Featuring Status Identity
Read Time: 15 minutes
Welcome to Episode 42 of Students vs. Startups. This week, moderator John Gilroy talks with the founder and CEO of Status Identity, Nakul Munjal. Status Identity provides intelligence for its customers by preventing hacks around account authentications. Listen below to hear all about their approach to increasing the strength of cybersecurity!
If you would like to get weekly updates sent straight to your phone, you can subscribe below on iTunes!
Thanks to our Sponsor:
John Gilroy: Welcome to Students vs. Startups Showdown, the Potomac, my name is John Gilroy, I'll be your moderator today. Big round of applause for show number 42. Here we are sitting in the offices of Eastern Foundry, like always, we took over a conference room kind of like occupy Rosslyn, occupy Rosslyn, and we have a big table here. One side of the table, we have three students, the other side of the table we have a startup, we have a little 26 minute conversation, we walk out of here fast friends. Munjal, does that make sense to you?
Nakul Munjal: It does indeed.
John Gilroy: Great, great, great, great. Our three students today, kind of a good mix I think. We have Madeline Tomchick, we have Michael Lamos, and we have Ekaterina Pamsheva. How are you three doing?
Madeline T.: Doing quite well.
John Gilroy: Good, good, good. Madeline, tell us about your background please.
Madeline T.: I'm a graduate of Georgetown University's Technology Management program in 2016, and now I work for Applied Information Sciences in Reston, Virginia, and we are a Microsoft Systems Integrator, so we are what builds that relationship.
John Gilroy: AIS is what they call it here and very, very well-known company, been around for 30 years, so they're doing something right, huh?
Madeline T.: I think so.
John Gilroy: Michael, your background please.
Michael Lamos: My undergrad is Mechanical Aerospace Engineering from Catholic University in D.C., and in May I graduated from Georgetown with a Master's in Systems Engineering Management and I'm currently a systems engineer who works in the software environment.
John Gilroy: Ekaterina?
Ekaterina: Currently I'm a student at Georgetown University, in the middle of the program, and I do work as a consultant at General Service Administration, and we manage government websites.
John Gilroy: Well, that's a formidable crew against, we'll see if our startup can actually handle it. Our startup, the company's called Status Identity, and the gentleman who is the founder and CEO is Nakul Munjal. Nakul, how are you?
Nakul Munjal: I'm doing excellent, excellent, thanks for having me.
John Gilroy: How'd you ever wind up with this company and down here in Washington D.C.?
Nakul Munjal: Well I don't have one of these interesting stories like I had a dream in the middle of the night or anything like that. I've been in the identity and access management space about 10 years, and I've started out with a startup called Software Secure, where we were administrating the bar exam using computers. My job at the time was basically to try to cheat. I was trying to figure out different ways to cheat and authentication was one of the primary issues that I was trying to overcome.
From there, did a lot of school, and then I was part of the founding team for IBM Security Systems in 2009, so we started out with an acquisition called QRadar, that's now about a 30 billion dollar business and then from there, I decided I wanted to focus even more on the identity and access management space, so then I moved to Micro Focus, which is a company that does provisioning and de-provisioning in the IAS space, and I've been there basically running their partner program. We've taken it from a single $200,000 deal to last year was a seven million dollar set of revenue, so we've experienced quite a bit of growth.
My partner and I, who used to be coworkers, saw a niche in the market where we just kept encountering it over and over again in client discussions. It was something where we did a bit of market research and validation, looked a lot of Gartner, talked to a lot of business partners, and we did a fair bit of validation. We decided that there was enough growth in the market to justify a new entrant, so that's where we came up with the idea and we thought we would try to step out on our own and make this happen.
John Gilroy: So right now, you're affiliated with MACH37, is that right?
Nakul Munjal: Yes, we were one of the five companies out of my understanding is 110, that were selected to be a part of the MACH37 Cohort this year, so it's been a great experience for us. Obviously the capital injection helps, but we also have access to some great resources like yourself John, you're a great resource.
John Gilroy: Madeline, it sounds like a good topic, jump in please.
Madeline T.: You worked for another startup and you've had other jobs, what inspired you to say okay, I'm going to do it on my own?
Nakul Munjal: I think you have to be willing to torture yourself a little bit, let me put it that way. There's a gradient of people in the corporate world and in my time with IBM and Micro Focus, I always tended to gravitate towards the sales side of things. The thing that always attracted me to that was that I was paid in proportion to my effectiveness. So in sales, there's a direct correlation between how successful you are in closing deals and how much you actually take home in your paycheck. That's not always the case in the corporate world, so I started out as a strategy consultant and ended up in sales because that was what attracted me to it.
In a startup, it's that idea taken to an extreme. The reward is high, but the risk is also high. I have zero income right now. At my burn rate, I think I have about 18 months to go. I'm being very serious, this is what I live.
John Gilroy: So Michael, if you go to their website, you see these words, "adaptive multifactor authentication", kind of an impressive phrase there, huh?
Michael Lamos: Yeah, that was one of my questions I wrote down. I think many of us in this space, even just in our day-to-day office jobs, we know what MFA, right, multifactor authentication, so what is this adaptive part of it? I see it on your website and in the little write up we were given, adaptive authentication algorithms, so without spilling the secret sauce, what is that about?
Nakul Munjal: It's not rocket science to understand, it's a little harder to do on the back end, but basically, if you look at it philosophically, there's an inverse correlation between security and convenience, so as systems access becomes more secure, you then are in a situation where passwords get longer, and you have more controls in place that increase the amount of friction in the system. So two factor authentication is what was proposed as a way to dramatically increase the level of security without increasing the amount of inconvenience that's required to make that happen, but even two factor authentication has its challenges.
The most popular form of two factor authentication today is SMS two factor authentication. It's no longer recommended for a couple of different reasons. It's kind of been substituted not as a second factor, but as the thing that you get when you forget your password as a verification. If you think about it, that's no longer a second factor of authentication, it's still a first factor of authentication. Rather than it being a first factor set of credentials with a user name and a password, and a second factor of a code that you get as an SMS, that it's become an either/or type of situation.
The second reason is that by relying on SMS two factor authentication, you're actually bringing a third party into the mix, which is your telecommunications company. So that has a series of challenges, it's actually been hacked through that kind of a process. So now, what we're doing is we're trying to break this paradigm of convenience and security. We're trying to make things more secure and simultaneously more convenient.
Our approach to it is what we call adaptive in-band, to be specific, multifactor authentication, and in essence, we have a couple of apps that we've developed, we have an Android and an iOS app. You install this app on your phone, and at every point of login, we have a server that's sitting on AWS, so you enter your user name, password, that page has a few lines of code which will ping our server. Our server will then capture a bunch of information from your phone. It'll capture your location, it'll capture your history, it'll have a record of your historic login activity, it'll capture information about your mobile device, will check to make sure that you're plus or minus one major release in the operating system, and what we'll do is we'll associate your user activity as well as the application that's being accessed, and we'll calculate a risk score.
That risk score is calculated at every point at login, which is what makes it adaptive. So what we use that risk score for is to step up or step down the authentication threshold. I'll give you a couple of use cases. You login from New York, two hours later you login from Los Angeles. We block you, that's impossible. You login from New York, 10 hours later, you login from Los Angeles, we require you to do your thumbprint on your iPhone touch ID or your fingerprint authenticator on your Android device.
You go into work at 9 a.m. every day for three weeks in a row, you login from the same location at the same time with very predictable behavior patterns. Once we achieve statistical significance, we will then start to deescalate you from a biometric call to a push notification, and then from a push notification to something that we're calling passive two factor authentication, where we're effectively just pinging your phone, we're ensuring that you're within our risk parameters. We have algorithms that determine what your risk parameters are, and then we're going to determine that you no longer need any active two factor authentication, but we're actually allowing you to authenticate with a second factor without any active involvement from the end user.
John Gilroy: Ekaterina, fascinating concept, status? I mean what do you think? Any questions for our guest here?
Ekaterina: Obviously security is a very hot market right now, there are a number of companies that have products to make sure that the environment is secure. So my question is what sets you apart and who are your competitors?
Nakul Munjal: Okay. Yeah, this is a great question and something that we've done a fair bit of homework on. Let me throw a few numbers at you. These are not my numbers, this is a combination of markets and research and Gartner data. The two factor authentication market is going to be growing at 24% annually from now until 2021. The adaptive authentication market, which is a subset of the two factor authentication market is expected to grow by 35% year over year. This is going to be a 10 billion dollar market by 2020, 2021 time range.
So it's an extremely high growth market, security is becoming an increasing concern, not just because of all of the hacking events that you hear about every day, but also because there's major changes in regulatory compliance. The industries we've identified are healthcare and financial services, where more authentication creates a lot of friction in the system, in people's day-to-day jobs. Reducing that friction is going to become an increasing need. So that's what the market says in terms of the analysts, for whatever that's worth.
In terms of competitors, there's also a lot of competitors out there. There's two things that differentiate us. There's probably, I would say, 300 companies of various sizes that are doing this. If you look at Gartner, you'll see 15 to 20 different companies that are focusing in authentication that are large companies. I'm talking about the RSA's and the CA's and the IBM's of the world. So there's two things that I would say justify our existence in the market. Number one is that the market growth rate is so high that for a startup to get in there and capture a little bit of market share in the SMB market or even in projects and discreet projects within large organizations, that is a piece of business justification. The second is that all of the adaptive capability that's in the market today is applied to the first factor.
If you look at companies like CyberArk or NetIQ, there's a series of adaptive authentication companies out there, they're applying that machine learning capability to the first set of credentials, which does provide some level of security, but it limits you to IP address and location only inasmuch as the device that you're using to access will provide that location. When you apply these machine learning algorithms to the second factor, your mobile device, it opens up a whole new set of possibilities. We're able to calculate geo velocity, we're able to incorporate really cool things that is in our development roadmap.
If you go for a jog every morning, and you login at 9 a.m. after having done your jog, your phone actually has a steps counter in it that will track how many steps you took. If you all of a sudden run a marathon that morning, that would, to a lesser degree than some of the other factors we consider, impact your risk score. We're basically looking for anomalies in behavior. The fancy way of saying it is behavior biometrics, but we're just looking for anomalies in your behavior and using that to authenticate you.
John Gilroy: Let's have Madeline jump in with a question please.
Madeline T.: You said about who your competitors are and what makes you different, but what are you doing to try to get people to your site? What kind of marketing plans do you have out there, are you active on social media, is your website up to date, what exactly is ... do people even find out about you?
Nakul Munjal: That's a great question, and to be honest with you right now, we are at a phase in the company where we have a demo, we are not at MVP as of yet, and any visibility is good visibility, but my team is a team of four, and we are focused on product development right now. Product development, and any of the funding that we're able to acquire is going to go straight into product development. Getting the word out and marketing is a massive effort, and that's something that we do have to take on, but at this stage in the company, we have to pick our battles, so right now, my battles are building out the back end on AWS. Leveraging our partnerships, trying to build signed LOI's with customers, and that's really where our efforts are right now.
John Gilroy: I'm going to jump in, you use the word "battle". Many times in the real world, the battle is with getting people to use it, it's too complex, and your website talks about it's only when easy to use. So Michael's an engineer here, he knows about easy to use and the trade off there. Does it sound easy to use? Or I don't know.
Michael Lamos: Yeah, this is really perfect, 'cause my second question was about this and you eluded to it a little bit earlier, so I think you're probably familiar with the saying security is never convenient, and you say easy security for all users, right? So what are you doing to make it easy, to kind of get rid of that stigma to where people are comfortable using it, where it's not a burdensome thing to type in your 18-digit password with special characters and numbers and uppercase and get out your OTP token and you know-
Nakul Munjal: Yeah, you got it. Half hour later, I hope I didn't say security's never easy to use, 'cause I don't like to use absolutes, but if I was to make the statement that security is fun to use, if that's the adjective I use, I don't think most people relate the words "fun" and "security" together. When you start employing graphic user interfaces that are very intuitive for people, and you do them in a way that is fun, the adoption curve of that product accelerates dramatically. That's the major challenge. The major challenge is not the doctor who's complaining that he has to multifactor authenticate to an electronic medical record system five times a day, or is an Emergency Room trying to access EMRs and doesn't have the time to do a multifactor authentication, he only has to do it because of HIPPA compliance. That is not the key use case here.
The key use case here is is that doctor willing to adopt the solution rather than us twisting their arm into making them adopt it. That's where the compliance and regulatory aspect of this is today. When you start using machine learning, we no longer have to apply a static authentication threshold for everybody. That authentication threshold changes based on the things that we gather, and this is a bit aspirational, but I think we can make security fun. I think by using machine learning and by using very slick, nice, easy to use graphic user interfaces, I think we can overcome a lot of the obstacles that our traditional paradigm of security has presented.
John Gilroy: Ekaterina, jump in there, when I was doing research for this interview, I wrote down these four letters, "NIST", and NIST guidelines, are you familiar with any guidelines for status identity? I mean where does this all fit in from your perspective?
Ekaterina: Yes John, so NIST is a general standard for pretty much every website out there, and NIST is the institute that sets the-
John Gilroy: Yeah, I didn't know if there are standards for this or not, does it make sense or-
Ekaterina: But the problem is that there are times where the standards crash with reality, so it's a good practice to have, but when you spend five minutes to login to your computer, then another two minutes-
John Gilroy: Exactly . .
Ekaterina: ... to log through the jump box and so on and so forth, and you have those hoops to jump through, it definitely in a way takes a lot of time, right? So the convenience is one thing that we are looking here, and the adaptive component of that would definitely help if you could see how the user behaves and see where they're aligning with this. I wanted to ask you about I know you touched on, and you said that primarily you're working on the back end development right now, but once the product is out, who are your target audience who could use this?
Nakul Munjal: Good question. So like the same with the marketing efforts, right now we have to pick our battles. What we're targeting right now are the two industries that are affected most by compliance requirements, especially as it pertains to multifactor authentication. So those are healthcare and life sciences, as well as the financial services industry. The regulations of these two industries are evolving very quickly. As of 2014, HIPPA requires two factor authentication for access to electronic medical record systems like Epic or Cerner.
Just this March, there was a new set of regulations released by the New York Department of Financial Services that requires two factor authentication for access the material non-public information. This is information that can be used for insider trading, and then of course Sarbanes Oxley has a whole set of application access controls that would be relevant to this. So that's the two reasons why we're targeting those two verticals right now.
In Europe, you have GDPR, which is coming out, it's the General Data Protection Regulation? I think. So GDPR, Article 9 provides it says, explicit consent for the processing of special categories of personal data. These kinds of regulations in our current way of doing two factor authentication is not only insecure in the case of SMS, which by the way is no longer recommended by NIST. NIST [crosstalk 00:19:23] NIST released a study, I think this was last year, which specifically says, "Do not use SMS two factor authentication" because of the two issues I cited earlier, so between HIPPA, Sarbanes Oxley, New York DFS guidelines, GDPR, which is coming out this year, we feel that the lowest hanging fruit right now are those two industries.
John Gilroy: Michael?
Michael Lamos: Sure, I just thought of this one. Do you consider yourself a turnkey product, or a service that could be integrated with?
John Gilroy: That's a good question.
Nakul Munjal: That is a good question.
John Gilroy: He just started, he's got to figure it out.
Nakul Munjal: Yeah, that's honestly Michael, that's not an easy question for me to answer right now, just because I think once we start getting into client environments and see what clients are currently using for two factor authentication, the key question that I think the client is always going to ask is, "Is this a rip and replace product, or is this something I can use in concert with the current 2FA solution that I'm using?"
Michael Lamos: Maybe their authentication mechanism to begin with, right?
Nakul Munjal: Yeah, exactly. If they have a single factor authentication mechanism, then of course, it's white space for us. But if they already have something like a duo, or an auth-ed that's deployed, and they're using SMS to factor authentication or a push-based app, would they say, "What can we do to deploy this adaptive capability that status identity is bringing to us?" In that scenario, there is some element of redundancy. That's the reality of it, so yeah, fair question. I'm afraid I don't have a great answer for you right now.
John Gilroy: Madeline, I'll give you the last question here please.
Madeline T.: You talked about hire, very much focusing on product development, but in the end, where do you see yourself in five years? Where has the company grown?
Nakul Munjal: Okay, so our five-year target, I hope there's - are there angel investors?
John Gilroy: We'll distribute it widely.
Nakul Munjal: Yeah. So our financial plan makes a series of assumptions. Our three paths to market are systems integrators, these are the big Accenture's and KPMG's of the world, managed security service providers, these are much smaller, two to five hundred employee services organizations, and then of course direct sales. So in five years, we want to be a $20 million dollar company.
John Gilroy: Oh, that's pretty aggressive. Cool, good job. If someone wants to have more information about your company, what website should they visit?
John Gilroy: I'm afraid we're running out of time here, if you'd like to have show notes or links or a transcript, please visit TheOakmontGroupLLC.com.
I'd like to thank our sponsor, The Radiant Group. If you are interested in getting involved in geo-spacial projects, contact The Radiant Group.
We are hosted by Eastern Foundry, a community of government contractors who are bringing innovative solutions to the government marketplace. For more information, go to Eastern-Foundry.com. If you would like to participate as a student or a startup, contact me, JohnGilroy@theoakmontgroupllc.com, and thanks for listening to Students vs. Startups showdown in the Potomac.