In this standalone episode, I speak with Jason Miller. Jason is the founder of Kolide, a company recently acquired by 1Password. In this conversation we discuss Kolide's acquisition by 1Password, the synergy between Kolide and 1Password, the challenge of password management, the concept of device trust and zero trust, the limitations of current MDM solutions, engaging end users and security remediation, the philosophy behind Kolide's approach, the importance of human-friendly security solutions, future plans for Kolide, and the potential for broader application of Kolide's technology. And with that, here's our conversation with Jason Miller.
All right, Jason, welcome to Unsupervised Learning.
Thanks for having me.
Yeah. So I understand you've had some big news in recent weeks.
Yeah. Yeah, it's been a whirlwind. Uh, as I think some folks have found out, we've been acquired by 1Password. We announced that a few weeks ago at the time of this recording, and, um, it was a really big deal. Uh, it's something that we've been working on with them for a while in discussions, and it was awesome to finally be able to talk about it publicly. But I've always loved the 1Password product. I got to meet a lot of the folks who lead the company there, including the original founders. And, uh, they're incredible. They're just as good as the product that they sell. And that was really important to me, because some of the foundational elements of Kolide were around treating end users with respect, honesty, getting in front of end users and giving them an understanding of what's wrong with their device. Well, they do the same thing. But they focused on probably even the harder problem than we solve, which is what do you do about passwords? How do you keep yourself safe with all these different logins to all these different apps? They've solved that so well that it's been ubiquitous, like everybody uses it. And that was always a goal for me at Kolide, to achieve the same thing, but in the device trust space and for end user driven remediation. And so for us, like, culturally the fit was perfect. And it's great for me because we get a lot of opportunity to still grow in what we're doing at Kolide. But now we have a lot more resources, and that would have had to have come through the form of venture capital and a number of other things, and the incentives can sometimes get misaligned. I'm really confident that with 1Password, we're going to be able to continue our mission, achieve it at a much faster pace and keep what was core about us, our DNA, the same, because they're that way too.
Yeah. That's great. So talk about some of that synergy. Like, how did this, uh, what do you think they saw in you? Obviously we think it's a great product, but like, the different spaces, a lot of people might be like, wait a minute, which space is 1Password? Which space is Kolide? How do you see that merging, both when you first heard about it and then also now, like, as you actually implement it?
Yeah. I think to understand why 1Password likes Kolide, it's not about necessarily product or feature synergy. We're in different areas. And the thing that makes sense to them is, like, the way that 1Password sees themselves. After talking with them, they really see themselves as a company that is distilling down a really hard topic, you know, a hard problem to solve. And in their case, that's password management, and making it something that is easily solved through software and technology, and distilling it down to a level of simplicity that even my mom could figure out, right? I mean, before there were password managers, there really weren't. There were a lot of recommendations on what you're supposed to do to do a good job, to keep yourself safe. From a password perspective, you're not supposed to reuse passwords. You need to have a certain level of complexity. So we're doing a lot of talking as security practitioners and telling people what they need to be doing. But we weren't giving them any tools to really effectively put those things into practice. And that's what 1Password was able to do. On the Kolide side, we have a very similar challenge in front of us. We have a lot of IT and security practitioners who tell end users all the time, hey, you got to keep your OS up to date. You need to have disk encryption enabled. You need to have System Integrity Protection on. The browsers need to be up to date. You need to do this. You need to do that. And today the tools that we have to help users solve those problems don't work very well. We have MDM. Most of Kolide's customers use MDM, but it has a flaw. And that flaw is it can only work on the devices that it's installed on. And there's nothing that really stops people from signing into your most important apps with their personal devices. Right? You need to have something in place that says, hey, these are the rules of the road. You're going to either have a device that's managed under MDM, or in addition to that, or alternatively, you're going to meet these basic security requirements before you can get on AWS, before you can get on GitHub, before you can get on Salesforce. Like, these are the core apps that we have that have sensitive data in them. You need to be on a computer that's safe. Well, there's no real good answer to that. And Kolide has found the beginnings of that solution for folks who have Okta. And our plan is to make that as ubiquitous as the 1Password password manager is for passwords. We want to be that solution for solving that problem for devices.
Yeah, that makes a lot of sense. I heard someone describe business strategy in an interesting way before. They said, look for a really acute problem that's just so annoying for people, and just solve it more elegantly and better than anyone else. And both of the two problems that you described, they very much fit that.
That's exactly right. And that's why I think 1Password has enjoyed so much success. It sounds like they have some, they have really great people there. But let's be clear, the reason why they're so successful is they've built an incredible product that solves a real problem that people have. That's hard to do in the security space because first, it's really hard to get people to even recognize there is a problem. So like, in Kolide's case, the thing that we battle all the time, and one of the reasons I even come on podcasts to talk about it, is people don't necessarily recognize that it's bad that any device can sign in to most of your apps, including the devices that are not under management. And that's universally true in a lot of organizations today. Device trust and zero trust as concepts are new. Yeah, only a few years old, and the concepts are older. But the products that actually create the outcomes people are looking for are really new. And so most organizations are in a state right now where, yes, they have MDM, they have all these things, but they're not actually, they haven't created a protective layer that actually ensures that devices are in a basic state, so a basic state of security. So fundamentally, Kolide, uh, we're solving that problem, and we're trying to solve it in the most elegant way possible that still preserves the cultures of these companies. Like, a lot of companies allow a pretty broad BYOD program, or they have contractors that don't use company provisioned devices, and they want to preserve that cultural element of their company, but they want to have some semblance of security. Well, what is the state of the, what can you purchase today to ensure that happens? There really isn't a lot out there.
A lot of the zero trust, device trust solutions that exist on the market today implicitly assume that the way that you're going to decide whether a device should be signing in or not is whether it's enrolled on the MDM. But if you have a big BYOD program, end users aren't going to want to enroll their devices in the MDM, nor is it really appropriate for them to be doing that in some cases. Or contractors, they may be on their own MDM and they're not on yours. And a lot of the solutions out there just don't work in that world. We've sort of distilled it down beyond that. The thing, the key insight that Kolide has had, is you can't assume that a device is in a good state just because it's on the MDM anyway. So let's just start at first principles. Yeah. What is the disk encryption story? What is the OS version? How long has it been since the device has been rebooted? So on and so forth. And you can run hundreds of different checks. Let's just look at those at a baseline level, not even thinking about the MDM. And if they're not in that state, then they don't get on. But more importantly, we can engage with the end user to get them to fix those problems while they are being informed that they're blocked from signing in. And that's the key. And that's why this type of solution is so important, because it will work on anything. Like, we support Linux, you have mobile devices. The reason why we can do that is we don't need a special API to fix the problems. The interface to fix the problems is the person sitting behind the computer. Yeah. And if you embrace that and you make it so that they understand and they have the motivation and the tools to do it, they can solve any problem. Even the most nuanced security issues your organization is trying to solve today, end users can fix for you, and with perfect efficacy if you do this the right way.
Yeah.
Yeah, that makes sense. It's actually interesting. I mean, that zero trust story really does resonate, because it's like you're falling back and saying, look, this MDM thing, it hasn't worked out that perfectly. And you're dealing with the reality that is, which is the business hands out laptops to people and says go to work. Like, that just happens. And then when security is like, well, you don't have the MDM, we can't let you on. Like, we're literally stopping business.
Right? Yeah. And it's a concern. Well, what's interesting is that the companies don't really have good tools today to measure how effective their device program is. So let's say you don't have a zero trust or device trust solution today, and you're trying to understand, is that even important? Well, the first thing that you need to do is you need to at least cast a net and understand who, what devices are even signing into apps. Yeah. And there really isn't an answer to how to solve that today. You know, that's one of the things I'm working on with the 1Password side, is can we actually help capture that? But let's say that report did exist. Let's say I could give you a report today for your business that said, here's all the devices that we saw log in to this app, and here's their state. Without deploying an agent or anything like that, let's just say that report exists. I think the challenge is that you're going to see a lot of things. You're going to see, hey, a lot of these, some of these devices aren't on any MDM. Some of these devices don't have any disk encryption. Like, they just, FileVault is off if it's Mac, or BitLocker is off if it's Windows. Here's a bunch that have, like, an OS version that's three years old, four years old. Yeah. Probably exploitable remotely, easily, by any drive-by malware that could go to the wrong website and you're popped. You would see a report that says that. And then the key insight is, after seeing this report, what do you want to reach for to solve that problem? And I think what a lot of folks naturally reach for is, oh, we need more MDM. Well, no, not really either. You already have MDM and that's clearly not working. We've captured a bunch of devices here that are being used to do real work that aren't on the MDM. So now that program's not working. And the other thing is, you don't have any way of even effectively measuring the security of these devices outside of the MDM. So the right thing to reach for isn't an MDM in that case. It's to reach for device trust. It's to say, hey, let's say I have Okta. Let's figure out a way during the Okta authentication flow to vet a device. Let's figure out what's going on with it, and then let's not let it in if it's not in the right state, but not block work. As you said, let's actually give that person who is being blocked a path to redemption. How do they get their device in the right state? And they'll be highly motivated to do that because they want to go and get to work. And then how do you get the nuances of that interaction right? Like, maybe it doesn't start off with a block. It starts off with a warning and you have 14 days. Or maybe it's not even a warning with consequences. It's just an FYI, like, hey, we're gonna, in the future, be rolling out this program. If it were to have been implemented today, you probably wouldn't have met the bar. You may want to start thinking about that. And then graduate to an explicit warning with a time deadline, to then eventually a block. And maybe even when they're blocked, you don't. You give them one more snooze, right? And then they can still get it if it's an emergency. So those are like the types of human elements that we've built into the Kolide platform, because now we've been running this app, we've been selling this product for about a year. We're going to continue to sell it at 1Password. And we've learned a lot about how end users react to these types of screens. And it's been incredibly effective. Like, all of our customers today have essentially been able to achieve perfect compliance in anything that they want by utilizing this mechanism, which has been fantastic to see.
Yeah, I love the fact that it's enabling business to happen. I also love the fact that you're using the best possible resource for remediation, which everyone has been hesitant to do, which is the person actually using the computer, and you're sort of guiding them. And it's like, you know what this reminds me of? And hopefully this isn't offensive in any way. But, um, I've been, like, kind of marveling at Calendly. Yes. So it's like, okay, wait a minute. What are you doing exactly? Like, how bad was this problem before? Billions of people probably suffering from a problem that, like, the big tech scene has not solved, and someone comes in and cleanly and, like, elegantly solves this one thing. It's like, what? In their case, it's like, how do you share calendars? Okay, they make this one thing. It doesn't do that much and it's amazing. And now everyone uses it. And guess what? When the bigger people try to compete, they cram all this extra stuff in. They actually miss the point of the app and end up making something inferior. Even though they have a much larger team, it's because they miss the philosophy of it. And I feel like the Kolide product basically really understood the problem and really understood not to over-engineer the solution and to kind of just make it as clean as it needed to be.
Yeah. And I think ultimately the reason why we were able to see that problem isn't because, like, we're clairvoyant or we understand it. I think we started off looking to solve, like, fundamentally, I don't think that the existing security solutions on the market are very human being friendly. Yeah. And I wanted to build a security company that had that as a core principle. So we were sort of, we knew that was an immutable part of Kolide. How do we build something on top of that? The second thing that is part of my DNA that sort of informed this was I worked in manufacturing as a couple of the first jobs that I had, and like, you know, actually on the machine shop floor. And a big part of that experience was safety training. And I remember, like, sitting down, you're getting the orientation. It's like making sure that you're being aware of your surroundings, and like, but you learn about some of these systems that were put in place, and every single safety law and process is written in blood, right? Like, people died. And then they figured out a way to stop that from happening. And the one that really stuck out to me was this concept of lockout tagout. So for the folks who are not familiar with this, let's say you have a really dangerous piece of equipment on the shop floor, and someone needs to repair it. Well, previously, before lockout tagout, what would happen is that person would climb and they would turn off the machine. They would climb into it, and they'd probably tell everybody, hey, don't use this machine because I'm going to be fixing it. And then they'd repair it. And then what would happen every once in a while is someone wouldn't realize someone was in the machine. They would turn it on, and then that person inside the machine would die. So that was a really bad outcome, obviously. And the problem was, is like, no matter how much training you gave to be like, always check inside the machine.
Yeah.
People were still dying. So the right solution wasn't more training, and to give them more PowerPoints or more manuals or scary videos. It was to actually engineer a system that would hack around the fallibility of human beings and actually solve it for good. Yeah. So the way lockout tagout works is when that same person is going to decide to repair the machine, they actually go up to the control panel and they lock out the controls, and they take the key that is used to lock out the controls with them, so that if anyone even tries to turn on the machine, they can't do it because they don't have the key to unlock the controls. It's with the person. Yeah, who's physically repairing the machine. And that one simple trick effectively eliminated that whole class of deaths on a machine shop floor. Well, I feel that the problems that we face in the security space about getting human beings to do things, we're still stuck in, like, the old 1920s and 1930s Industrial Revolution phase of it, where we're trying to, we know that we need to get end users to know how to do things. But the instruments that we're wielding today are all training videos, you know, yelling at people when they're not doing things right, adding MDM. But we really need human based systems that understand human psychology. They understand how people operate. They understand that people need systems that will prevent the thing from happening entirely. And that's what Kolide is. I think it's the first product on the market that takes lessons learned from those safety industries, and then brings them in to the world of cybersecurity and gets end users at scale, with almost perfect efficacy, to solve problems. And that's what we've built. And that's why 1Password was really excited about what we're doing, because they see their systems, and the way that they arrived at their answers, is a very similar methodology.
Yeah, absolutely. That's, uh, that's really interesting. And I like that story a lot. I've done a bunch of work in the safety space as well, and they take it very seriously. And like you said, when you care, you engineer a solution that solves that problem. And, uh, yeah, I really like that analogy. Well, where can everyone, uh, find out about the product?
Yeah. So you could still find us at Kolide.com. And today we still sell to folks who have Okta, so none of that's changing. We're still open for business, we're still selling our product. And in fact, we're starting to reach out now to folks who don't have Okta. So if you have Google Workspace or use Microsoft Entra, we have something in the works that we're going to be launching later this year. And we want to start talking to folks to get their insights on what we're building and to get them in a place where they can even beta test it. So if you have Okta today and you want to use something like Kolide, go to kolide.com, kolide.com. And if you have something different that you use for single sign-on, hit us up as well and we'll have a chat.
Awesome. Great talking to you.
Thank you so much for having me.