Centrify CEO on Dropbox, KNOX, Microsoft, and the future of identity

Centrify CEO Tom Kemp. Credit: Centrify via YouTube

When Centrify got its start in 2005, Windows PCs ruled, smartphones were rare, and the only real competition was happening on the server side, where Linux and UNIX variants battled against Windows. Centrify gave enterprises a way to manage user identities across these back-end systems using Microsoft Active Directory, which many companies were already using.

Things have changed dramatically since then, and Centrify has rolled with those changes, adding mobile management and a way to manage identity in cloud services. But the changes have also brought it new competition from cloud-based purists like Okta, as well as big new partners like Samsung, which is relying on Centrify to help power its upcoming KNOX security platform.

Today, Centrify is announcing a tie-up with Dropbox to provide single sign-on and tie into Samsung KNOX, so employees will be able to access a totally secure version of the Dropbox app in a special "work container" on their KNOX-enabled Android phone.

We caught up with Centrify CEO Tom Kemp last week to discuss the company's recent deals, the future of identity and mobile data security, and Centrify's future prospects. 

Here are some highlights of our talk:

  • Soon, we'll have to add another "BYO" to the list -- BYO Identity. "I think what's going to happen is this whole BYO thing will even include bring your own identity, where you're out of college, you get your Gmail account, and that's the primary account for all your jobs that you have as well.... So when you show up for your first day of work, it's expected that you bring your own phone, bring your own Mac or laptop, Yahoo or Gmail or Outlook.com account, and the company doesn't give you anything, they just grant you access to cloud resources. Then if you need applications, it will be delivered via containers.... Then when you leave, they'll remove the container with the applications, you retain the device, the phone or PC or Mac, and you retain the identity."
  • Differences between Centrify and cloud-based vendors like Okta: He listed several, but the most interesting was Centrify's tighter integration with Active Directory. "Some of these vendors actually suck data out of Active Directory and create their own cloud directory. Some people are a little bit concerned or nervous about that today, as in do I want to put all my eggs in the one basket of a startup directory in the cloud? Or, do I want to leverage an existing infrastructure and technology that I already have, and have a third party cloud service provide an identity gateway or broker, as opposed to sucking all my data out of my directory and synchronizing it to something in the cloud?"
  • Microsoft vs the MDM vendors: "[Microsoft's] Brad Anderson and his team are doing a great job of extending System Center to the cloud via InTune, and trying to go after the MDM vendors, and we'll let them fight those battles and we'll see if Microsoft can be a big player versus MobileIron and AirWatch. We don't want to be in that fight right there, part of the reason is a lot of it has been commoditized, but the real reason is that we're in a different market. We're an identity provider, we're not a device management [company]. Do we do some basic device stuff? Yeah, if no one has a solution and they want to ensure the security. But if someone does have a solution, we'll gladly say don't enable that, still leverage that zero sign-on from a mobile device."
  • Possible next steps: Consumer identity and an IPO. "Could this technology that we offer for enterprise -- is there a consumer play for that? That could be a potential, especially as there's a blurring between consumer and business....Centrify is not a startup with 100 or 200 customers like some of the other vendors who we're starting to compete with. We're a pretty significant company, we have over 350 people, 4,000 customers, we're growing at a nice clip. So we're looking at how we can expand and starting to think how can we put ourselves in the position over the next year or so to potentially be a public company?"

Here's a transcript of the full interview, lightly edited for clarity and to eliminate some redundancies.

Explain how Centrify came into being. What problem were you trying to solve back in 2004?

The fundamental issue that we were trying to focus on was that as IT becomes more heterogeneous, or was becoming more heterogeneous, a whole host of problems would occur. Those problems would include that users with all these different systems and applications would have additional usernames and passwords to deal with, and IT would have to deal with the issue of trying to figure out how they could centrally control who has access to what within the environment, getting the control and visibility. So if you look back 8, 9, 10 years ago, ironically heterogeneity was really happening from a server perspective, with Linux marching into the datacenter, supplementing and/or replacing Unix and Windows. What we came up with was some software that tied non-Microsoft systems and applications into Active Directory so users would have a single login and IT would have a unified identity infrastructure to consistently apply policies, control access, et cetera.

It turns out with the whole consumerization of IT, with BYOD, with bring your own servers, bring your own applications, that heterogeneity is expanding inside the enterprise. So the same problems are occurring in that users have a plethora of passwords, IT cannot figure out who really has access to what, et cetera. So much as how Linux supplemented or replaced Windows, you now have a situation where iOS, Android, Mac OS X are supplementing or replacing Windows or BlackBerry, and you have SaaS applications replacing the traditional on-premise applications as well. A lot of goodness comes from that in terms of flexibility of picking applications and devices, but there are some challenges with that, such as the multiple usernames and passwords for all the new systems and applications, and IT has control and visibility problems. So the same problem we tackled 8 or 9 years ago is even more applicable today.

How does the explosion in cloud services affect your business? It used to be that most every company did everything on-premise tied into AD. Now you've got individual users and groups going outside the firewall, you've got IT with a mix of on-premise and cloud. How does that affect Centrify?

We were primarily a software play, and so we built software agents that ran on over 400 flavors of Unix, Linux, and Mac. We created dozens of plug-ins into Apache, WebLogic, JSphere, JBoss, SAP, DB2, et cetera, and tied everything into a central directory. But then, with the advent of BYOD and growth of SaaS, we had to build a new architecture to enable single login, single unified identity infrastructure.

So well over two years ago, we started building a cloud service from scratch that acts as an identity broker or identity gateway from the on-premise AD to the off-premise systems and applications that are out there. We've evolved into a full-blown cloud service provider as well as providing software. Much like we went down the path of supporting all these divergent Linux operating systems, now we're going down the path of having to support hundreds and hundreds of SaaS applications, and different types of mobile devices. We've got a good track record of doing that, in terms of building a kind of factory model and cranking out support....

For the new technology, we've also had to change our pricing model. People expect a subscription-based model, while with our software they expect a more perpetual model. So it's changed the technology we've had to offer, it's changed the pricing model, and it's changed the type of partnerships we've had. It's been pretty fundamental and it's really been driven by the whole consumerization of IT trend that's having users or departments driving IT purchases....

What's the breakdown of Centrify customers using on-premise versus cloud versus hybrid, and how has that changed?

The vast majority started with Centrify by buying our on-premise software. Increasingly, we're seeing more and more organizations move to the cloud, and obviously embrace BYOD. So it's really become a hybrid. Smaller organizations are quicker to become more cloud-centric, as opposed to larger organizations, because it's all greenfield for them. Larger organizations tend to tackle things more at a departmental level, or on an app-by-app basis. Larger organizations tend to have some concerns about compliance they need to address, or they need to have their data on premise....

Ironically, the reality is that people who have their Macs or their iPhones, they're at home but they bring it to the office, so they suddenly become on premise as well. So it's kind of blurring. We can address both, because we have both software that runs on the devices, and we have software and services that can tie into on-premise or cloud-based systems. The nice thing for Centrify, because we span data center, cloud, and mobile, is we can sell to anyone and everyone, irrespective of where they're at.

How do you contrast yourself against the cloud-focused identity management providers like Okta and Ping? Do you view them as competitors? If so, how do you differentiate yourself?

We've built up a very vibrant business of providing identity services for on-premise, and we've built up an installed base of over 4,500 customers, and if you look at those vendors, they have one-fifteenth or one-tenth or one-eighth -- much smaller installed bases. We're much bigger in terms of size and revenues than some of those people as well. But they were there first in terms of providing SaaS single sign on. Now we've entered the market.

The fundamental differentiation is we're not just pure SaaS single sign-on. We do the data center. But we also do mobile. We made a conscious decision to first do mobile because we felt mobile was going to be the access point for cloud-based applications. So we have a very rich and deep mobile capability that they don't have....

The second differentiation is the very large customer base we have. We're already a trusted vendor for some of the largest enterprises. And I know for a fact that some of those SaaS SSO vendors, those niche players, they're getting some traction with SMBs but they haven't won over many large organizations. The majority of our sales, even though we have over 4,000 customers, has come from those large organizations. 

The third differentiation is we have some strategic partnerships and relationships. For example, Samsung is OEMing both our identity and our mobile management capability as part of this new technology they're coming out with in the coming months called KNOX. We're going to be embedded in that.... And of course we know that Samsung is the number one provider of mobile devices, so we are very excited about the partnership we have with Samsung. None of those other vendors have anything comparable.

Finally, if you look at our approach, we have much better and tighter integration with Active Directory. Some of these vendors actually suck data out of Active Directory and create their own cloud directory. Some people are a little bit concerned or nervous about that today, as in do I want to put all my eggs in the one basket of a startup directory in the cloud? Or, do I want to leverage an existing infrastructure and technology that I already have, and have a third party cloud service provide an identity gateway or broker, as opposed to sucking all my data out of my directory and synchronizing it to something in the cloud?...

We're just new to their area of the market, but we've got some really strong things going for us. So if they don't see us today, objects in the rear view mirror are closer than you think.

How did you see identity management tying into mobile management in the first place? Why'd you go down that road?

There's a lot of overlap. First of all, mobile is going to become the default access point from which people access information. So the first thing is, you want to ensure that there's some base level of security associated with the mobile device, that it is locked with a PIN, and that IT has the ability if it's accessing corporate resources to wipe it and to apply some basic policies.

The second way mobile management relates to identity management is the form factor. Who has time on a smartphone to type usernames and passwords for all the applications you want to access? It's just a terrible form factor for that. What we do is provide a solution that not only provides some base security to the mobile device, but also makes sure that the device is a trusted device, that the device has been authenticated. That means when people access applications from the mobile device -- we call it zero sign-on -- they click the application and they launch it. We don't force them to type a plethora of usernames and passwords. Even if it's the same username and password, that's a huge advantage.

The third way it ties in, if you're going to deliver a cloud-based service to a user, you want to be able to deliver the rich mobile application associated with it. So provisioning a user for, say, Dropbox is not simply about setting them up inside Dropbox, it's about pushing the rich mobile app to their iOS or Android mobile device. That's something we do.

Finally, there's the whole concept of providing additional security by providing multifactor authentication. One factor is the username and password. The second factor is something you have. And everybody has a mobile device.

Frankly, this is not an original concept. When Microsoft built Active Directory, not only does Active Directory provide authentication, but it also does Group Policy. Because you want to have the concept of both users and devices in a central directory where you can apply policy, you can authenticate the user and the device.... The cool thing with Centrify is if someone leaves the organization, we now have that linkage between the device and the user as well, so we can deactivate their devices. So there's just tons of synergy there. Samsung saw that vision and saw the synergy with providing not only AD-based management of their devices and container, but AD-based SSO, that's why Centrify was very unique in the market, we were the only vendor who could offer both. That's why we have this OEM relationship.

Microsoft has some presence in the management space with products like System Center, InTune, and so on. Do you worry about running into them?

We've been partnering with Microsoft for 8 or 9 years, and we've never been in a competitive situation where the competition is Microsoft. We're doing joint things together all the time. For example, our recent SaaS announcement was around Office 365 and Microsoft was very supportive of that. Microsoft actually validated our technology and we were part of the Works With Office 365 program. There's a lot of collaboration right there.

What Microsoft is trying to do in the cloud vis-à-vis device management is via InTune, providing the reach out to mobile devices. Frankly, over time there could be a little overlap with some of the basic device management capabilities that we offer that InTune may catch up to. But we're only doing that capability just to ensure that the device is secure as an access point. If it turns out that someone wants to go down the InTune path, or use an AirWatch or MobileIron, great, go for it. Don't use that part of our capability. Our sweet spot is unified identity services. What System Center and InTune are about is unified device management.

So there's a big difference. Brad Anderson and his team are doing a great job of extending System Center to the cloud via InTune, and trying to go after the MDM vendors, and we'll let them fight those battles and we'll see if Microsoft can be a big player versus MobileIron and AirWatch. We don't want to be in that fight right there, part of the reason is a lot of it has been commoditized, but the real reason is that we're in a different market. We're an identity provider, we're not a device management [company]. Do we do some basic device stuff? Yeah, if no one has a solution and they want to ensure the security. But if someone does have a solution, we'll gladly say don't enable that, still leverage that zero sign-on from a mobile device. We'll continue to partner with Microsoft -- they've announced some really interesting stuff as part of "Blue," Windows 8.1, and we'll continue to collaborate.

Tell me about that service for Office 365. What are you offering that Microsoft is not able to offer itself? How did that deal come about?

Microsoft built a technology about 8 years ago called Active Directory Federation Services (ADFS). ADFS was basically built pre-Azure, pre-Office 365, pre-Windows Azure Active Directory. It's an on-premise solution to do federation. What happened, fast forward, Microsoft has come out with all this cloud technology. The biggest application platform is Office 365, which runs on their platform-as-a-service and infrastructure-as-a-service, Azure. So they're trying to attract people that want to move to the cloud. Say you're a small or medium-size enterprise and you have two Exchange servers. Instead of having you move to Google Apps, Microsoft wants to have you move to Office 365.

Then users are going to say, "I expect when I double-click on Outlook, I'm going to silently authenticate just like I did from on-premise." No, actually you have to implement this capability called federated identity. So then Microsoft said "to use your solution, you have to deploy ADFS." The problem with ADFS is that it's very much an on-premise, hardware-based approach. To set up ADFS, even for a small environment, you need to put two ADFS proxy servers in the DMZ, you have to install an additional two servers on premise, then you have to install a directory sync server. So you have to set up five servers on premise to move to the cloud to get functionality that you had before.

So a customer will say to themselves, "I thought I was moving to the cloud to decommission servers, so I get to decommission two Exchange servers, but to get there I have to replace it with a minimum of five ADFS servers?" Microsoft realizes that is causing some friction. It's a historic product that they've already supported, so they're going to continue to support it. And of course it's a good solution for people who have already deployed ADFS, which typically are larger organizations. But maybe the small and medium-size organizations, they don't want to pay $25,000 or $30,000 in hardware, which is greater than the cost of Office 365.

That's where our architecture comes in. You just need to put a small piece of software in, somewhere on premise -- we call that the proxy service -- it doesn't have to be in the DMZ, you don't have to poke any holes -- then the heavy lifting is done via our multitenant cloud service that acts as the gateway broker. You could spend two weeks setting up ADFS or you could spend 5 minutes setting up Centrify.

Are Microsoft people upset that we could be an alternative? No, because ADFS was never a chargeable item and they never got paid for hardware sales, and frankly the two weeks of slowdown just adds friction to the whole deployment and sales process.... Microsoft is more interested in our solution because we leverage AD, and we don't replace AD with our own proprietary technology. So our architectural approach is not only better for customers, but it's more friendly to Microsoft because we're not trying to compete with Microsoft with an alternative directory in the cloud like other vendors.

It seems crazy that Microsoft would roll out these cloud services without cloud-based federation. That seems like a must-have.

It's tricky. It's a question of prioritization. The nice thing is, we not only support Office 365, but we also support other applications. So we can seamlessly plug into Salesforce, even into Google Apps. Or WebEx, Concur, the list goes on. The reality is that if Microsoft were to build something cloud-based, then the customer would say, "that's great, but what about all these applications?" So it's a complex problem, and I think they just want to do a good job of winning the cloud app war, and if they can get a partner like Centrify to address this issue in a better way, they can focus on their core competency, which is winning the Office war, or the app war, as opposed to tying into 400 operating systems and 1,000 applications.

So it really ties back to your core value proposition of supporting heterogeneous environments.

People have a mix of on-premise servers, they're rolling out servers on Amazon or Rackspace or Azure, they've got Mac OS X, they've got Windows, they've got iOS, they've got Android, and we can credibly go in there and say "look, wherever the point of pain is, wherever the itch that needs scratching... we have a solution that can tie that stuff into an existing directory infrastructure." ....

What are you announcing with Dropbox today?

We're doing something very comparable to what we announced with Microsoft, which is ensuring that Dropbox can seamlessly work with Active Directory, and they recently came out with SAML support. We support that, we have that tie-in, we've tested it with them and validated that. But we're going a little bit beyond what you get with some of these other SaaS SSO vendors.... This is in the context of both vendors' partnership with Samsung. So within Samsung KNOX there's a container and the Dropbox application, and Dropbox wants people to run that in the container. And that's a rich mobile app. So what Dropbox is doing, they're right now working with our mobile authentication services SDK, which we licensed to Samsung. So they're going to enable their rich mobile app to have this zero sign-on experience.

So the partnership we're announcing is not only at the cloud level in terms of providing SaaS single sign-on, but it's also working with them with their rich mobile application, and having them tie into our mobile cloud service to get that zero sign-on experience with their rich mobile app. Again, that's the differentiation that we offer in that we have software that runs on Android. And we're part of the KNOX container. When you're in that business container, you've got these rich mobile apps -- you just want to click them. And you want to launch them. You don't want to click them and do a log-in prompt, who's got time for that?

What's going on with KNOX anyway? Samsung announced it at Mobile World Congress in February, but it seems like it's taking longer than expected to come out.

I'm not a representative of Samsung, but we work very closely with the team. I think in hindsight it probably wasn't clear in terms of setting expectations in terms of when it comes out....The good news is it will be coming out relatively soon, and they're doing a great job of QAing the product. We're running it here. I even posted on YouTube where I gave a live demo of it as well. It is rock solid and it's really going to disrupt the market here. So we're very bullish on KNOX, because it's really taken this container technology and put it in with the core OS. Then you combine it with what Samsung offers with SAFE MDM in terms of all the controls, and then the fact that they're embedding technology such as ours, it becomes a really powerful solution....

There's definitely a hunger for better Android support in the enterprise.

It addresses the biggest knocks against Android, the whole malware thing, then the whole data leakage and all that stuff. Those are big concerns and that nails it.

The BYO phenomenon has gone way beyond BYOD. We hear about bring your own service, bring your own infrastructure, and more. How do you think that changes the overall IT landscape, and how does Centrify capitalize on that?

I'm going to add another BYO -- bring your own expectations. People are going to have similar-type expectations for their corporate IT that they have for when it comes time for them personally to have an application or buy a device or whatever. I think what's going to happen is this whole BYO thing will even include bring your own identity, where you're out of college, you get your Gmail account, and that's the primary account for all your jobs that you have as well. So people could temporarily grant access to an email address to applications, then when you leave an organization, they decommission the use of your identity, but they obviously don't turn it off or deprovision it....

So when you show up for your first day of work, it's expected that you bring your own phone, bring your own Mac or laptop, Yahoo or Gmail or Outlook.com account, and the company doesn't give you anything, they just grant you access to cloud resources. Then if you need applications, it will be delivered via containers. And the containers will not only be on your devices, they'll also be on your PC or Mac, and so everything inside the containers is all the business applications you need, and you'll let IT manage those containers for you. Then when you leave, they'll remove the container with the applications, you retain the device, the phone or PC or Mac, and you retain the identity. That furthers this kind of synergy between mobile and identity, where this container technology is also extended to Macs and PCs as well. You may even be in this situation where your own personal Mac or PC has multiple containers. It has a container for your job, a container for your university or school where you're taking part-time classes, there may be a container for a volunteer organization that you participate in. And each of the containers has its own apps, and the IT organizations manage those containers and push things to you. So it's very exciting where things are going with consumerization, and I do think containerization and identity are two key technologies moving forward in a consumerized IT world.

Where does Centrify go next? What can we expect in the next couple of years?

Could this technology that we offer for enterprise -- is there a consumer play for that? That could be a potential, especially as there's a blurring between consumer and business.... As the world becomes more consumerized, is there a Centrify for consumers solution? The other area of interest is from a mobile device perspective, how can we better implement multifactor authentication, so in the end you just have one password but that's not the only factor. How can you better utilize mobile devices to provide multiple levels of authentication for you? ....

The third thing is, Centrify is not a startup with 100 or 200 customers like some of the other vendors who we're starting to compete with. We're a pretty significant company, we have over 350 people, 4,000 customers, we're growing at a nice clip. So we're looking at how we can expand and starting to think how can we put ourselves in the position over the next year or so to potentially be a public company?
