Keeper co-founder and CTO on the cold hard facts of data security today.
Craig Lurey is co-founder and chief technology officer at Keeper Security. It’s his job to ensure that Keeper’s solutions stay a step ahead of the dangers in today’s hyper-dynamic threat environment. Here’s his take on just what is changing, and how Keeper intends to change as well.
Q: What is changing most profoundly in the threat environment?
A: The use of cloud-based services continues to grow dramatically, whether we know we are using them or not. For individuals it’s not just email, for example, but there is the IoT with things like Nest controllers, cars with hundreds of on-board computers, new AI services like Google Home and Amazon Echo – all interconnected and accessed by everyday devices. That makes all these devices targets, and the personal information on them vulnerable to attack.
Q: What about the traditional threats, like malware and viruses?
A: Malware, ransomware and viruses will continue as major threats for the near term. But as services move increasingly to the cloud, big firms like Google, Apple and Microsoft and the thousands of skilled security professionals they employ are doing a much better job of identifying and stopping such threats.
Q: How do the attackers burnish and refresh their skills in this changing world?
A: It’s actually quite interesting. Today there are researchers and students in universities and think tanks being trained in cyber security, identifying changing threat vectors. Then they publish their findings and initiate discussions and online chats to embellish their knowledge. Problem is, the hackers and bad guys are also there, getting all the latest information on the latest threats and weaknesses in defenses! And there are plenty of weaknesses.
Q: What is it about cloud services that can be risky?
A: Remember that cloud services are all about software, and all software – it doesn’t matter who wrote it – has bugs. These bugs have the potential to become vulnerabilities. With many cloud services, who knows what measures were taken in the development process to ensure security? Who even asks? Consider Cloudflare, which powers some five and a half million websites. It recently disclosed that a software bug gave hackers the ability to access sensitive data in real time, including passwords, cookies and tokens used to authenticate users. Most likely users of cloud services powered by Cloudflare never even heard of the company but nonetheless could have been victimized by the vulnerability presented by the software bug.
Q: What do these many changes in the threat environment mean for passwords and their management?
A: It is more critical than ever before for individuals as well as businesses to focus on the password. For example, when it comes to exploiting weaknesses in cloud services, hackers choose the paths of least resistance. For the most part they aren’t going to sit there and try to decrypt SSL traffic. The easiest attack vector for them is the password. They know individuals use the same ones over and over for different services. So they will attack through some random shopping site, for example, and use various widely available tools to break simple passwords. They aren’t going to target Facebook or Google.
Q: What do businesses need in this regard?
A: They need visibility into password usage throughout their organization. They need to know how individuals are managing passwords, if they are being managed at all. Are they being rotated? Where are they controlled? It all comes down to the same issue, and it is access and who has access.
Q: What is Keeper doing to stay ahead of this dynamic threat environment?
A: We go to extreme lengths to protect our customers’ data, so much so that we don’t have access to it. We are a true zero knowledge product. That means we don’t access or decrypt anyone’s data. So if a hacker happened to get the data stored in a Keeper vault, it would be useless. A zero knowledge environment is the extreme end of data protection. Any encryption or decryption is done solely by the users on their own devices. We are, after all, protecting our customers’ single most valuable piece of information, namely their passwords.
Q: Without giving away secrets, what can customers expect in the future from Keeper?
A: We are building out a series of products that protect users’ data and their identity, and we’ll be doing that not just with passwords but with other kinds of information as well. In essence we are going to bring our zero knowledge architecture to other product platforms.
Q: Anything else?
A: Yes. The field of DevOps is very rapidly emerging, creating a new category of engineers that not only develop software but also then deploy and manage it through its lifecycle. Our customers will see a migration from pure password management to more privileged access, where we still manage the password but also the access to DevOps processes as well. In DevOps the engineers deal with all sorts of functions like access to systems, servers, and cloud services as well as to physical devices. So while we at Keeper are building out and improving upon solutions for business users in marketing, sales, HR and so on, we’ll also focus more on IT teams, who are often inundated with securing all these access points. Today there are simply no great solutions out there for them.
Q: Has the near total blurring of the lines between personal and business use of many devices presented particular challenges for organizations, and for Keeper for that matter?
A: Users just expect to intermingle personal and business use, especially on their own devices but even on those provided by the employer. We encourage our business customers to deploy the Keeper data vault to their business users under a business account. But we strongly advocate for using a separate personal vault on the same device for all personal data. We made multi-account switching really easy and completely seamless. So the business has control only over the business data in the business vault. The individual has complete control over what’s in the personal vault.