What is the Principle of Least Privilege (PoLP)?

01.02.2022

Introduction

The Principle of Least Privilege (PoLP), sometimes also called the principle of minimal rights, is a well-considered approach to access control in organizations. Users, systems and processes should be granted access only to those networks, data and other resources that are required to carry out the task assigned to them, and nothing more. Neglecting this principle can lead to massive data breaches, as in the case of the hacker who was able to steal Target customer data by using the network credentials of a third-party HVAC contractor.

Why is the Principle of Least Privilege (PoLP) so important?

Organizations cannot afford the risk of granting every user the same access to sensitive data and resources. The principle of least privilege provides a framework that helps protect your resources from criminals as well as from malicious or error-prone insiders. Beyond financial loss and damage to your brand, attackers can install ransomware, disrupt operations and use stolen personal data for extortion or other crimes. Restricting access to the resources a user actually needs limits the extent of the damage they can do.

Benefits of the principle of least privilege:

  • Reducing the attack surface. When each user's access is limited to the resources needed for their specific tasks, a cybercriminal who takes over an account is prevented from reaching every other resource as well.

  • Limiting the spread of malware. Malware can often infect systems only through privileged access. Without that access, a wide-reaching attack is thwarted.

  • Regulatory compliance. For some regulations there is no way around applying the principle of least privilege if industry rules are to be met and penalties avoided.

  • Strengthening accountability. Restricting permissions makes it easier to keep track of which users and systems have access to sensitive data, networks and other resources.

  • Improving performance and user experience. Keeping unnecessary users away from systems and resources increases the productivity of those who need access and reduces confusion for everyone who does not.

Best practices for applying the Principle of Least Privilege (PoLP)

Setting the parameters for implementing the principle of least privilege begins in the planning phase and continues throughout your organization's entire lifecycle. A review of current practices and access conditions is a good starting point.

Adopting a Zero Trust security approach

The Zero Trust security concept is based on the philosophy that organizations should trust no one and verify everything, because external and internal threats exist at all times. Authentication and authorization are key steps in restricting access and protecting resources. Authentication requires users to prove their identity. With multi-factor authentication (MFA), users must present two or more authentication factors, which stops hackers holding compromised credentials from breaking into your system. Once users are authenticated, organizations use authorization to control access to resources in line with PoLP; access can be assigned to users by role or individually.

Identity and access management (IAM) solutions let you create authentication and authorization policies for employees, customers and partners.

Using Privileged Access Management (PAM) solutions to increase security

Privileged accounts are a preferred target for cybercriminals because their administrator permissions give broader access to, and control over, data, networks, systems and other resources. Privileged Access Management (PAM) solutions let organizations monitor, secure and control the access privileged accounts have to resources. To restrict that access further, just-in-time (JIT) privileges can be set for specific projects or time periods. PAM solutions are used together with IAM solutions, since the two support and complement each other.

Securing the application programming interface (API)

An application programming interface (API) serves communication between computers or applications, but it is easily overlooked as a cybersecurity weak point. Resources are put at risk when organizations and developers have no security protocols available during development. Four items in the Open Web Application Security Project (OWASP) API Security Top 10 (including the first two) relate directly to missing access control rules and missing strong authentication.

Continuous audits

After the initial implementation, don't let anything slip through the net. Frequent reviews of users, accounts, processes and systems ensure that they can access only the resources they need. Employees change jobs, third-party vendors and partners change, systems are updated or replaced; continuous security audits let you keep track of privileges that need to be revoked or updated.

Examples of best practices for applying the Principle of Least Privilege (PoLP)

There are many examples of how to ensure that users receive only the resources they need:

  • A member of the sales team has access to the customer relationship management (CRM) system, but not to confidential HR records.

  • A temporary worker hired for data entry can add information to specific files, but can neither change formulas, download files, nor access other files.

  • A customer has access to the information needed to buy products and maintain their own data, but no more.
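The following Python sketch is an added example, not code from the original article or from Ping Identity's products. It models the three scenarios above together with the just-in-time grants from the PAM section and the continuous-audit step: a default-deny role policy, time-bounded grants, and an audit helper that lists role permissions not exercised within a chosen window. Role names, resources and timestamps are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Default-deny role policy (constructed): a role lists only the (resource, action) pairs its job needs.
ROLE_PERMISSIONS = {
    "sales": {("crm", "read"), ("crm", "write")},
    "hr": {("hr_records", "read"), ("hr_records", "write")},
    "data_entry_temp": {("intake_file", "append")},  # the temp may only append to one intake file
    "customer": {("catalog", "read"), ("orders", "create"), ("own_profile", "write")},
}

@dataclass
class Grant:  # a just-in-time (JIT) privilege that expires on its own
    resource: str
    action: str
    expires_at: datetime

@dataclass
class Principal:
    name: str
    roles: set
    jit_grants: list = field(default_factory=list)
    last_used: dict = field(default_factory=dict)  # (resource, action) -> when last exercised

def is_allowed(p: Principal, resource: str, action: str, now: datetime) -> bool:
    """True only if a role or an unexpired JIT grant covers the request; otherwise deny."""
    if any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in p.roles):
        return True
    return any(g.resource == resource and g.action == action and now < g.expires_at
               for g in p.jit_grants)

def access(p: Principal, resource: str, action: str, now: datetime) -> bool:
    """Enforce the decision and record successful use for later audits."""
    allowed = is_allowed(p, resource, action, now)
    if allowed:
        p.last_used[(resource, action)] = now
    return allowed

def grant_jit(p: Principal, resource: str, action: str, now: datetime, ttl: timedelta) -> None:
    """Elevate for a bounded window instead of handing out a standing role."""
    p.jit_grants.append(Grant(resource, action, now + ttl))

def stale_entitlements(p: Principal, now: datetime, max_idle: timedelta) -> list:
    """Audit helper: role permissions never used or idle longer than max_idle (revoke or re-justify)."""
    stale = set()
    for r in p.roles:
        for perm in ROLE_PERMISSIONS.get(r, set()):
            last = p.last_used.get(perm)
            if last is None or now - last > max_idle:
                stale.add(perm)
    return sorted(stale)

def run_scenario() -> dict:
    """Walk the article's examples through the checks (constructed names and timestamps)."""
    t0 = datetime(2022, 2, 1, 9, 0)
    alice = Principal("alice", {"sales"})
    tom = Principal("tom", {"data_entry_temp"})
    out = {"sales_crm": access(alice, "crm", "read", t0),                # True
           "sales_hr": access(alice, "hr_records", "read", t0),          # False
           "temp_append": access(tom, "intake_file", "append", t0),      # True
           "temp_download": access(tom, "intake_file", "download", t0)}  # False
    grant_jit(alice, "hr_records", "read", t0, timedelta(hours=2))
    out["jit_in_window"] = access(alice, "hr_records", "read", t0 + timedelta(hours=1))  # True
    out["jit_expired"] = access(alice, "hr_records", "read", t0 + timedelta(hours=3))    # False
    # 90 days on, nothing in the sales role has been used for 60 days: flag it for review.
    out["stale"] = stale_entitlements(alice, t0 + timedelta(days=90), timedelta(days=60))
    return out

if __name__ == "__main__":
    print(run_scenario())
```

Permissions that were never exercised are reported as stale as well, which is deliberate: a privilege nobody has used since it was granted is exactly what a periodic review should question.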

 

In this video, you'll learn how people working remotely during the pandemic accelerated the adoption of Zero Trust security.

Hello, everyone.
I'm Rob Otto from Ping Identity.
And I'm here today with Ben Bulpett from SailPoint.
We want to talk about the new normal of working from home.
Hi, Ben, always good to see you again.
>> So good to see you as well.
And obviously a shame that we can't be face to face in these strange times, but great to have a chat with you this morning.
>> Yeah, it does feel like a while since the last time when I saw you or anybody else in person, really, but as you say, here's hoping that.
[LAUGH] >> Yeah.
>> That we might get back to that at some point.
That said, though, Ben, I mean, remote working really is becoming the new normal for a vast majority of organizations.
Here at Ping Identity, we've obviously been speaking to a number of our customers and a number of prospects around this new paradigm, this new model.
And there are certainly challenges that these organizations face.
So I'm sure you've probably heard of some.
>> Yeah, so look, I think the statistic is something like 16% of workers prior to COVID were working from home.
I think currently, the statistics say it stands at 84%.
So the shift of that remote working challenge that organizations have had to do in the, what, three, four months has been quite phenomenal.
Are they gonna be coming back to this traditional office-based environment?
They've demonstrated that they can work from home.
They've demonstrated that they can be proficient and efficient as well.
So I think we're gonna see this working remotely, this adoption of Zoom, which has obviously now become a verb in the English language, something that's gonna be here to stay, I think.
>> This, of course, does tend to reinforce things that we've been talking about for some time.
It puts a lot of strain on some of the more traditional ways in which application access is enabled and, of course, in which applications are secured.
A lot of organizations today work on the assumption that the people who need to access things are in a known location.
They're in the office.
And as a result, you have that, if you like, that safety net of the secure perimeter that organizations can use as a proxy in order to determine who should be allowed to access things.
Obviously, we're both in the identity and access management space.
And this is a message for us that's been a part of our standard discourse for many years now that organizations really need to be focusing on the identity of those individuals.
They need a security policy that starts with a strongly verified and a strongly authenticated identity in order to ensure that the correct users are able to access the correct things, right?
>> The challenge I think organizations face is that the identity and the perimeter that they previously secured is now actually coming down to the individual identities in their organization.
You and I, Rob, have talked about the concept of Zero Trust, and I think Zero Trust has never been more appropriate in what has happened.
You need to now know who has got access to what applications, what they're doing with that access.
Is it appropriate?
And actually then be able to audit that and clearly demonstrate to the auditors and the regulatory bodies that you are in compliance and you do have control of your application and your data.
What we've seen with COVID is a bit of a break glass approach, where we've had companies just sort of give access and they've got people online to be productive.
They now have to go back and put this identity governance and this access control in place to sort of ensure that they have got controls.
Because as people do transition back into this new way of working and say, well, actually, I'm not gonna come back to work.
I'm not gonna spend time on the 6:30 train just to get into London.
I think the whole concept of identity governance and putting in a Zero Trust approach around that is gonna become critical.
And something that I know you and I have spoken about for the last couple of years as a strategy that organizations need to start to adopt.
>> Yeah, absolutely right.
So I think something you've touched on there is really important around productivity.
And obviously, in the identity security space, this tends to be one of the things that we speak to organizations about a lot is: where exactly is that trade-off between employee productivity as opposed to security?
So again, what becomes really important is it starts obviously with understanding who your users are, ensuring that you are able to correctly identify those users.
And secure their access in such a way that respects the principle of Zero Trust, respects things like least privilege access and allows you to enforce defense in depth.
So one of the things that we're seeing as becoming really important is the ability, while still enabling remote access and while doing so in a way that moves towards Zero Trust, but that doesn't make decisions based purely on the user's location.
We do still need to try and find mechanisms to improve their productivity.
Things like not always making them go through a multi-factor authentication challenge for everything that they access.
I'm not sure if you're having similar conversations to those with your customers.
>> Yeah, look, we've had a number of conversations with organizations who are sort of now engaging in a more, what I would define as an executive engagement level conversation around identity governance.
How do you get your data back?
How do you ensure that you minimize that access?
How do you ensure that you control the people who have been accessing your systems are done correctly?
So this whole concept of trust no one, don't trust the network, and don't trust any device, I think is gonna become more critical.
And I would actually say that firstly, organizations need to put a really strong access control and governance process in place.
Get control of the access, get control of the identity, put that Zero Trust in place.
So for us, our conversation is actually do more, get secure, become more paranoid, get control.
Once you've got that and you've got your staff and you've got your policies, then start to let that go.
We're not advocating in any way, shape, or form at the moment that people should let their policies lapse or sort of be lenient with them.
Because I think the challenge is gonna be as the join or move or leave process kicks in and as we probably have more leavers than we do joiners.
>> Ben, look, I think you're absolutely spot on here.
You need to be in control.
You need to be able to show those important things around access governance as you've said.
Making absolutely sure that you know who's coming and making absolutely sure that those people are getting access to the right things.
I think the other thing that's interesting in what you've sort of brought up is that organizations more than ever are going to need to be more agile in the space.
I mean, we've seen, probably for most organizations within the course of two or three weeks, an event that meant they had to completely turn upside down everything that they did in terms of how their workforce is able to do the simplest thing, which is log in the morning and access their applications.
>> I think the reality is this is going to be the new normal.
As I said before, when you had that massive shift in such a short space of time with people working from home and actually trying to be and I think demonstrating productivity.
And you've seen organizations announced by Facebook and Google, this is gonna be the way that they encourage their staff to be.
So I think this is going to be a fundamental industrial shift that we've seen.
But rather than happen over the years that we typically experienced, it took ten years for the iPhone to sort of become really embedded in today's cultural society.
This has happened in three months.
And I think organizations need to adapt their security and access control and governance policies because this is going to be how it is.
And the firewall and that controlled environment around their perimeter, around their offices are fundamentally disappearing.
And they've got to be prepared to be adaptable and agile, but also have all the correct governance, security policies, and access controls in place to give their ability to allow their users and their employees to come in.
But more importantly, to continually demonstrate to the regulator and to the industrial bodies that they're a part of that they have control over who's got access, how they got access, and what they're doing with that.
Those three questions are gonna become board level conversations that auditors and CEOs will be asking CISOs: I need to have answers to that.
Because that is exactly how I'm gonna be asked by the committees, by the shareholders.
Have we got control of that?
And do we actually know who's got access to our systems and what they're doing?
>> It's interesting, though, as you say, this becomes a new way of working.
Many of those office-based roles are transitioning to remote and are probably going to stay remote for some time to come, perhaps forever.
What this really means, though, is that any investment now in a platform or series of platforms that allows strong identity-based governance and access really does become a strategic investment for organizations.
And they're going to reap rewards from those investments in the years to come.
It is obviously really important, though, that the tools that we use and the platforms that we put in place are able to allow us that agility over time.
Our access control systems need to be adaptable, need to be agile enough to recognize their changing behavior.
And to adapt themselves so that the first time I log in from home from an IP address that hasn't been seen before, of course, I should be prompted for a multi-factor authentication step up.
But the tenth time that I do that, if it's happening every day at the same time, the application really needs to be smart enough to adapt to figure out, well, this is now a normal pattern of behavior for Rob.
So we're going to step down that friction, or we're going to increase his productivity by not making him do the fingerprint swipe on his phone every morning.
>> One of the concepts that we've talked about is this role or this capability called dissolving entitlements.
Look, if someone's not accessing a particular application or a particular file share or a particular team shared site, the application and the identity governance platform should start to take away that access.
With the capabilities of machine learning and an AI, we know what their access is.
We know what they have access to.
That can be stored into the identity governance and the access manager platform.
And then when they come back on to log onto that system two, three, four, five weeks later, they can be challenged.
And they can be, say, well, you haven't logged on to this.
We know what entitlements you had.
We know what access you had, but we're now gonna challenge you.
Because actually what we want to do is minimize and mitigate that risk.
Historically, people have logged into their machines when they've walked into the office between 9 to 5:30.
Well, now, people are working longer.
Maybe I'm gonna log in at 7:30 at night.
I've taken the dog for a walk, played with the kids, put them to bed.
And now I wanna log in.
Well, if I do that the first time, I want the system to challenge me.
I wanna be challenged by that because those entitlements that we typically see between 9 to 5 are now coming in at a different time.
I wanna challenge, I just wanna make sure who you are by asking you not only what you know, but also challenge you with something that you have.
And I think that's where the governance and the access tools that you and I talk about through Ping and SailPoint start to come in.
Which actually is we build in AI and machine learning into our platforms.
Have they got the right entitlement rights or do we need to look at the role that they're undertaking?
Is it something that we need to perhaps put a new policy in?
And I think that's where you start to see this autonomous identity, this whole capability of AI and machine learning.
That's gonna be the next evolution of this governance platform, which again, will further support the concept of Zero Trust.
Because the machines and the AI will start to put even more security around it, but actually you start to make decisions that are safe and secure, but again, fully authenticable.
>> Absolutely, the benefits of a strong security approach based on the concepts of identity and access management, of strong identity governance, of strong and adaptive access.
Not only do they allow organizations to cope with an unprecedented, if that comes along, such as the COVID-19 pandemic, which nobody really had much warning at all.
But certainly, they start to enable an organization to be a lot more agile in terms of how and where their workforce is deployed and where they access from.
And essentially, it's an investment in future proofing your business, allowing you to handle these new scenarios that might come up.
Any closing thoughts from yourself, Ben?
>> Yeah, look, I gave an interesting talk once about the free solo climb by Alex Arnold, who did the climb on the El Capitan without any ropes or harnessing.
I thought it was a fascinating insight into any individual, but very, very, applicable to our industry.
Everyone sort of looks at Alex and the way he climbed it and it wasn't that amazing.
But what people didn't realize is that he had a whole team around him.
He practiced that.
He had the best equipment available to him.
He tried, and there was even a story that the night before he climbed the free solo, he climbed up, dried some of the rock, made sure the chalk markings were on the rock for his footings.
But what was the most important thing is that he achieved that through working with the best teams and using the best tools and the best equipment that was available to him.
And what SailPoint and Ping have given and have clearly demonstrated by combining our technologies by taking a joint, combined, integrated approach.
We give people the best tools, the best equipment, the best chance of success at protecting their environment.
And for me, that's gonna be critical.
It's not about one-size-fits-all.
It's about having the best team, the best equipment, and the best integrated solutions that allow organizations to mitigate and protect themselves against this new way of working, this new norm that's gonna probably be here at least for the next 6, 12, 18 months.
And maybe, as I said, maybe we'll never go back to the 6:30 journey on the train with the trains packed.
Maybe people will start to sort of embrace a slightly more work/life balance because we clearly demonstrated that we can be as productive, as capable, and as efficient working from home.
>> Absolutely, thank you so much, Ben.
Again, yeah, really just to reiterate that, organizations can feel they'll be in really safe hands with Ping Identity and SailPoint.
Both organizations with a really long and proud track record of focus in this industry.
Ben, thank you so-
>> Thank you, as always, good to see you, and catch up soon for a beer, hopefully.
>> Absolutely, let's hope so.
Do take care.
Thank you, Ben.
>> Cheers, mate, thanks, bye.
>> Bye.