>>Fly from San Francisco. It's the cube covering RSA conference, 2020 San Francisco brought to you by Silicon angle media >>and welcome back. You're ready Jeffrey here with the cube. We are a day four here at the RSA conference in Moscone Thursday. We've been going all day Monday, Tuesday, Wednesday, Thursday. It's a huge conference over 40,000 people, you know, kind of the first big us conference after the mobile world Congress thing with a coronavirus. So we were all kind of curious to see how it would work out. There was some companies that pulled out but you know Rohit and the team stayed the course, they got the support they needed from the city and it's turned out to be quite a show. So I'm sure there's a lot of people all over the industry kind of watching this as an indicator of how do you execute a conference and these kinds of crazy times. So we're excited for our next guest. He's Andy Smith, the senior vice president of marketing for Centrify. >>Andy, great to see you. Good to be here, Jeff. Doing great. So you said you've been coming to this show for a while, you're a seasoned veteran of the industry. First off kind of general impressions of this show versus versus other kinds of RSAs you've been doing in the past. It's super interesting to watch. It ebbs and flows of the security industry, right? I mean I've been 15 years over the past 25 I've been at this show and you've seen it be big and then shrink down, you know, to one hall and then the two halls again. I mean what's interesting the last couple of years is it's, it's big again, like security is hot. We know budgets are going up, a breach, cultures out there. And so, you know, the IC, the RSA show is a reflection of what's happening with the industry when you look at the size and number of attendees. >>Right. The other kind of theme this year was the human centric, uh, boat. And we had row head guy on just a little bit earlier in his keynote. I thought it was really interesting. It was not about security per se. It was not about threats and detection. It was really about stories and narratives and peoples and kind of taking that back as an industry. I wonder, you know, kinda your impression as this kind of human centric theme as we're surrounded by tech tech and more tech. It is, if you think about human centric, it's a, it's a big piece of your, your security strategy, right? I mean, uh, what, there was just this morning, uh, one of the sharks got fished, right? Lost $400,000. One of the, yeah. And so, uh, you know, educating people about looking out for fishing attacks, right? Uh, uh, looking at insiders who are one of our biggest threats and you know, they're, they're a huge piece of this is not technology at all. >>Right? I thought Wendy's keynote was great too from Cisco. Talking about everything we do on computers is about clicking. And yet we tell people, you know, click the download the patch, but don't click on anything else. And really, you know, kind of taken an approach that people need to be part of the solution. They're not these horrible people that keep clicking on the wrong things, but you really need to integrate them into your strategy. Yeah, absolutely. I mean, it's about educating your workforce. It's about educating consumers, right? Whether you're talking B to C security or whether you're talking to me to be that human element and educating to be diligent right to you, you got to know a little bit about how to look for something that might be suspicious and know what is, what you should be clicking on, what you shouldn't. There's, there's not a lot of technology that can solve that for you. >>It's getting out and, and, and making sure people are educated. And unfortunately, the bad guys have been working hard on their grammar and, uh, and doing all the AI on the background. So, you know, it's not, a lot of things today are not easily identifiable like they used to. They've gotten, that's no longer really kind of a baseline, a hope not to click that thing. They've gotten way better. Right? So rather than these attacks that are spray and pray, they're going after, you know, just going after anybody. They can, they're targeted now. Right? So spear fishing, right. And uh, and so specific individuals. And that's why one of the things that, that is a little bit coming up at this show and something that we talk about is identity centric security. So that you've got a tie, that kind of human element to your security. >>You know, there's network centric, but getting identity centric and tying that human element to your security aspect, making sure the security, the identity technologies and the security technologies are working together. That is brings that human element into your own security strategy. And when you, when you talk about identity, how should people be thinking about identity? Because clearly we see the kind of the rise in multi-factor now, right? We have to do, we have to go to the, our phones all the time with the code. Now we're hearing people, you know, can spoof identity, they can Smoove faces. I guess identity is not a face, but you know, some of these indicators of identity. So when you help people think about identity, what are some of the factors they should think about? What are the things they don't but they should be thinking about? Yeah, yeah. >>I mean some of the things that we talked a lot about is multifactor authentication. So although yes, right, real sophisticated people can have ways of getting around that, but most attackers and hackers are lazy, right? They're going to go for somebody who's got no multi-factor in place, like even doing the basics is way better than doing nothing. I mean, the statistics bear out that you do a little something right? And then you can always step it up and get more sophisticated where you've got tokens that you have to put your finger on, right? And you know, you can get smart cards and all those kinds of things. You can get much more sophisticated, but multi-factor in general works. I mean, you're just going to take it a far bit above. But what's interesting about identity, because we always think of humans, right? But when we talk identity, where this market is going is identity is machines. >>You have to give a machine an identity, you have to give a service account, an identity, you have to give a microservice identity. And these more and more, this is just completely automated world. This isn't humans logging into things anymore. This is microservices talking to each other. Each of those needs an identity needs an authorization cause they have accounts that can be hacked also. Right? So the you need protect those just as much as needed to protect those human accounts. It's funny cause we, we cover a lot of RPA shows, right? And the whole talk of, of of people that do RPA, right, is that they're, they're, they treat them as people, right? They treat them as kind of like your little assistance, your own little bot to do little tasks that you assigned them to do. So treating them with kind of an identity protocol. >>Then that gives all the authorizations and you kind of leverage all that back end is the way to integrate them into the workforce. Absolutely. It's all about access controls, authentication, authorization. Those are the controls that have been there forever. You're supplying these two new types of identities and you know, the, we're in the privileged access management space, so it used to always be a windows admin or a Unix Linux admin logging into a physical box, right? And so it was about protecting those accounts. But more and more it's about giving a machine and identity and a microservice and identity and how are those things talking to each other? We're protecting, that's all completely automated with dev ops. You think about if I have a, as I moved to the cloud, I want to be able to scale out dynamically, right? Uh, horizontally, vertically. So all of a sudden new servers, virtual servers or containers just popping up automatically. >>You have to be able to control the access to all those automatically, dynamically on the spot, and then they shrink back down. You need to get rid of all that, right? So the automation that's come into our space, although the same, I'm still trying to do authentication, authorization, same type of privilege access controls we've been doing for 30 years, but how they're applied in this new world is much different right now. What about then you layer you layer on top of that zero trust, so I definitely want to identify, but I have zero trust and I'm presuming at some point in time you might end up either being a bad guy or some bad guy's going to come in via your credential. How does the zero trust piece fit on top of the identity kind of management? It's really why we're talking about identity centric security now is because you can't, you, you have to assume somebody on your network. >>You can't trust all those perimeter controls that are there. The reality is they're going to get in and so that identity centric security starts at that access layer and not not trusting just because you got onto the network that, Oh, sure, here you go. You can, you can do whatever you want. That's where zero trust comes in. I don't, every time I want to get access to a piece of data or a system, et cetera, I need to do that F indication that authorization apply, that multi-factor. Those are all identity centric controls that result in this, this journey towards the zero trust world. It's, it's funny, uh, I've sat down with Mike and Caesar, uh, for scout and you know, he talks about when they do the little sniff on all the little devices that are plugged into the networks and it's usually multiples back of what people think are on the network, especially remote location. >>People are plugging stuff in. But then too, you know, like you said in the machine, identify, you know, what should a logic cam do and how should it act. And as soon as it starts acting and asking for things in accounts payable, maybe that's not necessarily what a lot to take camera wants do or should be doing. Yeah. Yeah. And so first there's like knowing what that device is giving you an identity so he know what it is, know what it should be doing. It has a role, it has specific access and authorization rights that are granted to it. So the logic camera, if I know what that camera is, you have an identity. I know what it's supposed to be doing. I should be able to restrict the access it has to just what it needs to do. Right. Rather than it's got root account to do whatever or some God account to create, you know, like those are the kinds of controls we have in place. >>And it's just logical identity management controls that have been there forever. But you're a, once you can identify those devices connected, you can, you can give them those, you know, limited. There's talk about least privilege, right? That's again, a 30 year old control, but giving at least privilege on just what it should do and nothing more. And do you see in the future just more and more kind of multifactor, uh, validation points that we'll have to get added to the, to the process as we move from single factor to factor, however many factors is going to take? For sure. Yeah. I mean, so the multi-factor, cause there's one thing are you authenticate yourself at the front door, right? So that's what most authentication is, but there's this concept of continuous authentication. You're the trust in that, uh, that initial authentication degrades as your session goes on. >>Right? So the longer I've had a session open, you know, is that still that same person or that same service that is clicking away at the keyboard there? There's cool stuff, wrong continuous authentication where there they can tell it's still the same person based on the cadence. They click on the keyboard, other biometric methods, the swiping I do on my phone and stuff like that. So there's ways to have continuous concepts now called continuous authentication. Right? And so I absolutely see that those behavior based, uh, types of, uh, of authentication. You're going out through a user's entire session. So I want to shift gears a little bit. One of the things that amazes me about this show, and I don't know when it was small, but it's been big ever since I've been coming. It's right, there's so many vendors here, there's so many companies in this and there's so many kinds of stories that a lot of really enthusiastic people work in booths that are screaming at you to come over and tell you all the great things they do. >>From a marketing point of view, you're, you're the SVP marketing. How do you, you know, kind of package your messaging, how do you kind of break through the clutter? What advice do you give to, to buyers, um, to help them kind of navigate what is a, a very large, loud and complex system? Yeah, it's a, it's a complex battle, right? So you have to be able to, because there are so many different technologies here, uh, in, in the security arena, uh, we're all fighting for the same share of wallet in a sense. Right? And so first you have to identify yourself with something people recognize a market that people recognize like identity, privilege, access management, endpoint security, you know, et cetera. But then you have to differentiate yourself within that market, right? So you've got to add something to the market space I'm in to that gives a little twist. >>So for us, it's identity centric, privilege access management and that, you know, we suppose that against Balt centric or you know, something else that we've tried to put the other bets. So you try to, in your message, you got to categorize what's the space I'm in and how do I differentiate? And in something as short and brand-able as possible. And then you got to have this kind of ongoing solutions, partnership relationship with, with your clients, right? Because this is not something you're going to be switching things out that frequently and, and, and, and the landscape and the threats evolve and change so rapidly. I think we've had a number of people come on to publish this report or that report, his report, he's come out every six months and there's actually the online version so he can keep up with what happened today or what happens tomorrow. >>So not an easy, uh, not an easy kind of marketing challenge to stay relevant, stay connected and state stay really in people's mind. Well, and you know, there's, there's awareness aspects to it and it is really just what really helps is you just create as many happy customers as you can. Right? I mean, you're amazed at the how connected this industry actually is. I mean, the attendees that are coming to this conference, they know each other. They've been coming here from here. It's just like we have. Right, right. And a word of mouth between people who have used your technology, they share that with something else. I mean the security industry as big as it is, it's, it's super interconnected. One person goes from one company to the other and so tons of business just comes from word of mouth, referral, etc. So the happier you can keep your customers, the more uh, you know, mind share. >>You can get up there. Okay. Last question before I let you go. We just like to say we just had row hit on one of the topics was they just got bought by a symphony. I think it's symphony, a private equity firm. Um, we met the other night at a, at a cocktail party put on by Tom Thoma Bravo and you were at Centrify before they came in. And after, you know, I think some people are kind of confused, you know, what is private equity, how does it impact the company? So wonder if you can kind of share, you know, how that transition has come along and you know, kind of give us an update on what's going on at Centrify and where you guys are going next. Yeah, so we were acquired about a year and a half ago now, uh, by private equity and you know, they basically, they take later stage companies and uh, help them get, uh, profitable, uh, they increased value and then they look for going, taking that company IPO or selling it off, et cetera. >>Right? But it's really about looking for opportunities, uh, in existing market with larger companies, the venture capitalists will go after smaller, much larger risks. These are bigger dollar amounts, right? Larger companies. But then they, they look about how to optimize. They're very sophisticated on how to run a B to B business. Tama Bravo happens to have a huge investment in security and it comes like eight or 10 companies there the other night. Yeah. So they, they realize that this is a hot space right now. So they've, if they can take a company and create value that they realize that there's more stuff popping up. There's probably money being invested in. And one of the things that, but not all private equities created equal. Yes, they are about all about kind of optimizing, increasing value. But what we really found with Tom or Bravo is they're interested in investing in that company, looking at other folds and acquisitions, et cetera. >>And that's a part of a strategy for me as a, as a manager and an I'm part of the executive team. When you're backed, they don't have the money to go after acquisitions. Uh, like that they, you know, they make these smaller investments. We're talking about Bravo actually does have the capital to look at other things that can be immediately accretive and add to your value. And that's a, a real part of our strategy now that didn't exist before we were owned by PE. I think they spun out a whole nother, another company out of what your technology say. Correct. Exactly. So one of the unique things about our particular acquisition is Centrify was both a privileged access management. And a identity as a service. And I Daz a company and they looked at what we were doing and they said, geez, you're really selling to two different markets and it's two different sales cycles and two different business models. >>We could actually create more value if we split these up and each of you focused on your individual markets. And so that there's a, there's an MQ and a market segment and a wave for IDASS and there's an MQ and a wave, you know, et cetera for Pam. But there's not anything that does both. And that's what Centrify was. So they actually, we, we completely divested of our IDASS capabilities spun off in an entirely separate company called adaptive. And so over the last year, that's was a lot of the work that was going on. It was, was splitting this company, uh, uh, into two. But it really provided us a much more focused to go after the market that we were going after. Well, they wouldn't come in if they didn't see some opportunity to, uh, to pull some more value out that wasn't really being unlocked. Absolutely. Right. Andy, we'll thank for taking a few minutes and uh, and great to catch up and best you for the rest of the show. Awesome. Thanks a lot, Jay. He's Andy. I'm Jeff. You're watching the cube where? At the RSA show in San Francisco. Thanks for watching. We'll see you next time.