RSA 2020 wrap-up: VMware Carbon Black integrations; MAM for BYOD; how to handle non-employees

RSA is always full of interesting things to learn about, so here are a few more vendors I sat down with.

With RSA 2020 in the can for another year, I wanted to take one last look at some additional interesting things I learned about. I looked at LastPass, Windows 10X, and Hysolate in my first article, so this time I’m looking at VMware Carbon Black, MAM for BYOD, and handling non-employees accessing corporate data.

VMware Carbon Black initial integrations

VMware announced their intention to acquire Carbon Black last year ahead of VMworld and the purchase became official in October. I’ve been waiting to see how VMware would use Carbon Black, and we now have the first major integration: VMware Advanced Security for Cloud Foundation.

I sat down with COO Sanjay Poonen and Patrick Morley, former president and CEO of Carbon Black and now general manager at VMware. They explained that Carbon Black is part of their vision for “intrinsic security.” Specifically, Carbon Black technology is involved in real-time workload audit/remediation, next-generation antivirus, and endpoint detection & response through vSphere. VMware designed this to be an “agentless” solution to protect servers, though Sanjay said they need a footprint on the device and in this case it’s through vSphere with Carbon Black code.

As for future Carbon Black plans, Patrick told me that we should see the Carbon Black integration with Workspace ONE in the second half of this year, along with integrations into other areas. At VMworld 2019, VMware showed AppDefense working with Carbon Black, but they said at RSA 2020 that they’re going to fold it under Carbon Black going forward.

Are we starting to see MAM over MDM?

At RSA, I spoke with a few MTD vendors, like Pradeo and Wandera, who talked about offering more MAM-type services as companies consider additional approaches to the ever-evolving BYOD landscape. Jack likes to drone on and on about how there’s a reason to use both MDM and MAM, but I wanted some other opinions about what those in the industry were seeing from companies right now.

I sat down with Wandera’s Michael Covington, who explained to me that the mobile security vendor is now also working on the application side. They have clients interested in MAM deployments because they want to protect corporate applications and data but don’t care about the whole device. Some companies don’t even care about a particular threat incident on an employee’s device unless that threat attempted to access a business-critical app. Additionally, some clients with MDM deployments find themselves a little overwhelmed by the number of devices they have to manage; it’s just easier to go to BYOD and use MAM.

Part of this move away from device protection to MAM also has customers wanting different policies depending on whether an employee tries to access a business app from a company-owned device or the same employee logs in from their personal smartphone at home.

Handling non-employees remains complicated

Sometimes we forget that the EUC goes beyond just office workers and includes frontline workers, which increasingly includes contractors and non-employees. In these use cases, MDM isn’t an option, so some companies turn to MAM or device attestation to ensure devices are secure.

That’s for when you can trust the user and not the device—but what if you want to be sure you can trust the user before granting access at all? While vendors offering a form of non-employee identity verification isn’t new, I did want to see what different options there are for solving this issue.

I spoke with SecZetta, an IAM vendor that helps companies manage non-employees (this includes bots, too). SecZetta collaborates with customers and third parties to become the authoritative source of data around non-employees. They collect the necessary info from non-employees to verify they are who they claim to be.  

They can manage non-employee access to corporate data up to and through termination, ensuring that non-employees only have access while they’re working with the company. SecZetta will periodically contact the delegated admin about a non-employee assigned to them and whether they should still have access. If not, the non-employee’s access is revoked in real time.

SecZetta also provides identity consolidation, which ensures each user has appropriate access. One example they gave me: a college student has one persona with specific access permissions, then becomes a teacher at the same school, which results in the creation of a second persona. SecZetta reduces the profiles to just one, reflecting the person’s current access permissions and creating an identity trail admins can review.

That’s a wrap!

And so closes another year of RSA—I’ll be sure to attend again in the future, provided Dell’s sale of RSA doesn’t impact the conference side of the company.
