maxkabakov - Fotolia
10 unified access management questions for OneLogin CSO Justin Calmus
Enterprise security veteran Justin Calmus, who describes himself as an avid hacker, joined OneLogin as the CSO earlier this year. After last year's breach, who would want this job?
Justin Calmus was named the chief security officer at OneLogin Inc., the cloud-based identity and access management company headquartered in San Francisco, in April 2018. While the opportunity in identity and access management is enormous, Calmus faced some unique challenges.
He joined an online service provider that was in damage control mode after a single sign-on and identity management breach on May 31, 2017. Like other cloud-based identity providers, OneLogin has shifted its technology strategy in 2018 toward hybrid environments, repackaging its extensive product line as unified access management aimed at controlling access to devices and applications both on premises and in the cloud.
Since the breach, OneLogin has replaced key positions on its executive team -- Brad Brooks became the CEO in August 2017 -- and under Calmus' leadership, the company has moved to a security-first strategy.
Prior to OneLogin, Calmus was the vice president of hacker success at bug bounty provider HackerOne. His enterprise background includes stints as the CIO and CSO at Zenefits, director of enterprise security at Salesforce and manager of security engineering at LinkedIn.
In part one of this two-part interview, Calmus talks about why he signed on at OneLogin and how his work as a hacker informs his outlook in his new position.
Editor's note: This interview has been edited for length and clarity.
I understand you joined the company earlier this year. Can you tell us about your background and why you decided to move into this space?
Justin Calmus: I've worked at companies in the past such as Salesforce, LinkedIn and HackerOne. I'm pretty much an avid hacker. I spend a lot of my time -- and evenings -- hacking companies for the better good of the environment.
In terms of my background, I'm a hacker, but I'm also a CSO first and foremost, so I try to spend a lot of my time learning the latest and greatest technologies and then applying that same mindset to the CSO role.
When you say that you're a hacker, what does that mean in terms of your career? Is hacking something that you have just done over the years?
Calmus: I've been a software engineer most of my life, and I didn't quite realize that until I took a bigger look at the corporate world and what I was doing. So, as a software engineer, I would take a look at products and make them work the way that I wanted them to. Early on, I found out that I was hacking in applications when I didn't really consider that hacking.
Today, the way that I use that skill set is I am often invited to hacking events -- I'm flown out sometimes around the globe. Recently, I was in London for a hacking event, participated and found a few bugs. So what I like to do is apply my knowledge from hacking and use that here at OneLogin.
Do you recall the name of the London event?
Calmus: I am under NDA [non-disclosure agreement] specifically with that one, but I can talk a little bit about ones that I am not under NDA.
The U.S. government flew me out to participate in a hacking event last year where it was essentially the Hack the Pentagon program [the U.S. Department of Defense's bug bounty program on the HackerOne platform]. We're trying to essentially further security in the U.S. government and the military.
Justin Calmuschief security officer, OneLogin
So there are hacking events like that where I am flown out, spend time hacking and then learn how to do techniques, and then apply that knowledge as a CSO into our own format here in our own environment.
I talk to a lot of CSOs, but your background sounds kind of unique. Is that your feeling, as well?
Calmus: Yes, absolutely. We all have our wonderful, unique backgrounds, but it always centralizes and comes back to the same thing, which is we are all trying to protect customer data as best as we can, and that's kind of first and foremost, right? Every [CSO is doing that], and that's kind of my big feeling here, too.
What I absolutely love -- and the reason why I love hacking -- is that I get to apply those techniques to make sure that other companies, not just OneLogin, are secure, and they understand the bugs that they have and they are able to close those out. I am deeply passionate about it, which is why I spend time hacking at 3:00 a.m.
At the end of the day, no matter what unique background you have, we all have the same goal.
What drew you to identity and access management and to OneLogin specifically?
Calmus: There is a huge market in the identity and access management area. For example, I think Gartner says that it's a $20 billion market with a 15% growth rate, so it is a major, major opportunity.
The second thing is, as a CSO coming into this space, you can make an immediate impact. For example, one of the first things I did here was change one of our values at OneLogin to be security first. So I think that coming in, I am able to have a huge impact, and there is a very large market.
You have things like GDPR coming out. People want to know where their identity is, where their data is and we're able to address some of those concerns. So I think that this market will continue to grow. While we have all these disparate systems everywhere, someone needs to come in and be able to rein all those in and, at OneLogin, we are trying to do that here.
I think that you touched on this before, but what attracted you to a company that was facing these types of challenges? You worked at LinkedIn -- I know that they had a breach in 2012.
Calmus: You know, it is actually pretty funny, I was not part of that team when LinkedIn went through that issue, but I quickly migrated to the security team because, when things like that happen, obviously, it is all hands on deck. I moved into the security team after LinkedIn had that data breach, but, overall, my tenure has mostly been in the security world and, like I said, I have always been an avid hacker.
As to why I joined OneLogin, I really thought that, overall, I would be able to have a large impact on the company. I have been heavily involved in the security community. I know how to utilize hackers as much as possible to our benefit. There are a lot of great hackers out there who will allow us to use their time and expertise well.
And, in the market itself, there is tons and tons of potential here. I mentioned earlier we changed our value to be security first, and there we can really make a large difference, even in terms of expanding our product capabilities.
We recently launched OneLogin Access, and we're able to start taking these disparate systems and moving them into our environment -- we're able to control identity all over the world.
In terms of the category of identity and access management, I noticed that you worked at Salesforce, a company that pioneered single sign-on (SSO) for web apps, and now OneLogin is talking about unified access management. What is your definition of unified access management and how is it taking the category forward?
Calmus: I can give you an example of why this is important, but I wanted to comment on unified access management and the difference between Salesforce and what we do.
When I was first at Salesforce, they actually did not have any type of SSO product -- they did my second time around. My first time around, they were actually using a third-party service and they were very interested in internally building out an SSO organization, so I think they are in a very different space.
What we are trying to do here at OneLogin is to unify identity across the board. If you look at Verizon's "2018 Data Breach Investigations Report," it's phishing and vendor security. Data shows that the security of third-party vendors is actually incredibly important, so when it comes to ensuring that your identity and your data is protected, the best thing to do is put an identity and SSO provider in front of that.
What we are trying to do at OneLogin is to wrap all of these different disparate and complex systems [together] so that we can manage your identity across the board, no matter what -- if you are on a desktop, if it is in the cloud, if it is on premises -- we are trying to manage that whole ecosystem and trying to expand on that significantly. So that's our goal as long as these disparate systems exist.
How is that different than identity as a service?
Calmus: A good example of how that would be different is, let's say that you want to manage an individual's desktop. You can't do that well with identity as a service.
With OneLogin Desktop, with OneLogin Access, we are really able to manage your identity no matter where you are at, not just in the cloud and not just specific applications, but for everything. So we can deploy certificates to manage your desktop, we can deploy agents, as well, to manage specific parts of your application, we can do background services, we can really manage your identity anywhere, and I think that a big difference is that there are some technical gaps.
So you are able to protect multiple protocols, for example.
Calmus: Yes. And that's our goal. We are going to continue to expand into any and all of this because, at the end of the day, Gartner is saying that, by 2020, it is $20 billion [market] and then it is growing 15% year-over-year. That is not going to stop as long as these disparate systems exist, so we really need to tackle that. And it's something that I am truly passionate about because this is something that ties into security deeply, so it is something that I would like to see get done to solve everybody's problem of really managing their data and identity.
It is hard to ask you this question because you are working for a company that is providing these services, but I think one thing that a lot of CSOs have to debate is how much to outsource and how much to control themselves. How does that work with unified access management?
Calmus: It is funny that you ask that because that is such a great question. I am an advisor to a lot of companies and I get asked this question all the time. The answer, to the best of my knowledge, is there really is no black-and-white scenario, but I can give you an example that is kind of obvious.
Let's say that you are launching the coolest service in Silicon Valley, and for your first year, you want to hire 100 or so people for your awesome startup. Will security be the first hire that you make? Probably not. Unfortunately, that is just the reality that we live in. But you want to keep your customers' data as secure as possible, so at what point do you say, 'I am going to hire somebody internally,' versus 'I am going to hire some great resources out there' to better protect your security.
You can essentially utilize OneLogin's security team if you are using OneLogin's product. We are tackling all security issues for you while you grow your organization. Let's say you launch your infrastructure in AWS -- they have a great security team. You will be able to look for and ensure that you have the best security setup in AWS.
The minute that you look at your customer data and you come to realize 'OK, well, is this really manageable internally? Perhaps I should hire a CSO.' Maybe that is a conversation that you should be having. At the board level, I think it is important to have those conversations and also to do outside audits so that you are better protected while you also continue to grow your company.
So I think that it comes down to a fine balance. But if you can utilize all of these great security teams externally, you should.
And the minute that you really start to question your security organization and you really get those audits in and the audits tell you that, yes, you should probably start looking for a security compliance hire, you should get on that ASAP. But utilize as many external resources as you can, especially as you are trying to grow your company. And [do so] internally so that you know all of your security policies and procedures and make sure that you are getting all of the security audits that you can.
With your hacking experience, what types of attacks are you seeing in some of these environments that CSOs might not be aware of?
Calmus: I would say that the attack vector that we are seeing out in the wild today -- that OneLogin has actually solved for -- is a brute-force [password] spraying campaign.
What that means is that hackers are going out to all these services and trying just a few passwords. So we are saying that Bob has password one, but I am going to try password two and password three, but I am not going to do it enough so that you get locked out of your account. I'm not going to do it enough to see if this may trigger two-factor [authentication] that I'll have to bypass. I'm going to do this just enough so that I understand and I am able to say, 'OK, Bob uses password one.'
We are starting to see that widespread attack hit multiple folks in the industry, and I actually confirmed this along with other CSOs not only in Silicon Valley, but worldwide, and a lot of folks are seeing this issue come up pretty regularly.
The best defense for this type of attack is, of course, using OneLogin services, but outside of that, I would say to ensure that your customers and your clients are rotating their passwords. A lot of these brute spray campaigns are downloading marketing leads and they are trying to match that up with specific passwords, so it's really important that folks pay attention to that in the industry right now.