On this week’s State of Identity podcast, host Cameron D’Ambrosi sits down with Attila Torok, Head of IT and Security at Zapier, to take on the hot topic of managing remote security practices in organizations. We discuss the main security areas for infrastructure: good logging standards, vulnerability scans, and how software development.
Cameron D'Ambrosi, Senior Principal at Liminal
Attila Torok, Head of IT & Security at Zapier
Cameron D’Ambrosi [00:00:00] Hey, everyone. Cameron here. I hope you’ll stick around for today’s episode. Joining me today is the Head of IT and Security at Zapier. We dove into what it takes to build an identity-centric connectivity platform, fundamentally what it takes to scale a remote-only organization from an identity perspective, as well as some great and candid talk about the state of the authentication space today, including standards adoption, all of the burning questions, data breaches, deployment of U2F and TOTP, all the fun stuff. It’s another great episode. You won’t want to miss it. Stay tuned. Welcome to State of Identity. I’m your host, Cameron D’Ambrosi. Joining me this week is Attila Torok, Head of IT and Security at Zapier. Welcome to State of Identity.
Attila Torok [00:01:00] Thank you so much, Cameron. I’m very happy to be here.
Cameron D’Ambrosi [00:01:03] So, a lot to unpack. I think we have a few really interesting areas to take this conversation. One of which is really anchored on Zapier’s business itself, and then another kind of anchored on your role within the organization and how Zapier as an organization is handling some of these challenges around identity. But maybe to bring our audience up to speed, both in terms of familiarity with you as well as familiarity with Zapier, the platform: how did you find yourself as Head of IT and Security at Zapier? What’s a little bit of your background and experience that brought you to leading the IT and security team?
Attila Torok [00:01:41] Sure. Thank you for the question, Cameron. I started my career way back as a developer, actually, and then slowly progressed into security. Before Zapier, I was running security at a company called LogMeIn. They have products like LogMeIn itself, LastPass and GoToMeeting. And it was a lot of fun. And actually, we used Zapier there within my team a lot. So when the recruiting team from Zapier reached out to me, I honestly went into the discussion kind of curious, like, okay, how does Zapier treat my data? What do you do with all that stuff that I’m funneling over to you? So that’s kind of the funny thing, how the whole conversation started. But really the culture and the people I talked to during the interview got me thinking, and I felt like there’s a lot of alignment between Zapier’s values and my own values. So I ended up here three years ago, and I absolutely love it. And it may sound interesting that IT is under security here. Honestly, I think that was a great decision, because in many places, when security comes up with a policy or whatever, IT, a separate team, has to implement it, and many times takes the blame for that, right? Security just washes their hands and goes away. Well, here, if I want to implement something in the IT environment, I also have to take the blame for it. So that starts every project from a completely different perspective, really putting the employees, the people, in the center instead of the process. So I think it was a pretty good decision. Yeah, I absolutely love it. Here we have five teams in what we call the security zone: application security, cloud security, detection and response, compliance and, of course, IT.
Cameron D’Ambrosi [00:03:41] And for folks who are not familiar with the Zapier platform and what you’re about, I think I would commonly describe it as almost like a universal connector that can let anything talk to anything else. Am I doing the concept justice?
Attila Torok [00:04:03] Yeah, I think that’s a pretty good explanation, Cameron. When I explain it to my non-technical relatives, I always say Zapier is kind of the glue of the Internet that glues all the different applications together. We all use all kinds of different cloud applications everywhere, and we have data in one of them, and it would be really awesome if, when something happens, when an action or event triggers, we could have that data in a completely different place. And many times, if the two things are not talking to each other, if there is no integration between them, then you basically have nothing to do. Well, except with Zapier, you can connect more than 5000 different applications together and really just shuffle data from one place to another based on all kinds of different triggers and events.
Cameron D’Ambrosi [00:04:56] And, I guess, to bridge the gap for folks who are thinking, well, this all sounds really cool, but what in the hell does that have to do with digital identity? I might boil down the challenge of how do I make platform A talk to platform B as fundamentally an identity challenge, right? Which is: what is the identity of the account or the user who is logging into the platform to pull the data out? And how do I bridge that gap to platform B, authenticate that user, and safely and securely manage that connection point? Again, connecting those two different authentications together in a meaningful and protected way. From that perspective, how big of a piece of Zapier’s stack would you say that identity and authentication play?
Attila Torok [00:05:52] Yeah. Identity is really like a central piece. You said it very right, Cameron. In order to make Google Sheets talk to Slack, we need to authenticate you into both of those applications. Well, obviously, we can’t just have that authentication data laying around. Actually, the security team has a security engineering team, like a SOC team, who owns what we call the security kernel, and that is the thing. That is a piece of code that is completely separated from everything else. That’s what’s doing the storing of your OAuth credentials and making sure that we only allow access to them when it’s on behalf of you: I’m authenticating you into Google Sheets so we can grab the data that you want to push from Google Sheets to Slack. So we then authenticate you into Slack and put the data there, again on your behalf. So there are some really sensitive things that we’re dealing with here. That’s why it’s a whole separate system, only maintained by the security team. Yeah, this is really the key to being able to do things on your behalf. And that’s what all automation is about, right? To switch from a manual task and make a machine do that. But in order to do that, that machine has to pretend that it’s you. Right?
Cameron D’Ambrosi [00:07:24] And from a standards perspective, there’s a lot of fantastic work that has been done around harmonizing some of these standards, making them communicate with one another more broadly across the Internet. How critical was that to the success of Zapier? And from a practitioner’s perspective, do you think there is still work to be done on the standards front? Or is it really down to driving adoption among the laggards who have not adopted the good standards that we have already?
Attila Torok [00:07:59] Well, in information technology or security, there’s always a way to improve on things, right? But as things are today, a lot of the OAuth framework is really solid. I think whenever an application supports authentication with OAuth tokens, that’s what we encourage our users to use. That’s the default: hey, you are connecting Google with Slack. Well, please just authenticate, just give us your OAuth token, and then we will authenticate in your name. And you can always just revert and revoke that OAuth token on your end, so there’s no risk involved at all. So if every application under the sun would support OAuth and we forget about API keys and whatnot, other kinds of old-school authentication, it is just so much better. So that’s really the key. Wherever it’s possible, we are following the OAuth standard.
Cameron D’Ambrosi [00:09:07] And in moving towards the future of the space, obviously there is a tremendous amount of noise from a consumer-facing perspective around FIDO2 and WebAuthn gaining purchase across a ton of platforms, moving to this passwordless future. Obviously, I think you guys are for the most part maybe dealing with a more enterprise-focused audience, not necessarily as consumer-facing, although I know I’m a consumer who uses your product, and some of my nerdier friends, no offense to those who are listening, are users as well. Are you seeing a convergence of the trends that we’re seeing hit the consumer authentication space impacting you at Zapier as well? Or do you think that those are going to remain fundamentally different problem sets when it comes to the authentication space?
Attila Torok [00:10:05] Yeah, unfortunately, it’s more on the latter, where we’re not improving this as fast as it should be. And the interesting thing is, Zapier both has larger companies as our customers, but we do have a lot of individual consumers. And also, which is interesting, we have quite a few very small companies, like startups, who built their business almost on Zapier, almost on automation, because the whole thing about automation, as I said earlier, is just to replace some manual work and make a machine do that for you. And of course, you don’t have to pay the machine as much as you would have to pay an employee, which means if you’re a small company, you’re just establishing your foothold, and you might not have the money to hire somebody to do that job for you, then automation can come to the rescue. So our consumer and customer base is quite diverse. I just wanted to add that there. But again, going back to your original question, yes, I don’t think we are quite as far along. Honestly, I hope that we will be by 2022 as an industry, around identity and FIDO specifically.
Cameron D’Ambrosi [00:11:31] How does this set of questions that we’ve been unpacking apply to your own organization? I know in your role you’re also responsible not just for protecting the data and, to some degree, the identities of your users, but also your employees. And I understand from our previous conversations that you guys have taken a fairly remote-centric approach to your workforce. How have those challenges been similar in your mind, and where have they been different? Or, in some cases, is identity just identity, and it doesn’t matter who’s an employee and who’s a customer?
Attila Torok [00:12:10] Yeah, that’s a really great question, Cameron. So, yes, that is true. Since Zapier was founded in 2011, we were always 100% remote and we never had an office. So that was pretty cool, to build up a company with that mindset. And right now we are over 700 people in, I think, 40 or maybe even 50 different countries. So it’s really diverse and spread across the globe, and obviously without offices as well. We don’t have a bunch of problems like office networks and printers and whatnot. But on the other hand, we have the problem of identity, like how can I identify somebody trying to log into our system from across the globe? Well, identity is a really important piece here, not just for authentication. I mean, there’s a big part of identity that is equally or maybe even more important, which is the onboarding and offboarding, right? If we can come down to a single identity system, which we have at Zapier, I mean, there’s no secret behind that, we’re using Okta, we’re doubling down on Okta. And that means that when you join the company, based on your roles and group membership, you will get an account and you will be provisioned to a bunch of systems. And the same thing when you leave the company: those accesses and the account itself will be revoked and demolished. So that is super helpful to be able to scale, right? Especially at a fully remote company, scaling is really important when we can do as much as possible, again, by automation and we don’t have to do that manually. And on the terms of how employee identity is different from the identity that we have in Zapier, the product, I mean, they are similar and different at the same time, if that makes sense. Because here, when we’re talking about employee identity, it’s really about me identifying myself to the system once and then using that identity pretty much everywhere. While at Zapier, that authentication is happening while your zaps are running, while your automation workflow is running. We authenticate you there, and once you’re done, we just close that connection and you’re not authenticated there anymore. So there’s that big of a difference, I think, between the two. But at the same time, there are a lot of similarities: we want to store your identity in one single place, we want to make sure that it’s secure and separated from the other systems.
Cameron D’Ambrosi [00:15:00] So what keeps you up at night? You’re kind of on the proverbial wall, right, when it comes to keeping this entire platform safe, which by definition is about exposing endpoints. We talk about endpoint security and securing the perimeter, right? You might say that the entire raison d’être of Zapier is exposing more perimeter, enabling more connections. What keeps you up at night from a security perspective?
Attila Torok [00:15:34] Yeah, I would say there are two separate and distinct things. When I think about our product, Zapier as a product, it’s really making sure that the authentication tokens that our customers trust with us, that we store them, that we authenticate on their behalf, that all of that is completely separate and has as many eyes as possible on it. So if anything wonky is happening around that, we will be alerted in an instant. I mean, that’s really our crown jewels. So that’s the number one thing: making sure that we have as many eyes on that thing as possible and keeping them encrypted, making that hard to access, right? So that’s one thing. And on the infrastructure, on the company side, well, it’s really access control, right? Because, as I said, our employees are spread across 50 different countries. So how can we make sure that whoever is accessing is the right person? So again, that goes back to identity, making sure that whoever is authenticating has previously authenticated themselves into the central identity system. And then the second big piece is zero trust, right? Because we don’t have an office network, we don’t have the illusion that the office network is secure, which is an absolute illusion. Which means that every incoming connection we treat with zero trust. You have to authenticate yourself, you have to make sure you’re coming from an actual company laptop, etc., and that can be achieved through focusing on endpoint security, making sure that your laptop is fully secured, under control and under monitoring, and then tying that back again to the identity system. I think there’s a really important connection between identity and device trust, which can enable fully remote access to be trusted.
Cameron D’Ambrosi [00:17:48] I couldn’t agree more. I love that line about the connection between identity and device trust. Towards that line of discussion, obviously we’ve had some big news in the cybersecurity space with this Twilio hack and some of the related fallout: organizations that were taking steps that I would consider to be fairly prudent from a cybersecurity perspective, including the deployment of TOTP passcodes to secure employee access, were the victims of data breaches that in some cases compromised the integrity of those TOTP tokens. From a technology perspective and looking to the future, do you think that this is going to spell the end of usage of TOTP as a second factor? And do you think this is going to hasten the adoption of, for example, FIDO2 passkeys as opposed to other potentially more vulnerable mechanisms of multifactor?
Attila Torok [00:18:57] To be honest, I really hope so. I’m a big fan of FIDO2 keys. In fact, that’s how we built up part of our remote access. When you are accessing remotely, because every access is remote at a remote company, when you’re accessing our production environment, there is a separate FIDO2 step that you have to jump through with an actual hardware key. So that can really bump up your protection, your security there. So I really hope that things like this can push the industry towards FIDO2 and actual FIDO2 keys. On one hand, what this means is, if you look at the market, YubiKeys are still kind of expensive, right? Sure, if you buy one, that’s affordable, but if you want to buy YubiKeys for a 500, 700,000 employee company, costs can really add up fast. So I’m really hoping that with this push towards FIDO2, we can actually get more affordable hardware keys that will be easier to deploy. Especially, again, going back to YubiKeys, most of the time it’s not even enough to have one, right? Because what if you lose that? Well, you kind of have to have a separate one as a backup. So that’s kind of what I’m hoping for, that it will be just more accessible. I guess that’s what I’m saying: this pushes the industry to have more accessible FIDO2 keys.
Cameron D’Ambrosi [00:20:35] What would you say to folks? And look, to some degree this is somewhat of a straw man, but I think it’s a fine exercise. I think one of the biggest risks that we face in the cybersecurity space today is, whether you want to call it apathy or whether you want to call it fatalism, this notion of: look, nation-state actors and advanced cyber gangs are going to get me if they want to get me, and to some degree there’s no sense in keeping up with the arms race. Why is that a dangerous point of view? And what do you say to those folks who are reluctant about spending what it takes, whether that’s in money or whether that’s in an investment in your team and personnel and technology, to get your cybersecurity practices up to snuff as an organization or an individual?
Attila Torok [00:21:31] Yeah, that is such a great question, Cameron. When I hear somebody saying that and when I think about that, well, of course it’s true. If a nation state would come after me, would come after us, well, of course they can get in. But that’s the point. You just need to assume that eventually somebody somehow will be able to get in, maybe by just pure luck, maybe it’s a targeted nation-state attack. So what is important is to try to put that point in time as far into the future as possible, which means you invest into protecting your assets, protecting your network, but even more, or equally importantly, you just get ready for when this happens. Because we’ve seen companies all over the place going through a massive breach and, surprisingly, they didn’t go out of business. Well, some did, but the majority did not go out of business. What this means is, you don’t want to fully avoid a breach, you want to be able to respond to that. So if there’s a major incident coming in, you need to have the right monitoring in place and, more importantly, the right processes in place, so somebody from your security team who knows what incident response is, is able to jump on it, drive an IR process, and then really be able to get to a point where you are quickly able to restore operations. Right? So you just need to think about that. Yes, this will happen eventually. Hopefully, again, it will be sometime in the future, but it will happen. So just get ready for it. Prepare, exercise. We do, at least once a quarter, a small tabletop exercise within the team: okay, let’s imagine there’s a breach, so what are we going to do? And then, of course, at least annually, we do a wider one involving the communications team, the legal team, the executive team: let’s imagine that this is happening, what are we going to do? Those two things are really how you can keep going.
Cameron D’Ambrosi [00:23:48] I love that. Yeah. I mean, it’s somewhat of a macabre analogy, but in some ways it’s like presuming that you’re young and that you’re never going to die, so you shouldn’t have a will. It’s like, well, that’s all well and good, but even if you lock yourself in your house and you never leave, you could have a heart attack, or your house could catch on fire. Who knows what could happen, not to send us into too dark of a place in the shadow of a pandemic. But yeah, what’s the cliché I’m thinking of? It’s not paranoia if they’re actually out to get you, and in the cybersecurity realm, they are out to get you. We know they’re out to get you. And to the degree that automated tools have made it so that your attack surface does not even need to be a target in the traditional sense of the word, of somebody recognizing you or seeking to single you out, a lot of these vulnerabilities can be found in automated and systemic fashions, to the point where security through obscurity is not really much of a defense at all anymore either.
Attila Torok [00:24:54] Oh, yeah, yeah. A hundred percent. I agree with you on that.
Cameron D’Ambrosi [00:24:57] Awesome. Well, normally I ask folks for their crystal ball predictions, but I’m glad to broaden that out to just general thoughts as we close here. What are you excited to see over the coming year in the digital identity and authentication space? And maybe, what are some things that you hope to see, if not necessarily things that you believe will come true? Maybe some aspirational goals for cybersecurity and identity practitioners as a whole.
Attila Torok [00:25:26] As I mentioned a little bit earlier, I really hope that the adoption of FIDO2, somewhat thanks to these recent breaches, will be increased and keep increasing, and that keys will be, as I said, more available and, God forbid, cheaper. That’s really what I’m hoping to see. The industry has been pushing this passwordless login for, I don’t know, probably ten years now. I think I saw the first article about this ten years ago, maybe even more. And we’re still not there. In my 1Password, I think I have a thousand passwords saved from all kinds of weird places. We are so far from being passwordless. So I really hope that I live to see the day when I don’t have to enter passwords anymore. But as things go right now, I don’t know if I will be alive by then.
Cameron D’Ambrosi [00:26:25] I love it. Well, I hope that we will both enjoy many more years orbiting the sun together. But I suppose nothing is certain, especially in this day and age. Attila, a final question, or I should say a shameless plug opportunity: for folks who are interested to learn more about Zapier, whether it’s to maybe join you as a member of the team or to deploy Zapier for their personal or enterprise use, what’s the best place for them to go?
Attila Torok [00:26:57] Well, that’s super easy. You can go to just Zapier dot com. That’s Z-A-P-I-E-R dot com. And you can get an account for free. And actually, there are quite a few things that you can do there for free. And there’s actually a job listing site which, within the whole company, we are massively hiring for. Thankfully, we are in the position where we’re still able to hire people. We’ve seen many companies putting a hold on hiring, but thankfully we’re still able to keep the team growing. So definitely go there and look at the positions. You can also check my LinkedIn profile under Attila Torok. I regularly post content there and definitely post job listings there as well.
Cameron D’Ambrosi [00:27:52] Amazing. Attila, thank you so much for your time. Greatly, greatly appreciated. A fantastic and enlightening conversation, and please be well. Hopefully we will connect again soon.
Attila Torok [00:28:03] Thank you so much, Cameron. I really enjoyed our conversations.