Centrify CEO on Dropbox, KNOX, Microsoft, and the future of identity

Centrify CEO Tom Kemp. Credit: Centrify via YouTube

When Centrify got its start in 2005, Windows PCs ruled, smartphones were rare, and the only real competition was happening on the server side, where Linux and UNIX variants battled against Windows. Centrify gave enterprises a way to manage user identities across these back-end systems using Microsoft Active Directory, which many companies were already using.

Things have changed dramatically since then, and Centrify has rolled with those changes, adding mobile management and a way to manage identity in cloud services. But the changes have also brought it new competition from cloud-based purists like Okta, as well as big new partners like Samsung, who are relying on Centrify to help power its upcoming KNOX security platform.

Today, Centrify is announcing a tie-up with Dropbox to provide single sign-on and tie into Samsung KNOX, so employees will be able to access a totally secure version of the Dropbox app in a special "work container" on their KNOX-enabled Android phone.

We caught up with Centrify CEO Tom Kemp last week to discuss the company's recent deals, the future of identity and mobile data security, and Centrify's future prospects. 

Here are some highlights of our talk:

  • Soon, we'll have to add another "BYO" to the list -- BYO Identity. "I think what's going to happen is this whole BYO thing will even include bring your own identity, where you're out of college, you get your Gmail account, and that's the primary account for all your jobs that you have as well....So when you show up for your first day of work, it's expected that you bring your own phone, bring your own Mac or laptop, Yahoo or Gmail or Outlook.com account, and the company doesn't give you anything, they just grant you access to cloud resources. Then if you need applications, it will be delivered via containers....Then when you leave, they'll remove the container with the applications, you retain the device, the phone or PC or Mac, and you retain the identity.
  • Differences between Centrify and cloud-based vendors like Okta: He listed several, but the most interesting was Centrify's tighter integration with Active Directory. "Some of these vendors actually suck data out of Active Directory and create their own cloud directory. Some people are a little bit concerned or nervous about that today, as in do I want to put all my eggs in the one basket of a startup directory in the cloud? Or, do I want to leverage an existing infrastructure and technology that I already have, and have a third party cloud service provided an identity gateway or broker, as opposed to sucking all my data out of my directory and synchronizing it to something in the cloud?"
  • Microsoft vs the MDM vendors: "[Microsoft's] Brad Anderson and his team are doing a great job of extending System Center to the cloud via InTune, and trying to go after the MDM vendors, and we'll let them fight those battles and we'll see if Microsoft can be a big player versus MobileIron and AirWatch. We don't want to be in that fight right there, part of the reason is a lot of it has been commoditized, but the real reason is that we're in a different market. We're an identity provider, we're not a device management [company]. Do we do some basic device stuff? Yeah, if no one has a solution and they want to ensure the security. But if someone does have a solution, we'll gladly say don't enable that, still leverage that zero sign-on from a mobile device."
  • Possible next steps: Consumer identity and an IPO. "Could this technology that we offer for enterprise -- is there a consumer play for that? That could be a potential, especially as there's a blurring between consumer and business....Centrify is not a startup with 100 or 200 customers like some of the other vendors who we're starting to compete with. We're a pretty significant company, we have over 350 people, 4,000 customers, we're growing at a nice clip. So we're looking at how we can expand and starting to think how can we put ourselves in the position over the next year or so to potentially be a public company?"

Here's a transcript of the full interview, lightly edited for clarity and to eliminate some redundancies.

Explain how Centrify came into being? What problem were you trying to solve back in 2004?

The fundamental issue that we were trying to focus on was that as IT becomes more heterogeneous, or was becoming more heterogeneous, a whole host of problems would occur. Those problems would include users with all these different systems and applications would have additional usernames and passwords that they would have to deal with, and IT would have to deal with the issue of trying to figure out how they could centrally control who has access to what within the environment getting the control and visibility. So if you look back 8, 9, 10 years ago, ironically heterogeneity was really happening from a server perspective, with Linux marching into the datacenter, supplementing and/or replacing Unix and Windows. What we came up with was some software that tied in non-Microsoft systems and applications into Active Directory so users would have a single log in and IT would have a unified identity infrastructure to consistently apply policies, control access, et cetera.

It turns out with the whole consumerization of IT, with BYOD, with bring your own servers, bring your own applications, that heterogeneity is expanding inside the enterprise. So the same problems are occurring in that users have a plethora of passwords, IT cannot figure out who really has access to what, et cetera. So much as how Linux supplemented or replaced Windows, you now have a situation where iOS, Android, Mac OS X is supplementing or replacing Windows or BlackBerry, and you have SaaS applications replacing the traditional on premise applications as well. A lot of goodness comes from that in terms of flexibility of picking applications and devices, but there are some challenges with that, such as the multiple usernames and passwords for all new systems and applications, and IT has control and visibility problems. So the same problem we tackled 8 or 9 years ago is even more applicable today.

How does the explosion in cloud services affect your business? It used to be that most every company did everything on-premise tied into AD. Now you've got individual users and groups going outside the firewall, you've got IT with a mix of on-premise and cloud. How does that affect Centrify?

We were primarily a software play, and so we built software agents that ran on over 400 flavors of Unix, Linux, and Mac. We created dozens of plug-ins into Apache, WebLogic, JSphere, JBoss, SAP, DB2, et cetera, and tied everything into a central directory. But then, with the advent of BYOD and growth of SaaS, we had to build a new architecture to enable single login, single unified identity infrastructure.

So well over two years ago, we started building a cloud service from scratch that acts as an identity broker or identity gateway from the on-premise AD to the off-premise systems and applications that are out there. We've evolved into a full-blown cloud service provider as well as providing software. Much like we went down the path of supporting all these divergent Linux operating systems, now we're going down the path of having to support hundreds and hundreds of SaaS applications, and different types of mobile devices. We've got a good track record of doing that, in terms of building a kind of a factory model and cranking out support....

For the new technology, we've also had to change our pricing model. People expect a subscription-based model, while with our software they expect a more perpetual model. So it's changed the technology we've had to offer, it's changed the pricing model, and it's changed the type of partnerships we've had. It's been pretty fundamental and it's really been driven by the whole consumerization of IT trend that's having users or departments driving IT purchases....

What's the breakdown of Centrify customers using on-premise versus cloud versus hybrid, and how has that changed?

The vast majority started with Centrify by buying our on premise software. Increasingly, we're seeing more and more organizations move to the cloud, and obviously embrace BYOD. So it's really become a hybrid. Smaller size organizations are more quick to become more cloud-centric, as opposed to larger organizations, because it's all greenfield for them. Larger organizations tend to tackle things more at a departmental level, or an app by app basis. Larger organizations tend to have some concerns about compliance they need to address, or they need to have their data on premise....

Ironically, the reality is that people who have their Macs or their iPhones, they're at home but they bring it to the office, so they suddenly become on premise as well. So it's kind of blurring. We can address both, because we have both software that runs on the devices, and we have software and services that can tie into on-premise or cloud-based. The nice thing for Centrify, because we span data center, cloud, and mobile, is we can sell to anyone and everyone, irrespective of where they're at.

How do you contrast yourself against the cloud-focused identity management providers like Okta and Ping? Do you view them as competitors? If so, how do you differentiate yourself?

We've built up a very vibrant business of providing identity services for on-premise, and we've built up an installed base of over 4,500 customers, and if you look at those vendors, they have one-fifteenth or one-tenth or one-eighth -- much smaller installed bases. We're much bigger in terms of size and revenues than some of those people as well. But they were there first in terms of providing SaaS single sign on. Now we've entered the market.

The fundamental differentiation is we're not just pure SaaS single-sign on. We do the data center. But we also do mobile. We made a conscientious decision to first do mobile because we felt mobile was going to be the access point for cloud-based applications. So we have a very rich and deep mobile capability that they don't have....

The second differentiation is the very large customer base we have. We're already a trusted vendor for some of the largest enterprises. And I know for a fact that some of those SaaS SSO vendors, those niche players, they're getting some traction with SMBs but they haven't won over many large organizations. The majority of our sales, even though we have over 4,000 customers, has come from those large organizations. 

The third differentiation is we have some strategic partnerships and relationships. For example, Samsung is OEMing both our identity and our mobile management capability as part of this new technology they're coming out with in coming months called KNOX. We're going to be embedded in that....And of course we know that Samsung is the number one provider of mobile devices, so we are very excited about the partnership we have with Samsung. None of those other vendors have anything comparable.

Finally, if you look at our approach, we have much better and tighter integration with Active Directory. Some of these vendors actually suck data out of Active Directory and create their own cloud directory. Some people are a little bit concerned or nervous about that today, as in do I want to put all my eggs in the one basket of a startup directory in the cloud? Or, do I want to leverage an existing infrastructure and technology that I already have, and have a third party cloud service provided an identity gateway or broker, as opposed to sucking all my data out of my directory and synchronizing it to something in the cloud?... 

We're just new to their area of the market, but we've got some really strong things going for us. So if they don't see us today, objects in the rear view mirror are closer than you think.

How did you see identity management tying into mobile management in the first place? Why'd you go down that road?

There's a lot of overlap. First of all, mobile is going to become the default access point from which people access information. So the first thing is, you want to ensure that there's some base level of security associated with the mobile device, that it is locked with a PIN, and that IT has the ability if it's accessing corporate resources to wipe it and to apply some basic policies.

The second way mobile management relates to identity management is the form factor. Who has time in a smartphone to type usernames and passwords for all the applications you want to access? It's just a terrible form factor for that. What we do is by providing a solution that not only provides some base security to the mobile device, but also makes sure that the device is a trusted device, the device has been authenticated, that means when people access applications from the mobile device -- we call it zero sign-on, they click from the application and they launch it. We don't force them to type up a plethora of usernames and passwords. Even if it's the same username and password, that's a huge advantage.

The third way it ties in, if you're going to deliver a cloud-based service to a user, you want to be able to deliver the rich mobile application associated with it. So provisioning a user for, say, Dropboxox is not simply about setting them up inside Dropbox, it's about pushing the rich mobile app to their iOS or Android mobile device. That's something we do.

1 2 Page
Join the discussion
Be the first to comment on this article. Our Commenting Policies