During a whistle stop tour of Silicon Valley, your intrepid editor visited Centrify’s Santa Clara HQ, and sat down with the identity management and security firm’s CEO Tom Kemp to mull over a typically broad range of hot button issues and current trends.
Under co-founder and chief exec Kemp’s 14-year leadership, Centrify has become one of the fastest growing security vendors in the industry, turning over US$100m in annual sales, and signing some 5,000 customers – including over 60% of the Fortune 50.
He was also instrumental in raising over US$90 million in Venture Capital financing for Centrify from some of the top Silicon Valley VC firms (Accel, Index, Mayfield, Sigma) and from strategic investors (Samsung, Fortinet, Docomo Capital).
So, let’s dive in right away with Part I
Telecom Times: Looking at the role of AI and machine learning in security firms’ forward-looking strategies, what type of focus in particular is likely to produce a leading edge for any player in this field?
Tom Kemp: Yeah, so it’s interesting that Machine Learning has historically been applied to financial services, processing credit cards, and detecting fraud.
But the same technology hasn’t really been applied to the enterprise from a security perspective. And we think that there’s a great opportunity to apply AI/Machine Learning to the whole authentication process, to really help validate if a user is really who they [say they] are.
And, not only that, but to also provide better usability because there is a great opportunity here that as end–users within an enterprise authentication to systems and applications, you can make it so that you can confirm a lot of things about the individual ahead of time based on their device, the time of day and their behaviour, that you can get to the point of almost potentially eliminating passwords.
I think there’s a great opportunity to leverage Machine Learning in the whole enterprise as it relates to security, specific to authentication.
We’re investing very heavily in doing that to provide, not only improved productivity, but also to deliver conditional access based on the user, the behaviour, the device. Taking all that data, putting it into Machine Learning and then making more intelligent decisions about whether or not the activity is fraudulent, it’s a hacker, or if it’s really the user who they say they are.
Telecom Times: It’s interesting for me to consider security as a growing, even booming business proposition in its own right. In your view, on what will this future growth, or lack thereof, depend? Any specific things come to mind?
Tom Kemp: Yeah, you know you really need to take a look at how the attack vector has
We fundamentally believe that identity is the new attack vector. There needs to be a much more significant focus on securing the user, their credentials, et cetera.
‘It’s about verifying the user and the device, limiting access and privilege.’
At the same time, as we move more and more to a cloud environment, where the perimeter has disappeared, there is really this new concept called Zero Trust Security where it no longer is about securing this dissolving perimeter, but it’s about verifying the user and the device, limiting access and privilege.
At Centrify, we fundamentally believe that Zero Trust can disrupt the broader security market, given the whole move to cloud, and given that the attack surface has really changed towards the user as well. We really think that Zero Trust is going to represent the future of security.
TELECOM TIMES: There are so many influential security experts coming from Russia and that part of the world. Would you say perhaps that there’s – there could even been sort of a national propensity for creating talent in that space that other countries could possibly emulate to some degree?
TOM KEMP: I think that there is a lot of motivation by nation states to attack Western countries. And the motivation is different, based on what the goals are of the nation state. In the case of China, historically the focus has been on Intellectual Property to help their industries get ahead of Western countries.
In the case of Russia, the goals were clearly to diminish our democracies in the West. I would not say that one country has more expertise than the other; I just think that the nation states that are doing the attacks are [aligning] those with their strategic goals and initiatives.
Unfortunately, that means that different segments of our critical infrastructure are being attacked by different countries. In the case of Russia, there is very much a focus on the election system. And that’s why at Centrify we put together this program to secure the vote by providing our technologies to US-based election boards.
But we see other countries going after Intellectual Property such as people who manufacture aircraft, and technology companies – to be able to get in. It’s a wide mix of different attacks coming in, but unfortunately we have to protect ourselves across the board given the different nation states and what they’re doing.
Telecom Times: Could you nominate some near-term goals for Centrify, focusing perhaps on the Australia and New Zealand and Asia-Pacific regions?
Tom Kemp: Yeah, sure. Clearly Asia-Pacific is a big area of focus for us. Today, Centrify sales are about 80 per cent in North America, so there’s a lot of room for growth.
We definitely see ourselves investing more in the Asia-Pacific market. We definitely want to leverage partners in the APAC region to further expand our reach and also provide additional language support.
‘The reality is, with the move to the cloud, the old ways of doing security are no longer applicable. With the old days you had this concept of the perimeter, and if you were on the inside we would grant you some degree of trust.’
So clearly a strategic initiative on the go-to-market [drive] is expanding our breadth internationally, with APAC being a big priority. From a technology perspective, we really want to further evangelise this concept of Zero Trust and implement our vision of it. The reality is, with the move to the cloud, the old ways of doing security are no longer applicable. With the old days you had this concept of the perimeter, and if you were on the inside we would grant you some degree of trust.
But more and more people are on the outside talking to cloud-based applications or trying to come in, and you just can’t have that old approach. And so you need to move to this new approach of never trusting, always verifying.
To implement that you have to have a unified solution that can first verify the user, and preferably that means not only single sign-on, but adding multi-factor authentication; you need to validate the device: Is this a device that was previously used? Does it have the most recent version of the operating system? Is it corporate owned, or a personally owned device?
From there you need to limit access and privilege and what the user can do.
Then, preferably, throughout this whole process, you have Machine Learning that provides the conditional access based on past behaviour, past device usage, et cetera, to provide a more friction-less way to provide access.