
Patrick Gray
Welcome to another soapbox edition of the Risky Business podcast. My name's Patrick Gray. These soapbox editions of the show are wholly sponsored and that means everyone you hear in one of them paid to be here. And today we're speaking with the chief executive of Island, which is a company that makes an enterprise browser. Now, they've appeared on the show a bunch of times before and we've spoken about the, you know, the general shape and gist of the product. But there's a bunch of benefits, right? So this is an enterprise browser with a full enterprise feature set, unlike the consumer browsers or the consumer based browsers that most enterprises are using. But, you know, you use Island, you get some benefits. Like you can do endpoint health checking, you can do secure app delivery, you know, pegged to that browser. You can do DLP stuff. You can do cut and paste restrictions that are quite granular. So you can cut and paste between these apps, but you can't cut from this or copy from this app and paste it outside. And there's file system restrictions and, you know, just really, really cool stuff and granular controls. But something that's happening with them lately, which I find really interesting, is increasingly people are buying them to tick off various compliance objectives and not just cybersecurity objectives. In this interview, you're going to hear Michael talk about how people are able to comply with like labor regulations by using an enterprise browser. Which I know technically isn't a cybersecurity thing, but I just found it so interesting that I kind of zeroed in on this part of the conversation in the edit. So here is Michael Fay to kick things off now about how companies are ticking off compliance requirements with the Island enterprise browser. Enjoy.
Michael Fay
Why don't we start with what we can do and then I think it'll be easy to see where you get used. We can literally show you every click, every type at any given moment in any given policy structure. So what does that really mean? You are an IT worker. We don't care about 90% of what you do from a compliance perspective, but you just logged into Amazon and you're setting up new users. I can literally track everything you do in that process and I can send that to the SIEM or your S3 bucket or wherever else you need that. So I can grab data at a very intricate level opposed to having to do it every application. So you could do things like PAM, you can literally put, you know, privileged account management on an app that a CyberArk doesn't even know exists. You literally could give that control in place. I can make it so an end user at a call center, if they want to access something, they got to put in a reason they have to, you know, I'm about to go look at your last purchases. Wait a second. We shouldn't have to do that. Well, this case I do. Here's what I have to do from a compliance perspective to be allowed to do that. I put in the reason I attach the ticket. It's now recording everything I do in there. And then I step off and the end user gets a warning. This is all being recorded. So it keeps them inside the bounds of that. Also we get a lot of compliance around data flow. How do we ensure that this data can't be seen, this data can't be taken, this data can't be accessed? We could govern all of that. Who can get to what from where and what geography they could get there. And you know, are my people in Germany getting to the German Salesforce or are they being redirected to the US Salesforce? When they fly to the US which Salesforce do they connect to? We can manage all of those elements and it's just extreme visibility as needed.
Patrick Gray
And how do you manage that though? Sorry? Because that's an interesting one that I wouldn't have, you know, that's a, that's a use case for like GDPR purposes that I wouldn't have thought was immediately obvious, which is I am a German person working for an insurance company or whatever. You know, I go to the United States for a conference and then just via their CDN or whatever, the way that they distribute resources, I'm winding up kind of logging into the wrong, you know, to the wrong portal. How do you actually enforce that in the browser when a lot of this is done via the sort of content distribution networks for those apps? Because that's got to be tricky.
Michael Fay
So we have tenant control to start with. The trickiness you speak of, which I've dealt with, most of my career was based in the networking aspect of it. If we wanted, if we want to force to a connection back to a given location, we have the ability to do that with policy very easily. So where really shows up is which G Suite am I going to. I want to, I'm a strong organization. I want to bring in G Suite. Am I going to your personal G Suite or my corporate G Suite? Those are very different tenants. To us, the German Salesforce is different than the US Salesforce. They are literally fundamentally different links. We can direct that and control that and the end user never has to understand that. And we can also then control what data they see because that's.
Patrick Gray
So, hang on, that's by domain, is it?
Michael Fay
It can be. It could be by domain. We can do direct IP addresses, it could be your. But we also have network control. We literally have the ability to do a ZTNA connection and take them back to their data center if we want or take them back to, you know, source IP address.
Patrick Gray
So is that via like some sort of what we would call like an identity aware proxy sort of thing and you, you peg certain URLs to those. Those proxies. That makes sense.
Michael Fay
Yeah. But I will tell you, it's shocking how little you actually have to use the proxy chaining when you have actual control of the real URL.
Patrick Gray
Yeah, I just wondered because I would have thought though when I was talking about CDNs, you know, it's obviously because you're going to get different, you know, you're going to get different IPs back for Google.com in Australia than you're going to get in Germany and whatever. So I just wondered if you were sort of pegging DNS results to a country of origin or how that all worked.
Michael Fay
Yeah, so most of the companies really care about this. They actually have a set of IP, of privileged IPs they use that you call back to.
Patrick Gray
Yeah. Okay.
Michael Fay
So like they don't really go directly to Salesforce, they go to a set of IPs and then they're. So we can do that, but we also have our own thing that sits inside the DMZ and we can call that to get access back to data centers.
Patrick Gray
And I'm guessing what you're saying is that if a user just tries to enter like salesforce.com or whatever, it just redirects them or whatever. Yeah, yeah. Okay. So that's pretty simple. Like it's just redirecting them to the customer's domain for.
Michael Fay
But let's get a little trickier. So now you're dealing with a French organization and yes, you have the Geo, but they can't work past 4:30. How do I govern that? And any interactions, we can't record what they do, we can only record their violations. But when you go over to the UK, we can record everything they do and they can run all day long and they're in the same Amazon bucket. How do you set policies for these different flavors? We give you really strong dexterity on that. Where even inside your own company, your own geography, you can pick and choose how all this stuff works opposed to one size fits all model. Identity based policy is really hard to do at the network layer.
Patrick Gray
Really it is.
Michael Fay
We can do it at the endpoint and really change the way that works. So you can.
Patrick Gray
Well, it's hard to do in the IDP layer as well. Right. Because you're sort of issued with tokens that grant you access. But my mind is boggling a little because you just said French people can't work past 4:30. What's that?
Michael Fay
So we actually have a French customer that their edict is their access to their applications has to shut down at that because there's a governance on the hours of work that they allow their employees to do and they literally stop the ability to access their applications at a certain time of day.
Patrick Gray
Why do they do that?
Michael Fay
According to them, it's a government regulation for them of how many hours they can have in a work week.
Patrick Gray
Are they in a sort of specialized ultra regulated industry or is this just like, I mean, you know, Are you telling me the French people can't work past 4:30? Cause that'd be pretty cool.
Michael Fay
Not all. Well, hey, listen, there's obviously French people dead, but French. The French have a governed hours of work in a week. And you don't take a salaried employee and have them work 80 hours like we do in the US and just say that you're salaried. It is what it is. And they often have to prove that that can't occur. Now I'll tell you, we have this in the US too in a different way. We have a wonderful customer that is trying to do really right by their employees. They're a fast food restaurant, or maybe they think of themselves as not fast food. So. Or fine food or whatever it is. And their workers can go out on their portal and look at the other stores and take hours at those other stores if they want to complete. And they want more hours. Right. They, they don't have to just get the hours at their local store. And they did this to try to make sure their workers could get to full time as fast as possible, going everywhere they want. If they spend more than 10 minutes doing that, you have to pay them for the full hour. In California.
Patrick Gray
Yeah.
Michael Fay
So here they were trying to be nice and then they hit this roadblock that says if you spend, you know, a while clicking around here, we have this problem. We govern that relationship.
Patrick Gray
Yeah. So you kick them out at 9 minutes and 45 seconds or whatever.
Michael Fay
Yeah, exactly. And, and you know, that's something that company needed. Will they need it next year? Policies will change. Maybe that goes across, maybe it goes away. And they want that dexterity. The number of bizarre rules that end up in this is amazing. You know, I'll give you another one. We got traders and investment teams that can't view LinkedIn because LinkedIn has messaging and it's not audited and it's not tracked. So they can't. So imagine you're investing people's money and you can't go out on LinkedIn and see who quit from that company that day, which will be a telltale sign of what's going on, where executives move and where they go. So what are they doing? Well, we all know they're going to see it. They are taking the risk of having that interaction on their own device, outside of the jurisdiction of the SEC and everything else. They have to be. They're not staying dumb to that information. We make it so they can go to LinkedIn, but we record that. If they do happen to have a chat, we can record that messaging or we can block the messaging in the first place. Something you can never do at the network layer, figuring out which stream that is. That actually has been used a lot. We've had others that want to do Zooms and they want to make sure no one can do screen captures on the Zoom. Nobody can upload a document or download a document or put something in the chat. And that last mile control shows up in so many ways that aren't cyber. It's amazing what can be done with that.
Patrick Gray
Yeah, I mean, you're actually really selling it on the compliance stuff, because just those use cases that you're talking about in finance, I mean, eventually, you know, that can pop up in investigations. Right. Like you're being investigated by the government. There's a few screen recordings lying around. You know, that's not good. They shouldn't have been taken in the first place. And they can incriminate people. And even if they're not incriminating, they shouldn't have been taken in the first place and, like incorrectly stored and all of that.
Michael Fay
Right. So, you know, Patrick, one of the things we added on because a customer built it and we made it part of our product after we saw it, they put a QR code in the watermark and the QR code would say, what machine, what user? You know, what was going on when that. When that QR code showed up. So if you pull out your phone, you try to take a picture of your screen and they find it on the dark web or whatever, they know everything about the leakage.
Patrick Gray
Yeah. It's like printer marking, right?
Michael Fay
Yeah. And then there's the other watermark that just has your name and your phone number and all that stuff on it. So you take a picture of it. You know, you better be really good with Photoshop because you know you're, you're going to be outing yourself when you, when you share that.
Patrick Gray
Yeah, that's interesting. So I mean in terms of like the industries where this sort of compliance stuff lights people up. Right. Because I can imagine that's how the conversation goes. Like, you know, the case you just laid out for, you know, like trading houses and whatever that is, you know, I can imagine that that's a pretty easy sell, you know, Are there other industries where it's as much of a slam dunk?
Michael Fay
Yeah. So healthcare.
Patrick Gray
Yep.
Michael Fay
As they're struggling with Teladoc and everything around that. And you know, I didn't know this when I first started working with them. Almost every doctor is a contractor. So you have this, they all run.
Patrick Gray
I mean it's the same here, right? They all run like a company basically in Australia or a trust. And you know, that's how they work.
Michael Fay
So you have this arm's-length transaction with a doctor, but they have all of your, you know, all your patients' data. So you're the one with the risk as the company and you need to give them access. And the interesting thing about that problem, if you make it too hard to work with another hospital, so if you require too much stuff on them, they're in such demand, they just won't work with you, they'll work with another set of providers and this and that. So you want to make it easy, but you have to obviously defend your patients. So there's that in the healthcare world, state and local's got a lot of governance to it, federal's got governance to it. But I will tell you what's really shocking. Many industries that you don't think of as compliance centric, we get purchased for because they have the one thing they've got to do, they've got this one area that's a burden for them and they don't want to adopt a massive effort to solve that. So maybe you're a hotel chain and you've got customer data that GDPR cares about, but it sits in one place. If you just govern that one place, you took that entire risk off your back. So they don't have to, if you will become a bank or become, you know, a PCI juggernaut or anything else. They can solve that one problem. We see that come up a lot. So it's, it's not just these highly regulated. They care and then of course they get their security upgrade and then we get automation and it just, it becomes one of the many tipping points for, for kind of crossing that chasm.
Patrick Gray
Yeah, it makes a lot of sense. Now look, another thing that's popped up over the last couple of years as an issue is, and you're not the only company that's looking to address this, right, which I find interesting is the idea of company staff just plugging all sorts of sensitive information into GenAI chatbots. And I know people who do this, right. Like I know people who use like ChatGPT for as like a coding assistant. Like even my colleague Adam Boileau, he just re-engineered and rewrote the back end to our content management system. He's not a developer and he used Gen AI for suggestions in various places and he said it was actually quite useful. He said you don't just take its output and use it because it's always like, yeah, you know, a bit hinky in some ways, but nonetheless he found it quite useful. Now that's fine because we're a small business writing a content management system or whatever, but you do have to worry if you're running a large, tightly regulated organization about what your staff are slapping into those models which are then going to use those inputs and those queries to train their data sets. And you don't know how that's going to fall out again when someone else asks it a question. So I mean, this is the thing at this point, the risk I think is largely theoretical. It's just that we don't know how that's going to go. So you have had a lot of customers who are quite concerned with controlling the way people are using those, those sort of services, right?
Michael Fay
Yeah, we do, we get a lot of.
Patrick Gray
And how do you do that? Like is it granular or do you just block them from being able to use those services? Because I'm aware of other companies where you can just block it and just say, no, you can't use that. Or is it a case where you're trying to do inspection of these prompts?
Michael Fay
Yeah, so the blocking is a terrible approach because the blocking comes with this idea that you understand how AI is going to show up in your world and that's just not true. You know, is Salesforce an AI company or not? I don't know if I watch the commercials. They are. So what do I do there. Do I block?
Patrick Gray
Everyone's an AI company. Everyone who's publicly listed now is an AI company. Because they want to make the little line go up.
Michael Fay
Exactly. And they're going to have really AI products and when do you run into them and is it obvious? Right. So the idea that I'll just block AI and you know, it will allow these two AIs. Okay, good luck. So step one that we provide is that shadow IT, what AI are you actually running into? Which is usually shocking. When we ran in our own company, we ran in about 200 AI engines that we ran into for a 400 person company. And okay, great. So new shadow a IT problem. So what are we even running into then? We can govern, of course which ones you can go to, but we also can, can steer, which I think is very important. If you want to go to one AI engine, let's say some legal engine, but you have another one the company has license, prefers, has governance over. We can redirect them at that moment.
Patrick Gray
So not just like a standalone model, that's not going to refeed the training set for everybody.
Michael Fay
Exactly. So we can redirect them. We see you're trying to go here, here's we prefer you to be over here. That's the first step. Then we can apply DLP policies against whatever you do on any of those items. So what are you saying into it? What items are in there long term though? And this is pretty funny, we've got to build an AI engine to govern.
Patrick Gray
So I was about to say, if you want to be able to do detection on content types that are being fed into prompts, you're going to need to do a detection that says is this a block of code and do we want to allow that? And the way you're going to do that is with an LLM. So you're actually using AI to prompts to make sure they're okay to put into the AI.
Michael Fay
And it's so unique to a company. You can imagine a banker that deals with deals and deal flow and buying and selling companies. What is important to them. And they're the ones I think that are kind of leading this charge of you might learn what we're doing. And if you have a JPMC, for instance, whether if they were using AI without abandon and they don't, they're very governed, you might be able to see where JPMC is investing or what customers they're helping or who's being sold because they're in everything that's very scary and can move markets and tons of SEC violations hidden in there if it ever happened. So in that scenario, mentioning say my company could be perfectly fine for American Airlines, hey, we're talking on this Island about a standard travel agreement. Great. But if JPMC, who's one of our bankers, starts talking about what we're doing, that could be literally a massive issue. So understanding that risk is going to be company by company. And I think you're going to need that AI engine to start to understand what is confidential for our company. Every company's different.
Patrick Gray
Yeah. And I just think that is an interesting thing because a lot of people are using things like ChatGPT as a replacement for search engines. So if you're sitting upstream and you somehow had visibility into the queries coming out of a large bank, which all of a sudden a lot of people are asking AI chatbots, hey, tell me about Island, what do we know about their market share and whatever that's going to be valuable and sensitive information.
Michael Fay
Valuable. And I gotta tell you, I mean I use it to create PowerPoints and the wrong PowerPoint getting out could be very damaging. So you have to be smart about how you use it and some governance definitely helps, but I think pointing people to the right models is helpful. Guiding them to it is helpful.
Patrick Gray
Well, how do you handle that? I mean, I'm guessing you've got a licensed sort of standalone model to do that.
Michael Fay
Yeah, so we literally, we can embed whatever engines you want and literally make it part of the browser itself. We modify the buttons, click here.
Patrick Gray
I meant you personally when you're doing your PowerPoints. I'm guessing what, you've got a sort of private license off to some, you know, standalone model, like an Anthropic or something?
Michael Fay
Yeah, it was, I don't use the help for anything that would be confidential today.
Patrick Gray
Yeah. Okay. Right.
Michael Fay
So it's, it's self governed, it's very simple for me. But I will tell you, if you use, if you're a software company and you sign the contracts we sign about data residency and where your data can go and the like, it is very hard to operate anything customer related with an AI engine and live inside what you've already agreed to contractually. Now, could you get caught? Probably theoretical. Difficult, but you know, Grammarly breaks half of those contracts. Right. You know, much less. And I think the usage of things like ChatGPT, it is like Grammarly now. Hey, make this sound better. You know, give me a better graphic on this. So the data risk is very, very real, long term.
Patrick Gray
Yeah, it's Funny that you say that. I mean, one of the things that I find extremely frustrating actually is having spent a large part of my life actually writing professionally, I find it immensely frustrating that people use these models to sound better because everything that comes out of these models sounds the same and they don't really write well. So it's, it's a pet peeve of mine.
Michael Fay
Yeah, you are starting to. You can feel it when ChatGPT is on the other side. You know, you get an email and you're like, this is weird. You can feel it when somebody ran it through those engines.
Patrick Gray
Oh, 100%. Like, you know, when it's AI generated text, you know. Yeah. So look, one last thing I wanted to talk to you about, and this is something that's come up previously when I've spoken to Island, is you always talk about how, you know, in the case of an M&A using Island lets people work quickly together and whatever, and it's, you know, less of a disaster to start integrating networks and whatever. I wanted to get some more detail on that because I'm not exactly clear what the use case is for. I mean, I'm guessing, okay, if you need to get into someone's SAP or whatever, all of a sudden, this entire new set of users, external needs to get into some of those applications. I'm guessing that's where it's useful. Is that about right? Or is it, you know, or am I missing something there?
Michael Fay
No, no, you're getting it. I think of it this way. If you trust us for BYOD or contractors, and you just bought this company and you are a well run company yourself with good security and good IT enablement, you look at that company, you have to integrate and go, okay, I gotta go figure out what they have, what their risk is, what issues they've got before I bring them into the tent. Right. I'm not gonna risk my entire company over this thing we just bought. So they keep it at arm's length, but that company that just got bought, wants to sell your products, wants to get into, wants to be able to be on the same email, wants to be able to communicate with you, wants to, to be part of that company. So treating them like a BYOD user, a contractor, is a simple way to solve this problem immediately. So you can literally say, all right, you can get to our messaging platform day one, and we're going to inspect your devices, what we think it is that you're configured correctly and we're going to give some data controls around that so you can quickly offer up applications to share. So SAP is a great example. You know, you need to be on my SAP. Great. We can give you access to that. But I don't have to bring your entire company over. I don't have to bring your device into my, into my network. I can still be suspicious of your setup while we collaborate. And that's really what it's about. It's not about a long term posture. It's about how to get an acceptable short term posture while those IT teams figure out how to become one company.
Patrick Gray
So people spin up Island to get the initial access going and then gradually those networks are joined and then what they revert back to often their other browsers.
Michael Fay
They don't. That's the beautiful part.
Patrick Gray
Hey, speaking of. Right. We've seen Google actually launch their enterprise browser which looks, you know, it's very different to what you're doing. Yes. You know, any thoughts on what they're up to? I mean it seems like they're trying to deliver different objectives with this.
Michael Fay
Yeah. The Google Enterprise browser has been around before Island. Right. And what it really, I think.
Patrick Gray
But they've kind of relaunched it and just added features, right?
Michael Fay
Yeah, yeah. But I think really at the heart of it was there's this massive estate of Chrome browsers at any company. How do I ensure configuration is optimal? How do I ensure that our settings are right? How do I set general policy for this giant estate? Doing that with, you know, a BigFix and all these weird controls trying to. It was very kludgy and very challenging and I think Google set up to do that. Then they had their BeyondCorp vision which has been around for, I don't know, a decade and a half or whatever. I can't remember when it showed up, but it seems like it was always there. How do I engage in that BeyondCorp? How do I make sure our traffic can plug into all these other items and open up that integration? And so it's active. Trying to be a little more collaborative with the enterprise estate opposed to ambivalent to it. These are all positive things. They are minor features of our product, but they are positive for the environment to have those. So it's not that they're bad ideas or not needed. You could just do a lot more. There's a lot more.
Patrick Gray
Yeah, yeah. I mean that was the impression I got as well when I looked at it, which is okay, you know, they're sort of dragging these things kicking and screaming into a more modern age when it comes to configuration management.
Michael Fay
But they're not offering it is blanket configuration, like turn off copy paste.
Patrick Gray
Yeah.
Michael Fay
So we did this little game for a company to understand the value of having dexterity on copy paste. Like, for us, we can control copy paste, and not only what you can copy, what you can paste, but where it goes. So we can say these seven applications can share data. You can copy and paste between them at will. If you have blanket copy and paste, you're going to turn it off. That even applies to the app you're in. So imagine working in Salesforce or something where you can't copy and paste and you can't go and get your contact and put it in your email and all this other stuff. So for a couple hours we did that, and the plan was to have it. We turned our policy to mimic that. We planned to do it for half the day. We made it about 90 minutes before the team just, literally just destroyed us. It made us turn it off because they couldn't work, they couldn't function. And that's what happens with these blind policy updates. The reality is it is nice to get a common configuration across the environment right up until somebody says, but what about me? And it has to be different. And now you're outside of that control, and now you're yet another variant. So it's a step in the right direction, but the dexterity isn't there to really be used by enterprises at large, and that's why you don't see it around too much.
Patrick Gray
All right, well, Michael Fay, we're going to wrap it up there. Thank you so much for joining us for this, the last soapbox edition of 2024. Have a great Christmas and a great New Year's, and we'll chat to you again next year.
Michael Fay
Thank you very much.
Patrick Gray
That was Michael Fay there from Island. Big thanks to him for that. And that is it for this edition of the Soapbox podcast. I do hope you enjoyed it. You can find Island at island.io if you want to go and get some more information and maybe take the browser out for a bit of a spin. But, yeah, that's it for this podcast edition. I do hope you enjoyed it. Until next time, I've been Patrick Gray. Thanks for listening.
Risky Business Podcast Summary
Episode: Risky Biz Soap Box: Cool Compliance Tricks with the Island Enterprise Browser
Release Date: December 20, 2024
Host: Patrick Gray
Guest: Michael Fay, Chief Executive of Island (Developer of the Island Enterprise Browser)
In this edition of the Risky Business podcast, host Patrick Gray delves into the innovative compliance features of the Island Enterprise Browser with Michael Fay, CEO of Island. This episode, part of the Soapbox series, explores how the Island browser not only addresses cybersecurity needs but also fulfills various compliance requirements across different industries.
Patrick Gray introduces the Island Enterprise Browser as a robust solution tailored for enterprises, distinguishing itself from consumer-based browsers by offering comprehensive security and compliance features. Michael Fay expands on this, highlighting the browser's ability to perform endpoint health checks, secure application delivery, data loss prevention (DLP), and granular control over functionalities like cut-and-paste operations and file system access.
[00:30] Patrick Gray: "It's an enterprise browser with a full enterprise feature set, unlike the consumer browsers most enterprises are using."
A significant portion of the discussion focuses on how companies utilize the Island browser to comply with labor regulations, particularly in different geopolitical contexts.
[01:48] Michael Fay: "We can literally show you every click, every type at any given moment in any given policy structure."
Michael illustrates scenarios where the browser tracks detailed user activities, ensuring compliance with regulations such as France's restrictions on working hours. For instance, a French customer mandates that access to applications ceases at a specific time to adhere to labor laws, a feature seamlessly enforced through the Island browser.
[07:17] Michael Fay: "We actually have a French customer that their edict is their access to their applications has to shut down at that because there's a governance on the hours of work that they allow their employees to do."
Michael discusses how investment firms and trading teams leverage the browser to control data flow and access, preventing unauthorized data exposure and ensuring all interactions are auditable.
[06:59] Michael Fay: "Even inside your own company, your own geography, you can pick and choose how all this stuff works opposed to a one size fits all model."
This granular control extends to managing access based on geography and specific application domains, ensuring that sensitive operations, such as those involving Salesforce platforms, are meticulously governed.
The browser's versatility is further evident in its adoption by the healthcare sector, where it manages access for contractor doctors and protects patient data. Michael emphasizes that even industries not traditionally seen as compliance-centric find immense value in the browser's ability to address specific regulatory burdens without overhauling their entire security infrastructure.
[11:48] Michael Fay: "Healthcare as they're struggling with Teladoc and everything around that... you need to make it easy, but you have to obviously defend your patients."
Additionally, sectors like hospitality leverage the browser to manage customer data under regulations like GDPR, simplifying compliance without necessitating a complete transformation into highly regulated environments like banking or PCI-compliant industries.
Patrick shifts the conversation to the burgeoning issue of employees using Generative AI (GenAI) chatbots, such as ChatGPT, and the associated compliance risks.
[15:06] Michael Fay: "The blocking comes with this idea that you understand how AI is going to show up in your world and that's just not true."
Michael outlines the challenges of merely blocking AI tools, given their pervasive integration across platforms. Instead, the Island browser offers solutions to shadow and monitor AI interactions, redirecting users to approved models and enforcing DLP policies so that sensitive data is not inadvertently shared with external AI systems or used to train them.
[16:27] Michael Fay: "So we can redirect them. We see you're trying to go here, here's we prefer you to be over here. That's the first step."
Another critical use case discussed is the browser's role in M&A scenarios. Michael explains how the Island browser allows newly acquired companies to access essential applications and collaborate securely without integrating their entire network immediately.
[21:17] Michael Fay: "If you trust us for BYOD or contractors, and you just bought this company... treat them like a BYOD user, a contractor, is a simple way to solve this problem immediately."
This approach ensures a manageable and secure short-term posture, allowing IT teams to gradually integrate the acquired company's systems without compromising overall security.
Patrick brings up Google's launch of their own enterprise browser, prompting Michael to compare and contrast it with Island. Michael acknowledges Google's efforts to streamline configuration management for Chrome browsers within enterprises but notes that Google's solution lacks the granular control and dexterity offered by Island.
[23:19] Michael Fay: "We can control copy paste, and not only what you can copy, what you can paste, but where it goes."
He shares an anecdote demonstrating the pitfalls of blanket policies, such as disabling copy-paste entirely, which can disrupt business operations. In contrast, Island's flexible policies allow precise controls tailored to specific business needs.
The episode wraps up with Patrick appreciating Michael's insights into how the Island Enterprise Browser transcends traditional cybersecurity measures by embedding comprehensive compliance functionalities. This adaptability not only enhances security but also provides enterprises with the tools to navigate complex regulatory landscapes effectively.
[26:03] Michael Fay: "Thank you very much."
[26:06] Patrick Gray: "Big thanks to him for that. And that is it for this edition of the Soapbox podcast."
Key Takeaways:
Granular Control: The Island Enterprise Browser offers detailed monitoring and control over user activities, facilitating compliance with diverse regulatory requirements.
Versatility Across Industries: From financial services to healthcare and hospitality, the browser adapts to various compliance needs without necessitating extensive overhauls.
AI Compliance Management: Instead of outright blocking AI tools, the browser provides mechanisms to monitor, redirect, and enforce policies to mitigate risks associated with GenAI usage.
Facilitating Secure M&A: The browser enables seamless and secure collaboration during mergers and acquisitions by treating new entities as contractors initially.
Competitive Edge Over Existing Solutions: Compared to offerings like Google's enterprise browser, Island provides more nuanced and flexible compliance controls, enhancing operational efficiency without compromising security.
For more information on the Island Enterprise Browser, visit Island.IO.