“It is not inconceivable that in five to 10 years you might get Chief Identity Officers,” says Andre Durand, CEO of Ping Identity, when I meet him for coffee in London.
Durand is a serial entrepreneur who has founded and grown a number of software companies, including Open Source instant messaging platform Jabber, which was bought by Cisco in 2008. Ping Identity, which launched in 2002, arose out of the question: “What’s more important than your identity?” he tells me.
Back then “I didn’t realise it was a security question”.
Now the concept of a verifiable identity sits at the heart of much security from the wi-fi network up. This is a natural transition as, over the last few years, a slew of cloud-first companies – like Salesforce and Workday – have emerged to transform regular business process. And the whole business of everyone logging onto the cloud has created complexity and opportunities aplenty.
Ping Identity is one of a number of companies in the identity management space – along with competitors like Okta and OneLogin – which provides an enterprise solution.
“The last decade broke the entire model of security,” says Durand. There aren’t that many programs behind the firewall anymore because most of the back office, HR and other office functions are now a SaaS app.
“When employees left [the company] IT used to just take them off Active Directory,” he says. Today it is all much harder because an individual can have login details to all kinds of online systems which house sensitive company data.
This June, Ping Identity was acquired by Vista Equity Partners for $600 million and then went on to acquire Unbound ID at the start of August. The latter essentially provides the company with a data store where individual user profiles and privacy preferences can be housed.
Durand is reluctant to share a specific roadmap for the next few years. Yet he fundamentally believes we need to change the way we view security and place identity at its core.
“Passwords have lived their time and are no longer sufficient,” he says. He feels these will be gone within five years. This argument has been rehearsed for a long time now but Durand says “in the past we didn’t have an economical means of doing it”.
There were RSA tokens which generated one time passwords but these “physical tokens were hard to use and expensive”. Today there is Single Sign-On and we all have a mobile phone which utilises various biometrics to verify us. “The economics of strong authentication have improved.”
“We used to be anonymous but soon we will be authenticated by default,” he says. He believes this notion of a verified identity will extend far beyond people and into inanimate objects – which will be checkable and traceable via IoT sensors. So, for example, your fuel will be verified to prove it is not watered down.
This extended network also means different levels of authentication can be contextualised and mapped to the risk, so the system will automatically require stronger authentication for some tasks over others. This is not so different from now except it will become more effortless and seamless.
The problem that Durand sees at present is that there is a sharp divide in thinking between the security people and the identity people. “When I talk to people in security companies – who are super smart people,” he explains: “We’re talking to each other but not talking to each other. They see the world differently.”
This is because the way people have thought about virtual security has always been the same as the way we protect physical environments. It has been about putting in gates rather than verifying an individual.