WEBVTT

1
00:00:00.030 --> 00:00:02.250
Mathew Schwartz: Hi, I'm Mathew Schwartz with Information

2
00:00:02.250 --> 00:00:06.150
Security Media Group here at the RSA conference with the CEO of

3
00:00:06.150 --> 00:00:09.960
RSA, Rohit Ghai. Rohit, welcome back to our studio.

4
00:00:09.990 --> 00:00:11.760
Rohit Ghai: Always a pleasure, man. Thank you for having me.

5
00:00:11.790 --> 00:00:14.460
Mathew Schwartz: Thank you. It's always wonderful to get your

6
00:00:14.460 --> 00:00:20.310
impressions on the latest RSA Conference. 2023. Now, what

7
00:00:20.310 --> 00:00:21.960
would those be your impressions this year?

8
00:00:21.000 --> 00:00:21.870
Rohit Ghai: First off, it's the most exciting week for

9
00:00:21.870 --> 00:00:26.280
cybersecurity. This is a first for me experiencing the

10
00:00:26.400 --> 00:00:30.720
conference with RSA, the company not being owner of RSA, the

11
00:00:30.720 --> 00:00:36.510
conference. So I get to enjoy a lot of the side meetings and

12
00:00:36.510 --> 00:00:40.740
truly experience the joy of the community. Right. So it's been

13
00:00:40.740 --> 00:00:44.580
phenomenal. There are so many exciting conversations, you

14
00:00:44.580 --> 00:00:49.590
know, this week influences the strategy for the industry and

15
00:00:49.590 --> 00:00:53.520
sets the tone for the year that's upon us. So exciting as

16
00:00:53.000 --> 00:00:57.135
Mathew Schwartz: But did it keep you busy? I mean, you were on

17
00:00:53.520 --> 00:00:53.910
ever.

18
00:00:57.227 --> 00:01:02.282
the keynote stage, Stronger Together theme, and I think

19
00:01:02.374 --> 00:01:04.580
warming up the audience.

20
00:01:04.000 --> 00:01:07.360
Rohit Ghai: Absolutely. That's something that I always look

21
00:01:07.360 --> 00:01:10.600
forward to. It's one of the rituals to kind of get to set

22
00:01:10.600 --> 00:01:13.870
the tone and open the conference.
And, you know, this

23
00:01:13.870 --> 00:01:18.370
year, Hugh Thompson had some opening remarks prior to AI. So,

24
00:01:18.400 --> 00:01:21.220
you know, it took a little bit of adjustment there. But Hugh's

25
00:01:22.300 --> 00:01:24.670
been a - he has been such a familiar face for the

26
00:01:24.670 --> 00:01:27.220
conference, and such a great champion of the community that

27
00:01:27.220 --> 00:01:31.720
it's just delightful to have him open the conference.

28
00:01:31.720 --> 00:01:33.670
Mathew Schwartz: Well, it's wonderful to have this as an

29
00:01:33.670 --> 00:01:37.990
aspect of community, and a community building aspect in the

30
00:01:37.990 --> 00:01:40.510
calendar and see all your friends every year as well. So

31
00:01:40.510 --> 00:01:44.170
it's wonderful. Well, so one of the things that's really, I

32
00:01:44.170 --> 00:01:48.910
think, surged since we last met is the concept of identity. And

33
00:01:49.120 --> 00:01:52.720
also for attackers, it's become a real primary target. So one of

34
00:01:52.720 --> 00:01:55.000
the things I wanted to ask you about is identity and access

35
00:01:55.000 --> 00:01:59.050
management, IAM, and the need now increasingly to transform

36
00:01:59.050 --> 00:02:03.220
that into what's referred to as IDT, identity theft detection

37
00:02:03.220 --> 00:02:07.180
and response or true identity security. Talk to me, if you

38
00:02:07.180 --> 00:02:08.890
will, please about that shift.

39
00:02:08.930 --> 00:02:10.730
Rohit Ghai: Absolutely. Look, you know, there are two points.

40
00:02:10.790 --> 00:02:12.110
I'll hit on number one is, you know, we must reflect on what

41
00:02:12.110 --> 00:02:18.980
the core purpose of an identity platform needs to be in the era

42
00:02:18.980 --> 00:02:22.520
that we ran. And I think that needs to be security. Security

43
00:02:22.520 --> 00:02:25.760
is the primary purpose.
As much as we need to juggle security,

44
00:02:25.820 --> 00:02:28.880
convenience and compliance, it has to be a security-first

45
00:02:28.880 --> 00:02:33.110
mindset and identity. As much as it is a defender shield, it is

46
00:02:33.110 --> 00:02:36.410
the attacker's target. In fact, it is the most attacked part of

47
00:02:36.410 --> 00:02:40.460
the attack surface. So it's, in fact, befuddling, to me that,

48
00:02:40.490 --> 00:02:44.660
you know, as much emphasis and focus we place on monitoring

49
00:02:44.660 --> 00:02:49.130
infrastructure, monitoring data, we don't spend any energy

50
00:02:49.130 --> 00:02:51.920
monitoring the most attacked part of the attack surface, which is

51
00:02:51.920 --> 00:02:55.400
identity. And therein lies the genesis of this idea called

52
00:02:55.550 --> 00:03:00.350
identity threat detection and response. Now, this is a very

53
00:03:00.350 --> 00:03:03.110
consequential but very challenging problem for the

54
00:03:03.110 --> 00:03:07.370
industry to solve. And, you know, RSA as a company, we've

55
00:03:07.370 --> 00:03:10.640
always been known for having a security-first mindset. So we

56
00:03:10.640 --> 00:03:15.560
are doubling down on this idea and looking to kind of innovate

57
00:03:15.830 --> 00:03:16.790
in this general area.

58
00:03:16.990 --> 00:03:19.120
Mathew Schwartz: Well, so let's discuss if you will stick with

59
00:03:19.120 --> 00:03:22.000
the elements of identity security these days, I mean,

60
00:03:22.000 --> 00:03:25.900
zero trust. We've seen a huge rise in the use of zero trust,

61
00:03:26.050 --> 00:03:29.770
knowledge about zero trust, and attempts to apply zero trust.

62
00:03:29.770 --> 00:03:32.410
What are you seeing? How has it evolved from, you know, a

63
00:03:32.410 --> 00:03:34.540
definition to actual deployment now?

64
00:03:34.630 --> 00:03:37.270
Rohit Ghai: Yes, I think it's switched from being a twinkle in

65
00:03:37.270 --> 00:03:41.650
the eye of a few people to an idea that is well specified, to

66
00:03:41.650 --> 00:03:43.540
just about now getting operationalized in the industry.

67
00:03:43.570 --> 00:03:48.580
And I think what's catalyzing that shift is a couple of

68
00:03:48.580 --> 00:03:53.500
things. One is, of course, maturation of, sort of,

69
00:03:53.530 --> 00:03:56.200
everybody getting their head around. What does this mean?

70
00:03:56.920 --> 00:03:59.980
More precise definition of what an implementation would look

71
00:03:59.980 --> 00:04:04.270
like. And I want to call out CISA in terms of publishing the

72
00:04:04.270 --> 00:04:08.440
zero trust maturity model, version 2.0, which is a far

73
00:04:08.740 --> 00:04:12.190
superior version than the version 1.0, as it should be,

74
00:04:13.150 --> 00:04:15.640
you know, so that's a key artifact in the industry. I

75
00:04:15.640 --> 00:04:18.340
think the other thing that has happened is, you know, there are

76
00:04:18.340 --> 00:04:22.180
some innovations that I think are timely, that are powering

77
00:04:22.180 --> 00:04:25.630
this and making zero trust more possible. You know, the line I

78
00:04:25.630 --> 00:04:29.920
like to use is zero trust has zero chance without AI. So I

79
00:04:29.920 --> 00:04:33.640
think the kind of the invocation of AI and automation to make

80
00:04:33.640 --> 00:04:37.990
zero trust possible is going to be a key catalyzer for, you

81
00:04:37.990 --> 00:04:40.600
know, more adoption, more realistic attainment of zero

82
00:04:40.600 --> 00:04:41.950
trust strategies.

83
00:04:42.020 --> 00:04:44.000
Mathew Schwartz: Well, I want to circle back to AI and ML in a

84
00:04:44.000 --> 00:04:47.360
moment. But in terms of some of the core elements, if you will,

85
00:04:47.360 --> 00:04:50.660
of identity security. Where does passwordless play?
So you know,

86
00:04:50.660 --> 00:04:54.980
passkeys. RSA, of course, heard of them before, I know, but

87
00:04:54.980 --> 00:04:57.830
also, you know, the FIDO standards, and how do we

88
00:04:57.830 --> 00:05:00.350
eventually get into this passwordless future? What does

89
00:05:00.350 --> 00:05:02.480
this look like for the future of identity security?

90
00:05:02.000 --> 00:05:07.160
Rohit Ghai: Yeah, absolutely. So, look, you know, the one

91
00:05:07.160 --> 00:05:11.510
thing that I think the cyber industry unanimously agrees on

92
00:05:11.510 --> 00:05:15.560
is that passwordless world is worth striving for. Our

93
00:05:15.560 --> 00:05:18.680
passwords are a big pain in the behind. And you know, we've been

94
00:05:18.680 --> 00:05:22.460
working at it for many years. And similar to the kind of the

95
00:05:22.460 --> 00:05:26.600
zero trust topic, I feel like even the passwordless sort of

96
00:05:26.630 --> 00:05:32.360
movement, I think, is at a point where I think people have the

97
00:05:32.390 --> 00:05:36.650
right level of conviction on standards like FIDO, I think,

98
00:05:36.650 --> 00:05:42.080
that is enough user sort of appetite to kind of switch and

99
00:05:42.080 --> 00:05:45.530
experience this. Because, you know, even users are tired of

100
00:05:45.530 --> 00:05:49.070
dealing with plenty passwords and clunky password policies of

101
00:05:49.070 --> 00:05:52.490
having to update passwords and assurance as well. I believe the

102
00:05:52.490 --> 00:05:58.880
assurance and the assurance that comes with it. So look, FIDO as

103
00:05:58.880 --> 00:06:02.030
a standard, I think is mainstream now. It is real, you

104
00:06:02.030 --> 00:06:05.120
know, we ourselves released the DS100 product, which actually

105
00:06:05.150 --> 00:06:10.670
codifies FIDO along with our own proprietary protocol. So it's a

106
00:06:10.670 --> 00:06:13.550
dual form factor.
So it's getting adopted, and it's

107
00:06:13.550 --> 00:06:16.010
getting mainstream, and it's getting user acceptance.

108
00:06:16.460 --> 00:06:21.320
Mathew Schwartz: Excellent. Third generation identity. Is

109
00:06:21.320 --> 00:06:23.900
this a data problem? And maybe just explain the concept to me,

110
00:06:23.930 --> 00:06:26.120
if you will. We were talking about it before, but how do you

111
00:06:26.120 --> 00:06:27.740
see the evolution here?

112
00:06:28.140 --> 00:06:30.360
Rohit Ghai: Identity, the evolution of identity, the way I

113
00:06:30.360 --> 00:06:32.820
see it, Matt, is that look. You know, identity is all about

114
00:06:32.850 --> 00:06:36.390
having your actors on the network resources on the network

115
00:06:36.630 --> 00:06:39.090
and assigning the privilege of who should have access to what,

116
00:06:39.090 --> 00:06:42.630
when, where and why. And, you know, on the actor side, we have

117
00:06:42.630 --> 00:06:46.020
proliferation of machine identities post pandemic, there

118
00:06:46.020 --> 00:06:49.500
is 10x more identities on the network, both because of machine

119
00:06:49.500 --> 00:06:54.930
identities, as well as just more users using identity platforms.

120
00:06:54.960 --> 00:07:00.870
So 10x on the resource side, we have more IT resources, of

121
00:07:00.870 --> 00:07:04.170
course, but we have more granular IT resources, we are

122
00:07:04.170 --> 00:07:07.200
moving toward a microservices architecture, which makes things

123
00:07:07.200 --> 00:07:10.470
very granular. So the entitlement relationships is an

124
00:07:10.470 --> 00:07:13.710
exponentially more complex problem. It's a data problem to

125
00:07:13.740 --> 00:07:17.280
borrow your phrase, which means you need to apply AI and automation

126
00:07:17.280 --> 00:07:22.020
to really tame that challenge. And that's, again, back to the

127
00:07:22.020 --> 00:07:26.070
AI point we touched on earlier.
I think it's going to need

128
00:07:26.490 --> 00:07:28.890
technologies like AI to really tame that problem.

129
00:07:29.140 --> 00:07:31.000
Mathew Schwartz: Well, the question I had about AI and ML

130
00:07:31.000 --> 00:07:35.380
is opportunity for defenders, opportunity for attackers. Do

131
00:07:35.380 --> 00:07:37.720
you want to dive into maybe those two areas a little bit?

132
00:07:37.750 --> 00:07:41.050
Rohit Ghai: Yeah, look, you know, in general, the cyber

133
00:07:41.050 --> 00:07:46.000
industry has learned that any new technology often has this

134
00:07:46.000 --> 00:07:49.000
duality, right. It's a double-edged sword. What I see

135
00:07:49.030 --> 00:07:51.880
happening, though, is that, you know, the attackers have been

136
00:07:51.880 --> 00:07:54.730
using automation and AI for a while to perpetrate attacks.

137
00:07:55.270 --> 00:07:59.290
Having said that, I think on the good side, the adoption of AI, I

138
00:07:59.290 --> 00:08:05.200
feel, is sort of pretty pragmatic. I think we are not - there are

139
00:08:05.230 --> 00:08:09.430
many issues with AI around ethics. And as well as sort of,

140
00:08:09.460 --> 00:08:12.490
you know, making sure that we are not getting too reliant on

141
00:08:12.490 --> 00:08:16.450
it. And, you know, always using human insight as a safety net,

142
00:08:16.450 --> 00:08:19.450
if you will. So I think we are adopting AI in a very pragmatic

143
00:08:19.450 --> 00:08:22.780
way where it starts from data insights to human supervised

144
00:08:22.780 --> 00:08:26.650
decisions to eventually autonomous decisions from an AI

145
00:08:26.650 --> 00:08:31.930
perspective. But it's going to be a massive challenge keeping

146
00:08:31.930 --> 00:08:34.240
up with the threat actors, because they're applying AI

147
00:08:34.240 --> 00:08:38.200
technology in spades to attack identity and other, kind of, you

148
00:08:38.200 --> 00:08:39.760
know, aspects of the attack surface.

149
00:08:39.790 --> 00:08:41.860
Mathew Schwartz: So unless we're using it on the defensive side,

150
00:08:41.890 --> 00:08:43.090
we're at a disadvantage.

151
00:08:43.120 --> 00:08:45.700
Rohit Ghai: Without good AI, bad AI will take us for the ride.

152
00:08:45.000 --> 00:08:50.100
Mathew Schwartz: And we don't want that obviously. Okay. So

153
00:08:50.160 --> 00:08:53.730
let's talk a little bit about the present and the future of

154
00:08:53.730 --> 00:08:57.810
RSA. What's coming next. And as you're speaking with the market,

155
00:08:57.930 --> 00:08:58.800
why does it matter?

156
00:08:58.000 --> 00:09:04.240
Rohit Ghai: Yes. I believe in the AI and data era, the

157
00:09:04.240 --> 00:09:08.740
cybersecurity industry and the industry at large needs an

158
00:09:08.740 --> 00:09:12.310
identity security platform, not an identity and access

159
00:09:12.310 --> 00:09:16.120
management platform. Because just like smartphones, the core

160
00:09:16.120 --> 00:09:19.270
purpose of it is not making a phone call anymore. On the

161
00:09:19.270 --> 00:09:22.180
identity side, access management, identity management

162
00:09:22.180 --> 00:09:25.270
is table stakes, we have to look at the core purpose, which is

163
00:09:25.270 --> 00:09:28.720
security. So what RSA is focused on is delivering what we call a

164
00:09:28.720 --> 00:09:34.570
unified identity platform, which is Open AI powered and data

165
00:09:34.570 --> 00:09:38.020
driven back to a point with a security-first mindset. So

166
00:09:38.020 --> 00:09:41.650
that's what we're kind of working toward. And I think

167
00:09:41.830 --> 00:09:46.000
identity is the most consequential aspect of a

168
00:09:46.000 --> 00:09:49.690
cybersecurity strategy, if we may say so ourselves.
At RSA,

169
00:09:49.690 --> 00:09:55.810
we've been at it for a while, but in my view, identity

170
00:09:55.810 --> 00:09:59.320
centerstage yet again, and that's a good thing for the

171
00:09:59.320 --> 00:10:03.310
industry. And we are privileged to have the opportunity to serve

172
00:10:03.310 --> 00:10:07.120
the industry in that area.

173
00:10:07.780 --> 00:10:09.820
Mathew Schwartz: Well, it's a privilege to get to sit down

174
00:10:09.820 --> 00:10:13.510
with you and to hear what's happening with RSA as well as

175
00:10:13.630 --> 00:10:16.630
your impressions, as always, of the RSA Conference. I really

176
00:10:16.630 --> 00:10:18.130
appreciate your time and insights. Thank you.

177
00:10:18.370 --> 00:10:19.930
Rohit Ghai: Pleasure is all mine. Thank you for having me.

178
00:10:20.440 --> 00:10:21.970
Mathew Schwartz: I'm Mathew Schwartz with Information

179
00:10:21.970 --> 00:10:24.340
Security Media Group. Thank you for joining us.