Hello everyone, I am Saumya Saxena, and you are listening to Secure Insights – A Series of conversations with industry experts, influencers, and leaders in the IT Security space. In this podcast I have with me Brian Krause, Director of Worldwide Channels at Idaptive.
Hi Brian – Firstly, thanks for taking time to do this podcast. So, let me get started by asking you a couple of questions.
1. How do you think the journey of identity management and data security has been over the years?
Yeah, I definitely see it to be quite a journey, especially when we look in the marketplace at how much has really changed. It seems like, as more and more of these threats come out and are prevalent, we see breaches. Various customers that we worked with, different businesses, they’re starting to really look at identity as a forerunner of security priority, where traditionally it always seems like it’s a very small budget item, something that’s very much an afterthought. But as we really see this expansion of cloud technologies out there, whether it’s just general cloud applications or cloud infrastructure, this struggle that’s been taking place is very much of, hey, I have this on-prem environment, and as much as I’d like to say that it’s going to completely disappear and go to the cloud, we all know that that’s not the case. So it very much becomes, well, how do I get control of this and make sure that I know who in my workforce should have access, where they have access to.
Then I think a lot of this just really has started to compound as the user that a lot of IT is responsible for securing down is no longer even just an internal company user, it’s starting to be business partners, suppliers, vendors or even a lot of their customer base is coming in and accessing various systems so that’s just where I’ve seen a lot of change. It’s now very much top of mind. It’s becoming board level conversations as customers say, hey, you know what, this is something we need to think of first if we want to continue this migration forward into the cloud.
2. Idaptive has been spun out from Centrify – what have been the results from this bifurcation, and how is Idaptive seeing the future for itself?
Yeah, the spinout has definitely been a big event for us personally. Initially, with the spinout we had our hiccups, roadblocks, that you would expect. Just how do you start to pull a business unit out of a company, how do you start to split up infrastructure that’s in place for managing both product sets. But as we moved past that, re-operationalized systems processes, re-engaged our sales team and product management, and all of that good stuff, what we’re really starting to see is the company come together.
We have re-engaged with many of our partners and the fact that we have a singular focus on IdaaS, really going in and putting a heavy focus in particular on helping customers that tend to have these legacy Active Directory environments and using that to connect to the various SaaS apps out there, it’s allowed us to really focus on the various products and the feature sets to build those out to deliver some of the capabilities customers have been asking about for a long time.
But as we had this broader vision when we were part of the old company, Centrify, we just couldn’t necessarily get that on product roadmaps which we can do today. And as a result, we are just seeing the product really come together and start to fit more and more advanced use cases which has been a ton of fun on a personal level working.
3. What are your views on how analytics can improve an organization’s governance posture?
I think analytics is definitely an interesting topic on there, and the reason I say that is when we look at what’s one of the best ways to stop a breach, MFA is always going to come top of mind. But when you start to look at some of this idea of saying, hey, I am going to apply MFA across the environment, we now run into a lot of different situations that become problematic. Probably, yes, we are mapping back to all of these great regulations out there; there’s not anyone that actually enjoys using MFA, it’s a hindrance.
It slows you down in the work environment, and what we really found is, by being able to take machine learning and wrap that into an analytics platform, we can now start to make a user experience a lot better, make it actually easier to access various applications in a secure manner while increasing security. And a lot of this really gets done in kind of a unique fashion where we can take a look at a large data set and say, hey, we see what applications you’re accessing, and now, taking a look at 5 different attributes, we can start to make some decisions about access. So, since we can look at what device someone comes in off of, we can look at time, date, location, geo velocity.
When you start to tie some of those data points together, you can now figure out what a user’s behaviour is. So if somebody’s accessing an application in a very low risk situation, accessing during the same time of day to the same couple apps from the same device they always do, there might not be a lot of risk there; we probably don’t need to step up to MFA all the time. But if all of a sudden you start popping up at odd hours, different areas of the country, there might not be a high risk but it’s maybe a medium score risk, for lack of better term, and at that point, maybe we want to put MFA, and if just something’s too out of bounds, and just doesn’t make sense for what you do, maybe we just completely deny access.
And then I think what this really leads to in the future is once we start having risk scores associated with individual users, it now really allows you to do some sharing across platform. So maybe if you had some sort of SecOps environment, you might want to say, hey, within runbooks, I would like to take a risk score and if I see an elevated risk score from an IdaaS platform, much like Idaptive, and I see that there’s some sort of elevated score from maybe something like Palo Alto, Cortex product, I might want to send that event over to one of my SOC analysts to take action, and that’s really where I’m seeing a lot of the excitement happening around analytics.
4. Building on that, what advantages do you think AI and ML have to offer to identity analytics?
I think really the biggest advantage that it tends to offer is its ability to make real time access decisions across large data sets of information, that there would be no way to possibly program that into a system purely using policy. So, as we start to see the changes within an environment, now we can take action and we can actually make decisions smarter as we go along.
And I think what becomes really important about this, it allows you to truly have some security automation built into the mix and it’s not impacting the user in a negative manner and it’s allowing them to do their jobs so businesses can focus on what they do and it helps in doing business.
5. It appears that individual digital identities will evolve soon to become multiple digital identities, how do you think the security world is prepared to take on that?
That’s a very interesting question. I think, unfortunately, that the security world in general probably isn’t as prepared as they would like to be. And that’s why we’re seeing so much discussion around identity management in particular, and where a lot of this really stems from is, it’s very hard to just say, hey, I have a single user that’s only accessing a single network. And this is really where those of us on the identity software manufacturers’ side of the house have to heavily look and say, hey, how can I go and share this identity information cross-platform, and figure out secure ways to establish trust in a sense that I can say, hey, based on you being a supplier that I have a partnership with, I’m going to now trust your identity infrastructure, and when I do that I’m going to provide access into my systems based on that trust. And that’s where a lot of us are really putting our focus on, is how can we build out this so we can have that cross-communication, and certainly a lot of that is just with the different APIs out there to talk back and forth.
I think over the past 2 years or so, we’ve seen it get a lot better and of course everybody is always looking at this concept to around what blockchain is, to where will this finally factor in, don’t really know yet but that’s kind of what we’re seeing on the rise.
6. Now that we are dealing with individual identities how do you save that from a single point of failure?
Well, I think that is the beauty of cloud and identity as a service. The reality is when you start building products out of the likes of AWS and Azure and whatnot, you have highly connected environments that are load balanced and have high availability built all over the place, and that’s truly what allows us to have the ability to protect from that single point of failure. If all of AWS and all of Azure went down, OK, we’re all going to be in a world of hurt, but it’s more than just an effect on an individualized company.
Of course you know on that single identity, we do need to get smart when we are using authentication mechanisms of phones and there’s plenty of mechanisms in place for that but, I think at the end of the day, when you can start to put identity as a service, that’s what allows your individual identity to be portable and carry across the multiple environments that you may have within your organization.
7. How do you think IdaaS will make its way in the near future?
I think all we’re going to see is an increase in IdaaS consumption. I know when I first got into working in the IdaaS space, 5 years ago, it still felt very, very new at that time and there were a lot of questions just around, hey, I don’t trust this, I’m not going to push my identities across the internet, which was a valid concern, totally get that.
But as we see all infrastructure go into some sort of hosted solution, it only makes sense, and the reality is if you want to connect all of your different systems and applications across an enterprise, really the only scalable way to do that is with IdaaS. We just don’t have that signalized perimeter anymore that you can script some sort of system, in a data centre.
I think that’s it for this podcast, thank you so much for your time Brian, I hope you had fun.
Thank you for having me on and I look forward to talking to you soon.