
In this conversation, Phillip Wylie is joined by Ron Nissim, the CEO of Entitle. They delve into the dynamic world of authentication and privilege access management, exploring the significance of automation and simplification in securing our digital landscape.

They dive into the future of authorization and how innovative solutions like Entitle are reshaping the way we protect our data and systems.

Plus, get a glimpse into the fascinating world of networking and events like Black Hat, where industry leaders connect, collaborate, and envision the future of cybersecurity. Prepare for an enlightening discussion that unravels the complexities of cybersecurity and provides valuable insights into securing your digital world!

Check out the episode below, followed by its full transcription.


 Phillip Wylie

Hello and welcome to another episode of The Phillip Wylie Show. They have Ron Nissim joining today. We met during RSA. Actually, it's kind of an interesting story because my CMO, one of her former colleagues, works for Entitle and he wasn't able to be there to meet me. So he invited me to the dinner. So I'm fortunate I got to meet Ron Nissim and some other interesting folks at the dinner. It was one of the highlights of the dinners that I enjoyed, that I attended there at RSA. It was a lot of fun. So, welcome to the show, Ron.

Ron Nissim

You got the second best. Dean is always our leader. And then when he is unavailable, I feel a.

Phillip Wylie

That's a that's good. When you have the CEO back it back you up.

Ron Nissim

Thanks for having me. I'm really excited to get started.

Phillip Wylie

Yeah, it's good to have you. So why don't we start out with sharing your background, kind of how you kind of get started in the industry, you know, education. On up to like what you're doing today.

Ron Nissim

Of course your thing. So where should I start? Actually grew up in Dallas. We just did that one plus one a year also in the area and then group in Dallas moved to Israel in high school and enlisted in unit 8200, which is an intelligence unit in the Israel Defense Forces and did a cybersecurity there for many years.

Ron Nissim

I like to joke that I don't add a lot of diversity to Israel's founder pool. It's very much cookie cutter, right. Everyone that went to the same units, or at least say they went to the same units, but I didn't cover security there for many years and research, development, that kind of whole side of things is to say low level development, which means kind of like, you know, more detailed development.

Ron Nissim

But then I realized that people think low level meet sounds like mediocre and not like, you know, more detail that I'm like, stop saying that. But anyways did the development for many years and that's when I met Avi, my co-founder. We’re both really great friends. We managed to squeeze in a trip to Vietnam right before COVID. We were super, super lucky, came back right before the skies shut down.

Ron Nissim

But when we finished our service, we knew we wanted to do something together. You know, we knew that there was a lot of opportunity and permission management had a kind of appeal to it. I think honestly between us, like, it's just that it felt weird that everyone was starting companies around all this next gen AI stuff and like the most basic stuff of like in admin and having too much access is still uncovered.

Ron Nissim

And that's what the major, the major compromises or attacks that happen, you know, an Uber and Rocket and many others over the last two or three years were all like very basic stuff. Some developers or my guy having too many permissions. And and basically we tried to figure out what we could do there because it's not a new problem.

Ron Nissim

It's something that Bank of America had 30 years ago and we were fortunate. We spoke with a lot of security professionals and honestly, we reached out to IT and DevOps guys originally too. But again, between us, it's funny to say this on a podcast between us, but it kind of feels intimate when I'm talking to you. We spoke with IT guys.

Ron Nissim

We're like, oh well, you know, we'll talk to them and then they'll introduce us to the security team, but we asked them what their challenges were and they spoke to us about permission management too. And that's kind of when we realized that permission manager has two sides to it. One is governance, which is kind of the more visibility, retrospective interrogation, these privilege or access reviews, compliance. That's kind of more stereotypically the security hat.

Ron Nissim

And then there's provisioning, which is the operational day to day. Like you join a company. What is a process that you go through to gain that access? You change positions, you need access temporarily. There is some sort of process in place or whether it's an onboarding, onboarding process or a change management policy as to how you get that access.

Ron Nissim

And that process is very manual. Even the most forward thinking companies, a lot of really large cloud centric companies, developed internal solutions to automate this process. And that's kind of when we really had a start, the more conservative kind of hard core access management solutions that we're all familiar with just weren't really a fit for cloud permissions in cloud organizations.

Ron Nissim

And that's kind of what led us to what we're doing today. So that's kind of a quick background, but positive. Quick, as a long winded answer.

Phillip Wylie

Sure. That it's interesting how that spaces evolve because, you know, when you mentioned it's some of these less complicated things that people see, like configurations, issues as usually where threat actors get in through, you know, all sorts of things like that are very basic and is like pen testers. And one of the ways that people get a foothold a lot of times is just finding simple credentials that a developer has shared, put on his shared folder that are maybe, you know, a shared folder, his personal folder and anyone has access to it, can have access to those credentials.

Phillip Wylie

They've got an interesting story where I have a good friend of mine and former colleague. He was doing a pen test for a school district and he had done the pen test for the school district a couple of four times. They weren't remediating the items they wanted, the credentials they wanted, the passwords that he was able to intercept during the pen test.

Phillip Wylie

They told really he kind of warned against that. But he said, okay, from give these to you, you need to put them somewhere secure. One of the students of the school found that along with the pen test report and gained access to everything, he had a blueprint on how to hack all this stuff. Someone else already did it. It wasn't remediated.

Phillip Wylie

Here's all this stuff, and it wasn't like it was a big hack for him to get into it. He had a blueprint for it along with the credentials to do that. And I think sometimes people really think some of these hacks are really elite, you know, elite hackers that are doing this stuff and it's sometimes operating it opportunistic.

Phillip Wylie

And you need to really reduce the opportunities for these potential threat actors.

Ron Nissim

Well, it's an amazing story. I've actually a similar story, but we'll save that for another day. And how. Yeah, we'll save it for another day.

Phillip Wylie

So what you're doing, though, is, you know, a lot of companies have IAM products or processes and, you know, PAM, but it's interesting that I guess a lot of these legacy type of PAM products probably only addressed the on-prem environments, I guess.

Ron Nissim

Yeah, well, and that's kind of where we're at today and what we're focused on. And what we've learned basically is when you look at even companies that have bought IGAs like SailPoint or Privileged Access Management Tools, you look at who buys that product and it's often the corporate governance person in the company, and that person often it's not priority for them, the US environment or the databases or the dev infrastructure inside the large companies.

Ron Nissim

And so the permission management infrastructure for these very large companies often covers their corporate stuff but doesn't really cover their dev stuff. And when I say they've never used that kind of or close that very widely, right, it's even just the SaaS applications, even Salesforce, right. Sometimes even integrated just because it's perceived as the cloud side of things and SaaS side of things.

Ron Nissim

And so basically what we realized and that that was one side the other. The other part is that permission manager projects are well known and notorious for dragging out indefinitely and companies never seen value right? Like a two year implementation time and an indefinite amount of cogs and basically the are objects basically what we realized is that by taking a cloud centric approach, we're able to provide a lot of value out of the box.

Ron Nissim

So quick time to value quick implementation is something that's kind of unheard of in the position management world. It's everyone's used to buying through with with multimillions of dollars through Deloitte or something. Not that I have anything against Deloitte but but but that's just kind of what the the, the, the, the world was used to. And when we come around with a cloud native approach that's simple to deploy, then all of a sudden you are able to resolve the issues that are in a cloud environment in a much more natural way, in a much faster way.

Ron Nissim

So yeah, that's kind of how what we saw.

Phillip Wylie

So you you also do on prem as well.

Ron Nissim

Yeah. And I think it's, you know, I'd be naive to say that the whole world is cloud and that's kind of the be all end all. The world is a bit more, organizations are more complex and nuanced than that. Every company has an on-prem environment and a lot of companies have an on-prem and cloud environment.

Ron Nissim

And what we've been focused on is providing very, very quick value out of the box for your cloud environment. Your on-prem environment we can support too, like we have an SDK, we have infrastructure, we have kind of an open API, we have an on-prem deployment too, for compliance reasons. It's often important to companies. It's just that it's, it's kind of both.

Ron Nissim

But for the cloud side, we provide a very quick fire engine for the on prem. We do it so that you can add your applications and maintain a centralized source of truth.

Phillip Wylie

Very interesting. And I would I would assume, too, from, you know, being cloud based cloud. So a cloud centric solution that, you know, you're going to have your configurations and all that for your your solution backed up to the cloud. Whereas some of the solutions there are totally on prem or on prem focused. Then you have to make sure to plan that for your your business continuity planning and disaster recovery in case something happens.

Phillip Wylie

You don't lose that database in the configurations for your authentication.

Ron Nissim

Yeah. Well, Phil, I'll give you another concrete example. Updating the system, right? Like updating an access manager tool. You see companies walking around with access management tools from 20 years ago because the update process is so complicated. And again, creating a cloud centric approach, you get a lot of the benefits that we all are familiar with in SaaS applications.

Ron Nissim

But to your permission manager infrastructure, which again I think that I think is pretty cool.

Phillip Wylie

Yeah. The EAS updating is good because I've I've remember solutions from the past, not necessarily access management related, but sometimes it's just more of a hassle you have to basically reinstall. In a lot of cases, people aren't updating because they don't want to have to go through the headache of reinstalling their solution.

Ron Nissim

Absolutely. Absolutely.

Phillip Wylie

So as far as you know, some of these solutions are very expensive and not cost effective or, you know, accessible to other companies. So how accessible is your product to different sized businesses?

Ron Nissim

So it costs between 2 to 3 kajillion dollars depending on as. And that's kind of again, the beauty of a cloud centric approach. We take the pricing model we're all familiar with. I think a lot of it is again, it's upfront implementation costs and then pricing for integration and poor resource and kind of a ton of different caveats.

Ron Nissim

We've been religious about keeping our pricing very simple on a per user model. And that way you have a lot of clarity as to what this is going to cost you. How does the rollout look and you're able to silo your your rollout as well. A lot of a lot of our customers choose to begin with a narrow rollout, maybe start with their customer success team or their dev team or their admins and then expand from there as they see value and then kind of be able to manage costs accordingly.

Ron Nissim

That, that and also by maintaining clause in approach, we're able to keep our own costs low. Like we don't have a lot of upfront implementation costs, we don't have a lot of professional services we need to sell with every implementation because you can do it yourself there guys. And obviously if you want, then we'll help you. But our customers success seems frickin awesome, but a lot does amazing work there.

Ron Nissim

But just the ability to to manage it on your own like we're all used to, I think one of the companies that we've been learning from a lot is Okta and how they became leaders in their side of the world, that the authentication space is providing a cloud centric simple to deploy solution to an industry where, you know, Active Directory was kind of the be all end all you needed like a seven person team to manage that tool.

Ron Nissim

Okta came around, built a simple to use solution. Now you can, you know, one IT gal can do it in the backyard of a house while she's on vacation. And that's kind of the idea is bring that same ease of use to the permission manager world.

Phillip Wylie

And it seems like one of the advantages to say, like if you've got support, you had an on prem solution. Sometimes getting vendors access to that environment, a lot of cases that they come onsite unless they get some VPN access. But at least with your solution, you know, they have access to it in the cloud and makes it a lot easier to provide that support than just a solely on prem solution.

Ron Nissim

Yeah. And, you know, again, you can sell it on your own. It's like a Helm chart or Terraform, simple to deploy, one liner. You have it up and running and very interesting.

Phillip Wylie

So for people, someone that wanted to start a career in IAM or PAM, someone wanting to be in like a practitioner role, what is some advice that you have?

Ron Nissim

Wow, I wish I could have gone. I can talk to Ron. It's three years ago before he got the access in space. It's like the more we get into it, the bigger we realize the world is this. This challenges of access. Management is just, it is frickin huge. It's insane. It's probably one of the biggest and most complex aspects of cybersecurity and I.T. And I think that for curious people, that is amazing because there is an endless amount of knowledge, an endless amount of it for it's stuff to be learned and expertise to be built.

Ron Nissim

And but I think that if you're looking for kind of an easy way, you know, an easy way to become an a security there or an IQ leader, then that's probably not the place to start. There are kind of other places where you can get your footing, but permission management neither are there are some leaders in the industry that I respect immensely just because of their their experience.

Ron Nissim

Do you go back to your question more pragmatically? I think that networking and talking with other leaders of the industry has helped me in time. And what I've been fortunate to learn is that people are very open, people are very happy to take, explain and teach and help because they're all empathetic. They were all were there. I was there a few years ago, you know, and every every leader in the industry, every person that has gotten very far and now leading huge teams, they still have that big.

Ron Nissim

You still have that excitement of teaching and staying on the cutting edge and so for us, I reached out to some of the most prominent leaders on LinkedIn and just ask for their help and guidance. And they were really, really happy to. I mean, even you I had you just like you said, we were put in touch and I've learned a ton in these types of relationships, cultivate and expand and really drive your network over time.

Ron Nissim

It also becomes a flywheel, right? You meet one person, introduces you to another, those to introduce you to, to more of those to introduce you to. Six more. And all of a sudden, you find yourself that it's also it's a friendly, very friendly and intimate community. You go to Gartner IAM, right, Identiverse. There you see these are conferences that like people know each other, people go from booth to booth.

Ron Nissim

It's like, Hey David, how are you doing? It's like the go to conference year over year. Our product leader has been to Identiverse, I think, like ten times at this point, just, you know, every year. And so it becomes somewhat of a family and people reunite in Vegas to get drunk together.

Phillip Wylie

Yeah, it's it's it's amazing how there's a lot of people spend a lot of effort into networking on on LinkedIn, but they don't take it to the next step in person. And, you know, while online is critical, you make some initial connections. But it really seems like until you really start getting to meet with these people in person, that you really start to see the real value.

Phillip Wylie

I mean, it's just really hard to connect with people in person online because during the pandemic I did a lot of virtual presentations, spoke a lot of different conferences, and even when I worked for a vendor last year, I did some demos of their product and some of the irons events. An interesting difference between the virtual and in-person is just amazing because no one's really asking questions online, but you get there in person, you're able to connect with people, you're able to read the room and see who's interested and just just the connection you make in general, people that come up and and speak to you after you give a presentation or workshop or something

Phillip Wylie

or just being an event, people coming up talking to you, the the connection that you make there, that's just a lot more difficult online.

Ron Nissim

I totally agree. Totally agree. That's why I've been flying around a lot. Every person that's willing to meet me, if you guys are listening to this podcast and want to meet me, shoot me a message. Happy to happy to take you out for drinks.

Phillip Wylie

Yeah. So look forward to seeing you again at Black Hat. So that's coming up pretty shortly. So you guys plan to have a booth there? Our events.

Ron Nissim

Are huge. We're hosting a dinner. We're going to some some some some shows together. So, I mean, Phil, you and I are going to go, but everyone's kind of welcome. Should be our message and happy to invite you to all the events that we're sponsoring and putting together.

Phillip Wylie

So yeah, it's pretty, you know, going back to the topic of authentication and stuff, it's amazing how the management of that has evolved because whenever I started my career in 97 as a sysadmin, everything was decentralized. I remember when like the Code Red Virus and Lambda came about, the remote access tools, you could just RDP into a system.

Phillip Wylie

There weren't any kind of tools that you could push patches down or go in and try to clean the systems without actually accessing the system. And then when you throw in the picture Unix and Linux authentication, you know, some of those aren't so easy to manage remotely. So even the authentication piece and, you know, was one of the big sellers with one of the things that really helped Microsoft was back before Active Directory, it was little more difficult to administer privileges and stuff.

Phillip Wylie

And now once Active Directory came about, it was easier. So it's nice to see that the world is evolving into something that's easier to administer, but also seeing the solutions, third party solutions such as yours, to administer the authentication and privilege access management.

Ron Nissim

Yeah. I mean, first of all, as an attacker, are you always jealous of those days? Right? Like, you know, we'd be reminiscing on the days before there was like memory and all of these things that are important for the world in cybersecurity. But to your point, I think that we're in the middle of another kind of general relational shift in the access management permission management authorization authentication space.

Ron Nissim

A lot of things are changing very rapidly. I think much thanks to a lot of other innovative companies in the space you know teleported amazing work in the authentication space for for a developer purposes and I can give plenty of other examples strong team also in that space and you have companies that are more on the other kind of permission management as a service building it into your products like clean ID and others.

Ron Nissim

And you have this generation of products that are just making it much easier to manage permissions correctly. And I think that's rooted in the fact that people understand that the basis of any security program is a good permission management posture program. And it's kind of like the last the last level of security, right? The most basic what can you access is, you know, in the in the Army call it they call it need to know.

Ron Nissim

But in the real world. In the real world, they it's it's basically the understanding of what is your blast radius, right? Things that are going to happen. It's just a matter of what is the risk associated with what is going to happen. And the more people have access to more resources, the bigger the risk. And as companies take on themselves to to own more and more information, especially in the age of A.I., where owning information has become a huge resource, that becomes something that you need to protect even more.

Ron Nissim

And so accessing that data, accessing those that those permissions, those sensitive applications became really huge. The other thing that I think is changing is that whole the whole dynamic of privileged access management versus cloud security versus identity governance versus administration. And like these are all different pillars, right? Even ITSM like there, if you draw like a Venn diagram, I always joke that it looks kind of like the Olympics, you know, like we're in things like one that's the other that's connected to the other that's connected.

Ron Nissim

But if you think like the two ends, if I ask you like, what's the relationship between ITSM and cloud security, I'd be like, not so much, but it's like ITSM to administration, administration to governance, governance, campaign to it. And then you draw that line and all of a sudden transitive you've gotten from one side to the absolute other.

Ron Nissim

And the reason I say all that is I think that forces us as vendors to be very collaborative with each other, because as as a buyer, when you're a company and you're looking at how do I want to build my stack, you know, they're often as historically, I'd say, like, hope it's okay, I'm name dropping companies, but like hopefully they'll pay me for my free marketing that I'm giving them.

Ron Nissim

But you know, if you look at you mentioned you mentioned 97, right? You looked at like what was what was the stock of a of a company in the early 2000? There was, um, you know, a permission manager excuse me, a user manager tool like Active Directory in Kerberos. And then you have on top of that a, you had on top of that a an ig a tool I think like a vekselberg big maybe that's a little bit before this time.

Ron Nissim

But like and then you had on top of that it privileged access management tool. I guess today's cyber is one of the big ones. And when you look at what that stock is going to look like in 2030, I think that's going to look very different even in terms of like what are the different categories? And you see that with like Arctic building out workflows and you see that with Active Directory building out privileged access management.

Ron Nissim

It kind of everyone's kind of expanding in their spot. I think that what that leaves us as a startup is really interesting as well because that gives us the opportunity to really help define this new category and hopefully emerge as the leaders. Right. Because there's basically it's kind of it's kind of like it's a it's rolling the dice all over again.

Ron Nissim

It's giving it's a shuffling of the chairs to keep. The companies that were crowned as leaders in the last decade are now having to prove themselves almost from scratch. And that gives a lot of opportunity for startups to really prove themselves and work their way up the ladder.

Phillip Wylie

Yeah, one of the things I see is that advantages to be able to administer those environments because back when it was just Active Directory that you were managing your environment with, you know, you had to understand Active Directory how to set up users and stuff you could create, you know, scripts for people that work in the helpdesk or some companies had IAM teams where basically all they did because the company is so busy they were creating IDs, decommissioning IDs and such a manual process.

Phillip Wylie

But then even just going into Active Directory and giving permissions was was not something really simple. And it seems like when you can simplify things, you make security easier. If you make you take a lot of the guesswork out of it and you don't have to be a rocket scientist to do it, then I think you're going to kind of reduce some of your risks.

Ron Nissim

And that's also another shift that's happened is the tolerance for manual work has gone down significantly. People are always looking to automate themselves out of the manual work, and I think that's an amazing thing that's happening in the world, right? That frees up all of our time, all these amazing human beings that could do incredible stuff from doing the manual day to day work and all of these jobs.

Ron Nissim

Speaking to a company yesterday that their HRT isn't integrated with their identity provider. And so every when when you put up a hire someone, someone manually goes in and it and creates the user inside Active Directory and like you guys realize that the to have like a sync it's like a button that you have to press and then it pushes the users and they're like, Really?

Ron Nissim

I didn't know that. And it's like these simple things, these simple things that like all of a sudden you free up a, you know, they're hiring almost ten people a week. You free up a person, you free up like ten to do other stuff. And I think I think the thirst or hunger for companies to be more efficient, especially in these days, to be more efficient, to utilize their manpower in the right way, put their chips on the right areas.

Ron Nissim

Again, just just makes emphasize the importance of of automation.

Phillip Wylie

So it's been kind of a hot topic. So what how do you feel about the Passwordless authentication? Do you feel like solutions like yours are just going to help accelerate that process?

Ron Nissim

Well, first of all, let me start by saying amazing. The fact that I still have to remember passwords is so 1997, as I. So it's definitely, definitely something that's it's something to be super excited about. Just another example of how the stock is going to be totally shifted and changed in ten years and how we interact with our tools around us and our computers.

Ron Nissim

Biometric authentication, obviously a lot of work in that space. Just to be very clear type of authentication. Authorization, I think are two very siloed issues that are tackled separately, and that's very much on the authentication rights, like what is the right way or is most the most secure way to authenticate into your system? And that that's where MFA comes in and all these other things.

Ron Nissim

I think when you take a dynamic authorization model, you can now, for example, instead of using buzzwords, I'll give you examples I want to control who can access which table is inside MongoDB Great. That's a that's a permission. That's an authorization issue. Right? Who is authorized to access which resources? That's a policy that you can define. The other side of that is maybe you want to invoke an authentication because you want a person to want to get you want them to prove that they're actually the right person in that it's not they're not compromised.

Ron Nissim

No one stole their session. No one stole their cookie. Like all these attacks that were rampant over the last ten years, all of a sudden won't be available because now you want to request, you want to access something that's very sensitive. I need to re-authenticate to prove again that I am Ron and I am actually authorized to access this resource.

Ron Nissim

And it's not a password that I copied or you know saw from felt fell from a truck you guys use that we used to say when you want to say you've got something and you don't you don't want to disclose it. Friends, I fell off a truck.

Phillip Wylie

Yeah, yeah. I've heard that term used a lot, so. Yeah, I really, really enjoyed this discussion. I appreciate you joining us. Is there anything you'd like to mention before we close out the episode?

Ron Nissim

Well, first of all, thank you for having me. Really enjoyed our session today. Specifically, Black Hat would love to either meet you at our booth or meet for coffee. Shoot me a message. Sure, and read me some order code and title and yeah, thank you.

Phillip Wylie

So I'll thanks everyone for joining and we'll see you on the next episode.
