Aviva Zacks of Safety Detectives recently interviewed Paul Martini, CEO and co-founder of iboss. She asked him about how his company is providing network security.
Safety Detectives: What motivated you and your brother Peter to start iboss?
Paul Martini: I was working at a company called Copper Mountain Networks. This was at the beginning of broadband and things like high-speed connectivity. At the time, in the early 90s, everybody worked on a desktop computer that sat under their desk. So, all of the strategies for security were based on a castle-and-moat strategy, where you basically secure the fortress.
Since all employees worked in the office, all of the security was applied there. There are lots of different cybersecurity technologies, but network security specifically is applied when data moves from your laptop or your desktop to some destination, where it acts like an airport security checkpoint.
Network security opens the luggage and looks for malware, ransomware, or data loss. You have firewalls, proxies, and all of this gear that was installed in the office to ensure that as data came in and out of the office, it was inspected and secured from malware.
When you look back at that time, we started to see bandwidth and connectivity going up with the advent of Blackberry smartphones and people using that as their computer for email. The real question was, what would happen when the phone in your hand became your computer?
SD: Which takes us to today, right?
PM: Right. iPhones and laptops are so powerful now, that no one really has a desktop anymore. But once that occurred, you couldn’t force someone to stay in the castle. The security needs to follow the user wherever they work. And so, how would you apply the network security functions, so that you ensure that ransomware or malware are not getting to those devices or protect against data loss? You shouldn’t be losing data when you’re working remotely. So that was really the thesis of the company which was moving security to the cloud.
We live in the cloud era, but moving security from a perimeter-based security model with fixed physical boundaries to a service like Netflix is challenging. As users go from place to place, the user becomes the office, and work is performed on their laptop or phone.
All the data that gets transferred to and from those devices as users interact with cloud apps and data. Instead of only being protected by security while you’re in the office or when you send the data back to the office, you can just connect to whatever you need, and the security runs where the applications run in the cloud.
SD: What kind of impact did COVID have on all this?
PM: COVID just basically accelerated this transformation. We saw that this was inevitable. The issues I have been describing so far were going to happen anyway because we knew bandwidth was going to keep going up. We knew mobility would keep going up. And we knew that devices themselves would be mobile.
Today, it’s hard to find a desktop computer anymore. Most people do the majority of their work in the palm of their hand or on a laptop. So, with COVID hitting now, we see the future of work is hybrid at best, but many organizations have shut down their offices for good. Many users are working from everywhere and anywhere full-time.
SD: How does your software protect users?
PM: What we envisioned really has come full circle, which is a SaaS-based cloud security service that allows users to work from wherever they work, but also connect directly to any application that they need.
Those resources could be in the office or the cloud, it doesn’t really matter. They call it a Zero Trust service. And the Zero Trust service is responsible for both connecting the user to the applications as well as ensuring that the data is secured as it moves between that user and the application, so it is free of malware and prevents data loss. In addition, Zero Trust ensures that all applications and data are completely private and only accessible by employees that should have access to them while automatically rejecting everyone else.
I think NIST 800-207, which is the standard the government is moving toward for Zero Trust, is where this is all heading. The government is moving toward this idea where all applications are private. As a result, there’s no application, whether it’s in the cloud or in the office, that you can get to unless you’re a trusted user.
We basically put our service in front of the government’s or company’s applications, making them private, sort of like an airport security checkpoint in front of the applications it’s designed to protect.
We only allow the few employees that should have access to those applications and are allowed to interact with them. If the application becomes vulnerable, it’s not a fire drill. And you’re not having hackers from Russia or other places, getting to the front door of these applications to begin with.
SD: What is your company’s flagship product?
PM: It’s called the iboss Zero Trust Edge. Netflix didn’t invent the movie; they changed the way you watch it by streaming it from the cloud.
What we’re doing is the same thing, except it’s not with movies — it’s cybersecurity for all connectivity. Instead of the DVD player, which is the equivalent of all of the legacy cybersecurity gear including firewalls and equipment that physically only protects the office, we’ve replaced that with a global security service that moves security to the cloud. We moved that to a SaaS-based service that streams the security to the user wherever they are. Whatever they connect to is always secure. Connections go through our service where we inspect for malware, ransomware, data loss prevention, and compliance.
SD: How does your company stay competitive in a world filled with cybersecurity companies?
PM: I think defense in depth, having multiple layers of security, is really important. But there are some key staple security components that every company needs, and every user needs.
For example, desktop antivirus scans your hard drive to make sure that there are no viruses sitting on your computer. I feel that’s one staple. But eventually, the data is going to leave your computer or come to your computer from the internet or from an office. And so that’s the network security, which is where we sit and feel it’s another core security staple. However, instead of doing this with network security gear, we’re doing this as a SaaS service, automatically and at scale.
And then there are things like virtual private networks (VPNs). You turn on a VPN to connect to the office. Then you turn it off when you’re done with it. That’s a staple because as an employee working for a company, you can’t do your job if there are some applications sitting in the office, and you can’t connect to them. With our service, we automatically connect employees to any application, including those in the office without the need for a separate VPN. The service handles the security and the connectivity to everything.
So, we solve those things that I just spoke about – eliminating the need for network security appliances, eliminating the need for VPNs, and ensuring that users get a consistent and great experience as they interact with the data and applications they need by delivering security in the cloud. Instead of turning on a VPN to connect to the office for applications, our Zero Trust service is always on.
If I’m on my laptop and I open different applications up, some of those might be on the internet and some of them might be in the office. But I’m never turning on a VPN to do that. We’re able to reduce the costs related to having to buy these VPNs and then improve the end-user experience.
The other issue with VPNs is users typically experience pretty slow connections when using them. Having a service that’s always running and that provides ultra-fast connections while eliminating the need to enable or disable a VPN improves the user experience.
In addition, because we are connecting the users to these applications, whether they’re in the office or in the cloud, we can run all of the security functions, open up the payloads, and look for things like ransomware and malware, as well as making these applications private.
In the end, the budget needed for the digital transformation that organizations are looking for can come from eliminating this legacy gear and technology. Our Zero Trust technology actually saves companies money because it eliminates companies’ budgets for VPNs, proxies, and firewall gear. And using our service, companies still get more output even in the case of limited staff due to shortages which have been a problem in skilled labor markets like network and network security.
Many companies can’t afford to have those people and they can’t find them. It’s easier to eliminate the complexity of the legacy castle-and-moat security strategy by transitioning to a SaaS security service. Just like Netflix, you don’t need an audio-video expert to set up all of your sound system and DVD players anymore. So, it’s more cost-effective.
When rolling out a service like iboss, we start with the resources, the most critical and vulnerable applications first. Even though the users can connect to these applications, we start by putting ourselves in front of the company’s applications to make sure that they’re completely private.
If you look at a report from CISA, the Cybersecurity and Infrastructure Security Agency, which performed a study of the ransomware incidents in 2021. They partnered with all American agencies such as the FBI and NSA, as well as the United Kingdom and Australia. It was a big joint effort. What they found was the top three initial infection vectors for ransomware in 2021 were phishing, stolen credentials, and vulnerabilities in software. So, for example, in some cases where software becomes vulnerable and should be asking for authentication, like prompting you for using your username and password, it doesn’t do this. It fails to prompt for credentials because it’s vulnerable and just lets you in. And that’s an issue, obviously.
So, the top three initial infection vectors are phishing, stolen credentials, and vulnerabilities in software. But the root cause if you think of those top three is actually unauthorized access to the software to begin with.
Because if the software becomes vulnerable, why is it that Russia and China can take advantage of that? They shouldn’t be able to connect to that application to take advantage of the vulnerability. If they steal a set of credentials, how are they able to connect to the service or an application and use those credentials?
If you think about the way we used to work, the reason there were fewer breaches and ransomware was that all of the applications were inside of a physical office. Even though there were vulnerabilities, or someone may have stolen your password, how are they going to use the password unless they break into the office to punch it into the server, right?
Today, that perimeter is gone. So, all of these applications are running in the cloud. The attackers know this, so they just wait for these vulnerabilities to come out. They can sit in Russia, China and other places, and then they use that to connect to the application. They don’t need to go into a physical office and take advantage of the stolen credentials or the vulnerability, or even take advantage of phishing. You click the link, they get ransomware on your laptop, and that spreads immediately.
This is why NIST, which is the National Institute of Standards and Technology, put out a framework called Zero Trust architecture. It’s under a document called the 800-207, which is referenced inside of the recent Executive Order. The goal of the Zero Trust Architecture presented in the NIST framework is to focus on the crux of the issue, which is to prevent unauthorized access to data and services.
That’s the core of Zero Trust, according to NIST. And that’s actually the core of Zero Trust according to what we offer. Our goal, really, is when you look at an approach to reduce breaches and risk substantially, is to prevent unauthorized access to applications and data, whether they are in the cloud or run in the office. That’s the number one thing, I would say, to reduce your risk of getting cryptolocker ransomware or having your data put on WikiLeaks. You’re solving for the root cause of how they get in, to begin with.
So, we started by putting iboss Zero Trust service in front of those applications, and they became private. Then we let the users in only once we know they’re an employee and part of the organization. No different than an airport security checkpoint lets passengers board the plane only once they check their ID, their ticket, and their bags, and then lets them cross the checkpoint. It’s the same concept that they use in an airport to protect planes, except we do this with applications and data.
So, to answer the question and to circle back, this is a fundamental component. Every organization needs to move off of anything related to perimeter-based types of security approaches. They’ll spend less on firewall equipment, and proxy equipment, and less on VPNs. The goal is to connect users to whatever they need, regardless of whether it’s in the office or in the cloud.
Looking to the future, every company will be hybrid. It’s not just some employees, probably all employees will have some form of remote work and in-office work. Without technology like ours, there’s no way those employees and that model can exist. There’s no way the employee can connect to the applications and data they need to do their job; they need the resources and security in place.
So, we’re capturing budgets from a lot of different areas. We’re making world-class security cheaper, faster, and more efficient, for a better end-user experience. And we’re securing over 150 billion transactions a day. We work with the largest organizations in the world and protect millions of users worldwide.
We’re going to secure all companies because we can deliver this service to companies of all sizes. You no longer have to be a Fortune 500 or the Federal government to take advantage of this type of technology.