When you hear from people who know about security, the discussion often turns to end users, who are considered the weakest link in the security chain. While IT and the powers that be struggle to secure their networks and IP, the employees are forever screwing up: succumbing to phishing scams, using weak credentials and generally causing problems for the security experts who know best — or so says conventional wisdom.
In reality, it’s unfair to expect employees (or individual consumers) to deal with increasingly sophisticated attacks by a cabal of well-financed and highly trained hackers, social engineers and even con artists. These people have intricate systems in place to steal those valuable credentials and find their way inside the organization’s network and into the treasure trove of company intellectual property.
While individuals can often be the weak link by creating terrible passwords or succumbing to the most basic of phishing scams, there need to be some checks and balances in place to provide better passwords, ensure that people are who they claim to be and remove some of the burden from the end user. Maybe identity management systems, which provide a single log-in and access across systems, can help.
Taking a proactive approach to identity
We used to log onto a single system. Today, with cloud services and a myriad of enterprise systems, we could be forced to sign into dozens, and if we follow best practices and try to use different passwords across each one, then trying to track and remember those passwords becomes nearly impossible — I speak from experience.
Luckily in the enterprise there are identity management systems to help bring order to all of that username and password chaos. Some are designed to work in the cloud, while others work on-prem or a combination. They come from companies like Microsoft, Ping Identity and Okta, but all are designed to do one thing: to simplify credentials management for both IT and users.
IT can create a secure system on which users log on once and have access across a wide variety of services, and at the same time users are freed from being password admins. What’s more, these systems can simplify second-factor authentication, such as sending a code to your smartphone or even your smartwatch, or requiring you to use Touch ID on your phone.
Credentials are key
Identity integrity is the key to security, according to David Cowan, who has been funding security companies since the 1990s for Bessemer Venture Partners and who started three successful security companies of his own.
“An identity management system is like the guard in your building lobby who checks the ID of each visitor to provide the tenants with a basic level of security,” he said.
“Most every major breach involves, at some point, the compromise of login credentials. For some attacks, credentials are stolen in order to steal, publish or ransom private data, [as with] the Sony attack. For others, the attackers steal administrative credentials in order to access critical servers. For consumers, the loss of credentials enables identity theft, ransomware, and account takeovers for phishing and spreading malware,” Cowan added.
Identity is big business
As it turns out, identity management has caught the attention of investors in a big way if you judge by the investment activity around two key players in this space: Ping Identity and Okta.
Okta has raised over $229 million, including $75 million last September that came with the magical Unicorn valuation of over a billion dollars.
Ping has raised more than $128 million. It hasn’t raised since September, 2014 when it announced a $35 million Series G round.
Ping has been busy since then. It’s made a transformation from a license business to a subscription model. Today, it claims it controls its own financial destiny, according to company CFO Mike Sullivan.
“We don’t have to raise capital again unless we want to,” Sullivan said. In fact, he says they are operating now the way a business should be, driving growth with internal cash flow versus raised capital. “We are investing our own free cash, not borrowed or raised money,” he said.
Okta CEO Todd McKinnon claims his company is in a similar position, saying they don’t need money and they are generating revenue.
“Even before last round, we had enough cash to be cash-flow break even. We did a round last summer because the funding environment was good and we wanted insurance. We continue to hit our milestones. We still control our own destiny in terms of cash. We don’t need to raise through financing or IPO,” he told TechCrunch.
Both companies could IPO, and have publicly stated a desire to do so at some point, but each recognizes that in the current investment environment, as long as they can afford to wait, they will wait until the markets get a bit friendlier for technology company IPOs.
Business aside, this is ultimately about protecting the front door of our technology systems — whether on-prem or in the cloud. While hackers can and do find their way into networks in other ways, stealing credentials is a simple way in, and companies like Ping Identity and Okta understand this.
Cowan says it’s time to stop blaming end users and understand that identity management is a good place to start securing your systems.
“We must move past the idea that users just need to be smarter. Even the most savvy cyber experts fall prey to sophisticated phishing attacks, and no human being can possibly create, remember and regularly refresh strong passwords unique to every application. We need help from our technology to protect ourselves — without identity management systems to police our cyber streets, we’re in the lawless Wild West,” he said.