In addition to providing a diffentiating and long-overdue delightful customer experience in IAM, Core Security is also broadening its go-to-market for IAM, looking to expand beyond the enterprise, and in Canada specifically, to make it much more of a channel play.
Atlanta-based Core Security, which makes a broad range of security products across the Identity and Access Management [IAM], Vulnerability Management and Network Detection and Response categories, has launched the 9.0 of its Core Access Assurance Suite (AAS). While AAS now has enhanced out of box workflows and improved password security, the big improvement here is in the interface, which has been redone to provide a consumer-grade experience for corporate users.
Core Security’s focal organization was originally called Courion, whose focus was on Vulnerability and Access Risk Management solutions.
“In 2015, Courion secured venture capital funding and acquired five additional companies, one of which was Core Security,” said Venkat Rajaji, Senior Vice President Marketing at Core Security. “In May 2016 they rebranded the company around the Core Security name.”
Historically, the company differentiated itself in its marketplace with its deep ties to many vertically-specific applications, which provided greater speed of automation.
“We have had deep ties and connectivity with about 350 applications, many of them vertically specific,” Rajaji said. “We have been strong in health care, with EPIC EHR systems, and regional banking systems, because of those deeper integrations. That has been our historic differentiation. More recently we have added a focus on identity analytics, providing visibility into things like abandoned, orphaned accounts, or privileged accounts, so an organization can clean up risks. We believe the siloes of security need to be broken, and that by breaking down those siloes, and improving visibility, you can take surgical action to remediate risk. That’s important today with the mixing of vulnerability and identity. You need visibility across different threat vectors.”
AAS 9.0 adds a focus on consumer grade experience, something that Rajaji emphasized is against the norm in the identity and access management space.
“Moving forward, we believe a consumer-grade experience is important,” he said. “This shouldn’t be new thinking in today’s world – but it is new in IAM because IAM is still thought of as an IT back-end use case, where the vendors don’t consider the needs of end users. Provisioning isn’t typically usable today by end users at all. Self service access is still geared to IT. The problem is that it is actually the end users in an organization who need the access. After an employee is originally onboarded, a person may change their job within the company, or require access to a new application, or a higher level of access. These are not necessarily IT users at all. They are consumers. So it’s a reasonable expectation that they have consumer grade IAM. Their managers also aren’t IT people. They are people like nurse supervisors in hospitals.”
Rethinking and reworking the interface to cater to these users is a major differentiation in today’s marketplace, Rajaji emphasized.
“We believe this is a game-changing provision in the access management space,” he said. “We’ve seen this happen in ERP, in CRM, at the application layer. We need to do it here in IT security as well.”
AAS 9.0 also makes changes to improve password security.
“As part of Password Reset, we have added randomized questions for knowledge based authentication,” Rajaji said. “We use five or six different questions, which are specific to the user. The change is that we used to rotate through the questions. Now we have changed the process so the questions are randomized instead of rotated.”
The other major change is adding best practices workflows out of the box.
“The improvement to workflow provisions should help significantly with the speed of deployment times,” Rajaji said.
Identity management is one of the more enterprise-focused offerings in the Core Security portfolio, but the company is looking to expand their market reach.
“Our positioning in the market varies a lot depending on the product,” Rajaji said. “While something like penetration testing spans the whole market from top to bottom, IAM has been focused on the enterprise and the upper end of the midmarket – basically organizations of 10,000 employees or more.”
“We are looking to broaden out beyond the enterprise, specifically with solutions for the small to medium size market,” said Andy Osburn, GM Canada & Director Channels at Core Security. Osburn, who is Halifax-based and who came to Core through one of those other acquisitions, Halifax based Secure Reset, said that this shift is also being accompanied by a greater focus on the channel – in Canada in particular. While Core’s direct-channel business is about 50-50 globally, with most U.S. business being direct and global business being channel, the plan in Canada is to make it largely a channel market.
“The go-to-market strategy in Canada is to move to an almost exclusively VAR-specific strategy,” Osburn said. “In Canada, we have a mature VAR network around several security products, such as vulnerability management and penetration testing. The channel only has a footprint here in identity management. But we are in the process of moving it from minority VAR to majority VAR.”
Core Security’s channel philosophy is very much along ‘value reseller’ lines rather than a volume play, looking for deep relationship with mutually committed partners. Nevertheless, Osburn emphasized that they are always recruiting those kinds of quality partners.
“We are looking not just at our existing partners to do more, but to recruit new partners, and in Central Canada and Western Canada in particular,” he said.