributed identity is a problem small and midsize businesses also face.

What's Up Next
With its latest round of funding secured, Strata is focused on growing its team.

"Now that we've raised that capital, already in the last 90 days we've doubled the size of the engineering team — more than doubled it, almost tripled it," Olden says. Overall, the company's head count has doubled, with the most investment into engineering. 

Strata's seed funding went toward building out its base platform. With the Series A and a larger team, it can begin to build more functionality into its products and provide new capabilities its customers are asking for. One of these is related to discovery, and learning what software the business has, where it runs, and how it integrates into their identity management. When a company reaches a certain scale and apps are distributed, there's no single place to look.

"If we can be that single pane of glass that allows all of this to work together, then populating that in an automated way is going to be really important," Olden says.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5