In Las Vegas, Nevada, on day two of Black Hat, John Furrier and a guest discuss the hot market, funding, and growth of startups. Tarun, a serial entrepreneur, talks about VEZA, a company focused on the principle of least privilege for data security. The challenge lies in understanding permissions and entitlements at scale. With the rise of AI and machine identities, the problem becomes more complex. VEZA's Access AI offering aims to provide visibility and intelligence for organizations to maintain least privilege access. By using AI to define role recommendations, V...
>> Good morning security fans and welcome back to Las Vegas, Nevada. We're here steaming through day two of Black Hat. My name's Savannah Peterson, excited to be joined by John Furrier and a fabulous guest for this segment. But I got to ask you, John, are you loving Black Hat this week?

>> I mean, the conversation has been great. We had a wide-ranging set of conversations from experts, from companies making the news. Obviously the funding is still hot and we've got more startups popping out. So a lot of growth, a lot of company's growth-

>> Lots of growth.

>> A lot of product sprawl, but still there's a lot of problems to solve.

>> Yes.

>> But it's a hot market.

>> It is a super hot market. And who better to talk to us about that than Tarun who's been on the show multiple times over the last 10 years, serial entrepreneur, total G, very exciting news and things going on at VEZA right now. We can't wait to hear all about them. How's the week been for you? Big week of announcements.

>> Excellent. It's always good to be back at conferences like Black Hat where you get to meet so many customers and really sort of opine and get their feedback and use that, but also just a lot of energy.

>> It is a good energy show.

>> A lot of energy in the show. And so though I would say I didn't realize Black Hat had grown into that size.

>> It's very nerdy show too. You got a lot of technical people, CISOs here with their teams. You got a lot of conversations in the product side. A lot of technical product conversations, not so much business transformation.

>> Yeah, teams want to get into demos, teams want to talk about, hey, can we see this in action? Rather than just data sheets.

>> Well, let's get into your company. Obviously a serial entrepreneur, your last company, you sold the rubric, you've been in the space, you know data, obviously your background. What is this company's story about what was the motivation four years ago to start this company and give us the update?
Also, the news was out this week on the funding extension, which are JP Morgan, congratulations, but great success. What's the motivation? What's the purpose? What's the mission?

>> Yeah, thank you, John. That's a question that we sort of keep front and center, which is why did we start this company? What was that insight and intuition? And it was just when we were starting the company back in early 2020, we're literally just going around with a piece of paper. And the question that I was asking and we were asking is like, look, if you think of what's top of mind when it comes to securing the most important asset in your organization, which is your data, employee data, customer data, third-party data. And this feedback that we were hearing is like, look, we operate in defense in depth. We have operated secured our endpoint, we secure our network, we secure a front door, but yet we haven't cracked this nut of principle of least privilege. And it's a little heavy term. So it's like, okay, what do you really mean by that? And explain that. So we got this problem statement, John, back four years ago. It's like, look, I have every security tool with me. I still cannot answer this question. Who's Savannah and what can she delete in Snowflake or who's Joe and what can he delete in Salesforce?

>> This is such a... Standing on the outside, it sounds so silly, but why is this such a complex challenge for businesses?

>> Thank you. Thank you for asking this question. Exactly. What is our point of views? How can it be that this problem has not been cracked?

>> It sounds like such a... Like obviously you're the painkiller in this situation, but why is that so systemic?

>> Yeah, no.
So I think, look, what has really happened over the last two decades, if you see movement, it started with the adoption of cloud, adoption of SaaS, and every time anybody gets access, John gets access to Salesforce, John gets access to Snowflake, he's essentially getting access through permissions and entitlements, not really through his identity. And so the principle of least privilege as we cracked, we have lived in the last two years or last two decades, sorry, in this world of identity, which was nothing but an Active Directory, trees built on top of trees. John belongs to a group of finances, his role as a CFO. Well, that doesn't mean much. John gets access to Salesforce. John gets access to Clary and he gets access through permissions and entitlements. And so our observation was that if you really want to go after the problem of principle of least privilege, which says you should get as minimal access as possible, that is rooted in ability to understand permissions and entitlements. Permissions enable access, not necessarily your identity. That was the insight. How come we have not cracked the problem of who can take what action on what data to intuition that in spite of it being a simple problem, nobody has really cracked understanding permissions at scale. You have access to 50 systems, Google Drive, Slack, critical systems and your identities across all those business-

>> So the fragmentation of privilege-

>> Correct.

>> ...is the main issue. Databases are driving it. You're an entry in a database relative to that specific thing.

>> That's exactly right. John has access to Oracle and it's your privileges that allow you to perform certain apps.

>> Talk about why GenAI highlights this problem and why it's needed. Because obviously we've been saying on theCUBE prior to your other company, we were talking about data as an operating principle.
Data's everywhere now and it's also kind of runtime generative.

>> Correct.

>> Applications are going to generate a response, which means it's not known. So data needs to be available.

>> Correct.

>> And then the app needs privilege.

>> Correct.

>> And then the person in the app, is that right?

>> That's exactly right. So if you think of why SaaS caused a lot of tailwinds, cloud caused a lot of tailwinds. And if you look at GenAI now, these are all machine accounts. These are machine identities. If you think of an AI app or an OpenAI, that's nothing but a non-human, a machine identity, you spin up a compute instance in the cloud and you want some... What is AI? At the end of the day, it's a three-legged stool. It's training data, it's compute, and it is the data that on which the training model is running. The compute is nothing but a non-human identity. And so AI is actually making the problem a lot more worse and a lot more severe, if that makes sense.

>> It totally does.

>> So how does your announcement combat that? How does access AI help that?

>> Absolutely. So what we announced, and we're very, very excited to announce our sort of access AI is what we're calling it, a brand new offering in our product portfolio. Again, going back to the problem, Savannah, which is why did we start this company. In spite of all the cyber tooling, every week we hear a news about a breach and ransomware. For the first time ever in the last six months of 2024, a first billion dollar breach. The first billion dollar breach in our history happened this year. And the root of that is back to principle of organizations don't operate to principle of least privilege, right? We want to help organizations strive towards that. And if we say, look, we want to help organizations strive towards principle of least privilege, then we have to go understand fragmentation of permissions and privileges spread all over the place. You cannot do that with humans.
You need machines, you need computational models, you need algorithms, you need data set. So what we've announced with Access AI is a set of ChatGPT-like interface, it's most canonical thing that every all of us associate with. So we've announced the Access AI essentially now you have a capability, a ChatGPT-like interface, a GenAI powered interface. You can ask a question on VEZA control plane, what does Savannah has access to in Nike? Imagine you having that capability like a Google search for your enterprise. Who's John and what does he has access to in Snowflake? What can he delete in AWS? And this essentially is what we announced. And the second part of the access AI announcement, Savannah, was around every day we need access to things, go back to the AI, OpenAI as a compute instance needs access to some data that it can run as a machine. That means you need access to a system and that access to the system is I need to recommend you a role. The way we get access to Salesforce, I get associated to a role and that role gives me a set of privileges that I can perform certain actions. Well, instead of human deciding, what does John get associated with? Let access AI define. And so we're calling it role recommendations, which is very powerful interface.

>> So identity has been always been a hot area and the hackers have been attacking that as a vector. It's been a big part of where hackers go after because the laziness of either the companies or not knowing who has what, the person might've left the company or maybe just ignored an update or whatever, given someone privilege or they get in. How do you guys guarantee that security piece? Because this is going to come up a lot with CISOs. What's been the reaction? So I love the idea of least privilege. If everyone does their homework, you start from the minimal position and then add it. You have intelligence and reasoning. What's the security posture for you? How do you give that confidence?

>> Great question.
Great question, John. And I think look, identity, our point of view is the second reason why we wanted to start the company is identity needs to go from IT-specific function to a critical fabric of cybersecurity. And now the question is how? How does VEZA approach that? So the way we approach the topic of bringing identity to be a security posture-centric is you start with that visibility, that intelligence layer, we call it access graph. Identity graph, who's John and what can he go delete in Snowflake, we give you that visibility and then we help you understand is that access good, bad by a machine, by a set of critical findings. And then the way to bring it into the security context like a SOC or like a security engineering team is you say, okay, that's my baseline. My baseline is Bill has read access to Salesforce. I want to define that baseline. I want to create a rules and set of policies around it. And if that access drifts, it goes from read to write, it goes from read to delete. If a drift happens or a creep happens, you want to get notified to the security team that can take immediate action like an on-demand. Let's say I report to John, I got my access go from read to write. John gets notified through VEZA. Through a webhook notification that "Hey, one of your employees just got your access elevated. You may want to go validate that." And that's how you go into from visibility intelligence to remediation, monitoring, revocation. And that entire thing is about security engineering, security architecture.

>> On the customer side, obviously your news, you got the JP Morgan invested in you guys.

>> Thank you.

>> Which was part of your last round, extension last round. That's notable because they don't do a lot of investments, but obviously they must be a customer. I'm just assuming they're a customer if they're investing. They're good. I mean they have great team over there. What's their reaction? Why are they so excited to work with you?
Can you share anecdotally or specifically how they approach this and what's been the outcome for them?

>> No, thank you. First of all, we are very grateful to partner with an iconic institution like JP Morgan because as you rightly said, John, there are customers and there are customers you want to in this sort of first seminal ages of the first four or five years of the company. You want to partner with organizations like the biggest bank in the world that can help you think about use cases that you're not even thinking about. So one, I think we got introduced to them about three years ago, really partnered with them on how we are thinking about this space. And that kind of an organization is thinking about architecture. Not speeds, feeds, features, right? Are you thinking about this problem for first principles, visibility, intelligence, access graph? Because they're all about innovation, right? Not me too. So we partnered with them about three years ago, really worked very hard over the course of 24 months as you can imagine working with such an organization. But their primary use was like, look, JP Morgan, like an institution is embracing cloud as they very openly talk about-

>> And they're doing least principle.

>> Least privilege.

>> Least privilege, I'm sorry, least privilege philosophy.

>> They want to institute top down look data as our most critical asset. We want to make sure as we move our data to the cloud, that least privilege access is maintained in the cloud. And that starts with who has access to what. Governing that access we were talking about before the session. I want to govern that access. I want to monitor that access and I want to maintain that baseline and I want to maintain that baseline over a period of time.

>> Yeah, I can imagine a lot of people do that.
And looking at speaking of customers, looking at the customers you have here on your website, really across the spectrum, everything from Mattel to we're here in Vegas, you've got the Wynn as a customer, quite a lineup. Have you noticed adoption of VEZA is vertical specific? Is it really general? Who's jumping in first?

>> My view, as I shared with the teams internally, everybody's going to be needing VEZA over a period of time.

>> Yeah.

>> It's just a matter of time. But thanks for that, Savannah. We have customers across all three verticals, financials, healthcare, pharma, life sciences, big tech, manufacturing, and all the way, what we call is internally is a bi-modal go-to-market, meaning organizations in mid-market from 500 employees to 3,000 employees. And really enterprise when you go 3000 employees and above. So I would say broad go-to-market adoption all the way from early stage to late stage organizations, commercial to enterprise to large enterprise, but also across lots of verticals where all these customers care about the data that you have.

>> Yeah. Oh, of course they do. And they've got a variety of data both on their employees as well as customers.

>> Exactly right.

>> Are they all an equal level of chaos and invisibility?

>> Oh, it's such a good point. It's shocking. The first look, our core innovation is around this concept data model. We call it VEZA access graph, right? We turn it on, let's say we turn it on for theCUBE and John will be able to see who's Bill and what can he do in Google Drive. When you see that graph, it's like something that you've always wanted.

>> It's like somebody turned the lights on.

>> Humanize. I love that word.

>> The database kind of back office kind of tables and like schema.

>> Yes, I always knew that somebody had access but I never had a view to it. So that visibility, that empowerment they get by getting that visibility of who has access to it.

>> So I have to ask you on your vision confidence.
I mean, we were talking yesterday about how intelligent applications are going to need to have access to data and that data security has to be traditionally built in from day one, governance and doing all this least privileged kind of stuff. So the question is that will it identify things I might need access to or do you see a future where apps can on the fly intelligently say, this person should have access or doesn't have access any given notification?

>> I love it, John. It takes me back to our 2016 days. You're absolutely right. So look, the act one or act two about visibility intelligence starts there. You take it to the next level of actionability with remediation, revocation, and monitoring to the earlier point of how do you take identity into security? But what's the North Star, right? What's the North Star mission? Which is where you're going. And the way we define the North Star is like, look, access request has to be built as an AI machine. I need access to something. The machine should say, Tarun should get access to this app through this least privileged role, seamless and least privileged from day one. And that's a North Star. Can we take, and now why are we in that position to go achieve that North Star is because you've spent last four and a half years understanding the sprawl of permissions and the defragmentation of the permissions spread all over. And so we recently launched state of access as our first seminal report as a thought leadership. We have about 10 million identities in our graph now, and that just gives us that amount of data set to train to understand and then go recommend. To your point, I'm about to get access to something, I better get a least privilege access.

>> And you're unifying through not a rip and replace complete destruction and rebuilding of identity. You come in and offer the basis to kind of aggregate existing systems. That's an important point.

>> No, exactly. No, absolutely.
Look enterprises, John, as you know from years, for them to trust a startup to come and replace day one, you're not going to make any friends. And so you have to own your right, you have to own your respect. And so we started with, look, we'll come in as a complement to your existing tooling where we'll give you the visibility intelligence, but it's become also very clear, John, given platformization, given pressures on macro headwinds, you have to replace an existing budget line item. And so what we realized as we went into this market, identity has three key pieces. Access management, which is your all Active Directory you're paying, your Okta. Number two is your privilege access, which is like CyberArk or BeyondTrust or Delinea. And the third big pillar was IGA, identity governance, SailPoint. And so you go after the weakest, we have a phenomenal product in next to an IGA space. We are winning a lot of good Fortune 100, Fortune 500 customers. We use the framework, something new, something old. Something new is that visibility that you've never had, which you needed. And use that as to go after the mundane business process of IGA, access reviews, access recertifications, joiner, mover, leaver. I'm joining an organization, I better get access day one or I'm about to transition an organization. You as an organization should not have any access debt because access debt will come.

>> You make it easy.

>> Well, not only easy, but bringing AI to that. Of course, if you want to go be a 10X to that existing product for an organization, there's a lot of readiness we feel in the market to go look at a modern IG solution. It was a great tool that was built over the last two decades for the era of Oracle. We are not in the era of Oracle. We're in the era of SaaS and cloud and GenAI.

>> Well, great opportunity. Obviously the funding and the endorsement for the investment and then just overall traction. It's a great market.

>> Thank you.
Appreciate the opportunity.

>> Yeah, I mean, what interesting market timing. I just got to point out because we were calling out and I saw that he's your angel. Joe Montana is an investor. He called on LinkedIn. So you start from that level at the earlier stages now to the biggest bank in the world participating, who's your next stream investor?

>> Time will tell, time will tell. Thank you so much. Thank you. Thank you. So thank you so much for saying that. Bringing Joe on as an investment team and a part of that extended team of ways has been very humbling.

>> Do you throw the ball around ever? I got to ask.

>> I just feel humbled and privileged to pick up the phone and have a conversation with him. But thank you for saying that. And JP Morgan, we're very grateful for their trust and belief. These are iconic institutions that can help you build an enduring company is how I see it, right?

>> Absolutely.

>> If you want to go build something evergreen, if you want to build something enduring, you need such partners around you.

>> And they replace very .

>> on behalf of get this investment going.

>> I just want to come to the barbecue.

>> We want to go do a company get together and have him come and meet 200 people and their families. What an event. So working on that.

>> Congratulations.

>> Thank you so much.

>> Last question for you as we wrap up because we could talk all day. You're an absolutely fantastic guest. What do you hope to be able to say when we have you on the show next time? Let's not make it six or seven years this time, let's call it next year at Black Hat. What do you hope to be able to say then that you can't say now?

>> It's a good question. Good question, Savannah. Look, our North Star mission, I go back to customer love, customer ambition, customer obsession. Be grateful to come back and say, we went from JP Morgan to probably the top 10 banks. All of those banks, five years, 10 years, a year from now. Hopefully not five years.
But I think that what gets me fired up or what gets me excited is I think identity is a foundation of cyber security.

>> Absolutely.

>> And can we take this year and not... Let's not have John, identity, be a siloed function. Can we make identity in the hands of an app owner, in the hands of a data owner, in the hands of a DevOps owner? Rather than it being a siloed function within the security team. If we can democratize identity where a Snowflake owner, a Salesforce owner, an OpenAI, ChatGPT owner can do least privilege, I think we have made a significant impact forward.

>> I love that. Well, we look forward to celebrating that.

>> Thank you so much.

>> And your newest celebrity investor when you're on with us next time. Tarun, thank you so much for taking the time.

>> Thank you so much for the opportunity. Appreciate it.

>> John, always a pleasure. Fantastic questions and thank all of you for tuning in wherever you might be on this beautiful rock. We're in fabulous Las Vegas, Nevada at Black Hat. My name's Savannah Peterson. You're watching theCUBE, the leading source for cybersecurity news.