I just notched my 8th year working at Ping Identity and I'm happily starting in on the next 8 at Ping. It has been an amazing ride with a rare group of high execution, high integrity, high character, fun loving leaders...and we're really just getting started. The occasion of my 8th full year at Ping - and my 12th full year working in the Identity space - triggered some thinking about where the Identity world is at this moment in time. That thinking led to some writing of notes. That writing of notes led to my first blog post in a long time.
And so...
This is a picture of Richard Nixon visiting Cairo Alexandria (hat tip @stavvmc), Egypt in June 1974. We can’t imagine a US president riding in such a motorcade in Cedar Rapids, Iowa in 2012 much less Cairo!
The point:
What will never change is the necessity for presidents to travel the world to get the business of the United States done. In current times, the same level of security applied at the White House travels with the president. (Colombian prostitutes notwithstanding).
In the same way presidents travel to get the work of the US done, in 2012, the best companies are making strategic decisions about where to run core business processes. Many have decided that in order to stay competitive and win, core business processes must travel.
A business might run HR at HQ or in Hyderabad. They might build their own ERP, run a traditional off the shelf monster package, or lease ERP compute from a 6 month old cloud vendor. They can patch together open source CRM, buy pure cloud Salesforce.com, or run a hybrid from Microsoft Dynamics. In this age of radical change and radical choice around IT architecture, IT shops are tackling the challenge of how best to apply appropriate levels of security - regardless of where business leaders choose to run core business processes.
Companies large and small, leading edge and mainstream, now recognize that IT security must travel along with their business processes. The broad recognition that a new approach to security is required in the current environment is what is driving the astounding momentum behind Ping’s business. Leading companies are establishing Identity as the cornerstone of their approach to security and we are taking orders left and right to help them get where they want to go.
Why the shift towards Identity as a cornerstone? Because Identity is the only security function that can travel.
Identity can travel because over the past 10 years our industry, always led (and often dragged) by Ping Identity, has done the heavy lifting to establish rigorous interoperability standards that actually work. Identity standards such as SAML are becoming the bedrock layer of IT security because they allow IT security to match up with what the business requires IT to look like in 2012. Business needs IT to be distributed, business needs IT to be spread across many clouds, business needs IT to be highly interoperable. Business needs IT to be highly secure.
The ubiquitous adoption of standards that provide secure interoperability between and across business boundaries is inevitable. That’s obvious to any astute observer. Ping is leading this next wave of IT security - that’s also becoming increasingly obvious.
This is why after 8 years I am more fired up than ever. We've built a platform, we've built out an amazing team, we've rolled up market visionaries and influencers as loyal customers - and we've barely scratched the surface. Look out. Let's Go!
I walked out of the Google Apps Marketplace launch last night in Mountain View convinced of a couple of things. One, Google consistently gives out cool schwag, caters well, and runs some of the best lit PR events in the tech space. Perhaps as important, with the new Marketplace, Google has extended the same degree of hospitality on the Apps front and in doing so, they have established a new standard for how business users should expect to use applications. The Google Apps Marketplace is a retail storefront and a set of APIs that enables a bundling of tightly integrated SaaS applications. The apps demoed last night represented a range of business processes from Intuit's payroll to Atlassian's product management to a force.com CRM app from Appirio - all showed seamless integration with Google Apps such as GMail, Calendar, Chat and all kept the user completely in the browser for all tasks.
From an Identity standpoint, Google has positioned Single Sign On as a default integration point.
The Apps Marketplace model lets users move into and out of all manner of secured business applications without logging in over and over. Removing logins from the flow is a huge step forward in usability. By putting SSO front and center, Google has established seamless SSO integration across multiple apps as an expected part of the user experience - other competing Cloud platforms will likely follow suit. More tightly integrated apps and fewer logins is all good news for end users.
On a personal note, it's great to see the vision for seamless access to Cloud applications that we have been working on at Ping Identity get mainstreamed by Google. We've collaborated closely with the team at Google to develop secure solutions that make it simple for SaaS vendors to plug into the Google Apps Marketplace. Look us up if you'd like more detail on how it all works.
The anatomy of the Twitter breach as detailed in TechCrunch speaks clearly to the lengths that a determined attacker will go to gain access to proprietary information. The specifics of the attack are complex and involve a number of ingenious inter-related actions on the part of the attacker who did ultimately gain access to a single user credential at Twitter. Although the methods used are complex and much of the post game discussion has focused on high level security risks associated with Google Apps, the fundamental architectural characteristic that makes this type of attack possible at all is the publicly available web form for collecting user names and passwords.
The attacker was able to manipulate all of the publicly available functionality that is set up to support web form authentication and gain access to sensitive information as a result. Exposing password resets, question based authentication, email notification – (i.e. all of the machinery required to support the public web form) to anyone with a browser is an invitation to serious mischief.
The Twitter breach is a teachable moment for companies adopting cloud applications. In simple terms – since the fundamental risk is having web authentication forms on the public Internet, it follows that the best place for authentication of enterprise users to occur is behind the firewall. Technology designed to make it simple for companies to leverage an existing secure authentication (that happens on a secure network) to provide access to cloud based applications is the most secure, least intrusive, and most cost effective way of addressing security risks like the ones that were exposed at Twitter.
In my five years and counting at Ping Identity we’ve built from zero to a customer roster of over 370 companies around the world, including 42 of the Fortune 100. To a large extent, the credit for Ping’s growth goes to the simple premise that there is an inevitable trend that continues to move credential collection to the most secure location available. The recent news about Twitter and their struggle with authentication to Google Apps fits this pattern perfectly.
The implications of this trend for emerging cloud based Identity Provider solutions are an interesting related topic. Ultimately, credential collection can be done securely on the public Internet - but it requires well thought out layering of single sign on, monitoring, and strong forms of authentication. More on the best practices developing around Cloud based Identity Providers in a future post...
I attended the Google Enterprise CIO Summit at the Google offices in Cambridge yesterday. Dave Girouard, Rajen Sheth and Alex Diacre presented. Couple of interesting takeaways/quotes:
The momentum around the migration of enterprise IT architecture to On Demand models is undeniable...and likely to accelerate in the forecasted IT spending climate.
We started planting mustard seeds in the SaaS community two years ago - it is nice to look at a snapshot now and see what we've accomplished - 130 SaaS/BPO vendors adopting Ping for internet SSO.