
2/25/2021
05:20 PM

Inside Strata's Plans to Solve the Cloud Identity Puzzle

Strata Identity was founded to change businesses' approach to identity management as multicloud environments become the norm.

Multicloud is the new normal for many organizations — and it's growing fast. But while this approach brings several benefits, it also creates some hefty obstacles: Identity infrastructure often becomes siloed as a result, and applications are locked in by legacy identity management.

It's a problem that Strata Identity was founded to solve. The startup wants to help businesses bring together identity and access management (IAM) systems so handling identities is simpler for administrators and users across both cloud and on-premises systems.

Founder and CEO Eric Olden was running Oracle's security and identity division when he picked up on the pattern of large enterprise customers moving to multicloud environments. Many were asking for tools that were fundamentally different from what the market offered then. 

"They wanted a way to make multiple things work together that were never designed to work together," he recalls. Oracle wasn't interested in solving the multicloud problem, Olden says, but he began to see an opportunity in the market as more organizations adopted more clouds. 

His decision to leave Oracle and found Strata was also driven by an idea that led to the creation of the Security Assertion Markup Language (SAML), which he co-authored while CTO of Securant in 2000 (Olden later joined Oracle in 2017). SAML is a framework to enable trust between distributed companies; before it was written, there was a notion that identity is only relevant inside a company and doesn't need to be considered outside it, he says.

"As I think about where this has landed, it's really in the world of distributed systems," Olden explains, adding that "five years from now, it'll be completely obvious that the only way to make all these things work is to embrace the distributed notion and stop fighting it with 'put it all in one box.' Those times are past."

Today's organizations often have various clouds from Amazon, Microsoft, Google, or other companies, along with software-as-a-service applications. Many use a service like Okta to handle sign-in. Each of these systems is treated as a silo, Olden says, because they have built-in identity systems that come with the cloud. IT and security managers have no choice but to build policies and run things on Azure, then separately build policies and run it on Okta, and so on.

"That's really inefficient, and it leads to a lot of security holes," he continues. "If you can't see the forest [for] the trees, then you know you've got a problem because for each one of these things, the attackers can break into one and then move laterally. … You don't see that there's an exposure because it's too complex."

A Big Problem for Big Businesses
Rather than change the way the world is, Strata's technology was designed to work with it. The company created a notion of a "distributed identity fabric" that uses the orchestration pattern. Its Maverics platform connects to identity systems, migrates users and credentials, copies and syncs policies and configurations, then abstracts authentication and session management.

None of this is visible to the user, Olden notes. If someone is logging in to Azure Active Directory as they normally do, it looks identical. When a business uses orchestration for something like migration, he says, it's important that it's not disruptive. Changing the login screen or requiring users to do something like change their passwords could cause additional problems. Strata's approach lets companies migrate to a new system without "a big bang" and associated risk.

For administrators, Strata prioritized defining declarative policies that are human readable, which Olden says is key in DevSecOps. The Maverics platform gives admins APIs to do everything programmatically and store it in GitHub or Bitbucket, which lets them incorporate it with CI/CD pipelines. 

"For an admin, we're bringing identity into the modern DevSecOps world with these declarative policies, and the way that we manage and store those policies," he explains. "It may seem like a small point, but this is a huge thing if you're trying to figure out what is going on" or how something is configured.

Olden co-founded Strata along with Topher Marie, CTO, and Eric Leach, chief product officer, with the mentality of solving problems from the perspective of large, complex environments. The three have similar backgrounds working for large organizations, which made this a natural approach, but the mentality also helps create a platform that works for a range of businesses.

"If we can solve it for the biggest banks, then we can make it work for smaller organizations with less complex environments," he adds. After all, distributed identity is a problem small and midsize businesses also face.

What's Up Next
With its latest round of funding secured, Strata is focused on growing its team.

"Now that we've raised that capital, already in the last 90 days we've doubled the size of the engineering team — more than doubled it, almost tripled it," Olden says. Overall, the company's head count has doubled, with the most investment into engineering. 

Strata's seed funding went toward building out its base platform. With the Series A and a larger team, it can begin to build more functionality into its products and provide new capabilities its customers are asking for. One of these is related to discovery, and learning what software the business has, where it runs, and how it integrates into their identity management. When a company reaches a certain scale and apps are distributed, there's no single place to look.

"If we can be that single pane of glass that allows all of this to work together, then populating that in an automated way is going to be really important," Olden says.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
 
