Your Identity is the Key to the Cloud: Optimizing Identity Access Management in a Cloud-First World

Shawn: Amazing conference so far, I believe so. I've been having some great conversations with fellow colleagues and with Steve as well as we pontificate of the future, information security and specifically business risk management. What we would like to do today is to take you through a conversation and a journey that I was very fortunate to observe based upon a vision that the Levi's senior leadership team, Steve and Colin, developed around how they were going to approach information risk management, and business alignment, and the context that that then enabled them to achieve, and the value that they deliver to the business based upon an identity first approach.

For the next 40 minutes or so we'd like you to join us on this journey and see how it's been done so successfully over at Levi's through the leveraging of completely different views into the risk management space business alignment, and also how technologies and approaches has resulted in an amazing set of results. With that, let me introduce Steve. Steve, you want to say, "Hello?"

Steve Zalewski: Sure. Good afternoon. I have some cheat sheet notes here, so I hit all the points. Don't mind me. My name is Steve Zalewski. I work at Levi Strauss. We make jeans. Yes, these are Levi's. Hopefully, you're all wearing Levi's. I would like to see that. Let me talk about myself for a minute and what we want to accomplish here between Shawn and I. The objective for me today is not to talk about technology. It's not to have a conversation around identity access management. It's not to talk about the specifics of what we did. Shawn will do that as the practitioner because he went through the journey with us. My job today is to simply tell you about Levi's. Why are we doing this? At the end of the 40 minutes hopefully what you'll understand is not just what technology is or how we did, but why we're on this journey, why we have to do this, and that you'll be able to make an equivalent set of decisions in your companies based on our learnings. I'm here to share.

I'm going to have two perspectives here, if you notice. One is as the architect. When I joined three years ago I joined as a chief security architect with Colin Anderson as the CISO. The job was to lay a security practice into Levi's. It was compliance, but they really didn't have the necessary infrastructure to protect the company especially with e-commerce and a lot of the work that you're going to see. I'm going to bring that perspective about from an architect. What does that mean?

The second part, and it's something I want to highlight, is about a year and a half ago I took over the threat intelligence and the incidence response teams globally, as well. That definitely colored my perspective of what a good security roadmap would be and highlighted where there were key gaps that many security architects don't consider. You're going to hear from me then those types of practitioner views of how we had to put the company where it is today, so that Shawn, and you'll see with all of his passion as an expert in architect as well, will be able to talk about the practitioner implementation that he was on the journey with me over the last three years with, which is why today we wanted to come up and end today. The last thing I'll say is we're between us and Obama, so we got 30 minutes to hold your attention while you're all thinking about going to see the ex-President. Hopefully, we'll do okay there.

The first obligatory slide, which is who is Levi's, or what is Levi's? We make jeans, like I said. Many people don't realize, and I didn't when I joined, we have the Levi's brand, the Dockers brand, the Denison brand, the Signature brand. Dockers are not jeans. They're the semi-formal wear that they thought up for men to wear, the khakis. We do business around the world. We are 74% wholesale, 26% direct to consumer, meaning stores and e-commerce. We're a $5 billion company. We have 5,000 trademarks, 12,000 employees, 50,000 retail doors, 110 countries, and about 2,800 dedicated stores, meaning owned and operated by us or franchisees for us. That consists of the retail component. Wholesale is up selling to the big vendors.

One of the things I learned when I came in, what I really wanted to title this conversation was not so much I am, but Levi's makes jeans. How hard can it be? How hard can it be to make some material, sew it, put it in a store, and sell it to you? That's all there is, a weaving factory, distribution center, and a retailer, and yet here we are talking about identity, and access management, and understanding why we're trying to do this. It didn't make sense to me. It's like, where's the complexity associated with that? My first takeaway was it seems simple, but let's go learn the business. As any good practitioner knows, and you understand, the more you know the business, the more you're going to understand what it's going to take to protect the business or secure the business.

I leave you with something as simple as that across the global footprint, across the e-commerce, in-store point of sale systems. What we have is simple, is we have weaving factories around the world. We have sundry factories that provide the rivets, that provide the red tag on the back. We send them to factories to cut and sew, not necessarily in the same factory. Depending upon what the rules are for finance and what the back taxes are, we move that inventory around to do it. We then have to ship it trans-ocean, plane, truck, anywhere around the world. We get it to distribution centers. We have 19 around the world depending upon where we're selling into.

We then have staging points depending upon the countries because we can't go direct. Sometimes we have to stage. Then we finally get it to the sales fort, be it our stores, or a customer store. It could be a storing store. It could be in essence one guy with a 10 by 10 somewhere like in China. That's what our distribution looks like. If you notice at that point, a lot of what we do is not us anymore. It's a giant orchestrated distribution system that we're simply orchestrating. Lay on top of that the finish that's done by hand. Lay on top of that the fact that we're not using lasers to be able to support the finish, in order to be able to make it more efficient to be able to sell jeans.

Then I say the last part that was interesting was okay, I get all that. Three years ago the company made a decision to outsource most of IT third party because it wasn't a core competency three years ago for us to have a strong IT because we sell jeans. What transpired in that three years though, however, was we are an IT company. We are a technology company. If you notice, this 3PL, is we are a giant orchestrated distribution network to sell jeans. From the source of the weaving factory to the retailers, we don't do anything. Your IT systems, your technology systems, your point of sale systems, your stylists that are in the stores with the phones to be able to work with you to order everything is all technology. It's exploded. The use of lasers and the transfer of our digital prints to the lasers around the world to factories in China, to factories in Japan, it doesn't make any difference. That's what we are. You realize what started out as a very simple concept from our perspective got pretty sophisticated. I'll say that.

Technology aside, Levi's is a brand. That's what we are. You can buy jeans from anybody anywhere. We order our manufacturing from the same place the Gap and others do as well. A $5 billion brand every year on jeans. If you damage the brand, that's a $5 billion potential hit. We live and die by the brand and the image. What that means, as I understood, is we're like the Coca-Cola of jeans. We want that lifestyle. We want you to be able to believe that it's good to wear the jeans. We also have transitioned over the years to be one of selling jeans to men, which are pretty straightforward to a fashion brand to women, selling jeans to women. That is a very different market segment.

What does it mean then to be a high fashion brand and trying to protect the company? It's not about securing the company. I'm protecting a brand. The people that make up the company are what they call creatives. These are people that live with material. They look at design. They think about thread. They think about the style, the cut, the holes. That's who they are. That's what they do. These are not high tech people. These are not tech savvy. They don't want to be. It's not what we are. The stylists in the stores, they're trained to understand physiology. They're trained to understand the buying process of females and men, so that we make it as comfortable and experienced as we can for you to come in and try on jeans and feel good about the experience because buying jeans is an emotional experience for many people.

Then lastly, think about research and development. When I went up to our research and development labs, it was fascinating. These people have blue arms up to here. Their fingernails are blue because they're dipping their hands in the dye because they want to feel the material as it's being dyed to understand how long it needs to be. I stepped away, and I said, "Okay, that's what I have to protect." Know the business. What does that mean?

Now we get to the security part and where Shawn is going to start to kick in. How do I then with Colin come into a company who has limited security and that that's what we are? We have to ask ourselves as the security architect, how do I think? The exercise here is I'm taught to think two ways. I'm thinking about how people use, and then I'm thinking about how people abuse. I have to think evil for an environment that's a family brand where everybody trusts each other, and it's about this lifestyle brand.

Then the second thing I have to consider is my job to secure the company? It's a private company. It doesn't have a lot of compliance. It doesn't have a lot of IP. It's not finance. It's not health data. The intellectual property is limited, so how do I balance the business risk versus just installing a bunch of technical controls and making the company secure? Am I really accomplishing the right thing for the company, which is I just want to sell jeans?

The security strategy in the room back then is driven by a couple of thoughts. I leave you with how do you think about the problem? Do you bake security in, or do you bolt it on? Both are legitimate ways to protect the brand or secure a company. Which way is the best way for you? Do you want to secure the data, or do you want to secure the resources? Is the intellectual property most important, or am I trying to protect my people because that's the avenue the bad guys are coming in? Then, am I here to secure the business, or protect the business? Those are very foundational ways of thinking about the problem that you have to take a step back and go, "This is the way you're going to approach it." A business risk reduction.

I leave it as two sample mission statements that I ask for you, which is for your company and you, which of these two mission statements is more important, or drives the conversation better? The one on the left is a very IT, technical driven mission statement. The one on the right is a business driven mission statement. It's talking to the lines of business about what we're trying to do as opposed to talking to the CIO about the controls we have and the evidence we can demonstrate and the measurement that we can show to be able to see what we're doing. With that, I'm going to turn it back over to Shawn.

Shawn: Now I remember the first time I walked into Steve's office. This is about two and half, three years ago, something like that. I walk in, and he says, "Hey, listen. I'd like to share something with you." I'm like, "Okay, this is cool. I just met this gentleman." He brings me into the back. What he's got is all of this highly confidential stuff that he's put away. He brings it out. What it is literally the roadmap that he had been working on since he had joined Levi's that included every aspect of what you would imagine in an information security program. I've been doing this, at the time I was doing it about 16 years or so. That was the first time in my career that I'd ever seen such a comprehensive approach and plan. To this day, I still speak about how impressive that was. Now why that matters is because they-

Shawn: Now why that matters is because they got it in a way that very few organizations either have the flexibility, perhaps the risk appetite to approach it in that way. When you think about how we start each one of our security programs of how it all interfaces into the how and the what often what gets left behind is the why. If you think of security programs and how they develop and how they move through an organization they kind of start, "Hey, do you know security?" "Oh, yes. I've worked on the firewall." "Great. You're the security architect now." Then, "Oh, have you ever done something fancy like set up a VPN?" "Sure, I've got it set up at home." "Awesome. You're now the network security architect." It just continues going down this path.

When you think about it from a pure discipline stand point well, what really is the discipline? The discipline actually is getting back here to getting to this business aligned approach where what you're doing is that you're going in with the end in mind and that is ultimately driving every single decision that you want to be able to, not just articulate, defend, but ultimately execute upon from your overall risk posture.

Now, that doesn't mean however going into this space and going into operating models that are challenging the status quo in terms of how services and capabilities are delivered. That does not mean that it happens overnight or that it happens easily. When you talk about this idea of digital transformation and how things move forward, specifically how things get consumed the ways that information are now accessed and all these data, depending upon you're utilizing from a mobile device or you're accessing it from home. The use case looks very much like the consumer use case. The challenge is that unlike a private individual that is dealing with protecting his or her information organizations like Levi's have to be concerned with the entirety of not just their supply chain, but also their up and down stream partners and any organizations that they're doing business with.

Now, when you think about the context of clouds though you automatically have to think of one thing. That has to be loss of context. Why does that matter? Because when I was a network engineer I remember I could tell you exactly which switch port I could up link and down link from one data center to the other. If that thing got pulled out the network would literally go down in one half of the building. I can't tell you that in a SaaS  environment. I'd have no idea. I wouldn't even necessarily know where I could possibly even go find this because in a lot of cases workloads are completely distributed across multiple data centers. If I believe that that's the case and by the way that's true, how on earth then would I be able then to provide contextualized access control, contextualized enforcement in this world where that context is effectively disappear. Plot twist is that it's very difficult to do and there's only a handful of ways that it can actually be fully accomplished.

Now, when you think about an organization in terms of they're moving over into the cloud and adopting it and everyone says, "Yes, we're going cloud first or we're really excited about bringing the cloud into our environment." Usually the way we find out about it as security and IT professionals is, "Hey, did you hear we have Workday deployed in HR?" Or, "Hey, I was just working on someone's computer and they have a deployment of a random storage." Meanwhile the corporate standard might be box, but they're utilizing something else. How on earth would you be able to know that, that is actually there and is actually in place. What makes it really hard is the way that we used to ferret this information out, finding out how things are used, where they're accessed from required that all of the information that is being accessed upstream and downstream flow through our infrastructures.

Well, if we believe for a minute that, that's no longer the way that data is actually moving our idea of centralized security control, centralized perimeter, the way we've understood it for the last 20 years has effectively created a variety of different blind spots. Most importantly, the language of cloud is not the language of TCPIP. Granted that's the transport, but underneath if you're looking at a transaction that's occurring from a service provider down to your agent, excuse me, which I find that every single cloud, the way it communicates, the way it actually interacts with your end users, the way it interacts with your data is completely different. The idea of trying to sit there and do something like as course and fairly difficult to manage like IP address filtering, which back in the day used to be the way that you would just secure access to unwanted sites. That doesn't work because when you're talking about the scope and scale of CSPs is somebody going to say that they're literally going to be able to lock every single address. You're talking about hundreds of millions of addresses. Can you imagine even trying to process that on a legacy technology like a firewall. Some people try that by the way. It doesn't work. Plot twist.

When Steve and I first started about kind of his approach was going to be he literally said, "You know what, this is what we want to get to. I have a really good sense of where we're at right now." The challenge being however, that as we start adopting cloud this problem that we just touched upon became front and center, which is this idea of and it's not dissimilar from what we've had in kind of our old way of approaching things, which has been where are my assets? Anyone here have a solid asset inventory for their IT systems? Uh huh. Okay. That's fairly common response, right. Do we know where the systems are at? Do we know where the data is at? Or if we've gone through one of those exercises of trying to do a data classification project. As soon as you get a policy in place and then how do I then effectuate that policy via technical controls. Well, how do you do that policy implementation when you don't even know where the data's actually at.

In the context of cloud this becomes an exponential problem. It's not from, oh, it's sitting on server A and it should've been on E. They could literally become it's sitting on cloud A, which happens to be accessed by five million potential users. The problem is completely shifted. Knowing where the data actually resides is absolutely critical. Then when you think about this identity based approach that was developed over at Levi's what they said is I know that for a fact as we continue to move down this path and adopt more and more capabilities what we must absolutely do is ensure that every piece of access that is being provided, provisioned, back from the beginning of the process, from the provisioning all the way to the end of that life cycle, that it's always contextualized. I always have an understanding of what that identity and anything that's provided to this identity is fully well understood.

Now than when you start thinking about another challenge you say, "Okay, cool. We've now solved for pieces of that by understanding where the data's at and then creating capability and insights through a centralized approach via something lie Octa. Now, what on earth do I do about the stuff that's already there that shouldn't be there.

I'll give you an example of how things used to be solved for back in the day. If you're dealing with like L3, L4 based technology stacks or you have something like a fairly straightforward web proxy. Well literally you might see something like, hey, no private information should be able to reside on this cloud. You go through the process and you force it up your stack and you prevent everyone getting access to it. Then you find out that actually that was approved by your boss. Now you've blocked a business process. Well, the problem with that is that given the crudeness of most of the tools that are kind of out there and the approaches architecturally that are available you got no other choice. You either enable it for everybody or you disable it for everybody. You're kind of stuck.

Keeping in the vein of enablement, velocity, capability and speed from a business context was a really critical thing and ensuring that the access to the systems and data was performed in a way that was completely consistent with their architecture.

Then something that is really dangerous and something that isn't often discussed. For the last seven years I've been responsible for the creation of the industry standard for information security controls in cloud. This CSAs cloud control matrix. When we were working on version three of that document this idea of vendor lock in was still fairly nascent. The concept that was discussed among the working group, well, wouldn't I want to leverage everything that one cloud provider provides. Would I want to do just 100% through that CSP? Well, as we all know it's difficult to actually do that because capabilities across clouds are completely different.

Number two, if you were somehow able to achieve that most likely it's being done by custom development, which kind of defeats some of the purposes of being able to leverage multi clouds. But let's just humor that for a minute and say that now you've fully invested into one stock and everything around contextualized security controls is now fully owned, operated via that CSP. What happens if the relationship goes south? What happens if performance isn't where you need it to be and now you need to move away? What if there's a change of leadership and all of a sudden one of the organizations that you're actually doing business with hosting and providing cloud services is now a competitor. I know organizations where that's happened by the way. They say you now need to walk away. That's really difficult. It is ... I mean if you think about back in the day when folks were doing active directory migrations that was fairly hard. Yeah. Now talk about all of your underlying business processes, which for the most part were fairly intact in that kind of legacy migration approach. In this case you're ripping everything out so you need to have something in place that it works across everything.

When we think about the changes then what does this really mean? This is where I think Steve really thought about this problem in a very different way in terms of how it was prioritized.

Steve Zalewski: We have 14 minutes left between us and Obama so we have a few more slides, just letting you now. We've done a lot now of laying the context of what Levi's is. We've done a good job with Sean of explaining, well that's where we're going. Nothing's slowing us down. We got to meet the business, and these are the challenges.

The next piece that we had to look at was all right we agree that to take this company where it needed to be business risk reduction had to be the driving focus which is if we were going to spend money on a security control the reduction in risk to the business had to be more than the cost of the people process and technology to put the control in place. Otherwise why bother? But the challenge obviously is well then how do you talk about business risk reduction? How do you talk to the business like the business not talk to the business like an IT security guy because that's not effective. In essence we had to put ourselves into the line of business and speak their language first and map it to what we were trying to do and have that conversation. Now, normally you can do that by talking about security controls. IM, DLP, network security, firewalls, right. It's the stuff we all know. The second way you can do it if you're up the maturity chain is you can talk about detect, prevent, recover cybersecurity risk so that you can try to do it.

The third level, which is where we took it and where we started from is we simply said how do we protect the brand? What you see here is the alignment of business risks to every one of our stakeholders, right, our retail, our wholesale, everything was done this way. We said, "Look, we have to protect the brand. That's the first thing we have to do. That's the most important thing." How do we do it? Protect the brand reputation. Protect the core, okay, is information in the brand? Then protect the consumer data no matter where it's located. That's the brand. If you compromise the consumer data, if you compromise the eCommerce site that's it. It's five billion dollars. We said, "If it does this, if it fixes this you can understand now why the business would make the investment."

The second area was protect our workforce. I don't know about you but fishing is the vein of my existence because we have stylists, because we have creatives. Lot of these are moms, they're kids out of school, designers. They don't think about IT. They don't think about computers. They do email. If you could see them work in a normal day they'll have their screens up and they'll be editing jean designs, or they'll be doing something, selecting what they want to be able to order. There's 10,000 garments just spewed throughout the building. These women just got clothes all over them. Looks like my daughter's closet. That's what they do.

What we said was, "We got to protect them." That means endpoint protection. That means identity protection and that means email protection. Stop the fishing. Stop the malware. Let them work wherever they are around the world. We make the investments there to protect our employees and there's an interesting byproduct of that which is those same controls and security awareness and everything else doesn't just protect them it protects their families. We made it a very family approach. In protecting yourselves you're protecting your family and you're protecting the family of Levi's.

The last area what we said was our ecosystem. What people have to understand is we're a giant supply chain now. Advanced monitoring of our cloud infrastructure, AWS, Google, Azure, everything, we have to see where we're moving all of our business processes to as well as what are we doing for network protection?

Steve Zalewski: ... as well as what are we doing for network protection because we're relying on all these third parties to provide information to us and out bound? How do we know that they're safe? We're counting on them now, that if they're breached, we better know how the systems can be decoupled because we're counting on all of that.

And then underlying all of that is the internet containment and recovery. We have to design for CAI which everybody understands, but what we really have to design for is maximized business continuity in the event of a business-disrupting cyber event. If it doesn't disrupt the business, who cares. I have time. And I use this as an example, if my financial system gets impacted or my distribution center to get jeans to my stores is impacted, which one is more important? Easy. If I don't have jeans in the stores I'm not making money. If my financial systems are impacted, yeah, that's a problem, I may not know how much money I'm making, but I'm making money. That's what I mean about understanding what's core to the business and don't get confused with a whole of people thinking that their business processes are the most important to the company. It's what's important to the company. And make sure that what you build aligns to one or more of those so that they implicitly understand the investment that you're making to do that.

And the last major slide I have is, so we have data centers. We moved aggressively into the cloud because the company simply said, data centers is not our core competency anymore, get the stuff into SAS, get it into IS, get it into PASS, make the company go faster. Your job is to help us sell jeans as fast as we can. So the business processes got to move, but security cannot fail. So now how do I put security into an infrastructure where what I'm really doing is trying to take insurance policies on my investments to reduce the key business risks to selling jeans. That's the conversation.

I put this up because identity and access management is our most important function in the company. It's the thing we invest the most money in for security, it was the first thing we did, it's our highest investment, because it's all about identity. And this is why. I went from having physical data centers to having a hybrid orchestrated data center. It's wherever it is, and I've got to glue it together and I can't tell the business, "no", because we're here to sell jeans. And so I use this as an example to be able to say, here is, pragmatically, where your commodity clouds, your consumer facing clouds, my enterprise facing clouds, my security services, my functional services that your enterprise architects all have. This is it. This is what I have to do. And I can't say no. I have to make it as fast as I can, realizing that many of the security controls in the cloud don't exist yet, and many of the business applications are now being sold directly to the business, they don't have to come to IT. Because if you don't have to touch our old Legacy Data Centers until you have an integration, the business doesn't care. So get with it. And that was what we were trying to do.

Shawn: So when we think about distilling the work that's been done across the last three years over at Levi's, and we say okay, so what were the secret ingredients here that made you so successful in terms of this approach. And when we get down to it from a pure play kind of technology based view, so now we're getting down a little bit lower where before we were talking about specifics of aligning to the business. It really came down to these things. Where the idea of building capability to meet and help exceed the current velocity necessary to conduct business at the highest possible level of quality with the least amount of friction, it required leading with the identity approach and then ensuring that across every component of their architecture was being reflected in the actual results that the business was then experiencing.

And what did that mean, then in terms of how this was done? It meant that they aligned with Okta as the basis of their entire architecture to really help bring together all of the key components and provide that contextualized based security that could then be leveraged across. They looked at the entire way that they thought about networks and said, "You know what? This idea of V-landing, kind of the way we did it back in the 90s and the early 2000s, that's cool." But what if I was to look at each different segment and ask the question, "Should this actually communicate with anything else? Is it necessary to conduct business?" Whether you're looking at it from a pure play, zero trust, or if you're actually trying to leverage your existing business process and workflows and architecting down to the minimum standard for the purposes of protection.

And then, they adopted a platform to ensure that there is capability across all of these multi-clouds because as we talked earlier about this, the idea of having a single pillar of one cloud providing every capability in the context of business is not realistic. So they needed something that was flexible and powerful enough to be able to achieve all of this, and that required a mind shift which is this idea of relinquishing some key controls from who actually builds it versus actually operates it, which still is very much Levi's. And then simply looking at the entirety of the space and asking the question, "When it comes to a business process and data flow, does it make sense that the control follow it?" And almost always, the answer as, "Yes." And very much in line with Levi's approach towards their business, constantly innovating, constantly pushing towards how do we do what we're doing now, better and continue achieving great results for our customers?

Steve Zalewski: This slide is to now try to take the why that we've taken you through, and the use cases in what I'm up against, to show you kind of demonstrate where the security controls or the security services, which is what I call them, pragmatically came out. So this is a snapshot in time. So if I look at protect our brand, application protecting of our e-commerce site, we were getting hit with bot attacks and so we went and invested in some technology in order to be able to defer the bots. Did the business have a problem with that? No. Because managing the reputation of the e-commerce site absolutely is the best, and if we're getting attacked by either slow attacks because they're trying to get credentials, or bot attacks because they're trying to scrape the sites, we got to knock it down. That is brand numbers one. Business said you absolutely are right, here's the money, go do it, because that is hundreds of millions of dollars at risk with these bots doing it.

If you look at mobile threat protection, we have mobile devices that are proliferating throughout the world, both in the stores and our execs. BYOD. The challenge we have was, if you look at our end points, we have anti-virus, we have malware, you have advanced threat protection, you have all this stuff. But on an iPhone, or another mobile device, a pad, you got nothing. And so we're deploying the first generation of an equivalent anti-virus on the phones to at least be able to tell you if you're hitting bad websites, if you're hitting bad cell sites, if you're hitting bad wireless sites. So, therefore, we can stop it in order to be able to protect you. That's brand.

If you get to our workforce, endpoint protection. Identity and access management is the core. Why? Because we're going to a zero trust model because they don't have a network edge. Why? Because I'm going to an identity-based deny when something goes wrong. And then email protection for phishing is the problem we have. I will share with you that in the last nine months we have had to do two global password resets as a result of phishing attacks that in order to guarantee we cleared it out, you do a global password reset. Now I ask all of you, okay, tomorrow you have to do a global password reset for your company. Think about your help desk. Is it ready? Think about your communication teams. Are they ready? Think about your IT infrastructure in order to be able to do that. Do you have the communication methods necessary because your email systems are potentially compromised?

So under that guise, as soon as we do it once or twice and the execs get a taste for that, that's a bad thing. So we don't have a lack of money, per se, what we have is an ability to make sound investments from an insurance perspective, on the key risks relative to the capacity of the company to accept the change to people and process. We don't have a technology problem.

And then if I look at our ecosystem, I have advanced monitoring, cloud flares, the rest of those that are get into the cloud, give me the same level of visibility that I have with my physical infrastructures that for 20 years we figured out how to build out, and then the network protection around security zones and in particular my risk assessments of my third parties. So that is practical ways of how we have now translated that and identity and access management is foundational to all of this. I would suggest with no time, that you ...

Shawn: So when we think about kind of the way that this all plays out in real life, that alignment to business is the most critical thing, but the architectural decisions that were made early on by the Levi's architect team, their leadership, was foundational and absolutely critical to the success that they're seeing now. And when you think about how Okta helped enable this, Netskope, we also did as well. And we continue to partner with them in terms of helping to expand and add more speed and velocity. And what we do is we provide the agnostic security layer, the meta security layer per se, to secure all clouds in real time. We're the leader in the space. Literally, the leader. We transact five times more than all of our competitors combined. And there's a reason for that. It's not only because of the capability, but it is also about the value that organizations like Levi's receive when they implement Netskope along with technologies that are also leading and innovating like Okta.

So in summary, the world continues to shift, we know this. We can talk about it all day long. But the question is, will we rise as information security professionals to think about the problem differently? Approach it in a different way, very similar to the way that Steve and Collin did when they said we cannot do it the way we did it before, we want to continue to innovate and align to our organization. And then asking yourselves, "What really is my mission? Do I know how I get paid?" I have had folks ask me that, how do I figure this out? How do I get on the path that Steve laid out? Start with figuring out how that paycheck gets cut and followed it all the way from the point of origination. And the time for doing this is now. The ability, the tooling, the drive, is not only there in the hearts of many security practitioners, but it is a necessity if we want to remain relevant in our discipline.

It's critical that we think about the information security challenge in a very different way and we think about approaching it from a technology controls perspective also.

Thank you very much for the time today. Appreciate it.