In this interview for TechStrong TV, I am joined by strongDM CEO Elizabeth Zalman and mParticle CISO Dave Anderson. Dave shares with us how mParticle uses strongDM proxy services to rapidly enable the expanding mParticle team to access infrastructure, assets and applications necessary for mParticle to fulfill its mission to its customers.
With the rapid growth of mParticle, the company needed a solution that would allow it to onboard its new employees and locations seamlessly. strongDM gives mParticle this capability. Have a watch of the video and follow along with the transcript to find out more.
Alan Shimel: Hey, everyone—back here for another segment on TechStrong TV. I am joined once again by my friend Liz Zalman at strongDM. Hey, Liz, how are you?
Elizabeth Zalman: Hi, Alan. I’m well, thank you.
Shimel: Good to have you back on. And joining Liz and I today, another guest, is Dave Anderson. Dave is the CISO at mParticle. Hey, Dave—welcome to TechStrong TV.
Dave Anderson: How’s it going?
Shimel: Going great. Not as great as you are. Dave’s coming at us from a sailboat today and we’re all stuck in our homes and offices, but hey, the life of a CISO—and you guys complain.
Shimel: Anyway. You know what, we—yeah, I don’t know, it’s hard to make that less glamorous, Dave, but we’ll give you the pass. Liz, for those who haven’t seen some of our previous interviews with you and the strongDM team and some of the customers, why don’t we start off, give our audience a quick background, who’s strongDM, what you guys do?
Zalman: Sure. Strong is a proxy and it lets people manage and audit access to any firewalled infrastructure—servers, databases, Kubernetes clusters, RDP, firewalled web apps, HTTP endpoints. So, essentially, instead of managing keys and creds, you give people access to strong, and then it talks to the target systems on your behalf, so you get access control and then auditing through the proxy itself.
Shimel: Everything you expect from your proxy—great.
Shimel: And it’s sort of proxy as a service, if you will, yeah?
Zalman: Yeah, there’s a portion of it that is hosted, the control plan itself, and then the rest goes through your own hardware.
Shimel: Got it. And Dave—
Zalman: Or whatever your virtual hardware is these days.
Shimel: Well, yeah—no one uses hardware. Through your own infrastructure, how’s that?
Dave, talk to us about mParticle.
Anderson: Yeah, so, mParticle is a customer data platform. So, what that means is, our customers are able to use our platform to ingest pretty much anything, any data about their customers, about the activity that’s going on on their websites and mobile apps into the mParticle platform, and then we’re able to give our customers the full control of being able to fan that out to any of our different integration partners. So, there’s that, as well as being able to do things like data quality, match identity resolution, figure out where a particular user is, what sort of ways you want—like, how they’re interacting with their particular application or whatnot.
To be honest, we have customers, like, in a bunch of different verticals, and they all use the product a little differently, and it’s—we’re continuing to grow and innovate and figure out different ways of kind of helping our customers along with their data journey.
Shimel: Excellent. And, you know, that kinda mission is just so attuned with what I think companies are looking for today, right, which is—you know, there’s so much data out there. There’s so much—you know, do you want it all, what are you gonna do with it all, what makes sense, what doesn’t make sense? But the idea of being able to access that, analyze it—hopefully, with as much automation as possible—is what it’s all about.
Of course, it also creates—as a CISO, you know this—it creates tremendous responsibilities and potential pitfalls from a security, data, access, compliance point of view. But it also, you know, to the strongDM mission of proxying through firewall to assets, whether those assets are remote workers who have to access, you know, data in the cloud or on-prem or wherever or just whether they’re remote or not, access incorporate assets, which, in your case are, in some cases, I’m gonna assume, a lot of PII kind of data.
Shimel: This is a potential security nightmare. This is what keeps CISOs up at night on their boats. So, talk to us, Dave, what is—you know, how does strongDM help you sleep better?
Anderson: So, naturally, we’re a data collection—data collection and distribution company. So, we have a lot of data, a lot of data split up into a lot of different databases, and we have to have very tight access controls for those databases. So, one of the things that strongDM gives us the capability of doing for—when any sort of support people or operations people need access to a particular database or data set within the kinda mParticle back-end, we’re able to utilize strongDM to give us the ability to have secure access to that, that is able to be tied back to the individual who’s doing the work, everything is audited, everything’s logged, we’re able to generate reports for compliance.
So, it gives us the capabilities of not having to give our, like a support person, for example, give them a direct access to the database. They have, like, a nice tool they can use, everything is integrated nicely on the desktop, and everything is integrated well with all of our identity management platforms as well.
Shimel: Excellent, excellent. So, Dave, I think we—you know, we get what you’re doing there, we get what the potential risk is. And we’ve done a few interviews—in full disclosure, we’ve done a few interviews with some of the strongDM clients in fintech and other verticals. What we haven’t done is kinda peeled back what was—I mean, using a proxy, I think a lot of our audience has probably used a proxy one way or another.
But I want to peel back now, in the case of mParticle, walk us through how you guys sort of say, “Okay, we’re gonna use strongDM.” How did you set it up? How did you deploy? How do you manage it, right? How does it give you the warm fuzzy feeling you need to know that you can sleep well at night?
Anderson: Well, to be perfectly transparent, I was—I’m pretty new at mParticle, so, I wasn’t here when—
Shimel: So, you inherited it?
Anderson: Yeah, so, I inherited it. But I actually am a pretty early strongDM customer from my last job at Greenhouse Software, and so, I’m very familiar with that aspect of it. We used it for similar purposes back then. Back at Greenhouse, we had a lot of support personnel that were—and kinda data quality engineers that were using the strongDM platform to access our databases within AWS. And similar here, we want to have—we try to keep as much, the access as restricted as possible. We believe in the principle to release privilege, and separation of duties.
Anderson: So, with that, we need to have our networks deeply, deeply isolated. The databases live kinda deep into the network, not even having access to the outside world. And with that, the only way to give somebody in support access to that database traditionally would have been giving them VPN into that environment and then them having to actually install the different tools and having to manage authentication and access control. And even then, what would happen is, we would also lose visibility into what they did on that database. Like, what queries did they run, what data did they see? Because it’s not even necessarily a kinda everyday type of thing for someone to have access to the data itself. We tightly, tightly control who has access to what data, and using a tool like strongDM is pretty much a requirement for that.
Shimel: Yeah. I mean, look—and I’ll try to put it in layman’s terms for our audience who maybe aren’t as familiar with this stuff. When you’re using a VPN, they call it a tunnel, right, a tunneling tool. Because really, what you’re doing is, you’re punching a tunnel through, whether it’s your firewall in your infrastructure, and it’s an encrypted tunnel at that, right? So, everything that takes place within that tunnel is encrypted.
And so, when I connected to a database via a VPN, you may see that I did connect—oh, yeah, that’s Alan’s client and he connected to the database. But in terms of what data was in that tunnel and what—you know, you really don’t, you don’t have visibility there, by its very definition, right? On purpose. It’s not a byproduct, that’s how it’s supposed to be. And you don’t—you know, you can…it’s just, that’s how it was designed.
And so, that doesn’t really play well, you know, in the areas of DLP and you wanna make sure data’s not ________, you know, taken out. It’s a problem. So, now, strongDM helps you solve that, is what you’re telling me, because now we can see, you know, it’s a proxy, but on the backside of the proxy, that goes into the firewall and into the trusted network as we used to call it 100 years ago when I was in security, right? When you go through that into the trusted network, you can still see where Liz went or Alan went or Dave went, because it’s not that tunneled, right? It’s not that encrypted tunnel through there, it’s more of the proxy. I remember when we were NAT-ing firewalls, right, a long time ago, and it was that same thing—at least I could match up this IP to that IP, the behind the firewall versus the public IP, you know, private IP, public IP. And so, you had some of that then.
Then, on top of it—look, giving people a VPN, with everything going on in COVID and remote workers, you know, and all we’re hitting, and of course they’re not just hitting your database, there’s also SaaS apps that they need to hit and everything. A VPN is—I’m not a big fan of VPNs in today’s world, if you can’t tell, okay? I just—it don’t make sense. I mean, and then, and the whole idea of VPN-ing back into a central kinda office to go back into the cloud also kinda, I mean… You know, a friend of mine, I know a guy named Jay Chaudhry who is, of course, the CEO and Founder of Zscaler—he used to rail from the very time the cloud-first started coming on the scene big, 2006-’07, he was saying back then that VPNs were, you know, the time has come, but here we are, 2020—same thing.
But, Dave, how easy was it to set up the strongDM proxy, and what kind of visibility is it giving you?
Anderson: I mean, setting up strongDM is really easy. There’s a couple of pieces of infrastructure that you put into your environment, and that would all depend on how you deploy your infrastructure. So, there’s—I’m trying to remember the exact terminology. Like, a gateway and a—what was that?
Shimel: Liz, can you help him here?
Shimel: Can you help him out, here?
Zalman: I ________. I would never leave my friend hanging—never. [Cross talk]
Anderson: [Laughter] Yeah, so, you deploy that infrastructure that, basically, that sits in your network and you have, and then it talks back to the strongDM portal and so, the strongDM clients actually know who to talk to, like, what IP addresses and what databases it has access to. You go through the strongDM UI or you can use their API, depending on your preference to set up different databases and set up the credentials in there and all the users and what users have access to what databases and what roles within those databases they have access to. And then there’s a client that runs on the person’s laptop, and that client, they’re like, you’re talking locally to that client and it’s magically on the strongDM back end, like, routing everything around to the right place and makes it extremely streamlined for the end user, because they just have this little control panel down there, like, in the bottom of their screen that lets them connect to the particular database, and it’s really, really ridiculously easy to use.
Shimel: Very cool. Now, as part of the role in CISO, you’ve always gotta be thinking not if, but when we have an incident, right? I’ve gotta be able to do forensics, I’ve gotta have an audit trail, right, I’ve gotta be able to figure out, what the heck—I have to show people what happened here, did we take reasonable steps, right, and stuff like that.
What is it, in terms of audit trail and forensics, how does strongDM help you there?
Anderson: So, it shows us who connected to what resource when, how long they were connected, what they did, what sort of careers they were in, what sort of other kinda SQL comments or whatever the database may be, and be able to produce that in near real-time, as well as have logs to go back to if there was an incident that we would know what data was accessed by a particular individual.
Shimel: So, that’s kinda the control plane that sits in the cloud, Liz, or that’s local to the client?
Zalman: The auditing happens through the gateway. So, when the request hits the gateway, it actually deconstructs it in order to provide the audit trail—so, that stays resident in Dave’s network, yeah.
Shimel: Excellent. So, we don’t have to worry about access to strangers to that.
Zalman: Yeah, no, it’s his data. We don’t wanna touch it. [Laughter]
Anderson: Yeah, that’s one of the most attractive things, actually, was the fact that the data stays in our network. strongDM operates the, how things actually get connected, but as far as, like, once you’re in that network, it’s, everything stays within there.
Zalman: Cool. Alright, sounds great. Dave, one other question. With COVID and everybody working remote, I know—look, I mean, strongDM, from what I’ve seen, has built a…not built, but while there are plenty of people, obviously, suffering as a result of COVID and my heart goes out, I’m sure as you guys, too, to people who have lost loved ones and are sick and have lost jobs and money and all of the bad things that are happening with this. The fact is, you know, with remote workers being more and more common, solutions like a strongDM are thriving, right? Are being rapidly adopted. Not because they’re nice to have, because you gotta have something like that, right? So, I’m wondering, what are you guys seeing at mParticle and a similar kind of thing as you’re going remote?
Anderson: Yeah. I mean, thankfully, we were really well-equipped for going remote. A lot of the engineering team is distributed to begin with. We had people in Seattle, Florida, Texas, and New York, of course. But we were able to transition to it pretty seamlessly. We just spend a lot more time on Zoom.
Shimel: Don’t we all?
Anderson: Yeah. [Laughter] Yes, but having the technology in place for being able to securely connect to remote networks, remote resources is definitely, it’s a requirement nowadays. I mean, especially with—you can’t, you don’t have a perimeter anymore. There isn’t that network, the whole concept of having that network firewall that was sitting there and protecting everything is kinda dead now, especially with, since everybody’s working from home. I mean, and VPNs, as we were talking about before, only give you so much. There’s only so much flexibility you have with how you can protect your network and segment your network to make a VPN be as flexible as a platform like strongDM.
Shimel: Look, I thought network firewalls were dead in 2007, right? I remember the first time I saw a Jericho—I don’t know if you remember this, Dave, but do you remember the Jericho project? Did you ever hear of that? That, you know, they were the first ones to talk about the de-perimeterization of security and micro-perimeters and personal perimeter and all that stuff. That whole moat and castle setup that the network firewall played in and the VPN was sort of a bastardized child of, you know, that disappeared when we got mobile devices and people started going mobile. Sounds like a Who song—“Going mobile, mobile”—anyway. But yeah, I don’t disagree with you.
Liz, let me ask you. I mean, mParticle, is this sort of the—it seems like it’s right in the sweet spot for what you guys are doing, then, right? This is the mission.
Zalman: This is the mission, yeah, and it’s, and actually, Dave, shifting from—I mean, what do you call Greenhouse, ATS?
Zalman: It’s a form of data management, actually, shifting into customer data. It’s a vertical that I hold dear, because I actually started my career in ad tech, and what he’s describing is what I wanted a decade ago. So, like, I personally love the fact that mParticle is a customer. [Laughter] There is simply no place to store that stuff and then to link it across various touchpoints—it never came to fruition.
But yeah, a company that is distributed, that isn’t hyper-growth, it has large corporate clients who have, I’m guessing—Dave, tell me if I’m wrong—contractual requirements with respect to security and pen testing in various attestations.
Anderson: Of course, yeah.
Zalman: Yeah. [Laughter] Yeah, we do a good business in that area, and it hits all those things.
Shimel: Very cool. Guys, we’re about out of time. Dave, I appreciate you taking time out of your busy day on the boat to join us here. [Laughter] All kidding aside, man, it actually is a very great socially distanced way to get work done.
Shimel: Truth be told, I’m supposed to be on a boat tomorrow and I canceled, because I had some stuff come up, and [Cross talk].
Zalman: Alan, it’s not that strongDM helps Dave sleep better at night, it’s those waves in the harbor, too. [Laughter]
Shimel: Yeah, well, that—right, they’ll help you sleep, either way. They’ll help you sleep well, as well.
Shimel: I’m not gonna go there, though, Liz. You know, leave Dave alone.
Anderson: It’s also my alarm clock in the morning. [Laughter]
Shimel: Yeah, that’s exactly it. You know what, alright, the guy’s on a boat, there’s worse things. It doesn’t make him a spoiled person. I don’t wanna get—you know what, but for all those people who say CISOs are underworked and overpaid, as Dave’s living here on the boat, that’s not true. CISOs are overworked and underpaid.
But anyway—Liz, thanks for joining us.
Zalman: Thanks, Alan.
Shimel: We’ll hopefully have another interview with you soon, maybe.
Zalman: I think we have one on Friday.
Shimel: Very cool. Dave, thank you for joining us—great, continued success with mParticle. Sounds like a great business and a great use case here for strongDM, and enjoy—enjoy your time. Stay safe and stay well.
Zalman: Thank you for having me.
Shimel: Thank you. Hey, this is Alan Shimel. You just watched another TechStrong TV segment. We’re gonna be right back with another guest.