Jonathan Fisher, CEO, Bharosa

SAN FRANCISCO -- Computer security vendors come in many flavors. Some, like Symantec, offer several security products to thwart viruses and malicious intruders.

Others, like Ping Identity, specialize in locking up customers' identities to facilitate federated computer communications between users in a secure network.

Bharosa ("trust" in Hindi) is a startup that wants to excel in two distinct areas: fraud detection and multifactor authentication.

The Santa Clara, Calif., company's Tracker verifies the device the user is coming from and profiles the risk, using the device as a second factor. Authenticator then uses a virtual token to securely send data online and protect the password or PIN. caught up with Bharosa CEO Jonathan Fisher at the recent RSA Conference to chat about industry trends.

What are the challenges of playing in both fraud detection and multi-factor authentication?

Fraud detection, if installed correctly, can do a better job [than products] designed for Web-based permissions. Great idea at the time.

Fraud detection can generate Web-based permissions based on thousands of distinct criteria all in real time. You're seeing fraud detection not just as additional security, but also as an interoperability platform uniting disparate philosophies and vendors. So the real challenge for me is to see how deep we can go within each enterprise customer because there's gold when you get there, and there's gold in phase two and three.

With authentication, the big challenge is: how much security do you give millions of end users. What we've found is, don't change the user experience at all. Give them fraud detection and then allow the fraud detection to invoke various forms of authentication as you go along.

One market challenge is a hypothesis. I personally believe millions of users should be subjected to a default authentication or stronger authentication, but the banks and e-commerce guys are a little timid in that area. And rightly so. You don't want to deploy a new technology to five million users and generate two million customer service calls that day. So the market challenge is how much, and beyond that, how you deploy strong authentication across a very large user population?

That's where, in my mind, the interplay between fraud detection and authentication and the expertise comes to bear. You really have to get that straight as far as when you give someone extra authentication, when not to, and how to mitigate the risk of false positives.

How do little guys like you compete with bigger vendors?

There's a constant decision the enterprise has to face whether to solve security problems through many points, many vendors and corresponding points of failure, or if they have a single point solution. I think Bharosa fits very cleanly in the middle. We do some things very well, but of course our product line is not as robust or as built out across the gambit of solutions as, of course, RSA and VeriSign.

Where it's very hot right now is in enterprise and portal security. Compliance is the primary driver there, whether it's Sarbanes-Oxley, HIPAA. Our key value proposition is correct; everyone needs fraud detection. Multifactor authentication manifests in a variety of different ways. So combining the two, especially the knowledge of how to invoke multifactor authentication based on scoring and risk and rules when you're dealing with 150 or 200 concurrent users across a five million user population, with all due respect to our competitors, gets very, very tricky.

RSA and VeriSign have acquired comparable technology in various roll-up strategies. But putting these various technologies together is not something at first blush that works as well. Do these things exist for a reason? Were they built to exist together? We're noticing some integration-related challenges [from the competition]. So, that's really our value proposition -- from under one roof, a nimble startup company, customers can get that holistic approach.

Do you want Bharosa to get acquired?

I believe the best home for this technology, if applicable, is with a world power. I think we've done a lot of work. I think we have a great technology and I think it deserves the best home possible as far as leveraging this particular asset. I'm running this company as far, as hard and as fast as we can. But we are being approached.