In this theCUBE + NYSE Wired: Cyber Security Leaders interview, Nancy Wang, chief technology officer of 1Password, joins theCUBE’s John Furrier to discuss the critical shift in cybersecurity from network perimeter defense to identity assurance. Wang explains how the rapid adoption of artificial intelligence and autonomous agents is redefining the threat landscape, effectively moving the primary attack vector from system penetration to identity compromise. She details 1Password’s strategy as the "picks and shovels" provider for the AI revolution, focusing on securing the credentials of digital coworkers and ensuring that non-human identities operate within strict zero trust guardrails.
The conversation delves into the complexities of securing ephemeral AI agents and the necessity of binding identity to intent in a world of automated workflows. Wang highlights 1Password’s approach to solving shared credential challenges through features like Unified Access for non-SSO applications, ensuring organizations maintain visibility and control. Furthermore, the discussion explores the convergence of physical and digital security at the edge, where AI-driven decision-making requires robust device trust and granular permission management. Wang outlines how 1Password is extending its privacy-first architecture to govern the machine-to-machine interactions that will define the future of enterprise resilience.
Nancy Wang, 1Password
GM, AWS Data Protection + Founder/Board Chair, Advancing Women in Tech (AWIT)
>> Welcome back here. I'm John Furrier with theCUBE, here at theCUBE's NYSE studio on the East Coast. Of course, we have our Palo Alto studio connecting Wall Street, Silicon Valley, tech and money. The technology is the market. If you look at it these days, everything's happening. This is part of our cybersecurity leaders series. Nancy Wang is here, CTO of 1Password, CUBE alumni. Welcome back to our new studio here in New York.
>> Thank you for having me. Yeah, what an incredible location.
John Furrier
>> Yeah. I mean, it really is the confusion. The NYSE Wired program, one of our new CUBE original programs, is really targeted at the intersection of technology and capital markets because as I was saying on my opening, this market, CNBC, the market, technology is the market. If you look at Davos, you got politics and tech. Jensen Huang's a political figure. So you're seeing technology is the market. The board on the options here is Tesla, NVIDIA, AMD, all tech companies. And AI brings that tech into all aspects of life. The physical AI coming together with digital, cryptocurrency, real world assets on chain. We are living in a fully converged tech world.
>> Absolutely. I mean, I have not seen this much excitement about what AI or tech can do since the cloud. And speaking of the cloud, that's, I believe, when you last covered me was when I was still with AWS.
John Furrier
>> Yeah, yeah. And the cloud scale set the table for the scale we're seeing with AI. And in fact, Dave Vellante and I were talking about this on our last CUBE pod. The acceleration of change. I'm like, "This is a 10 year cycle." It actually might be five. This generational shift from AI to autonomous is happening. 1Password you guys nominated on a TechForward award with SiliconANGLE. Congratulations.
>> Thank you.
John Furrier
>> You're at the heart of it. I want to get to that, but I'm more intrigued by your new role as CTO in 1Password. VP of engineering is a CTO. Congratulations. What's that mean?
>> Yeah.
John Furrier
>> What does that mean? Tell us.
>> Sure. Well, that means being able to kind of see what's ahead. And to your point, the world is changing so quickly. I actually spend a lot of my weekends now playing with the new AI tools that are out there in between meetings, maybe building some agents on the fly. But all of that to say, just how we're thinking about building products, even developing software has changed tremendously, not just in the last five years, but really in the last six months, 12 months. If you think about how AI is being used today, we went from chat interfaces, chatbots to now, hey, I have a procurement agent that's going to go end to end, for example, get a contract signed, get it paid for me, get it recorded in the bank account for me. Wow, how incredible is that?
And so how we're thinking about AI, especially at 1Password is, well, AI is going to become your digital coworker. And so when it has the same access, the same permissions as you do, let's say John, well, we need to be careful about that because you can't just give machines or automatons keys to the kingdom and say, "I trust that you will do the right thing." Who are you trusting? So that goes to context, understanding what it's allowed to do, who gave it that right to access those sensitive systems, and how can you bake in those permissions, that right level of access down to the credentials level? And this is why, for 1Password, we are the picks and shovels provider for this AI evolution.
John Furrier
>> Talk about 1Password. I was just in an interview this morning with a health tech company that I love called DNAnexus. It came out of Stanford. They're doing a range of supercomputing applications for optics. And they have so much storage. And so the storage industry, memory, the supercomputers are dealing with all this data. And on the hacker side, it's shifted from penetration of the network or the access to identity access. And so identity is now the number one target for hackers because it's easier.
>> Yeah.
John Furrier
>> Don't hack in, log in.
>> Exactly.
John Furrier
>> So identity has become not just the bolt-on system, "Hey, I'm running a little clusters or siloed," identity becomes the key piece. And then if you factor in agents that need identity and trust, take me through what 1Password is doing because I think you guys are at the nexus of those two things of identity as a practical thing and identity as a core construct for all AI.
>> Yeah. Well, you just summed it up super well, John, which is, well, why need to hack it if you can just pretend to be, let's say, John Furrier of theCUBE and have people believe you and act as John? How much simpler would that be to then just exfiltrate data, make payments, maybe extort folks. And we're hearing this happen real live with, for example, just the volume of let's say North Koreans who are applying for jobs today in tech companies. I'm hearing this across many, many CISOs I talked to. It's a real problem. And it boils down to identity, which is how do we know, without a shadow of a doubt, that you are who you say you are? And so today, that's really where I would say 1Password has a unique strength because we store over a billion in change of credentials. And credentials are a way of proving your identity. Because if you are truly John Furrier, well then you would have John's access to, let's say Wells Fargo. You would have John's access to his X account. And so that's one way we can prove our identities. And so if you extend that strength from humans credentials to machine credentials, and many folks today already have service accounts that they've created with 1Password and now extend that to developers, and then if you extend that from the assumption of developers are the ones building with AI. They're building agents. And so now you're extending those credentials and our unique strength all the way to agents.
John Furrier
>> I've heard stories, Nancy, of agents having root password and okay, well, just hack the agents.
>> Exactly.
John Furrier
>> So if I have my own agent, I've been hacked, but I'm not ... So you have to have that trust and the delegation of trust in the agent era. So take me through what that means, because a lot of people are seeing agents. We've heard quotes here on theCUBE and certainly Marc Benioff, when he was on, he said there'll be billions of agents. And I think Matt Garman said, we expect billions of agents, agents of agents.
>> Of course.
John Furrier
>> There'll be all kinds of derivative, but they're basically machines and software.
>> Absolutely.
John Furrier
>> So you have the non-human and human. What is the key in this wave to manage this? Is there a blueprint? Is there a playbook?
>> Yeah. Well, that would be the billion dollar question. So I think you're absolutely right in the sense that it is an evolution of non-human identities. And we saw an explosion in non-human identity governance and non-human identity visibility in the number of startups just in the last 12 months. And so agents are a form of non-human identities, but in the sense that they tend to be ephemeral. So for example, they can be spinned up, spun down. They can be, for example, let's say ended when they've completed their workflow. And so that brings a new dimension of complexity to this problem of machines. And so, for example, when you bind an identity to a machine, and traditionally that has been done through maybe third party certificates, PKI, for example. But here, once you enroll an agent, it's really about that intent behind that agent. Who's controlling it? Who's asking it to do what? And so the identity of the agent itself might actually change based on what it's doing at that point in time.
John Furrier
>> So I want to ask you about the deployment side of it. We just were covering NRF Retail Week last week here in New York, and I keep bringing up this MIT study because I thought it was just the worst. But sample size is off, but they were, "Oh, the number of agent projects are failing," with some stat about ... It gave the impression that agents were failing all the projects. Well, first of all, there's experimentation, so when you have experimentation, things do fail.
>> Of course.
John Furrier
>> But one of the soundbites from one of the CEOs at the NRF was, and I interviewed him a year ago here at the NYSE, he said, "Since we last talked last year, we have record revenue, record profits, all because we were in early on agents and really thinking about it intentionally." And so that's consistent across. So we started to see real world examples of where people who did it right, workflow management, managed the compliance, got the identity right, saw massive uptake and top line revenue. So can you share your thoughts on how you're seeing these real world experiments, experimentation convert into real world deployments?
>> Sure. And certainly there's definitely still real world experiments going on. And this is where, for example, you see the plethora of sandbox approaches with agents, which is how can I control the environment variables to which this agent is acting and then be able to measure the output versus the intended output? And so going back to this evolution, agents are here. We can't just put our heads in the sand and say they're still chatbots. They're here, they're real. They're doing end-to-end workflows now, whether it's programmatic agents, whether it's agents also in the browser. And because, as 1Password, where a lot of our business happens in the browser, we see that on the day to day. Spinning up, for example, remote browser agents to be able to book airline tickets for you now, be able to, for example, reserve restaurant bookings. All of that is happening in real time. And so what this means is the context. The intent becomes that much more important, especially when you remove that human decision making from the loop. And so how can you trust that agent from start to finish if that agent is touching, for example, sensitive systems? And this is where, for example, you often hear the term that agents are probabilistic. Just because you give it the same input doesn't mean the output's going to be the same.
However, the important distinction we like to make at 1Password is the actions that we'll be doing to the underlying systems. So whether it's your production Postgres database or your, let's say Databricks cluster, for example, those systems themselves are impotent. And so you got to make sure that the agent actually knows what it's doing, or rather, in this case, the human behind the agent knows what that agent should and should not be doing.
John Furrier
>> As you sit at that center of the identity with the agents, is there, I won't say level of IQ or where ... I guess my question would be, is there a certain tiering between use cases that are more predictable, less risky than some of the more dynamic ones where you really want to look at outcomes, maybe apply some machine learning to it or AI to it? I know Databricks last year, at their conference, really looking at the results, the output of the agents, because the things weren't clear. Are there levels of like, okay, this is lane one, easy agents, know the workflow. Less deterministic, more variables. Is there a world where this is being classified like that? Or what's your take on that?
>> Yeah. We see this evolution with, in fact, actually as you bring up this cyber segment. We've seen with AI SOCs, for example, right, starting out the software at handling tier one, tier two escalations and moving their way up to more complex cases. Certainly with agents as well because if you're not touching bank account information, if you're not touching payroll, for example ... If you're, for example, an email summarizing agent or a calendaring booking agent, those have less of a blast radius. But with that said, we can't just assume that there's going to always be a ceiling. At some point, in order to really realize the efficiency benefits of agents, we have to allow them to do more. And this goes back to root identity that you brought up. This goes back to permissions. What is this agent able to do? And also guardrails. How do you put essentially guardrail safety belts around this machine to make sure that it doesn't just go rogue and start charging people?
John Furrier
>> Yeah, exactly. All right. So the market is hot. We just laid that out. Let's talk about the business side of it, your business model. Obviously, password and authentication, access with credentials, clearly the top area, and I would consider the top area in my opinion. What's your view inside the organization? How are you guys engaging? Take us through a day in the life of 1Password. What's going on inside your customer and how are you guys engaging and what are some of their challenges?
>> Absolutely. So let's bring up actually a near term example. So a couple days ago, we just announced a public preview of our Unified Access managed credentials capability. Why that's important. So if you think about all of your applications behind SSO, well, great, they're protected. With that said, there's a growing class of applications that are not behind SSO for a variety of reasons, whether it's cost or simply the application itself does not support SSO. So how do you remain protected? Let's use X. X is a great example of an application that is not behind SSO. And so if you have a X account at the organization level, you have a set of credentials that logs you into that X account. Who owns that? Who manages that? Is that the social media team, marketing team? Is it a single person? What if that person leaves the company? This is why this is so important to secure those credentials. And so this is what we often hear from our customers is that they see us as being that single source provider of credentials across, let's say, SSO'd apps, non SSO'd apps, as well-
John Furrier
>> So is X the customer?
>> Well, we're actually working with quite a few AI companies.
John Furrier
>> So I didn't know they weren't SSO. So you're seeing they have sharing of accounts.
>> Yes, exactly.
John Furrier
>> And the benefit is what? Explain the benefit of having that. Because if someone leaves-
>> Exactly...
John Furrier
>> it's not tied to an email account or phone number. Or it kind of is, but it's not bounded. Is that right?
>> Yeah, exactly. So this becomes our definition of admin managed credentials at the organization level. So let's say for theCUBE. You probably have a single account that you're doing daily tweets on. The credentials for that, I'm sure it's very sensitive. You don't want just anyone going on there and saying, "John endorsed ..."
John Furrier
>> Jim is always asking for access. I think I gave it to him, but it's a nightmare for me because now I have to manage admin and be great if someone else could manage it.
>> Exactly. And that could be managed at the company level. And so through the company's 1Password account and at the admin level, only the admin sees those credentials. And so let's say if you're someone on theCUBE's marketing team, we'll simply just autofill those credentials when you're on the X website and you'll never have to see them. You don't have to worry about them as the employee. And so this is where the separation of usability, also admin control comes into play. And this actually represents quite a bit of what we're hearing from our enterprise customers.
John Furrier
>> All right. Say I'm sold on this. Okay, Nancy, tell me what to do. What's the playbook? How do I roll this out? What's the take? Is it a huge transformation project? I want to have really strong identity. I want to have all kinds of multifactor authentication. I want biometrics. Let's say I want it all. What do I do? Take me through the progression.
>> Sure. So I would say the easiest way to describe this is the right user has access to the right application on the right device. And so if you think about the product portfolio of 1Password today, the right user, well, that comes from our enterprise password manager and our most secure encrypted vaults. And I can go to all the nerd math behind that of cryptographic proof of power.
John Furrier
>> There's a lot of math proof involved.
>> Exactly. Zero knowledge. We don't even see credentials ever. To the right application. And recently we made an acquisition about 12 months ago, this company called Trelica, now SaaS Manager. That tells you what applications your employees within an organization are accessing, how often they're accessing. And then also the device footprint. And why that really matters is, if we think about where AI used today. If you, for example, build applications using Cursor, that's on your local laptop. A lot of work now happens on the endpoint. And by the way, the browser is also a form of the endpoint. And so with this other company we have also acquired, now renamed Device Trust, we have visibility into what's happening on your local machine. Also through our browser extension, we know what's happening in your browser at any given point in time.
John Furrier
>> You're really nailing it. It's right into our wheelhouse. One of the things I'm going to be talking about at MWC this year is a thesis I'm putting out called the Hyper Converged Edge. And the thesis also is AI factories will live at the edge. It could be a small box like this size from NVIDIA, but plugs in, turns the radius into a mesh, collapsing license and unlicensed spectrum. That would give untethered access to the network. Okay. What that means is I could just get in and get ethernet backhaul. So what that means is I might be able to go across the network to my home PC, come into my apartment via spectrum here in New York, and go look what's in my inbox on my PC or go to the cloud. So all of these contextual identity based decisions that were once regulated to hit the database, what part of the network are you on? Is it the app? So you're starting to see the blending of identity crossing these sacred thresholds that were, in tech, were like, "Whoa, whoa, whoa, not my system."
>> Exactly.
John Furrier
>> Or I could be a business user on AT&T, go into a business environment and be a user and go to Nordstrom's, but see different things. AI will help us there. Do you agree with that premise?
>> Yeah, for sure. I think AI is going to, well, first exacerbate, probably, the problem and then help us solve that problem. And in terms of exacerbating, well, in fact, I was just speaking with a founder of a network security company where actually their thesis is largely also a lot more activity is going to happen on the endpoint. And so the traditional gateway method of blocking specific URLs may no longer be sufficient in protecting the endpoint and protecting employees. And so this is where AI could also help in the sense that it can correlate so much more signals than a human brain can to determine what is malicious, what is not malicious, and something that we're also hearing more from our customers, which is insider risk. Again, going back to the problem of someone assuming your identity and then doing all the things that John Furrier would do.
John Furrier
>> All right, so I have to ask you a tech question or a nerd question, but I think this will feed into the data side of your background. The more data you get, the better AI gets. So if you have 1Password, I'm imagining as you get more signaling of user behavior, whether it's observability data or actual network traffic, whatever you're getting, does it make it smarter? How do you see that? What's your vision around, as the tech deploys ... I mean, distributed computing in a heterogeneous environment throws off a lot of content and data.
>> Absolutely. Data should make us smarter. Now, with a strong caveat, and my engineering team would appreciate me talking about this, which is we take our users' privacy and trust extremely seriously. Which means that as we're then taking telemetry of what sites they're accessing, what they're accessing with, there's this huge separation of control going back to what we talked about earlier, which is we never look at your credentials as 1Password. So then how do we know your suspicious login activity or be able to monitor your security health score, which is a feature that many of our customers use and like within our 1Password Watchtower, for example.
John Furrier
>> On the question of scale, so it comes up a lot on a lot of these pilots experiments, you're starting to see stuff roll into production, cloud native conversion with AI native. What are the blockers to scaling the AI with 1Password or that you guys help? Because we hear a lot, I got it in production, but I'm going to then scale it across, but then it's a scalable technology. How do you guys see you guys participating and accelerating scaling out AI?
>> Yeah. So if we can be that central trust layer, goes back to trust. Do you trust your agent fundamentally? Do you trust that your agent is going to do the right thing if you give it sensitive credentials? And so if we can be that backer of that trust for that agent, then we can have an amazing, for example, role in helping companies scale out their agent fleets.
John Furrier
>> Nancy, I have to ask a final question, personal question. Been following your career since you've been last on theCUBE. You're back in an operating role. What's it like? And why? What was it about 1Password that attracted you to that role and what's it like now in this market?
>> Yeah. Well, when I first started talking to the 1Password team, we were still thinking about AI as largely chatbots or voice agents. Now, of course, it's so much more. But even back then. My fundamental thesis is identity is the most important problem we can be solving this decade to really realize the effectiveness or efficiency gains from automaton. And so what better to solve it with than a company that has such a strong track record in trust and privacy with human users, and now we have that ability, opportunity to extend that to machines and AI agents.
John Furrier
>> Put the plug in for the company. If you could share the key value proposition or what people should know about 1Password. Again, you guys are a finalist in the Tech Awards, TechForward Awards with SiliconANGLE. Congratulations. Obviously doing well, you got a great tech solution. What should people know about 1Password? Why? What's the value?
>> We are the enablers of a safer, more simpler digital security.
John Furrier
>> Well, thanks for coming on our cyber series of leaders.
>> Yeah. Happy-
John Furrier
>> Great to see you. Again, identity is at the center of the value proposition because that's the keys to the kingdom. It connects the compliance, it connects the scale, it connects to the AI growth and agents. And as physical and digital come together, our identities will span across and up and down the stack. Of course, we're doing our part to bring you the action here on theCUBE. I'm John Furrier, the host of theCUBE. Thanks for watching.
>> Thanks so much for having me.