The SaaS Security Posture

Episode 299

10/6/22

How do you preserve productivity, securing SaaS data without hampering the productive sharing of information and assets? State of Identity podcast host Cameron D’Ambrosi welcomes Adam Gavish, Co-Founder and CEO of DoControl, to this week’s State of Identity podcast. This duo dives into identifying trusted workloads to ensure data is shared only with the people who need it and only when they require it, and into flagging high-risk events to prevent data from moving outside the enterprise ecosystem.

Host:

Cameron D'Ambrosi, Senior Principal at Liminal

Guest:

Adam Gavish, Co-Founder and Chief Executive Officer at DoControl

Cameron D’Ambrosi [00:00:06] Welcome everyone to State of Identity. I’m your host, Cameron D’Ambrosi. Joining me this week is Adam Gavish, co-founder and Chief Executive Officer of DoControl. Adam, thank you so much for joining us today.

Adam Gavish [00:00:17] Thank you so much for having me. I really appreciate it.

Cameron D’Ambrosi [00:00:21] I’m really excited. And I was going to say, you know, it’s a perfect time to have you on because, you know, the kinds of data breaches that your platform is specifically designed to help interdict were in the news this week. But quite frankly, we could probably record this any week in modern human history, and it would still be just as relevant because, you know, the drumbeat of companies kind of leaving their data and specifically their cloud and SaaS data unprotected I don’t think is going to go away anytime soon, you know, unless everyone who listens to the episode immediately deploys DoControl. So I think always, always, always a relevant topic of conversation no matter when we happen to be recording this.

Adam Gavish [00:01:05] Yes or no? I mean, for sure. Yeah. The threat model exists for so many years, but like a day to day security, you cannot do everything at once. They have priority. They have a security program to run. And, you know, I think now, yes, it’s a perfect timing because if you look at the last five years, everybody deployed the everybody deployed the IDP, the fastest solution, the covered. And they are covered on many different angle, except for this one. And this one hit hard, then inject pause and you could feel it. You know, Uber’s butchered and and Twitter butchered and it’s all come down to the very same principle where you have a lot of data stored in that application. And that data seems to be very sensitive. And they would call it because everybody, you know, everybody, you don’t have to push for profitability. And it covers the entire organization across any department. Each of those departments use different data. We have different data sensitivity and they also interact with different people internally and externally. And so all of those factors make this business very complicated.

Cameron D’Ambrosi [00:02:19] So at the risk of maybe jamming you up with more than a few questions rolled into one. You know, I think there’s significant overlap between, you know, what we would call the current state of security for SaaS applications and, you know, your background personally and your career journey and how you came to, you know, have the idea to found DoControl. So, you know, what is the current state of security for SaaS applications and, you know, where did you see it wearing your previous career hats and what was that impetus for looking to found this platform?

Adam Gavish [00:02:55] Yeah. Had percent you know I’ve been I’ve been in security for about 17, 18 years now. I started as a network security engineer, you know, deploying firewalls and volunteers and would all monitor all of those all Troy became a flight engineer and then a product manager, most recently at Google Cloud Security Team. And they’re not only I really learned a lot about, you know, how to be one of the top security vendors, how to sell it, how to build it, how to marketed. But also, I experienced some of the treatment of myself. I was in charge of launching one of the strategic projects in 2019 that required me to collaborate right internally but also externally with consulting, with researchers, with analysts, with PR firms and marketing and so on and so forth. And what did I do? Of course, I shared information with them over Google Drive, the easiest app ever. But what happened? It later got me surprised because I was hit by security telling me, hey, you know what, removal permissions. They’re not employees. And they’re like, I know they’re not employed, but I work with them. You know, I’ve got to get things done. I got to get my FOMO. And that happened every few weeks, every few months until I got to a point where I just asked them, Hey, can you fix it? I mean, it’s your product, it’s Google Drive and you fucking Google, you dominate the world and they’re like, you know, we tried Cath Blades, which I did. We tried that. It’s super tricky. Now. I, I really was on a path. I wasn’t on a path to open a company. I was happy at Google. I had my paternal leave. I have unemployment with that point. But I got to know the high school, my CTO and my Chief Revenue Officer. Got together and talked about this opportunity. The good thing about my partner is that they know how to they know people. So we got to get there with a bunch of security people. And it’s primarily the U.S., but often Israel. 
And we talk to them about the earth in public and they all said, you know what, it is huge. Huge because. Near the security leader on one hand. You know, I controlled the risk and liability this company take in which result in debt exposure and all of that. But also I have to work internally and collaborate with different business unit marketing and finance and engineering and so on. And the current solution in the market, they don’t allow me to do so. They gave me the opportunity to improve security, but compromise, business, environment. And that’s something my leadership cannot take in.

Cameron D’Ambrosi [00:05:40] So that was that was the light bulb moment. So, you know, for I mean, I think the broad strokes are obviously there in in your previous answer. But you know if I asked you for the the quick elevator pitch of, you know, what DoControl does, you know, what do you say when you meet someone at a cocktail party?

Adam Gavish [00:05:57] Yeah. Basically, I tell them that we saved the ozone layer and they they they give a really loud laugh. And then at that point, no one, no real. What we do is we help organizations to understand how much data they have across that application and then how it is exposed internally and externally. Quantify the technical depth or the risk be taken and the company presented internally to the relevant stakeholders to get their buy in to the remediation plan, remediate at the highest scale possible, or in other words, reduce to attack their faith. And then the most important thing is to prevent from those threat models happen moving forward through no code workflow, which is a huge buzzword that people don’t like. But it is what it it.

Cameron D’Ambrosi [00:06:47] So, you know, it really feels and, you know, maybe I’m just projecting to some degree because I’m an identity guy, but it really feels like you’ve taken an identity, you know, as opposed to an endpoint centric approach when it comes to how you are tackling this security problem. Obviously, you know, traditional endpoint models that assume, you know, you can build this ironclad perimeter and just say, oh, we’re only going to let, you know, good permissioned things in and we’re going to not let endpoints in that are not permissioned. It really has faced a lot of challenges recently because of the proliferation of work from home, bring your own device and just the fact that this security perimeter is, you know, increasingly, increasingly large and now incorporates, you know, multiple cloud vendors and dozens and dozens of SaaS applications for the average team. Like when you were thinking about building out this product, like where did you begin to anchor on this notion of thinking about identity as opposed to maybe focusing on, you know, pure endpoints?

Adam Gavish [00:07:53] Yeah, 100%. I mean, the first thing is that. The thrust of the conflict changed the world. And so back in the day you had in life network protection an agenda stone between your devices and the Internet and boom, we have full visibility and full control about what’s going on. But once you move to a zero transmit network model, it all goes away. People are barred from any device, from any location to any app and do whatever the hell they want. And then we realize that we need to make between an identity based approach to a data centric approach. Why? Because organization. Now they use what we call the thatthe shared with possibility model, which is in English means you can control anything because you use that app and you are completely dependent on the kind of security tools they exposed to you. And some of them expose some phenomenal tools. Microsoft and Google really advanced, and some of them not so much. But as a result, we realized that, you know, we were going to be under the assumption that everybody was IDP to manage the identity and so that Parliament’s been much sold today. What they don’t have is a clue mapping between the identity and the actual data. How much data do you have in your back? Corporate instance, of course. How many internal and external identity? How is it exposed? By whom? From which department? For how long? Are those people leaving the company? Is the data contained by you? The vendors still work for you? You, the vendor, share with their vendor. All of those questions are not easily answered using the today’s tool. This is what led us to understand that we have to connect between the identity and the data word to provide a more holistic solution.

Cameron D’Ambrosi [00:09:46] So a big part of, you know, I think your approach is centered around this notion of trusted workloads and, you know, making sure that data is shareable, but specifically only with the people who need it and then only when they need it. You know, I think, you know, I’ve never been in the military, but this notion of, you know, a need to know basis feels very accurate here. Like, you know, there are people who might be entitled to have access to certain information, but they don’t need it all the time and they should only have that access when it’s actually required. Like, how do you think of this notion of trusted workloads? And has it been kind of a paradigm shift helping your clients understand this concept? Maybe if they’re coming from, you know, a bit more of a Wild West approach, which was anchored on some previous security paradigms of, well, if you are a certain type of user, that means you can just see everything and anything at all times.

Adam Gavish [00:10:44] Yeah, hundred percent. I think it comes down to breaking down the risk into what is definitely deterministic, right. If somebody from finance is leaving the company and sharing a bunch of PII with a personal email, no question at your immediate right away and open an incident hoping to help. Right. However, if somebody from finance to champion with a vendor, nobody knows. Nobody knows. Right. It is not so easy like Starbucks when you order in and then they tell you, add them and then you add them. Yes. It not so easy. Right. You have to really provide more context around our decision making, maybe double check with the manager, maybe double check with with the legal team and maybe provide a reminder for the end of the hey, you have the data exposed. Do you still need it? Yes or no? This kind of, you know, many touchpoints through our workflow is what provide our security team the connection to the end user without the frustration between security and everyone else. Does it make sense?

Cameron D’Ambrosi [00:11:48] It does. And I mean, I think, you know, that notion of proactivity and touchpoints and, you know, workflow is so, so critical because, you know, nobody is trying to do a poor job of data security. But there’s just so much, right? There’s so much data. There are so many places in which it’s stored. And especially when you’re talking about, you know, multi-cloud deployments and then the SaaS footprint, it’s just so hard to keep up with all of these tasks in addition to the regular course of business. You know, I think you talk about preserving productivity a lot, you know, adding this layer of data security without hampering the productive sharing of information and assets. I think that is really so, so critical because, you know, there is a reason why these tools exist and why the world is moving to multi-cloud, why the world is moving to the SaaS model, because it enables hypergrowth. It enables collaboration and the types of workflows that a modern enterprise relies on. You know, there are myriad, myriad reasons why this approach is fantastic. The problem is, taken to its logical conclusion, you end up with the headlines that always start with an unsecured Amazon S3 bucket, you know, and then yada, yada, yada. So, you know, I don’t think it’s about people being negligent or bad at their jobs. It’s just like there’s only so many things you can keep track of. And people are obviously trying to hit their business objectives first and foremost. And it seems like this really can almost be like the little, I guess you would probably call it an angel as opposed to a devil, sitting on your shoulder like, hey, just so you know, these things are exposed. Like, is this what you intended? And should these people have access? And if they should, we’ll keep an eye on it. And if they shouldn’t, we can cut it off, remediate it and make sure that, you know, nothing has happened untoward in the meantime.

Adam Gavish [00:13:48] I agree. I agree. But the problem here is that to get there. You’ve got to have the right technology to enable that. I worked at Amazon and thought I’m being watched by Jeff Bezos, who said every anecdote matter. Writing in to a reference to every customer anecdote matter. That’s what we think as well, because a lot of the existing solution in the market, they kind of thought this. But they provide you, you know, hundreds of different out of the box templates to choose from, but none of them have customizable. They’re all like very hard coded. And at the end of the day, if you are a large enterprise, it’s a very complex ecosystem. The 99% chance that you have to customize that policy to fit to your business needs. And that’s exactly what we’re trying to do here. We are creating a tool that enables the curative ticket like a scalpel based on what they need. Right. Because. Is the employee leaving the company? Just one factor. What about what SharePoint site is it for? What IP address is the user coming from? Do they have their idevice OS? Other on the team that should have the access or the privilege you’d have redacted. There are hundreds of different of conditions you can set up both on the income and workbook event from the app. The actual metadata on the file and the enrichment from your IDP and IT and an and what’s on to make sure that you’re separating between the two the deterministic policy where everybody in the company can agree with you. You can even mediate. And the non deterministic where you have to get the additional business context.

Cameron D’Ambrosi [00:15:45] Yeah. I mean, you know, as someone who has a head of an abnormally large diameter, both literally and figuratively, I’ll say at my own expense, you know, whenever I see a label that says one size fits all, what I read is one size doesn’t really fit everybody that well, right? And when it comes to these, you know, templates or kind of cookie cutter approaches, in many ways I think it’s dangerous because of the fact that, you know, these are preconfigured templates that are not going to align 1 to 1 with your use case. And then, you know, again, when you start thinking about enterprise scale deployment of this, what starts off with one person who maybe picked those templates, who knows what they’re talking about and knows really well how they should be deployed? That ends up in some policies and procedures and then that filters through, you know, a couple different layers of new people coming on board or employee training. And then you end up with this, you know, one size fits all template being deployed for use cases that probably maybe even the cybersecurity team did not intend, which again, it’s not to say that there is malice there, but it’s just you have a tool that’s not fit for purpose, which creates massive liabilities.

Adam Gavish [00:17:02] I agree. And you know, and other creator. It’s our duty to you to look around us, you know, not just look at security, but look at intercom, look at hotpot, look at bamboo in China, look at whatever successful stuff out there. They are all customizable to the very lowest level possible because they know there’s always another anecdote to follow and they can’t force themselves on the customer to understand how they believe their vision should be. The No. One vision. The endless vision. Every company has its own vision, and especially in security. That vision changes on a bi quarterly basis, whether you have a bridge, whether you’re doing M&A, whether you have talent shift, technology shift, whatever that is, you’ve got to keep moving. You can just stay in the same place with the same policies every given day.

Cameron D’Ambrosi [00:18:00] So what’s next for the space? You know, I think we are moving overall to an era of increasing interconnectedness around identity. You know, we kind of anchor our analysis of the space on what we call the consumer digital identity lifecycle, which in many ways mirrors, you know, its counterpart in the B2B space around employees. How are you thinking about the types of integrations and workflows with, you know, identity and access management and other solutions that really can help enable, you know, the full granularity and depth of data that your platform requires? Are you seeing inbound from companies looking to upgrade their identity and access management approach and taking a more holistic approach for identity, or, you know, I guess put another way, what are the barriers that you see with your customers in terms of being able to actually deploy the technology effectively? Like what are those prerequisites around how you are looking at identities across their organization?

Adam Gavish [00:19:06] I think in this case, data is king. So that. If you are a security team in today’s environment, you’ve got to have the right data and context to truly make good decisions. And in a fast, efficient scale, they deal with the worth of the worth every single day. And they’ve got to have the tools in place that provide enough context for the many touch points in the organization to pretty much help them reduce the overload. And remove you know, very basic stuff like I really to paying attention ask that question. I know we need to ping cos security teams to ask that question. I don’t need to get the buy in from engineering to understand that data. All of that stuff belong to the path because today the interconnectivity is driven by very simple or what integrations that provide vendors like us. The right know the right scope. Just enough scope. Of course not entirely right, but just enough scope. To provide what we call a unified data layer. So think about it. You have the identity for IDP. You have enrichment from the H4 app about that identity. You have an enrichment from the EDR about that device. And you have all of the data. Polster. And when you combine it all, we can provide some interesting insights that not me and not you even know about. Right. It’s easier to catch bad guys when they are in the bad guy timeframe, about to leave or they’re fully vested or they’ve been let go or whatever. The harder thing is to understand things that happened before, before it even visible. Understanding the old pattern just a few weeks before that realistic trigger. It what fits your part in mitigating the risk internally and externally? Right. To give you the simplest example, how do we understand when non finance members are accessing the finance folder without any permission? 
That’s very kind of a how do we understand that the vendors we work with actually share our data with his vendor without our permission whenever there is a security or theft on that fourth party. Right. Those things are so hidden using the native fast security tool that you only get to know them when things get really bad. And then you see the headline, oh, with our third party vendor responsible for your data. Right. But they could have prevented it with the right tools in place. But they can adopt tools that don’t make it easy to digest in the drawing board. Easy to explain internally. It going to be easy.

Cameron D’Ambrosi [00:22:14] Yeah. No, I think that’s so critical because again, you know, going back to I guess, you know, why are we all here? Right. You know, cybersecurity doesn’t exist for cybersecurity’s sake, just like identity doesn’t exist for identity’s sake. We at Liminal like to talk frequently about digital identity, you know, is not a what. It’s a how, right? It’s a means to an end. It’s not an end in and of itself. You don’t need, you know, a trusted identity online because you want one. You need one because you need to securely wire money overseas. You need one because you need to buy alcohol online and prove you’re 21. Cybersecurity, you know, I can build a perfectly secure system, even then ignoring all the things you can do to get around air gaps and things like that. Like I could build a very secure system that’s just a computer sitting in a lead box. But guess what? It’s not going to do anything. It’s not going to help my business grow. So, you know, making sure that we as professionals, whether it’s identity or whether it’s cybersecurity, have, you know, a customer centric mindset and a mindset that’s about enabling the users to actually do what they need the technology to do for them is so, so critical. And that’s why I love that that approach has really seemed to permeate kind of every aspect of how you built DoControl.

Adam Gavish [00:23:28] Thank you. Thank you. I appreciate that.

Cameron D’Ambrosi [00:23:31] To tee up our closer question here. You have your ear to the ground, obviously, both with, you know, trends in the cybersecurity space as well as the ears of your buyers, who I’m sure are telling you, you know, what they need and what they want to see next as far as the development of the platform. With that in mind, we’d love to hear your thoughts and predictions for, you know, the broader identity and cybersecurity space. What do you expect to see as far as trends developing over the next year?

Adam Gavish [00:23:58] Kind of percent. I think fourth vendor that two trends. One of them is good. One of them is challenging. The good thing is that cybersecurity is legit. Board deck slide today. Legit hands on. It’s a real threat with real quantified impact for the majority of the enterprise. Let’s put it this way. We put it on the map. Right. On the other hand, security, they were overwhelmed by the number of solutions they have in place because adopting a solution means they have to talk to legal compliant finance well, commit that waste a lot of their time in doing the actual job, which is improving security. So the biggest trend and the most challenging 20th year is going to be vendor consolidation. For Uthman, does it mean that we have to continuously extend our value proposition? Our differentiation points solve more critical use cases. Make sure that we provide an unheard of user experience. That is just a no brainer for security to adopt. Those are the two different changes we’re seeing from our buyer and from perspective we work with.

Cameron D’Ambrosi [00:25:15] I love it. Well, to bring it to a close here, what I like to call shameless plug time. You know, for our listeners who are hearing this and realizing I would love to deploy this solution, how should they reach out and where should they go to learn more about DoControl?

Adam Gavish [00:25:30] DoControl.io is our website. You can look us up on LinkedIn and we would be happy to talk with anyone, whether you want to buy or you don’t. I’m not here to sell. I have a bunch of people selling. We need to learn, hands down. We need to learn from every person in the industry. Again, every anecdote matters, every security expert has something interesting to teach us. And we are here to learn and grow.

Cameron D’Ambrosi [00:25:57] I love it. Well, so, so great to have met you. This is a fantastic conversation for our listeners. Those links will be in the show notes below as well. Adam, thank you so much for your time and looking forward to connecting again soon.

Adam Gavish [00:26:13] Thank you so much for the opportunity. And you have a wonderful weekend.
