Live from New York City, it's theCUBE. Covering CyberConnect 2017, brought to you by Centrify and the Institute for Critical Infrastructure Technology. Okay, welcome back everyone. This is theCUBE's live coverage in New York City, exclusively at CyberConnect 2017. It's an inaugural event presented by Centrify. It's not a Centrify event. Centrify, one of the fastest growing security startups in Silicon Valley and around the world, is underwriting this great event, bringing industry, government, and practitioners together to add value on top of the great security conversations. I'm John Furrier, your host, with Dave Vellante, my co-host. Our next guest is Bill Mann, who's the Chief Product Officer with Centrify. Welcome back to theCUBE, great to see you. Hey, good to be here. Thanks, and congratulations for you guys doing what I think is a great community thing, underwriting an event, not just trying to take the event and make it about Centrify. It's really an organically driven event with the team of customers you have and industry consultants and practitioners. Really, really great job, congratulations. Thank you. All right, so now let's get down to the meat of the conversation here at the show and in the hallways, as in General Alexander's conversation, talking about his experience at the NSA and the Cyber Command Center. Really kind of teasing out the future of what cyber will be like for an enterprise, whether it's a slow moving enterprise or a fast moving bank or whatever; the realities are, this is the biggest complexity and challenge of our generation. Identity is at the heart of it; you guys were called the foundational element of a new solution that has people coming together in a community model, sharing data, talking to each other. Why did he call you guys foundational?
I think he's calling us foundational because I think he's realizing that having strong identity in an environment is kind of the key to getting yourself in a better state of mind and a better security posture. If we look at the foundational principles of identity, it's really about making sure you know who the people are within your organization by doing identity assurance. So that's a foundational principle. The principle of giving people the least amount of access within an organization, that's a foundational principle. The principle of understanding what people did and then using that information and then adjusting policy, that's a foundational principle. I think that's the fundamental reason why he talks about it as a foundational principle. And let's face it, most organizations are now connected to the cloud. They've got mobile users, they've got outsourced IT, so something's got to change, right? I mean, the way we've been running security up until now, if it was that great, we wouldn't have had all the threats, right? So- And all kinds of silver bullets have been rolling out. Dave and I were commenting, and Dave made a point in our intro today, that there's no silver bullet in security. There's a lot of opportunities to solve problems, but there's no, you can't buy one product. Now identity is a foundational element. Another interesting thing I want to get your reaction to was on stage was Jim from AT&T, he's the chief security officer, and he was kind of making fun of himself by saying, I'm not a big computer scientist, I was a history major, and he made a comment about his observation that when civilizations crumble, it's because trust is lost. And kind of inferring that you can almost connect the dots that trust is fundamental and that email security and most of the solutions are really killing the trust model rather than enhancing it and making it more secure. So a holistic view of trust, stability, and enhancement can work in security.
What are your, what's your reaction to that? So, so it's a complicated area. Trust is complicated. Let me just kind of like baseline that for a moment. I think that we unfortunately need to have better trust, but the way we're approaching trust at the moment is the wrong way. So let me give you a simple example. You know, when we go, when we're at home and we're sleeping in our, in our homes and the doors and windows are closed, we inherently trust the security of our environment because the doors and windows are closed. But in reality, the doors and windows can be really easily opened, right? So we shouldn't be trusting that environment at all, but we do. So what we need to instead do is get to a place where we trust the known things in our environment very, very well and understand what are the unknown things in our environment. So the known things in our environment can be people, right? The identity of people. It can be objects, like knowing that this is really Bill's phone. It's a registered phone and it's got a device ID. It's better than having any phone being used for access. So like I said, trust, it's complicated. But we don't know if it has malware on there though. You could have malware. You could have malware on there. But look, then you've got different levels of trust, right? You've got zero trust when you don't know anything about it. You've got high levels of trust when you know it's got no malware. So known information is critical. Known information is critical, and known information can then be used to make trust decisions. But it's when we make decisions on trust without any information and where we infer that things are trustworthy when they shouldn't be. Like the home example, where you think the doors are closed but it's so easy to break through them. That's when we infer trust. So trust is something that we need to build within the environment with information about all the objects in the environment. And that's where I think we can start building trust.
And that's, I think, how we have to approach the whole conversation about trust. Going back to your example, when you receive an email from somebody, you don't know if it came from that person, right? Yet I'm talking to you. I trust that I'm talking to you, right? So that's where the breakdown happens. And once we have that breakdown, society can break down as well. But going back to your device example. So there are situations today. I mean, you try to log on to your bank from your mobile device and it says, do you want to remember this device? Do you want to trust this device? Is that an example of what you're talking about? And it might hit me in a text with a two-factor. That's an example. That's absolutely an example of trust. So there's a model in security called the zero trust model. And I spoke about it earlier on today. And that model of security, the foundation or principles of that, is understanding who the user is, understanding what endpoint or device they're coming from. And that's exactly what you've described, which is understanding the context of that device, the trustworthiness of the device, the location of that device, the posture of that device. All of those things make that device more trustworthy than knowing nothing about that device. And those are the kind of fundamental constructs of building trust within the organization now. As opposed to what we've got at the moment, where we're implying trust without any information about really trust, right? I mean, most of us use passwords, and most of us use the password "password." So there's no difference between both of you, right? And so how can I trust? I've never done that. I know, but how can we trust each other if we're using data like that to describe ourselves? Or using the data in your LinkedIn profile that could be socially engineered. Exactly. So there's all kinds of ways to crack the password. So you brought up the trust.
So spoofing used to be a common thing, but that's been resolved with some sinkholing, some techniques and other things. But now when you actually have certificates being compromised, accounts compromised, that's where you think you know who that person is. But that's not who it is. So this is a new dynamic, and it was pointed out in one of the sessions that this account, a real compromise of identity, is a huge issue. What do you guys do to solve that problem? Have you solved that problem? We're addressing parts of solving that problem. And the part of the problem that we're trying to solve is increasing the posture of multifactor authentication of that user. So you know with more certainty that this is really who that person is. But the fact of the matter is, like you said earlier on, trying to reduce the risk down to zero is almost impossible. And I think that's what we have to be all clear about in this market. This is not about reducing risk to zero. It's about getting the risk down to something which is acceptable for the type of business you're trying to work on. So implementing MFA is a big part of what Centrify advocates within organizations. Explain MFA real quick. Multi-factor authentication, right? Something that we're all used to when we're doing online banking at the moment. But unfortunately, most enterprises do not implement MFA for all the use cases that they need to be able to implement it for. So I usually describe it as MFA everywhere. And the reason I'd say MFA everywhere: it should be for all users, not a subset of the users. Should be all users, yeah. And it should be for all the accesses, when they're accessing Salesforce.com or Concur. So all the applications, all the servers that they access, all the VPNs that they access, all the times that they request any kind of privileged command, you should re-authenticate them as well at different points in time. So implementing MFA like that can reduce the risk within an organization.
I buy that 100%, but I love that direction. I'd ask you a hard question. Anyone who's an Apple user these days knows how complicated MFA can be. I get this iCloud verification and it sends me a code to my phone, which could be hacked potentially. So you have all these kinds of complexities that could arise depending upon how complicated the apps are. So how should the industry think about simplifying and yet maintaining the security of the MFA? Across workloads, so application one through n. So let me kind of separate the problems out. So we focus on the enterprise use case, and what you're describing is more the consumer use case. But we have the same problem in the enterprise area as well. But at least in the enterprise area, I think that we're going to be able to address the problem sooner in the market. Because you have the identity baseline. One, we have the identity, and there's fewer applications that the enterprise is using. It's not Apple. Right? It's not like endpoints. Well, take Salesforce. That's as much of a pain, right? It's a, but with applications like Salesforce and a lot of the top applications out there, the SaaS applications out there, they already support SAML as a mechanism for eliminating passwords altogether. And a lot of the industry is moving towards using API mechanisms for authentication. Now, your example for the consumer is a little bit more challenging because now you've got to get all these consumer applications to tie in and so forth, right? So that's going to be tougher to do. But we've focused on trying to solve the enterprise problem. And even that has been a struggle in the industry. It's only now that you're seeing standards like SAML and OAuth getting implemented whereby we can make assertions about an identity and an application can then consume that assertion and then move forward.
So even in those situations, if I may build, there's, take the trust to another level, which is there's a trusted third party involved in those situations. It might be Twitter, LinkedIn, Facebook or Google. Might be my bank. It might be RSA in some cases. Do you envision a day where we can eliminate the trusted third party with perhaps blockchain? Oh, I actually do. Yeah, no, I do. I think the trusted third party model that we've got is broken fundamentally because they can break into the bank. That's it. That's the third party trust. But I'm a big fan of blockchain, mainly because it's going to be a trusted nth party, right? So there's any n parties that are vouching for Bill's identity on the blockchain. So, and it's going to be harder to get to all those n miners and convince them that they need to change, or break into them, right? So, yeah, I'm a big fan of the trust model changing. I think that's going to be one of the biggest use cases for blockchain when it comes to trust and the way we kind of think about certificates and browsers and SSL certificates and so forth. I think you're right on the money. And what I would add to that is looking at this conference, CyberConnect. One theme that I see coming out of this is I hear the word reimagining the future here. Reimagining security, reimagining DNS, reimagining. So a lot of the thought leaders that are here are talking about things like, okay, here's what we have today. I'm not saying throwing it away, but it's going to be completely different in the new world. Yeah, and I think the important thing about the past is we've got to learn from the past and we've got to apply some of the lessons to the future. And things are just so different now. With microservices versus monolithic application architectures, security used to be an afterthought before, but you talk to the average developer now, they want to add security in their applications. They realize that, right?
So, and that's going to, I mean, maybe I'm being overly positive, but I think that's going to take us to a better place. I think we're in a time of need. We need you to be overly positive, Earl. No, you're a chief product officer. You have to have a 20 mile stare, and I think, you know, legacy always has been the thing we've heard in the enterprise. But I just saw a quote on Twitter or the internet, and it's probably, it's quotes, so it's probably right. It's motivating, motivating quotes. If you want to create the future, you've got to create a better version of the past. Yes. And they kind of used taxis versus Uber, the obvious advantage of a shift in user behavior. So that's happening in this industry. There's a shift of user experience, user expectations, change in internet infrastructure, you mentioned blockchain, a variety of other things. So we're actually in a time where the better mousetrap actually will work. Yes. If you could come out with a great product that changes the economics and the paradigm or use case of an old legacy. So in a way, by theory, if you believe that, legacy shouldn't be a problem. You know, and I certainly believe that, having a kid who's in middle school at the moment, and the younger generation understands security way more than we ever used to. And you know, this generation, this coming generation, understands the difference between a password and a strong password and mobile being used as a second factor of authentication. So I think that the whole tide will rise here from a security perspective. I firmly believe that. You are an optimist. Well, what about government? What about government? One thing I liked about the talk here from the general was he was pretty straight talk. And one of his points, I'm now generalizing and extrapolating out, is that the HR side of government has to change. In other words, the organizational behavior of how people look at things. But also in the enterprise, we've heard that a lot in our cloud coverage.
Go back eight years and the cloud era hit. Oh, DevOps is great, but I can't get it through because I've got to change the behavior of my existing staff. So the culture of the practitioners has to change. Yes, absolutely. New generation's coming. Oh, absolutely. Absolutely. I was speaking to a customer this morning who I won't mention, and literally they told me that their whole staff has changed, and they had to change their whole staff on this particular project around security because they found that the legacy thinking was there, and they really wanted to move forward at a pace, and they wanted to make changes that their legacy staff just wouldn't let them move forward with. So basically all of their staff had been changed, and it was a memorable quote only because this company is a large organization and it's struggling with adopting new technologies and it was held back. It was not held back because of product or strategy. Or willingness. It was held back by people who were just concerned and wanted to stick to the old way of doing things. And that has to change as well. So I think there are times for change, and I think this is one of those times, where security is one of those times where you've got to push through change. Otherwise, I mean, I also believe that security is a competitive advantage for an organization as well. And if you stick with the past you're not going to be able to compete in the future. Yeah, well, bad user behavior will always trump good security. It was interesting to hear Jim Ruth today talk about unconventional methods. And I was encouraged. He said spoofing, we've got DMARC, look-alike domains. We've got sinkholes, display name deception. We can filter the incoming. And then he talked about compromised accounts and he said, user education. And I went, oh, but there's hope as an optimist. So you've got technologies on the horizon to deal with that even, right?
I mean, I'm also concerned that the pace at which the consumer world is moving forward on security, online banking, and even with Google and so forth, that the new generation will come into the workforce and be just amazed how legacy the environments are, right? Because the new generation is used to using Google Cloud, Google Mail, Google everything, and everything works, it's all integrated already. And if they come into the workplace and that workplace is still using legacy technologies, right? They're not going to be able to hire them. Well, I'll give you an example. When I broke into, when I went to college, I was the first generation computer science major that didn't have to use punch cards. And I was blown away, like, actually, people did that. Like, what? Who the hell would ever do that? And so, you know, I was the younger guy coming up that was like, I was totally looking down. That's ridiculous. Like, I was like, thank God I'm not gonna do that. So, but they loved it because they did it. I mean, I've got a similar story. I was the first generation in the UK. We were the first Mac lab in the UK. Our university had the first large Mac, Apple Macintosh lab. So when I got into the workplace and somebody put a PC in front of me, I was like, hold on, where's the mouse? Where's the windows? I couldn't handle it. So I realized that, right? So I think, you know, we're at that kind of junction at the moment as well. Bill, we've got two minutes left and I want to ask you kind of a question around the comment you just made a minute ago around security as a competitive advantage. This is really interesting. I mean, you really can't say security is a profit center, because you don't sell security products if you're deploying state-of-the-art security practices, but certainly it shouldn't be a cost center.
So, you know, we've seen on our CUBE interviews over the past year, specifically, the trend amongst CISOs and practitioners is, when pressed, they say, kind of again, generalizing the trend, we're unbundling the security department from IT and making it almost a profit center reporting to the board and/or the highest levels. Not like a profit center, but in a way that's the word they use, because if we don't do that, our ability to make a profit is there. So if you put up a competitive strategy, you have to have security, and it's not going to be underneath an IT umbrella. I'm not saying everyone's doing it, but the trend was to highlight that they have to break out security as a direct report as if it was a profit center, because their job is so critical they don't want to be caught in an IT blanket. Do you see that trend, and your comment and reaction to that statement? I see that trend, but I see it from a perspective of transparency. So I think that taking security out of the larger umbrella of IT and giving it its own kind of foundation and own reporting structure, it's all about transparency. And I think that modern organizations understand now the impact a breach can have on a company. It puts you out of business. It puts you out of business, right? You lose customers and so forth. So I think having a security leader at the table to be able to describe what they're doing is giving the transparency for decision makers within the organization. And one of my other comments about it being a competitive advantage, I personally think, let's take the banking arena. It's so easy to move from bank A to bank B. So, and I personally think that people will stay with a certain bank if that bank has more security features and so forth. I mean, savings interest rates are going to be one thing and mortgage rates are going to be one thing. But if all things are even. It's a product feature. It's a product feature.
And I think that, again, the newer generation is looking for features like that because they're so much more aware of the threat landscape. So I think that's one of the reasons why I think it's a competitive advantage. But I agree with you. Having more visibility for an organization is important. You can't make a profit unless the lights are on, the systems are running. If you have a security hack and you're not running, you can't make a profit. So it's technically a profit center. Bill, I believe 100% in the competitive strategy. It certainly is going to be table stakes. It's part of the product and part of the organization's brand. Everything's at stake. Big crisis. Crisis of our generation, cyber security, cyber warfare for the government, for businesses that's about staying in business. This is the Centrify-presented event, underwritten by Centrify, here in New York City. CyberConnect 2017 is theCUBE's exclusive coverage. More after this short break.