Smarter Access Through Zero Trust Model

Danny Kibel is the CEO of Idaptive, a company focused on next-generation access. Idaptive officially opened its doors on Jan 1 after spinning off from parent company Centrify. The company--which was recently named a leader in Forrester's Q2 Wave for Identity as a Service (IDaaS) and a Top 10 cybersecurity company to watch--started life with about 150 employees and 2,000 customers from the Centrify split. Kibel, formerly the vice president of engineering for Centrify, spoke with ITPro today about Idaptive's focus on IDaaS and the benefits of a "zero trust" model for access.

ITPro Today: Why did Centrify decide to spin off Idaptive into a separate company?

Kibel: Centrify had two very different focuses with two primarily different user bases. One was privileged access management, which provides least access to privileged users, and the other was access, targeting end users like employees, partners and customers. Splitting out the access part allows us to focus solely on identity and access management as a service.

What made the timing right for the spinoff?

Companies are transforming the way they do business by moving workloads to the cloud and making as much available to their users via the cloud as possible. As part of that transition, companies know they need to give end users--whether they are customers, partners or even their own employees--the best experience and interaction with their systems. There isn’t much tolerance today by users for anything less than a clean, fluid experience. Think about how customers expect to get a mortgage today. Instead of waiting weeks for approval, they expect instant approval online. In the old days, the mortgage company would spend weeks verifying the customer’s information. Today, they want to have integrated connections with all of their partners. That way, they can approve or deny the mortgage very quickly, and their customers get a fast, straightforward experience. Companies that continue to do it the old way are losing ground.

How can you ensure security with that kind of integration?

It’s about finding a way for companies to control access in a very secure way, but also in a way that isn’t intrusive to the end user. We do that through something called zero trust access. It makes sure that every access request and every interaction the user has is verified. It verifies that users are who they claim to be, that the devices they are using are fully validated, and that the devices have all of the security features required by the administrator of the accounts. The system will allow access only if all of these things are verified. For example, it might verify that the laptop being used to access the system has the latest antivirus update, or that the mobile device is protected by a passcode at the level the company requires.

What about how intrusive all of this can be to users?

Most of the security precautions companies take today are intrusive and annoying to users.  Multifactor authentication, for example, is a good way to ensure user identity, but it can create a horrible user experience. Users have to take their phones out and validate their one-time password every time they try to log in or switch between systems. That’s where we are focusing: on a next-generation access solution that securely validates users, verifies the devices they are using and connects them securely to systems they have permission to access.

What exactly is intelligent access, and how does it fit in?

Along with verifying users and validating their devices, it’s critical to be able to limit and grant access based on user patterns and behaviors. We believe the best way to do that is by using machine learning and artificial intelligence to learn user behavior patterns and make risk assessments based on those patterns in real time. For example, if users go beyond their normal use pattern, such as using a system at an unusual time or logging in from an unknown location, it will be flagged as suspicious behavior. That can either trigger an automatic lock-out or multifactor authentication to double-check that users are who they claim to be, depending on how the administrator sets it up. Administrators also can choose to manually block users.

Aren’t there already solutions out there that can do these types of things?

Sure, but many of them are older systems that are difficult to use, aren’t optimized for the cloud, and don’t have support for on-premise applications so companies can easily connect applications whether they are on premise or in the cloud. There are also more modern identity management solutions, but we think our focus on a frictionless approach that makes it easy for companies and users makes a difference. For example, the machine learning and artificial intelligence built into the system ensures that users aren’t prompted with multifactor authentication if the IP address or location is known, but would be prompted if a user using the same machine tries to log in from a public network.

So, secure access is a major use case for IDaaS. Are there others?

Definitely. When employees join an organization or suppliers join a company’s partner network, for example, they have to have access to relevant systems to perform their functions. If employees switches to a different division, they might need access to different systems. When they leave the company altogether, it’s important to make sure they no longer have any access at all. If a supplier chooses to leave the partnership in favor of a competitor, it’s important to cut off access to everything right away.

If this isn’t done right, it’s quite possible that even a few years after leaving a company, former employees may still have access to multiple corporate systems. All of this may seem pretty straightforward, but you’d be surprised at how many companies have very challenging manual processes around these things. With a next-generation IDaaS approach, companies can provision and deprovision users automatically. They can also see which users have access to which systems, and are notified if users haven’t accessed specific systems for long period of time. That could be a trigger to disable access.

Does every company need a next-generation approach to access management?

For companies to remain competitive, they know they have to adopt new ways of doing business, new ways of approaching their customers, and new ways of working with their partners. If they want to create those seamless user experiences safely and securely, they have to make sure all of those systems interconnect in a very seamless way. Access management is at the heart of all of this and will continue to be.