RSA CEO Rohit Ghai on Authenticating Users to Mobile DevicesHow to Defend BYOD Devices Without Installing Software or Creating Friction
The long-standing divide between mobile app detection and identity and access management has fueled cyber incidents and breaches as remote work has expanded.
Workers using personal smartphones don't want to install corporate endpoint management products but still need to ensure both user and device are protected while carrying out business functions, says RSA CEO Rohit Ghai. To solve this common vulnerability, employers need technology that can safeguard personal mobile devices without involving the company's security operations team or interfering with the user's experience, Ghai says (see: RSA CEO Rohit Ghai: 'Disruptions Catalyze Transformation').
"If this is not a company-managed device, you don't have as much assurance about whether the device has been jailbroken, if it's been compromised or if it's in the possession of the actual user you're trying to authenticate," Ghai says. "That lack of assurance creates vulnerability in terms of authentication, because this compromised device could potentially be used to access sensitive data in the corporation."
In this video interview with Information Security Media Group, Ghai discusses:
- What's changed about detecting threats on mobile devices;
- Drivers and opportunities for passwordless authentication;
- The most in-demand services for RSA's authentication products.
Prior to the September 2020 acquisition of RSA by Symphony Technology Group, Ghai served as president of RSA during its tenure as a Dell Technologies business. He previously served as president of Dell EMC's Enterprise Content Division, where he revitalized the portfolio for the digital era through strategic partnerships and acquisitions. Ghai was responsible for all aspects of the ECD business, including sales and services, channel strategy, product development, marketing, finance, support and customer success. He joined Dell EMC in December 2009 to run product development and was chief operating officer of ECD prior to becoming president. Ghai joined Dell EMC from Symantec, where he held a variety of senior engineering and general management roles. Previously, he worked at Computer Associates in a number of senior management roles in the BrightStor and eTrust business units, and he led the CA India operations as chief technology officer. Ghai joined CA through the acquisition of Cheyenne Software, a startup in the backup and data protection space.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Rohit Ghai. He is the CEO of RSA. Good afternoon, Rohit. How are you?
Rohit Ghai: Hey, Michael, very well, and glad to get into discussion with you.
Novinson: Of course, we're happy to have you here. Why don't you start off by talking a little bit about your recent launch of RSA Mobile Lock? What's the significance of this product? And what will it mean for customers?
Ghai: Yeah, I think, as you know, security is a very fragmented market. And we kind of looked at different parts of the attack surface and kind of tackled it in a siloed basis. What Mobile Lock does is it brings and breaks down some of the silos and remove the middleman, I like to think, right? So, typically, you know, we live in the world of hybrid work. And mobile devices and identities are two places, which are, perhaps the root cause of many cyber incidents and breaches. And what we've done through Mobile Lock is taken, you know, mobile threat detection, and combine that with identity and access management. So, you know, we measure, I guess, the level of threat activity and the level of compromise on the device. And based on that, we are able to adapt the authentication and access management capability to step up or down as the need maybe. So we believe that this is a game changer, because, you know, customers are grappling with this idea of BYOD, where, the users of the devices don't want any corporate endpoint management solutions, as such, combining all of that into one identity access management solution to protect and assure not just the user, but the device that the user is using is a game changer. And I'm really excited. We just launched it just a couple of weeks ago, and getting great reception from our customers.
Novinson: What are the biggest differences about trying to detect threats on mobile devices versus more traditional client devices, especially if it is personally on mobile device?
Ghai: Yeah, you know, when it's personally on mobile device, there are some restrictions. You want to assure, you know, sort of the data privacy - you cannot have a solution that is monitoring, you know, more intrusively and getting in the way of the customers' user experience. And as such, you know, the other thing you don't want to do is you don't want to have the security operations teams involved. So in this case, what we've done is we've bypassed that middleman, which is the security operations team. Effectively, what you do is you have your threat detection capability on the mobile device. And only, you know, it does not talk to any human being at all, anytime it detects a level of threat, the only party it's talking to is our identity access management solution on the mobile device themselves. So all that analysis never actually leaves the endpoint device, right? So the customer or the user is assured of their privacy. It's not intrusive, it's not getting in the way of their experience, and yet protecting them against the cyberthreats that you know, abound these days.
Novinson: And from an authentication standpoint, what's different about trying to embed secure authentication on a personally mobile device versus a corporate on device or client device?
Ghai: Look, you know, you could think about authentication, we've all heard about the different factors of authentication. And with mobile device, what we use it for is, you know, one form of authentication is what you have, which is your mobile device. And the other is typically what you know, which is either a password or a one-time password, etc. So if this is not a corporate-managed device, you don't have as much assurance about whether this device has been jailbroken, or if it's been compromised, or, you know, it is indeed in the possession of the actual user that you're trying to authenticate. So that lack of assurance, I guess, creates vulnerability in terms of authentication, because, you know, if you have a one-size-fits-all authentication model, then this compromised device could potentially be used as an access path to, you know, sensitive data into the corporation. And that's what we're trying to block and prevent by making sure that through Mobile Lock, you have that level of assurance of the device. And based on that, we are able to step up or down the level of authentication that you need.
Novinson: I wanted to talk a little bit about passwordless authentication, especially given RSA's history with the physical access token. What's your view of passwordless and what are you attempting to do with DS100?
Ghai: Yeah, great question, Michael. We are very excited about passwordless. We've been on the board of FIDO and have been actively involved in innovation on the passwordless front. And we are excited - we announced earlier this year, this capability called the DS100, which is our newer, you know, physical token. And it's a multi-function device. So in addition to the classic SecurID-based one-time password authentication, it offers a FIDO-based authentication, which can offer passwordless experiences to users. So if you think about user, you typically log into your devices, your laptop, your PC, your mobile device, or you log into applications. And, you know, what you want is you want to experience where you're not constantly being asked to provide a password because that creates fatigue, that, you know, kind of inhibits the user experience. So passwordless, I think, is a game changer, not just in terms of security, because you're not vulnerable in terms of like, less sophisticated passwords, but it improves user experience. And finally, the third thing it does is it reduces the cost of managing these passwords. Passwords are very expensive to manage in an enterprise IT environment. So reduce costs, improve security, improve user experience, that's why passwordless is great. And DS100 is the first FIDO-based device that we've introduced that offers passwordless experiences to our customers.
Novinson: Want to get a little bit more color around the relationship between RSA and Federal Alliance, because I realize with SecurID, you've had your own one-time password offering, you've been in this space for a while. FIDO has come along with their own authentication, or their own passwordless standards and protocols. Are they a competitor? Are they a partner? Is it a bit of competition? What's the interplay here?
Ghai: Yeah, our view is that authentication is - you know, the MFA does work with, the acronym itself says multi-factor authentication. We believe that there'll be multiple protocols and multiple factors that will be in the marketplace, Michael, and, you know, there'll be different authenticators that will be appropriate for different use cases. So as we fully embrace FIDO, we don't think of it as a competition. It's just not the protocol that we need to support on our back-end server. And, you know, we all have always taken pride in serving the security-first or security-sensitive organizations. And these organizations, what is typical about them is that they are very complex in terms of the added complexity of their IT estates. And they're very complex in terms of the different variety of users that are in their IT environment, right? Its employees, its contractors, its suppliers, or third-party vendors, it's also customers now. So assuring the identity of these different spectrum of users in a very complex IT estate requires multiple protocols and multiple authentication solutions. So we on the RSA side, you know, we want to offer identity and access management platform that offers a broad variety of authenticators, including FIDO as well as our own SecurID one-time protocol.
Novinson: Got it. Shifting gears a little bit. Wanted to talk about security as a service. And I know when people think historically if RSA and SecurID, it's really a product-centric notion, what do you see services fitting into the equation going forward?
Ghai: Yeah, you know, we are executing on a very, you know, first of all, we're seeing great business momentum in our independent configuration. And a key source of our growth, Michael, has been the shift from a product-centric, one-time perpetual software-based selling motion to a software-as-a-service selling motion, as well as a managed service capability in the marketplace. We fully understand that, you know, talent is a huge problem in the cyber industry. You know, we talked about it every year at the RSA Conference. And as such, we want to mitigate that issue by offering software as a service where the task of operating the software is RSA's responsibility as opposed to our customers'. And then we've also got our IGA offering. It has started to offer a minute service offering where we go one step beyond, we're not just operating the software, we're actually configuring it on behalf of the customer and fully operationalizing it in their IT environment.
Novinson: Let's get a little bit more color around managed services. What are some of the more typical managed services that you would wrap around the RSA products? What our customers need from a services standpoint?
Ghai: Yeah, you know, the huge area of demand in this area in terms of managed service, Michael, is in the area of IGA or governance and lifecycle. And this, by the way, is a hot area in the identity and access management market. You know, just to give you a sense, you know, in the last several conferences, including the Gartner Identity event that we were at, we noted that, you know, IGA sessions were standing room, only there was huge amount of customer inquiry, we have seen a surge of demand around IGA. And why is that? Because IGA, if you think about that capability, you know, we are hearing a lot these days about zero trust that you need to embrace this model where there is no perimeter-centric thinking, there is no inside or outside, you have to trust no one. And that requires, you know, the core principle of that is what is called the least privilege principle, which means every user or every entity should have only as much privilege as they need and no more, right? And how do you assure that? You assure that through your governance and lifecycle or IGA capability. Your authentication solution, or access solution is only enforcing that privilege, but when you configure that privilege is the IGA offering. And what does that require? That requires you to look at, you know, all the users and entities that you have, and all the applications, devices and resources that you want to protect that you have, and then make sure you are providing just the right level of privilege for each user, or each machine actor or entity that is going to access those resources. This is a very complex problem, especially because we live in a very dynamic cloud, you know, cloud-based environment where workloads are up and down all the time. So, you know, again, IGA, which is this very dynamic problem, requires a managed services approach, because, you know, it just is very intensive and, you know, operationally very intensive and very hard for customers to get right, and requires a certain level of expertise and knowledge, not just about cybersecurity, but about, you know, the best practices in terms of how to configure security for all these applications. So that's where we're stepping in and helping our customers with this, you know, very hot area and we've had, as you may know, we've had IGA capability for many years at RSA. So that heritage of experience is really helping us serve our customers.
Novinson: Shifting gears a little bit to the U.S. government market, what would you say are the biggest green fields for RSA when it comes to serving federal customers and agencies?
Ghai: Look, again, going back to like our sweet spot, Michael, is security-first organization, security-sensitive organizations. And what better example of that than the federal government of the United States. We've always enjoyed kind of a great relationship with governments around the world, especially the federal sector here. We have, in fact, made several investments and innovation. So, as an example, we got FedRAMP certified and a cloud-based offering ID Plus, which we launched earlier today, we have made massive investments in terms of, you know, advanced capability for the federal government. We have the right certifications, we have cleared resources that are required, you know, give citizens capabilities, so we can make sure the federal customer bases appropriately served. Now, you know, financial services and federal are the top two growing verticals for the business here at RSA. And, you know, we are also, I think, enjoying all the tailwind because of some of the recent moves by the federal government executive order by the President in 2021. And, you know, the Office of Management and budget this year, you know, laying out a zero trust-based directive for all governmental agencies to implement zero trust, which basically feeds right into the capabilities that RSA is able to help with, including MFA, including some of our other businesses on the NetWitness side or Archer, you know, all those businesses do think of the federal government of the United States as a big growth area, a big priority, and we're certainly seeing, you know, great business outcomes in this current fiscal year.
Novinson: Your role in RSA - you wear two hats, you're, of course CEO of RSA, the identity and access management business, but you're also the general manager of the RSA Security business group, which includes Archer, NetWitness, Outseer as well as the RSA Conference, all of which are either wholly or partially owned by Symphony Technology Group. Want to get an update in terms of those other assets that are part of the RSA Security business group. What are some of the major activities or developments across Archer up to your NetWitness and the RSA Conference?
Ghai: Michael, at the highest level over the last 18 months, Michael, we've done a lot of work to carve RSA out of debt, make it an independent business that no longer leans on the IT infrastructure from Dell. In addition to that, we have basically stood up these five separate companies, independent companies, so that each of these can focus on their respective area of innovation and move faster and on a more focused basis to serve the customers. So as you know that I wear two hats, I wear the group CEO hat, overseeing these multiple businesses, and then I am the CEO of the identity ProQuest RSA business. In terms of the innovation agenda across all of these business areas, there are so many commonalities, right? One of the common areas is the shift toward SaaS and a cloud-based offerings. Increasingly, all of these businesses are seeing tremendous growth in the SaaS or the cloud portion of their business and have doubled down in terms of cloud-based capabilities, in terms of helping customers migrate from their on-premises deployments to a more SaaS-based deployment model. So that's a common area. Outside of that, I would say that, you know, each business has their own kind of competitive landscape, has their own, you know, strategies that they're executing on. But, you know, at the highest level, all these businesses are fortunate to be in the cyber risk space, which is, despite the economic slowdown, the area of robust investment and growth. So that's kind of the summary at the overall group, RSA, alone.
Novinson: Is there much partnership per interaction, engagement between each of these five arms? Or is the go-forward strategy, really, for each to be able to stand on its own?
Ghai: It absolutely allows and empowers each of these to stand on their own. You know, where appropriate, we partner across the sister companies as we would with any other area. But again, we want to make sure we empower each of these to be completely standalone and completely viable, and independent from the other sister companies.
Novinson: Focusing back here on the RSA identity business, what's on the road map here? What should customers be watching for from the organization as we head into 2023?
Ghai: No, absolutely. So look, you know, at the highest level, we were on-premises authentication player with SecurID, which is one of the product lines within RSA. The other big product line that we've launched earlier this year is ID Plus, which is our identity and access management platform, which combines, you know, capabilities on the application side, access management, as well as identity management, which includes things like governance, lifecycle, orchestration, identity, verification, etc. So the strategy is to basically broaden our platform capability. And that's what we have been doing in this current year. So what customers can look forward to is more and more and faster innovation on the ID Plus platform side. And you know, the DS100 Mobile Lock, or just ProofPoint are examples of that. In fact, later this year, we will be unveiling and releasing a capability in the area of risk-based adaptive capability where customers will have the ability to have a dial between security and convenience, where you can configure the system to the appropriate level of like, if you're a DEFCON 3, you might want to elevate your level of friction in order to assure security. So, you know, at the highest level, this is about a platform that our customers can use. The analogy we use internally is that we were a great swimmer in the past, but the market or the competition has moved to being a triathlon and therefore we must broaden and learn these other skills and be a great triathlete in the market that we play in. And we are well on our way to do that and, you know, looking forward to serving our customers with all the innovations in the identity space.
Novinson: I like the analogy, Rohit. Thank you so much for the time.
Ghai: Absolutely. It was great to talk to you, Michael. Thanks.
Novinson: Of course. Yourself as well. We've been speaking with Rohit Ghai, he is the CEO of RSA. For Information Security Media Group, this is Michael Novinson.