Almog Apirion, Cyolo: “zero-trust is a security approach, not a single solution”
A remote work environment means massive decentralization of business operations, and this in turn brings new security challenges. It is no longer a question of securing the perimeter – now organizations must worry about securing every single device and system within it.
As must be evident by now, integrated virtual private networks and cyberattack monitoring software are really good at keeping the edges of an organization’s system secure. But they aren’t unbreachable. And once the perimeter gets breached, the system is in the hands of a hacker – they get unlimited access to all the data, assets, devices, and applications. Companies need to take on the new approach of securing access points inside their systems as well as outside.
To discuss this in more detail, Cybernews reached out to Almog Apirion, Co-Founder and CEO at Cyolo, a company that specializes in making secure connectivity simpler by using identity-based authentication processes.
How did the idea of Cyolo originate? What has your journey been like since?
My Co-Founders and I created Cyolo in 2019 in order to solve problems that we had personally experienced in our previous security roles. Our aim from the beginning has been to help organizations remain agile, resilient, and productive by securely connecting on-site and remote users to corporate applications, servers, desktops, and files. Given my own background as a former CISO for a global organization, I wanted to introduce a solution that both improves security and, unlike so many existing tools, actually enhances user experience and productivity. I saw how much time and energy organizations spent on ensuring their employees had secure access and connectivity that I wanted to provide them with a product that allowed for peace of mind when it comes to security. In terms of growth, Cyolo has experienced rapid expansion since our inception, and in 2021, we were thrilled to announce our $21 million Series A funding round and an increase in partnerships with global customers and service providers. In 2022, the company will continue this rapid growth with a focus on its international expansion and preparing for our next level of growth.
Can you tell us a little bit about what you do? What are the main issues you help solve?
At the end of the day, what Cyolo does is securely connect users to their work environments. Whether those users are working on-site or remotely, whether they’re company employees or third-party contractors, and whether they’re using IT or OT systems – we enable them to connect securely and conveniently to the tools they need to do their jobs with an identity-based security approach. When users can’t connect easily – for instance, when available bandwidth can’t support a remote worker’s VPN – productivity takes an enormous hit. Likewise, on the security side, we’ve all seen the devastating headlines and understand the potentially irreparable damage a data breach or other type of cyberattack can cause. Cyolo is the only connectivity tool that solves challenges related to both security and productivity – instead of improving one while harming the other, we augment both. Thanks to our distinctive zero-trust architecture, which differs in significant ways from other ZTNA solutions, Cyolo is able to provide secure access in all scenarios, including in cases where zero trust is not traditionally possible, such as in isolated or offline OT networks. Cyolo’s zero-trust platform also provides identity federation and password protection, and because our solution integrates seamlessly with the other tools and platforms our customers are already using, including their identity providers, users gain this added level of security without needing to change their existing routines or work habits. In these ways, Cyolo is changing the way that people connect to organizational computer systems so that companies can maintain productivity and security and, ultimately, achieve peace of mind.
At Cyolo, you emphasize the importance of the Zero-trust principle when it comes to security. Can you tell us more about this approach?
Zero-trust is an identity-based approach and is founded on the premise “never trust, always verify.” Practically speaking, this means all users must be validated each and every time they want to access a company resource, system, or application, and they’re never given access to the full network. In addition, even after their successful initial authentication, users and devices are continuously authorized as an extra layer of security. In contrast, popular network security tools, such as VPNs, work by establishing a perimeter around the network or certain network activity, so once an attacker is in, he/she can access all applications and systems in that perimeter, and breach them. While these legacy solutions may have been sufficient in the past, when most employees worked in an office and IT and security teams were tasked with securing the physical network perimeter, they are no match for either today’s distributed workforce or the advanced cyberthreats of the modern era. With remote work at an all-time high, global connectivity is expected, and cyber attackers are eager to exploit any vulnerability they can find. With a zero-trust approach, users are able to access all the organization’s applications, servers, desktops, and files securely and with ease. From the organizational side, with zero trust, IT and security teams can ensure only authorized users access critical applications and that attackers can’t access them, or even see these applications exist. And in terms of compliance, Cyolo’s ability to control what users have permission to certain access points enables compliance to solve itself. Cyolo aims to help organizations stay agile, secure, and productive wherever their users are located by providing a solution that is easy to deploy, scale and manage.
How do you think the pandemic affected peoples’ attitudes towards cybersecurity?
The pandemic and resultant rise in remote work revealed many vulnerabilities in companies’ security systems – creating a perfect playground for cybercriminals. Many organizations were solely focused on business continuity during those first few months of COVID-19, with security taking a backseat to workflows, production, etc. This lack of security focus allowed cyber threats to flourish as companies did not update their security systems to account for employees working at all different locations and potentially on unmanaged devices as well. Prior to the pandemic, cybersecurity measures were seen as a "nice to have" for many businesses. Now, two years later, enterprise executives are finally putting an emphasis on upgrading their security measures and providing a secure environment for their employees.
What are the best measures companies can adopt nowadays to ensure not only smooth but also secure remote operations?
Zero-trust is a security approach, not a single solution. At Cyolo, we understand that the perimeter has dissolved and we need to protect our assets, applications, systems, data, and devices – and not just our network. Once businesses understand that concept, they can gradually implement various security measures that abide by that concept. Any control that is implemented makes the organization a little more secure than before.
The first thing we recommend doing is adding MFA to critical applications. MFA (multi-factor authentication) means that a user and password are not enough to validate the user, but additional factors are needed as well, such as texting a code to your mobile phone or verifying your device has an updated antivirus. This is because if someone steals your password, they still couldn’t access the application. If possible, organizations should eliminate using passwords altogether, but this can happen at a later stage. Next, we recommend a phased approach of gradually adding zero-trust access for different groups of users, depending on their risk level. In most cases, the first and riskiest group will be third parties who access critical applications. The supply chain is one of the most vulnerable links in an organization’s security, and by ensuring strong authentication for third parties like contractors and suppliers, you can significantly reduce the risk of an attack. Following this approach, third parties and remote users can then be migrated to zero-trust access. Remote connectivity is a huge security challenge since users are coming from insecure networks and possibly their own unmanaged devices. Then, after you’ve already seen success with the previous cases, zero-trust can be rolled out to the entire organization. Finally, we recommend implementing auditing and recording measures in the network. Auditing lets your teams be in control and see who is accessing what, as well as investigate any incidents.
Talking about individuals, what cybersecurity measures do you think everyone should implement?
Security is made up of three components: technologies, people, and organizational processes. Human behavior is unpredictable and can leave the organization at risk, so it is very important to refresh employees’ memories about security policies and provide them with tools to work securely. First of all, if you have to use passwords, don’t reuse them and choose passwords that are hard to crack, i.e. ones that don’t have any related context to the employee. Passwords should also not be dictionary words. Because of remote work, phishing has become a big challenge as we all are used to communicating digitally and receiving company emails with no policies, making it more difficult to differentiate what is real and what isn’t. It is recommended to be on high alert and when there’s even a shadow of a doubt, you should always ask IT. Third, don’t store company information in external locations, like a USB drive or even a personal computer. Fourth, and I know this is a hard one, don’t bypass IT. This phenomenon is called Shadow IT and it happens when employees introduce systems because they don’t want to wait for long approval processes. But Shadow IT could be very dangerous for organizations, as sensitive information could reside on vulnerable systems IT and security don’t even know they should be protecting. One great thing about zero-trust is that the user experience is so agile and easy that employees can get access to anything immediately without having to wait.
Why do you think organizations sometimes fail to see the full scope of their attack surface?
Common conceptions of security are often misguided, and can actually prevent organizations from implementing an effective security strategy and plan. For example, many companies believe that upgrading their legacy systems will keep them secure, but unfortunately, that is not enough to tackle today’s more advanced threat actors. Turning a system like VPNs into what it was not originally designed for is sub-optimal and will not deliver what you need in a timely manner. Additionally, companies think that the cloud is secure; however, the cloud is only an infrastructure that enables convenient access. And cloud providers only secure the cloud itself, not what is actually being stored in the cloud. Lastly, many organizations think their insurance will protect them. But getting insurance is not a replacement for securing the network and applications. The legal, ethical and financial repercussions are far more severe and long-term than what any insurance company will end up paying.
As cybersecurity measures are advancing, so do the tactics of threat actors. What types of attacks do you think are going to become a prominent problem in the near future?
We’re seeing a huge surge in ransomware attacks - both in the number of attacks and the amounts being demanded - sometimes even $50 or $60 million. Attackers are seeing this as a lucrative income method since many companies would rather pay and get their operations back in order before it becomes a media fiasco, so this is expected to grow. Supply chain attacks are also a huge threat, as we are all connected and rely on each other technologically, yet are unable to control each other’s security measures. New supply chain vendors are also becoming vulnerable to attackers, such as SaaS vendors and cloud providers. As more companies go through digital transformation, they become a means to reach large enterprises and tech companies. Therefore, it’s always important to ask how your vendors secure your data and access points. Finally, attacks on critical infrastructure systems will grow as well. These attacks cause widespread alarm and are also a source of financial income, so they’re appealing to attackers in that sense. In today’s world, these types of attacks are also a way of war between nation-states.
What does the future hold for Cyolo?
Cyolo’s ultimate goal is to connect everything based on identities, not just users, to applications and resources.