Hi, Jeff Frick here with theCUBE. We are having a CUBE conversation in Palo Alto, California today, talking about security and mobile and really, I guess, a lot of security. So we're excited to have Tom Kemp, co-founder and CEO of Centrify, stop by and give us a quick update. So Tom, welcome.
Yeah, great to be here, Jeff.
Super. So before we get started, I wanted to give everyone just kind of a quick update on Centrify if they're not familiar with the company.
Yeah, sure. So we're a security company and specifically we're focused on addressing the problems with passwords that people have. People have too many passwords. They're right, they're passwords. Or if they have a lot of passwords, oftentimes they have too much privilege associated with those passwords as well. So we're specifically a company that does identity and access management and we give users one single sign-on and give IT a single way to control who can access what across data center, cloud and mobile.
Okay, so single sign-on's been around for a long time. It's been in Nirvana. I remember selling single sign-on 15 years ago. This was the great thing. Obviously, so you've pretty much enterprise focused on your single sign-on and is it at kind of the enterprise access layer or do you go beyond that?
Yeah, yes, and we go beyond that. And so what's happened over the last few years is the world's become more de-perimeterized, right? And so the fundamental question is, is that how can you secure this new world where increasingly people are leveraging mobile devices at Starbucks talking to SaaS applications? So the old world of single sign-on was focusing on-premise with SAP, doing a lot of screen scraping, shoving passwords in, but now the world is that end users are on the go. They're increasingly using mobile devices. They're talking to SaaS applications, but they also need to talk back to on-premise apps as well.
So the problem is just huge in terms of you need to have the ability to talk to hundreds, if not thousands of SaaS applications to have a viable solution. You need to have a real strong mobile story to ensure seamless anywhere any device access. And you also need to tie in to legacy infrastructure as well because people still need to access that. So the problem is just significantly more complex and you need to address that, but then there's also other things you need to address as well.
Right, and you guys have been at this for a while. Founded in 2004, congratulations. Just had a recent funding round, 42 million. That's a nice pop for the bank. But you've really seen the situation change, right? 2004 was really about perimeter security, I imagine. Much more about basically you just guard the door and they either get in or get out and once they're in, they're in. But now with the mobile devices, bring your own device. And as you said, not only do you have SaaS applications, but you have blended use, right? I may have Dropbox for my personal use to share pictures and then maybe I'm using Dropbox to share within the company or I just had an application the other day where we were sharing logos with a different company. So much more complexity.
Oh, absolutely. And so the thing is is that, yeah, before it was always about securing the perimeter and oftentimes what happened, it was kind of crunchy on the outside but chewy on the inside, but that perimeter has completely disappeared. And so what can you protect? And so we are increasingly seeing that it's the user, it's their identity is the most important thing. So we oftentimes say identity is the new perimeter. And it's not only about giving a user a single username and password, but it's also providing additional step up level of security to ensure it's really them.
And that's where you can tie in the mobile device and use biometrics or as well as additional factors to say, yes, it's me trying to access Salesforce, but based on the fact that I have this mobile device and I push my thumb against the device at the same time allows me to get in. So that's one aspect. The other thing is is that with this whole de-perimeterization that what we're also finding is another set of problems besides end users having too many usernames and passwords is the fact that certain users within the organization have too much privilege. And now we're seeing a lot of these hacks are going after the users with their identity but they're specifically targeting the people that have access and the keys to the kingdom, to the servers and the applications, et cetera. So the problem has gotten more complex than that and users have too many passwords and there's too many passwords out there by IT people have too much privilege.
Now, wasn't that kind of accounted for before in the concept of roles, right? So if you had a role, you had a particular type of a role then that's how your access was granted. So you're saying that's no longer adequate or this is a different derivation of that?
See, the issue is with the whole consumerization of IT that IT has no clue what applications are being used, et cetera. So you can say, oh yes, Jeff has this role, right? But you mentioned Dropbox, there's Box. The marketing department decides to spin up Marketo or Google Analytics. And so IT, it's much more difficult to centrally control roles and rights when you have a de-perimeterized world and most computing is now being done on mobile devices as well. So you still need it but the problem is just much more complex as well. And you need to layer on additional levels of security such as multi-factor authentication, you need provisioning, you need this privilege management as well.
So it's become a much huger problem and traditional ways of doing security, firewalls, intrusion detection, intrusion prevention are becoming less and less applicable in a cloud and mobile world because we don't walk around carrying a firewall when we're at Starbucks, right?
So would you say then it's really a term that gets thrown around a lot in theCUBE about perimeter-less security? That's really the era that we are.
Yes, and so exactly, it's that era and so the focus is now more on the user and protecting the user, protecting their identity and using their device as another means to validate it's really them. It's really Tom Kemp as opposed to someone in China that stole my username and password.
Right, right. That's interesting, we did a thing with Dell and they were talking about some intelligent devices or even if you got the device and the password based on the pressure and other kind of much granular levels of detail they could figure out whether it's really me or not just in the way that I interact with my own phone.
Yeah, at Mobile World Congress we actually showed the integration with the Apple Touch ID and the similar touch technology that Samsung has in their device as well. So to access an application, yes, you may type a password but then you must also have the device, maybe type a PIN and then put your thumb to send the PIN across as well. So that's actually three forms of authentication there as well and that may be what people want because again, if someone were to steal a password to your Salesforce or your Office 365 or your Box some serious damage could happen.
Right, so there's a lot of different paths we could go down here. One of them is the big data path and one of the big issues with big data or the opportunities that big data opens up is now you can not only work with the data that you control from the systems you control but you can also pull in external data.
Are you using those types of sources and information to help with the authentication?
Yeah, I mean the thing with Centrify is I know there's a lot of startup companies that are focusing on cloud identity and doing SaaS single sign-on. We do that but we started originally focusing on identity on-premises as well, right? And so we think we're pretty unique in that we can span across not only cloud and mobile but address the data center and provide a holistic view. And what we're seeing is that one of the biggest drivers of people still deploying systems and applications on-premises is big data. There's a greater comfort level to have their big data warehouses, their Hadoop deployments to be on-prem and customers are setting up these clusters with hundreds and thousands of systems, et cetera. They're not necessarily yet putting them in the cloud but now what you have is a situation in which the data is becoming centralized and there's more precious data in one location and it's becoming even more important to granularly control who can access that as well as to audit activity. And that's that privilege management aspect. So recently we announced partnerships with Cloudera, Hortonworks and MapR. We're really one of the first identity management vendors to provide this type of capability for big data deployments.
And so the gist of that partnership is you and you putting your security layer into their system?
Yeah, so we're, look, the big data vendors and if you were to talk to Tom Reilly at Cloudera, John, Sherrod at AppLogs, we, yeah, Sherrod at Hortonworks, if you talk to those guys, they're very proud of the security they do. And so our message is we embrace that and extend it.
We extend it beyond just doing the actual Hadoop infrastructure because people from the outside are trying to get into the Hadoop infrastructure or we also can tie that Hadoop infrastructure to their existing Active Directory so you don't have to have separate accounts, which makes it easier for IT to deploy Hadoop if with our technology providing the integration layer between that and Active Directory, providing the auditing of activity because all the key data is in it. So if you look at the recent hacks, like the recent Anthem hack, I mean there was 80 million records. I mean clearly that's like a big data type scenario and situation and someone got in and was able to do that and you really need identity management, specifically user level activity monitoring to be able to detect that. Because clearly log files were not applicable. So again the focus is shifting from traditional security be it SIEM, antivirus, firewalls to focusing more on user and user level activity.
So talk a little bit about the arms race, right? Because you guys are in the arms race, you've been in the business a long time and it's always that you put up new barriers and the guys work hard and try to find a hole and weasel in and you put up new barriers and they try to weasel in to find a hole. How does that work in the real world of what you guys do every day? How do you plan your products? How are you getting that information to kind of know where the next potential fail point is?
Yeah, so I think the first thing is, is that 10 years ago when we formed the company, we initially focused on the on-premises environment. And then five years ago, we built this multi-tenanted cloud service to address cloud and mobile and so most startups in this arms race have just focusing on cloud. They kind of ignore the on-premises and again, I think especially in the larger organization, it's gonna be a hybrid environment.
So I think we naturally have an unfair advantage in terms of that we can address the totality of enterprises, IT infrastructure, no matter where it's located. So it's leveraging your technology but the other aspect is that we've been focusing very much on leveraging partnerships. We've been leveraging channel partners and so right now, half our sales goes through channel partners and that takes time to build up an effective channel partner. And then we've been also focusing on strategic partners. So at Mobile World Congress just the other week, we announced this partnership with AVG. They're OEMing our identity-as-a-service offering and making that available to their customers. And we also have a great partnership with Samsung where they offer our identity technology as part of their platform towards the business as well.
Can you unpack that a little bit more to Samsung? Because a lot of people obviously know Samsung, a lot of people have their phone. So what exactly does that mean? What is the benefit of that partnership to the person that's got the phone in their hand?
Absolutely, so Samsung is very much focused on the enterprise these days. They see that as a, especially with the problems that BlackBerry's been having, that they want to become one of the leaders vis-a-vis providing a secure mobile platform for the enterprise. And so they invested heavily in this technology called KNOX. So it used to be called SAFE, Samsung for Enterprises, but they also have now added some additional technologies like containerization technology to provide a separation between work and play on the phone, right? But by itself, that's nice.
They also realized they need an ecosystem of mobile management vendors, but they also understand that because the device is so closely tied to the user and that the user is increasingly using that as an access point to access Salesforce, Concur, WebEx, et cetera, that they wanted to make sure that the device itself could be managed, and then from the device that single sign-on could be facilitated with, basically, actually, we call it zero sign-on on a mobile device. You just want to click the icon and just seamlessly access to that and also integrate biometrics.
And that's managed by the corporate IT. They're managing that, so they just give you the device that's loaded.
So we have an OEM relationship in which we provide the Identity Access Management capabilities and some mobile management capabilities for Samsung and their enterprise offerings.
And that's part of that KNOX application suite.
That's part of the KNOX, exactly.
Okay, yeah. So let's do some words 101 here. So we've thrown around some words. I wanted to educate the audience. So we've talked about privilege management, identity management, and mobility management. Okay. What are those exactly?
Okay, so Identity Management is about users, what they can access, controlling the access, et cetera. So it, and, you know, frankly, Identity is not only about the technology, but it's also about the people, the process associated with it as well. So it's about giving the right people access to the right information and providing the means for people to do that. Privilege management builds upon identity management and saying, look, there's a special class of users that have access to key corporate information. And so besides giving them the right people to right access, I want to provide additional levels of control. I want to control exactly what commands they can type, when they can type it, where they can type it.
I also want to audit all their activity, not just like they logged in, but I want to capture every keystroke or every mouse click, et cetera. So that's privilege management.
And what are the apps and access where people apply that extra layer?
Oh, well, it's core infrastructure. It's your servers, it's your routers, et cetera. What we found is that because of the increasing complexity that's happening in IT, one manifestation, which is an identity management, is that users have too many passwords. The other side of the coin is that because of the complexity, IT people are sharing too many accounts. They're sharing the root account, the Oracle account. They're the gods within the organization. They can do anything. And so look at the Sony Pictures hack. They targeted via phishing these advanced persistent threats. They're going after the IT guys, the DBAs, that have the Oracle SYSDBA accounts. They're going after the SysAdmins with the root accounts. They're going after the email administrators. So why hack just regular Joe Blow user? You just get access to that person's email. No big deal. But if you hack the email administrator or the file administrator or the network, the guy with the router, you have access to everything. And probably the best manifestation of that is with Snowden, right? He was a SysAdministrator and clearly accounts were being shared, right? And there's no accountability associated with that as well. And then of course, as more stuff moves through the cloud, then the administrators have unbridled access to stuff on Amazon, Azure, Salesforce, et cetera. So those are the people with the keys to the kingdom where you really want to pay extra special attention to them. Much like if you go into a casino, there's an eye in the sky, right? And the eye in the sky is spending just as much attention on the dealers making sure that they're not doing stuff as opposed to the people actually at the card table as well.
Yeah, it's interesting.
I heard a story about where they targeted some company where somebody had set up like a charity website, kind of on the side is a do good, feel good thing. But it was the same guy that had the keys to the kingdom. So they came through, they feel good, goodness, charity thing. And that was their access point because they figured out it was the same guy.
Yeah, so if they are able to get that guy's password, right, then they can get access to anything. And so if you look at what happened to Sony and the whole list goes on, it's about privileged management. So there's an area of specialization. And then the final thing about mobile management, it's clearly, mobile management has gone beyond basic mobile device management. We provide that. And the reason why we provide that is if mobile is becoming the access point, of course you wanna make sure it's not jailbroken, it's a secure, you can apply policies. But mobile management nowadays also includes mobile application management, the ability to deploy apps. And what we uniquely do is that we can provision a user in Salesforce, but then also deploy Salesforce app to the mobile device at the same time. It also provides containerization technology which we instead of trying to build that ourselves or partnering with Samsung, we partner with Apple because we kind of see that's being part of the core OS. So that's what mobility management is as well. And of course I think there's increasingly people realize that there is more of an identity component to mobile management because of the tie-in with the user and their device.
Okay, so I wanna ask you a question about cloud and security, not specifically to your product, but more generally, which is more secure? A public cloud or your own cloud? And the reason I ask, 'cause I think it's interesting when we hear about all these hacks that are oftentimes accessed through an internal employee where if you've got a public cloud it's an Amazon or Azure or whatever.
In theory, there's not as many disgruntled employees at my shop that have access to that data. Are public cloud secure? Are they more secure? Is it just a different type of security? What do you think?
I think in general that I think increasingly public clouds are gonna be more secure just because there's that that's their business. There's just one, like there's only one, say Office 365 or Salesforce. They have a complete army of people making sure that it's completely secure, et cetera. They're getting third-party testing validation. I mean, for our public cloud that provides this identity-as-a-service, I mean, we've got Safe Harbor, you know, SAS, you know, got all the certification. We have a team of people right there. And I highly doubt that the similar levels of certification are being done by large corporations for their private cloud as well. And frankly, yeah, so I think increasingly just because the bar is so high and, you know, we haven't heard of a major hack of a Salesforce or Office 365, et cetera, but we're hearing more about the hacks of the Anthems, the Sony Pictures, et cetera. I think that better practices are being utilized with a lot of the public cloud. Not to say that there probably wouldn't be a major breach that eventually occurs, you know, with one of the big providers, et cetera, but the bar is higher for those guys and it's hard for 2,000 global enterprises to have that same level of bar that a Salesforce puts in place with their cloud.
Yeah, interesting. All right, so we're almost at the end of our time here. I know RSA is coming up, your big show. So what's going on at RSA? What are you excited about? And then, you know, kind of what's on the agenda now for the next 12 months?
Yeah, so we're doing, so we're actually going to come out with a new product line at RSA and it provides additional levels of identity capabilities based on our cloud platform.
So we've really built our cloud platform to actually be a platform where we can have, not only provide single sign-on, provisioning, multi-factor authentication, but there's the ability for us to further extend it and we're going to be coming out with a new suite of products based on that.
So it's going to be more cloud stuff that we're cloud-based architecture and delivery.
So basically, all our new stuff is going to be based on the cloud and in addition, you know, further tying the mobile management capability. So we're going to have a big splash there and we're really excited about, you know, what's happening at RSA.
Awesome, gotta put all that money to work that you got last year.
Absolutely.
All right, Tom, thanks for stopping by. I'm Jeff Frick. We're having a CUBE conversation at Palo Alto, the heart of Silicon Valley. Thanks for watching. Join here with Tom Kemp, co-founder and CEO of Centrify. I'm Jeff Frick. You're watching theCUBE. We'll see you next time.