DF: Continuing with that thought, if we go buy an app from a packaged app vendor, we try and buy so that it runs on the one of the internal platforms that we use on our internal IT. If it’s a product, we have to make sure it works across platforms, so when we use the internal infrastructure to build or test our products, we have to test it on every stack that the customer might have. It’s a funny decision tree in that our software manages the private cloud. Then the question is, when you go down, what are you running on the private cloud? It falls into two cases. Is that an internal application? For example, is it our internal portal or our employee portal? If so, we try and standardize on common technology. If it’s software that we are selling to a customer, we have to test on the small number of stacks that are required.
SM: Right, I understand that completely. For your development and test workload, you do need multiple configurations that are also the likely configurations for your customer, is that correct?
SM: I have a couple of more major topics to cover. One is security. What is your prime focus with respect to security? What are the trends and threats that you see?
DF: Well, one of our businesses is security. We sell products that do security for enterprise systems. We sell a product that is identity management – basically, we deal with deep provisioning of identities. We also sell products that do access control and audits.
SM: Yes, and you just bought a company recently, right?
DF: Yes, I will get to that in a second. If you ask what we are doing in security – independent of SaaS and the cloud – there are disciplines that you need to augment basic access, access control, and identity management. One of them is data loss prevention (DLP).
A place where we see significant interest in our customers is complementing access control with DLP. For on-premise at least, customers understand how to do access control and identity management, it is more than just deploying it and expanding it. One of the new disciplines they have to add is DLP. A second one is, it’s a discovery issue because you have to remember that when you are deploying new security technology and when you are deploying in an environment that already has security and that security grew by acquisition, basically what customers want to do is discover the existing identities and roles on the systems and then clean them up.
It is kind of a reverse engineering. These are the identities and roles that I have, and I need to clean them up because it is an exposure. So, we see a lot of customers who are doing that, and we sell a product that does exactly that. Those are some of the things that we see – actually, virtualization introduces an existing problem because you need to make sure that the person who can administer the virtual environment can’t get into the applications that are running on the virtual environment.
Just because you have root authorization on the machine that is running the virtual machine (VM) doesn’t mean that you should have root authorization for the VM. We have products that help you with this kind of access control. So it is expanding into this places I would think of as DLP, privileged user management, discovering privileged users, that kind of thing. It’s adding a dimension that diminishes risk and helps in risk and compliance. That’s one thread going to the next level in security. Security identity management and access control are not goals unto themselves. Their primary purpose is to do things like minimize risk and enforce compliance, then people are incrementally adding the other disciplines. The second thing is we have a major focus on what is sometimes called security off the cloud and security from the cloud. We showed a project at CA World a few months ago that we codenamed Voyager. It was basically a system that would do identity and access management for on-premise and external systems.
You can provision identities and access control policies to your internal HR systems as well as to Salesforce. In this hypothetical example, if I wanted to on-board an employee, I would have to go and set up the security. I would have to provision an identity into the internal active directory for the portal, I would have to provision an identity into my external benefits provider, I would have to provision an identity into Gmail, or Salesforce and I would have to provision the security I will have to support for changing it. That’s what we mean by management of the cloud. We do identity and access management for enterprises whose systems span the cloud. Because of the nature of the identity and access management products, they are based on modern architecture, so you can actually deliver the identity and access management products via SaaS. You can deploy them in the cloud and come back and manage cloud services and on-premise services. That’s what we mean by identity and access management from the cloud. Now, if you think about the case where you are doing identity management, especially for an enterprise that serves the consumers business, you have this complicated situation where your IT environment is using on-premise and off-premise systems but your end users have multiple identities, and since you are running things in the cloud you want to have higher security considerations.
What the acquisition of Arcot does is allow you to go to the next level in the security. An example of this is if somebody is using one of your applications, like using your Web self-service system, if that person goes down a specific path, you can say, OK this path requires a deeper level of authentication. It makes an out call to these cloud services that ask the user, What is your mother’s maiden name, what is your ZIP code? You can have basic authentication with user IDs, passwords, and that kind of thing. But you hit apps or parts of apps that need a deeper security, it can go out and do that challenge, get that information, and it does that challenge check. It is an ideal thing to put in the cloud because people are accessing such apps all over the place. A lot of this is in partnerships. For example, you are going through to your credit card companies, but you then punch through to your bank. The reason we did the acquisition of Arcot is that it is called strong authentication, which I find vaguely amusing because by using the term “strong authentication,” it’s implying that somebody wants weak authentication. I have never met a person who wants that. Do you want crappy authentication, or do you want the real thing? Sometimes they call it second factor, but basically you can at a certain point beef it up and then ask additional questions to challenge the person. Another thing we see when people use our product is that they have already customized the on-premise systems, but when they want the next capability, they ask, Can I get that via SaaS? People want second factor of authentication but they don’t want to deploy software on-premise, so Arcot delivers strong authentication via SaaS.