THE PLATFORM: THE GREAT BALANCING ACT
It is becoming increasingly important to use specialized security solutions. In this masterclass we will update you with Jasmit Sagoo from Auth0. He is a specialist in the field of identity and access solutions.
How do you secure an online platform and keep it easily accessible? How do you apply the available security standards to your environment? How can you quickly implement an I&A solution and create a scalable solution at the same time? In the Platform podcast series The Great Balancing Act, Jas Sagoo, Head of Solutions Engineering, international @ Auth0 and Mike Veldhuis, Partner @Nalta, will dig into these topics. Listen to learn and for a bit of fun too!
Want to know even more and ask your own questions? Then register for the (English) online Masterclass with Mike & Jas.
Episode Notes
The Platform Website: https://www.nalta.com/theplatform
The Platform on Youtube: https://www.youtube.com/naltatube
All Nalta Blogs: https://www.nalta.com/blog
Host, Mike Veldhuis
https://www.nalta.com/mikeveldhuis
Guest, Jasmit Sagoo
https://www.linkedin.com/in/jasmit-sagoo/
You are listening to The Platform. A podcast to learn about our digital world. I am Mike Veldhuis, partner at nalta.com.
Jas Sagoo: Hello, I'm Jas Sagoo. And I'm head of solution engineering and professional services at Auth0 International.
Mike Veldhuis: Welcome to the second episode, Episode Number 10, that I'm talking with Jas of Auth0. Welcome Jas.
Jas Sagoo: Hey, Mike, good to see you again.
Mike Veldhuis: Absolutely. And we had a lot of fun recording the first episode where we really set the stage for this new theme, about the great balancing act of security. And we talked about our front doors, that we have to lock them with a lot of keys, but still keep it convenient. And I think it was really insightful, and we kicked it off. And today we're going to talk about buy versus build strategies. So actually, it's about implementing a solution, whether you buy it from a vendor, or you build it yourself, right?
Jas Sagoo: Absolutely. And look, there's no right or wrong answer. But there are pros and cons of each approach.
Mike Veldhuis: And it's kind of exciting to talk with you about this topic, because you're clearly in the, in the league and in the in the team Buy because you're working for Auth0, but you are in the industry for a very long time as well. And we've seen a Yeah, a continual process of the solutions that pop up that really enable you to buy a stack of solutions to build even bigger and better platforms. Right?
Jas Sagoo: True! It, it's a big, I would say, you know, it's a decision that you have to make. And the decision is needed needs to be backed up by, you know, the approach that you want to take, it depends on what you're trying to establish. And also it also depends on I would say, is the extent of the project and program that you're trying to create. If you know if it's if it's a single application or one off, then maybe you can get away with the building. But if you're going to go and integrate multiple applications across multiple geographies and so on, then, you know, my approach would be that you probably want to consider Buy. But look, we get into the detail through the session.
Mike Veldhuis: Yeah. And what is the purpose of this session is not that we want to people after listening to this 15 minutes podcast, okay, I'm so stupid. I built the stuff myself. Buy is the only way like you said it's the choice. But it's a very interesting topic because it's something we had to learn at Nalta as well. When we started 20 years ago, even 21 years ago. It was like we're software developers, right? We build the stuff that our customers are asking us to do. And you really have to learn and get in the mindset that for a lot of solutions, it's better to buy it. For example, we are a Boomi partner. We're working a lot with Boomi. We talked a lot about Boomi in the podcast series. And it's clearly a Buy strategy. We don't want to develop every interface ourselves, sometimes it's the best thing to do. But in a lot of cases we just don't want to build a for instance Salesforce adapter or connectivity to Salesforce. We want to buy it and that's what we want to talk about today. And actually the story of Nalta with Auth0 is kind of cool. Because it were developers that came to me that said Mike, we are starting to look into the Auth0 portfolio and we really want to learn more we we implemented it on several locations and wouldn't it be smart to have a partnership Auth0 like we have with Boomi and that's where it kicked off for us you know, and so we want to be specialized on Auth0 but today we want to discuss those both areas. The when do you buy when do you build. Is that a clear cut?
Jas Sagoo: It's not that clear cut. And all I would say is when we have to look at is you know I think is important to understand the advantages of both approaches, we need to understand the disadvantages of both approaches. And also, when we talk about the advantages and disadvantages of different approaches, we have to talk about also, you know, investment, the investment required for, you know, either approach, build or buy. And not only the investment to do the first project, what happens when you do the second project, the third project? What about? How do you determine the scope of what you're trying to do? Is it better to build that scope yourself? Or is it best to buy that scope yourself? You know, when you're buying, you know, are you at the mercy of the vendors and the functionality they provide? So, there's a lot to take in and consider. So let's, let's take it away, let's, you know, try and understand some of the some of some of these considerations.
Mike Veldhuis: Could we start like, really, at the start of the journey for a customer, they decide to build an application, maybe you have a good example of a customer you've been working on, that needs an identity management system that really needs a module in their stack? To make a safe environment to to have this safe front door?
Jas Sagoo: Yeah, so. So yes. So imagine this requirement to have to have an identity identities, you know, a login box, let's separate simply into into your application. What one has to consider is, in some instances, is fine. How quickly do they want it? You know, is it? Is it easier? Is it cheaper, easier to go and build something yourself? Or using maybe some open source technologies? Or start from scratch? Or is it easier to go and buy something? Again, then you need access to budget, but not normally? What one has to consider when they're thinking around? Build versus buy? Is if you're gonna go and build something from scratch? What could end up? What would you have to consider is, first of all, you have to have the skills in house to go and build that. And Mike I do not even talked about whether we've gathered all the right requirements yet, right? Because that's a whole different topic. You know, if you ask everybody in the organization, they will, by the time they finish finished, it will have a list of 100 requirements.
Mike Veldhuis: That sounds familiar. Yeah.
Jas Sagoo: And you can have scope creep at that point, right. So let's focus on let's focus on, if you're going to build it, if you're going to build it fine. You've got the development team, you've got the engineers, we're going to build it. The question I would ask is, are the experts in security experts in identity? Okay, that's that's one thing to consider. Assuming they are, you're going to build a solution. Very quickly, you get to a point where you need to start understanding how you're going to deploy that solution is it going to be on premise, is it going to be are you going to procure hardware? Or is it going to be virtualized? Are you going to then deploy that the solution you've built on the cloud? How are you going to scale it as your users increase? Actually, who's going to maintain that? How do you build resiliency into that solution? And now, after I've talked about some of the challenges that come up, but maybe a solution you've built, tightly integrates into your application really well, you've provided the right experience, you are taking into consideration your application requirements versus the identity applications. But you get my point, at some point, the responsibility gets big, huge. Are you prepared to take that responsibility to scale out your solution?
Mike Veldhuis: Yeah. Which is crazy. Because I think in the head of a lot of developers or people that want to build certain applications, just username and password, right? Correct. But there is so much,
Jas Sagoo: So much beyond that. Yeah. Right. So So that's, that's what I say, Do you have the skills? Do you really understand identity? Right? It's not about a user's username and password. It's much more beyond that. And probably probably means you discuss them in a different session. You know, what, what it means what, what happens after you
Mike Veldhuis: Oh, please do, yeah, it's here. Yeah. Please explain.
Jas Sagoo: Typically, you know, there is there's a, there's a there's a flow. Now, normally, you know, what happens is your traditional system, not, hey, here's a user and here's the password. And let's see if these credentials match what we have stored in the database. Now, they haven't even considered thinking about breach credentials. So, you know, how do you have the access and the vast knowledge around credentials that have been stolen, they have breached So, so when you when you look at technologies or vendors who are experts, and they all they do day night is focus on the access, identity access management into any application. They create, you know, provisions for making sure that if your username and password is breached, they have they know about it, so they prevent access to that application. But also they look at things like, hey, this user five minutes ago, logged in from Egypt. And now and now they're logging in from South Africa, you can't travel, you know, within five minutes from one location to another, okay, so these are all clever technologies that, you know, experts, you know, putting into solutions that you go and buy, because they have the investment at the time they have the skills and the focus, you have to put that additional functionality in. So it's not just about entering a username and password and checking those credentials against the database. And then there's a whole kind of vast kind of area around. Once you do have access, you want to go on through the front door, what can you do? Which other rooms can you access? Right? And how far down the corridor you can travel. So there are all these all sorts of other considerations that have to come into mind. But let's go back to build versus buy. You know, if you if you get to that we got to a point where we talked about I think one of the main challenges would be you know, how do you scale? How do you create resiliency? How do you create? How do you maintain and manage the system?
That's one element. But the other element is, as we talked in the last podcast, security is always evolving, the threats are always evolving. How do you stay ahead? How do you keep your system enhanced? Not only maintain, but how do you enhance it. So again, these these are important considerations that you have to make when it comes to you know, building your own solution. Now, I'll tell you what's happened a few times what I've seen is organizations go out and do build a solution. And then years later, they get breached. And their names are all over press. Now it's embarrassing. It is but you don't want to get to that situation either. Now I'm not I'm not scaremongering, but I've seen this happen. And then they go out there very quickly and say, right, we need to do go and consult the experts. But then look, they are the organizations that have seen have done very successful projects, they know that the scale is not going to be an issue, because they're not going to have that many users, they know it's going to be a single application that they're going to use. So in those sort of instances, yes, these cases very simple. It's very manageable, and you can go and build your own solution. But most organizations here are, you know, I think are building digital services that they want to monetize. They want scale they want everyone using those services don't monetize them. That's the business model. So that's what you have to consider, you know, do you do you? Can you the solution that you need getting scale, you know, can it provide you with all the functionality you need today, but also in the future? Because, look, what we're seeing is very quick trends, the market is we're seeing that the user experience is very important. You don't want to have eight clicks, to register, and then another four clicks, that makes it you know, 12 clicks before your access service, people want the Amazon experience, you know, buy with one click, that's the experience everybody wants.
So, you know, in order to, you know, make sure that you're you are, you are, you know, providing the right level of experience with your consumers of your services, you have to make sure that sometimes there is enough investment and effort gone into some of these technologies. And that's where vendors come in. So that whatever the advantages being buyer comes in, now, when you look at technologies from a buyer perspective, there are many technologies there.
Mike Veldhuis: So I'm still looking forward to these advances, by the way, and I'm listening to you and I think, and I agree, and that's, that's difficult to ask questions, because I agree. It's like you're solving a part of the security stuff right at the front door. You know, there are a lot of ways to protect an environment. But it's makes so much sense to protect and make sure you focus on the core of the problem and that's what you're addressing right now. But at the same time, there must be some disadvantages right, like, vendor lock in or the security system itself being a single point of failure, or maybe building it yourself. It's more flexible.
Jas Sagoo: Yes, you're absolutely right. So when you when you're looking at vendors, obviously, there are many considerations you have to take, hey, there's so many vendors out there. Which one do you choose? First? Yeah, we totally go for. Second one is if you do choose a vendor, and as you said, rightly said, Are you locked in with that vendor? Right. And, and lock-in means, you know, as that vendor not using standards or standards based approach, so standards are very key, right? Whether you're even building your own system, or you're buying another system, make sure that they is the technologies you're selecting are based on standards. The reason standards is important. So there's no lock-in so you can move, you know, between technologies. But something that comes up very often is, you know, the scope of your maturity in this space. Are you now completely dependent on the vendors chosen? What if their rate of I would say innovation is not as fast as you were?
Mike Veldhuis: Exactly! Yeah.
Jas Sagoo: Right. So what do you do then? Right. So that's, that's something that I think you have to do a lot due diligence beforehand. Now, doing due diligence, maybe you don't have the expertise in house, maybe you're relying on external consultants to do this due diligence. So again, you know, how good are these external consultants that are doing the due diligence for you. So that's, again, a lot big factor, you have to think about it. But then again, all this is, is expensive. Mike, it gets expensive, and very quickly, you're wondering whether, you know, would have been cheaper for me to build the solution myself for our selves.
Mike Veldhuis: I think that sums it up, right? There is this trend in IT that a lot of solutions get standardized, still part of a stack of a vendor, but gets standardized. And maybe a way to look at this is that 20 years ago, you build your own computer, right? You didn't buy an Apple or a Dell or an HP, there were a lot of people that bought their own computer. Even in the gaming industry, they're probably no longer buying modules and build their own computer, they got a standardized, tailor made, focused product that's very good for gaming. And that's a trend we see in software development as well, whether it's in data integration, like Boomi, or the security space, we're talking right now in identity management, people are more and more relying on specialty products, because it's becoming so core to their business. And it's not a one on one, it's not that I have my front door for one application. Now most of the time, it's the front door for a whole set of applications. And, and that makes it even more critical. I'm still very carefully looking at vendor lock in. And that's the reason why I mentioned it. And I think our listeners, and people should be very aware. But there are standards like you you shared, and I share a little secret Auth0 complies to those standards, which always enables you to reach out to another vendor or build it yourself. And there is this quote from a colleague of mine. I prepared these episodes with my colleagues as well, are the questions you want to be answered. And he told me, Geert, everybody is capable of building his first application. But are you able to run it in a scalable and maintainable and a secure fashion over the years to come? That's a totally different ballgame. And my advice would be: is focus on the core of your application. And that's probably something to do with your business. And that's probably the reason why you wanted to build the application in the first place and leave security and a lot of other spaces in the stack to the specialists. That probably that would sum it up for me.
Jas Sagoo: You're completely right. And you know, I can't disagree with that. The only thing I would add to you is you know, we talked about it in the first podcast. The threat is ever evolving is getting more complex. And you know a solution that identity solution that. Like for example, for Auth0, it what it does is it removes, it takes around all the abstraction from complexity. So what you see is something very simple, something it's very easy to work with and use. But all the complexity around identity is built into the platform. So whoever is using this sort of solution needs to only worry about the integration points, and not about the identity and security points.
Mike Veldhuis: So focus on the core of your application and leave the heavy lifting of security to others.
Jas Sagoo: Exactly.
Mike Veldhuis: Thank you, Jas, wonderful episodes. And looking forward to episode number three, where we're going to look at the future of security. Thank you for listening. See you next time.