Screaming in the Cloud - Managing Access in Cloud Made Easy with Liz Zalman
Episode Date: November 17, 2020About Liz ZalmanLiz Zalman is the Co-Founder & CEO of strongDM. Previously she was Co-Founder and CEO of the cross-device profile company Media Armor. After its acquisition, she served as... VP of Analytics at the acquirer, Nomi. With over 15 years of experience leading data-driven organizations, she is an expert in analytics, data privacy, and security.Links ReferencedstrongDMConnect with Liz on LinkedIn
Transcript
Discussion (0)
Hello and welcome to Screaming in the Cloud with your host, cloud economist Corey Quinn.
This weekly show features conversations with people doing interesting work in the world
of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles
for which Corey refuses to apologize.
This is Screaming in the Cloud.
You've got an incredibly complex architecture. This is Screaming in the Cloud. that's simple and straightforward. No more counting hosts. You can get one user and 100 gigabytes per month totally free. Check it out at Norelic.com. Observability made simple.
This episode has been sponsored in part by our friends at Veeam. Are you tired of juggling the cost of AWS backups and recovery with your SLAs? Quit thecus Act and check out Veeam. Their AWS backup and recovery
solution is made to save you money, not that that's the primary goal, mind you, while also
protecting your data properly. They're letting you protect 10 instances for free with no time limits,
so test it out now. You can even find them on the AWS marketplace at snark.cloud slash back it up.
Wait, did I just endorse something on the AWS marketplace? Wonder of wonders I did. Look,
you don't care about backups. You care about restores. And despite the fact that multi-cloud's
a dumb strategy, it's also a realistic reality. So make sure that you're backing up data from
everywhere with a single unified point of view.
Check them out at snark.cloud slash back it up.
Welcome to Screaming in the Cloud. I'm Corey Quinn.
I'm joined this week by Liz Zalman, the co-founder and CEO of a company called StrongDM.
Liz, welcome to the show.
Thanks, Corey.
So let's start at the beginning.
What is a Strong DM? It sounds like something that involves a little bit too much salty language on Twitter when I want to speak to someone privately, but I'm guessing that's not it. That's not it.
And in fact, there is an ongoing lottery as to what the DM actually stands for. The current
winner is something called Dragon Matrix.
Oh, I like that. Or you go with the test environment called Salty DM or something
like that. It'll just go super well because no one will ever get the wrong idea. So what is it
really? StrongDM is a proxy and it enables DevOps teams to both manage and audit access
to infrastructure. And infrastructure could be
servers or databases or Kubernetes clusters or web apps or the cloud drivers themselves.
So back in the dark ages, when I was a grumpy Unix systems administrator, because it's not like
there's another kind of Unix systems administrator out there, I found that all of my access control
for infrastructure was gated by VPNs in a somewhat traditional environment. You'd have these
fleets of data centers, and then there would be a VPN server, and if you're
really clever about it, a backup VPN server, and people would connect to that when they needed
access for things. I haven't gone deep into that world since I moved
to cloud, making all of security someone else's problem to worry about.
Or at least that's what the brand marketing tells me. I haven't had to think about it since. What's changed?
So I think a lot has changed. I think a lot has still stayed the same simply because
traditional security hasn't necessarily been sort of reimagined. So many of our customers today
still have VPNs in place. But even if you have it, it's not enough. The
analogy that I like to give there is a banking one, right? Like a bank doesn't just lock its
front door. That would be the equivalent of a VPN, getting you onto some sort of a network.
There's also a bank vault, and then there's also security cameras to see what somebody's doing.
So VPNs are good, but they don't tell the entire story.
It also didn't work well with cloud in any reasonable way. Because back when I was doing
this, I would go on the AWS marketplace and spin up the open VPN appliance that was managed by hand.
It didn't cost a whole heck of a lot. And I just kept that thing as its own beautiful hand-configured
unicorn there. And after I got out of managing infrastructure, AWS finally looked at this
and saw the real problem with it that they then solved.
Namely, no one was paying AWS by the hour for this thing.
So they launched the AWS Client VPN,
which sounds like, oh good,
a managed service that's slightly less hand-configured,
more expensive,
but it still feels like the exact same approach
and exact same technology.
You're talking about something different.
Where's the delineation?
Yeah, totally.
And you can do that in AWS,
but who are the people who are actually sitting there
in the console spinning it up?
But if you zoom out,
infrastructure access used to be managed
by somebody walking into an office
and sitting on the corporate network.
And there were only a few people
that had access to that SQL server,
Oracle monolith sitting next to you or in the colo down the street.
And those boxes had Active Directory sitting on top of it.
And I think to your point, there were sysadmins managing that.
And then cloud came and you all of a sudden had a proliferation of systems, of database management systems, of server operating systems.
Kubernetes came into being in production workloads, what, 18 months ago now?
And then you have CLI interfaces for the clouds themselves.
And if you zoom out, you have now an entirely distributed workforce.
You have lots of people who need access to lots of things sitting in lots of different places.
And you actually need to sit there and say, okay, how do I actually manage access to this? Well, I can tell you AD doesn't speak Druid,
right? And Okta certainly doesn't directly speak to Sybase. And so what do you do?
You have to think about how you get people access to the systems that they need
in the fashion in which they need it. And it needs to be done in an easy, seamless way because
security is known for
spending a ridiculous amount of money on shelfware. Why does it become shelfware? Because it's so
freaking hard to deploy. It feels to me like there's a delineation somewhere. And you see this
at, I guess, most startups, even some of the unicorns that have come out of the world, where
there was a certain point in time, and this is sort of, it feels like company archaeology, where you look
at their office networks. And before a certain point, they had all their on-premises data closets
running all the local stuff. And then at some point, there's a shift where, so what do you have
at your local office network? Wi-Fi access points and maybe a printer, and that's usually it,
give or take. There's no privileged position for being on that network.
It almost forces a rethinking of what it means to get access into an environment.
You're no longer granted that access based upon what network you happen to be on, but rather who you are.
As they say, identity is the new perimeter.
Is that aligned with how you see the world, or is there still a giant missing piece? No, I couldn't agree with you more. There's getting access to the network itself,
and then there's getting access to the things that you actually need access to, and to your
point at the specific role or permission level that you need it. And then all of that has to
be done with an ability to sort of make sure nothing bad is going on, right? Having that
audit log if you need it. So that's exactly right.
We had a customer sign up with us once and they're in France actually.
And I believe they launched
and when they started with us,
they had 17 different VPNs.
That's how they were controlling network ingress.
Oh, and I've walked around the RSA Expo Hall floor
and it's clear that the answer is you need a 19th VPN.
And I would love to sell it to you.
Yes. People want to sell it to you. Yes.
People want to throw that VPN out.
They want to be able to essentially dispense with that layer
and just create that essentially a point-to-point network, right?
If it's based upon who you are identity,
Liz needs access to this particular server with non-sudo privileges.
How do we create that connection in a secure way?
So a dedicated circuit vendor just heard part of what you said
and made cash register noises with their mouth.
But that's not feasible for how people work with internet technologies these days.
Well, I think it is feasible.
That's why we started the company.
Running dedicated circuits everywhere just isn't feasible
the way that most people use the internet these days,
unless you have, you know, Google level of money.
That is true.
And I think even Google has had challenges with taking, I mean,
what is the encore, right? It's a series of white papers and research papers into how you might
create zero trust at scale. And yet how many people have actually implemented that commercially?
Google certainly hasn't.
Oh, what's amazing is you see this at conferences all the time where people get up and talk about
what they're doing at their companies.
And you're like, wow, my environment's crap.
I wish I could build something like that.
And the person next to you says, yeah, me too.
And you look at their badge and they work at the same company as the speaker.
It's conference wear.
It isn't real.
Every time I see something like, this is how Netflix does the DevOps or whatever it is that they're trying to do this week.
Yeah, and some groups and some teams, absolutely. But every environment is a burning tire fire of sadness
and regret. The only question is how honest people are going to be about that. It's true. We've had,
I mean, and especially getting a larger enterprises, the number of times I've heard,
we're using X and then you get into the conversation and there's a team to get X
implemented, whatever X might be, but they're
three years away from instantiating that. It's nuts. When people say they have a 10-year plan
to migrate to the cloud, I mean, they mean it. Oh, absolutely. One of my first jobs was working
in a university. And this was, oh, I want to say back in 2006. One of the projects I worked on the
year I was there was a wireless deployment with an eye toward getting it finally completed
sometime between 2010 and 2012.
And I'm staring at this going,
that is so far future out there.
We may not even have universities by then.
That's 2010, that's years away.
I developed something of a sense of patience since then,
but these multi-year rollouts
that seem so set in stone with a vision
that is clearly built on technologies that are still shifting and evolving and improving,
it just doesn't seem like the right path. But there's almost a level of ossification beyond
a certain point of scale where it's hard to do anything else. It's true. You know, I wonder if
you put yourselves in the shoes of the, you know, what are they? They're in innovation departments.
I mean, you have very, very, very smart people sitting in these departments and you wonder
how much they're actually able to get pushed through.
I started off as an analyst.
It was my very first job at a school.
And I was talking to my boss, who was the head of analytics.
And he said, think about what you want your next step to be because analytics has a tendency to be all
of the power and none of the responsibility. You can just put a report in front of people
and say, here's the answer, and you decide what to do. Or you can really have a hand in the outcome,
which, right, it's the same thing as consulting. And I see that tendency in innovation arms as well,
where these people are so smart and so forward thinking. And yet, to your point about ossification, can they actually go and get these changes recommended
and done in a timeframe that makes sense, right? Technology is always changing. And so what happens
in one year? Is it already now out of style? Or is there something better? Let's get a little bit
more into specifics. Let's say I go to strongdm.com. I go to your buy page. I order one
and put in my credit card information. Would I like it? Gift wrap. Absolutely. Yay. Free two-day
shipping. It shows up. I take it out of the box. What do I do with it from there? That may not be
how SaaS products get sold, but I'm still fairly old-fashioned. What happens next? What is my user
experience going through it? And what problem is it solving? That, as you said, and we've all said that VPNs don't solve problems.
What problem does this solve? How is life better now that I bought StrongDM?
You as a buyer, your problem is that you are managing access to infrastructure by hand.
Your default state is to essentially like Terraform, right? Infrastructure is code.
And you want to be able to encode access as well. And you can't do it today. So that is the gap that we're trying to close for administrators.
You should be able to hire somebody, and they should immediately get access to the things that
they need to do their job from a least privileged perspective. As a user, you should be able to
connect to the things that you need, and to not have to things that you need and to not have to change your workflow
and to not have to have friction and to not have to call your it test and say wtf this is breaking
or why can't i get onto the vpn or why is this timing out you should just be able to connect to
things and then the people who are administering it you should be able to get this up really
quickly our metric of success internally is how long does it take you to be able to get this up really quickly. Our metric of success internally is how
long does it take you to get greenlit? And greenlit means you get a gateway up. It's the entry point
to your network. You register a database or server or whatever you want to test connecting to,
and then you make that connection happen. I think the record is something like just under five
minutes. We want you to feel the possibility of what it could be without the VPN and without
the traditional methods or scripts that you've held together today. What if it could be something
different? I want you to feel that answer as quickly as possible. So it effectively unifies
SSO secure network access and a single point of provisioning. Yeah. Is that roughly equivalent?
That's exactly right.
Delegate authentication to your SSO or identity provider.
Create a secure tunnel between you
and the thing you're trying to get access to.
Never have credentials on the end user's workstation
and get them connected.
You have it exactly right, Corey.
Excellent.
So you wind up integrating with, according to your site,
a whole bunch of different technologies,
a bunch of different AWS services. You call out databases explicitly, but sadly, not my favorite database, Route 53. But you do wind up talking about a bunch of different, I and the rest. Is this really done as a item-by-item process
as far as getting it hooked up
to each one of the data stores and systems
that the company needs people to be able to access?
Or does it wind up instead being something
that lends itself to a more unified rollout process?
Because, oh, we'll give you a free proof-of-concept rollout.
Great, that's going to take me eight months of engineering time.
And once I've done that, I may as well buy it because whatever you're charging me is tiny
compared to what it cost me in engineering time. What is the rollout process and how does that look
for existing environments in our greenfield? Yep. It is easy. You either buy the product or
you don't. I'm not incentivized for you to do more or less. Oh, it's a per user per month chart.
That's kind of amazing. It's the exact opposite of an AWS billing model.
That's correct.
It is literally one price fits all.
You buy it or you don't buy it.
Everything is included.
I just went through a procurement process
with an unnamed CRM.
And I have to tell you,
I don't even know how these companies sell money.
I don't want to sit through a PowerPoint.
I want to try it on.
I want to make sure it fits my use cases.
And I want to click on the button to buy. What I think that a lot of SaaS companies completely miss is how their products or services
get tested out. If I'm trying something new and you've made a product that solves my problem,
very often because I am who I am, I'm having a sleepless night. It's two in the morning. I'm
trying to build something and see if it works as a proof of concept. And if I need to talk to a sales team
before I can ever get it involved in my environment at all,
well, you don't generally have salespeople around at 2 a.m.
I'm certainly not going to want to have a conversation then.
I'm probably going to look elsewhere.
But wow, that was easy.
The onboarding story where I can set this up
in my ridiculous twitterforpets.com
proof of concept environment.
Okay, this works.
Now I can start expanding beyond that. And okay, yeah, we're a giant company. Now it's time to do
the enterprise sales dance. But there's something about self-service that I think a lot of companies
miss out on. And it's particularly important for this buyer. Infrastructure or DevOps, I mean,
this is a closed-door community.
They have been playing Minecraft and beer pong
with their buddies,
the same buddies they've had for 30 years.
They're sitting in closed-door Slack communities.
They trade tips and tools and secrets,
and they only listen to their peer group.
They don't want any sales bullshit.
To exactly your point,
they want to click on the button,
they want to try it on,
and they are going to decide what makes sense for them. That's it. And we should honor that,
and that's what we've tried to honor. Out of curiosity, one of the things that I notice
that you emphasize specifically on what it is that you integrate with, you're all over the map. You
have things like different versions of Linux, different AWS services, but you have a particular
affinity for calling out specific databases.
Why is that? I don't want to replace or change anything that you're already buying today. So
going back to the SSO or identity provider, you've already decided that Active Directory is your IDP
of choice. Great. We're going to integrate with that. You have already purchased Sumo Logic or
Splunk. Wonderful. Here's a button you can click to send your logs to that. You have already purchased Sumo Logic or Splunk. Wonderful.
Here's a button you can click to send your logs to them.
You already use Duo for MFA.
Great.
Here's how you connect Duo.
So at the end of the day, Strong is designed, I think if I zoom out, to be an infrastructure API, right?
I want to control network access and I want to be able to introspect as to what's happening
to provide you with an audit trail, layer three and layer seven. We need to be able to natively support every single thing that you're
using today. So Strong is the only company that supports databases natively. There's no other one.
You can go to other places perhaps for SSH or RDP, but then you're just buying a point solution.
So the vast majority of companies today have old legacy stuff, Oracle, Sybase.
We just built Teradata, DB2.
And then they also have Memcache.
And they're also using Kubernetes in production.
And so you have to honor where people are at, which is they've got a hodgepodge of stuff.
And they want something which manages access to all of that stuff seamlessly.
That's what we've tried to honor as we've built the system. ridiculous by trying to throw everything at a wall and see what sticks. Their pricing winds up being a lot more transparent, not to mention lower. Their performance kicks the crap out of
most other things in this space, and my personal favorite, whenever you call them for support,
you'll get a human who's empowered to fix whatever it is that's giving you trouble.
Visit linode.com slash screaminginthecloud to learn more and get $100 in credit to kick the tires.
That's linode.com slash screaming in the cloud.
There's really something to be said for meeting customers where they are.
That's something a lot of products seem to miss, especially around the identity story, where it's, oh, you've been using your AWS account for ages. Great. Take out all of those IAM users
and use this thing instead
that is going to force a complete rethink
of how every single system
that does anything approaching provisioning
interacts with the environment.
Step two, it's one of those incredible
boil the ocean style of stories.
And God, I hate that phrase,
but I'm still using it anyway.
It feels like it is almost insurmountable. I look at how I set up my own AWS environment four years ago, and I'm looking at it,
and I put my hands on my hips, and I survey the landscape, and I say, yep, absolutely. This is
trash. What was I thinking? But I'm stuck with it because migrating to a new form of management
across multiple AWS accounts is incredibly daunting. How do you get around that
problem? Because if you don't have it, I know that because when I was doing homework for the show,
no one I spoke to wound up complaining about the onboarding. So you've clearly
solved for this problem somehow. So I think the thing is how much of a pain in the ass is it today
for the person who's managing that access? You know, I remember getting off, I got off the plane once in SFO and there was a beautiful, there was a new ad campaign
that Redis had launched. And the ad campaign said, you know, I love my slow database, said nobody
ever. It's like they've never heard of blockchain people. Please continue. And with infrastructure,
I have never heard anybody say, I love AWS's IAM. AWS is not incentivized to make IAM easy.
And even if you're using it, you're using other things that don't speak IAM, or you're on GCP,
or you have owned and operated data centers. And so the person who's managing access,
their fingers are bleeding. They selfishly want to get out of this space. And so if they see a
way to do that, to ease the pain, the switching
cost almost becomes irrelevant because they get connected and they're like, oh my God, there is a
better way. And I can see the other side. I see the light at the end of the tunnel.
One question I do have for you, this is more of a business ownership perspective.
On strongdm.com, toward the bottom of the page, there's basically a whole
section that says, and yes, you can throw out the VPN. And then there's a button with a trash can
on it and then it's labeled Trash VPN. Now, to my understanding, Trash VPN is a Cisco product.
How did you get permission to use their branding on your website?
Did you click the button?
I did. And it is amazing. And I encourage everyone listening to this
to click that button.
It is absolutely phenomenal.
Cisco, need not listen to this episode.
Right.
We were designing it and we were spitballing
and I don't remember who said what.
So I was like, wait a second,
can we actually put a trash can there?
And then it animated and it was glorious.
Oh, and then there's an emoji.
If you click it, it has a hidden Easter egg.
You need to look at this website, folks.
This is worth looking into.
When you deploy a StrongDM gateway,
the gateway is the entry point to your network,
and you can give it a DNS entry,
make it publicly available,
or you can put it on the corporate network,
or you can put it behind a VPN.
It deploys however you want.
In roughly half of the cases,
people end up asking,
well, can I just get rid of the VPN thing? Because the only reason why I had the VPN was to get into the network access itself for infrastructure, and this kind of does the same job.
So they just end up connecting the dots.
There's no line item for a VPN, right?
I don't have a line item in my budget.
It's free.
They're shitty, and they're free.
So we don't sell like that, but it's a conclusion that people come to on their own, which is why we put that in.
It's phenomenal. So other things that have come up when I was doing homework for this show,
which is kind of awesome. I don't think I've ever found anything quite this incriminating.
So we're going to go with it anyway and see if it survives editing. When you were 28 years old, you tried to become a tennis pro
and you lost your first and only match in 20 minutes,
which is a great story in its own right,
but more to the point,
I did things when I was 28,
where when I got married,
I took a new last name in order to bury it.
You are actively open about this.
So first, talk about being a tennis pro. And secondly,
why would you, I guess, not do everything in your considerable power to make sure that that story
never saw the light of day? Because I'm not afraid to embarrass myself. I'll answer the second
question first. I think life is nothing but relationships and experiences. And f**k it,
if I'm going to fail, it doesn't matter. I want it
known that I had that experience. I'm proud of it. Anyways, I was in Chicago. I didn't have any
friends to give background on the story to listeners. And so I decided to join tennis.
I'd played in eighth grade and never picked up a racket again. And I was like, man, I love this.
And then somehow I was spitballing one day and I was like, oh my God, you can actually go and register for a qualifying tournament. The prize was $10,000 if you won,
and it was essentially free to enter. And there was one in Atlanta. So I flew down to Atlanta,
a friend of mine lived there and, and I entered the tournament and I showed up having never done
this before. And I was wearing what I would normally wear when I played tennis, which was
a redx hat.
I grew up in Boston. And I get on the court for this match. And the referee comes up to me or the umpire. See, I don't even know what they're called. And she says, hey, you can't wear that
hat. And I said, why not? And she said, because it's branded with a logo, you can only wear the
logo of a company or entity that sponsors you. I'm already getting angry just listening to that
story. I know, and I didn't have another hat with me. And so the salesperson in me retorts,
well, how do you know the Red Sox aren't my sponsor? Amazing. Oh, that's fine. They can be,
but they haven't sponsored us. You've got to pay our fee. It's like the reInvent Expo Hall.
That's right, right? Paid a brand at eye level.
There's something to be said, though, in seriousness,
about embracing failure,
and especially once you, for better or worse,
become something of a role model.
And like it or not,
you started and founded multiple successful companies.
Sorry, you're a role model.
Some of us look up to you.
There's something to be said about being very open and transparent about failures,
because everyone fails, and people don't talk about it nearly enough. So when people fail,
as they invariably do, they start to worry that it's just them and it's not.
I agree. I think on interviews, I'm going to not answer the, are you a role model thing,
but that wasn't a question. That was a statement. Like it or not, you've got to deal with it.
Oh, man.
On interviews, I get asked,
what's your vision for the company?
What's your exit strategy?
Tell me what we're going to be like in five years.
And the answer that I give is I have no idea, right?
Companies get bought, they don't get sold. We had two customers who were supposed to IPO this year.
One couldn't do it because they
were in residential construction and that got killed. And the other is effectively out of
business because they were in retail. And so I can't control anything. The things that I can
control are building a company, building a product that people want to pay at least $1 for and doing
so at scale. And then based upon that, you get the ability to
have outcomes. And so what I end up saying is I will speak openly and honestly about successes
and failures. Everybody at the company knows when we gain a customer, when we lose a customer,
when we have a huge win, when we have a major loss, how much revenue we're making.
Having been a part of a team in a startup before, I want to actually see
the fruits of my labor and I want transparency in what's happening. Don't sugarcoat it.
Don't ever bring me bad news. Cool. I'll hide the thing you really need to know. It's moronic.
Corey, it's funny. My last company that I ended up selling, actually,
we were running out of money and we weren't sure if we were going to pull an acquisition over the
finish line. And I remember all the advice that I got from investors was sit down and tell the
truth. And I was terrified. My hands were shaking. And I sat the team down and I said,
we have two weeks of cash. I want you to stop working. And I want you to start looking for
another job. And I'm going to bend over backwards to get you another job. And the team sat there
and then one of them picked up their heads and says,
are you done speaking?
Can we get back to work now?
That says a lot.
Either they really believe in you, or they are freaking terrified.
One way or the other.
We'll take the charitable interpretation instead.
But no, in seriousness, that is, it took me a long time to be convinced
to go beyond just being an independent consultant,
because it terrified me to have other people's welfare resting on me. And I still don't know if I'll ever get used to
it or not. It's scary. Yeah. I mean, you put food on people's table and the same thing in
interviewing. So many people this year have lost their jobs and you're on the phone with them. And
I, it's just people at the end of the day and relationships and empathy.
Everybody is fighting a battle and you may or may not know what battle they're fighting.
And it's a scary position to be in.
And it's one that's very humbling.
Yeah, they say it's lonely at the top.
It's not because so few people make it.
It's because it's a different class of problem.
You can't talk too openly in too many fora
about these sorts of things with just anyone,
because until people have walked this path to some level themselves,
they don't experience it or live it nearly as viscerally.
It's a lonely road in some ways.
Thank goodness for co-founders.
I am in awe of people who start companies as solo founders.
God, yes.
I took on a business partner after two years of doing this,
and that was the tipping point. When Mike came aboard, suddenly, I wasn't alone anymore.
I could talk to people about NDA-ed things without, you know, breaking contracts. So,
it was nice to actually be able to vent to someone and talk through things and have the support.
It's the hardest part of business running, in my experience, has been managing my own psychology.
I agree with that.
I want to thank you for taking the time to speak with me.
If people want to learn more about you and what you're up to and what your company does and exactly how strong your DM is, where can they find you?
It's www.strongdm, that's D as in David, M as in Mary.com, not BM, like the toilet.
Excellent.
Thanks once again for taking the time to speak with me.
We'll throw links to that in the show notes while being careful of spelling and pronunciation.
Thank you, Corey.
Of course.
Liz Zalman, co-founder and CEO of Strong DM.
I'm cloud economist Corey Quinn, and this is Screaming in the Cloud.
If you've enjoyed this
podcast, please leave a five-star review on your podcast app of choice. Whereas if you've hated
this podcast, please leave a five-star review on your podcast app of choice, along with a story
about how you could have been a tennis pro but chose not to do it. This has been this week's
episode of Screaming in the Cloud. You can also find more Corey at screaminginthecloud.com or wherever Fine Snark is sold.
This has been a HumblePod production.
Stay humble.