Matt Topper, President of UberEther on DIY Cyber Guy

Episode: #86: Are You Drowning In Account Sprawl, And Don’t Know It?

About Matt Topper

Matt Topper is a recognized leader in cybersecurity with more than 20 years of experience architecting next-generation Identity and Access Management (IAM) solutions that power digital transformation and protect mission-critical assets. As President of UberEther, Inc., Matt leads an elite team of cybersecurity innovators delivering secure, scalable solutions for some of the most complex cloud and hybrid environments in the world.

Matt’s Links

www.uberether.com
https://www.linkedin.com/in/matttopper/

Summary:

The discussion focused on the challenges of account sprawl and the importance of centralized identity management solutions to enhance security and streamline access management. David W. Schropfer referenced a report from the Cloud Security Alliance, while Matt Topper highlighted how organizations often create multiple independent accounts, complicating onboarding and increasing security risks. They emphasized that many organizations can leverage existing identity providers like Google Workspace and Microsoft Entra to centralize access to SaaS applications, which can be configured easily without coding experience.

The conversation also addressed the financial implications of software management, noting that centralization can reveal unused licenses and help organizations cut costs. Matt shared insights about his company, uberether.com, which specializes in identity and access management, and they concluded with plans for future collaboration.

SHOW NOTES:

In the Cloud Security Alliance list of “Top IAM Priorities for 2025,” the findings are alarming.
Multi-cloud identity management is falling behind. “Substantial visibility gaps exist that hinder effective identity management,” the report warns, pointing out that many organizations simply cannot see who is accessing what across their different environments.
The more SaaS programs you use, and the more employees you have, the more accounts you have to track.

SOURCE: https://cloudsecurityalliance.org/blog/2024/10/30/top-iam-priorities-for-2025-addressing-multi-cloud-identity-management-challenges#

Think about it—if your systems cannot verify every login or detect a privilege escalation in real time, you are handing the keys to your network over to whoever asks the right way. That is not just an enterprise issue; it is a risk for small IT teams and even individuals managing multiple accounts across platforms.

Here with me to discuss all of this today is Matt Topper.

Matt is President of UberEther, a company that manages both cloud and hybrid environments for its clients. He has spent over two decades designing and deploying identity solutions for federal agencies and Fortune 500 companies.

Q: What is account sprawl, and why does it sneak up on IT people?

TRANSCRIPT

0:00 – David W. Schropfer
Welcome back, everybody to DIY Cyber Guy. This is Episode 86. Are you drowning in account sprawl and don’t even know it. So the Security Alliance. So the Cloud Security Alliance published a list of top IAM priorities in 2025. And we’ll have the link in the show notes. And the findings were So multi-cloud identity management is falling behind. I think we all know that. But one of the things the article said was, quote, sustainable visibility gaps exist that hinder effective identity management. And the report warns, it goes on to warn that organizations simply can’t see who’s accessing what across many different environments. So environments can be a lot of different things. But in this case, we’re really talking about the combination of network assets, and SaaS assets. So the difference between the things that your employees use every single day, or you use every single day in your home versus the Salesforce that you log into, or the Workday account that you log into, or any SaaS product at all. And so I mean, if you think about it, your systems can verify every single login and detect every privilege escalation in real time if you’re not handling the keys in a centralized way. And if you don’t, you’re going to wake up one day and realize that you really don’t have a handle on exactly who’s logging into what, who has access to what. And then when somebody leaves the company, maybe on good terms, maybe not, and you all of a sudden need to very, very quickly shut down the access of that person, you might realize in a bad way that you don’t have a way to do that systemically and do that easily and very quickly see what access that person has or had, so you can shut it down. So here with me to discuss all of this today is Matt Topper. Matt is the president of UberEther, which is a company that manages both cloud and hybrid environments for its clients. Matt has spent over two decades designing and deploying identity solutions for federal agencies and Fortune 500 companies. Welcome, Matt.

2:36 – Matt Topper
Thank you. Thank you. Appreciate it.

2:39 – David W. Schropfer
Let’s start with let’s let’s start with the basics. What is account sprawl and why does it sneak up on people?

2:50 – Matt Topper
So sadly, this is a problem I see in organizations of all sizes, whether it’s a solo entrepreneur that’s vibe coding a new app right now and it out and getting some traction, or it’s Fortune 50 companies that have been around for a hundred years. But we all start with maybe a Gmail domain for a Google Workspace, or we’ve got our Entra tenant. So we’ve got some email, we’ve got office. And okay, well, I’m a solo, then I’m going to go get a SaaS solution, because I’ve got to manage all these great new CRM solution, because I’ve I’ve got to manage all these new customers. So maybe I go buy a bike drive, and I’ve got an account there. Well, it’s a little too much extra time or work to integrate it to my Entra or my Google Workspace. So I’m just going to create an account there. And then, oh, I’m too busy building. I’ve got to go do, or I’m too busy building. I got to hire a salesperson. Well, I’m just going to go create them accounts directly. And then, oh, I hired a dev. Now I’ve got more than my Amazon account for my AWS cloud that this is running on. And we’ve got all these different points and essentially independent identity providers that aren’t integrated. Or on large organizations, you’ve got 20, 30 years of legacy tech debt that, oh, we’ve got our on-premise AD infrastructure and we’ve got our on-premise infrastructure that we’ve never fully migrated away and shut down the on-prem. And, oh yeah, we had that pilot where we went and bought Okta or Ping, and I’ve got apps connected to all of those all over the place. So account sprawl is this idea that while you could centralize the accounts, and yes, it does take more work up front, you’ve got accounts being independently managed everywhere, and they’re not centrally governed. So when you’re going to, like, someone leaves the company, you’re hoping at your Excel spreadsheet or your notepad that you said, oh yeah, I created David an account on A, B, C, D, E. You hope you didn’t forget to write down F. And then you hope that when you are offboarding that person, that when you got between C and D, that the kid didn’t scream and you ran out of the room and you forgot. And then that account stays open, which honestly what we saw with a couple of years ago with the pipeline that shut down on the East Coast.

5:23 – Unidentified Speaker
That was literally an they let go that they forgot to shut down his VPN account. It wasn’t him that came in, but they had compromised credentials of his. And that’s what let these hackers in.

5:35 – David W. Schropfer
So what, you know, other than if you run a pipeline and all of a sudden it’s not a pipeline anymore, what, what are some, what are some of the indications that people bump into that, you know, the, the title of the, of the podcast is, are you drowning in account sprawl and don’t even know yet? What are some of those moments that you’ve seen professionally? That people call you and say, hey, guess what I was doing this morning? And I realized I’m not only drowning, but I’m already dead effectively at the bottom of the lake. It’s so bad, I don’t even know where to start to fix it. What are some of those events look like?

6:09 – Matt Topper
Yeah, so those are, there’s patterns you start to see, right? A lot of times it starts with the help desk, even if you have more than one person on the help desk, but it’s a, okay, what happens when you hire a new person? How, where do you even know to go create accounts for them? Or is it like, or are you creating all of the accounts or is it, Oh, people in the sales team have their own set of tools. And then, right. You got them their email account, but then that person’s not useful to the organization because you’ve got another part of the org how to create accounts for this piece. So that’s a lot of it is just the, how do you onboard people and how do you get them working quickly? And when you look at those processes and people are just drowning of like, oh yeah, we had a government customer where they didn’t expect someone to be like truly useful for six weeks after onboarding, because it took that long to get through all the processes and procedures. After about six months, we got that down to three days. Um, which like the cost savings with the number of contractors they had a year was well into the millions. But so that’s one of the big ones we see. Um, the other one we see is. Especially with the rise of SaaS services and people being able to buy right on a credit card, like, Oh, this cool new AI tool came out to make my sales presentation so much better.

7:37 – David W. Schropfer
And it’s only 30 bucks a month and I’ll just buy it.

7:41 – Matt Topper
And then, Oh yeah. Presenting with that and someone else on your sales team is like, Oh, that’s cool.

7:45 – Unidentified Speaker
I want it too. And that sales person’s like, okay, I’ll just add you to the team in this account. And now you’ve got three, four or five people.

7:53 – Matt Topper
And then that person who bought it originally goes, Oh shit, this is becoming a full-time job. Do your help desk, your problem now. And you start seeing those patterns coming back in. And at that point, it’s like, right, you got to get your arms around it and start really paying attention to how that’s centralized in government.

8:14 – David W. Schropfer
So some of the listeners right now are going to work at companies that have a CISO, have a help desk, have that number taped to their telephone in their office that calls straight to the IT department if there’s a problem, if there’s suspect phishing and that type of thing. Some of them will be the vibe coder in his bedroom, pounding out code, who’s at stage two and a half of what you described. And then we have everybody in between, with varying degrees of IT people that they can even call on. And I guarantee that about two thirds of the listeners kind of froze when you talked about, okay, well, just consolidate it all in this thing that I don’t understand. How do I do that? And is it going to cost me more than the company revenue per year. So talk through some of the some of these systems and and the expense of some of those systems and some of these processes that can just take the worry out of their heads.

9:21 – Matt Topper
Yeah so the is I would say probably 80 90 not higher percent of organizations whether you’re a solo or you’re a thousand people a Google Workspace that is tied to a domain, or you have a Entra tenant that is tied to your Office 365 licenses. The good news is those come with a free, air quotes, right, because you’re paying the bill every month, but as part of the service, an IDP, which is an identity provider that can be centralized. So anytime you’re on the web and you see the button that says log in with Google, log in with Microsoft, that is essentially, at that point, sending you back to the identity provider for your organization. And you’ll see most applications, most SaaS providers have that option. And in your configs for those things, there’s an option that says, essentially, only use Federation or log in with whatever your provider is.

10:26 – David W. Schropfer
And those configs are real easy to do.

10:29 – Unidentified Speaker
It says, turn off username and password login.

10:34 – Matt Topper
So now you’re reducing your risk that says, all right, I’m going to move as many of my SaaSes into this. And each one, depending on how hard, is probably 10 minutes to an hour to bring together.

10:50 – David W. Schropfer
And remember, that’s not per person. That’s just bringing in that SaaS product itself.

10:58 – David W. Schropfer
the SaaS product is part of that IDP, then everybody in the organization that uses that SaaS product is going to be using the same identity provider that is tied to Google or tied to Microsoft. And they’ll be able to access that, that SaaS product using one unified product using one unified IDP.

11:22 – Unidentified Speaker
And then as you hire a new person, right, already linked. Don’t now have to go over to that product and create an account. You might have to give them permissions. And do that integration again.

11:34 – Matt Topper
You might have to give them specific permissions if they’re a salesperson versus a sales leader, but that’s a lot easier to manage and govern. And then at that point, if that person changes or leaves the organization, all you have to worry about is shutting it off in Google or shutting it off in your O365 tenant. And then all of those other tools that you’ve integrated with are also shut off. So now you’ve reduced that blast radius of someone being able to say, Oh, they forgot to shut off this account for me. I can still write, I went to work for the competitor. And now I can go to my old SaaS CRM product and know all the big sales they’ve got going on.

12:17 – David W. Schropfer
And, and, and borrow a few email addresses and phone numbers, which is, which is not good.

12:25 – Unidentified Speaker
pretty well. They just heard two things, free and 10 minutes. So these numbers are real, and they do make sense.

12:35 – David W. Schropfer
So if you’re an organization that has, say, five SaaS products, the first one is going to take you more than 10 minutes if you’re not a coder, you’re not a developer. But there are resources that we could point you to that would help you do that. And once you’ve done one, the rest really will take you about It’s not it’s not that difficult to do once you get started. So Matt, give the listeners a couple of keywords maybe that they can Google if they wanted to find out how to take advantage of the free IDP that comes with the Google Suite or the Microsoft Suite that they’re already paying for to walk them through, let’s use salesforce.com as an example, how to integrate or how to mandate that all of their existing users start using the Google IDP to log into Salesforce as opposed to a suite of usernames and passwords?

13:29 – Matt Topper
Yeah, so majority of applications at this point that have either, right, they’ll call it login with type integration, federation integration, right, these are kind of keywords you can search around. But most SaaS apps, it’s as simple as saying, how do I integrate SaaS product name with Google Workspace or with Microsoft Entra? And your top five results, I guarantee two of them are going to be that SaaS vendor’s documentation for that integration. And the second one is going to be that vendor, Microsoft or Google’s, documentation with that vendor. And chances are, you’re going to have of both of them, because they both have new product features and releases. They’re updating the documentation in real time, but that should get most people there within that 10-minute window.

14:31 – David W. Schropfer
And this really is one of those cases where we’re saying documentation, we’re saying integration, and those things are accurate terms for this. But it’s not like integrating your 25-year-old Oracle database with the terminals that you inherited in Section 5. It’s not going to take a professional coder developer or somebody with of experience to do

15:02 – Matt Topper
The beautiful part is a lot of these are click-through at this point. It’s just the instructions of knowing where to go in the app to find the configuration setting and then It literally is a, like, if you’re in the SaaS product side, a, okay, here’s the button. Then it’s going to give you a list of providers. You’re going to click on the provider. Then you’re going to hit the next and you’re going to hit the next. Then you’re going to go over to your IDP and say, I approve. And you’re done, right?

15:30 – David W. Schropfer
Like it’s all browser based.

15:33 – Matt Topper
You’re not going to be command line. You’re not right. You might have to do some mapping that says, right. My email address on the Google site is this. In the SaaS app, I want it to be mail, right? But that’s just a simple one for one. But yeah, that’s way easier than trying to write bash scripts or PowerShell scripts and PL SQL in the good old days of integration.

16:00 – David W. Schropfer
The good old days for some. I was one of those people that would, depending on the documentation or how well it was written, like AWS is one of those I would have to close the doors, pull down the shades in the windows, put on headphones, and just focus word for word for word what that documentation was telling me to do anything. Just to create a simple integration took me hours at first, until I kind of understood it. But to this day, if I’m trying to do something I haven’t done before in AWS, I close the door and pull down the shades and focus on it. Until I get it. And it takes me a while. But you’re absolutely right that once you get into the right place on both sides, the SaaS vendor that tells you how to integrate with Google, the Google side that tells you how to integrate with the SaaS vendor, it can be as simple as a few clicks. And trust me, for all the CEOs that are listening of small companies who would really take it upon themselves to do all this for their employees, it’s not as hard as you think. And the first way one is doable within, say, half an hour, depending on how complex your system is. And after that, it’s just going to get easier. But it’s an exercise that doesn’t take a lot of time. It’s free. And you’ve got to do it. Otherwise, you’re going to drown in that sprawl that we’ve been talking about. This prevents the sprawl, right?

17:31 – Matt Topper
And it does a great job centralizing the calendar. The credential management, it allows you to start saying, oh, this person hasn’t even logged into this app in 45 days. Do I even need to pay for that license anymore? I always joke on the Microsoft side, you always have that project where someone needs Visio. But they only need Visio for like two weeks out of the year. But you have the manager that gives you the approval to give them a Visio license, and then it sits dormant for 11 and then a year from now, they open it up again. Well, why don’t I just give it to you for a month and then immediately pull it away, right? But it gives you that visibility centralized now to know, are people actually still using this SaaS product or not? Or is it one dude that still loves it to death, but we should really kill it? And then you are going to have longer term problems and concerns where you need to manage roles and groups and permissions within those things, but at least by getting it centrally, And you know, from a risk perspective, it’s on or it’s off and they can log in or they can’t. And it’s binary versus hoping and guessing what’s out there.

18:44 – David W. Schropfer
Well, that’s something my listeners also respond to, which is, wait, this can save me money. This can show me things that I can turn off that I’ve just been paying for every single month and not thinking about it. So yeah, I can really trim down if you’ve got somebody coming to you saying, I need access to this. Well, you haven’t logged in in nine months. So I’m gonna argue, no, you don’t actually need access so much. That saves real dollars and real cents for, I mean, today happens to be the first of the month. So the first of the month is when a lot of those SaaS bills hit, which is good timing for somebody who wants to cut down those prices a little bit. And centralizing it handles that as well.

19:24 – Matt Topper
Yeah, and I will say, at least in the last two years, I’ve seen a lot of organizations recover a lot of costs because, right, there’s a, with all the AI tools coming out, right, there’s a, when ChatGPT first rolled out, right, there was a lot of, like, upload your PDF and we’ll read your PDF and help you interact with it. And, like, you had to buy that as a separate service or, like, generate images or generate PowerPoints that are better. Well, six months later, that was a big deal. In as a native ChatGPT thing. Well, they went and spent 10 people on that one product. Now you’re like, you need that anymore. We already pay for a ChatGPT for all those people. Kill it. And there’s a lot of that churn going on as these tools are moving so fast and a lot of expense going out the door that we don’t know if we should or shouldn’t recapture if you’ve got an account sprawl situation going on.

20:23 – David W. Schropfer
Matt, it’s been great. Having you on the show.

20:25 – Unidentified Speaker
I really appreciate these insights. These are going to save money. These insights are going to save money for the listeners. It’s going to take a lot of worry out of the lives of the listeners.

20:35 – David W. Schropfer
And most importantly, give them a free, that’s free, F-R-E-E tool, assuming that they’re using one of these other products that we talked about already to make their lives easier. So that’s the exact kind of advice that we like to do on DIY Cyber Guy. So thanks for that. Matt, where can people find out more about what you do?

20:54 – Matt Topper
Yeah, so you can find our company at uberether.com. Not to be confused with Uber Eats, because we do get that call on a regular basis for our offices near a major airport. So we get a lot of people that are trying to find their drivers, but uberether.com. We really specialize in kind of this identity and access management realm, but also cybersecurity infrastructure. So if you have critical workloads where really your piece of the kingdom, right, all of your treasure and data is needing to be stored in security there for yourselves, your customers, you provide some very strong pieces there. Find me personally, Matt Topper, all one word on LinkedIn is probably the best. I’ve fallen off on the Twitters and that side of the world.

21:45 – David W. Schropfer
So that’s where you get the most updates from me. In LinkedIn.

21:52 – Matt Topper
Well, it’s been great having you on the show.

21:53 – David W. Schropfer
I hope to have you back on for some more great advice for my listeners.

21:57 – Matt Topper
I’d love to. Thanks for having me. Thank you, Matt.

Published by

David W. Schropfer

David W. Schropfer is a technology executive, author, and speaker with deep expertise in cybersecurity, artificial intelligence, and quantum computing. He currently serves as Executive Vice President of Operations at DomainSkate, where he leads growth for an AI-driven cybersecurity threat intelligence platform. As host of the DIY Cyber Guy podcast, David has conducted hundreds of interviews with global experts, making complex topics like ransomware, AI, and quantum risk accessible to business leaders and consumers. He has also moderated panels and delivered keynotes at major industry events, known for translating emerging technologies into actionable insights. David’s entrepreneurial track record includes founding AnchorID (SAFE), a patented zero-trust mobile security platform. He previously launched one of the first SaaS cloud products at SoftZoo.com, grew global telecom revenue at IDT, and advised Fortune 500 companies on mobile commerce and payments with The Luciano Group. He is the author of several books, including Digital Habits and The SmartPhone Wallet, which became an Amazon #1 bestseller in its category. David holds a Master of Business Administration from the University of Miami and a Bachelor of Arts from Boston College.