SafetyDetectives spoke with Curity CEO Travis Spencer about improving digital services’ security posture, the latest API security trends, and more.
Can you talk about your background and your current role at Curity?
I obtained a degree in computer science from a state university in the US, and then worked for several years in software engineering. Later, I added to my education the fundamentals of business and entrepreneurship by earning an MBA and attending various startup workshops, lectures, and seminars. These things prepared me to launch and run a successful startup.
I launched my first company after relocating my family to Sweden. In this company, I formed a small team of identity experts that worked as consultants, learning about the market’s needs and requirements. From this purview, we noticed an unmet need that several organizations had to combine Consumer Identity and Access Management (CIAM) with API security. In 2015, we established Curity to fulfill that need, and I have been working as the CEO ever since.
What are some of the main services that Curity offers?
Curity provides a cloud-native software application called the Curity Identity Server that helps our customers answer the question of who is accessing their data and services. This way, they can determine if such access should be authorized or not. We also provide associated professional services (e.g., training, consulting, etc.).
How does the Curity Identity Server enhance the overall security posture of digital services?
To keep a digital service secure, the API must know who is accessing it. Authenticating who someone is in cyberspace is not simple. The Curity Identity Server helps organizations determine this without having to become experts in digital identity or related standards. It supports multi-factor authentication, which enhances the confidence in correctly determining someone’s identity. It also supports user journey orchestration, which can be used to perform contextual verification of a user’s identity. It encodes the answer to the question of who someone is in a “token”. This memento is provided to digital services in a way that the service can know that the user was properly identified, greatly enhancing the security posture of those APIs.
What are the latest API security trends that our readers should know about?
There are trends, and then there’s trend spotting. Trends are easy: malware, ransomware, supply chain attacks, deep fakes, passkeys, etc. New things that are not quite trends yet that readers should pay attention to are the security implications of AI and the advent of decentralized identity.
The former, I fear, will have drastic negative effects on our society if we don’t pause innovation (which we can’t do) or regulate AI. Truth is already relative in our modern age, so people are naturally skeptical. Confidence in any information will disappear, I fear, if it’s all tainted by the possibility of being artificially created. This removal of reliability will have very bleak consequences, I’m sure. I think our society really is standing on the precipice, but, thankfully, on the precipice, we human beings tend to change. I sincerely hope that we do, and that AI becomes a helpful aid that makes us all more productive and efficient. I encourage your readers to dig into the security concerns around AI and be vocal about the need for transparency, controls, and multilateral treaties to regulate it.
The other nascent trend that readers should investigate is decentralized identity. This also has the potential to transform our society. Currently, digital identity is primarily “federated”. In this, large organizations create databases of user accounts, and others connect to those silos to determine who a user is. Decentralized identity provides a better alternative where the issuer of the identity is not privy to the places where that identity data (a “credential”) is used. This boosts privacy while simultaneously reducing the amount of digital identity data the receiver must be responsible for.
What are the biggest security and privacy risks of using an unsecured website or app?
Financial, reputational, and perhaps even existential. Basically, hackers want your money. Plain and simple. So, the most likely and worst risk of using an insecure website or app is that you’ll lose money. For some people who are famous or influential, though, a bigger danger is probably that their reputations are damaged. For dissidents, reporters, and civil servants, loss of freedom or loss of life is not an unreal consequence. These sorts of people need to be constantly on guard and should take application and internet security very seriously.