EPISODE 004 : 03/12/2021
Joan D. Pepin on Auth0 and the Future of Security
Joan D. Pepin, Founder and CEO of stealth-mode security company ZeroWall.io, was previously a two-time Chief Security Officer, at Auth0 (recently acquired by Okta for $6.5 billion) and at Sumo Logic. In our interview, Joan comments on market consolidation in the IAM space and on SnowShoe’s hardware-centric approach to security, and tells us that Alexander the Great used secure protocols still deployed in modern systems today. Listen for a front-row perspective on the global shifts in security and authentication.
Host: Ned Hayes and Karen Jensen
Guest: Joan D. Pepin
Topics discussed in this episode
- Employee and consumer identity access management
- Viability of a passwordless environment
- How a business can think through the implications of data breaches
- DEI and the cyber security job market
- AI and machine learning in the cyber security space
Ned Hayes [00:00:09] Welcome to SparkPlug, where we talk to smart people working at the intersection of business and technology. Brought to you by SnowShoe, making mobile location smarter today. Karen Jensen and I talk to Joan Pepin, founder and CEO of stealth-mode security company Zero Wall. She’s previously the chief security officer at two unicorn security SaaS companies, Auth0 and Sumo Logic. She’s had a front-row seat to 8 rounds of funding across these two unicorns. And she was part of Auth0’s successful team that led to the $6.5 billion acquisition by Okta. Welcome to SparkPlug, Joan, it’s so great to have you here. I think we met each other in the startup community here in Portland.
Joan Pepin [00:00:55] Yeah, thank you for having me. Really glad to be here.
Karen Jensen [00:01:00] Yeah, it’s really great to meet you. Like Ned said, we’re excited to have you on the show to start. Can you give us a thumbnail sketch of you?
Joan Pepin [00:01:08] Yeah. So my name is Joan Delilah Pepin. I’ve been in information security for a lot longer than I like to admit, which is over 25 years now. Along the way, I’ve worked a lot of places, done a lot of things. I spent just under 10 years in managed security services. I was employee about fifty-five at a company called Guardant way back in the day. Someone a few weeks ago referred to Guardant as the OG MSSP. I thought.
Ned Hayes [00:01:39] It’s so true.
Joan Pepin [00:01:40] Then I moved on, moved across the country to Silicon Valley and joined Sumo Logic as their 11th employee. We were in essentially like an apartment above a bookstore on Castro Street in Mountain View. We didn’t have a CEO and we didn’t have a product yet. You know, I was there to about three hundred employees and about twenty, twenty-five million, somewhere in there, in annual revenue. Went on from there to take a very interesting position at Nike for about two years, where I was the business information security officer for their $8 billion at the time, I think $10 billion now, e-commerce business unit, which is both e-commerce and direct, you know, brick-and-mortar retail, the Nike Town stores. Jon Gelsey, the first CEO at Auth0, convinced me to come join Auth0 and build out the security program there. I kind of picked up where I left off from Sumo. They were about two hundred and fifty employees and about twenty-five million when I joined, you know, and I was on that ride with them all the way to just under a $2 billion valuation and over a hundred million in revenue and 700 employees. So that was a great experience. And then on September 30th, I stepped down from Auth0 and founded Zero Wall, where I’ve been spending my time the last six months. It’s still pretty... we’re still pretty stealthy here at Zero Wall, but we’re looking to change the way that companies think about information security.
Karen Jensen [00:03:08] Great. Very nice. So of course, like everyone else in tech right now, we’re interested in the recently announced acquisition of Auth0 by Okta. What’s your take on that?
Joan Pepin [00:03:20] I think this is a really positive development for, first and foremost, the customers out there, right? And secondly, I think this was a great exit for the company, and this is a great outcome for employees and investors as well. But let me start on the customer front. So Okta and Auth0 were both able to grow quite large and quite fast and quite successfully doing similar things for very different... we’ve always not quite known whether to say they were just different use cases or if they were different market segments,
Ned Hayes [00:04:01] Different buyers, perhaps?
Joan Pepin [00:04:03] Yeah. Yeah, you know, that’s for sure. The Okta, the traditional buyer, tends to be the CIO and, you know, they very much focused their company on workforce identity, right? And so single sign-on for the workforce. If you have thousands of employees and hundreds of applications that they need to log into every day for security and productivity, you want to streamline that process as much as possible. And Okta is the right fit for that. Auth0 took a different approach to the market and focused on consumer identity access management, and so Auth0 customers, a lot of them tend to be media customers, newspapers, video streaming services, etc. And so that’s not employee identity, that’s consumer identity. Now, at the end of the day, both pieces of software take a username and password and they tell you yes or no. And they do some various other things. I’m oversimplifying, but at the end of the day, they’re both identity access management companies, and the software under the hood does very similar things. But because they focus their front end and their use case on, you know, really very different use cases or market segments or buyers or however you want to look at it, they didn’t really compete for a long time. People would ask us at Auth0, are you worried about Okta? How do you feel about having this huge competitor in the marketplace? And we would say they don’t really feel like a competitor. It’s not like we’re losing deals to Okta, because if you’re looking for consumer identity, then you probably come to us. And if you’re looking for workforce identity, you probably go to them. And so we were able to kind of grow and keep out of each other’s way for a long time. And then I would say in the last little over a year, we started to bump into each other more.
And you start to get to those really large companies that have both problems, that say, Well, yeah, we have a huge front-end website that consumers use and we need to manage that, and we have thousands of employees that have to log into hundreds of apps. And why should I have to buy two pieces of software and deal with two vendors and two contracts and two tech stacks in order to solve both of these problems, which feel very similar to me? Right, right. And so about a year ago, we had both worked far enough up the market that we did start to see each other in deals. And I think both companies came to a point where we, you know, kind of decided that it was time to maybe start getting in each other’s ways. Right? Okta started to focus on a developer-focused CIAM add-on to their product, which kind of looked a lot like Auth0. Auth0 had started to focus more on workforce identity because, you know, when you have a large customer that says, Well, sure, I’m mostly here for your CIAM, but you mean you can’t handle my SSO at the same time? Well, we didn’t want to say no, right? So what started to happen, quite frankly, is I feel that each company started to build an inferior version of the other one’s product in order to get it.
Ned Hayes [00:07:31] Yeah.
Joan Pepin [00:07:33] And so I think now the consumer wins, the customer wins. Because now you can go to one business entity and sign one contract and you can get both your solutions. And you know, obviously Auth0 is going to continue to operate as an independent entity for some time. But there’s going to be, I’m certain, you know, I haven’t worked there in several months, so I no longer have any inside knowledge. But, you know, I would assume there will be some sort of technical merging that will probably take a number of years on the back end. But from a business perspective, as a customer, being able to go to one company and have that full suite of needs met with best-of-breed products, as opposed to saying, well, workforce is more important to me, so I’m going to go with Okta and I’ll get by with sort of a second-class consumer solution, or the reverse, you know, my consumer solution is the most important thing, and so I’m going to go with Auth0 and I’m going to get by with a second-class workforce solution. And now you can go one place and have two best of breeds.
Karen Jensen [00:08:45] So is it the same problem you’d say these are just different angles on the same identity problem, different vectors to solve it?
Joan Pepin [00:08:54] It’s different. It’s slightly different identity problems. On the consumer identity side, like, is your subscription up to date? Are you able to read the articles beyond the paywall, right? You’ve logged in. You’re a Wall Street Journal legitimate customer. Have you paid your bill? Can you read an article? Right, right. And then on the workforce side, are you who you say you are? Can you have access to this Word document? Can you have access to this file share, right? It’s absolutely the same thing, but it’s: are you a media entity that’s talking to hundreds or thousands or millions of consumers who are all using their personal email addresses as their identity? Or are you dealing with, you know, hundreds or thousands or hundreds of thousands of employees who are using their corporate email addresses as their identity?
Ned Hayes [00:09:50] So I know you’re using passwords as a proxy for a more secure identity system, but some security experts have begun talking about a passwordless environment in the future.
Joan Pepin [00:10:02] Some of the legitimate issues that people have with passwordless are like, you know, OK, so if we’re using your mobile phone as your identity, right? And so if you are able to respond to a text message to this number, then you must be that person. Well, I mean, that’s defeatable any number of ways, the least of which
Ned Hayes [00:10:26] Is one way and another. Yeah, yeah.
Joan Pepin [00:10:28] Right. I can spoof your number or I can just steal your phone when you’re getting a refill on your latte at Starbucks, right? So there are challenges there right now. Zero Trust is something that I feel I very strongly believe in, and that’s part of the name of my company, Zero Wall. And so, you know, to me, Zero Trust goes way, way, way back to long before we were calling it that. A gentleman, Marcus Ranum from Tenable, many years ago now, I mean, probably 15 years ago, wrote a blog post, which was somewhat revolutionary at the time but was also common sense, about enumerating badness. Said, you know, block lists are not going to scale, they’re not working now, and they’re going to continue to get worse. There’s too much badness in the world, in the universe, to enumerate it all. And so keeping a list of all the things that you’re going to block just isn’t good security, it doesn’t make sense, and it’s the way that we’ve built the whole industry. And he said, what we need to do is make allow lists. These are the things that are explicitly allowed and everything else is denied. And that’s been a philosophy that I have adhered to and tried to adhere to and tried to drive my businesses and technology units to adhere to, you know, for well over a decade now. Right. It’s: let’s really understand our systems. Let’s understand all the applications that run on these systems. What are the ports, TCP and UDP ports, these applications need to communicate over? Who are the only people who are allowed to access them? What are the exact IP addresses that make up this system? Which ports should this system be able to talk to that system on? And only allow that. I was very proud at Sumo Logic. I like to brag all the time that there wasn’t a single packet on the Sumo Logic production network that we did not know exactly what it was for.
Ned Hayes [00:12:35] Wow, really?
Joan Pepin [00:12:36] Yeah. And why not, right? It’s funny to me that that still shocks people. If your infrastructure is code, if you are in Amazon or GCP or Azure and your routing is code, your firewalls are code, your everything is code and everything can be stuffed in a variable and everything... there are an abundance of message queue services available, like, that are open source that you can use for free. Then what excuse is there, really, like, seriously, what excuse is there to be running some daemon on some server that you don’t know what it’s there for?
Ned Hayes [00:13:14] Right, right. Well, this of course brings up the SolarWinds hack. So I’d love to hear your perspective on that, because that’s one of those instances where people installed something and they didn’t understand exactly what it had access to, what it was doing.
Joan Pepin [00:13:31] Yeah, and that’s just bad OPSEC. There’s obviously a huge tension between needing to get code written and needing to secure your code, there’s a huge tension there. There’s a huge tension between usability and security in lots of cases, right? I don’t see any tension, though, at least not any tension that isn’t worth just shrugging off, around understanding what you’re installing on your systems and what it does and again, what port, like? Very simple stuff, security 101. What port does this listen on?
Karen Jensen [00:14:12] So just how do we address that tension you mentioned? What’s missing? What still needs to be addressed to bridge that gap?
Joan Pepin [00:14:21] At the end of the day, you know, the things that... when we talk about a security breach, right? There’s two real things that we’re worried about in a security breach. We’re worried about the integrity of data or of the system, and we’re worried about the confidentiality of the data. Right. Those are the two pillars of information security, integrity and confidentiality. And so an attacker, a hacker, either a criminal, a nation state, you know, they’ve got a couple of things they can do. They can disrupt you or they can steal your data, or they can subtly change your data in ways to disrupt you, right? Like that, but really at the end of the day, it all comes down to theft or disruption. Right? And so, OK, so let’s think about that. So, do I have things that people want to steal? Do I have the type of data that people want to steal? Well, I have PII. Well, then you do. People want it, there are lots of people who want to steal that PII. Oh, well, I have, you know, source code for top secret, OK. Someone’s going to want to steal that, right? Do you have something that anybody wants? And you know, most companies do. Most companies have at least something that somebody would like to get their hands on. Right, right. OK. How important is that to you? How damaging to your business, your brand, et cetera, would it be if that data were exposed or stolen or altered without your knowledge or permission? Right? What would that do to your business? If the answer is, eh, it really wouldn’t be that big a deal to my business. Mm-Hmm. Well, then that’s fine, you know, then invest accordingly. Right? What often happens, though, is no one even asks these questions. And they assume that these things aren’t that important, and if XYZ, they think, well, it’s unlikely that anyone even wants anything that I have, and it’s even more unlikely that anyone’s going to try and take it.
And so I’m not going to slow down my development process. I’m not going to waste money or time or people securing this thing that I don’t even think anybody wants and that I don’t think anybody could easily take. And, you know, maybe you’re right, but probably you’re not. And that’s, you know, it’s absolutely worth doing the thought experiment, right? What would happen if my valuable data was dumped into a Pastebin somewhere? Do I not care? You probably do. Right? OK. So then what steps do I need to take to prevent that, and building that into the business and technical requirements of what you’re doing? Right? I think that, you know, there’s this huge tension often between security and product management, right? Where product’s like, well, we need to focus our limited developer resources on building features and getting features out the door as quickly as possible. And you and your security requirements are just slowing us down. And I just think that that is an absolutely backwards, medieval, like, just the wrong way to think, right, because security is a feature. Your consumers, your customers do care if their data is safe with you and secure with you, right? Really, it is part of the identity of our company. It’s part of the feature set of the product. We don’t just deliver an XYZ. We deliver a secure XYZ.
Karen Jensen [00:18:02] Really great insights. I love your return to the basics. So as we all know, at its most basic level, security is about putting together multiple factors: something you know, something you have and maybe something you are.
Joan Pepin [00:18:18] Well, I think that’s one aspect of security. That’s the Triple A. That’s the, you know, access, authorization, auditing, right? Like the whole IAM, right? Are you who you say you are, right? And then what do you have access to? And that is a critical building block, a foundational building block of security. But there’s a lot more to it than that, unfortunately, right? So let me tell a little story. This is one of my favorite anecdotes. So imagine you’ve got a time machine and you’re able to go back, say, three thousand years and you’re looking at Alexander the Great or some similar historical figure. And they’re standing on a hill, looking down at a chariot battle down below, and Alexander wants to get a message to the chariot commander telling them to flank around to the west. So he takes out a piece of papyrus and a pen and a secret encoder ring, which they had, they really had, it’s called the scytale. And he writes an encoded message on the papyrus, rolls it up and seals it with a wire, with wax and bitumen and his personal seal, like an engraved piece of bronze that’s really ornate and expensive and very hard to counterfeit; and seals that message, seals that scroll, hands that scroll to a trusted messenger who runs down the hill. The trusted messenger gives the message to the chariot commander. The commander looks at the seal, validating that the message is from Alexander, further validating, because the seal is not broken, that this message has not been intercepted. Cracks the seal, opens the message, has to take out his scytale to decrypt the message, thus further validating that this is a valid message from a valid sender who has the right encryption key. And then, to be completely careful, the chariot commander tears down the session by stabbing the messenger in the throat.
Karen Jensen [00:20:19] Wow. Yeah
Joan Pepin [00:20:20] That’s TLS. That, like that. Like, we’ve known everything that we do to secure a TCP/IP communication today in 2021, Alexander the Great did three thousand years ago.
Ned Hayes [00:20:36] So, so is the point to that story that we have the same algorithm, it’s just instantiated differently?
Joan Pepin [00:20:44] My point is somewhat, yeah, is that the basic fundamental rules of information security have not changed and they’re pretty simple.
Ned Hayes [00:20:53] Mm-Hmm.
Joan Pepin [00:20:54] We have built very complicated systems, which has made the implementation of that simple logic sometimes complicated.
Ned Hayes [00:21:04] Right? So to bring us up to the modern era, though, today we’re seeing a lot of consolidation in trust. TrustID was acquired by Neustar, Auth0 acquired by Okta. There have been other identity and security acquisitions. Do you see that consolidation as a good thing?
Joan Pepin [00:21:21] You know, I just tend to look at it honestly as a force of nature, right? Like, there’s just something that needs to be dealt with, because if we look back at the history of our industry, right? We had a math co-processor. One of my first jobs as an intern at the New England Journal of Medicine in 1991 was running around and installing, you know, 8087 math co-processors in motherboards that had 8086 chips, right? Well, then we moved that into software, and then we moved it back into hardware, and then we moved it back into software. We used to do all of our video rendering in software on the CPU. Then we had a video card. Then we brought it back into the CPU, right? We had mainframes and then we had PCs, and then we had thin compute, right? We have startups, new companies, new technologies. They get founded, they go in these various directions, they consolidate, they conglomerate, and then a whole new generation of new, nimble companies comes out, right. And so I think of this just as sort of the breathing, you know, of the whole ecosystem.
Ned Hayes [00:22:30] What’s the gap in the security industry that you see?
Joan Pepin [00:22:32] Yeah, no. The gap in the information security industry, you know, there’s a lot of systems to secure. There’s a tremendous amount of software being written. There’s a tremendous amount of systems being turned up and integrated. All of these integration points, all of this software needs to be secured. And there are not enough people to do it. There are not enough people who are trained in doing it, or certainly not experienced enough to do it. There are a lot of people, though, who are willing to do it and who are willing to be trained and who would like to be trained and would like to learn. And so I think a big way that we can close this talent gap in information security is by opening up the tent, by making it a much bigger, more accepting and more diverse community, by bringing in people from different backgrounds and from different schools and different races and sexual orientations. And all of that, right?
Ned Hayes [00:23:37] Absolutely, Joan. I can’t agree with you more. Karen and I have both been very involved in SnowShoe’s diversity and inclusion efforts, and we’re happy that the industry is moving in that direction as well.
Joan Pepin [00:23:48] Yeah. Awesome. Right.
Ned Hayes [00:23:49] So that’s the gap in people that we really need to address in the tech industry. But as we look ahead, what’s the most exciting thing for you?
Joan Pepin [00:23:58] Yeah, I think that, and it’s really, for me, this is really funny and ironic that I’m about to say this, because this is the opposite of how I felt for many, many, many years. I think that we are getting to a point where machine learning and artificial intelligence applications to security are becoming useful and interesting.
Ned Hayes [00:24:20] Wow, that is a shift, because 10, 15 years ago people were scoffing at it.
Joan Pepin [00:24:26] I’ve been scoffing at it until probably a year ago. You know, I was originally someone who tried to make it work. Back when I was at MIT Lincoln Laboratory, when I was at Guardant, I believed that we could do it, and it just turned out that the underlying technology was not there. We were too early. We were trying to use tools that weren’t ready to solve a problem that was very hard to solve. And so it never worked, and people tried and people built products, and I shouldn’t say it never worked, because I think that we forget how much spam we would be reading if it weren’t for Bayesian networks. Right? Got it. So it worked in some limited cases, right? But it didn’t work for broad, like, security detection and response or event classification, or being able to decide if this alert is worth waking up a customer at three o’clock in the morning to look at or not, right? The machine learning and the AI did not do that. It did figure out that, you know, 100 emails with the subject line "make money fast" probably should not wind up in your inbox.
Ned Hayes [00:25:38] Right, right.
Joan Pepin [00:25:41] And now, though, I have seen, you know, over the last 20 years, the underlying technology evolve and start to become very useful, certainly in other aspects and certainly in other areas, right, applications like deepfakes, et cetera, were just not possible a few years ago. Right. And so now I think the general promise of machine learning and AI technology is starting to bear fruit. And I think that now that that underlying technology is starting to really mature and bear fruit, we can now start looking towards some interesting applications in the security space.
Karen Jensen [00:26:24] Very cool. One area where we’ve been really successful in lately at SnowShoe is retail, and so, does machine learning and AI have relevance for identity and security in retail?
Joan Pepin [00:26:38] Oh yeah, I think it does. Well, gosh, you know, do you have things that people want to take? Yes, you do. Is there a population of people who want to take those things? If you make a living taking those things, yes, there are, right. And so, like, do you have a security problem? Yes, you do. And you know, if you’re at large scale, you’ve got a large number of data points and a large number of consumers, et cetera, using the platform, then that’s really good from a machine learning perspective because it means you’ll have very large training sets. And if you know, this is sort of the other key, right, if you know what bad looks like, right, if you have examples of incidents, breaches, things like that that have happened that you can use to train these systems, and you have a lot of data because you have a lot of scale, then I think there’s absolutely, you know, at least theoretically, an opportunity for that type of technology to be useful.
Ned Hayes [00:27:34] One thing that we’ve seen work for small retailers is having some sort of in-person validation. It’s not just online, it’s something where the person actually shows up. So whether that’s a biometric or whether that’s a physical piece like SnowShoe produces, some additional factor of verification. So small retailers seem to be asking for hardware, which I wouldn’t have expected 10 years ago. You know, it was, let’s put everything online. And now they’re saying, No, I really want to see this customer. I want to know the customer was actually here. Do you see that as a valid scenario?
Joan Pepin [00:28:08] I think that’s really interesting. I can certainly see it, both from a customer experience perspective, like, I really want to know my customer, right? Like all businesses, but especially retail, right? You want to know your customer.
Karen Jensen [00:28:21] Well, thank you so much for your time today, Joan. I have one last question for you. I’d like to know what your mission is. How do you want to be remembered?
Joan Pepin [00:28:31] Oh, my mission is to really show that a diverse team, a diverse company, diverse individuals can compete in this industry and be very successful and be a tremendous value add to their employers, to their customers, to the community and to the ecosystem. And so my proudest accomplishments in my career, and I’m putting that in air quotes because they’re not really my accomplishments, right? The proudest things in my career, the proudest events in my career, have been the accomplishments of people who have reported to me or people who I have mentored. And so the fact that people who have worked for me have gone on to amazing careers. That’s what I want to be remembered for, is that I helped a generation of all types of diverse people, young people, women, queer people, black and brown people, achieve their career goals, achieve success. And hopefully that we’re teaching the industry that these are valuable employees and valuable assets and valuable people to the community.
Ned Hayes [00:29:52] That concludes our conversation with Joan Pepin, formerly CSO at Auth0 and now leading her new startup Zero Wall. Tune in next time for a conversation with Skip Newberry at the Technology Association of Oregon. Thank you, Karen. Have a good one. Thank you. Thanks for listening today to the SparkPlug podcast, hosted by me, Ned Hayes, and brought to you by SnowShoe, Snow.sh, for smarter mobile location. Spark Plug is a wholly owned property of SnowShoe; all content copyright 2021 Spark Plug Media.