Storage Unpacked Podcast - Storage Unpacked 263 – The HYCU State of SaaS Data Resilience Report 2024
Episode Date: November 4, 2024
In this recording, Chris talks to Subbiah Sundaram, SVP of Products at HYCU, Inc. about the 2024 edition of the HYCU State of SaaS Resilience Report. The report surveys customers to understand the gaps in perceived and actual data protection for SaaS platforms and the results are quite surprising.
Transcript
This is Chris Evans and today I'm joined by Subbiah Sundaram from HYCU. Subbiah, how are you?
Doing great, Chris. As always, talking with you is a pleasure.
We're going to talk about SaaS. Funny enough, again, we talked about SaaS before, but we're
going to talk about it in a very specific context and that's relating to your report that you
published just a little while ago. But before we do that, I believe we've got an award to talk
about that you received not that long ago, or at
least recognition of your company. What was that one?
Great question. And it's the Gartner Magic
Quadrant. You know, for the third year in a row, HYCU has been recognized as a visionary in the
Gartner Magic Quadrant. People ask us, so why are we excited about it? You know, as a young company
who's trying to solve the next generation problem, not the past, but where customers are headed.
And look at what problems customers are having today and where they are headed.
That's something exciting to us.
And that's what a visionary is supposed to do.
And we are very happy Gartner recognized as a visionary.
And that's what makes it exciting.
Excellent.
And one of the things that you're definitely visionary for
is your approach to SaaS.
We've seen the way that you've approached it differently
and I don't want to sort of drag over the history of that
because we've done that in podcasts before,
but basically you have a, I would say,
unique way of looking at how to address the SaaS issue
and onboarding of SaaS.
I'll put links to all of that in the show notes
so people can go and find those
previous podcasts. So that's definitely where I think you're focused in terms of your uniqueness.
And obviously, as part of that, you've gone off and you've produced this SaaS Resilience Report.
Would you like to just very briefly tell us what it is and, you know, what it contains and what
it's about?
Sure, Chris. You know, I want to probably take a step back and give a broader
context for listeners who are actually listening in, right?
The key thing is that, you know, in the world, I'll start with an analogy, real experience, right?
I was talking to a friend of mine and asking him how many, who's a CIO for a company, asking him, hey, how many SaaS do you use?
This initial reaction to him was like, oh, I use like probably five.
I said, wow, you must have really
controlled your organization. Then by the time within five minutes of our conversation, he
remembered at least 13 other SaaS he remembered. Just on the top of his mind, he was rattling off.
That is the problem people have. In the world today, there are over 35,000 SaaS applications.
And so essentially the data is there. What we realized was we were
telling customers, guys, you have to look at this problem and you have to address it. Then we said,
you know what, instead of us telling, let's ask real customers what pain they have had
and let them tell about it. That's why what we did was we actually ran a survey of the entire
landscape. We talked to about, we had a survey with about 400 customers
across the cross section
from industry perspective,
as well as from different parts of the world.
Because the whole idea
of what we wanted to do
was get a true reflection
of what customers are seeing.
And that's what the SaaS report is.
I encourage everybody
to at least glance through it
and see, does it relate to you?
Because when we showed it to customers, they said, oh my God, yes, it's same as mine.
It's like, that's something I want people to have a look at it.
Okay.
Now, from the SaaS perspective, just looking at it from the way I've seen it over the last few years,
it's really interesting that I've not really thought about it until, you know,
you'd started talking about how you're protecting SaaS.
But I use things like Notion quite heavily.
I know you do Notion as a protection environment.
I think a lot of people use things like Office 365,
but there are so many little smaller components.
You know, in a certain industry vertical,
you might have a particular platform that serves your industry,
or you might be generic.
And like, if you're a developer, for instance,
you might use one of the tools to do sort of Kanban tracking,
or you might use it for online accounting of your time, you know, recording your time and things like that. And I think that
the thing that for me has become more interesting is how SaaS has become ingrained in business
process, you know, now that people, without even realizing it, suddenly it's become part of their
day, it's become part of their process, and if you didn't have it, you would have a real problem. And,
you know, if you're in a regulated industry, that's even more of an issue. SaaS has become really quite critical
for a lot of businesses, I think.
Totally. I just want to add to what you were saying, Chris.
It would be surprising: people spend over 70 percent of the time today in a traditional
enterprise in a SaaS. So that's where all the active data, over 70% of the time, sounds crazy,
right? But that's what it is. So people, it's the data is, that's where a lot of information is
going, a lot of inner data, that's why we want to actually do this survey.
Yeah, 70% is a big
number. So that's definitely something that makes you then think, you know, you need to be aware of
what the issues are. So what did you find from this report? What were the headlines that you found within this report? The first thing I'll probably tell you,
Chris, very lot of interesting findings. The first one I probably will tell you is that,
as I said earlier in the example, a lot of customers underestimate. What we realized was
people underestimate the number of SaaS they have by 10x on an average, right? Because we ask people, how many SaaS do you have?
They said 22 was the average number, right?
And on average, customers have over 200
in the spectrum of things what people actually do.
People don't recognize a lot of them are SaaS.
For example, I'll tell you this,
Simon Taylor, our CEO, tells us this thing.
He was talking to a CIO.
He said, oh, we don't use SaaS much
because we're all on-prem.
But then a simple question, do you use O365? Oh, yeah, yeah. That's one app
we use. Do you guys use DocuSign?
Yeah, that's only for legal, okay?
Do you use HR? HR, what do you do? Do you use ADP? There are a bunch of other
things. Oh, yeah, yeah, we do. So things like that, right? These are things which we don't
consciously think of, but it is something part of our business process there. So that's a challenge. And I think
people underestimate quite a bit. The main reason we also see this, Chris, is that predominantly
in the prior, in the world when all the data was controlled by IT, life was much more cleaner,
right? Because IT could actually see, they know exactly what applications are deployed,
where it's deployed, things like that. And they had a great insight into it. Whereas
right now, the challenge is for them, all these ads are being created by lots of different users
in the organization by different departments. That's why they sometimes underestimate,
and this is a big challenge for a lot of people today. So that was the first interesting finding
I would probably say. Yeah. The second thing I probably would have just gone to continue on that particular one, Chris, is that people underestimate, as it goes back to the point I talked about IT, right?
IT assumes that they still control it because that's the traditional model they've actually, because when they think in terms of what are you protecting, they think in terms of what they own because what they manage is what they believe.
So this is one of the interesting thing
was like 71% of the people
underestimated the SaaS usage outside of IT.
They ask, hey, what do other people use?
They underestimate it.
People say, so sometime when I talk to people,
they say, so what's the problem?
So it's not a big deal.
The challenge is that
it is not about the underestimation.
It's about the data being somewhere else
and is it protected or not, right?
That's the fundamental thing.
Because the end user, let's say you're a marketing admin,
marketing ops admin, or a sales ops admin,
backup and recovery is not top of your mind.
It's like, ah, I don't care about that.
Somebody else deals with it, right?
That is a problem.
And I think that's one of the reasons IT, or in general, the people responsible for the organization have to broadly look at
saying, are we taking care of protecting all of our data? And do we know exactly what we actually
have? That's the second big thing I probably would say. That's an interesting one, because
I think we've sort of known, and it's, I think, probably something that people have talked about. Like, you know, people will say Microsoft doesn't protect your data; they'll recover the environment for you, but they won't necessarily protect the data if you corrupt it. You know, if you deliberately delete something and then, you know, facepalm, think, oh, I needed that, they're not going to necessarily have a backup for you. But if their system crashes, they'll rebuild their system to where it was.
And I think that's fine until you start thinking about how that other SaaS data is being used within your environment.
I mean, DocuSign, for example, imagine like the one you just mentioned.
Imagine you've got people signing documents all over the company and then something happens and you think, did we sign that document?
Did it get signed? Where is it?
You know, has somebody agreed that one?
Did we keep a copy of that document?
If you haven't got that, you're in real trouble.
And, I mean, that's just one example, isn't it?
You know, we could keep going on and on and on,
but that inability to say, I know where my data is from,
that SaaS application is a problem, and being able to get it back.
Absolutely.
And this is especially with things like, as you know,
things like DISA and DORA and NIS2 coming up, it becomes more responsibility for the customer to make
sure they know they have the data, they know where it is, things like that. So this just
increases the responsibility. Yeah. Okay. Next. Cool. Okay. So the other thing, which is an
interesting thing, Chris, for us is that if you think about, you know, at the end of the day, when we all think of data, at least coming from a data protection vendor, we think in terms of our customers' data is safe, right?
What we found out was with data, as you know, we have all the data breaches, which actually happen.
Over 61%, over 61% to be exact, of the data breaches happen through SaaS.
And people say, really,
why would that actually happen? It's not the case. You know, the challenge is that SaaS is very
secure. So it's not about the SaaS, which is the problem. So people mistake us. SaaS, when I say
SaaS, the SaaS vendor is secure. That's not a problem. They took a lot of care. They go through
SOC 2 compliance, ISO compliance, all that stuff done great. Vendor is not a problem here.
The problem, what happens is that lots of end customers sign up for the service.
And to keep the cost low, as you know, most of the SaaS vendors actually, let's take a classic example.
People decide, oh, we should actually have project tracking or we want to track issue tracking.
Let's sign up for Jira.
It's free.
First couple of people in the organization sign up. They sign up with their
own email, set it up, happily running. Then before you realize, 120 people in the organization are
using that particular one. So now it's everybody there. Is it actually tied into your company's
single sign-on? In most cases, no, because it's not part of your core IT. So people didn't sign
up.
So what happens is that that's number one. The second case, what happens is that people
sometimes, in a lot of these SaaS, is that they have the standard, the premium, and enterprise,
and so on. Typically, the cost, the way it's laid out as a single sign-on integration happens,
the premium or the enterprise license. So most people say, ah, you know, I don't want to pay that extra money. Let me keep it cost low.
Let me start with the standard license. While it's optimal from an initial cost perspective,
the challenge, what happens is that you're not secure enough. That's one part from a data.
The second one, what happens is that because a lot of people are saying, instead of signing
for a hundred licenses, why don't five of us share the same user?
Because you're using the same tracking.
That's the other big problem, because when you start sharing the data, you try to keep your passwords very simple.
What is the problem here?
It's easy to crack them.
When a bad actor comes in, all they need is a single point of entry.
Once they are there, they can enter the entire infrastructure.
That's why SaaS becomes a big source for data breaches and data corruption.
People sometimes think we are complaining SaaS, but it's not a SaaS vendor.
It's the way the simplicity also sometimes acts against it.
And the people signing up don't always think in terms of the data security.
That's the challenge.
And I think this is something companies really have to take their control over. Yeah, I think what you're referring to there is,
you know, it's the standard phishing attack that comes from basically social engineering. You know,
the design of the system potentially makes it more expensive to use in a manner that you should
do in terms of the proper sort of process you would follow, separate IDs for everybody,
separate passwords, maybe linked in to Active Directory,
and if people have been a bit lazy and haven't done that,
but also, as you said, share passwords.
I mean, for instance, you could imagine somebody
just sending a phishing email to an organization saying,
oh, I've forgotten the Jira password.
Can you remind me what it is?
And somebody going, oh, yeah, they need that,
and replying back and giving it to them,
and then realizing that wasn't from an internal person.
You can see how that sort of thing would happen.
And I think that's a real worry,
because that's down to social engineering
and possibly SaaS design of the platform.
It doesn't mean the SaaS platform isn't secure.
It just means that the licensing method is getting in the way.
And we had this years ago with things like Windows licenses,
when you had to work out,
you had a Windows licensing server. So your Windows copy internally might be licensed and
managed through a certain server. And it got really messy. So having that simple, I guess,
is good, but not all vendors have it like that. And I guess not all SaaS vendors follow a similar
process. They're all different. That's very, very true. And I think this is one of the things I think customers
have to be very conscious about,
making sure they're always tied into the corporate tech,
AD or Okta, whichever methodology they use.
That'll be so much more safer.
Yes, it's a little more money,
but it's worth it in the long term
because you never want this one attack.
So the thing which I think I wanted to actually talk about, Chris, is that the other finding, the fourth finding, I probably will tell
you in a summary highlights, I would probably highlight or lowlight in this particular case.
You know, it is surprising that even after so many years of cloud usage and SaaS usage,
customers assume that the cloud and SaaS magically protect their data.
Once they, they still believe as soon as they go to cloud, magically data is safe.
I don't know how many times you tell people it's sometimes the misinformation from the
past has trickled or at least the wrong perception is perceived.
And because one of the things, surprising thing we found out was 41% of the people respondents
even today believe it's the responsibility of
the cloud and SaaS vendor to actually recover the data in case of any problem. Well, this is
for so many of us who are doing this day-to-day, we look at all the terms of contract, things like
that, and look at it, but customers, we strongly encourage customers to actually get back and
completely get conscious that it's a shared responsibility model.
And the vendor does a fantastic job of creating a highly available service.
But at the end of the day, data is the customer responsibility, right?
Because as you and I know, Chris, the vendor can,
all they can say is that you gave me the data, I'll store it.
I'll give it back to you when you need it.
If you have accidentally happened to change something or they don't know it's
a good change or a bad change, right? So they just have to take for what it's worth. And that's where
bad things could happen. And that's why you have to protect your data and keep a copy of it just
in case something bad happens, you can actually get it back. Yeah, I think we sort of, we touched
on that when I was just saying about Microsoft and how they'll put it back and if you fat finger it and you delete something. But of course, across a large environment,
there could be all sorts of reasons why you want something back. You might have to go back
historically to look at something you know that you definitely got rid of a few months ago because
you didn't need it anymore. The issue I just said there about deleting stuff by accident.
You could have somebody, a malicious employee,
who just decides to go around and delete data randomly.
All these things happen, and we're used to normally,
in a data protection environment, being able to deal with all of that
and deal with it automatically because we're just used to that, I guess.
So it's probably not a surprise that there's a bit of an extension goes on
where people just think, oh, well, I've just bought a new service.
They'll do that as well.
But you can imagine why people think that,
even though that's not necessarily true.
Totally.
I can give you a real example.
One of our prospects and our customers,
essentially what happens in there
when they were in the past,
they had an intern during summer.
They said, oh, there are a lot of other old users,
things like that.
Can you go clean up the passwords?
And can you, sorry, clean up all the old users
and clean up some of the unnecessary items in the system?
Being an intern, it was great.
Everything was good, except accidentally,
he did not know what was related to the stuff
and he accidentally deleted stuff.
They did not recognize it till a month later.
That is a problem, right?
That's a problem.
And how would the SaaS vendor know what
is a good delete or a bad one, because it is done by your employee, quote unquote, at that particular
time, right? So that's something I think people have to be conscious about. And I think it's
strongly think of how do you keep your data safe there? Yeah, one of the things I always think with
that is the only person who knows your data in your system is you. You know, only
you know your own data. The cloud providers are providing infrastructure, whether it's SaaS
or whether it's IaaS, in fact, and, you know, we'll talk about IaaS stuff in a minute. But, you know, at
the end of the day, they're only providing you a service, and they provide it to thousands of people.
You can't expect them, from that perspective, to understand the nuances of everybody's individual
environment. You know,
only you know that. So therefore you should be the one taking the responsibility for that side of it.
They take the responsibility for having the infrastructure running; you take the responsibility
for managing your own data.
Spot on, spot on. Um, I want to just actually talk about one of the other
findings uh last highlight there and then you can actually go and people would love to encourage people to read the whole report.
The other finding for us, Chris, was that, you know, if you look at the number of infrastructure people, actually, you have lots of applications, lots of infrastructure.
But at the end of the day, all of them are protected through some set of elements, which are the guarding gates, right?
Your identity management, your single sign-on, things like that, which you actually have.
It was amazing to see, or shocking to see, I shouldn't say not amazing, in this case
it's shocking, shocking to see that 75% of the critical infrastructure were not being
protected.
It's like people, the SSOs and identity management security thing, they're not being protected,
especially when they're using things in the cloud.
They assumed magically it was actually safe.
That's your keys to your kingdom, right?
This is something I think it was a shocking information to us.
And I think this is one thing we are trying to tell people, please do take care of your,
if you lose your keys to your house, there are two possibilities.
Somebody else has it, they can come in inside and do ransack.
Second thing is if you don't have it, then it'll take a long time for you to come back
and do things.
Many of the people might remember the MGM thing.
And I know it started out with social engineering and happened a lot of things.
But at the end of the day, a good mechanism could get them back quickly up and running, guarded them well and quickly back up and running well.
So things like that, I think we strongly encourage people to do. I think I'm very interested
in the identity management
and protection of credentials
and credentials management.
Because if you, I guess,
if you step back,
everybody probably thinks
that if you're working on premises,
well, most people have got typical environments,
probably put a lot of their credentials management
in Active Directory.
It's a reasonably nice structure.
You know, you can scale it out to
forests and you can have individual domains of protection, and it's quite nice from an
administrative perspective because it looks very much like an organization might look, and you can
hierarchy and all that sort of stuff. And then you look at something like IAM and you look at the
fact that so much of that is driven by code, and then you go and look at, say, how Google does it, and then you look at how Microsoft does it in
Azure, which obviously is, in some respects, related to AD, but you've got lots of different
technologies that are doing things in a slightly different way with slightly different constructs.
Then you have to say to yourself, well, do I know how to back that up?
Do I know how it all works?
Do I need to be aware of the differences
in the way they work? So credentials management, I think, is a critical piece of your data
protection policy now, because as you said, if you lose that, you're in trouble. But also,
they're all very complex, and they're all very slightly different.
Actually, you bring up an excellent point there, Chris. You know, a lot of times when
you think in terms of systems like Entra ID or Okta, right?
Initial people think, oh, all I have is my users.
I know exactly how many users we have.
Worst case, we can actually put it back.
Sounds very rational initially, right?
What the guys in identity management can tell more than me,
what these days, these identity management systems are so powerful,
they don't just host the user information.
They hold all the user information.
They hold all the application information regarding who, all the list of applications,
who gets access to what application.
They control every one of them, right?
Which is expected, I guess.
But it is something we start peeling the onion, right?
It actually does that.
Just not that.
They actually have all the network access controls.
They actually say who gets to use what network, when, what, all that stuff.
Contractors can access this, people can access that.
All that information is part of the core identity management system,
which they actually have.
It's not just identity.
Right now, it's your entire company's ID,
in some sense, and the controls there.
So it's very, very critical people think
of the entire set of controls you have in the system.
That's one of the reasons when they think of protecting, they should think of the entire set of controls you have in the system. That's one of the reasons when they think of protecting,
they should think of like,
they should realize the criticality of the system,
because if you lose that,
you just don't lose the user information,
which could theoretically add back,
but all the other setups you actually put, right?
All the other controls you put based on the user and the application
and the infrastructure you actually have.
That's why it's very, very critical.
And I think people should definitely consider saying, how are they protecting it?
And the thing is, the big thing for them, they should also think in terms of that when
they make mistakes, they rarely does the Entra ID dies in system.
That's a very rare occurrence.
It possibly could, but it's a rare occurrence.
The bigger thing most customers make mistake, as you can allude to it, Chris, is that
people make mistakes in parts of it, right? They make, oh,
they accidentally deleted all their application configuration thing, or they drop
10 users' permission profiles, things like that.
That's the problem people run into. And it's a human error, partly.
And the second thing is that when
attacks happen, those guys know how to exactly change some specific areas so they can get full
control, things like that. You need to have a good recovery mechanism. That's why protecting your
core infrastructure like identity management, Entra ID, Okta, things like that, are so critical.
I'm gonna add one extra one in there, and that's the scenario that it's very easy to assume that everybody's structure in terms of their access is going to be uniform and linear.
So, for instance, you join a team, you get permissions within that team and off you go. In every job I've worked in, I've always had some connection to another team because they've said, oh, you know, you're going to help us out with this bit of work, or historically I've been maybe a liaison or a point of contact for that particular team. So as a result, I've got
maybe extended credentials into another system or some other access or another platform that, if you
look at it on its own, you'd probably think, well, why has he got that? That doesn't make any sense.
But that was an internal business process that we were doing for me to support somebody. Now
imagine somebody trashes a load of IDs and then you try and put all that back. What are the bits that are
going to be missing? You're going to be spending your time going back and going, well, you know, I
might be ringing up the help desk every week, so, and now I've lost this, now I've lost that. And then
somebody has to go and approve it, somebody has to raise a ticket to get that approval to go and put
it back. So all of those sort of things that end up sort of being the slight
exceptions that sit in systems because they're part of business process, if you can't restore
those back to where they were, you are in a world of pain. So it's not just a case of saying, well, I
can just put the users back, like you said, into the right groups. There's a whole lot of historical
information that could be lost as well. And I think, from my perspective, that's where I see the sort of
the real problem. Normal business churn causes a lot of discrepancies within environments that, if they're lost, could be a real problem.
Excellent point you mentioned there, Chris.
I mean, the key thing to look at there, right, as you said, it's the users and what the problem is and waiting for trouble tickets to get fixed and issues.
If you look at one of the things like Entra ID and Okta, things like that,
they control all of your employees
and the contractors in the company.
And in many cases, not just that,
it also controls your external relationships.
The challenge here is that
you have a significant business impact.
It might sound like,
oh, one application is down.
But the trickle effect,
the impact on the business is significant.
And that is one of the reasons people,
I always tell people,
the entire Entra ID and Okta could probably put in your single USB and happily the
data is there, right?
The quantity of data is not that more.
It's the criticality of the data is a thousand X more than what you actually
see from the data size.
So that's something that people look at.
Yeah.
I mean, here's a comparison.
I guess if you counted up the number of characters in the entire works of Shakespeare,
then you'd probably find that there aren't many words in there,
there aren't many letters in there in total.
It's probably, you know, a few megabytes.
But it's the specific configuration of those words and letters
that create, you know, 40-odd works of literature.
And it's no different to the...
Excellent, excellent.
Interesting, very interesting one, yeah.
And it's no different to that USB stick, like you said, that's got your configuration information.
And if it's wrong, it's wrong.
There's no other way to look at it.
So, okay.
So this has been a really interesting sort of summary of the things that you found in this report.
And it's obviously, it's worrying that customers have these problems.
But this wouldn't be any good to discuss if you as a company didn't have solutions to this. So let's dig into how you're addressing some of the problems that you
found in this report. Totally. So the first one I probably will actually tell you, Chris, is that
it was very interesting to run this experiment, to see real customer feedback in a cross-section
around the world, right? Americas, Europe, Asia, back across the board, we do this thing to actually see the thing.
And the thing is, the problem is not unique to one sector, one domain, things like that.
It's a broader problem.
The first thing which we tell people is that please get to see what we said, right?
Remember, people underestimate this by 10x.
So simple thing we tell them, please look at what you have. How do
you do that? There's a free service called R-Graph. It's part of our entire R-Cloud service,
R-Graph. People say, what is that? It's a resiliency graph. It tells you,
it automatically discovers all of your SaaS, PaaS, DBaaS, IaaS, all of your infrastructure there,
and then tells you what's protected,
what's not protected.
It gives you a holistic picture.
At a minimum, there's no cost to this particular one.
So I simply tell customers or prospects,
guys, even if you don't use any of HYCU technology,
it's okay.
Please use this thing.
It's a free service.
Get to see what you actually have.
That's the first one.
That's the first part.
Before we go into a bit more detail,
how does it do that?
What's the entry point for that
to be able to do that information?
Is that your identity management system again,
or is that something else?
That's a great question, Chris.
So we do use a lot of information.
Initially, the initial seed data
comes from the identity management system.
Obviously, we have a lot more additional intelligence
on top of it,
but it starts out with your identity management
because that's your initial entry point.
And then what we do, it's an iterative way of discovering the continuous information.
That's what we end up doing.
Okay. All right. Great.
Good. So that's the first one with regards to getting your entire landscape.
The second thing I tell people is please protect your core infrastructure.
We talked about all the Entra IDs and Oktas, right?
One of the things which we currently actually protect both your
Okta and Entra ID. And if I have a double click on them,
and both Okta and Entra ID actually they are sometimes used independently,
many times used together. So we protect both of them.
Why is this critical? It goes back to everything we talked about. It is a small amount
of data. It's not a lot of money, but please protect it.
It's very, very critical.
It's your keys to your kingdom.
And I think it's an important thing to actually protect.
That's the first thing.
So we actually recently launched Entra ID protection.
One of the unique things about the way we do, Chris,
is that it's not just touting our product.
It's about thinking for a customer, I would probably definitely say is that.
In Entra ID, like what you said earlier,
it's just not about the users.
It tells you about all of the assets you have,
how they are all connected, all the resources,
how are they connected, things like that.
The good thing is that we can protect
the entire end-to-end for the customer.
And that is very, very critical.
It's not about just backing up users.
It's about the whole picture.
That is something very useful,
and I think that is something I encourage customers to do. This is in addition to Okta,
where we protect both the Okta workforce identity, which is all your company employees,
as well as what Okta calls the customer identity, which is all your end users.
We actually protect that too. And we have a lot of customers using that infrastructure,
and it's a true story.
One of our healthcare customers, I'm just not making it,
one of our healthcare customers, during the trial,
this is, I mean, Murphy's Law, you would say that,
they turned the service on.
They realized they had to protect their infrastructure.
Like some, as always, you know, Murphy's Law happens.
Accidentally, one of their,
they went through an internal accident happened.
Thousands of the users got deleted.
I'm not kidding.
It's a true story.
It happened.
God's grace, they actually had, they just turned on the backup last to the prior week.
They were able to quickly flip it back, get it back up and running.
And the customer was so happy.
I mean, at that time, they were a prospect, not even a customer.
But they were very, very happy that they actually did that.
This is, again, I don't want it to happen to anybody. But if it's there, you always need an insurance policy to get it back. So it's strongly encouraged people to do that.
Okay, so that's obviously, that's one side of, uh, what you're
doing to address the problem. Obviously, you know, you're telling people that they should go off and
do your SaaS, your, um, R-Graph analysis, which helps them understand how many SaaS applications
they have there. In terms of, say, IAM, you also have protection of IAM as well. So there's that side of it too.
So I would say that you've got a fairly comprehensive coverage of credentials management
within the enterprise now.
Absolutely. If you think about it, if you look at Okta and Entra ID
together, that probably makes up like 90% of the, 90-95% of the entire set of things, what people do to protect their identity today.
Right. So that's, and the classic enterprise, that is something we are able to protect.
And as we said, it's the entire infrastructure, not just the single user entity here.
That is something there for people.
So, okay. So that's the IAM stuff side, the side of it and all the rest of it.
So we've talked about that, but what about the sort of general side of SaaS
and how many platforms you're supporting?
Obviously, when we talked about this at the very beginning,
we talked about the fact that you had a different approach to protecting SaaS.
You had an entire API that allowed people to be able to effectively code to that.
So, you know, what's the update on that, first of all?
And also, you know, what are the SaaS platforms are you protecting in general?
Thank you, Chris, for the question there.
So the thing, the way we ended up doing, as we said earlier, there are over 35,000 SaaS applications.
And it's just not about us protecting it.
We also want partners to protect. That's why we built this entire R-Cloud platform, which allows
partners, even customers who want to build it, it's fine. If you have your own custom application,
you can add it. And we've made it a very low-code application for people
to be able to add new integrations into the platform. The first set of
things which we started protecting for customers is that, you know, the way
I think is protecting your core entry points, which is your Okta and Atlassian, that's your entry point.
The second area where customers have a lot of, then if you think about your company, where is
your value? Two other things come into picture, right? You protect your entry, one, your IP,
your intellectual property in the company, and the second thing, your customers. Those are the most valuable assets in the business.
Obviously, there's so much more, but those are the things.
So we start with protecting all of your IP.
What do I mean by that?
It's all your GitLab, GitHub, Bitbucket,
where you keep a lot of the things.
You keep your knowledge.
Knowledge is IP, right?
Where do people keep it?
People keep it in SharePoint.
People keep it in Confluence, things like that.
We actually protect that.
And the other thing is,
where do you keep all your information, issues,
things like that, et cetera,
things like Jira, which people keep all that information.
All that is something you got to protect.
And that is something I tell people.
So the way I tell people is,
first, protect your entry point, which is their minimum three things I tell. First protect your entry point, protect your IP,
protect your customers. People say, what do you mean customer data? Customer data comes in things
like Salesforce. You've got to protect it because that's where you have all of your engagement
with customers, which is there. Are there other things customers keep in
for some customers, like people like you who use Notion quite a bit. I remember I was talking
to a customer in the architecture firm
where Notion is the most important application.
I said, really?
The reason for them is that their entire workflow in the company
is built on Notion.
That is something we protect, right?
So the good thing we have done is that we have built a platform.
We can protect all of Atlassian portfolio, things like Okta, Entra ID,
things like DocuSign, things like monday.com, Asana, and Salesforce,
and so many more other applications. Not just this one, we are actually also working with partners
like I have managed to protect some of their legal specific applications. And there are many,
many more coming up. So we have over 80 plus integrations right now. And this is just when
you talk about SaaS, it's just not here. We also protect a lot of things in the public cloud.
When you think of public cloud database as a service,
infrastructure as a service, things like that.
So that's enough of our selling,
but I just want to share with you,
as you go through it,
people should think in terms of
what is critical for you in your business.
I know you can't protect all of them overnight,
but think in terms of,
identify the criticality and part of your business
and then start doing it one by one by one, keep adding it. That is something there.
I think you're right. I think you look at it and think, actually, when you start digging into it,
there are dozens and dozens of applications. And you certainly need to be aligning your data
protection to your process as well. And I know things like Notion have become incredibly popular,
and it's that workflow you can build into technologies now.
It's not just that static data of a load of spreadsheets.
It's the workflow that sits with it, which is important.
So excellent.
So you've got all of that covered.
But let's talk about some things where you could be going to.
And I think this is always interesting.
And the one that comes up that I think of time and time again is the ability to look at, say, IAM and those sort of things and track the rate of change and look at behavior and try and work out.
Because if you've got an environment of, say, 1,000 to 2,000, 3,000 users, and you get hacked and somebody slips in one new Active Directory domain admin, you know, do you notice that?
Do you notice that admin coming in three months ago?
You know, those sort of things become, I think, really important. So what sort of things do you
think you're going to gravitate towards? What can we expect to see going forward?
That's a very good leading question there. I'll tell you, the thing was, you bring up an excellent problem for,
I mean, a big problem for customer, not excellent. It's a big problem for customers, right? The whole idea is that people want to see what's happening. Because if you look
at individual point thing, you don't know the thing. You have to look for what they call the
forest from the trees, because you can't see what's actually happening, right? So the key thing is
that, and for example, in the case of Okta, we do track changes which are actually happening.
If you see unusual things, change patterns, which are there, we look for patterns at the end of the day.
That's the first thing we could do, right? We look for unusual patterns and we want
the customer, hey, something unusual is actually happening there. That's
something we have actions for Okta and you can expect us to do something
similar for Entra ID, also very related to that thing. There is a lot more we
can add in this space to exactly to answer customers' problems,
saying how do you find anomalies in their infrastructure to keep them as one other
checkpoint to help them with it?
Yeah, the sort of things I think, you know, when you look at that,
you think, if I can see my rate of change, it gives me a good idea of what's going on. But also,
it may well be that somebody's job is to do that normally. So, you know, looking at when their
behavior changes, and they do something different, I think is quite important. What about things like
cross-platform? So I would say I'm not necessarily referring to, say, taking something from Azure and
dropping it into AWS. I mean, that's just not really logical to do that. But certainly there's,
you know, maybe a requirement if I was building out a new infrastructure sitting in
a different region, I might want to take all my credentials with me.
It might be logical to take the credentials set up rather than retype it in because typing it in is error prone.
So how could you help me in that example?
That's a great point what you mentioned.
So one of the things which actually comes up for our customers, one is the cross-regional move, to your point you said.
The other ones
where it has actually come up
I'll tell you
is that one is seeding
when people want to actually,
I'll give you
one of our customers,
their organization
is splitting into multiple companies
in that particular case
and they want to create
separate entities
then they want us
to actually seed into that one.
Sounds like a very simple
but it's a clear use case
for them to actually do that, right?
And that is something we do.
And also there are other people
who want to actually have,
always have a test infrastructure
where they make changes first before replicating.
That's there.
So it's seeding is the way we call it our seeding.
And that is something,
the other one,
which actually from a solution perspective,
you'll see it a lot more shortly.
Excellent.
So there's lots of things coming up.
And I guess my question is, um, I'm guessing you're expecting to do this report again another
year's time or something like that. It's going to be a repeating thing. I think the interesting thing
there, um, Subbiah, will be to see whether you've, um, got people have actually realized that there are
issues and whether those numbers go down or whether those numbers stay the same.
Because with all of these sort of reports,
you hope that you talking about it will encourage people to go away and think about it
and make them change.
So on that basis, where can we sort of point them to
to find the report?
And where can they learn more about R-Graph
and some of the other things you've talked about today?
Totally.
So the first thing is hycu.com, H-Y-C-U.com. People can go there,
they get the report. I'm sure you'll probably add a link to the in your infrastructure. That
is something there people can get. The first one, same thing is that I tell people, just give it a
try. Don't worry about it. It's not about selling. It's about getting you to at least use, discover
your infrastructure, what we call the R-Graph. And you can actually do it.
Again, all you have to do is go to HYCU, sign up for it.
It just takes a few minutes and you will have your own infrastructure and you can discover
your entire infrastructure as you go through.
That's again, R-Graph.
Again, there's no charge to it.
All of this is free of cost and you can actually play with it.
If you can be of help, always reach out.
We are there to help you.
Yeah, I recommend everybody does go and do that
because I think there's nothing more enlightening
than suddenly realizing that you're using services
you didn't know about.
Some other parts of the organization might be using it.
And that's probably one of the things that we saw with,
I guess, the start of the cloud.
We saw that shadow IT.
And now we've got shadow, shadow IT
because you have the IaaS people and now you've got the SaaS people.
So you've got sort of doubly, doubly the problem.
And it's just a fact of life, isn't it?
It's the, the barriers to entry are very low for using those platforms.
So no surprise, people go off and do things themselves, but then they usually come back
to IT and say, oh no, we've got a problem.
You need to fix it.
So I definitely think, you know, it's worth doing that.
So we'll point people to all of that. And, um, I think we'll look forward to finding out what people say next
year with this, because hopefully you've managed to help people understand some of the issues and
they will improve their awareness. It's probably the best way to describe it. But let's wait and
see, I guess.
Looking forward to a great result next year.
Yeah, absolutely.
Okay, so, Subbiah, thank you for your time.
I think it's been really interesting.
I'll point people to all of that, the links and so on.
But for now, thanks very much and look forward to talk to you soon.
Thanks, Chris.
It's always a pleasure talking with you,
and thanks to your listeners for the time.