Interview: Thales IAM Director On Imperva Acquisition, Rising Enterprise Passwordless Adoption

Expert Insights interviews Jason Keenaghan, Director of Product Management, IAM at Thales

The Thales Identity and Access Management (IAM) platform is used globally by more than 80 million people, in more than 3,000 organizations. In December 2023, Thales completed its acquisition of Imperva, creating a new data-centric security portfolio covering apps, data, and identities. Thales now employs more than 5,800 cybersecurity experts across 68 countries and expects cybersecurity revenues of €2.4bn in 2024.

The Imperva acquisition brings new capabilities to the Thales product portfolio, including application security (e.g. web application firewall, API security, and runtime protection) and data activity and security solutions. These will sit alongside Thales’s existing data security and identity and access management solutions, which include workforce identity, customer identity, B2B, and gig workers with capabilities for multi-factor authentication, single sign-on, and passwordless.

“Imperva brings lots of complementary capabilities into Thales,” Jason Keenaghan, Director of Product Management, IAM at Thales tells Expert Insights. “There’s actually very little overlap, which is kind of bizarre. That doesn’t always happen. With an acquisition, you end up going through some kind of a rationalization phase. But on the Imperva side, it was fully complementary.”

“Imperva brings data security and application security. On the data security side, it’s complementary to what Thales was already doing. We had capabilities like data encryption, key management, etc. Imperva brings threat monitoring, visibility and activity monitoring, compliance and governance. Those capabilities we look at as full lifecycle data security. Now we can discover your data, and combined with our access side, control who has access to it.”

“I’m most excited [about] the opportunity to combine the Imperva application security portfolio with our IAM portfolio. Today, Thales can manage access, authentication, and authorization at the API layer. Imperva brings a threat protection focus to that, making sure there are not malicious API attacks. When we combine those two things, we can get full coverage for API risks. Imperva also brings strong bot protection capabilities, which is again very complementary to our fraud detection capabilities, like behavioral biometrics. We can layer these capabilities together to be able to detect human versus non-human attacks and protect more of the full end-to-end lifecycle.”

Growing Passwordless Adoption

One of the big trends in the identity and access management space today is an uptick in passwordless authentication, Keenaghan says. 

“Passwordless isn’t a new concept at all. We’ve been trying to kill the password for decades. But I think there’s a lot of market momentum now that is arriving. A light at the end of the tunnel, so to speak, for us to be able to get towards passwordless and the biggest thing that is driving it I believe, is Passkeys.”

FIDO Passkeys are a phishing-resistant password alternative using biometric authentication or a device-bound security key. They are based on a standard developed by the FIDO Alliance, a consortium of leading tech brands – including Thales – built to improve passwordless and authentication standards.

Global password usage has been down since the FIDO Alliance launched FIDO2 Passkeys, primarily driven by Google, Amazon, and Microsoft making FIDO Passkeys an option for their hundreds of millions of users. This is being reflected by growing adoption in the business world, Keenaghan argues.

It is “when technologies actually get adopted by us as consumers [that] enterprises and workforce users start taking advantage of it and demanding it. So, kudos to the Googles, Microsofts, and Amazons of the world. They’ve been able to say: ‘If you’re in our ecosystem, you can establish a Passkey and it’ll be used on all of your devices, and it’s super convenient. You don’t have to worry about passwords anymore. And by the way, it’s more secure.’ I think they’re helping to educate the market, and users start to ask, why can’t I do this at work?”

The Thales Roadmap

Looking ahead, with the trends in passwordless, B2B identity and access management, and the Imperva acquisition, the Thales team is prioritizing helping teams adopt new technology like FIDO, without compromising on control, Keenaghan says.

“We’re focusing on how we can make it easier for enterprises to have the conveniences of modern technology, but not lose hope for control. Because right now [control] is a blocker for adoption. We have a long history in the PKI space. We know a lot of the problems customers deal with. We want to apply that knowledge to FIDO as well.”

“We build hardware authenticators, like USB tokens, smart cards, etc. We want to use these devices to give enterprises better control for use cases like fleet management. Things like, if you’ve got 20,000 FIDO tokens that you manage for your users, how to provision those, what’s the life cycle, how do you control it if it’s lost, how can you restrict it?”

“Trying not to remove all the openness and good aspects of FIDO, but making it easier for enterprises to strike the balance for commercial enterprises, and government adoption.”