Adam Bowen, Anchor: “Fools rush in, treating the cloud as just someone else’s computer”

As the cybersecurity industry evolves, so does cybercrime, with threat actors lurking for new opportunities to exploit vulnerabilities.

Remote work has posed additional challenges to employees and companies around the globe. Workers often opt for non-secure work environments, such as libraries, cafes, and their own homes, and don’t use a VPN or antivirus. Such a relaxed approach might cost an organization everything: from monetary losses to the entire business.

Adam Bowen, Head of Sales and Growth at Anchor – a company that specializes in computer and network security – explains how companies can better address these concerns.

How did the idea of Anchor come about? What has the journey been like?

Our product, Anchor, came out of The Ohio State University. It was a project of our CTO Hari, a graduate student, and our CEO Emre, a university professor. After many years of R&D at The Ohio State University, we became a company in 2019.

Since then, it has been a wild ride. When people hear about our approach to zero-trust data security, they get really excited. That is what gave Emre and Hari the validation that this was worth pursuing.

Can you introduce us to what you do? What methods do you use to protect business data?

Traditional IT controls focus on locking down networks, devices, and people. All of this is done in the name of protecting data. But, once files are moved, shared, or stolen, the data is no longer protected. Even worse, these controls get in the way and frustrate business users to the point they intentionally work around them. Anchor inverts the equation by baking protection into the data, invisible to the business users (like antivirus) so that files are self-protecting and free to travel with security out of the way. Simply put, wherever the data goes, it is protected.Anchor is a SaaS platform, with an endpoint component, that bakes protection into your files with a unique transparent combination of encryption, continuous multi-factor access controls, and a digital chain of custody. And when you do share or collaborate, Anchor protection stays with your data, even when it leaves your organization. Anchor empowers you to maintain control of your files while collaborating on-premise or in the cloud, including forensic logging and revoking access.In under 30 minutes, Anchor is fully deployed and empowers your business users to securely work and collaborate without complicated security products or rules in the way. All without requiring you to change existing IT controls or how your users and applications work today.

At Anchor, you emphasize the importance of the Zero-trust principle when it comes to data security. Can you tell us more about this approach?

Since we enable data to be self-protecting and the only way for that data to be accessed in an unencrypted state is by passing the multifactor access controls. Anchor is not only “transparent encryption.”

Anchor has a patented heartbeat technology that constantly verifies access rules in real-time based on a myriad of data sources such as Active Directory, IP Ranges, etc. When an access rule is broken, Anchor instantly revokes access. Even while the file is in use. Trust is never assumed, even after a file is open.

How do you think the recent global events altered your field of work?

It has certainly brought our field into focus and accentuated the importance of not relying on the old “Castle Wall” model of data protection. Microsoft, Githib, and Okta had “all the walls” and “the biggest walls.” Yet the bad guys still got in. And though we have large companies that use us, we have many “mom and pop” companies that use us, too.

They do not have six-figure IT budgets, and that makes them soft targets to bad actors. We are proud that we can serve the “little guy” just as effectively as we do the big guy at a very affordable price.

What are some of the worst mistakes you notice companies make when handling sensitive data?

Placing the burden on the business user to work through complex rules, classification/tagging, or specialized storage to just do their job. When the rules become too much, the business users end up spending more time just trying to avoid the controls. Remember the complex password debacle of the early 2000s?

I was working as the Network Architect of the USDA and C-level executives were taping their passwords to the bottom of their keyboards or, even worse, their monitors. Now business users are doing the equivalent by sending sensitive data to their home email or cloud accounts so they can “just get their job done” via their personal devices.

As more companies move their workload to the cloud, are there any details that might be overlooked when making the switch?

There are so many things you can overlook. Fools rush in, treating the cloud as “just someone else’s computer.” Unless you have ever configured an AWS policy document, you have no idea. The ones that do understand the big difference are typically afraid.

According to a report from the ISC2 Foundation from 2021, 68% of Cybersecurity professionals said that misconfiguration of the cloud platform was the biggest threat. Not surprisingly, the Exfiltration of sensitive data and Unauthorized Access were ranked 2nd and 3rd.

Why do you think certain organizations are unaware of the threats hiding in their own networks?

Because it doesn’t make for great movies. Everyone is so focused on “the bad guy” and protecting from external threats: Russia, Hackers, etc. It is the Bogeyman hiding under the bed. But a 2020 report from Securonix showed that the number one cause of data exfiltration is still employees forwarding work email to their personal accounts.

Since work from home is the new normal, what security measures are essential in keeping not only the organization’s but also its customer data safe?

Actually, working from everywhere is the new normal: Home, the lake, Tahiti. You have to bake protection into the data. Data travels. That is how we release value from data. But since data travels, it can often go where it would rather not: personal accounts, forwarding on to others, thumb drives, etc.

Traditional IT controls focus on protecting the things that house data: Networks, storage, laptops, etc. When data moves to a new thing, it inherits the protections (or lack thereof) of that new thing. Protection that is baked into the data goes wherever the data goes. So, when data travels to someone or somewhere unauthorized, it is unusable.

And finally, what does the future hold for Anchor?

We are listening to our customers and partners that want Anchor to be the data security platform that they can plug all their things into. We are releasing our Northbound and Southbound APIs so that Anchor will take instructions from EDR/XDR, work in conjunction with Data Classifiers, and feed its granular logging to SEIM and LM tools.

There are a lot of other exciting use cases that our customers are eager to explore with our platform that will be enabled with our APIs, such as “Bring your own context.” This allows people to build their own multifactor access control and provide it to Anchor. For example, we may have a business rule that Adam can access this data from his work laptop only while he is in the secure facility. While we can validate factors like IP addresses, etc., out of the box.

The customer could use this new API to validate Adam’s presence in the secure facility by checking that Adam’s Bluetooth device is in proximity to the NFC sensor in the room every 10 seconds. As soon as Adam is not in proximity, access to those documents is revoked, and they are instantly closed on the system. No longer accessible until all of the factors are true again.