This is your host Abhinav Bhartya and welcome to our Let's Talk. Today we have with us Gyal Homsky, CTO and co-founder of PlainID. It's great to have you on the show.
Hi, nice to meet you. Nice to be here. Thank you for inviting me.
Since this is the first time I'm talking to somebody from PlainID and you also happen to be a co-founder. So I would love to know a bit about the history, the story of the company. When did you create the company and what is the specific problem in this space that you wanted to address because when we look at the security space, it's kind of a solved problem but security is not a product, it's a process. So talk about it.
Yeah, absolutely. Thank you. So I founded the company with my co-founder, Oren, and we both come from both cybersecurity and specifically identity and access management space. We decided to start with PlainID because we identified a gap in the identity and access management market. So generally speaking, if you look at this market, it speaks about or it manages the identity itself, the users, the user authentication, and then also the user authorization. However, authorization was the least handled area. There was a very big, still there is a very big gap in that space. Many organizations are required to develop their own solutions to find some way to handle authorizations and authorization is eventually what leads the business because it enables users to access resources. It's a representation of the business logic that you want to convey within your technology space. So we decided to focus on that area. We decided to found PlainID and provide the best solution for authorization management and control, which is what we are doing today.
I want to also quickly talk about the evolution of security space from traditional IT world to the modern cloud-centric cloud that you were because the rules have also changed. Security is no longer silo. Developers have more access.
I mean, we can talk about DevOps, DevSecOps, SREs, Platform Engine, all the personas there. But I do want to talk about how this evolution has kind of changed because we are giving access to people who may or may not need, you know, everybody has access. So talk about it from that perspective. And of course, we can bring in the whole concept of why zero trust concept came into the picture. So I just want to understand the evolution of security from your perspective.
Absolutely. And this is a very, very relevant question because we see the rise of identity security. So if we look backwards, identity wasn't a core component of the security overall solutions. The organizations were relying a lot on perimeter security. So, you know, firewalls, antiviruses and so on. They were the focus point of many organizations in the past. But as the technology expanded, organizations have started using more of cloud services, expanded their perimeter outside of the traditional organization space, the importance of identity has grown. Identity security is now top priority for many security leaders. Why is that? And the reason is because identity is the last perimeter to protect your most important assets. Identity is what gains access to information, to resources within the organization and therefore the identity itself and the identity journey should be secured, should be protected. That is the core aspect of identity security. It ties very directly into zero trust and identity-first security and maybe some other marketing term that needs to join this, you know, this party but eventually they all speak about the same. Identity is what you should verify, continue to verify throughout the journey all the way from when the identity opens whatever device is using and tries to access the most important assets of the organization, tries to operate within the organizational technology space.
That is identity focused security: understanding that journey, securing that journey, providing solutions that can actually address the risks that are part of that identity journey. Does that make sense?
It does make sense and it also kind of leads to another question which is that if organizations have very good posture when it comes to identity management or access control authorization, does that enable their developers to work in a more efficient way because that instead of building gates blocking them you are building kind of guardrails so it allows them the flexibility to do the innovative things that they can do without restricting them. So can you talk about sometimes when people look at it they look at it more of a restriction but we can also look at actually enabling developers to do a lot of things more freely. How do you look at that?
Yeah, absolutely. I think it's very, very important to understand that as well. If in the past we saw developers preferring to build everything by their own, authorization is considered part of the business logic of the applications. Today we see there is a change. Developers are even looking for externalized solution to externalize that logic. I mean, when you build something it needs to focus on the business functionality. Authorization is supporting that business functionality the same as authentication. You wouldn't go and build an authentication solution, right? That's already there, very mature in the market. The same goes for authorization and it's very tied to the change in technology. If in the past the technology was mostly big monoliths, today we see more usage of microservices. The design pattern is more fragmented and therefore it calls for centralizing the authorization management and control. So you would get consistency in decision, in enforcement and obviously in management as well.
How much awareness is there among organizations? Because when there's organizations they're different sizes, they're different age.
Some are like new, some are old, some have CSOs, some have the whole security teams, some are smaller teams. How much awareness is there where they do see the benefit of these practices or you feel that we need to do a lot of things to educate them so that they know these practices, the benefit of these practices.
There's certainly an improvement in the market. Organizations today are much, much more aware. The difference between just managing the identity, handling the authentication process and authorization. I wouldn't say it's fully mature yet. I think there's still a way to go in regards to educating the market. What authorization is, how authorization can support your business initiative and what's the best practices to actually implement authorization in the best way? There are also multiple methods in the market, multiple solutions, but for sure there is much, much better understanding than there was a few years ago. You can also see a lot of open sources in this space and that for me it shows that this area is maturing towards being a commodity, the same as authentication, by the way, but there's still a way to go. It's not yet there.
Sometimes when we look at security and open source, we don't see them coming very close together because most of the security companies are mostly proprietary, but at the same time now, almost, I mean, I will not give a number, but like 80 to 90% code base that we use is open source. Companies may realize it or not realize it and when you use open source, you have to deal with the whole software supply chain. I mean, they're just like cars assembly. So it really becomes very, very important to have a very good security posture. So let's just talk about, since we are talking about the evolution, that how open source is kind of also enabling affecting security and let's talk about what does open source mean for PlainID as well.
Developers prefer open source. I think we can agree to that, right?
And also open source once adopted, they build a community and there's a lot of traction around that. And that is relevant also for authorization because authorization is much more tied and influences developers and what developers do. Therefore, there is a place for open source as part of the authorization space and there are some leading standards, for example, OPA and Cedar and so on. There are several open sources within that space. PlainID works with them, PlainID supports them because we understand the significance of open sources in the space. However, we also understand the disadvantage of open source which is management and visibility. Authorization eventually is about how you manage the business logic within your technology space and therefore we need to handle both the management, the visibility, the governance of authorization decisions in addition to how they are consumed. And that's what PlainID brings to the table, the combination of both, supporting both the organizational requirements in regards to management, governance and visibility and the usability of authorization, whether it's open source or other development related tools.
Let's break access control down a bit. The different practices can be there, policy-based access control, role-based access control. Is there any right or wrong practice because we are not just talking about data center on premise, we are talking about cloud and we are not just scripting cloud, we are talking about multi-cloud and we are not talking just multi-cloud, we are also talking about Edge which is not those tiny IoT devices we are talking about which is kind of data center near user. So the whole landscape is much more wider and complex than the old days of just one system, one system and dealing with all the security policies there.
I think you would find that those are all an evolution rather than a replacement of methods. What do I mean by that?
As any space, as any technology, there needs to go through some process in order to get to what's the best way to do stuff. And when we talk about authorization, the level of complexity is very, very high. We need to consider that for authorization there is how you manage authorization and then how you enforce and control. So those methods which you mentioned are primarily around management. So how would you manage authorizations in an application or a technology space, access control list, role-based access control, attribute-based access control or policy-based access control? Eventually, I see them as evolution of one another. Policy-based access control today is considered the most advanced way because it kind of overlays all those methods with a business layer. It represents the business logic. It enables the usage of attributes, roles or whatever is needed in order to provide the right authorization decision. It enables organization to optimize the way authorizations are managed because it takes under consideration multiple factors, not just who the identity is, but also what the identity is trying to access. And additionally, when the context of access, right? Which is very important going back to our first topic, zero trust and identity-first security. So today, policy-based access control is considered the advanced way, efficient way to manage authorization policies and it supports multiple enforcement options as well, not limited just to one.
What are the kind of popular practices which are there and do you see that they are enough? As you are like pointing out that we need a mix of these?
I think we will need a mix of this because the technology is so expanded. I mean, just consider the way which you would want to enforce access within a database repository and how you would want to do that for an application or APIs or microservices. There isn't just one answer for all, right?
It needs to be, the solution needs to consider the underlying technology which it supports. That's why, again, I'm coming back to policy-based access control. Within policy-based access control, you can actually define a statement. For example, account managers can access accounts within the region and then translate that into the relevant enforcement for data which leads to data filtering according to location, APIs which leads to possibly a permit deny based on what the API is providing, application level access which leads to a set of specific functionality within the application. But that's the advantage of the policy. The ability to consolidate the management of all those different variations of authorizations. So I see, by the way, I see more and more technologies moving towards policy-based, understanding the advantages of policy-based, embracing that, which is a good indication from my perspective, still a bit of a way to go though.
How do you see Generative AI from the perspective of Generative AI for security? Of course, we can talk about it, but security is a big field. Or security for Generative AI workloads?
That's a very big question. And I think there are two aspects here, right? First of all, we know the risks associated with the Generative AI. We know it poses a high risk. And I saw a discussion around how do you enforce controls on that? Like the results should come from trustworthy sources rather than generating, and there's nothing there today, right? Nothing limits the responses for that. So for sure, organizations, and by the way, vendors that are adopting those type of technologies should consider how to place controls. Authorization comes very well into that play because the dynamic variation of controls they can provide into the feed to that type of solution. Additionally, I would say authorization by itself can make use of Generative AI by suggesting to the customers possible policies, right?
This is something PlainID is for sure testing with, and hopefully next year, we'll have some good news in that area as well.
Today's modern cloud native world is already very complicated. If you look at just Kubernetes, and those technologies were not meant to be easier. We are talking about technology that Google was using internally. When we throw security also in the mix suddenly, and we are also talking about shift-left movement, we are moving a lot of things in developers' pipeline. Developers should have all the time available to focus on writing that business application that adds value to that business. Just security and all those things are important. So when we look at this complexity, how are you folks, PlainID, making it easier so that the teams, organizations don't have to compromise with security. They don't have to take time away from developers, and yet they still have very good security posture.
PlainID has embraced the notion of central management and distributed enforcement in order to support that. We understand the different technology requirements and needs, and that they are not the same between the different teams. Therefore, distributed enforcement, you can choose how to control authorizations, the way which fits the underlying technology that you want, whether it's Kubernetes, microservices, APIs, data applications, and so on. However, the business requirement is to consolidate the management to have that single visibility, kind of single pane of control, and therefore that's the central management that we provide. That's the essence, eventually, of our authorization platform, central management with distributed enforcement capabilities to be able to accommodate exactly that, exactly what you say.
What does your offering look like? Is it software that people can download? Is it SaaS? Just talk about your solutions.
So our solution is a SaaS-based solution. It's an authorization platform that you consume as a service.
We also, of course, have a hybrid notion because in authorization, security and performance are very highly considered aspect. So the enforcement component can be localized based on the customer requirements. But essentially, we try to provide the best solution that would not compromise security, performance, and the usability of our solution. Management in the cloud, fully SaaS service, and enforcement can be chosen to be a hybrid localized component.
Security, as we were discussing earlier, is not an end product. It's a process. Also, security is more or less like cat and mouse game. The good guys have to be right 101% time. The bad guys have to be right only once. What advice do you have for organizations so they can build better security posture with right access control in there? And also, why they should do that?
I would advise organizations to consider their identity security first of all. They need to understand, need to recognize the importance of identity as a core component of the security, overall security posture. And then ask themselves what should be done in order to secure not only our identities, but also the identity journey. Because eventually, that's the core aspects of any security program, securing the identity journey. That's the way to reduce risks and that's the way to strengthen the overall security. Our identities are the gate to all of the risks that are associated with the organization. They have the access. They can see data, they can change stuff. So let's understand that path. Let's understand the risk in that path and let's address that in the right way. And maybe not one solution fits all. That's fine. But map that out and understand the importance of your identity security to your security posture.
It's a bit sensitive because you're based in Israel that a lot of wars are going on right now in the world in the Middle East, of course, in Eastern Europe as well.
There was a point where we were also worried about the cyber warfare. What are you seeing, what is happening right now? And also, how once again, organizations like PlainID are helping protect some critical industries, companies, organizations to be operational even during this time of conflict.
Not sure it relates directly to the conflict, but our customers, organization that have chosen to use PlainID are implementing dynamic and fine-grained controls for their most important applications and data assets, which basically means that what users can do change based on context, whether the user is working from the US, from Europe or from Israel, whether they are operating at one point of time or at another point of time. Providing those capabilities to your underlying technology, fine tuning access based on context, not static decisions, that is what enables you to strengthen your overall security posture. So I would say that our customers are benefiting from higher level of overall security just because of that.
Well, thank you so much for taking time out today and talking about the company, the whole evolving landscape in terms of access management. Thanks for all those great insights and I would love to have you folks back on the show.
Thank you.