Jon Freeman: The next design principle is that it has to be based on proven security technology. You can’t be inventing an authentication system or adopting authentication systems that haven’t been tried and tested. You have to be able to demonstrate that this software and the solutions and the services that you’re bringing forward are, essentially, industry strong. There’s no initialization of a startup with a decision to say, I have a better way of doing encryption, and this is my encryption. It needs to be able to be demonstrated that it has adhered to and has been developed around industry best practices and standards. Things like SAML 3.0, XACML, SPML, these are all of the underlying security technology standards that need to be incorporated.
The next component is that it’s got to embrace the concept of agility. It’s got to be something that can be consumed easily and quickly and not require a substantial professional services engagement in order to be operational.
The next tenet is it needs to be able to scale dynamically. Security products in this space, typically, experience the ebbs and flows of usage based on user behavior. If you’re looking at a system that delivers self-service password resets and the system sits idle for 20 to 30 days a month, you’re going to, at some point, based on your password reset policy, notice that for at least one or two days a cycle, you’re going to have a lot of users logging in to do password resets or do certification or attestation campaigns. The system needs to be able to accommodate that. It cannot remain static in its ability to scale up. It needs to have the ability to dynamically scale, and potentially be able to return those resources to the pool. But the important thing is that it needs to be dynamically scalable.
The last piece is that it has to be tied to an organization that provides the ability to change in the system quickly. What we find is that no security is ever finally implemented. Security systems change organically because systems come on line and they go off line. Users come in and out of the environment, policies change. You need an organization that is able to stand behind this service and make the appropriate changes to the environment in order to accommodate the specific requirements of the organizations. Those are the tenets we’ve built our solutions around.
Sramana Mitra: You said you are working with Fortune 500 companies, and what you are doing is completely mission critical, right?
JF: That’s correct.
SM: If you were to go down, nobody would be able to log in.
JF: That’s correct.
SM: Is your cloud identity solution powering Fortune 500 organizations, or are you doing Fortune 500 in your professional services organization and the cloud identity solution is just starting out?
JF: We have Fortune 500 customers as well as mid-cap size organizations that are using the cloud solution. If you look at the evolution of who those customers are, they have obviously started out as professional services organizations and have begun to migrate over as their infrastructures become outdated or their desire to maintain these environments becomes less appealing to them. They’ve all looked at alternatives to maintaining and hosting solutions within their own four walls. To that point, we also offer a solution that allows us to monitor and maintain the security services within a client’s own data center. So, we have the ability to project an end-point solution into an organization to provide the same set of services so that the implementation is dedicated specifically to that particular customer.
SM: I’ve discussed cloud strategy with numerous thought leaders and major CIOs. That’s what I’m hearing from the Fortune 500 side. For mission-critical stuff like what you are doing, I think the interest is more going to be in a private cloud implementation as opposed to a software as a service public cloud implementation.
JF: Yes, I couldn’t agree with you more. We don’t have any requirements for multi-tenancy or … all of those things are great buzz words when you’re talking about Salesforce.com. But in the security space, people want their data segmented. They don’t want any combing of virtualization stacks all the way up. Private cloud seems to be the initial, targeted entry point into this. The real question we deal with mostly is, where does the physical infrastructure actually exist? Does it exist within the customer’s organization, in a service provider, or within our facility?