The IT era has in many ways become the ID era. Establishing your identity for security purposes has taken on serious importance and posed a challenge unlike anything our society has ever before experienced.
We’re routinely forced to change the dozens (if not hundreds) of passwords we keep, which often compels us to write them on Post-It notes and slap them on our monitors, thus defeating the purpose of the password. We must upload photos of our driver’s licenses, install authentication apps on our phones, and generally continue to prove we are who we claim to be on an ongoing basis.
And yet, it’s still not enough. Our guest on this week’s UpTech Report aims to change that. Arun Singh is the CEO of Ilantus, a cybersecurity company that simplifies identity and access management with a cloud-based solution.
Arun tells us about the many challenges we face in gaining access to digital resources, and the innovative solutions offered by Ilantus.
More information: https://www.ilantus.com/
Arun Singh is the CEO of Ilantus Technologies. He brings 28+ years of experience in running global cybersecurity businesses, with a strong executive leadership background that spans general management, sales & marketing, revenue growth, service delivery, and transformation.
Prior to Ilantus, he worked at Ernst & Young LLP as Principal and Americas Risk Advisory Leader for Cybersecurity. At EY, he led numerous consulting and managed services engagements for clients globally and built Cybersecurity-as-a-Service offerings to grow business.
Ilantus Technologies is a leader in the Identity & Access Management domain, backed by over two decades of extensive experience and deep insight gained from thousands of IAM implementations for some of the biggest brands in the world including Fortune 500 companies. Ilantus’ Compact Identity product is uniquely positioned to present a cloud-native, risk-aware, all-in-one converged IAM solution that is built on a Zero Trust framework to provide an identity-centric, holistic cybersecurity solution to clients.
TRANSCRIPTION
DISCLAIMER: Below is an AI generated transcript. There could be a few typos but it should be at least 90% accurate. Watch video or listen to the podcast for the full experience!
Arun Singh 0:00
So if you look at the focus of identity and access management solution is to enable right people and right devices to have access to the right data for right amount of time.
Alexander Ferguson 0:16
Welcome to UpTech Report. This is our Applied Tech series. UpTech Report is sponsored by TeraLeap. Learn how to leverage the power of video at teraleap.io. Today, I’m excited to be joined by my guest Arun Singh, who’s based in Plano, Texas. He’s the CEO of Ilantus. Welcome, Arun. Good to have you on.
Arun Singh 0:34
Hi Alex, thanks for having me today on the call.
Alexander Ferguson 0:37
Absolutely. Now your product, it’s an identity access management solution. So for those out there, if you’re a chief information security officer, say CIO, or VP of application management, this might be a platform you want to check out. On your site, Arun, you actually state very simply here compact identity and talk about in today’s world of technology and trying to manage your identity online, your employees and abuzz business overall. Help me understand what was the problem that Ilantus set out to solve and how has that changed in your involvement in cyber security space? How has that changed over time and where we’re headed?
Arun Singh 1:14
Yes, so that’s a very good starting question Alex. So let me answer it in two part first that what all these IAM products are trying to solve and then what especially we are focused on so if you look at the focus of identity and access management solution is to enable right people and right devices to have access to the right data for right amount of time. And to solve this problem okay, people have initially started with simple solutions, okay, where each device can be managed separately. And then in the past 20 years if you look at the entire identity and access management space evolved into multiple different technologies, there are currently about 100 plus different technology elements Okay, which exist, okay in this space. And broadly, you can put these technologies into three specialized camps, like one set of technologies which focus on just helping to control the access which we call access management solutions, the second set of technologies which are for identity governance and administration kinds of activities, and the third set of technologies Okay, which are more focused on controlling the access of privileged users like system administrators and you know, people who have got higher privileges to control that and now, Ilantus has actually looked at this problem in detail and notice that to solve this simple problem of providing right access to right people for right amount of time any organization need to you know, invest into multiple different tools on an average they need to buy five to seven different technologies and then spend time to integrate them together to solve this particular problem. So we came out with the very unique idea of compact identity where we can compact all different elements of IAM into a single platform and solve this problem in a very unique manner.
Alexander Ferguson 3:14
For this sweet spot for you guys, what size of organization and and scope where making a compact is becomes very helpful because obviously if you’re a small business, someone small, you’re going to go out and use LastPass or something did manage a couple year passwords here and there, but to what size of an organization where you have X amount of employees or X number of devices, does it make sense to then compact all the different utilizations of identity,
Arun Singh 3:42
but I so So Alex, if you look at that identity, and access management is such a fundamental requirement like you know, the moment you need to access any of these IT system, you need to have user ID and the password everyone is familiar with that. And what is happening is that large enterprises, okay, they have already invested in multiple technologies and going to them saying that, hey, you throw this technology because we have some better product is not possible. Now, that actually created a space for us that if you look at across the board, so the mid market is the one Okay, which is kind of fastest growing because they had been lagging behind in choosing the technology. And they are the one who don’t want to now buy multiple different tool and spend energy to integrate them together. So they became our obvious choice to you know, approach to the mid market there we can say that, look, you don’t have to buy many tools and this compact identity platform, which can help you converge all the IAM requirement into a single tool and direct fits very well. So to answer your question, our focus market segment is mid market where we are driving it more strongly.
Alexander Ferguson 4:53
making any shift as as a leader and with technology. I’m trying to imagine The hurdles that is in someone’s mind here like wow, okay, bringing in more applications more technology versus using what I already have. What? Why would they decide to choose something like you guys have versus just staying with what they already have?
Arun Singh 5:14
Yeah, so that’s a very good question. So what happens that, you know, the center spaces are evolving. And many of these old technologies, they pose multiple different kinds of challenges. I’ll tell you that, you know, the COVID-19. And, you know, the recent crisis had also forced people to move to the cloud environment. And many of these old technologies they are unable to, you know, like, they can’t move seamlessly onto the cloud. And organization taking the cloud first strategy, they are finding, you’re totally handicapped, that with their core security solution cannot be enabled on the cloud. So that is one driver, sometimes what is happening that you’re the threat landscape itself is expanding so much, I’m pretty sure you might have heard this recent news in Florida, that somebody tried poisoning the water, okay, by hacking the, you know, the water management system and increasing the use of fluoride. So, you know, that’s another area, okay, which is falling under this operational technologies, and these operational technologies, opening up new challenges, okay, so to be able to cover your logical security, as well as, you know, IoT devices, or expanding it to cover the OT environment. That is also some of the key driver for people to look at the new solutions, which can seamlessly cover your on premise, cloud, IoT, and OT all of that together. So those are the driver, which we see.
Alexander Ferguson 6:44
What do you see is the biggest challenge that I see. So as someone who has to manage all of this moving forward in 2021, and beyond, what’s the biggest challenge, you see that they’re going to face and need to address?
Arun Singh 6:57
The biggest challenge is to, you know, get the right visibility. So what happens, you imagine that there are, you know, hundreds and thousands of people who are there in the organization, okay. And if you look at midsize organizations, so 10,000 to 30,000, you know, on an average, that’s the range, okay, we our employees are there. Now, who is doing what, whether a person has got access to the, you know, like the person who is accessing the confidential information, is it, you know, is he really authorized or not, that’s a big mess. And organizations, they struggle to get the visibility, first of all, you need to know that who is accessing my information, whether they are authorized people or not authorized, and that is one area, okay, where IAM solution, the automated identity and access management helps in terms of not just, you know, uniquely identifying each and every person, authenticating them that they are the right people. And then beyond that, okay, doing the certification of their access rights, that periodically using this tool, you can certify that we guess, this month are certified, all right, people have got access to my application. And next month, again, that is just not possible without having this kind of solution.
Alexander Ferguson 8:14
Being able to scale, and have that visibility, there’s no way you’re gonna manually be able to run that or create your own solution, you know, that exists. For for this new world, where people are gonna be working from home, more and more people gonna have their own devices going from places, how do you see the shift or any changes coming up in management of security when it comes to work from home environments?
Arun Singh 8:40
Yes, so that’s a very pertinent question. And the work from home had certainly expanded the threat landscape. And earlier, people used to come inside the organization, it was easier to control them. But now people are bringing their own devices, people are logging in from their mobile phone, their personal devices and trying to do the office work. So the challenge is compounded by this recent, you know, work from home culture. And my feeling is it’s not going to go away soon, okay, it is going to continue for some more time. And in these scenarios, the fundamental requirement of security is to ensure that right people are accessing the you know, the enterprise a high value assets. And that is where the role of identity and access management is changing. And people are saying that you’re This is a new kind of saying in the market, that identity is the new firewall. So in place, what do you mean by that? So it’s like earlier, they used to have a firewall device to be able to everybody need to go through that to be able to control you know, all the access, but now people are accessing the data over the cloud, multiple different type of cloud, they are having VPN connection and all that and these VPNs have got inherent weaknesses. So what is being coming up the fundamental requirement is the identity and you know controlling the user activities or user behavior is of paramount importance to be able to provide the right level of security.
Alexander Ferguson 10:14
how much of this management and tracking of individuals were access accessing from different places Can this be automated and should it be automated versus having a dashboard and a team of professionals that has the visibility can see themselves or service provided by you guys versus just it totally automated and it tracks by itself what’s where’s the balance.
Arun Singh 10:37
So, organizations they are going for total automation because it is a fundamental requirement. So if you look at that, how the entire cycle works. So this identity lifecycle starts at the time when the person or the new employee is joining the organization and you know, at the time of registering you’re not joining itself okay from HRMS system, you’re not that directly triggers that what are the birth right you know, entitlement can be provided to the person. So, birthright is basically based on the role if you are joining as a you know, analyst you are joining as your shop floor manager So, these are the systems which are your birthright access which is provided and then as you grow in the organization you move from one department to another, okay then your access privileges need to be fine tuned your entitlement need to be adjusted and then when you leave the organization that is the most important time then you need to be immediately deprovisioned from all those systems because even after leaving if you are having access, that’s a big big security threat. So the joiner, mover, leaver okay all the processes need to get automated okay through these solutions. Now, the biggest challenge unexcited tell you that you know, organizations they are facing is not setting up this IAM solution, but you know, onboarding all their applications onto this IAM platform and you will find that even though the base solution is easy to install configure but the biggest challenge is that organizations have in thousands of applications, how to integrate those applications onto this IAM platform.
Alexander Ferguson 12:14
I want to know tell me, how do you do it? So typically
Arun Singh 12:17
organizations they actually take 80/20 rule like 20% of the applications which are mission critical which are regulated which hosts you know, sensitive data, they prioritize those applications to be first getting onboarded and then remaining one based on the business need they try to onboard because it’s a cost and money involved into that. So that’s where the risk management element comes in that how many applications are really critical that need to be immediately integrated? And for remaining you can take a little differentiated approach to be able to you know, manage that most of the time Yeah.
Alexander Ferguson 12:51
Are we curiously so basically what are our top if we’re if we’re having hundreds of different applications that all need to have access management across it for our employees? Let’s look at the top 20% of the mission critical focus our energies there and then the others you just don’t worry about
Arun Singh 13:07
no so the others you actually still deal with the manual processes like many times what happens that you know, you have a small team of you know, operational team they can actually enable the access into those applications because they don’t have you know, core sensitive data or they are in inward facing
Alexander Ferguson 13:25
applicant an example of like one that is generally like a mission critical and then if you can from even one of your clients, but like a mission critical one and then one that isn’t typically
Arun Singh 13:35
Yeah, so mission critical one will be where you are hosting your you know, financial data, okay, we are like, for example, if you are in the retail industry, so all the credit card information, which are you know, is stored into different systems, they all qualify for this, you know, the top end application, so can which required to be integrated. Many organizations, they also go by the regulatory compliance, what they need to meet, for example, Sarbanes Oxley is one of the famous regulation. And the SOX compliance drives that okay, out of 100 applications, they have 60 of them falling under SOX compliance. So organizations, they first take all those applications, they want to integrate it first. And reaching out to the 100% applications, everything is onboarded. I don’t think that of any organization had been able to achieve that. Most of the time, they go till 80 90%. And that’s a good enough benchmark for them to be able to generate the value.
Alexander Ferguson 14:31
area 90% that are managed that that that’s good enough, when it comes to managing passwords, do you think we’ll ever get to a world where in an organization 100% of all applications and passwords are all safely managed? will that happen?
Arun Singh 14:47
Yes. So, what happens the problem is broken down into you have to dissect it based on the risk management. So what happens for access is 100% control IGA which is you know, provisioning, deprovisioning of that is where you have some of the elements which are you know still manual and part of that is semi automated you know technique that is how it happens but access management is one area where or the privileged access management I’ll say both of them okay organizations they strive for 100% compliance with that so crucial for organizations to you know, protect their critical data.
Alexander Ferguson 15:23
When someone’s wanting to start using IAM solution and they have all their applications what is that process? Like? Is it sounds like a baby or a beast to manage or even think about getting it all that switched over to using it?
Arun Singh 15:43
Yeah. So your that’s a very good question. So, what happens that whenever we start an engagement The first step is to be able to see that you know, whether each and every user is uniquely identifiable or not many times people say user ID you know, the employee ID is you know, becomes a unique differentiator many organizations they started with you know, social security number as a unique differentiator but then social security number is again it’s you know, sensitive data requires protection. So, the step one is that how you are uniquely identifying each user and then you know, what are the processes whether those processes are optimized or not optimized. So, you imagine in this way that you know if there are 1000 application each application has got its own way of provisioning, deprovisioning and approval workflow okay then it will create so many different variation is it really required so, bringing them into an optimized process says that you know, the joiner, leaver, mover all of that is coming into the standard you know, process framework okay that is the second step. The third step okay we are we required to also identify the roles the role engineering is a big area that what are the rules which are associated with these people and you know, doing an analysis and exercise to be able to you know, identify that what are the right number of roles which are needed for the organization all of that form part of the initial strategy part and once that strategy is ready then after you can deploy the you know, full blown IAM solution and that can actually help automate the full process.
Alexander Ferguson 17:23
gotcha looking forward into this year and beyond any upcoming features that you’re really excited about or anything that you can share on the on the roadmap.
Arun Singh 17:34
So I tell you that one of the feature which everybody loves to hear about is you know, zero factor authentication okay. So you have heard about this login id password okay. And which is two factor then you go for multi factor authentication where you have the token to authenticate now people are talking about password less authentication Yeah. Because okay remembering those password okay is such a nightmare each and every person actually deals with that that okay hey you know, I have so many passwords Is there a way I can get rid of these passwords. So, there are a lot of advancement which is happening into the market and you know the solution which are you know, coming up and what we are also you know, we have also released is based on a blockchain based general identity. So, what it does that way it uses the government issued credentials or your personal data in a manner which is totally decentralized and using this blockchain technology, okay, we actually authenticate each person and you know, do the identity proofing that with the person who is claiming to be how we can verify that and what happens that when you have to log into any of this system, you just scan a barcode or you know, kind of the QR code and then after Okay, you just do your face authentication, like look at your phone. So your phone number
Alexander Ferguson 18:59
your phone then is becomes the device that allows to unlock it.
Arun Singh 19:03
So the phone becomes a user ID and your biometric becomes the password to log in anywhere just scan the code okay on the phone and look at that blink your eye It will also ensure you’re alive you’re not dead. Okay. And then after it will let you get in so it is solving multiple problems together that are in place are remembering the password and all that just like what people are now getting used to iPhone and many of these mobile phone doing this. Live authentication is the same way. Okay, any website you need to log in just to scan the code look at your phone and you are in
Alexander Ferguson 19:40
it now this is this a separate app and effectively that they would download and have on their their phone or does it is that a web page or how does that work?
Arun Singh 19:47
So that is a technology the passwordless authentication which is getting rolled out it is very hot in demand and many organizations they are talking about rolling it out. So there is definitely some engineering effort required to be able to implement this technique. But once it is implemented it takes away the problem of user ID password okay which people need to remember the passwords are stolen and already it is proven weak system 20 year old system okay which no one wants to use it but still we are forced to use so I think this is something which you should definitely watch out that more and more organizations they are going to move towards zero factor authentication or password less authentication.
Alexander Ferguson 20:28
The finally the applications the software that we work with can recognize us as humans like other humans do and say oh I know you you look like so and so and I can see that that’s true and then I checked
Arun Singh 20:41
exactly the direction where it is going and there is another dimension also Alex I’ll tell you that one of the biggest problem of current access management solution is that they authenticate you only once like when when you are entering inside the system the authenticate and then the trust on you that you are now you are inside okay you will do everything right. So, the the industry is moving from one time authentication to continuous authentication and there is a term which is becoming very popular in the industry called zero trust you know model of zero trust framework. So they say that we trust you when you came in but again after a while, I need to again re establish the trust which means continuously authenticating the person okay such that okay after getting inside Okay, somebody is watching the users and their behavior that they are indulging into the right behavior and not stealing the data or not stealing the information out of the organization so that’s another advanced area okay we are organizations are moving towards
Alexander Ferguson 21:44
I imagined the as we become even more Alliance and are more online especially working remotely from home the opportunity for issues when it comes to security I don’t know if there’s another word for issues that that I’m sure you get you can speak to over your 20 years of experience in cybersecurity over 20 years I think if you had to just as for fun hear anything you can share of probably the biggest cybersecurity issue or more interesting one that you have faced and saw in the past that you can share just just for fun I’m curious
Arun Singh 22:22
so cyber security issue one I remember like okay, which was really very interesting that we were working for a retail organization and you know, the FBI knocked at the door and said that Okay, do you know that okay, you know, some of your servers are you know, already compromised. Okay? So it was kind of you know, they
Alexander Ferguson 22:41
acknowledge or they’re like, hey, by the way your servers are compromised, like yeah,
Arun Singh 22:45
people are trying to sell the data of your organization okay on the dark web okay. In the underground so that was kind of you know, one of the very interesting moments that okay we were kind of really surprised that you’re all these Gen servers are well protected okay they are you know, the access and the identities are properly guarded and all that’s what happened and after the you know, quite a good amount of effort to be discovered. Remember that 80/20 rule which I said the organization had taken only the you know, the sensitive servers into the account and they were some servers lying there in the organization they were you know, supposed to be not having any of this information and people forgot to delete the information from that and hackers got into it. So it was such a you know, kind of interesting moment that okay even though your policy everything is right but you know one mistake okay is actually you know kind of exposing the entire organization again and if you if you look back you know Alex the biggest fear as a cyber security professional what people have is you know, what we need to be really careful about is the human stupidity okay there is there is no solution stupid but yeah and people are going to make those you know kind of mistakes and there will be some stupid mistake and you know, all your technology wise you are good process wise you are good but one silly mistake and you’re you’re again compromised. So that’s the biggest fear what can
Alexander Ferguson 24:18
a cybersecurity professional do to protect an organization against human stupidity?
Arun Singh 24:27
So there are some new solutions coming up in the market like people actually do this simulate those phishing attacks, okay, so they you know, kind of train the people and you know, like in instead of, you know, the hackers or adversary trying to hack you, they try to simulate the entire environment just like you know, the hackers and filter out that okay, out of all the employees, okay, who are the one okay who are not paying attention, and they are tempted to click onto the link.
Alexander Ferguson 25:00
White Hat hacking your own people to see okay which person is most vulnerable to just these human tendencies of being a security risk
Arun Singh 25:09
exactly like some people they are by nature okay they are so curious they want to click on every link okay they don’t want to think twice okay and just click and you know then you are compromised. So, you’re these solutions and the attack simulators are now actually creating a new dimension to be able to check and the second area is like sometime it is by mistake sometimes it is deliberate like the internal you know threat what people are dealing with. So people that disgruntled employees okay they also kind of tend to do those kinds of stuff. So user and entity behavior analytics okay which is driven purely from the identity data is another core area of you know with which we are actually building up the complete automated you know, approach for that. So, we are the user behavior monitoring and seeing that okay what are the kind of your other variations in the behavior which are happening and people who are disgruntled Okay, monitoring their activities little bit more closely. Those are the techniques which people are using
Alexander Ferguson 26:13
correct. some closing thoughts here as a cybersecurity professional many years looking forward, what are you most excited about or interested or see in the future when it comes to this field and they could share?
Arun Singh 26:27
Yeah, so we, we are most excited about you know, a new space which is getting created called converged IAM and this converged IAM is basically like, you know, creating the convergence of multiple different IAM solution Okay, into a single platform. And that’s where we are most you know, kind of by native euro design, okay, we are situated there. So if you look at some of the leading analysts like Gartner, they are predicting that in next 24 months by year 2023, okay about 45% or more than that IAM deployment will be asking for converged IAM solution where all these sophisticated approaches need to be bundled together into a single platform and then offer to the client. So you know, we are very excited about converged IAM as a future of identity and converged IAM because our product compact identity is uh, you know, one of the market leader in converged IAM space. So that’s something which is very exciting. We are looking forward to tap into the full potential of this space. And as the sophistication is, you know, coming into the market and how things are evolving, how we can offer best in breed you in a world class solution to our customers.
Alexander Ferguson 27:45
Arun, thank you so much for your time and also some fun stories to be able to hear when it comes to cybersecurity. For those that would like to hear more, you can head over to Ilantus.com and be able to get a trial of their platform and their IAM solution. Um, you can also go to Uptechreport.com. Get the full interview of this and descriptions. Thanks again for your time. It was good to have you on and
Arun Singh 28:10
it was pleasure to speak to you and look forward to our further conversation. Thank you.
Alexander Ferguson 28:15
Alright, everyone, enjoy the rest of your day. Again, this is our Applied Tech series for UpTech Report sponsored by TeraLeap. Learn how to leverage the power of video at teraleap.io. We’ll see you all next time. That concludes the audio version of this episode. To see the original and more visit our UpTech Report YouTube channel. If you know a tech company we should interview, you can nominate them at Uptechreport.com. Or if you just prefer to listen, make sure you’re subscribed to this series on Apple podcasts, Spotify or your favorite podcasting app.