In July 2017 I first met with ScaleFT, the startup aiming to bolster security using the "zero trust" approach modeled after Google's BeyondCorp framework. The company had just closed a $2 million funding round and launched a new product based on the core principles of BeyondCorp for securing access to internal company web apps.

I recently caught up with the ScaleFT CTO and co-founder Paul Querna to get an update on how customers are responding to a new security paradigm built on the premise that perimeter defenses are increasingly obsolete. Querna had some insights into how the user experience is critical to effective security.
VMblog: What's broken in security today?
Paul Querna: We need to make security easier to adopt and use. Organizations face two challenges. For too long, companies have invested a lot of money in a wide range of different products that offer varying levels of security. But few products solve for a security outcome. They fix one issue, not the architecture problems. The other challenge is that too many products make users miserable. They can't get their work done efficiently. Both problems discourage adoption, so no one is adequately protected. When you have the user on your side, when you're helping them be more successful at their job, it makes security more effective.
VMblog: What makes a good user experience that is still secure?
Querna: In many ways, it's all about better security through UX. The core part of our world at ScaleFT is about combining a user and their current device at a point in time to build a session profile that can be effectively authenticated and authorized. If everything adheres to the access policies, you just navigate to web apps or log in to servers just as you normally would. You might have 2-factor in place, which you do in the morning, and then you're set for the day. That's the user experience we strive for whenever possible, because that's what you want to do. You never want to log in 14 times during the day.
VMblog: How does Zero Trust look from the CISO perspective?
Querna: CISOs spend a lot of money on a lot of different products. We can help them not just on security, but also with managing the proliferation of security products to set up and manage. We eliminate or replace the spend on things like VPNs and endpoint protection. Because of how the product and this architecture integrate with everything, you have a real-time view into everything that's going on. You have audit logs continuously coming in of every page view and every action someone takes on a server. You have a very information-rich environment.
We also recognize the importance of helping customers embrace this new paradigm for security. How can we make it easier to adopt? Our objective is to take these core ideas and make them more consumable, more incrementally adoptable. Even within Google, it did take them 6 or 7 years to do the full transition, but they said they tried to do the 80 percent of easy apps first. And that's our same perspective with our own customers: let's migrate the easy stuff first. We're not going to get rid of your mainframe tomorrow, but let's move some of your easy web apps that are already in the cloud.