8 Years at Ping Identity – IT Security Crosses the Identity Bridge

I just notched my 8th year working at Ping Identity and I'm happily starting in on the next 8 at Ping. It has been an amazing ride with a rare group of high execution, high integrity, high character, fun loving leaders...and we're really just getting started. The occasion of my 8th full year at Ping - and my 12th full year working in the Identity space - triggered some thinking about where the Identity world is at this moment in time. That thinking led to some writing of notes. That writing of notes led to my first blog post in a long time.

And so...

 


This is a picture of Richard Nixon visiting Alexandria (hat tip @stavvmc), Egypt in June 1974. We can’t imagine a US president riding in such a motorcade in Cedar Rapids, Iowa in 2012 much less Cairo!

The point:

  1. The world changes in radical ways.
  2. The nature of threats changes in radical ways.
  3. Approaches to security change in radical ways.

What will never change is the necessity for presidents to travel the world to get the business of the United States done. In current times, the same level of security applied at the White House travels with the president. (Colombian prostitutes notwithstanding).

In the same way presidents travel to get the work of the US done, in 2012, the best companies are making strategic decisions about where to run core business processes. Many have decided that in order to stay competitive and win, core business processes must travel.

A business might run HR at HQ or in Hyderabad. They might build their own ERP, run a traditional off-the-shelf monster package, or lease ERP compute from a 6-month-old cloud vendor. They can patch together open source CRM, buy pure cloud Salesforce.com, or run a hybrid from Microsoft Dynamics. In this age of radical change and radical choice around IT architecture, IT shops are tackling the challenge of how best to apply appropriate levels of security - regardless of where business leaders choose to run core business processes.

Companies large and small, leading edge and mainstream, now recognize that IT security must travel along with their business processes. The broad recognition that a new approach to security is required in the current environment is what is driving the astounding momentum behind Ping’s business. Leading companies are establishing Identity as the cornerstone of their approach to security and we are taking orders left and right to help them get where they want to go.

Why the shift towards Identity as a cornerstone? Because Identity is the only security function that can travel.

Identity can travel because over the past 10 years our industry, always led (and often dragged) by Ping Identity, has done the heavy lifting to establish rigorous interoperability standards that actually work. Identity standards such as SAML are becoming the bedrock layer of IT security because they allow IT security to match up with what the business requires IT to look like in 2012. Business needs IT to be distributed, business needs IT to be spread across many clouds, business needs IT to be highly interoperable. Business needs IT to be highly secure.

The ubiquitous adoption of standards that provide secure interoperability between and across business boundaries is inevitable. That’s obvious to any astute observer. Ping is leading this next wave of IT security - that’s also becoming increasingly obvious.

This is why after 8 years I am more fired up than ever. We've built a platform, we've built out an amazing team, we've rolled up market visionaries and influencers as loyal customers - and we've barely scratched the surface. Look out. Let's Go!

 

Google Apps Marketplace – Seamless is the Move

I walked out of the Google Apps Marketplace launch last night in Mountain View convinced of a couple of things. One, Google consistently gives out cool schwag, caters well, and runs some of the best lit PR events in the tech space. Perhaps as important, with the new Marketplace, Google has extended the same degree of hospitality on the Apps front and in doing so, they have established a new standard for how business users should expect to use applications. The Google Apps Marketplace is a retail storefront and a set of APIs that enables a bundling of tightly integrated SaaS applications. The apps demoed last night represented a range of business processes from Intuit's payroll to Atlassian's product management to a force.com CRM app from Appirio - all showed seamless integration with Google Apps such as GMail, Calendar, Chat and all kept the user completely in the browser for all tasks.

From an Identity standpoint, Google has positioned Single Sign On as a default integration point. 


The Apps Marketplace model lets users move into and out of all manner of secured business applications without logging in over and over. Removing logins from the flow is a huge step forward in usability. By putting SSO front and center, Google has established seamless SSO integration across multiple apps as an expected part of the user experience - other competing Cloud platforms will likely follow suit. More tightly integrated apps and fewer logins is all good news for end users.

On a personal note, it's great to see the vision for seamless access to Cloud applications that we have been working on at Ping Identity get mainstreamed by Google. We've collaborated closely with the team at Google to develop secure solutions that make it simple for SaaS vendors to plug into the Google Apps Marketplace. Look us up if you'd like more detail on how it all works.

Google Apps SSO and Authentication – Twitter Breach Creates Teachable Moment

The anatomy of the Twitter breach as detailed in TechCrunch speaks clearly to the lengths that a determined attacker will go to gain access to proprietary information. The specifics of the attack are complex and involve a number of ingenious inter-related actions on the part of the attacker who did ultimately gain access to a single user credential at Twitter. Although the methods used are complex and much of the post game discussion has focused on high level security risks associated with Google Apps, the fundamental architectural characteristic that makes this type of attack possible at all is the publicly available web form for collecting user names and passwords.

The attacker was able to manipulate all of the publicly available functionality that is set up to support web form authentication and gain access to sensitive information as a result. Exposing password resets, question based authentication, email notification – (i.e. all of the machinery required to support the public web form) to anyone with a browser is an invitation to serious mischief.

The Twitter breach is a teachable moment for companies adopting cloud applications. In simple terms – since the fundamental risk is having web authentication forms on the public Internet, it follows that the best place for authentication of enterprise users to occur is behind the firewall. Technology designed to make it simple for companies to leverage existing secure authentication (that happens on a secure network) to provide access to cloud based applications is the most secure, least intrusive, and most cost effective way of addressing security risks like the ones that were exposed at Twitter.

In my five years and counting at Ping Identity we’ve built from zero to a customer roster of over 370 companies around the world, including 42 of the Fortune 100. To a large extent, the credit for Ping’s growth goes to the simple premise that there is an inevitable trend that continues to move credential collection to the most secure location available. The recent news about Twitter and their struggle with authentication to Google Apps fits this pattern perfectly.

The implications of this trend for emerging cloud based Identity Provider solutions are an interesting related topic. Ultimately, credential collection can be done securely on the public Internet - but it requires well thought out layering of single sign on, monitoring, and strong forms of authentication. More on the best practices developing around Cloud based Identity Providers in a future post...

Everything into the browser

I attended the Google Enterprise CIO Summit at the Google offices in Cambridge yesterday. Dave Girouard, Rajen Sheth and Alex Diacre presented. Couple of interesting takeaways/quotes:

  • Google is the world's 4th largest manufacturer of servers – behind Dell, HP, IBM. They build them to run in their own data centers. It’s the kind of overlooked data point that helps people understand the vast resources Google can/will put behind their Enterprise IT business.

  • Google Enterprise is currently profitable as a standalone business.

  • Dave Girouard did an excellent job of explaining why continuous innovation is the key to Google’s future in the Enterprise. Right now they are innovating to make email and calendar migrations meet Enterprise requirements – but in the near future they will be delivering differentiated apps and features and platform capabilities that will drive adoption of Google as a core Enterprise vendor. Today they differentiate primarily on ROI – and they have a strong story there – but in the not too distant future Google will differentiate on feature/functionality (think of the role Wave can potentially play in changing enterprise communications). This should scare Microsoft.

  • The customer stories and case studies show that Google Enterprise is still in an early adopter phase. Lots of patterns and best practices are yet to be sorted out.

  • Money quote from a large customer that recently migrated from Exchange to Gmail – “dumping Exchange/Outlook was a big step towards getting everything into the browser”. “Everything into the browser” is a good way of thinking about where cloud computing is taking Enterprise IT and if Enterprise IT is moving to an “everything into the browser” world – that’s a world where Google is, without doubt, one of the winners.

Identity for On Demand and SaaS

The momentum around the migration of enterprise IT architecture to On Demand models is undeniable...and likely to accelerate in the forecasted IT spending climate. We started planting mustard seeds in the SaaS community two years ago - it is nice to look at a snapshot now and see what we've accomplished - 130 SaaS/BPO vendors adopting Ping for internet SSO.

Bailing Out – the Hoard Trade

My cousin the bond trader emailed today after the bailout bill failed and said the only trade left was to HOARD.

The situation is truly confounding. In principle, I'm against the federal government taking crap assets off the financial services companies (and paying a premium to do it). I am also leery of Republican scare tactics and the way they use doomsday scenarios to push legislation. I am also confident that if there was a reasonable solution to the crisis - it would not be sourced out of the W administration. Add it all up and it leaves me in the same camp with the ... House Republicans - WTF?!? How did I end up there?

Net/net: Hoarding may not be such a bad call.

I think the underlying dynamic that is coming to bear is the steady increase in income inequality in the US - which has been a persistent trend over the last 30-40 years. Check the Gini Index 1913-2004



People in society at large can sense the inequality gap and so broad political support for a bill like the banking bailout is non-existent.

Another interesting historical chart to look at is Total Debt to GDP ratio 1920 to Present:

So you can see that as inequality rises - so does total debt, i.e. I want to live like Paris Hilton but I don't have the cash so I'll borrow to pay for my day spa/SUV/vacation in Vegas/McMansion etc. etc. This debtor consumerist posture coincides with low interest rates, pick your payment loans, NINJA loans - the predatory lending all feeds on the rise in inequality and voila massive financial crisis.

If you look at those two charts and extrapolate forward - based on the fact that the former highs in both charts occurred at the start of the Great Depression - you can see hoarding is not a bad call.

Or maybe personally bailing out and moving the family to New Zealand - but then they have big earthquakes there...
