Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Narrator (00:02): You're listening to the Humans of DevOps podcast, a podcast focused on advancing the humans of DevOps through skills, knowledge, ideas, and learning, or the SKIL framework.
Topher Marie (00:17): Consumers are trying to get away from those legacy products as they move into cloud infrastructure. How do we make it so you don't have to rewrite an application that was targeted to one of those legacy products? That's something that we do.
Eveline Oehrlich (00:33): Welcome to the Humans of DevOps podcast. I'm Eveline Oehrlich, Chief Research Officer at DevOps Institute. Our episode title today is "Identity Orchestration Titbits," and I have a very special guest. I'll tell you in a minute why that guest is very special to me. Today we have with us Topher Marie, who is CTO and co-founder of Strata. I'm saying that a little bit with an Italian accent for no reason, just because I like the word, but let me tell you a little bit about Topher. So Topher is the CTO and co-founder of Strata Identity, focusing on introducing identity orchestration to the security ecosystem. Before Strata Identity, Topher was the CTO and co-founder of JumpCloud. In the past, he has also been an architect for Oracle's global cloud identity and security portfolio, and a product owner for Auth0. He was Symplified's lead architect and got his start in identity at Ping back in the early days. As part of his role, Topher travels extensively, developing a deep appreciation for local cultures, food, and languages. Welcome to our podcast, Topher.
Topher Marie (01:50): Thanks, Eveline. It's great to be here. Thank you so much for having me.
Eveline Oehrlich (01:54): It's great to have you with us. And again, thank you so much for your time. I'm sure, as you're in your role, you have lots of other things to do, so that's why I'm very appreciative of your time. Now, before we get into details, of course, I was checking you out with a variety of things in your background, and I saw that you went to the School of Mines, and that there are lots of references to Colorado. Am I correct to assume that you have some roots in Colorado with Strata Identity?
Topher Marie (02:28): Indeed, I'm born and raised here. I have been in Colorado most of my life. And yes, School of Mines. I was an undergraduate there, and I was actually an adjunct professor there for a while too.
Eveline Oehrlich (02:40): Wow, fantastic. Life sometimes is just a coincidence. But I think we, I would say, maybe are a match made in heaven to some extent, because I lived in Colorado, in Fort Collins, for 32 years. I had my daughter there. And now, long, long gone: I moved back to Europe in 2018. And I miss Colorado very, very, very much. So talking to you today gives me a little bit of homesickness. So please greet Colorado for me. I will actually be there soon, so maybe we can meet and have a cup of coffee together somewhere in the area. Anyway, I'd love... Yes, that would be fun. I really would love that too. Excellent. So we're not here to talk about Colorado, even so, if you have not visited Colorado, you have to. We are here to talk about identity orchestration, which is most likely a topic which not every one of our listeners might be familiar with. So, Topher, what is identity orchestration? And, for a second question, why is this so important?
Topher Marie (03:46): Yeah, so I don't blame people for not being familiar with the term, but it's something that we've really been championing. It's kind of a new space in identity. Over the last four years, we've really been pushing it, and it's really starting to take off here. So what is identity orchestration, and why is it important? So to me, identity orchestration is kind of an abstraction layer on top of the existing identity... or, I'm going to start that again. Sorry, but let me go back to the beginning on, like, what is identity orchestration? So to me, identity orchestration is really an abstraction layer on top of the other identity components that a company may already have. So there's three parts to this. The first would be what I call distributed identity. Almost all organizations already have their identity in multiple, multiple places. Smaller ones might have various silos, like in SaaS products: they might have an HR system, they have their email in Gmail, they have issue tracking. And larger organizations might have this fragmented across different departments, different business units. One business unit might be focused on Okta, another one might be focused on using, let's say, Azure as their identity system of record. And that's quite common. Another reason that this identity fragmentation happens is just because of mergers and acquisitions: as a company grows, it might acquire another company, and that company might have had a different focus on their identity, where their directory of identity was, and so mixing and matching those things becomes difficult. And one approach that our industry has taken over the last, I don't know, two decades or whatever is one identity to rule them all, or a virtual directory, or something of that sort, where you're moving all of the identities into one place. And it's time to admit that that really just does not work. This mixing and matching of where my identities are stored has just, if anything, proliferated, and gotten worse and worse over the last few years rather than mitigated by trying to have this one identity to rule them all. So that's the first part of what identity orchestration addresses: the distributed identity systems. The second one is there's a variety of tools and implementations. Various vendors, various producers of identity products have, first off, like, their directories, like I was just talking about: you might have some identities in Azure, or you might have other identities in Ping Identity. And also, on top of that, you might have different MFA providers. For a long time we were using RSA tokens as a completely separate second factor that people could use in order to secure their systems. We also have different authorization engines now, RBAC versus ABAC. We have identity proofing, we have governance, so we have a large variety of different identity tools that we need to make work together. And the third component, I would say, of identity orchestration is the customized user journeys, where, if we were to rely just on one identity provider, that might not be the right way for us to log our users in, that might not be what we want to do. We might want to have a different mix of these tools and implementations; we might want to have a different mix of even where the identities are stored in the first place. So the customized user journey allows us to say, hey, despite where their identity might be stored, I want them to have the same user login screen. And then I might want to decide which different MFA provider they use based on what they are trying to get into. And I might want to use identity proofing for some users and not for other users. So to me, identity orchestration is all about those three things: distributed identity, the variety of tools and implementations that we can make work together, and the customized user journey.
Eveline Oehrlich (08:14): Wow, lots of... I can already kind of guess why this is important, why identity orchestration is important, because I've been in IT long enough to realize some of the benefits, but I'd love to hear it. From your perspective, why is identity orchestration really important?
Topher Marie (08:35): Yeah, so identity orchestration is very important because companies are moving to the cloud, or multiple clouds, and I will pause there and say that most companies don't just have one cloud. Most companies have different departments that are working in different clouds, or even different products that they have to work with where the compute for those products is residing in different clouds. And as this just grows more and more, it becomes a huge concern about, alright, so what am I going to try to do here? Is AWS going to be the center of my identity? Is Azure going to be the center of my identity? Am I doing LDAP on premises? How do I make all of this work together? So as we become more of a multi-cloud industry, it's very important that we have some way of making all of these identity systems work together, and also all of our identity targets, should I say, all of the applications that are consuming identity. How do we make it so, hey, this person logged in from AWS, but the actual application is residing in Azure or on premises? How do I make that identity palatable to the target application? And how do I avoid rewriting that application if I've got an old application that was using a legacy identity system, such as one that we very commonly see, CA SiteMinder? We see a lot of Oracle products as well. Consumers are trying to get away from those legacy products as they move into cloud infrastructure. How do we make it so you don't have to rewrite an application that was targeted to one of those legacy products? That's something that we do and something that really, really resonates with our customers. Beautiful.
Eveline Oehrlich (10:24): So I heard you: improved collaboration, of course, right, reuse, and with it, of course, saving time and hassle for all of those who actually have to work together and manage all of those different identities. Absolutely intriguing. Certainly an area which our listeners are extremely interested in. Fantastic, super. Now, I was doing additional research; you know, analysts like myself, which I am by nature, by heart, have always been always curious. And your company was co-founded by Eric Olden, Eric Leach and yourself, and researching your company a little bit, I found it very interesting that even before you all figured out exactly how Strata would work or how it would get funded, you laid out core values. And this really tickled me, and I love them. So the core values of openness, honesty, integrity, transparency, accountability, and empowerment. This really is very near and dear to me, because I worked for Hewlett Packard when it was Hewlett Packard many moons ago. And these types of things were very much written in, like, an HP way. So that's why I love this so much. Additionally, in '22, you guys got voted by Inc. Magazine, and are listed as Best Workplaces, and the extract from a press release said: Best Workplaces 2022, 475 employers. These companies, out of 475 employers, have cracked the code for excellent company culture. Now my question: give us some examples on how this plays out in your day-to-day work within Strata. What do you guys do? How do you make this openness, honesty, all of those wonderful core values, how do you practice them?
Topher Marie (12:23): Yeah, it's... thank you for acknowledging that. It was very deliberate for us to come in, figure out what kind of company we wanted to work for, what kind of culture we wanted to inculcate. So this was very edifying, to be recognized a few years ago by the industry as a great place to work. So in our day-to-day lives, well, first off, we have a couple of ceremonies which are more weekly, but we have a Maverics Monday, we call it, where the first thing that happens is we come in and we just discuss, this is what's going on this week across the entire company, and here's what every individual is looking forward to and what they're going to be doing that week. Really promotes the openness, really promotes that communication. Many times I've been on those calls, Zoom meetings; I've been on that Zoom meeting and realized, hey, that's something that we've already done, like, six weeks ago, let me help you out there, or, oh, this person might be struggling with this, and been able to offer help. That openness, that communication is very core to us. Another thing that we do is what we call Aloha Friday. So we have the Maverics Monday that kicks off the week, and then on Friday we all get together. Again, we're a completely distributed company, so most of us are just joining over Zoom, a few in offices here and there. But over Zoom, we get together and we just talk about the week: hey, here's what's happened, and here's what I'm thankful for, here are things that I'm very appreciative of, let me call out this person, let me call out this team, let me discuss, this is what happened and look at how they really gave their all in order to turn something around very quickly, or the great communication that happened, or here's the event that our marketing department put on, and look at all the pictures of our happy attendees. Those kinds of things are very rewarding, just to be able to have that communication. You know, as companies become more and more distributed, as we have more work from home, it becomes really easy to be isolated. So it's important to us that we have this open communication and we have this ability to call each other out for, hey, these are great things that people have done. Let's have these conversations. Let's feel like a team and work together on things.
Narrator (14:53): Do you want to advance your career and organization? We can help you do that. DevOps Institute offers a wide range of educational experiences for you to begin your upskilling journey. Whether you're looking for a defined path to certification, exploring the latest in DevOps, or connecting with the larger community, we can help you develop the specialized skills needed for the future of IT. And it won't just be good for your career. It will also make you indispensable at work. With our lineup of industry-recognized DevOps certifications, digital learning opportunities, and engaging events, you can connect with our network of experts and expand your potential today. Visit DevOpsInstitute.com and join our community now.
Eveline Oehrlich (15:39): I love those. I think I'm going to... I don't want to use the word copy. I think I'll use the word leverage. I'm going to leverage this into a new team I'm forming. I love the Maverics Monday; I might call it something else to be more... that's not so American, right? And then Aloha Friday. Everybody knows Aloha. Even we here in Europe, of course, know Aloha. So I didn't have those. That's fantastic. Thank you for sharing that.
Topher Marie (16:10): It just occurred to me that when I said Maverics Monday, it might not... I realized that Maverics is the name of our main product, and that's why we've chosen that particular alliteration there for Maverics Monday. Ah, and not just because we are also Maverics: the product Maverics was actually named after a particular wave in California that is important, is powerful, is great for a lot of different surfers. And the three co-founders, we actually built the company, or decided on these core values that we were just talking about, as we were on a surfing trip in Puerto Rico. So surfing is kind of, I wouldn't say a core value, but something that resonates with a lot of us. Oh, great.
Eveline Oehrlich (16:58): Excellent, excellent. You have to come to Nazaré down in Portugal, in April or in January, to watch the Mavericks there. That's a fantastic place. Excellent. All right. Let's go back to Strata. So, in your words, why is what Strata does unique when we think about identity orchestration?
Topher Marie (17:21): Yeah, great question. So recently, at the Gartner conference here in 2023, a keynote said vendors are going to have to handle orchestration, or they will be orchestrated. So to me, I see, from a consumer point of view, great value in decoupling the orchestration from a particular vendor. Every company, again, probably has multiple vendors that they're working with. If you're a nontrivially sized organization, you've got multiple IdPs, whether you like it or not, and orchestration can be seen as an abstraction layer on top of that identity. So it prevents some of the lock-in and gives you leverage in the future when you think about changing vendors or you think about changing approaches. The problem that I see with every vendor becoming their own identity orchestration system, which we are seeing, that every vendor is pushing into that area, is that they become their own little sinkhole; they become their own little center of gravity. And so it's no better to say, okay, I have to escape from the orchestration of one vendor in order to be able to leverage the capabilities of another vendor; you're still getting into the center of gravity. So as a, I'll say, neutral vendor of orchestration, that allows us to help you to not be so bound to, so coupled to, any one particular vendor. It also allows us to do a lot more customizability, in that we don't have a preferred way of doing, let's say, MFA. If you are tied to a particular vendor, and they just want to push you into their own MFA system all of the time, I mean, of course that's what they're incentivized to do; the more that they can lock you into their particular product, the better it is for them. But it's not good for the consumers to be locked into any particular product. They'd rather choose the best of breed for anything, and with identity, which is my main concern, that's obviously true. Let's let them choose the identity directory that they need for any particular application or for any particular user journey. Let's then let them layer on top of that the MFA. Let's then let them layer on top of that the governance system, or creating new customers, sorry, new users, in these directory systems. So our best-of-breed approach and our neutral approach to how identity systems work is really different than any one particular identity vendor trying to get into orchestration.
Eveline Oehrlich (20:09): Right. So best of breed, and then the Switzerland, right, as you said, the neutral. We sometimes use that in Europe to describe neutrality, which everybody understands. Super. Now, as we know, there are many organizations which are working on moving off outdated cloud identity providers to more secure and flexible cloud identity systems like Okta, you mentioned a few already, Microsoft Azure, AWS and more. And you guys recently announced no-code software recipes for application modernization. I love the word recipes. I might have called them blue books, or... blue books or Blue Book, sorry, playbooks. Blue books: I just tried to sell my daughter's car, so that's why I'm in love with Blue Books. But playbooks for application modernization, but you call them recipes. Tell us, what do these recipes do?
Topher Marie (21:03): Yeah, there are some common use cases that we see as we talk to consumers, as we talk to prospects, as we talk to our customers, that they have the same problem across the entire industry. A lot of people are trying to move off of some of these legacy systems and into more modern identity architectures, but they don't want to rewrite their original application that was tied to the legacy system. So for instance, one of our blueprints... wow, now you've got me doing it. Sorry, one of our recipes is, hey, here's a no-code approach. All you have to do is drop this in, and we can move you off of the legacy application, sorry, the legacy infrastructure, such as SiteMinder or Oracle. We can move you off of that very simply, and now you're working against a modern identity system such as Azure or Okta. We've got other ones. For instance, one common scenario that we see is, instead of moving... so one common scenario is, hey, I'm moving from one identity architecture, one identity framework, to another identity framework, or I'm trying to move the center of gravity, or here's this one that has just jacked up the price by five times, eight times, and so I need to move my users out of there. But I don't want to do the big-bang cutover from one to the other. I don't want users to come in one Monday morning and suddenly their user experience is completely different. So that goes kind of to our user journeys story, where we can have the customized user journey that looks the same as before. But another component of this particular recipe is we can move the users from one identity system to the other identity system without them knowing about that. So they're still logging into the first identity system, they're still passing in their username and password to, let's say, a SiteMinder-based application; we will go and create the user at runtime in Okta, or in Ping Identity, wherever the target destination is, without them knowing that anything has happened there. This is also a perfect time for us to layer on a second factor. If the legacy identity system didn't have second factors, we know who that user is, because they just logged in to the legacy system, where we have a good handle on their session at that time. Let's now prompt them and move them through the process of adding a second factor. But again, this is an incremental thing, just as users are logging in. And you don't even have to do all users at once. You can do individual... you can do 10% of your users one week, 20% next week, you know, move over to the system gradually. So it's not a nightmare big-bang cutover where your entire infrastructure team, all of the DevOps people, are there all weekend and crossing their fingers on Monday morning that something disastrous doesn't happen and you haven't locked out 10,000 users. That's a nightmare scenario. With us, yeah, you just layer on this, again, abstraction layer, and we have recipes that help with this transference of your center of gravity for your identity systems from one to the other.
Eveline Oehrlich (24:19): That already answers one of the questions: what would you advise our listeners to do right away? It's really, take a look at these recipes. I think this is a great idea. Now, I want to look a little bit into the future before we end this, because I want to look into your crystal ball. From our research, we know there's a skill shortage in IT, right? We also know from Gartner and Forrester, my old colleagues there, there's not too much additional money in terms of budgets in '23 for IT, so it's really all about how do we upskill, reskill and save cost to get all of this done, right? So what would you say if I asked you for predictions around identity orchestration? '23, oh my goodness, is almost half over, but we still have a few months left. But for '23 and maybe beyond, when you look in your crystal ball, predictions around identity orchestration from you?
Topher Marie (25:15): Yeah, I think that one prediction, which has already come true, is we're gonna see the term orchestration tossed around quite a bit. I think it's going to become like zero trust has become over the last 5, 10 years, where it's just everywhere, it loses all of its meaning, because we just say, yeah, I've got some orchestration, I can work with a different identity system, or I like to customize the user journey. They really kind of tick the boxes, but they miss the spirit of it. I don't want to be caught up in one identity system and not be able to choose the best of breed from some other places. So I would suggest that listeners kind of inoculate themselves against the buzzword. What is it really? What does identity orchestration actually mean? And how would it benefit me? If it doesn't matter, if you are actually just in one identity system, then you don't care about it. But I think that most nontrivially sized organizations probably could benefit from identity orchestration. And what they should do is, let's look at some of these siloed identities that I have, you know, not just my main directories, Azure or Okta or wherever I keep the main body of directories, but also all of the other subsystems: the HR system, the email, whatever it is. How can I make these things work together better? And think about the underused utilities that you already have. Maybe one small department had a particular need, and so they had to pick a particular MFA vendor. How do I unlock that and actually make it available across the entire organization? Or how can I use identity orchestration to choose and make the best use of all of these tools that I'm paying for, and maybe stop paying for some of the tools that I don't need anymore, or getting rid of some of these legacy systems that are really, really jacking up the prices and getting really expensive? So unlocking a lot of value by allowing you to mix and match your identity systems, the tools that you're using, and to customize that user journey.
Eveline Oehrlich (27:20): Great advice. Super. And I love that you mentioned zero trust; shout out to my old colleague John Kindervag, who is called the father of zero trust. So excellent, fantastic advice. All right. I have one more question. It has nothing to do with identity orchestration, sadly, but truly, I want to know, what do you do for fun? Because you live in Colorado, you're a surfer, but I don't think there is any surfing in Colorado. But maybe you have found some places. Tell us what you do for fun, Topher.
Topher Marie (27:50): Definitely no surfing. Definitely no surfing here. What I do, I think it's one of those classic... I grew up in Colorado, I used to do a lot of skiing. I used to get up there into the mountains for doing that. But honestly, the traffic is just making that kind of unpalatable. You spend a lot of time just driving out there and driving back. So one of the things that I really like doing is going to other places in the mountains, not the popular I-70 area but other places in the mountains, and doing a lot of hiking, doing a lot of mountain climbing. That's something I've been passionate about for decades now, doing mountain climbing. I've got a goal of doing Aconcagua, which is the tallest peak in South America. I had a goal of doing it a couple of years back, but unfortunately COVID knocked that plan to the side. So now that I'm back in Colorado, spending all my time here, I'm able to get into the mountains, get my fitness back up, and hope to get that done this coming winter.
Eveline Oehrlich (28:51): Wow, great goal to have. Good luck. That sounds fantastic. Thank you so much; this has been a great conversation. We have been talking to Topher Marie, CTO and co-founder at Strata Identity. Again, thanks so much for joining me today on the Humans of DevOps podcast.
Topher Marie (29:10): Thank you, Eveline. I had a great time.
Eveline Oehrlich (29:13): The Humans of DevOps podcast is produced by DevOps Institute. Our audio production team includes Daniel Newman, Schultz and Brendan Lee; shout out to my colleagues. I'm Humans of DevOps podcast executive producer Eveline Oehrlich. If you would like to join us on the podcast, please contact us at humans of DevOps podcast at devopsinstitute.com. I'm Eveline Oehrlich. Talk to you soon.
Narrator (29:39): Thanks for listening to this episode of the Humans of DevOps podcast. Don't forget to join our global community to get access to even more great resources like this. Until next time, remember, you are part of something bigger than yourself. You belong.