Live from New York City, it's theCUBE. Covering CyberConnect 2017. Brought to you by Centrify and the Institute for Critical Infrastructure Technologies.
Hey, welcome back, everyone. Live here in New York, just theCUBE's exclusive coverage of Centrify's CyberConnect 2017 presented by Centrify. It's an industry event that Centrify is underwriting that's really not a Centrify event. It's really where industry and government are coming together to talk about best practices of architecture, how to solve the biggest crisis of our generation in the computer industry. And that is security. I'm John Furrier with my co-host, Dave Vellante. Next guest, David McNeely, who's the vice president of product strategy with Centrify. Welcome to theCUBE.
Great, thank you for having me.
Thanks for coming on. I'm really impressed by Centrify's approach here. You're underwriting the event, but it's not a Centrify commercial. This is about the core issues of community coming together, the culture of tech. You run the product. That's some great props from the general on stage. You guys are foundational. What does that mean when he said that Centrify could be a foundational element for solving this problem?
Well, I think a lot of it has to do with, if you look at the problems that people are facing, it's the breaches are misusing computers in order to use your account. And if your account is authorized to go gain access to a particular resource, whether that be servers or databases, somehow the software and the systems that we put in place and even some of the policies need to be retrofitted in order to go back and make sure that it really is a human that's gaining access to things and not malware running around the network with a compromised credential. So we've been spending a lot more time trying to help customers eliminate the use of passwords, try to move to stronger authentication.
Most of the regulations now start talking about strong authentication, but then what does that really mean? Because it can't just be a one-time passcode delivered to your phone. They've figured out ways to break into that.
Certificates have been hacked and data just came out. It's our story that's, even before Stuxnet's certificate authorities are being compromised even before the big worm hit and that kind of, he closely had a bomb of malware. But this is a new trend that we're seeing is that the independent credentials of a user is being authentically compromised with the Equifax, all these breaches were all personal information out there. This is a growth area for the hacks where people are actually getting compromised emails and sending them. So, how do you know it's not a fake account if you think it's your friend?
Exactly.
That's the growth area, right?
And the biggest problem is trying to make sure that if you do allow somebody to use like my device here to gain access to my mail account, how do we make it stronger? How do we make sure that it really is David that's logged on to the account? If you think about it, my laptop, my iPad, my phone, all authenticates and access the same email account. And if that's only protected with a password, then how good is that? How hard is it to break passwords? You know, so we're starting to challenge a lot of base assumptions about different ways to do security because if you look at some of the tools that the hackers have, their tooling's getting better all the time. So, go ahead, sorry.
Finish your talk.
I'm just going to say that, you know, their hashcat can break, you know, passwords like millions and millions a second. So, it's kind of-
You're hacked basically out there.
When you talk about eliminating passwords, are you talking about doing things other than just passwords or do you mean eliminating passwords?
I mean eliminating passwords.
So, how does that work?
So, the way that works is you have to have a stronger vetting process around who the person is. And this is actually going to be a challenge as people start looking at, okay, how do you vet a person? We ask them a whole bunch of questions. Mother's maiden name, where you lived, other stuff. All this data that Equifax has. We ask you all that information to find out, is it really you? But really the best way to do it now is going to be to go back to government issued IDs because they have a vetting process or they're establishing an identity for you. You've got a driver's license, we all have social security numbers, maybe a passport. That kind of information is really the only way to start making sure it really is me. This is where you start and then the next place is assigning a stronger credential. So, there's a way to get a strong credential onto your mobile device. That the issuance process itself generates the first, the key pair inside the device in a protected place that can't be compromised because it's part of the hardware, part of the chip, the processor that runs the phone. And that starts acting as strong as, I would say a smart card. In the government they call it derived credentials. But it's kind of new technology. I mean, NIST has had described documentation on how to make that work for quite some time, but actually implementing it and delivering it as a solution that can be used for authentication to other things is what's kind of new here.
A big theme of your talk tomorrow is on designing this in. So with all this infrastructure out there, I presume you can't just bolt this stuff on and spread it, you know, peanut butter, spread it across.
Exactly, right.
So how do we, how do we solve that problem? It's just going to take time.
Well, that's actually.
New infrastructure modernization.
So Dr. Ron Ross is going to be joining me tomorrow and he's from the NIST and we'll be talking with him about some of the security frameworks that they've created.
So there's a cyber security framework. There's also other guidance that they've created, the NIST 800-160, that describe how to start building security in from the very start. So we actually have to back all the way up to the app developer and the operating system developers and get them to design security into the applications and also into the operating systems in such a way that you can trust the OS. Application that's sitting on top of an untrusted operating system is not that very good. So, you know, the applications have to be sitting on top of trusted operating systems. And then we'll probably get into a little bit of the newer technology. I'm starting to find a lot of our customers that move to cloud-based infrastructures, starting to move their applications into containers where there's a container around the application and it actually is not bound as heavily to the OS so that I could deploy as many of these app containers as I want and start scaling those out.
So separate the workload from some of the infrastructure. You're kind of seeing that trend.
Exactly. And that changes a whole lot of the way we look at security. So now your security boundary is not the machine or the computer, it's now the application container.
So you run the product strategies. You like to have the keys to the kingdom of Centrify, but also we heard today that it's a moving train this business. It's not like you can lock into some of the eight calls with the silver bullet, it's hard to get the silver bullet in security. How do you balance the speed of the game of the product strategy? And how do you guys deal with bringing a customer solution to the market that has an architectural scalability to it, right? So, because that's the challenge. I'm a slow enterprise, but I want to implement a product. I don't want to be obsolete by the time I roll it out. I need to have a scalable solution that can give me the headroom and flexibility. So you're bringing a lot to the table.
Explain what's going on in that dynamic.
Yeah, there's a lot of, I mean, I try as much as possible to adhere to standards where they exist and push and promote those. Like, you know, on the authentication side of things. For the longest time, we used LDAP and Kerberos to authenticate computers to Active Directory. Now, almost all the web app developers are using SAML or OpenID Connect or OAuth2 as a mechanism for authenticating the applications. And just keeping up with standards like that is one of the best ways. That way, the technology and tools that we deliver just have APIs that the app developers can go back and use and take advantage of.
So I wanted to follow up on that because I was going to ask you, isn't there a sort of an organizational friction in that you've got companies, if you've got to go back to the developers and the guys who are writing code around the OS, there's an incentive from up top to go for fast profits, right? Get to market as soon as you can. But if I understand what you just said, if you're able to use open source standards or things like OAuth, that maybe could accelerate your time to market. But help me square that circle. Is there an inherent conflict between the desire to get short-term profits versus designing in good security?
Well, it does take a little bit of time to design and build, deliver products. But as we've moved to cloud-based infrastructure, we're able to more rapidly deploy and release features. So part of having a cloud service, we update that every month. So every 30 days, we've got a new version of that rolling out. It's got new capabilities in it. Part of adopting agile delivery models. But everything that we deliver also has an API. So when we go back and talk to the customers and the developer at the customer organizations, we have a rich set of APIs that the cloud service exposes.
If they uncover a use case or a situation that requires something new or different that we don't have, then that's when I go back to the product managers, engineering teams, and talk about adding that new capability into the cloud service, which we can expect the monthly cadence helps me deliver that more rapidly to market.
So as you look at the bell curve in the client base, how does it, what's the shape of those that are kind of on the cutting edge and doing them by definition? I shouldn't use the term cutting edge on the path to designing in as you would prescribe. What's it look like? Is it 20/80, 1/99?
That's going to be hard to put a number on. We do have a, you know, most of the customers are covering the basics, you know, with respect to consolidating identities, moving to stronger authentication. I'm finding one of the areas that the more mature companies have adopted is just-in-time notion where by default, nobody has any rights to gain access to either systems or applications and moving it to a workflow request access model. So that's the one that's a little bit newer that I would say fewer of my customers are using, but most everybody wants to adopt because if you think about some of the attacks that have taken place, if I can get a piece of email to you and you think it's me and then you open up the attachment, at that point you're now infected and the malware that's on your machine has the ability to use your account to start moving around and authenticating the things that you're authorized to get to. So if I could send that piece of email and accomplish that, I might target like a system administrators or database admins and go try to use their account because it's already authorized to go log on to the database servers, which is what I'm trying to get to.
Now if we could flip it and say, well, yeah, there's a database admin, but if he doesn't have permissions to go log on to anything right now and he has to make a request, then the malware can't make the request and can't get the approval of the manager in order to go gain access to the database.
Now again, I want to explore organizational friction. Does that slow down sort of the organization's ability to conduct business and will it be pushed back from the user base or can you make that transparent?
It does slow things down. I mean, we're talking about a process.
So it's a choice that organizations have to make. Do you care about the long-term health of your company, your brand, your revenues or do you want to go for the short-term problem?
And that is one of the biggest challenges is just, we describe it in the software world as technical debt, some IT organizations may as well. It's just the way things happen and the processes by which people adhere to things. We find all too often that people will use a password vault for example and go check out the administrator password or their dash A account that's authorized to log on any Windows computer in the entire network as an admin. And if they check it out and they get to use it all day long, it's like, okay, where did you put it? Did you put it in clipboard? Malware knows how to get to your clipboard. Did you put it in a notepad document stored on your desktop? Guess what, malware knows how to get to that. So now we've got a system by which people checked out a password and malware can get to that password and use it for the whole day. Okay, so maybe at the end of the day the password vault can rotate the password so that it's not long lived, but see the process is what's wrong there where we allow the humans to continue to do things in a bad way just because it's easy.
The human error is a huge part and the mad administrators have their own identity systems have a big problem.
We're here with David McNeely, he's the vice president of product strategy for Centrify. I got to get your take on Jim Routh, the chief security officer for Aetna, on stage.
Oh yes.
Great presentation.
Awesome.
He's really talking about the cutting edge, things that he's doing, unconventional, he says, but it's the only way for him to attack the problem. He did do a shout out for Centrify. So congratulations on that, but he was getting at a whole new way to reimagine security and he brought up civilizations crumble when you lose trust. It's a huge issue. So how are you guys seeing that help you guys solve problems with your customers? I mean, is Aetna a telltale sign for which direction to go?
Absolutely, I mean, if you think about the problem we just described earlier where the sysadmin now needs to make a workflow style request to gain access to a machine. The problem is that takes time and it involves humans and process change. It'd be a whole lot nicer and we've already been delivering solutions that do this machine-learning-based, behavior-based access controls, right? And we tied it into our multi-factor authentication system. But the whole idea was to try to get the computers to make a decision based on behavior. Is it really David at the keyboard trying to gain access to a target application or a server? And the machine can learn by patterns and looking at my historical access to go determine, does that look and smell and feel like David?
So machine learning for example.
And that's a huge part of it, right? Cause if we can get the computers to make these decisions automatically then we eliminate so much time that's being chewed up by humans and putting things into a queue and then waiting for somebody to investigate.
What's the impact of machine learning on security in your opinion? Is it massive in the sense of, no it's going to be significant but what areas is it attacking?
Speed of the solution, the amount of data it can go through, unique domain expertise to the applications. Where is the aha moment for the machine learning value proposition?
Well it's really going to help us enormously on making more intelligent decisions. If you think about access control systems they all make a decision based on did you supply the correct user ID and password or credential? And do you have access to whatever that resource is? But we only looked at two things, the authentication and an access policy. And these behavior-based systems they look at a lot of other things, right? He mentioned 60 different attributes that they're looking at. And all of these attributes we're looking at where's David's iPad? What's the location of my laptop which should be in the room upstairs? My phone is nearby. And making sure that somebody's not trying to use my account from California because there's no way I could get from here to California at a rapid pace.
A final question for you while we've got one couple seconds left here. What is the value proposition for Centrify if you had to bottom-line the product strategy in a nutshell?
What? Kind of a tough one there.
Identity, I mean stop the breach is the tagline but is it the identity, is it the tech, is it the...
Identity and access control. At the end of the day we're trying to provide identity and access controls around how a user accesses an application, how we access servers, privileged accounts, how you would access your mobile device and your mobile device accesses applications. Basically if you think about what defines an organization, identity, the humans that work at an organization and your rights to go gain access to applications is what links everything together because as you start adopting cloud services as we've adopted mobile devices there's no perimeter anymore really for the company. And identity makes up the definition and the boundary of the organization.
All right, Dave McNeely, Vice President of Product Strategy at Centrify. More live coverage here in New York City from theCUBE at CyberConnect 2017 inaugural event. Cube coverage continues after this short break.