
TechStrong TV: Credentials Management, with strongDM and Software.com

Now more than ever, businesses around the world should pay close attention to how they manage their credentials and control access to their sensitive data, in order to protect it from being hacked or compromised in any way.

During this interview for TechStrong TV, Mason McLead of Software.com and Elizabeth Zalman of strongDM discuss the great responsibility of safeguarding credentials and how strongDM has proven to be an effective credentials management tool, helping Software.com control access and keep its data safe, even when working from a remote environment.

Software.com is a data platform dedicated to helping developers and engineering teams learn from their data, increase productivity and improve their coding routine.

Check out the interview below and follow along with the transcript to find out more.

Transcript

Alan Shimel: Hey, everyone, thanks for joining us on another episode here of TechStrong TV. We’ve got our recurring guest friend, Elizabeth Zalman, of strongDM joining us, here—hey, Liz.

Elizabeth Zalman: Hey, Alan.

Shimel: And joining—hi—and joining Liz and I is Mason McLead of Software.com. Hey, Mason, welcome to TechStrong TV.

Mason McLead: Hey, thanks for having me.

Shimel: Alrighty. So, Mason, you’re the new kid on the block, and we’re gonna give you a chance to lead things off. I think a lot of our audience has certainly heard of Software.com if they’re not really, really familiar with it. But for those who aren’t, you know, why don’t we give them a little background?

McLead: Sure. I mean, high level, Software.com is a developer data platform, and our aim is to create and provide insights for productivity for individual developers as well as engineering teams. And we do this by gathering telemetry data from inside of code editors and then layering on contextual data from other parts of the software development life cycle, like how many hours you’ve been at meetings, what kind of music do you listen to while you code, do you code during work hours, after work hours, at the office, remotely—and then really paint the full picture of where your time goes and how it’s impacted by these external inputs. And that’s what we provide back to developers as kind of the product there, so you can really see how your time is impacted and what you’re doing throughout the day in order to improve.

Shimel: Very cool. And then, Mason, we should tell people or at least give them a little background—what’s your role at Software.com?

McLead: Yeah, so, I’m the CTO here at Software, just joined this year. And you know, it’s an exciting time to join in. The product’s been out for a while, and so, there’s a lot of proven track record and it’s just taken to that next level, and I’m excited to be here.

Shimel: Very cool. And, you know, we do have Liz from strongDM here, so the obvious question is, you guys are using strongDM, I’m gonna assume. Talk to us—why? What’s happening that strongDM was a solution for you?

McLead: Yeah. I mean, the main thing—and this is actually the second time that I’ve signed up to use strongDM. I used them before at my previous company I worked at, Fair, it’s a fintech company. And the real premise is that, you know, at Fair, it’s in fintech, so we gather a lot of personal information. At Software, it’s a lot of information about your behaviors and all of that stuff.

And it’s just personal information, and I feel like, in the role that I have of being CTO, I have a responsibility to protect that, and I really, personally, feel like it’s a moral obligation to protect my users’ data. And strongDM helps me do that in a number of ways. And so, it’s been a rock steady foundation that I always build into the tech stack whenever I go and build something now.

Shimel: Excellent. So, you know, you opened the box, we gotta see what’s packed inside—what are the number of ways why, you know, you can’t just leave us hanging there.

McLead: Sure. [Laughter] Yeah, I’ll enumerate. So, for getting access to developers—and the classic way that you do it for databases, right, is you have credentials that you share amongst however many developers need access to that database. Which means, as soon as you rotate that password, if you do, then you’ve gotta update everyone else. And now you’ve got copies of passwords everywhere on people’s local machines. And not everyone stays at a company for their entire life, so whenever they leave, you must do something about that. Like, that credential is now out in the wild, and there’s not very many good tools to manage that.

So, strongDM really fills that gap really, really nicely, that use case. So, we can issue credentials automatically for people as they come on. We use Gusto for our HR stuff. So, if they’ve got an API, we can just—as soon as someone comes online, we can issue them credentials to data stores immediately. And then, if they go offline to their contractor, they’re immediately revoked. And the perimeter of the security just gets really tight and really well controlled, which is such a relief for me.

And then on the other side, securing access to servers via SSH, and we’re also deploying a new Kubernetes cluster, controlling kubectl access, and having all of that be auditable, because we also have some contractors working on our database so we can see what commands they’re running, what queries they’re running, and be able to trace that all back. And being—like, most of the time we’re not, of course, looking at the audit trails. It’s really, like, knowing that it’s there if something happens, we’ll know exactly how to trace that back.

Shimel: Love it—very, very good stuff. And, you know what, I applaud your personal, you know, taking this, I’m gonna call it fiduciary duty or responsibility for safeguarding people’s really personal data—you know, for taking it personally like that, no pun intended. And, you know, maybe if more people did, we’d be better off.

Though, look, no one ever raises their hand and says, “I wanna be breached,” right? And even sometimes doing everything you can, it’s still not enough in order to prevent these things, but you can certainly take precautions, you can make it harder by using tools like a strongDM and so forth. So much—I had a friend of mine call me last week, an old client of mine from my security days who, unfortunately, they got to pretty bad. They got into his Charles Schwab account, they got into his payroll account, they got into all of his e-mails. And he’s in the merchant processing business, so there was merchant applications—it was crazy. And, you know, he was beside himself. On the other hand, he didn’t use a password manager—you know, typical kinda things you hear. So, it happens.

Anyway, but it’s interesting, you know, that across verticals, right, from fintech to what you do now at Software.com, though the mission may have changed in terms of the business, you know, goal, the mission in terms of protecting data hasn’t, is still relatively the same.

Liz, is this—is Mason’s experience, Mason’s motivations typically, you think, for strongDM customers across the board?

Zalman: I think our customers feel deeply that there is—our customers feel deeply that there is a right way to do things. I think Mason, as an early customer of ours and at Fair, I think came in it from day one, just had a very particular point of view on how things should be done. I think he was actually one of the first customers to even be deploying Kubernetes in a production environment.

And so, our buyer is the head of infrastructure or infosec or DevOps as a way that they want to do things, it’s always very forward thinking. And finding a way to do them in an automated fashion that sort of fits into these, you know, Infrastructure 101, the ABCs of how to set something up in a way that helps them scale is probably a core precept that they have. I mean, Mason, how big are you guys now at Software when you inherited the team?

McLead: When I inherited the team, there were five other engineers and we’ve grown that up by about 50%. So, it’s still small and growing, but you know, I think no matter the size, the problem is still the same. And, for me, the solution’s been the same, too.

Zalman: Yeah. Yeah, so, at Fair, I think you guys were maybe 100 people who were touching some form of infrastructure, and here, Mason’s starting, he started at six. So, yeah, certainly, it’s like, when you know that there’s a good way to do something and a right way to do something, you start it right at the beginning.

Because, to do that when you’re a thousand people is—you can do it, but it’s a two year process of rinse and repeat sort of work group by work group. You do it right from the start and you’re off to the races.

Shimel: Well, if we all had the luxury of starting in a green field, right, and starting it from the beginning as it grows—what a wonderful world it would be, as they say. But unfortunately, we don’t, right? There’s a lot of brown field—muddy brown fields out there.

Mason, let’s talk a little bit—and Liz as well—let’s talk a little bit about, you know, so, this whole COVID thing comes up now, right? We’re all here, you guys are in your houses doing this interview—what, if any, effect has that had on the business and has strongDM helped, hindered, not been a factor in that?

McLead: Yeah. So, actually, Software.com was fully remote from the very beginning. So, internally, it hasn’t made a big difference in how we work. I think it’s an upgrade—like, going to strongDM for access control is an upgrade, no matter how you work. I think it’s probably more important whenever you’re remote—I mean, people have central VPNs and those sorts of things, but it’s still, building that defensive wall in strength and depth is still the right move there.

And so, internally, it hasn’t affected us too much, just because of the way the company is set up. For the business itself, though, it actually highlights a big advantage that we can provide as part of our products, of being able to see productivity metrics between remote and in office. Because people are gonna have a big choice coming back in from COVID whenever this is resolved of how much office space do I actually—do I need an office? And then how do they actually guide that discussion and that decision when you don’t have data around it? And that’s where we can really fill a gap there between knowing how people are working remotely and how they’re working in the office, so you can have a real comparison.

Shimel: Wow, what a great use case that is. I’m sure that was one of the use cases they drew up when they were starting the company, right? If there’s a worldwide pandemic and everyone’s working from home, wouldn’t it be great to know how well they’re working from home?

McLead: Yeah, it’s amazing the foresight we had. [Laughter]

Shimel: Yeah. But, nevertheless, it’d be nice to have there. You know, I wonder about that issue, question myself, though. I mean, here, you know, we’re a small company, we’re about 23, 25 people, and everyone’s remote now except for me and my video director and, you know, we’ve—we have three and a half years left on our lease. Actually, September, it’ll be three years, so three years left on the lease. So, I’m stuck with, you know, this for three years. But I don’t see people running back, and if they do, they might just come in a day or two a week.

And, you know what? That’s fine. As the CEO here and founder, it’s fine with me. We’re working fine remotely. No one needs to necessarily be here to do their job, though I do think there is—there is some good you get from having people in the same office, whether it’s the water cooler or hallway talk or what have you. But that is—you know, that’s the new normal, that’s the new now, and I think we need to get used to that.

Liz, you know, again, in any situation there are winners and losers. But this whole COVID thing has—you know, not your fault, obviously, right, but it’s given people a reason to say, “Jeez, I need something like a strongDM,” right? “I want to spin up my remote force” or, “I want to—we need to secure it better” or what have you. What are you hearing from companies? You know, Mason’s a two time user already—but first time people, what are they saying when they come by?

Zalman: Yeah, Alan, I am the mastermind behind COVID, you just—

Shimel: Yeah, exactly. [Laughter] Dr. Evil, okay—we got ya! [Laughter]

Zalman: No, yeah, Mason is certainly in a subset of companies that enjoys being remote from the start and being able to build that way. We saw a doubling down of an existing customer base where even if they had remote or satellite teams, now everybody became distributed. But also, new people reaching out because traditional companies, you can’t rely on the corporate network as a perimeter any more. It’s dead. It’s just—it’s completely gone and you had to switch on a dime, and what do you do?

And I can’t even imagine—you know, by deploying strong, oftentimes, you can just throw out the VPN. Many customers choose to do that. And I can’t even imagine what these poor IT folks were dealing with in old companies who, you just had to go into the office, there was no other way of working, all of a sudden getting all these requests, “I can’t connect to the VPN” or any sort of IP-based white listing. Oh, my God, to get access to privileged systems? My heart goes out to them.

Shimel: Yeah. No, you know what, I actually did an interview last week from an analyst based up in Canada who just put out a report about, you know, how COVID caused a short term increase in people buying concentrator licenses and more VPN capacity, but how long-term, that’s probably throwing good money after bad in terms of out the window. I mean, you gotta just—you gotta re-architect is the bottom line, there.

But it’s hard to do an engine transplant in the middle of the race. And so, people get stuck, you know, in those situations.

Zalman: Well, as one of my investors is fond of saying, “You gotta build the Ferrari while you’re driving it.”

Shimel: Yeah, and that’s—ain’t it the truth? I hear ya. Mason, what about you guys at Software.com? I mean, are you just ready for the new normal here and you were remote, anyway? Because there’s a part of—look, we can function in this environment, that’s fine. But are your customers functioning in this environment? Because ultimately, if they cease to function, no matter how high functioning you are, you know—big deal.

McLead: Yeah. I mean, developers are customer based, so we’ve got to make sure that is continuing to function, yeah. You know, we’ve actually taken surveys on this for our customer base, which is nearing about 100,000 and the majority actually said that they would want to do a bit in the office and a bit remote. So, kind of a mixed use case, there. And I think that that fits really well to get the advantages of being able to control your own schedule and control where you are with the in person being able to white board together, being able to really come together and think of new ideas and I remember all the hours that I spent in the office at Fair with a tight group of people developing all the stuff that we did there, and there are definitely some advantages to just being able to randomly yell out to the person in the other room to go and fix something.

So, you know, I think that it’s gonna be a mix of that, and you’ll have some people that’ll wanna go full remote once they’ve had the taste of it. Like, I really enjoy it. Like I said, and you can tell by the bare room behind me, I’m moving this week, actually, and it’s really interesting to start to feel the effects of being able to live anywhere and work the same job. Like, having it completely disconnected is a new feeling for me, and it’s weird, but I like it. And so, you know, I think [Cross talk]

Shimel: I think we’re gonna see it.

McLead: Yeah.

Shimel: Yeah, no, I think—look, I read an article, I forgot what percentage rents in San Francisco are down, right? I think we’re gonna see rents going down in a lot of the cities because people are realizing where they work from physically is not necessarily tied any more to where the company is based.

Now, you still want to hire people with skills in places like New York and San Francisco or Austin or Boulder. They still have high concentrations of people with skills, so it pays to maybe put an office there. But, you know, I’ve had this conversation with Sid Sijbrandij, the CEO/founder at GitLab. They got, like, 1,200 people in 1,200 offices, because they don’t have an office. Everyone, including Sid, works from home, and his thing is, you know, for newer companies, it just doesn’t pay, because you know, once you put an office down, you’re saying, “That’s it, I’m only gonna—I’m confined to that talent pool.” Where, if you wanna swim in—you know, have choices in a wider talent pool, you’re not big enough to open an office wherever you’ll find talent.

And so, you know, a remote force is probably the way to go. I mean, good for Liz and the strongDM team, right? But that’s—I think that’s part of where we might be headed.

McLead: Yeah, and I think if you limit yourself to one specific geographic region to hire from, you’re limiting the upside of your entire company.

Shimel: Yep.

McLead: And incurring costs along the way. [Cross talk]

Shimel: Absolutely.

McLead: For the corporations that can do it.

Shimel: Right, I think that’s an outdated look.

McLead: Yeah, I think so.

Shimel: You know, I think that’s where we’re headed. Anyway, guys, we’re about out of time. Mason, I told you the 20 minutes goes quick, because usually Elizabeth talks so much, she takes over the whole conversation—no, she doesn’t. We’re just kidding.

But I’m gonna give you each a chance to say something before we log out, here. Mason, you’re the new kid on the block, so why don’t you go first?

McLead: Okay. Well, again, thank you for having me on, and it was a pleasure to talk about what we do at Software where it’s a developer data platform designed to help developers individually to see where they’re spending their time, look at productivity metrics, and improve, as well as helping manage the entire software development life cycle from input all the way through output. And thanks to Liz for strongDM and strongDM for a great product that helps us secure our data. It’s definitely a huge benefit that I put into every stack that I build now.

Shimel: Very cool. Elizabeth, I’m giving you the last word.

Zalman: I think Mason just summed it up for me, although I think my hair is better than his, so, I’m gonna retain that for me. [Laughter] [Cross talk]

Shimel: I think both of your hair is better than mine, and we’ll leave it at that. [Laughter]

Zalman: I don’t know how his looks so tight—dude, who’s cutting your hair?

McLead: I cut it. I learned how to—I watched YouTube. I missed this part here, but—

Shimel: Yeah, no—you know what? I think that’s been a thing. I mean, yeah. It’s easier for guys than it is for gals, I will say that.

Zalman: I commend you, Mason, both on your haircut and your choice of infrastructure technology products. [Laughter]

Shimel: Very cool. [Laughter] Guys, on that note, we’re gonna call it a wrap. This is Alan Shimel for TechStrong TV. Elizabeth Zalman from strongDM, Mason McLead from Software.com—thanks for being our guests. We’ll be right back with our next interview.

Alan Shimel

As founder, CEO, and editor-in-chief at Techstrong Group, Alan manages a broad array of businesses and brands including Techstrong Media (DevOps.com, Security Boulevard, Cloud Native Now, Digital CxO, Techstrong.ai, Techstrong ITSM and Techstrong TV), Techstrong Research and Techstrong Learning. To do so and succeed, Alan has to be attuned to the world of technology, particularly DevOps, cybersecurity, cloud-native and digital transformation. With almost 30 years of entrepreneurial experience, Alan has been instrumental in the success of several organizations. Shimel is an often-cited personality in the security and technology community and is a sought-after speaker at conferences and events. In addition to his writing, his DevOps Chat podcast and Techstrong TV audio and video appearances are widely followed. Alan attributes his success to the combination of a strong business background and a deep knowledge of technology. His legal background, long experience in the field and New York street smarts combine to form a unique personality. Mr. Shimel is a graduate of St. John's University with a Bachelor of Arts in Government and Politics, and holds a JD degree from NY Law School.
