Mobile device management: Problems and solutions


James Maguire, editor-in-chief of eWeek, recently interviewed Jason Meller, chief executive officer of Kolide, a zero-trust access company for organizations that use Okta. In this interview for TechRepublic, they discussed the challenges businesses face with mobile device management as well as possible solutions. The following is an edited transcript of their conversation.

Challenges in the MDM market


James Maguire: The mobile device management market is pretty hot; it saw about $5 billion worth of revenue last year, and it’s growing about 20–25% a year. One pundit predicted that it would hit $21 billion by the end of this decade.

There’s a lot of growth, but not everything is perfect for those companies. What are some of the challenges involved with this fast-growing market?


Jason Meller: The mass amount of growth is primarily being driven by the new compliance standards that are really coming to bear. A lot of companies that are selling business to business, particularly SaaS companies, have to pass new style audits like SOC 2, which really require that devices are under some kind of management.

That’s where mobile device management really comes into play. For the first time, before they’re really needing to and from an IT perspective, they fundamentally need to pass these audits. They’re finding these devices, they’re putting them under management and they’re buying MDM style solutions for them.

When they go to look for those solutions, they’re looking to solve every single IT management and security challenge with this one thing. Unfortunately, MDM isn’t really good at solving everything. It’s particularly good at getting the device initially in the state that you want it in: from a security perspective, making sure that right out of the box it has disk encryption and the firewall is on. But once the end user gets to use it on a daily basis, that’s where the story starts to fall apart, and it happens relatively rapidly.

For instance, one of the most important things that you have to reason about in the security space is making sure that the computer has its latest patches, and not just the computer, but also the web browser and other critical software.

MDM doesn’t have a great answer to that. In fact, most of the companies that we talk to, despite rolling out MDM, still have significant lag time between when the device is fully patched from when the device is offered the patch. That lag time can often be in the order of weeks; sometimes, it’s even longer than that. These patches contain critical things that you need to install; otherwise, you could be the victim of a drive-by malware attack.

Reducing that lag time isn’t something that MDMs have been particularly good at. So far, IT admins have been faced with building their own solutions that rely on forcing reboots to make sure those things are happening, but that’s just one of many things.

Anything that requires nuanced, end-user consideration, where the user really needs to think “when do I want to do this? Is this a sensitive data device?” MDM just doesn’t have an answer for it. And those are things that are really important, just as important if the device itself is encrypted.

MDM security wake-up call


James Maguire: Those are some of the challenges in the market. Why is now such an important time for MDM? What issues are most urgent for companies to address?


Jason Meller: There’s a number of things that are driving the adoption of increasing the security and compliance of devices. I already mentioned these compliance audits like SOC 2 and GDPR. Those are things that are driving it.

There’s also this recent wake-up call. IT and security administrators have realized there are a number of companies right now that are getting hacked, and the way that they’re getting hacked is that these devices are being compromised because they’re not being up-to-date in a timely manner. Users are authenticating, usually via some sort of SSO provider, by signing in with their username and password and following that up with two-factor authentication.

It turns out that two-factor authentication isn’t good enough to resist the more recent attempts at phishing. We saw recently with one of the major hacks (Uber’s a good example of this) where the attacker was able to convince and trick that user into either sharing their passcode or, in Uber’s case specifically, to actually tap a button on their phone to confirm the two-factor access.


If you had asked IT administrators just a year ago if two-factor authentication is sufficient, they would’ve all said yes and that it’s an industry standard. Since these hacks, suddenly people are thinking two-factor isn’t enough anymore. We really need to ensure that devices are the things used to tie in with the authentication.

That’s what’s driving this idea of zero-trust methodology. These are major initiatives that many companies are taking on, and part of that is making sure the device is known to the company, trusted and in the right posture. That’s really driving the focus on this area right now.

Kolide’s CEO Jason Meller discussed mobile device management in this TechRepublic video interview.

Kolide’s MDM-related solutions


James Maguire: Let’s take a minute to drill down your company’s offerings. How is Kolide addressing the MDM needs of its clients? What’s the Kolide advantage in terms of the overall market?


Jason Meller: Kolide was founded on the premise of not trying to extract the end users out of the problem. The end users have the most context in what they’re doing, so how do we leverage their time and attention to get the device in its most secure state possible?

Now, this would’ve been a fool’s errand if you asked IT and security administrators. End users are typically perceived as the enemy, or at least the source of many of these compromises. We read about it all the time, but Kolide sees much potential in end users being able to assist IT and security teams.

Fundamentally, MDM software is constrained by one reality: In order for you to be able to fix the problem, it must be something that can be automated. It must be something where the end user isn’t involved at all, and you have to force it. That requires really careful coordination with the OS vendors, and it’s a limited way to ensure security and compliance on a device.

There are much more nuanced instances. We mentioned updates as one of them earlier, but let’s think about another one like sensitive data on the device. I can’t tell you the amount of engineers or customer service reps that have this treasure trove of sensitive information that’s just sitting in their downloads folder.

What’s the MDM solution for that? There really isn’t one. You can’t go in there and just try to find it automatically and delete it. What if the user was in the process of using it? What if they really needed it? You need the end user to collaborate with you to solve a lot of these challenges.

That’s what we’ve set out to do inside of Kolide. We endeavor to create a product that enables that type of conversation between the IT administrators and the end users. What are the components that make that possible? With Kolide, what we’ve stumbled upon is that if you use the authentication flow, when you’re signing in to anything, we say:

“Your device is not in the state that we would like it in before we let you access all of this sensitive data. Please do X, Y and Z, and if you do those things, only then can you sign in.”

That’s never been tried before in a meaningful way in our industry, and that’s exactly what Kolide does. We present you that message, we give the end user step-by-step instructions on how to fix it and then they do fix it. That’s the key, because if they don’t fix it, they can’t sign in and do the things that they need to do for their job.

What we found is that end users understand that. It’s a very transactional cause-and-effect type of thing. They understand if their device isn’t properly secured, then they shouldn’t have access to the company’s most sensitive intellectual property or data. If they’re not doing their updates on time, then yes, that makes sense, they shouldn’t be able to get access to the keys to the kingdom.

That simple nuance in how that interaction works can drive so many more compliance initiatives inside of your organization. If you can enumerate to an end user how to fix an issue, then Kolide can be the solution to get that metric to 100%. That’s never been possible before. That’s what’s so fundamentally different about our offering compared to a traditional automated MDM provider.

You can keep your MDM provider too. This isn’t an either/or. Use the current MDM for what it’s good for: Make sure that FileVault encryption is on. Beyond that, get the end users to solve a lot of these issues. You’ll find that to be a much better long-term solution, and Kolide’s created a product to allow you to do that at scale. That’s really what we’re offering.


James Maguire: Kolide is requiring the users to be more involved and more invested in their own security process?


Jason Meller: Yes. In order for you to be able to communicate to an end user, you have to explain not just the what, but the why. Why is this important? Why does it matter that I don’t have my two-factor backup codes sitting on my desktop? The end user may not know why, but by getting them to fix it and then teaching them the why, the recidivism rate (whether they’re likely to do it again) is going to be extremely low.

We’ve also seen that on the update side as well. When customers have deployed this, users learn very quickly what the system is really looking for intuitively. Then, the next time they’re in their web browser and they see that little badge, they think: “Oh, it’s time to update.”

They don’t wait for it to turn crimson red anymore. They click it right away, because they know if they don’t, the company is going to eventually block their access to a number of different apps that they need to do their job. They start to learn to preemptively anticipate and do that.

That’s been the goal of IT security training since its invention. Now, with the right type of system and process in place to encourage that behavior, we can actually achieve it. That is novel, as far as I know. I don’t think that’s ever actually been achieved, not just attempted, but that’s what we’ve done.

Predictions about the future of MDM


James Maguire: Let’s look ahead to the future of MDM. What are a few key milestones we can expect, and how can companies get ready for them now?


Jason Meller: The future’s going to be really interesting when it comes to mobile device management. We’re already seeing a lot of these shifts. We’re in the midst of many of them.

The biggest shift that we’re starting to see is that the diversity and types of devices that end users are using to do their work is increasing. I can’t tell you the amount of companies that have come to us because they have an increasing number of Linux devices that are coming in, and they don’t have any answer for that. There is no MDM for Linux at all, so they’re asking how to solve the issue. The diversity of devices is going to continue to increase.

Since the pandemic, the amount of folks that are working remotely is like toothpaste that’s out of the tube; you’re not putting it back in. We need to be in a position as security and IT practitioners to enable these remote workers to be secure from any location with any possible device. As that becomes the challenge, trying to centralize all the management under one OS vendor or one type of MDM product becomes really problematic.


What’s the common thread that runs among them? It’s the end user. The end users are the key to leveraging their own ability to change the settings on their computer to actually get their computers in the right state. We think that’s the future.

The thing that we see as a fundamental change in the future is how two-factor authentication is now being subverted by attackers. I mentioned this earlier. We think that’s going to increase over time, and what comes into consideration with that is how people are structuring their network security architecture and how they’re protecting these systems.

We may think of things like the VPN, which is the classic way of creating this strong, outer barrier, and then once you’re into the private network, you’re in. We think that that’s going away. We think that zero trust (or BeyondCorp, as Google has called it) will be the thing that actually drives more modern network-style architectures for accessing apps.

SaaS apps have taken over our world. We don’t see that going away. We think more and more apps you use on a regular basis for business are going to be SaaS based, and they’re going to be accessible potentially by any device. The future really relies on organizations understanding that they need to control which devices truly can access those apps. Zero trust is going to be the major initiative that organizations embark on to actually solve that problem.

