Zoholics’24 talk: Mouli Dorai on the Zoho Integrated Security Stack

Interview at the Zoholics’24 event in Austin, TX

In this installment of the Intellyx video series, we discuss how Zoho released a complete Integrated Security-Solutions Stack in June 2024 at their Zoholics customer event.

Join Mouli Dorai, senior evangelist for Zoho Security and Identity Management solutions, talking with Jason English, Intellyx Director & Principal Analyst, about the current cyberthreat landscape, incorporating access and authorization policies without compromising customer experience, data privacy commitments, and the judicious use of AI in spotting anomalous behaviors.


Read the full transcript on the Intellyx blog below.

Transcript:

JE: Well, great. I’m Jason English. I’m a director and principal analyst at Intellyx, and I’m here at Zoholics 24. This is a great event for customers as well as partners to learn more about Zoho products and what they’re doing in the market today. Today I’m here with Mouli Dorai. He’s the head of security.

Mouli, would you kind of explain a little bit about what you do at Zoho and your role right now?

Mouli: Sure. Thank you, Jason. Thank you for having me today. I’m part of Zoho Corporation for the last 10 years. I am a senior evangelist for security solutions and digital signature services at Zoho Corporation.

JE: Well, Mouli, I was very curious about what you’re doing most recently. I know you’ve had some news come out about new products in the security division, as well as some authentication and authorization tools. So would you talk a little bit about what’s new?

Mouli: Sure. Today we are very happy to announce the launch of our tightly integrated security stack which has everything starting with a browser followed by an identity and access management platform which is tightly integrated with our multi-factor authenticator. So for shared accounts, we have a password manager. Today, all of these tools work together, helps customers, businesses to do their hybrid work in a secure fashion.

JE: So, what are the advantages of having this kind of centralized capability, but have it work across a suite of so many different tools — How do you kind of manage that disparate approach?

Mouli: Our vision at Zoho is always to be the operating system for business. So we help customers with their sales, marketing, accounting. We also want to help them with the security aspect and privacy aspect of it. So that was the key idea behind this integrated stack.

So even for security, they can get started on their journey from this integrated stack. We are in 2024. So we have a lot of devices, a lot of applications, and admins are having a very, very bad time knowing who is using which application from where and when. Meaning the security landscape has widened. There are lots of threats. The bad actors always want our data.

And if you are a business, you should also be worried about your customer data. And that is why we are making this big announcement to help businesses of all sizes to kickstart the security and privacy journey with Zoho.

JE: I know that at Zoho, for a long time running, you’ve kind of put privacy first. Customer privacy first kind of surrounds everything. So what are some of the details of how you manage to make that happen, where maybe today’s conventional approaches fall short?

Mouli: Starting from our day one, even in our free plan we don’t have an ad-based revenue model. So as a company, we want our customers’ data to be their own data.

We don’t touch them. We don’t have any monetization aspects on top of it. So that is on the privacy part. When it comes to security all the Zoho services run on Zoho’s data centers which are owned and maintained by us. This gives us a lot of freedom to offer a tightly integrated stack. We own our apps.

We own the services, starting with our single sign on, starting with our AI. All these are integrated by the way. The data interoperability is quite good, even in the security stack. So, this kind of helps us to differentiate from the traditional vendors out there in the market.

JE: Yeah, that’s interesting. And even when you’re doing an AI project like using Zia to model it based on your data, your data is still yours alone, right? So it’s training based on the same thing when you’re building processes, you’re building them based on your own data.

Mouli: So everything in Zoho is truly in house and built from scratch by us.

Not even one single app is by acquisition. Even our AI is from in house, which is Zoho’s intelligent assistant, Zia. So even the security stack, we have a couple of security features for AI. To give you an example, our browser offers you phishing and threat detection, which is backed by the machine learning capabilities of Zia in the background.

The Zoho directory system offers you a malicious threat detection. Say, for example, if Mouli used to log in from Chennai office from 9 a.m. to 5 p.m., and if there is a new detection from maybe China or Japan or from remote location, this AI will help admins alert it to terminate the session immediately.

So that is the kind of AI, real world AI that works in the background, which helps customers to protect their security posture.

JE: What are some of the scenarios where you basically work with companies that have existing regimes of different types of identity access management tools?

Can they sort of mix and match it, or is there some way they can use Zoho’s and do a gradual transition, or how do you kind of manage those hybrid IAM advantages?

Mouli: Excellent question. For identity and access management, people will already have their own tech stack. Azure Active Directory, Okta, Entrust, you name any application.

So the Zoho ecosystem will readily work with the third party ecosystem as well. Say, for example, you can do app provisioning based on roles and responsibilities.

JE: Yeah. One of the big concerns that keeps coming up, especially in our coverage today is ransomware, it seems to be very promotional, you know, like people are basically grabbing that as a reason to start thinking about it. But how do you think about ransomware in terms of helping your customers prevent it?

Mouli: Like the example I give you, the Ulaa browser offers you phishing prevention. It also offers you protection from crypto mining. Today, crypto mining is another new topic that is picking up. So, the bad guys want to use your computers, your networks, your devices to mine cryptos. And in the Zoho, if you are about to receive a malicious email what to say credential stealing software or anything of those sorts.

The AI and ML capabilities within the Zoho ecosystem kind of prevents you from such suspicious activities. So all these AI capabilities work in the background by default without the knowledge of the customer. They don’t know, they don’t even know they are using AI. So that is the type of simple AI system and services that we are working on.

JE: That’s excellent. Yeah, a big part of it is basically also empowering teams to kind of explore their security posture and how good they are doing at being preventative about that. Sometimes it’s not just threat hunting. It’s really just about understanding what your overall posture is. So, how can, how can you help them ensure that they have a good security posture and that they’re compliant?

Mouli: To give you a good example, the dashboard in Zoho directory gives you a clear picture of the total number of users. Maybe the malicious login detection from various locations. And the password manager dashboard gives you the total number of passwords which are already part of various breaches. So the dashboards in our services kind of helps you to get a holistic picture of your security landscape in your company with which admins can take immediate actions.

So if your password is part of any breach in the past, maybe LinkedIn or Myspace, if your password is part of any breach and if you are someone who is reusing the same password for multiple accounts, then your data is at risk and the customer’s data is at risk. The business data is at risk. So with this, companies can improve their password policies, immediately rotate the passwords, add MFA on top of it.

So that is the type of services that we offer to our customers today.

JE: Hmm. MFA is another, another big part of this. So how do you do MFA without creating a burden on customer needs or making it too hard for end customers to use the systems that are created using Zoho?

Mouli: So our MFA is quite simple.

It works on all the platforms across the devices. On both Android, iOS, we also have the desktop applications, which kind of helps them to access their MFA from wherever they are, from whichever device they are using on. So if you are someone who is already using other authenticator, we have an import mechanism to move your MFA TOTPs from there to our existing system, which doesn’t just work with the Zoho ecosystem, but also with the third party ecosystem.

Twitter recently removed free MFA for free users. So in Zoho OneAuth we see a lot of traction from free users of Twitter who want to protect their account with an additional MFA.

So Zoho OneAuth is a free tool. Anyone can use it, not just Zoho ecosystem users. That’s another good news.

JE: Yeah, and you could also, also the Ulaa browser would come with that built in. So yeah, that’s another interesting angle. You have your own browser. How’s the adoption of that going? And how does that impact customers as far as their security?

Mouli: So I would say the adoption today is very, very high from the existing Zoho ecosystem. But also, customers who are new to the Zoho ecosystem are also trying the Ulaa browser. So we see two types of patterns today, but the customers who are already with us have a better advantage because it helps you to do your work better.

It has its single sign on, it gives you Zia search, the Zoho notebook gets tightly integrated, you get the password manager service on top of it. So if you are someone in Zoho One already, if you have a subscription, the Ulaa browser is a no brainer for you. It helps you to do your work without much complication.

JE: Yeah, that’s nice, especially for employee adoption. You want them to do it without having any friction at all, or have to change their processes. So if they’re just, if they’re just still working as they did before, that’s because the browser today is a crucial endpoint across the world. That is where communication, collaboration, development, and everything happens.

Mouli: It’s a crucial endpoint, and it should be very privacy focused. Every company, you take any advertiser, they want your personal data. So your browser should be secure, and it should also work with your productivity tools. So that you can have some complete peace of mind and you can concentrate on your daily work rather than worrying about the other stuff which you don’t need to worry about.

JE: Yeah, especially for instance, single sign on and trying to take away the burden of having to have different passwords for different tools and things like that. So how do you kind of manage that part of the equation?

Mouli: So we are able to do this because, as I said before, we own the entire tech stack.

The Zoho directory service has been into the market, maybe in the background. The entire 100 million Zoho users enjoy single sign on via Zoho directory in the background. We are just commercializing the product now. The single sign on has been there for years. So we have this tech stack already, but now we are just passing it on, the advantage to our users, with which they can leverage it for their own app provisioning.

Device provisioning. Now we are also bringing in network authentication, especially for wifi VPNs. Zoho Directory will also help you there.

JE: You, you have some people who might have this actual security department or, or SOC or Security Operations Center that are implementing this. But then you have a lot of customers who, they don’t have anybody dedicated to security at all, right?

Mouli: Correct. So you know, I think this as part of their journey to growth. How do you kind of identify the right form factor to deliver the applications to different types of users like that? So, the easiest way is to begin your Zoho Directory journey by using the default security policies part of the application and the password policies that comes within it.

You can also enforce multi factor authentication on top of it. And now we are also introducing conditional based access. So, say, for example, you have a Salesforce application that you want to only open to users from New Jersey who joined the company from 2020 to 22. You can have any type of if-then-else condition.

So that is the level of sophistication we are talking about. So you don’t need to have a specialized security team to configure all this solution. So some of this configuration comes in the default mode. For more sophistication we have self learning resources. Any company can go about and configure this solution.

And we also have free migration and onboarding assistance that can help customers to kickstart their journey.

JE: Hmm. Yeah, that’s, that’s really cool. So they can basically even set their own policies in there and, they do that sort of in a low code method too, where they’re really looking at, they can look at policies like Workflows more than, how does that work?

Mouli: It’s basically a ready-made template, I would say, that can help you to enforce the security policy for your company for multiple things, the MFA, for the passwords, for the networks, for the apps, and all that. So it is simple for, even for a company of less than 50 employees, and it also works beautifully for companies with 5,000 employees.

The system is truly scalable. It’s proven. It works for companies of all sizes.

JE: How critical is it to have a real-time response to a security threat for a business and, and how, how do you go about making that real-time response happen?

Mouli: So, as I said before we have behavior threat analytics.

If a threat is detected, it’ll immediately alarm the admins. So admins can take immediate actions. It is very, very important today. Because let’s take any region. If you take the European Union, if you take the states of America, if you take another region in the APAC. If there is a data breach, if there is a cyber attack in your company, you need to immediately pass on the information to the government and regulators.

Because the customer’s data is at risk. And we also urge our customers to have a response plan based on the business requirements and based on the regulatory framework in which they operate in.

JE: Hmm. Yeah, the remediation is a very important part of it. And recovery from these situations is equally as important. It is really interesting to talk about to talk about that. I didn’t, I wasn’t aware that you even had a, a threat hunting type module in your stack, it’s like UEBA or SOAR or like all the typical acronyms that go into a stack.

Mouli: And the another good news is all the critical log information can be sent to a CM service from where admins can get the holistic picture of the security posture.

So that is another area with which admins can take proactive measures. So not just with related to passwords or the directory. You get the holistic picture of your entire IT infrastructure.

JE: Do you collaborate with the global security community in any way? For instance, working with, you know, MITRE ATT&CK, or contributing exploits that you are seeing out there as well, or, or do you, or are you pulling information from some of these global data resources as well?

Mouli: Yeah, we, we closely work with all the industry regulators and the government agencies. To give you an example we work with this service called Have I Been Pwned? in our password management service, which kind of gives you the public dump of all the data breaches and the login credentials which are part of that breach.

And we are also part of the FIDO2 Association. Which is coming up with the passwordless world, right? So, and we also pass on all the detection and share the critical information with the regulators.

JE: Well, Mouli, is there anything new that we hadn’t discussed so far in this, in this talk? I mean, it seems like you’ve kind of got all the bases covered.

But you know what else is new and significant that you want to mention?

Mouli: I just want to add one last message here. The number of cyber-attacks is increasing across the globe and companies who don’t have the right cyber security expertise and have the right budget are really finding it hard to kickstart the journey.

So we want to help businesses to take security and privacy seriously. And to Zoho portfolio from where you can start your security journey. And from there, you can even add it with your existing portfolio, or you can take it forward from there based on your business requirements.

JE: Very cool. Yeah. Well, this has been a great discussion, Mouli.

Thanks so much for joining me and telling us a little bit about what Zoho is doing in the security space. It’s, I think to most people, they don’t know how much has been actually going on in the background that leads up to today’s announcements. But it’s really a big story because it’s certainly something that most companies wrestle with every day.

Mouli: Yeah. The number of password attacks is increasing. The latest report says it is like 4,000 password attacks per second. And one single breach can take a company out of business. So, I would conclude my interview with:

Take security seriously. Don’t think “this won’t happen to me.” So, yeah, take the first step. Be proactive.

JE: Yeah. Good. Thank you. Good thoughts from you. Alright. Thanks.

Watch the whole video on YouTube here: https://youtu.be/xMB-gGZDLuY

©2024, Intellyx B.V. Intellyx retains editorial control over this story. At the time of writing, Zoho is an Intellyx subscriber. 


Principal Analyst & CMO, Intellyx. Twitter: @bluefug