For Databricks, Zero Trust Means Putting End Users First
In October 2023, Databricks’ Director of Enterprise Security, Michael Tock, sat down for a conversation with Kolide’s CEO, Jason Meller. In this conversation–which took place at Oktane, Okta’s annual security conference–the two discuss how security teams can get buy-in for Zero Trust by taking a collaborative, user-centric approach.
It’s been a banner year for Databricks–just weeks ago, it was named the 8th most valuable private company in the world, following a $500 million funding round.
Databricks has been among the first companies to meaningfully and maturely harness AI to analyze their customers’ data and drive business outcomes. Since Databricks’ business is their customers’ data, they place a major emphasis on practicing good security. They’re implementing a Zero Trust architecture and investing in tools to mitigate the risk of compromised credentials and unmanaged devices.
But, as this far-reaching conversation shows, neither Michael Tock nor Databricks as a whole wants security goals to be at odds with employee experience. In fact, Tock shares that his strategy for driving adoption of security tools is to center user experience.
“The path to zero trust is a security win in my view, but it’s also a path towards a better user experience.”
Please enjoy the video, or read the transcript below.
We’ve divided the following transcript into timestamped sections for easier navigation, but we left the conversation unedited, so please excuse any errors!
Databricks, Okta, and Planning for the Future (00:08-01:29)
Jason Meller:
Michael, thank you so much for being here at Oktane 2023.
Michael Tock:
Thanks for having me.
Jason Meller:
Really appreciate it. And I’m just curious, what are you hoping to learn a little bit about from an Oktane perspective? You guys have been using it for a while at Databricks.
Michael Tock:
Yeah. No, totally. I mean, Okta, for us, it’s right at the heart and the center. Every application, you’re going through Okta, as you would expect. For us it’s really seeing, where do you take that? For something–a single sign on, MFA, these aren’t exactly new this year. It’s not generative AI, there’s no LLM. I mean apply AI to everything, but it’s what exists today, what’s the strategy, where is it going? And there’s so many opportunities and things out there. It’s really looking at, okay, where’s the market going? And for us, any large company, you’ve got to be that step ahead. Even if you’re not implementing it but thinking about it. How would we implement this? What would we do? So you’re building blocks there ready, a couple of steps ahead. So when someone goes, “Hey, can we implement this?” You’ve already got a path in your mind for how to get there and it’s not taking you by surprise. And you’re like, let me quickly search around and find an answer.
Jason Meller:
Right. And as somebody who’s the director of enterprise security at Databricks, you’re not thinking about that from the perspective of, “Oh, we’re just going to try it out and we’re going to roll something out.” You have to think about this for thousands of employees, you guys just raised half a billion dollars. More growth is on the horizon.
Michael Tock:
Yeah.
Balancing Security With End User Experience (01:29-03:01)
Jason Meller:
I imagine that context must weigh on you as you think about any change that you want to make to being any part of the security stack at all.
Michael Tock:
I mean, any change comes with friction and it’s that value proposition, it’s the why are we doing it? And if you can’t answer the question, why are we doing it? Why are we doing it at that point? I mean, it’s a fair question to ask. And sometimes it might be a really good, “Oh, it’s great for security.” I’m like, “Sure.” But what do my colleagues say when it’s like, oh, no one can do any work now. Or it’s like, wow, we really upped the game on security but at the expense of productivity, usability.
It’s not just… security isn’t the driving factor, we have to make it secure but usability and user experience is such a key part of everything we do. And at the end of the day, a lot of the company wants to do the right thing. But if we make it hard to do the right thing…
Jason Meller:
You want to be an enabler, right? Not someone that’s-
Michael Tock:
Exactly.
Jason Meller:
…forcing everybody to have a miserable experience.
Michael Tock:
Exactly. Exactly. And that’s front and center, that’s the hearts and minds. That’s looking at every opportunity. What can we do to improve security, obviously, but improve user experience. If I can get a better user experience, both for my colleagues and improve security, it’s a much easier sell internally. And honestly, it’s better for the company all around. User experience and security. That’s the real win. If you’re picking a security product which damages its user experience…
Jason Meller:
It’s not going to last very long.
Michael Tock:
There might be a really good reason for it, but can you do it in a way which doesn’t harm the experience? That’s the golden ticket.
The Impact of SaaS Apps on Enterprise Security (03:01-06:14)
Jason Meller:
Now you’ve been doing this for a little while, 13 years, you’ve been sort of a professional security practitioner.
Michael Tock:
Yep.
Jason Meller:
Most of us have been doing it for a while. Started well before we were doing it professionally. You mentioned usability, and one of the things that I thought of right away was how much my experience has changed just working for other companies, building my own company, what the day-to-day experience like, the classic experience of I have to log into the VPN and then I have all of my apps.
And then SaaS really took hold and we kind of got slow boiled to a world where the VPN just sort of faded away as a critical component. Some large companies still heavily rely on it. What is your thoughts just around how SaaS has changed the mental model of how you think about security?
Michael Tock:
Yeah. So I think VPN’s a really interesting one, I’ll come back in a minute. But SaaS is kind of a great example where in the 13 or so years that I’ve really been sort of involved heavily, it’s gone from, “Ooh, we don’t really do SaaS. No, we’ll do on-prem. Thank you.” Because we have a data center on-prem or multiple data centers. To, “Why do we have data centers?” And it’s like, oh, you’re a cloud first vendor or you host it in the cloud. So that’s the norm now. And I think it really comes down to two things to me. One is risk, one is the appetite towards risk, and one is the economics of it.
So if it’s your most sensitive data, your crown jewels, do you feel comfortable with the risk of putting it in the hands of someone else? Well, it might depend who that someone else is. If it’s a large company with a lot of experience, you might go actually, that’s a sensible path. So the risk model. And secondly is the economics. If it’s going to cost me a lot more to do that versus hosting it internally, where’s the trade-off? And security and user experience are always in that equation. But economics, you’re accountable for what you spend.
Jason Meller:
Yes.
Michael Tock:
And also security, it has to be secure. And a lot of security is effectively around risk. So that’s probably the biggest shift. Whereas going back 10 years, it was no cloud, no SaaS-
Jason Meller:
You had the luxury saying of no because you always had the option.
Michael Tock:
Right. Whereas now, especially for a company like Databricks where it’s all in the cloud, both our product, the services we use, it’s much more around the risk modeling. Where is it? How is it managed? Who’s doing what? And there’s a lot of controls you can do with that, put guardrails in place. And that’s I guess the whole purpose of my team is to help with all of the office conversations to get the guardrails and find that balance and ultimately enable the business. And you know you’re in the IT or security team when you refer to everyone else as, “The business.” It’s enabling the rest of the company to succeed. Because that’s why we exist, for the company to do their best.
Jason Meller:
If you don’t do that, they’ll eventually learn that you say no to everything and then now you’re out of the process entirely.
Michael Tock:
Exactly. If you’re not at the table, you don’t want to be in a position where things happen and there’s no guardrails, but you want it to be a dialogue and see, cool, okay, that’s what we’re trying to do. How can we make it secure? How can we say yes and not only give a great experience but a secure one as well? And that really is the heart of it. You can nail that, you have happy internal users and you have great products and it works for everyone. As soon as you’re saying no to everything, people will find another way and it may not be the way that’s secure. And that’s kind of worrying.
Identity vs Endpoints in Data Security (06:14-07:28)
Jason Meller:
And do you find now that you’ve been doing this and we’ve made this transition, that you’re thinking more as a security person, a lot of your time is being spent thinking about identity and access management and all the things that go into it, whereas maybe in the past you’re really almost thinking just really about endpoint or telemetry?
Michael Tock:
So endpoints are going to exist. Absolutely. But really it’s where are the choke points? Where can you control the data? And it’s easy for us to say it Databricks being a data and AI company, but data is the heart of everything. And I don’t think that’s just because we’re a data and AI company. It’s true for any company. What’s the sensitive stuff, the financial data, the customer data, the health data? It’s data.
It’s all about data irrespective of company industry. At which point endpoint’s a great way of putting guardrails in place, but where is the data? And for most companies, the endpoint isn’t the primary source. Sure, people download stuff or save stuff, but in most cases the data is going to live in the cloud, it’s going to live in a SaaS application, it’s going to be somewhere else. And that’s where you’re trying to protect it. And the endpoint is just one easy place to collect it. But actually identity is really the gateway to that. Who’s accessing it? And then ultimately where from and how.
How Do You Drive Zero Trust Adoption? (07:29-13:12)
Jason Meller:
So one of the things that I’ve always been impressed with when we even just started talking is right from the get go, you guys were very bullish on entering the world of zero trust and device trust and you were like, we know we need to do this. How did you get to a place internally where you could get everybody on the same page? How did you sell that concept? The security team knows that it’s the right thing to do. And I know there’s a lot of companies out there that are going through this internally as well. It’s like we see this transition needs to happen. We can’t just wait for an incident to occur that puts us on our back and then now we react and we have to rush through it. How do you get folks to proactively start thinking about this before something bad happens?
Michael Tock:
Sure. So I think you…really it’s turning it around. Why would the business want to do something like zero trust? And if the answer is it’s more secure, yes, that’s true. Great. You’re still a security practitioner at that point. If the answer is a better user experience, oh okay, now I’m interested in terms of how do we make it better for our staff? Because if our staff are happier, they’re more productive, that’s better revenue and that’s a better company.
So the path to zero trust is a security win in my view, but it’s also a path towards a better user experience. And at that point, that’s really the value proposition. And sure there’s a security win there. Let’s not even try and hide that, but it’s how do we make the business a happier and better place for everyone? And that really is the mantra. And take a product like Kolide in particular, however big a company is, you are never going to have one-to-one an IT department. IT department is never going to be one-to-one people matching every employee. It’s just not realistic.
So you have a ratio of support staff to people working in the company. How can you keep the rest of your colleagues happy, keep them up and running, get what they need so they can go and do business and ultimately make the company successful? When you have a lot of engineers or really talented colleagues, how can you empower them to fix some of the basic things that honestly, it’s easier for them just to fix than it is to raise a ticket, get support, they’ll reach out, set up a meeting, do a screen share, go, “oh yeah, it’s quick fix.” That’s it.
Jason Meller:
Right. Or write some convoluted automation that’s going to work 90% of the time and then these 10% of configuration actually makes it worse or something like that.
Michael Tock:
Exactly. So that’s the beauty. And coming back to the cause, how do you drive the adoption? Well if you can find a zero trust approach and model which improves user experience, it’s an easy one for everyone to get behind because if someone doesn’t want to back that and support that, are they saying they don’t want a better user experience in the company? That’s a difficult thing to sort of argue for and it makes it a much easier conversation because it’s not a security product now, it’s a business enabler which brings good security as well. And that’s the magic formula.
And I think for me personally, there are a few products that really do that. And Kolide is one of the really obvious ones given it’s so user-focused, smart people can often fix these problems themselves. With a little bit of guidance and a little bit of help, they’re onto it, they don’t need to raise a ticket and however good your IT department is, it’s not going to be as fast as a user just doing it themselves there and then, middle of the night whenever it is, they can just fix it. And that enabling–you are enabling business.
Jason Meller:
You don’t want to incur the costs that come with blocking people. They don’t know why, they’re coming to the IT team. And now suddenly you have to weigh the options of like, all right, there’s a real cost to have rolled out a device posture checking apparatus, is this worth it? Now we’re really incurring costs. You have the IT team, they’re asking us to hire more folks to handle all the inbound tickets. You can avoid that entirely. Now it’s all upside. And that’s a financial reason. And then the reasons why, I imagine you guys weren’t even thinking about that. You’re trying to, because you actually care about the user experience as you said.
You mentioned you were an enabler. Tell me a little bit more about your journey poking around the space, because it’s a space that’s in its infancy. We’re one of the few out there that are trying to do this today. What was sort of your experience like and what were the things that you wanted to make sure were right before you even decided to make a decision?
Michael Tock:
So I think going through it’s that horrible word, requirements. Everyone goes, ah, where’s your requirements document? What is the purpose? Why are we doing this? And if you can’t answer the question, why are you doing it, there’s your alarm bell. Why are we doing this? I don’t know, we’re just doing it. That’s never going to fly. Someone’s going to ask that question down the road. So coming back to the what are we trying to do? Why are we trying to do it? Capturing the requirements, understanding the problem we’re trying to solve. And at that point it became quite apparent that a lot of companies, Databricks included, made big investments in different security tools, things like Yubikeys, stronger identity management products. But if all of that can be bypassed by simply accessing it from personal devices, then it’s undermined as investments.
Jason Meller:
Totally. Yes.
Michael Tock:
So at that point, it’s pitching it as a better way of the user experience, getting more value from the investments we’ve already made elsewhere. Those two combined dictate a selection of products. And you’re right, there aren’t many companies in this space, but the ones that are there, when you apply those additional factors, the user experience being the biggest one, I think, it really narrows down very quickly to one company. And that makes it an easy sell. By capturing these requirements, you can go into a scorecard against other vendors, other solutions [inaudible 00:13:05] options. And it’s very hard to find a competitive product which really embodies that self-service and enablement.
Build vs Buy in Device Trust (13:12-15:56)
Jason Meller:
The thing that we’ve had to fight the most is we often catch people who have gone through that process, they didn’t know about us, and then they’ve actually started building their own thing and then now they have to make a decision, do we want to back out of that? And then they often are like, well, that’s the bar that this vendor had. We weren’t even shooting anywhere near there and they’re making it. Was that on the table for you guys as well? If you couldn’t get this, were you willing to go out and actually build a bespoke solution internally?
Michael Tock:
It is always tricky. The buy versus build is, I mean there’s a lot you can do, especially for things like osquery, it’s readily available and it’s not a secret. It’s open source, it’s there, it’s out there, but it’s the time and the effort to build a solution. But critically, once you’ve built it, it’s got to be rock solid because there’s the leading authentication chain. If there’s an outage, yeah, that’s a bad day for everyone. It’s a big deal.
So at that point, sure, building a prototype in an environment to test with, not too bad, but do you have a team around the clock that has a skill test to support it? Can you maintain it? Can you add features? And honestly at that point it’s a lot harder. The buy versus build, it’s not as clean cut. And that’s really where it comes down to. Sure. Could you build a prototype? Could you build something that gets the point across? Absolutely. Do you want to productionize it?
Jason Meller:
Right. Do you want to be up at night one night, one day before the macOS, Sonoma rollout just gut checking, is everything going to work tomorrow when everybody magically upgrades?
Michael Tock:
Exactly.
Jason Meller:
Nobody wants to do that. It’s not fun work.
Michael Tock:
And I think also the other big aspect to it, certainly from my side is we have an amazing team internally. I have some new fantastic colleagues, but there’s a whole world of other people out there that have amazing ideas as well, and where you find a really good partner that can bring other ideas to the table. “Oh cool! Never thought of that, but now you mention it, that’s a really neat idea!” So you get the innovation for free almost because you bought into it, you have a partner who’s also having other customers that bring ideas to the table and ultimately the speed of innovation is way faster than trying to do it in-house. And it’s almost you get that minimum viable product and then you’re like, right, I’m there now, I’ve got to go on from the project-
Jason Meller:
I need to go onto to another thing. Right.
Michael Tock:
Exactly. Whereas-
Jason Meller:
You’re not going to get any brownie points for making it 20 times better.
Michael Tock:
Exactly. But once it’s there, once it’s deployed and you’re using it, every feature enhancement and item comes to the product may be Kolide or any other product, you’re like, cool, okay. Some of them might hit the mark, other ones might not be relevant. But you get that sort of as part of your buy-in if you like, by buying rather than building. And that has value as well. And it’s not just the year one value, it’s the year two, the year three, and that real partnership.
Cross-Department Collaboration (15:56-19:48)
Jason Meller:
So you tried this out, you decided to purchase and then came the important work of how do I bring everybody on board? Because it’s not really just the security team, this is impacting all the users-
Michael Tock:
Everyone in the company.
Jason Meller:
I imagine legal cared about what was going to happen here. There’s privacy implications. How do you manage such a multidimensional project with so many dependencies on other people? How do you bring everybody together and make that happen?
Michael Tock:
Completely. So you hit it on the head. It’s not just like a hey one click deploy. That’s it. And I think actually it’s being very specific around Kolide, there’s a bunch of features that’s made it very easy for us. So the classic, you go and put a tool out there where the machine’s not compliant, you lose access. Okay, how many machines are going to lose access on day one? Don’t know. That’s a huge risk. No one wants to take that risk. It just unrealistic. So getting the agent out there and seeing the health of the estate, that’s a huge win. I mean, before any user even sees what’s going on, just getting the telemetry coming in and going, okay, devices are healthy, devices aren’t healthy, where are our biggest problems? That’s the welcome information.
And one thing that really led it for us was using that to drive the adoption. So where a user is going to fail a check because their machines are compliant, do you, A, go and turn it on and they get a horrible, you are blocked! And they’re like, oh really? Or do you reach out first and say, “by the way, can you find some time, have a chat with IT. Let’s fix a machine.” And then when we do enable it, they’re good to go.
So it’s a real partnership. And you’re right, legal has to be involved. We’re a global company. So [inaudible 00:17:30] like GDPR, there’s compliance, there are works councils, IT because it’s intrinsically tied to the IT stack, it’s part of Okta. So it’s conversations there, security, is it a secure product? Are we introducing a back door everywhere?
So a lot of factors that come into play. But for me, the one that really made it very easy was the whole privacy aspect to it. So dialing into the product, taking that, going to the works council and showing the attitude towards security. I mean it’s a classic question, is it spying on me? No, no it’s not. And here’s the answer why. And showing that made it a very easy conversation. And then ice all of that cake with the user experience, it’s a much easier sell.
Jason Meller:
That was a key thing for us as well. When we went off to build this, I wasn’t the leading expert on a GDPR dashboard, that did not enter my mind. The thing that I was thinking about was people are going to be informed by us. There’s things wrong with their computer, but the natural question is: how do you even know that about me? And they need to be able to reach for something and they shouldn’t have to ask a human being that’s going to get back to them later. They should be able to self-service some of that information and just see it right then and there as soon as they want us. That was a big design goal for us.
Michael Tock:
Exactly.
Jason Meller:
I’m glad to hear that help with work councils and GDPR compliance.
Michael Tock:
Completely. And then just like any live project, rolling it out, I mean the technology is… it’s complex stuff, but it’s a SaaS application which actually abstracts a lot of that away from my team. We don’t have to worry about the complexity of how it’s working and the magic in the background because it’s a SaaS product. You guys nailed that for us. It’s the people and the process part, that’s the real sort of bit that we have to focus on as the company. How do we make sure that we’re adopting this in a way which is healthy for business, everyone understands? People and process.
And actually in many ways not having to worry about technology means we can really focus on the people and the process part and put appropriate checks and balances in place to make sure are we balancing security versus user experience. It’s very easy to lock everything down, but no one can work and that’s not going to last very long before you have to roll it back and find that sweet spot. It’s much easier to find that sweet spot in advance with our partners in IT, in legal, in HR, find the sweet spot and then land that the first time. Rolling Out Kolide to Minimize Disruption (19:49-24:18)
Jason Meller:
Makes sense. Now, the thing that you mentioned earlier is, and this I think was one of the smartest things most of our customers do is they roll out the agent first, they let it settle in, they run the checks, just sort of in this passive background mode, we’re not blocking. And then you have a lot of wealth of data. When you have all that data, what is the process that you’ve now been starting to go through internally and like, all right, we’re going to turn on blocking for the first time. What were those discussions like internally as much as you can say? I’m curious, what were the criteria? What were the trade-offs that you wanted to hit?
Michael Tock:
No, totally. So the health checks, I mean it is an infinity… by the time you have the obvious ones, ones you want to add to it’s where do you draw a line? And something that we are very keen to do from the outset is make sure we get the most of the bang for buck if you like. What are the ones that make the biggest security difference? So things like is your machine encrypted? That’s a real problem if it’s not. So that’s a good obvious first check. It’s very tempting to start writing really bespoke niche checks for really obscure corner cases. But I think that sort of misses a point somewhat where you’re looking for the mass market bit. Machines are encrypted, integrity protection’s turned on. Are you using updated browsers? You don’t need that many checks to get a really good overall feeling around positive security. And that’s testing I think to just really thinking about what are the requirements, coming back to it. And for us in a security compliance perspective, the requirements are laid out already in our security policies. Devices will be encrypted. We should check for that.
Jason Meller:
And not rely on the thing that’s doing the encrypting to be the thing that actually reports out that it’s working, right? Having some degree of-
Michael Tock:
We’re not introducing new rules around, oh, the wallpaper on your laptop must be this one. No, that’s not tied into any security policy. Things like it should be encrypted; that is in security policy. Now we’re validating things that should already be there. And that’s really the half it. So when someone does say, “why do we have to have this?” We’re tying it back to an already documented and approved security policy where there’s a good reason to it. Either it’s an audit requirement, a PCI, HIPAA, FedRAMP, or there’s a really good business reason for it and that’s justification. We can be transparent about it. There’s no sort of “security said we have to do this.” We can internally be very transparent and say this is why we’re doing it.
Jason Meller:
Right. You’re now creating a learning opportunity instead of just like it must be this, don’t question it, you can actually have a conversation with people.
Michael Tock:
Exactly. I really enjoy this conversation internally because it’s not a sort of challenging security. It’s the, okay cool, let’s have a conversation. You’re clearly passionate enough about this to come and ask why is this the case? Let us discuss it. It’s great to see colleagues that are passionate about security and want to come and have those conversations. And that’s proven one of the highlights of my role is having those dialogues and after a 15, 20 minute conversation and I go, “Oh, that’s really cool. Thank you.” That’s the highlight for me.
Jason Meller:
Well one of the reasons that I wanted to build Kolide is I’ve always been a software engineer by trade and I always found myself in these weird… I am also security practitioner. I’d be like, I have to turn off system integrity protection. I want to test, I need to run an app that’s not signed or I need to turn off gatekeeper and that’s actually what Apple recommends, but I know myself, I’m never going to remember to turn it on and some of these things, they don’t even have MDM profiles or if they do, I’m going to be contacting IT anyway to turn it off so that I can do my job well. And so that was the thing, it’s like these aren’t people that are acting in bad faith. They’re just trying to find that-
Michael Tock:
Just trying to do their job.
Jason Meller:
… yeah, that little middle gray area where I’m an engineer, I have to do a lot of weird stuff occasionally and if you lock me down, the next thing I’m going to do is I’m going to ask for a laptop that’s just not in the MDM at all. Now we’ve lost the whole plot essentially.
Michael Tock:
And then you’ll use a laptop that’s got an MDM, you’ll access your SaaS applications from that because it’s easier and given a few days a week and that becomes your primary device. And actually we’re in a worse position now because we have an unmanaged unknown device that’s maybe not as compliant as it should be. So I think a lot of it is really enabling business, enabling business and promoting that honest security. Users just try and do their jobs. How can we enable that but at the same time make sure the company’s doing or security’s doing our job of securing the company so we have a successful and happy future?
Tailoring Security to Technical Users (24:19-29:26)
Jason Meller:
Now one thing I want to ask you about is your perspective on more technical end users and everybody else. A lot of our customers, they ask right before, “Oh, should we be thinking about putting them in different buckets? Are there different checks we want to…” And we’ve just introduced a groups feature where now that’s actually starting to become possible. How do you see that? Do you actually not consider technical expertise when you think about what checks we want users to fix or in your mind is everybody… the checks that you want to start with that everybody should be able to do?
Michael Tock:
Yeah. So I think it’s a really interesting one and good example, EDR tooling. So CrowdStrike, Sentinel One, whatever EDR tooling you’re using, maybe it’s not possible for the end user to self-service fix that. I mean that’s not necessarily because of a technical bar, but do you really want anyone in the company to be able to go and install EDR tools on random devices? Maybe that’s a design decision that you’ve made as a business to say actually IT will manage this or a security team or a particular function will manage that.
So I think it’s important to decouple the technical skill of the user versus what they should be self-servicing and what they shouldn’t be self-servicing. And then that’s the follow-on challenge of what checks do we have? Sure, running an EDR tool, that is a requirement so we are going to check for it.
And, okay, maybe it’s one that they can’t self-service. But coming back to that early data, if we can see a handful of users for whatever reason aren’t compliant, can we reach out to them proactively? Fix them for whatever reason, we’re not judging them, it’s broken, let’s fix it and then enable them to carry on working. But for most users, make it easy for them to fix problems. They may not want to and that’s fine. We’ll always have an IT department, we’ll always have IT support and they can always reach out to that. And that is… it is a user decision. It might be level of technical knowledge, it might be how much time they would spend on it. It might be just honestly they don’t quite understand it. That’s fine, it’s what’s right for that user. So suddenly it’s not about IT saying we will fix it or security saying you must do this. It’s a user’s decision. And giving the grace period, so where it’s slightly out of date, do you have to fix it right now before you can do anything else? It’s a bit heavy-handed versus if your machine isn’t encrypted and maybe system tech reflection’s turned off, yeah, you should fix that now and we’ll be pretty ruthless about that. So the granularity allows you to be really careful around what’s the user experience? What’s the requirement? Where can we give a little to help find that sweet spot? And that’s a dialogue that isn’t just security practitioners going, I think it’s this, it’s a business, across business, IT, security, end users. And we really took time to get that feedback from all the groups, say what is reasonable for applying a security update? Should it be within the minutes of being released-
Jason Meller:
And now you finally are really wrestling with it.
Michael Tock:
[inaudible 00:27:11] of like wow versus within six months a little bit relaxed. So where is the sweet spot? Can we all agree around that? And then making sure that we’re enforcing that sweet spot. But it is a dialogue and it has to be that way. You’re bringing the users along with the journey. When they’re on board, it’s much, much easier for it to succeed.
Jason Meller:
Right, you’re having conversations that probably have needed to happen for years across our whole industry and now are finally in place where there’s technology to assist us and now we’re wrestling them. Is it 14 days, is it 12? Is it dependent on the update? What is really our risk tolerance? It’s easy to write it down when there’s really nothing to really add any bite to it, but now it’s there, we know we’re going to be dealing with it. It is a problem if it’s not dialed in exactly right.
Michael Tock:
And you nailed it. It’s risk tolerance, it’s all about risk. And going back to the earlier questions around SaaS vendors and on-prem, cloud, it’s risk. It’s all about risk. Everything comes down to risk. And having the data coming in from osquery under the hood makes some really informed risk-based decisions and at that point you can adjust the security policy. I think the bit that I really wanted to focus on was you don’t want to get into a nuance where it’s like, ah, that user on that device on that day, here’s the risk policy because then it becomes a difficult journey to explain to the user. So it is that sort of double-edged sword. And for as much as there is a flexibility to have different groups and so on, how dynamic do you want to be with this versus going, “look, your laptop should be encrypted.”
Jason Meller:
Period.
Michael Tock:
That’s it.
Jason Meller:
End of discussion.
Michael Tock:
And right. There might be examples where a test device can’t be or there’s a very particular use case, but how nuanced do you want to get? And I think we’ve seen this time and time again in any product, not just Kolide but you take Okta, how many companies have ring binders of policies versus exceptions… and it just becomes a minefield to navigate? That is always a little bit of a tricky bit.
So it is great to have flexibility, but at the same time it’s just coming back with: what’s the requirement and being really honest to that core mission. What are we trying to achieve? Do we need to have a thousand different checks for different users and groups? Are we sort of missing the requirement? So it is good, but it’s finding that sweet spot.
Should Device Trust Be Required for Vendors and Contractors? (29:27-33:49)
Jason Meller:
Now you mentioned other SaaS vendors, now that you are in the process of rolling this out, you’re sort of experiencing its effects in your organization. Has that made you think differently about the bar that you want to set for the vendors that work with Databricks in the future? If it was as easy as it was for you to get there on that journey, why not make something like device trust a requirement for the vendors that are working with you? Has that changed your perspective? Update your security questionnaire or-
Michael Tock:
It all comes back to that risk. I mean take two extremes. A vendor processing company financial data, that’s really sensitive, the vendor that provides lunch menu and people can order lunch, it’s lunch. Okay, so a one size fits all is never going to work. It’s that balance of risk. What are we aiming for? Where could we accept a little bit of risk? Where could we really not? And I think it’s…one of the really nice things about not just selecting vendors or working vendors is looking at how they tackle problems. What are they doing? What are their approaches to things like zero trust? There’s no one size fits all, but it’s definitely something that’s top of mind.
It’s the okay, we’ve made a lot of investments as a company in securing our endpoints, ensuring that they’re up-to-date, they’re patched, they’re managed, users are accessing data on the right devices that are in good health, but if an external party can work with us, how are they doing it? Of course it’s part of the process. Yeah, it’s definitely their top of mind and they’re very fortunate, have a lot of colleagues in the security compliance space, that help with that conversation.
But I think it’s a growing trend and we’ll see more and more companies that are either doing this through their own choice and making it a selling point or their customers are saying, hey, we need to see this. I mean think about MFA, how many suppliers now would go, “oh yeah, we don’t do MFA.” Ooh, Okay. It’s going to be pretty tricky. So everyone does it but is that because they wanted to do it? Or it now becomes so normal that if you don’t do it then wow. All right. That’s a big deal. I think device trust and contextual access is moving so that… We’re in the–it’s a selling feature. In the not too distant future it’ll be a norm and then it’ll be a: “You don’t do it? Ooh, okay. Pause the thought [inaudible 00:31:45].”
Jason Meller:
One of the things that you mentioned though, it’s not just about the SaaS partners that you have in those vendors. It could also be contractors, suppliers that you’re working with. I think one of the failings of the MDM model is that you can really only have, at least in the Mac world, one device be managed by one MDM server. And so now you’re in this weird place as the parent company like okay, I’m working with the supplier. They want to use their laptops and the choice is either I put their laptops on our MDM and now they can’t do their thing or maybe we buy them laptops for just the work they’re going to be doing for us.
Does something like Kolide or any concept of like, this is the bar, this is now a way for us to measure its effectiveness, do you think you could foresee you thinking about your supplier relationships in a different way that way?
Michael Tock:
Yeah, I think so. I think you’re absolutely right. It’s a problem. We’re a heavy Mac shop and your MDM solution, yeah, you’re tied to one MDM solution. So at the point you have a third party vendor, supplier or whatever the relationship might be, and you’re looking at, okay, well if we enroll in our MDM and we now putting our agents on there, our EDR, et cetera, at which point… why not just give them one of our laptops? Versus do we trust them with the data? And especially if that’s, say a third party is a SaaS vendor, well park the end device for a moment. Where is our data sitting? In their cloud environment.
So they could be maintaining that, they’re a SaaS vendor, that’s what you’re paying them to do, maintain the cloud environment so that they don’t have access anyway, which changes the dialogue around how are you doing this, how are you securing it? And that gating around personal devices, unmanaged devices, there’s a bunch of ways of solving it, but you’ve got to solve it one way. You can’t have a blank answer in that box on the security questionnaire. You’ve got to have an answer. And I don’t think it’s necessarily our place to say, you must do it this way. But you must do it one way, whatever way you choose to go. We’d like to see how you’re doing it. Absolutely.
Weighing End User Remediation Versus Automation (33:50-37:35)
Jason Meller:
Going back to the MDM, have you felt your opinion on the things it should be used for versus now we have the ability to get in front of the end user ask them to do things. Has that maybe changed your mind on, oh, maybe we want to not do this with the MDM anymore, like let’s say updates or do you want to take a dual approach? What are some of the things you’re thinking about there?
Michael Tock:
So MDM is great for pushing policies out, hitting particular check boxes, pushing agents out. I mean we deployed Kolide through MDM. We didn’t ask users to install it. Imagine trying to ask thousands of users, please install the software. “Is this a phishing exercise?” “No, it’s a security tool.” It’s a nightmare. You can never get to a hundred percent. MDMs always going to have a place for pushing agents out, configuring, certificate management, all the bits and pieces-
Jason Meller:
Remote wipe, all the things that you need.
Michael Tock:
Right. Exactly. But when it comes down to, “hey, can you change a setting, can you fix this?” Do you want to be scripting that at a distance when a lot of these might be unique problems where a user’s installed this software? Well the user installed it, they didn’t think they felt they needed it. So us ripping it off in an MDM tool, what’s going to happen? The user’s just going to install it again because they felt they needed it. So you’re back in an arms race, which isn’t really very helpful versus nudging the user back saying, hey, would you mind patching it? That seems fair.
So I think it’s a complementary part and where MDMs generally fall down speaking in real general terms is that user interaction. MDMs are designed for an IT admin to push a policy out with minimal to no user interaction. That’s the whole point of an MDM.
So as soon as you want to have a dialogue with a user about, “hey, we noticed this, would you mind fixing it? Could you please apply a patch, could you do something?” MDMs aren’t really geared up for that. They don’t really have that dialogue path. I think that’s where products like Kolide really fill that gap. Where it’s: this is going to be disruptive, but you do need to patch your machine. Please plan it into your working day. And by the way, we’ve given you X amount of days to do this, over to you-
Jason Meller:
There’s going to be a proportionate consequence. And that I think is the big unlock because there’s really not stopping any vendor out there from building something that nudges end users, but they get fatigued over time. They learn, yes, I’m being asked, but I have a million things I have to do today. An update would be really disruptive and there’s just never enough time to do it no matter what it is.
Michael Tock:
Always tomorrow, tomorrow, tomorrow, six months later, tomorrow. And you’re like, okay. You’ve got to do this at some point. And it’s promoting the argument that users want to do the right thing. I don’t think it’s anyone in the company who sits there and goes, I’m not going to install an update because I don’t want to do it. See, no, I’m trying to close a deal. I’m trying to win business. I’m trying to do whatever the function is and this is a distraction or annoyance. But you still have to do it, and it’s giving that flexibility. I think we would never be in a position to roll something out with, you must do it at this time on this date. It would be really disruptive and-
Jason Meller:
Well, that’s effectively though the decision you sometimes make with MDM, at some point the nudge runs out and you’re like, all right, well we just have to now just slam it on and now it’s rebooting and we’ll pick a time and it’s… no matter what time you pick, global company-
Michael Tock:
It’s never going to be a good experience.
Jason Meller:
It’s never going to be great.
Michael Tock:
Exactly. So it’s putting it in the hands of users and I think also, especially in a really technical company, users can see what’s going on and it is that sort of I guess comfort that things are being patched, things are being managed. Yes, this is an annoyance, having to restart your machine from time to time. But at the same time, I think users generally accept this is par for the course, this is the nature of IT, have to apply updates. And a lot of our staff are applying updates to our products. It’s part of their role. It’s no different for our own endpoints.
Does IT or Security Own Device Trust? (37:36-42:55)
Jason Meller:
How do you think about operationalizing Kolide for the long term, right? So you know you’re going to be using this for a while, you’re going through a rollout period, and then that rollout period will be done. You’ll be onboarding new users within every day as they join the company. How do you think about the different roles and responsibilities? What is IT’s role? What is your role? How does everybody come together to have the important discussions around how do we want to use Kolide for a new emerging issue that’s happening out in the world? How does that work?
Michael Tock:
Completely. So I think in any company, ownership of things like: where are the Okta admins? Is it IT, is it security? I mean, there’s no right answer. So your resources are going to be spread across. At which point, when it comes to the question of who should be responsible for administration or managing products like Kolide? Well probably makes sense, would be a similar team to those that are using Okta given the two are so intrinsically linked, but that’s the operator, does that necessarily mean they’re the right ones to make decisions around what we’re checking, how many days a user should have for applying an update? I mean, probably not. It’s a balance. So for us, that’s really where it’s a group thing and we put mechanisms in place internally to make sure every stakeholder. So security clearly have a role to play around compliance, how many days is acceptable, coming back to risk, IT have a role to play around user experience because when we start forcing things onto users, IT are going to see the raw end of that.
They’re going to see the users coming in saying, “hey, I can’t work, fix my machine.” So they have a part to play as well. Compliance, we have customers, we sell to many, many customers. Those customers have their own requirements of us. We are a SaaS vendor to them. So how are we meeting those requirements? That comes into play. The legal side, the HR side, there are so many parts to play. The only real way to solve it in my view is to bring it together and get that consensus.
And change management, whether you follow or subscribe to things like [inaudible 00:39:37] or any sort of change management process, it’s really about reviewing the change, combining it, getting sign off, planning implementation, communicating implementation and going ahead and doing it. And should it be unsuccessful, have a clear rollback. And I think it’s really important to look at things like Kolide as a change governance, whether it’s an [inaudible 00:39:57] type process or some other bespoke internal process.
It’s, are all your stakeholders happy? Do they understand? Do you have alignment on what you’re trying to achieve? Have you communicated it? Do you have an execution plan? Do you have a rollback plan? And you move through the change. And having that in place really is the key to it. It’s not a technology problem, it’s a people and process problem. The process, that whole change control process, however you want to label it, is really the ticket, making sure that the people are happy. A poor process, people would be aware of it. There’s arguments, you roll it back, it becomes a real nightmare. So having a clear process, following that process, takes people on the journey and it means the technology part almost takes care of itself. That for me really is the winning formula. It’s not bureaucracy for bureaucracy’s sake. Change control, love it or hate it-
Jason Meller:
You care very deeply.
Michael Tock:
It’s part of every part of IT.
Jason Meller:
And auth is just one of those things you cannot break. I think we have a lot of latitude and all the other stuff that we do as practitioners in the space. If CrowdStrike is a little bit temperamental or other EDR vendors, it’s okay, it’s not the end of the world. We lost visibility for 30 minutes. Not a problem. Auth goes out for 30 minutes, you’re going to get… your phone will actually explode with the amount of calls that have come in.
Michael Tock:
And that’s assuming you can even access things like PagerDuty because oh wait, there’s no auth. So how do you get to anything on your phone? It’s simply because that whole… it’s so core to everything. It’s critical. And change control, we have change control across customer facing systems, intel systems, change control everywhere for a really good reason to protect against unintended outages and things like that. At which point, sure, sandbox environments, test environments, non-production environments. Go crazy, test things there. Innovate to your heart’s content.
When it comes to production, change control is king and it’s no different for Kolide. If we’re introducing a new check, where do we test it? What’s the impact going to be? And the beauty of having osquery there means we can model it so so quickly to see what the implications are and maybe there are certain checks you want to roll out, where these users will lose access immediately.
And if it’s a critical zero day, maybe that crosses a line where it’s like, actually that secures the company, let’s do it. But IT, security, legal, it’s a multi-team decision. It’s not just a security practitioner going, this is a good idea. Then suddenly IT is inundated with people who need help and they won’t even know where it’s happening. You failed at that point. You’ve already failed.
Jason Meller:
It’s a superpower. You want to wield it responsibly and not have it be abused because it is very potent. And if everybody’s like, oh great, I can just lump another thing on, then suddenly you kind of boil everybody to death with: this is now actually miserable.
Michael Tock:
Exactly. Exactly.
Jason Meller:
Or we roll out a change, it took everybody out. Now we’re afraid to roll out changes in the future.
Security Must Lead With Transparency (42:56-End)
Michael Tock:
And come back to the conversation around honest security. We have to be transparent. I mean a security function in any company is like law enforcement or the police. It’s the ones that’s there to enforce security. Who’s policing the police? Who’s monitoring what’s going on there? And actually, if you can be transparent around what you’re doing, why you’re doing it, how you’re doing it, then it builds trust with your end users, the business. And the same’s true for things like Kolide. What are we checking for? Why are we checking it? What’s the motivation for it? If we can’t articulate that, that doesn’t sound very good. We should be able to explain that to the user and ideally show we’ve gone through that process and by documenting it through a change control process. It’s audited, it’s there.
Jason Meller:
Well, one of the things that you do well, and I know it’s hard to toot your own horn, but I’ll do it for you here, is that yes, you have a lot of process, but I think the thing that you guys do that really signals to the rest of the company is that we are going to really use this ourselves for a while. You’re not the type of security or IT team that’s like, we’re going to foist all the stuff on the end users and we’ve got the vendor demo, so we feel pretty good about it. You’re living and breathing it for a while, really letting it bake in. And it’s not even just the folks who’ll be using it every day, you have your boss, the CISO of the company who’s using it. And it’s often like, I’m always been surprised in my experience how often C levels are often just excluded from these really critical tools because everybody’s afraid of disrupting them.
You guys want to feel that pain so you understand what you’re in for in a wider deployment and that’s actually informed. So I think yes, the process has been good, but I think you guys just have a natural knack for, we really want to know what it’s like because we care a lot about what the end user’s going to do. So I’ll say it if you’re not going to say it, because I know how important that was.
Michael Tock:
You’re right. And I mean, you want honest feedback from everyone. That’s the value of it. And if you can get feedback, that’s half the battle sometimes. When things are really bad, people are vocal. People will speak up and say, “This is terrible, why are we doing this?” And sure, trust the process and go here’s and why we’re doing it. Have the honest answers ready. But equally well just maybe trying to avoid having a really bad conversation in the first place by thinking it through and testing it.
I mean, testing it on security, piloting on security, getting the wrinkles out makes a much better user experience. And it also makes it defendable when someone goes, gee, this is really difficult or this is bad for my user experience. It’s like, well, we think actually we found the sweet spot, and by the way, we’re using it as well. It’s much more authentic. If it’s a, “yeah, we don’t use it, but you guys can have it, good luck.” You suddenly just devalue your position entirely.
Jason Meller:
You’d be surprised at how many teams operate from that perspective. The thing that we found about our earliest adopters is they naturally get that. And what we’ve learned as a company is how to take the things that you’re naturally doing at the various scales, like at Databricks size for a thousand person company, and even a 250 person company. What are the ways that they’ve done this? And actually take companies that are not used to that level of rigor and be like, no, this is one of those times you have to do it. This is a cultural change. There’s technology involved, but this is a people problem.
Michael Tock:
Completely.
Jason Meller:
And so it’s been great to watch how you operate through a big change like that, even though we felt like, oh yeah, we know it. We have the empathy piece. At your scale, it’s actually really useful. And that’s actually why we wanted to have these talks. I think things that are obvious to you are I think really helpful to the folks who will be watching this video.
Michael Tock:
Never forget the people. People, process, technology. And I think it’s all about people. That’s why companies can buy technology all day long, pick different vendors. You can’t get people that you know really well. You’re building a family in many ways. It’s the people part. Take care of the people and they’ll take care of everything else. And the process helps protect that. And the technology is the bit that sort of makes it happen. But never forget it’s about the people. The user experience is fundamental. And I mean you won’t say this one, but when we create support tickets and cases, it’s the pushing the user experience. That’s the driving factor. And you guys go above and beyond already. And I love challenging you guys to go that bit further and the ideas and the conversations dialogue we have around, hey, we found this. Can we make it better for ourselves? And we know our colleagues will love it, and we’re really appreciative partnership, constantly challenging to find better user experience and refine it and polish it. That’s awesome to see.
Jason Meller:
Well, I couldn’t have said it any better. I’ll just say somebody who’s the founder. The reason why we’re doing this is we want to get this type of solution out in the world where end users really do get to be a part of the security conversation in a meaningful way. They’re not just sort of being passively rattled along as cattle. They’re actually a superpower that you can unlock and you just need to use a little bit of technology to make it work at scale and to watch you guys see it. It’s like, and I know that, oh, we’re going to actually level up because we learned something new from every one of our customers. So we appreciate those challenges. Michael, thank you so much for being here.
Michael Tock:
Really appreciate it.
Jason Meller:
I really enjoyed the conversation. I really hope that you have a great time at Oktane as well.
Michael Tock:
Thank you. And thank you [inaudible 00:48:14].
Jason Meller:
Thanks. I appreciate it.
Want more perspectives from Kolide customers? You can watch more of our Oktane fireside chats on our YouTube Channel!
