Andre Durand’s name is synonymous with identity and access management (IAM). Through a lifetime of fighting on the side of good to protect people and enterprises from external threats, Durand can speak to the absolute worst that cyberspace’s bad actors can think up for unsuspecting businesses.

His track record in tech companies began in 1993, when he founded his first software company with just $10,000. Durand Communications built the world’s first online photograph database for bulletin board systems – the servers that allowed users connecting via dial-up modem to share messages, files, and play games even before internet use was widespread. Then, in 1999, came a move to Denver, Colorado, where Durand founded Jabber, an early player in enterprise instant messaging. That business was snapped up by Cisco Systems in 2008, which incorporated the technology into its own collaboration services. 

It was in 2002 that Durand’s interest in identity management was piqued with the launch of Microsoft Passport – the original single sign-on service – and he started to deeply question the assumptions that were being made when different parties interacted online.

“I had an epiphany,” says Durand. As far as internet communications were concerned, “anonymity was the default,” a state of affairs that was both liberating for users and intensely vulnerable to abuse by threat actors. Consequently, Durand founded Ping Identity, which has been a major influence on the enterprise identity and security space. Acquired in 2022 by Thoma Bravo in a deal worth $2.4bn, it still serves more than half of the Fortune 100, handles 8bn identities worldwide, and remains one of the principal gatekeepers of the digital landscape.

In the following interview, edited for length and clarity, Durand discusses his upbringing in Amsterdam, the beginnings of his love affair with software, and the immense danger deepfakes pose to the cause of identity management on the internet.

Worry more – a lot more – about deepfakes and their impact on identity management, says Ping Identity’s Andre Durand. (Photo: Ping Identity)

What led you down this path of becoming a tech entrepreneur?

Andre Durand: I have always been an entrepreneur, and that piece of me was always in my genes. I was always building and selling things. I did everything, including a paper route, but even then, I was also selling synthetic motor oil to customers on that route because my uncle was in that business. I was dumpster diving to get bike frames and then fixing them up and selling them at swap meets.

When I was four years of age, we had moved to an apartment in Amsterdam, and my mother didn’t know there was an international school a few blocks away, so I stayed home a lot. It was a lonely existence, but I got a lot of toys to play with. My mother tells me that I asked for a cash register so that I could sell my toys to kids in the area. I sat there for three days opening and closing my store in our third-floor apartment without selling anything, so she soon realised I needed to be around other kids, and she found the international school.

What made you decide to turn those skills towards software development?

I fell in love with software at 18 or 19, when I started reviewing it for a mentor of mine who was being asked to review but was not getting around to it. I remember two shelves of software in his office – maybe 30 different boxes – so I took them home one by one and played with them. I saw that with some of it I could do better.

It was all kinds of things from contact management software back in the age of GoldMine, when there was no Salesforce or cloud infrastructure, to project management software and everything in between. After leaving college, I got the idea for Durand Communications and that later led to Jabber, which Cisco embedded into its Webex messaging product.

In 2002, I remember Microsoft had announced Passport during the dotcom bubble, when the internet was taking off. If you logged into Microsoft, it would log you into other sites on the net, which it could do because Microsoft had a good lock on operating systems. Immediately, there was a reaction from the industry. Sun Microsystems started working on a more open version of something like Passport. That is when I had my epiphany about identity management.

What did you realise about the IAM space that others had missed?

Initially, the internet was two trusted servers in two universities talking to each other, so if you got access to the keyboard, you had clearance. Trust and anonymity were the default. As the internet became more mainstream, it occurred to me that if you don’t know what or who you are talking to on the other end, it could be problematic, so there had to be a way to have more certainty in online interactions.

I remember a poster that read ‘on the Internet, nobody knows you’re a dog.’ I realised that the internet needed an identity server of some sort. Since then, I have been on a 23-year journey to find the solution. In the large enterprise space that we serve there was a thriving identity management market.

Sun, Oracle, Netegrity and many others were helping with identity management, but everything was very proprietary, very much Version 1.0, but identity is bigger than any single company. Their identities needed to be interoperable with other organisations’ identities. They needed an internet-scale identity which required open standards, not just enterprise-level identity management. We rode that transformation, following and implementing open standards.

What enabled you to create a company in an industry that, at the time, didn’t exist?

Personally, I have always had good intuition about this space, born out of good listening and sifting out the important comments. I naturally have a good signal-to-noise ratio. I have been blessed with an ability to find the pattern early, to see the signal through the noise, and I also have a good combination of grit and adaptability. That is what has made the difference in terms of longevity.

Things change, but we found a way to adapt to emerging opportunities and threats. That takes a lot of grit. Raising money was hard for Ping over the years, and we had to withstand people who did not understand what we were doing. If we were easily discouraged, we might not have survived, but we stuck to it, and we adapted if our story did not resonate.

What does the rise of AI and deepfakes herald for identity management?

It is going to be really challenging to keep pace with that. AI deepfakes are so real that human recognition can no longer determine what is real and what is fake. A talent studio in Hollywood has created a new actress – Tilly Norwood – who is 100% AI. Other studios and labour unions are up in arms; they can see the writing on the wall. You cannot tell that she is fake; her movements are so good and precise, and human, and the flaws are so real.

AI has given rise to two threats to authenticity and digital interaction. Firstly, deepfakes mean we cannot trust our eyes and ears. Secondly, agents have become autonomous entities that can act on your behalf, see what you can see through your browser, log into your accounts, inherit your logins and your security credentials, move your mouse, type your username and password and log in as you, and mimic your biometrics like the shakiness in mouse movements.

We now have to determine good bots from bad bots. And even good bots can have their authentication compromised, so things have got very complicated very quickly. The principles of zero trust are what the industry must rest on. Implicit trust no longer works, and even explicit trust may not always work. We have to verify and then trust – give no access privileges by default. Zero trust says there is no outside and inside. Assume that bad actors are already on the inside.
