Rocky Giglio (00:17):
You’re listening to another episode of Cloud N Clear, SADA’s cloud transformation podcast. I’m your host, Rocky Giglio, and today with me on the show is Harold Byun. He is the chief product officer of AppOmni. And before we get started, I just want to remind everybody to subscribe down below, help us hack the Googles, and thanks for tuning in. Harold, welcome and glad to have you on the show, man.
Harold Byun (00:40):
Yeah. Thrilled to be here. Thanks, Rocky.
Rocky Giglio (00:42):
So Harold, I’m looking at your background. You got an extensive background across product and marketing roles at ServiceNow, Citrix. You’ve got expertise across governance and compliance, data loss, encryption, and so much more. Sounds like you’ve had a great career. And then a couple patents, do I see a couple patents in your profile there?
Harold Byun (01:02):
Yeah. I mean, I’ve definitely worked with some really strong technical teams and have had the opportunity to dive into some pretty cool stuff. So yeah, I’ve had a broad coverage area within security. I mean, I think one of the major overarching themes in my career has really been around data containment overall. I mean, I think when you look at the security industry and whether it’s attacks or incident response or automation and how to do things faster or reducing the attack surface, the net-net of it is it always comes down to the information and the data.
(01:36):
I’ve had a lot of opportunities to work on data containment strategies, data leakage prevention, even early days, user behavioral analytics on how people were trying to circumvent systems. And that has led to my current role at AppOmni, where we are the most comprehensive SaaS security platform to assess the SaaS attack surface and posture for critical SaaS applications that enterprises use.
Rocky Giglio (02:01):
Yeah, I love it. It’s a lot of fun to get your hands into as much as you can as you go through your career. And so I love seeing all those different names and technologies across your path. What do you see as the biggest challenge right now in the security landscape? Why AppOmni? Why now?
Harold Byun (02:18):
Why AppOmni, why now, is we’re really fundamentally seeing a continued shift to SaaS first. And in many ways as you look at organizations, and probably an unknown fact for a lot of people is that the SaaS spend really is three times that of public cloud infrastructure spend when you look at the overall budget allocations and where people are putting their data in, where people are spending their money. And yet the tooling available for companies to address security risks related to SaaS is almost nonexistent. It’s almost an inverted model when you look at what’s available for cloud posture, security management, CWPP. All of the cloud infrastructure monitoring tools that are available and provided by the infrastructure providers far exceed anything that’s available for SaaS visibility and control. And yet the amount of risk associated with the dollars and the data that’s put into SaaS applications actually creates an inverted risk model.
(03:20):
Going back to why AppOmni, why now, is that there’s a massive gap in the market in terms of how people are really looking at controls around SaaS. And yet the adoption only continues to increase. It’s exceeded the industry projection year on year for the better part of the past decade. And in many cases, we’re operating under a thesis that SaaS is really the operating system of the future for business.
(03:45):
When you look at a lot of cloud challenges, a lot of SaaS challenges, a lot of security-related challenges, whether that be colo, whether that be third party, the problem isn’t really that the threat, the nature of threat and the way actors are operating have changed. It’s that the data has moved. I mean, effectively, your cheese has moved to a different location, and so that requires different tooling and different visibility to protect where the data is living. And SaaS is no different in that regard.
Rocky Giglio (04:11):
Yeah, for sure. It’s interesting. I’ve done a lot of the end user computing space, and that’s kind of a similar thing that I’ve seen just through that motion is companies look at the tools that the users are using day in and day out, and they don’t want to spend on the other side of either efficiency or security because it just seems like yet another thing. And of course, that multiplies super fast too. So I think that’s another challenge you begin to face is if I have 500 users and each one of those costs me $10 a month for something, doesn’t sound like a lot at $10 a month, but then when you start thinking about multiply that times 500 or times 5,000 or 50,000 or 500,000, suddenly that’s a really big number.
(04:51):
I’ve seen that as a challenge a lot of times is we look at that cost, but not what you’re saying. We don’t look at the other side of that cost, which is what is the risk that we’re putting ourselves at as we continue to deploy these SaaS solutions, user computing solutions, and that’s where all of our data gets generated, gets accessed, gets shared, and who knows what, especially with all the cloud access. I did an audit for a company once just looking at their network traffic through the firewall. They had 1,400 SaaS applications that they were sending data out to, and we found some proprietary information out on a site that was hosted in China. I mean, it’s just stuff goes everywhere.
(05:29):
So every day you’ve got data coming and going across organizations, across these SaaS platforms. And yeah, that’s super important. I love the illustration of just that inverted, we’re just not putting the right effort on the SaaS side of things. So that’s super interesting. So how are customers responding when you bring that up, and what’s the reception been as you’re talking to customers in the field day to day?
Harold Byun (05:51):
Yeah. I mean, I think it runs the gamut. I’ve talked to some CISOs who have said, “Oh, well, I’ve got two factor, I’m covered.” And you say, “Okay, I don’t want to contest too much what you’re saying, but I would beg to differ. You’ve got you covered, but your APIs to this SaaS provider are wide open and you’re leaking half a million records. But 2FA is going to protect you there.”
(06:20):
There’s a lot of scenarios where I think that there’s a lack of awareness, first and foremost, but it does run the gamut. There’s people who don’t think that they have a problem at all and are covered by these other mitigating factors, which again, I just absolutely do not believe that that’s the case. We found time and time again where organizations are leaking significant amounts of data out of the SaaS provider, largely due to misconfiguration.
(06:45):
This isn’t something where there’s something fundamentally flawed with these providers or anything. It’s just that as the SaaS providers have matured, there’s a million ways to shoot yourself in the foot. And so it’s hard to know how to not shoot yourself in the foot, especially when SaaS application A is vastly different than SaaS application B, and that’s different than SaaS application C. And you’re using these to run different operational aspects of your business with different domain experts and different business owners. And so all of a sudden, going back to your multiple factor of 500 users doing different things with different endpoints, well, now we’ve got a heterogeneous control model where there are different controls, there are different terms, and there are different levels of expertise in terms of again, how not to shoot yourself in the foot. And so it becomes very eye-opening for a lot of customers to say, “I had no idea.”
(07:38):
Going back to two factor, we had a customer who invested a couple million dollars in a centralized identity provider with multifactor stepped-up authentication. And when we looked at their critical SaaS environments, MFA was set as optional. So you can basically bypass that on every single SaaS application in that organization. So that’s 2 million bucks out the window, right? So those things are pretty eye opening. And then just the nature of the ways that people are enumerating data schema within these SaaS applications, again, anybody who’s doing customization, there’s a ton of custom applications built on top of a lot of these critical providers at the PaaS layer. So if you go into certain retail organizations without disclosing information, the kiosk that you use to access information is built on top of some of these common well-known PaaS platforms.
(08:40):
There are entire hotel registration scenarios where that’s all built on top of a PaaS layer. And the challenge with a lot of these portals or lightweight applications that people build out is they’re like, “Oh, I’m exposing my customer loyalty number and my first name, last name, and email, and slot down, there’s no other information.” But you know what? The entire object schema underneath that API for that application is open to the world for guest access or anonymous access, and we can enumerate the entire customer database via that type of access point. And so those things are very eye-opening.
(09:17):
Then the last category are customers or people who tried to operationalize or build this themselves because they recognize that they have a problem. And there’s just no way for them to keep up with the rate of change and the continuous monitoring that’s required as well as the new releases that come out time and time again on a regular basis from these SaaS providers. And so it becomes a problem of A, do I even have a problem to B, I think I have a problem to C, I’m trying to solve that problem. And ultimately, putting in the guardrails and keeping up and keeping pace with the SaaS providers and their overall release cadence.
Rocky Giglio (09:48):
Yeah. Just trying to keep up. I mean, they say the average now is something like 400 different SaaS applications inside of an organization that are approved. So that’s approved vendors, not the 1,000-plus that are unapproved and sharing data. The impossibility of keeping up with that is for sure-
Harold Byun (10:06):
Yeah. Even the rate of change is running-
Rocky Giglio (10:06):
Oh, yeah.
Harold Byun (10:08):
… it’s incredible. We worked with a customer. They said, “Let’s look back 90 days and see how many critical config changes there were.” There were 150,000 critical configuration changes over that 90-day period. And so there’s no human or manual process that’s ever going to keep up with that.
Rocky Giglio (10:25):
Yeah. The impossibility of trying to go back through the 100 of those, let alone 150,000. And just what was this for? Did we really need it? How are we securing this? What are we going to do in response to this? How’s it aligned with our policies, and on and on the list goes. It’s utterly impossible, which is the importance of a tool like AppOmni.
(10:47):
For the customers that are tuning into this and thinking about, okay, we got multifactor turned on, you mentioned identity providers. So tell us a little bit about the integrations that you guys have built and some of the things that you’re seeing. As your customers are adopting AppOmni, what are they seeing? What are the results that customers are getting?
Harold Byun (11:04):
We break out our results into our best practices ratings where we have a set of baseline policies that range in the hundreds of thousands of control checks that will run for a given SaaS provider. In many ways, I think what we’ve built out is a common security language across that heterogeneity that I was alluding to. It’s almost like you’re speaking French or German, and you’ve got to make sense and reduce that down to common security primitives. So I think fundamentally, we do that and we do it by doing a comprehensive analysis of critical security controls with different ratings for them.
(11:43):
But we also have a curated set of findings that we call insights, which are really built by subject-matter experts in the respective critical SaaS applications, whether that be a Workday, a ServiceNow, Salesforce, M365, Okta, whatever it may be. And so those are places where we’ll find incredibly specific, difficult to unwind access control or posture gaps that people may not be cognizant of. And that could be something that is leaking data records to the anonymous internet. It could be that an API is misconfigured incorrectly.
(12:22):
It could be that in the case of one of the more recent ones, not even recent at this point, the GitHub breach via the stolen Heroku and Travis CI OAuth tokens. We had a curated insight for that within our product in less than two hours the Friday before Easter when that thing was announced. I mean, some of the providers themselves didn’t respond to that incident for four to six days later. And we had a number of customers that were alerted to that.
Rocky Giglio (12:51):
How many of our customers use GitHub? And so think about the amount of data coming and going on a day-to-day basis into something like GitHub and the importance of catching that vulnerability. You mentioned you guys helped catch that or you saw that. So talk a little bit more about what happened there with GitHub.
Harold Byun (13:09):
Yeah. I mean, in that case, there was obviously this incident where it was GitHub had actually announced that there were stolen OAuth tokens from a couple providers. And so we quickly, what we do, one of the things that we also provide visibility in, which is very eye opening for customers, is really looking at cloud-to-cloud connections into these SaaS platforms. And those are, in many cases, third-party plugins. In many cases, they’re riding an OAuth connection. That OAuth connection may be stale. It may be something that was issued a couple years ago, or in the case of GitHub and with Heroku and Travis CI, those were stolen tokens.
(13:48):
So we quickly did an analysis and found that roughly a dozen of our customers had those OAuth tokens in use. And so we quickly notified them, published this insight within two hours and had them actually remediate or kill those connections. The irony of this is that come Monday morning, ’cause this was happening the Friday before Easter, which is why I remember the dates so vividly. It always happened on these weekends right before the holidays. So it comes out and the next Monday, IT came back in and said, “Oh, this connection’s broken. Let’s re-enable that.”
(14:23):
There was absolutely no knowledge of the fact that this was an ongoing active incident. And it’s only from the continuous monitoring looking for those types of changes that we were able to catch that and flag that and then ultimately alert the security teams to say, “Hey, you probably want to talk to your business counterparts and let them know that this is something that is not in a state where it should be re-enabled at this point in time.” And so those types of cloud-to-cloud plugin-type connections are places where we ultimately see attackers trying to… and you’ve seen it probably recently as well. I mean there’s just been a slew of attacks via these third-party connections that have been announced even in the last couple months, many of them compromising source code repositories or identity-based providers. And so being able to be aware of those, being able to determine the authorization level, the permission scope associated with that.
(15:21):
The challenge with that is a lot of these third-party connections are also often initiated by the end users themselves. If I decide tomorrow that I want to write better emails and I want to plug in Grammarly into our enterprise email solution that lives in the cloud, I can do it and I’ll accept the EULA. Nobody in procurement was ever contacted. Nobody in security ever did any vet of what this application is, but it’s plugged in with read/write privileges into the environment. And so all of a sudden I now have a landing spot to try and figure out how I might be able to compromise and move laterally in that SaaS, in that at least SaaS instance on that platform. So those are the kinds of the dangers and we’ll quickly flag those for customers.
Rocky Giglio (16:06):
Yeah. I love that example because I’m the king of, let me try this thing to hack my productivity, and then I’m going to try this other one over here and on and on. At SADA, the IT team probably hates me because I’m constantly throwing stuff at them and like, “Hey, I need this authorization.” So we actually block all of that stuff without admin approval. Then I’m the guy that’s like, “Yeah, but make it work because I’m trying to get this done,” or I want to test this out.
(16:32):
There’s two sides to the security story that we’re all super familiar with. One is the, no, you can’t do that because we don’t know the risk. And then the other one’s like, hey, we’re not going to check at all, so have at it. And I think really what we need is something in between. This is where AppOmni excites me is there’s so much to be done in the space of the EULA, right? I mean, it comes to me as the user. I click yes because I don’t know. The thing says it needs write access. I’m going to give it write access. I know enough in the security space to say, “Hey, that’s probably not a good thing, and what does it need this for?” And just look at it. But at the end of the day, I don’t have a choice. If I want to use this tool, I got to accept the EULA. I’ve got to accept the permissions and roll with it and hope for the best.
(17:14):
So having something that’s watching that connection and looking for breaches and alerting me to, hey, this thing is suddenly pulling all your drive files out into who knows, some third-party service for whatever reason, is super critical. I need to know that. The company needs to know that they have that security as well. You want to strike that balance between productivity and security. I don’t want to tell Harold every time he comes to me and says, “Hey, I want to try this tool out.” “No, you can’t do it,” because Harold might find a tool that really does double his productivity and the productivity of his team. That’s impactful for us as an organization. But on the other side of that, I can’t just let my data be exposed to the world and hope for the best. So how are you guys balancing that?
Harold Byun (17:57):
It’s a very tricky balance. I mean, I’ve heard some folks say, “I don’t want to be known as the CI-no.” I mean, I don’t want to be saying no to everything. And at the same time, we’re all the kings and queens of our own little castle here. And so, I mean, I’m sure at least if I’m, not to date myself, but I mean I remember back on the Windows endpoints, I mean everybody was admin. I mean you had at least local admin privileges on that endpoint. And quickly people realized, oh, that’s a really bad thing and there’s all kinds of stepped-up attack methods to circumvent controls. And so you started limiting the privilege in the admin scope, you started implementing run as.
(18:38):
Then if you take that analogy further to the SaaS world, it’s like, well, SaaS does unlock a lot of productivity and there’s a lot of applications that’ll unlock that productivity. But again, now we see, well, it’s easy to enable users as admin for everything. And so how many users are admin across these SaaS applications when they don’t need to be and they’re over-privileged? Likewise, going back to the original point around installing these additional applications, what is the scope, and what is the permission? It is a balance. It’s not a CI-no carte blanche type approach, but you do need to balance it out.
(19:16):
And that brings me to the other kind of point here, which is around some of the other trends that we’re seeing, is really engaging with the business and really figuring out what the appropriate operationalization approach is for putting the appropriate security guardrails, conveying the understanding of what the risks are, and then coming to an agreeable, rational balance that’s going to serve both the business and secure the data.
Rocky Giglio (19:41):
How are you helping customers with that? Because that is absolutely what we need to be thinking about is relative to the spend… I mean, it’s 2023, probably gets talked about in every episode of every show, but there’s the macroeconomic situation that we’re in and everybody’s thinking, “Hey, where do I spend money? Why should I spend money on this new technology or this new security tool?”
(20:04):
There’s a real need to quantify that, which I think is where you started, the inverse pyramid of where we’re spending. But then how do we align with the business there and how does AppOmni help highlight the challenges or the risks is really a better word. What are the risks to a business as you guys are coming in?
Harold Byun (20:25):
Yeah, yeah. No, it’s a great question and a great point. I think if I look over my career in security, that’s always been such a friction point with the business and how to engage with the business and what is the appropriate level. I think that that’s matured a lot over the last few years. There’s a couple places where we see success specifically. One is we, in many cases, engage with a center of excellence or the business application owners and their teams. In some cases, those folks are very resistant like, “Look, trust us, we got everything locked down. You don’t need to come in here. You don’t need to look at anything.”
(21:03):
In other cases when we do run POCs, it’s very eye-opening as well for the center of excellence folks, and they find incredible usefulness in the tool. And then it becomes very much a joint project between security and the business to again drive towards that common operating model. So that’s one place where we see a lot of success. I mean, I think everybody has the best interest of the business in mind and best interest of the customer in mind. It’s just that everybody’s strapped for time, and so it’s really, what does the rollout entail? How do you create these milestones or phases for how you actually want to roll this out so that you can achieve some wins and demonstrate again that there’s mitigation to the business and it improves the operating model.
(21:47):
The other place where we see a lot of success, especially in the down economy, is really tighter integration into CI/CD pipelines and push out and development of applications on top of the PaaS layer. And so we’ve got customers that in some cases are claiming a 400% increase on the release cycles because we’re eliminating a lot of the manual security reviews or the architecture reviews by establishing these guardrails. And they really use AppOmni as a stage gate for validating the dev environment versus the UAT environment versus pre-prod and prod. And if the checks fail, just like any type of Jenkins or CI/CD check-in for code, then the code doesn’t get promoted. And so this is classic when you’re promoting code in staged environments because the dev team typically runs with everything turned off. And production, you run with all the security controls turned on.
(22:44):
So what happens when you hit production and you needed to deploy this for the business? It didn’t work. Well, let’s turn off those security controls so then my code works. And that’s kind of the backward shift-right model versus the shift-left model that I think everybody’s trying to get to. And so we really help organizations that are trying to establish us as a shared service. And what they’re finding is faster release times, less back and forth, less round trips with the developers, and just a cleaner path forward to releasing code in that model. And that ultimately accelerates the business, which generates an ROI in this down economy and further secures the business. So that’s a win-win, right?
Rocky Giglio (23:23):
Oh, yeah. It’s definitely a win-win. And that’s a key theme I think this year that I’m hearing from customers as well is just that shift left. We talk about shift left a lot from a security perspective, getting the security controls into the code earlier, do more via policy and infrastructure as code. I’m saying that like it’s a bad thing. It’s a thing we all have to be thinking about, we need to be focused on and continue to drive, but it is a challenge. It’s also not a, hey, turn this thing on and go.
(23:54):
It’s hugely impactful to be able to insert something that’s going to make that faster, that’s going to allow us to integrate across all of the data sets that we’re deploying and pulling into our application code. Tell me a little bit more about that, because I was only barely aware that you guys were in that space. So I’m thinking about the competitors in that space that are, I’m thinking Snyk that’s doing the container stuff, and there’s a whole bunch of other players out in that space. Where do you see the distinction for AppOmni versus the marketplace there already?
Harold Byun (24:29):
I do want to clarify, we’re not explicitly playing in those spaces. We’re kind of an integration hook where what we’ll do is we’ll analyze the environments and do a comparison like for like. I mean this is classic configuration drift. So we might integrate alongside something like a Snyk or integrate alongside… We’ve got customers that are including us in a stage-gate in conjunction with Veracode and in conjunction with a Veracode scan result on code. So they’ll do the code level check, they’ll do that analysis. Then they’ll do the environmental checks. They might have some custom scanners that they’re also doing. We basically become part of that overall release pipeline. And if any of those fail at a certain threshold, then the code doesn’t promote and an alert is triggered, but it vastly reduces the amount of manual workload once you set those guardrails up.
(25:26):
That’s going to give security the opportunity to redeploy those resources to other projects. It’s going to free up their time. It’s going to give them the ability to look at other potential risks or gaps in the security model for the business. And ultimately, I mean even from an operational perspective, I mean we’ve got customers that are exclusively using us in a programmatic fashion as that shared service where it is all API driven. There’s no hands on keyboard. Nobody’s even allowed to log into the solution, although we have a fantastic console for people to operate from. But people want to more automatically provision these policies and guardrails and have them deployed exclusively via API and scripting.
(26:10):
Again, that’s going to also have a return on the security team itself in terms of what is your bandwidth? What can you do for other projects? How many business units can you support at a given ratio? So these are all things that I’m sure security leaderships and businesses are going to be looking at from a ratio and metrics standpoint going forward in 2023.
Rocky Giglio (26:29):
Yeah, for sure. I mean, I think that’s one of the key things there too is one of the challenges why that shift-left conversation is still out there is it just takes time. It’s hard to do. It’s not just an easy turn this on and go kind of thing. And so now we need tooling to do that. We don’t have enough people. I mean security is the only industry I think that has a hundred percent hire rates. There’s no open people sitting out there going, “Yeah, let me look for a job.” And so that does present a challenge as we continue to try to integrate security into more parts of the process, the deployment processes, the updates, the software catalogs, the user data, I mean all the things we’ve been talking about. It puts a real burden on the security team that they can’t necessarily handle.
(27:16):
That’s where we’ve seen interest in things like managed services on our side from our customers and just helping write that code. And we have a whole GitOps team that we can bolt onto a customer’s environment and help them do those things. And then from AppOmni, you guys coming in alongside of the service providers like us and being able to help really make that transition is key. There’s this ideal of, and you mentioned it, nobody logs in, that everything gets deployed via a process so that we can put these gates in place. And I think I see a lot of customers struggling with that and struggling to get to that point. What are you seeing as some of the key things to help be successful with that?
Harold Byun (27:57):
Yeah. I mean, I think part of it is really, obviously, setting up some milestones and what success looks like for that customer and then really looking at their operational model and how you can establish, again, some of these quick wins in a phase one. Part of it is obviously base-level assessment and visibility. Then the next step from that is probably refinement and tuning of the policies or establishing the custom policies, which is where a service provider such as yourselves can also help with a lot of the expertise around cloud and SaaS and making recommendations around that policy configuration and tuning, what is the operational model to engage with the business.
(28:35):
And then as we go lights out, I mean, I guess if you want to call it lights out, I know that might be an overall used term or more an operator in a more automated fashion, helping construct those scripts once we agree on what those policy value settings are, what the process is to modify or update those configuration settings. And then helping customers with establishing almost what I would think what we would call almost security policy and implementation by code. And so in that sense, you are operating in this automated deployment model, but in conjunction with the service provider and the customer agreeing on what those values and settings are and then helping them get deployed into what does the scripting operation look like.
(29:24):
Obviously, having knowledge of our API set is going to help a service provider have an extreme leg up in terms of knowledge and accelerating the customer to get deployed in that manner. And so that’s definitely an area where we see a distinct need.
Rocky Giglio (29:40):
Yeah, for sure. What’s the illustration? The man, the dog, and the factory, right? Yeah, the man’s there to make sure everything’s running. The dog’s there to make sure the man doesn’t touch anything.
Harold Byun (29:50):
There you go.
Rocky Giglio (29:52):
But there’s a reality to that that is necessary in order to be secure in an environment where 150,000 configuration changes that happen in an average environment or something along those lines, I think you mentioned earlier, nobody can keep up with that. And so we do need that machine. We need to leverage things like AI and ML to identify patterns that are particularly bad and bring those forward so that we can respond to them. But then along with that is the need also to automate everything that’s going on and make sure that when we deploy something, it goes through these security checks automatically.
(30:28):
We can’t go back through 150,000 configuration changes, but we can have a policy in place that automates the security from the get-go so that when it goes out, when that configuration change is made, security’s built into that process. I think that’s a critical component of just really not only leveraging AppOmni, but just building a security policy and strategy that’s going to be successful in the long run. Right?
Harold Byun (30:50):
Yeah, absolutely. And I mean, I think again, where service providers can help is really helping these customers define, to put it more simply is, is what does good look like? We know what bad looks like and we know what good looks like. And so let’s spend our time defining what good looks like through policy. And when those 150,000 changes run, evaluate very quickly in an automated fashion, are they good or bad? And then that’s how we can really ultimately make sure that we’re sticking to what we believe is the good baseline and make sure that we’re bringing things back to that baseline on a continual basis. It’s almost kind of an immutability to the SaaS configuration and making sure that we’re constantly resetting to that to the ideal. Right?
Rocky Giglio (31:37):
Yeah. Love it. I love that language too, the immutability of it, because that’s something we’re already familiar with in the DevSecOps conversation. Everybody’s talking about that and that is again, the ideal of how we ought to operate. And so thinking and bringing that same mindset into the SaaS world I think is super critical because it gives us a consistent operating model. We’re not trying to change what we do in SaaS versus what we’re doing in infrastructure and so on. So I love that.
Harold Byun (32:04):
And it’s very relevant to the threat factor for SaaS too. I mean if you look at the way data is taken out of SaaS, it’s not an extended kill-chain event with lateral movement. It’s a smash-and-grab operation. And so if you’re not operating at baseline with this immutable approach of what good looks like, then you’re open to that smash-and-grab operation and it’s done. The horse is out of the barn when the horse is out of the barn. There’s no way-
Rocky Giglio (32:27):
Yeah, the data’s gone. It’s too late.
Harold Byun (32:28):
Running out in the field and chasing after it and trying to bring it in, right? It’s gone.
Rocky Giglio (32:33):
Yeah. Here’s your $10 million bill to get that cleaned up. That’s never fun.
Harold Byun (32:37):
Yeah, really.
Rocky Giglio (32:38):
Yeah. Well, good. Harold, it’s been great to have you on the show. I know you guys are also working with SADA as an ISV Alliance partner, so I’d be remiss not to bring that up and just say thanks for working with us.
Harold Byun (32:48):
Thank you for working with us. Very much appreciated.
Rocky Giglio (32:54):
Yeah. It’s been great and I hope to have you on the show again here in the future. And obviously, this year with our partnership in place and we’re kind of off to the races here, excited to see how customers adopt AppOmni. And of course, if there’s ever any questions on this, hit them up on your website. What’s your website address? We can stick that in the show notes as well.
Harold Byun (33:13):
Oh, yeah. It’s appomni.com, A-P-P-O-M-N-I.com. So, yeah.
Rocky Giglio (33:20):
Very cool.
Harold Byun (33:21):
Come give us a visit.
Rocky Giglio (33:22):
Yeah, check it out. And obviously, hit your SADA rep up as well as they’re part of our partner program, and we’d love to work together with you. So Harold, so this has been a great conversation. Obviously, these trends are continuing to take shape in front of us in 2023 with all the things going on. Great to have you on the Cloud N Clear podcast. And for all of those that tuned in, hopefully this is insightful as we start thinking about securing our SaaS applications, which we know we all have.
(33:48):
Again, I think it’s back to where we started, Harold, right? Everybody’s like, “Yeah, we’ll get to that later. We don’t need to do that. I’ve got MFA turned on.” We can’t ignore this area, especially now with the number of breaches we’ve seen, with all the changes and the speed at which we’re making changes as well. So yeah, love the conversation. The challenge is real. The need is real. So anyone listening, check out AppOmni and reach out to your SADA rep for more information. Thanks all, and don’t forget to subscribe and like the show. Thanks, Harold.
Harold Byun (34:22):
Thanks, Rocky. Take care.
Rocky Giglio (34:22):
Likewise.
Harold Byun (34:23):
Okay, cheers.
Narrator (34:25):
Thank you for listening to Cloud N Clear. Check the show notes for links to this week’s topics, and don’t forget to connect with us on Twitter, @cloudnclear, and our website, sada.com. Be sure to rate and review the show on your favorite podcast app.