In this episode of Security Matters, host David Puner sits down with Eric Olden, co-founder and CEO of Strata Identity, and a pioneer in modern identity management. Eric shares his career journey, from founding Simplified to leading Oracle’s global identity division, and discusses the critical importance of resilience in identity systems.<\/p>\n
Discover how organizations can eliminate single points of failure, test their backup plans and ensure their digital operations remain robust even in the face of unexpected outages. Eric also delves into the concept of identity orchestration, explaining how it can unify multiple identity systems and enhance security.<\/p>\n
Tune in to learn about the latest trends in identity management, including the intersection of AI and identity, and gain insights into how businesses can proactively assess and mitigate risks associated with identity outages.<\/p>\n
Don’t miss this engaging conversation filled with practical advice and forward-thinking strategies to help safeguard your organization’s identity infrastructure.<\/p>\n
You are running late for a meeting. You log into your company portal\u2014nothing. You try again\u2014still nothing. Your workplace communication platform\u2019s down, your VPN stalls, no access to files. You assume it\u2019s temporary, but 10 minutes later, you hear someone down the hall holler, \u201cEverything\u2019s offline.\u201d Turns out your identity provider failed\u2014and there\u2019s no backup.<\/p>\n
This isn\u2019t theoretical. Our guest today recently worked with a major company that accidentally deleted 5,000 Active Directory groups. No backup, no rollback. Just panic. In another case, hurricane season knocked out cloud connectivity for retail stores. The stores still had power, but without identity access, operations ground to a halt.<\/p>\n
Today, Eric Olden, co-founder and CEO of Strata Identity\u2014and a pioneer of modern identity management\u2014joins us to talk about resilience. Specifically: how to fail gracefully, how to eliminate single points of failure, and why it\u2019s not enough to have a plan B\u2014you need to test that plan B before disaster strikes.<\/p>\n
You\u2019re right on time for this one. Let\u2019s get into it.<\/p>\n
David Puner:
\nEric Olden, CEO and founder at Strata Identity\u2014thanks so much for coming on the podcast. Welcome.<\/p>\n
Eric Olden:
\nThanks for having me, David.<\/p>\n
David Puner:
\nYou\u2019ve had an extensive career in identity management\u2014from founding Securant and Simplified to leading Oracle\u2019s global identity division\u2014and lots of other interesting and notable experiences along the way. So to start things off, how did you come to be known as the father of modern identity management, and how did you come to co-found Strata Identity?<\/p>\n
Eric Olden:
\nMost things start, in some way, as a happy accident. In my case, I was in college when the web had just come out in 1994 or 1995. I was looking around thinking, \u201cWow, this internet thing\u2014there\u2019s something here.\u201d Early on, people were saying it was going to stay academic and wouldn\u2019t turn commercial, but I didn\u2019t buy that. Eventually, I figured the number one thing people would need was security\u2014you need a way to have confidence and trust.<\/p>\n
Early web applications didn\u2019t have any of what we take for granted today, like sessions that recognize it\u2019s you from one click to the next. So one of the first things I was trying to figure out from an engineering standpoint was how to create a dynamic website\u2014and what that would look like if you could maintain a session. Once we figured out how to do that, we could create access control systems.<\/p>\n
My best friend and I started a company in our twenties, and one thing led to another. We had really found something people needed. Next thing you know, we had a 300-person company. We were about to go public around 2000\u2014then the dot-com crash happened. People still needed security, though, so instead of an IPO, we were acquired. That helped kick off the identity management market. At first, we didn\u2019t even call it \u201cidentity\u201d\u2014we called it web access management. People didn\u2019t really start using the term \u201cidentity management\u201d until the early 2000s.<\/p>\n
I was the CTO, and I\u2019m proud of our work on the SAML standard\u2014Security Assertion Markup Language. That was also sort of a happy accident. We had big bank customers that needed a way to recognize a user from New York, London, and Tokyo as the same person. Early tech couldn\u2019t handle that, so we helped co-author a standard to make it possible.<\/p>\n
Eric Olden:
\nThat showed me that if you want to make a big difference in an industry, you look at how you can influence it\u2014make things easier through standards. So, those are really the two main ways my career started: first on the technical side, then building products and contributing to standards.<\/p>\n
After that first acquisition, I took some time to catch my breath. When my non-compete expired, I wanted to start another company. That became Simplified, because around 2005\u20132006, people were moving to this new thing called software-as-a-service. I figured if they were going to use SaaS apps, they\u2019d need the same level of confidence and trust they had with on-prem systems\u2014but built for the cloud, starting again with standards. That was the whole promise behind Simplified.<\/p>\n
Coincidentally, Simplified was acquired by the same company\u2014RSA\u2014that had acquired my first company, Securant. After that, I found myself at Oracle, sitting on the other side of the table, so to speak, at one of the world\u2019s biggest software companies. It gave me a new lens\u2014when you\u2019re trying to help hundreds of thousands of customers do things, your approach changes. I had a great experience at Oracle.<\/p>\n
But as cloud adoption continued, I started thinking about multi-cloud\u2014not just Oracle Cloud, but Amazon, Azure, on-prem, all at once. From the customer\u2019s perspective, the question became: how do we make our apps work securely when they\u2019re spread across all these environments?<\/p>\n
That\u2019s when I realized nobody had figured that out. It was a really hard problem\u2014but incredibly rewarding from an engineering perspective if you could solve it. So we built a company around that challenge.<\/p>\n
That\u2019s how we started Strata\u2014to build the VMware of identity. The idea is to make it easy to use whatever cloud you want, whatever identity system you need, and have it all just work.<\/p>\n
David Puner:
\nThank you for taking us along that career ride. I think if there\u2019s anything we\u2019ve established here at the top of the episode, it\u2019s that you\u2019ve got foresight. So I\u2019m looking forward to seeing what\u2019s in your crystal ball later in the episode.<\/p>\n
So let\u2019s turn to identity infrastructure and resilience. What are some of the critical dependencies in identity systems that organizations need to be aware of to ensure resilience?<\/p>\n
Eric Olden:
\nOne of the big things people often overlook is just how critical identity is to digital operations. If you think about it as a Tier 0 service, identity is right up there with electricity and bandwidth.<\/p>\n
For decades, people have had backup strategies for the data layer\u2014how to ensure a transaction doesn\u2019t get corrupted, how to implement redundancy. But they haven\u2019t applied that thinking to the identity layer.<\/p>\n
That\u2019s partly because most organizations are all-in on one identity provider. But that\u2019s always felt untenable to me. As someone who\u2019s built a lot of distributed systems, I know you have to avoid single points of failure. If you design with redundancy from the beginning, you\u2019ve got a real shot at achieving resilience.<\/p>\n
That\u2019s why we built a product to make it easy to fail over from one identity provider to another\u2014without compromising security or trust in the application.<\/p>\n
Eric Olden:
\nA lot of times, people think about single points of failure only after something breaks. Take the CrowdStrike outage from last year\u2014it wasn\u2019t directly an identity issue, but it exposed the danger of having just one way to operate. When that system failed, suddenly businesses were offline and had no idea when they’d come back. Airlines couldn\u2019t board passengers. Movie theaters couldn\u2019t sell tickets.<\/p>\n
That really made a lot of C-level executives ask, \u201cWhere are we exposed?\u201d So in that mindset, you start tracing through your operations and identifying those single points of failure.<\/p>\n
Step one is identifying them. Step two is recognizing that not all risks are equal\u2014you have to triage. Organizations typically operate under constrained budgets. They can\u2019t solve everything at once, so they have to decide what to protect first. Risk modeling becomes essential.<\/p>\n
And finally, you need to avoid a false sense of confidence. By that I mean: having a plan B doesn\u2019t help if you haven\u2019t tested it. I\u2019ve talked to CISOs and CIOs who said they had a backup plan\u2014but never ran it because simulating an outage would\u2019ve been too disruptive. Then, when the real outage hit, they realized it would\u2019ve been cheaper to test it than to clean up the mess afterward.<\/p>\n
To fix that, test your assumptions. Document your backup plan. Validate it. If you\u2019ve already seen what happens in a failure scenario, you\u2019ll be far better prepared from a risk perspective. Much better than saying, \u201cWell, we paid a vendor, and they gave us an SLA.\u201d SLAs aren\u2019t a safety net. Maybe you\u2019ll get a refund on your compute costs, but what if the outage costs you $12 million in lost ticket sales?<\/p>\n
That\u2019s why you want to get ahead of it.<\/p>\n
David Puner:
\nWhat are some other industry-specific examples of identity infrastructure outages that have impacted businesses? What are some common cases you see\u2014or just notable examples others can learn from?<\/p>\n
Eric Olden:
\nThere are a few common ways outages happen. First, everything\u2019s connected today, and a lot of times the problem is downstream\u2014caused by a vendor or someone in your supply chain.<\/p>\n
Human error is another big one. We recently worked with a company that accidentally deleted 5,000 Active Directory groups\u2014and didn\u2019t have a backup. That\u2019s a stressful realization. You\u2019re thinking, \u201cIf I could just go back 30 seconds and undo that click\u2026\u201d<\/p>\n
These errors aren\u2019t usually malicious\u2014they\u2019re accidents. But they\u2019re still costly.<\/p>\n
Weather is another factor. We\u2019ve got customers in retail, especially in the Southeast U.S., who deal with hurricane season. When that happens, you really see how connected everything is. In those cases, it\u2019s often not the cloud provider that goes down\u2014the data centers are secure and hardened. It\u2019s the connectivity that fails. The route to the cloud breaks.<\/p>\n
So when that happens, it\u2019s important to have a fallback\u2014to be able to fail over on-premises so your store can keep running. Whether that means selling cleanup supplies or just staying operational, that resilience really matters.<\/p>\n
David Puner:
\nObviously these organizations learn the hard way when these things happen. But what about the ones trying to be proactive? How can they approach assessing the financial, reputational, and regulatory risk associated with identity outages?<\/p>\n
Eric Olden:
\nThe best-case scenario is you plan with the assumption that an outage will happen. You\u2019re not planning to fail\u2014you\u2019re planning for failure. It\u2019s a mindset, kind of like the \u201cassume breach\u201d concept in zero trust. In this case, it\u2019s \u201cassume outage.\u201d So: what do you do when it happens? How do things continue to work?<\/p>\n
That kind of resilient mindset is key. Document the plan. Run tabletop exercises so it\u2019s not just one person who knows what to do\u2014get different teams involved. It\u2019s like red team exercises, but instead of looking for vulnerabilities, you\u2019re testing resilience.<\/p>\n
You also want to structure your software so it has no single point of failure. Make sure your critical systems can be monitored, and if something goes wrong, you can remediate quickly. That might mean a person stepping in and saying, \u201cSystem A is down\u2014we\u2019re switching to system B.\u201d Or it could be automated, depending on the circumstances.<\/p>\n
Sometimes you want to wait and see if something recovers on its own. Other times, you need to act instantly. It depends.<\/p>\n
And there\u2019s the reputational aspect. People think their brand is strong and users will be forgiving\u2014but that\u2019s not always true. If you\u2019re a bank and customers can\u2019t access their money, that\u2019s a crisis. People get upset fast because it triggers this basic human emotion: \u201cI need this thing\u2014and I can\u2019t get to it.\u201d<\/p>\n
That\u2019s why making that stitch in time isn\u2019t just about saving nine\u2014it could save you nine million. So take it seriously, and get ahead of it.<\/p>\n
David Puner:
\nYou mentioned having a plan. You also mentioned failover. What are failover mechanisms, and how do they work in identity orchestration? And what exactly is identity orchestration?<\/p>\n
Eric Olden:
\nIdentity orchestration is a new way of managing multiple identity systems. It\u2019s built on a concept called an identity fabric.<\/p>\n
Let\u2019s start there. Your identity fabric is all the different identity services you use\u2014authentication mechanisms, access controls, risk signals, all of it. Historically, those were all siloed\u2014different systems in different places.<\/p>\n
Identity orchestration lets you unify them under a common abstraction layer. Think of it as a control plane that integrates those systems and allows you to orchestrate how users move through them in real time.<\/p>\n
So for example, a user could authenticate with Microsoft, check access with Oracle, and then use passwordless login via HYPR\u2014all in one flow. The orchestration system ties all of that together.<\/p>\n
Eric Olden:
\nTo the end user, it looks seamless. Let\u2019s say you\u2019re opening a new bank account. You want it to be easy, but the bank needs to verify that you’re a real person\u2014not a bot\u2014and that you\u2019re allowed to open an account based on location or other criteria.<\/p>\n
With orchestration, you can create a multi-step onboarding journey. Step one: collect basic user info\u2014name, address, etc.\u2014and save it in an identity system. Step two: use a tool like OneCosmos to verify the user\u2019s human\u2014using bot detection, CAPTCHA, or even liveness validation in this AI era. Step three: if those pass, the system creates an account and issues credentials\u2014maybe even passwordless ones.<\/p>\n
That whole process spans multiple systems. Orchestration stitches them together and manages the flow.<\/p>\n
Now, in terms of resilience and failover\u2014this orchestration system can monitor identity providers in real time. Before sending traffic to one, it checks if it\u2019s available. If it\u2019s not, it routes the user to a backup provider. That\u2019s the failover part.<\/p>\n
The orchestrator acts as a smart proxy, dynamically sending traffic to the best available identity provider. And that\u2019s key\u2014because this logic isn\u2019t built into the identity provider itself. If your main provider goes down, it\u2019s not going to reroute anything. The orchestrator can.<\/p>\n
So that\u2019s how orchestration supports both the identity fabric concept and resilience across your identity systems.<\/p>\n
David Puner:
\nAnd not to be too much of a homer here, but identity orchestration can be part of identity security, correct?<\/p>\n
Eric Olden:
\nAbsolutely. Most of our customers\u2014including some of the world\u2019s biggest banks and retailers\u2014use orchestration to power zero trust, continuous access, and continuous authentication.<\/p>\n
Those architectures are usually made up of tools from different vendors. Orchestration is what helps them work together\u2014so yes, it\u2019s a critical piece of identity security, especially when you\u2019re managing multiple identity providers.<\/p>\n
David Puner:
\nSo then getting into the human factor of all this\u2014how important is it for organizations to regularly simulate identity outages, and what are some best practices for conducting these simulations?<\/p>\n
Eric Olden:
\nThere are a couple of ways to approach it, and it really depends on your level of risk and what downtime would cost your business.<\/p>\n
For very high-risk, high-cost applications, you can set up the orchestrator to do load balancing between two identity providers. So if one goes down, the other one is already handling half the traffic\u2014and you can immediately route everything over to it. That\u2019s called active-active.<\/p>\n
For most Tier 2 apps\u2014business-critical but not mission-critical\u2014you might go with active-passive. You have one primary provider, and if something happens, you fail over to the secondary. These are the apps where being offline for a few seconds or even a few minutes won\u2019t sink your business, but still matters.<\/p>\n
And of course, your failover system itself shouldn\u2019t have any single points of failure. You can run your orchestration software on a Kubernetes cluster behind a global load balancer, which gives you redundancy across the orchestrator proxies too.<\/p>\n
Testing is critical. If you\u2019re doing active-active, you\u2019re basically testing constantly because traffic\u2019s always flowing to both systems. With active-passive, test it at least once a quarter\u2014once a month is better. Best case? Have the ability to run ad hoc tests. Simulate a \u201cbreak glass\u201d scenario on a Tuesday before a big system upgrade on Friday. Make it a normal part of your ops.<\/p>\n
Because let\u2019s be honest: not testing is like skipping rental car insurance thinking, \u201cWhat are the odds I\u2019ll need it?\u201d And then boom\u2014someone backs into you. For 20 bucks, you could\u2019ve avoided a $2,000 problem. Same idea here: invest in the test.<\/p>\n
David Puner:
\nAre you always getting that extra coverage when you rent a car?<\/p>\n
Eric Olden:
\nI do. Maybe I go overboard, but yeah. I use a credit card that offers coverage by default\u2014and then I buy the extra rider on top of that. Knock on wood, I haven\u2019t been in an accident. And I\u2019m not trying to tempt fate.<\/p>\n
David Puner:
\nDuring an identity outage, how can dynamic policies help prioritize critical roles and automate enforcement to maintain operations?<\/p>\n
Eric Olden:
\nA big part of managing availability is understanding what an outage looks like.<\/p>\n
The source of the outage could vary\u2014it might be a storm, a cut fiber line, or a malicious actor. So the first step is understanding what counts as an outage. For example, if your identity provider returns a 500 HTTP error, that\u2019s a clear sign the server is down.<\/p>\n
Then you\u2019ve got to decide: do we fail over, or wait it out? That\u2019s where dynamic policies come into play. Let\u2019s say you have a shipping application, and it can tolerate a five-minute outage. You may configure a rule: \u201cWait five minutes, then take action at six.\u201d If it\u2019s still down by then, odds are it won\u2019t resolve quickly\u2014so the system fires off an alert or initiates failover.<\/p>\n
Sometimes it\u2019s better to wait\u2014maybe the server\u2019s just re-indexing a database. But other times, you have to move fast. Let\u2019s say it\u2019s a trading application and your system slows down\u2014not even fully down yet, just slow. That latency can have huge downstream consequences. In that case, you might want to fail over before the full outage hits.<\/p>\n
So it\u2019s not always black-and-white. You need nuance in your definitions of what an outage is\u2014and different protocols for different scenarios.<\/p>\n
And whatever you do: log everything. Audit everything. After an incident, you\u2019re going to want to dig into the logs to see what went wrong. If those logs aren\u2019t detailed or complete, it\u2019s incredibly frustrating. Without knowing what caused the outage, it\u2019s much harder to prevent the next one.<\/p>\n
David Puner:
\nSo, speaking of nuances\u2014or lack thereof\u2014let\u2019s talk regulatory standards. What strategies can organizations adopt to keep their identity continuity plans current and aligned with evolving regulatory standards?<\/p>\n
Eric Olden:
\nRegulatory issues are a huge part of our world. Most of our customers are large, multinational corporations, which means they operate across multiple jurisdictions. A company based in the U.S. might have operations in Europe, for example\u2014so when you think about regulations, you have to consider where your users are, not just where you are.<\/p>\n
In Europe, they\u2019ve led the way with identity-related regulation\u2014most notably GDPR. American companies realized that even if they\u2019re based here, having French users, for instance, means you\u2019re handling their data\u2014and it needs to be protected under European rules. Non-compliance can lead to fines, and nobody wants that.<\/p>\n
More recently, there\u2019s a regulation out of the EU called DORA\u2014the Digital Operational Resilience Act. It focuses specifically on ensuring resiliency and minimizing disruption. It\u2019s essentially asking: do you have a plan? What are you doing to avoid outages? And if they happen, how do you respond?<\/p>\n
While DORA originates in the EU, it\u2019s having a ripple effect. American companies are paying attention because it\u2019s not just about legal risk\u2014it\u2019s a good idea. Even if the regulations aren\u2019t enforced domestically, the principles of resilience are worth adopting everywhere.<\/p>\n
David Puner:
\nYou mentioned earlier that you’re known as the father of modern identity management. What we haven\u2019t mentioned yet is that you also authored Identity Orchestration for Dummies, published in 2024. As a pioneer in the field, how does identity orchestration differ from traditional IAM approaches, and what benefits does it offer?<\/p>\n
Eric Olden:
\nI can\u2019t really claim full credit for being \u201cthe father of identity\u201d\u2014success has many parents, and failure\u2019s an orphan, right? But I do take pride in being part of the early work, like helping define SAML and now this push into orchestration.<\/p>\n
The key difference with identity orchestration is that it\u2019s an overarching layer. That\u2019s actually why we named our company Strata\u2014\u201cstrata\u201d means layers. Just like the stratosphere contains all the clouds, Strata\u2019s orchestration layer helps manage what happens inside all your clouds.<\/p>\n
Orchestration and identity fabrics give you a way to make everything work together\u2014on-prem systems, cloud platforms, legacy tools, and modern solutions. It\u2019s like virtualization for identity, and to me, it feels like everything\u2019s coming full circle.<\/p>\n
David Puner:
\nReally interesting. So, to wrap things up on a broader note: what emerging trends in identity management are you most excited about? How do you see them shaping the future of IAM?<\/p>\n
Eric Olden:
\nI\u2019m really fascinated by the intersection of AI and identity.<\/p>\n
David Puner:
\nCan\u2019t believe it took this long in the interview to mention AI. That\u2019s probably a record for us.<\/p>\n
Eric Olden:
\nRight? The hype\u2019s been off the charts. But this one\u2019s different\u2014AI is evolving fast, and it\u2019s changing things in real ways. Originally it was machine learning, and now it\u2019s generative AI. The Turing test\u2014Alan Turing\u2019s idea for distinguishing humans from machines\u2014is becoming harder to apply.<\/p>\n
Humans are identities. And protecting against threats\u2014like someone pretending to be a human when they\u2019re not\u2014is becoming more complex. We\u2019ve got phishing, deepfakes, and AI-driven identity impersonation. Passwords just won\u2019t cut it anymore. AI can brute-force passwords or replay credentials.<\/p>\n
One of the wildest recent examples? A deepfake on Zoom that mimicked a CFO. The attacker convinced someone to wire $25 million, thinking they were taking instructions from a real person. It worked because the fake looked and sounded real.<\/p>\n
So now we\u2019re at the point where we need to detect whether something is a human or an AI\u2014not just in login screens, but across systems. And we also have to secure our APIs and data when AI systems like ChatGPT or LLMs are accessing them.<\/p>\n
This is just the beginning. The landscape is shifting fast, and identity management is right in the middle of it.<\/p>\n
David Puner:
\nAnd teaser alert for our listeners\u2014by the time this episode drops, our new Identity Security Threat Landscape Report will be live. And spoiler: machine identities now outnumber human identities by more than 80 to 1. So yeah, there are a lot of identities out there.<\/p>\n
Eric Olden:
\nThat\u2019s for sure.<\/p>\n
David Puner:
\nEric Olden\u2014a man with many plans\u2014thank you for coming on Security Matters. Really enjoyed speaking with you.<\/p>\n
Eric Olden:
\nThanks for having me, David. It\u2019s been great.<\/p>\n
David Puner:
\nAll right\u2014there you have it. Thanks for listening to Security Matters. If you liked this episode, follow us wherever you get your podcasts so you can catch new episodes when they drop. And if you feel so inclined, please leave us a review. We\u2019d appreciate it\u2014and so will the algorithmic winds.<\/p>\n
Got comments or questions? Want to suggest a guest? Drop us a line at securitymatterspodcast@cyberark.com.<\/p>\n
We\u2019ll see you next time.<\/p><\/div>\n","protected":false},"featured_media":213783,"template":"","class_list":["post-209835","podcast","type-podcast","status-publish","has-post-thumbnail","hentry"],"acf":[],"yoast_head":"\n