Interview: Managing Non-Human Identities in Cybersecurity

Transcript

00:00:00
Welcome to TechStrong TV. I’m Lisa Martin live from the show floor at RSAC. This is our 10th year covering RSAC from Techstrong. We’re going to have some great conversations all week, so stick around with us. Alan Shimel will be here, and Mitch Ashley, some other great folks. I’m joined by my first guest of the day, Alvas, the CEO and co-founder of Entro Security. It’s great to have you on Techstrong. Yeah, thanks for having me. The launch was about two and a half years or so ago. I saw

00:00:27
recognition from NASDAQ. That’s exciting. Give us a picture of what you saw gap-wise. You were mentioning before we went live that you were a cyber practitioner for a long time. What gaps in the market did you see and go, “we can solve this”? Yeah. So, Entro is a non-human identity life cycle management company. We’re helping organizations to protect their non-human identities like service accounts, API keys and so forth. So, prior to Entro, I was responsible for the internal security at Microsoft.

00:00:52
Prior to that, I was a CISO for a healthcare services company. I was supposedly breached a few times by non-human identities. Yeah. So that’s what led me to start, and so, yeah, the main problem we’re seeing in the industry is that usually developers are the ones who are creating permissioning using those non-human identities, and they also scatter them around, like committing them into code and sending them over Slack and so forth. And the main problem we’re seeing is that security teams don’t really know

00:01:20
how many non-human identities they have and where they are. Devs are working on their own without security involvement, with no security oversight whatsoever. So you came on and said, we can help. So are you bringing the developers and the security folks together? Is that kind of one of the main things that you were facilitating? Letting development do what development does best, which is develop, and develop best and enable the business. But we’re an overlay platform that finds

00:01:46
all of those non-human identities and then gathers them, doing risk assessment, abnormal behaviors around them, and basically giving visibility and risk assessment to security teams while we’re not touching anything the development teams are doing. So completely out of band. Okay. Excellent. It’s a great collaborative environment, which is essential these days. It’s not even a nice-to-have. It’s essential. Talk a little bit about non-human identities. What are they? What are some of the

00:02:13
critical functions that they handle? So non-human identities, those are the credentials, if you will, that applications are using in order to access and authenticate to the resources those applications need. So if you have an application that needs to use a database, it needs some sort of a way to authenticate against the database. And that’s the function of a non-human identity, a programmatic credential, basically. So they’re becoming more and more common, yet they’re also opening a door from a security breach perspective.

00:02:44
Talk a little bit about a balance there. Currently we’re seeing that for every human identity, like a human user, there are 92 times as many non-human identities. 92, which is insane. That’s an insane amount. How do you even manage that? You’re unable to manage it without any sort of platform to help you do that. Yeah. And again, because developers are the ones who are creating them and managing them, or unmanaging them, security doesn’t really even have an inventory to answer the question of how many they have and where

00:03:11
they are. So of course doing risk assessment, rotating them, like resetting their passwords and so forth, those are things that organizations are really struggling to do. Yeah. The visibility on it, 92 times NHIs versus humans. I imagine we’re just seeing AI assistants are just becoming indispensable for every type of organization. How do you manage that? So it’s the same problem. AI, it’s another application that needs to access resources within your organization, and they are using non-human identities in

00:03:42
order to authenticate against the resources within the organization, so that’s only increasing the current problem of non-human identities. Is it time organizations start treating these assistants like employees? I believe so. I believe so. I believe that in the near future we will start seeing those non-human identities being used by AI agents, creating more non-human identities and starting to do stuff within the organization on their own. And they will be kind of an employee. Yeah, I believe so. So the challenges there from

00:04:14
a manageability perspective for security teams to get their handle on all of these non-human identities, get the developers really focused on developing code but also managing this growing, probably exponentially growing, opportunity/challenge. How does Entro come into the picture and eliminate those challenges for organizations? So again, the main problem is they don’t have any visibility or risk assessment around them. So what Entro is doing, we’re able to find all of them and basically automate and secure their life

00:04:46
cycle. We’re treating them as if they are human identities, like your onboarding of humans and offboarding of humans. We’re doing the same for non-human identities. So we’re finding all of them, giving you an inventory. So you will be able to answer the question of how many non-human identities you have and where they are. We’re then enriching them to a point where you know which applications are using what non-human identities to access what resources, and other vital data around them like human

00:05:11
ownership, permissions and so forth. And once you have the inventory and the classification, the map of what they are being used for, now you can do risk assessment. Okay, now you can answer questions like: do I have non-human identities with more permissions than needed? Are they not in a secure location? And so forth. And then we’re doing abnormal behaviors, which means, let’s say someone from North Korea is using your non-human identity to access your environment. That will probably be, you know, an abnormal behavior. Risky. A little

00:05:42
risky, something you would like to prevent. We’re going to prevent it for you. We’re going to move them to a secure location, and basically, once they are no longer in use, we’re going to offboard them for you. Is it also part of shutting some of them down if they are insecure or also not really serving the right purpose for the business? Yes. So usually when we’re entering an environment, when we’re starting to onboard Entro, we think that about 40% out of all non-human identities are no

00:06:08
longer in use. They are enabled, 40% are enabled, someone can use them, but no one is using them anymore. Idle, stale. And yeah, that means that we’re disabling all of them, deleting them and basically decreasing the attack surface by 40%. Wow, that’s a big number. Almost... that’s a big number. And during, like, the first week. Necessary, an opening exposure to risks for organizations. What problem do companies come to you with? I imagine they don’t know what they don’t

00:06:36
know. Exactly. So what’s the customer conversation like when you’re talking with a prospect? They say, we’ve got a problem. Like, everybody is aware about the problem. They know developers are creating permissions and non-human identities to access databases and storage accounts and other resources. They know it’s being done within the organization, and they would like a way in order to control. Control what? Yeah. Control, govern what those developers are doing. That’s the main

00:07:07
problem. Security wants to govern any identity that can access their environment and data. And is it developers that are creating these, or are there other users within organizations? It’s usually developers, DevOps, like developers, DevOps, accessories and so forth. Those are the ones who are creating them. And their objective is what? So again, those non-human identities like service accounts and so forth are being used by applications in order to authenticate against resources like a database. So the

00:07:33
objective is to enable the application to authenticate and connect to resources the application needs, like storage. Offloading that task from a developer, for example? Yes. Managing that. So, what is a favorite customer story of yours that you think really shines the light on why you co-founded Entro, and really big, you know, reductions in these NHIs that you’re helping companies achieve? What’s your favorite customer story? Yeah, so actually, just like I think one month ago, a DevOps person left an organization. He left

00:08:06
the organization and he downloaded all of those service accounts, all of those non-human identities. Wow. And that was picked up by Entro, by our abnormal behaviors. So we helped them to find everything he downloaded, all of the credentials, all of the non-human identities, rotate them, like replace their credentials and so forth. So stuff like that that we keep seeing really gives me and the team, you know, the energy boost we need to continue on. And the confidence that you saw the right problem to solve for these

00:08:37
organizations. Correct. And is this across, I imagine this is across industries, including government? Including government, for sure. Every organization that has internal development has non-human identities. Yeah. Yeah. And lots of them. Some of the stats you threw out were shocking: that there’s a 92x multiplier, NHIs versus humans, and that 40% of them are either not usable or not necessary. So usable but not in use. They’re not in use. Yeah. Idle. And also, you know, by IBM Cost of a Data Breach, probably the

00:09:09
most, the best report in the industry, and the Verizon report the second best, both of them are saying that non-human identities are the second most frequent attack vector and the number one most costly attack on organizations. So that’s a real huge issue for organizations. Wow. What are some of the things that folks here that are attending RSAC can see and learn at your booth? I know you guys are exhibiting here. Yeah, they should definitely come to the booth and understand how we’re able

00:09:35
to find all of them, how we’re managing the life cycle of them, reducing their permissions, rotating them, assigning ownership and so forth. They should definitely stop by and see how they can fully manage and solve the non-human identity problem. What’s the time frame? I should have asked you this earlier. What’s the time frame, by the time Entro gets into an account, where you’re finding all of these NHIs and giving the control back to the organization? Is this something that

00:10:01
happens fairly quickly? Yeah, very quickly. Usually onboarding takes like 15 minutes. We were able to connect like that. Wow. And then to scan for everything. Okay. So, the time to value is really short. Correct. That’s outstanding. What’s next for the business? You’re two and a half years old. What are some of the things that we can expect on the horizon? Anything on the road map you can share with us? Yeah, we’re continuing to grow. We’re gonna keep creating and doing lots of

00:10:27
partnerships. So, we’re already partners with WH. We’re partners with other great companies. So, we’re going to continue to expand what we’re able to do and who we can work with. Hopefully we’ll keep leading the market. That’s awesome. Thank you so much for joining me on TechStrong TV, talking about non-human identities, the challenges there, but the opportunities that Entro is delivering to your clients across industries. We appreciate your insights. Thank you. Thanks for having me. All

00:10:52
right. For Alvas, I’m Lisa Martin. You’re watching Techstrong TV live from RSAC. Stick around. We have a full day of coverage today, tomorrow, and Thursday.
