Joakim Thorén, Versasec: “you need to properly increase the security level for each part of the company”
Global unrest is a convenient time for cyber felons, yet a difficult one for enterprises. As the attack surface increases, so does the need to protect business infrastructure.
Companies are experiencing various cyberattacks, such as password compromise, fraud, ransomware, data breaches, and other threats. It becomes only a matter of time before you experience financial loss or reputational damage.
While getting a Virtual Private Network (VPN) or other traditional cybersecurity solutions can help, they’re typically not enough as the whole organization needs to be protected.
That’s why we invited Joakim Thorén, the CEO and Founder of Versasec – a company that offers highly secure identity and access management products. Thorén shared his views about successful cybersecurity procedures for enterprises.
How did Versasec originate? What would you consider the biggest milestones throughout the years?
Versasec was founded 15 years ago in Stockholm, Sweden. Our mission from the start has been to help organizations manage their digital identities effectively.
The Versasec founders had a solid background in Public Key Infrastructure (PKI) and credential management projects before starting Versasec. PKI projects used to be large, complex, and costly. The Versasec founders saw a need for a product to enable small and mid-size organizations to achieve the same high level of security with PKI-enabled hardware devices without the cost and complexity.
The goal has always been to deliver a Credential Management Solution that grows with the industry. The vSEC:CMS was developed for the small to the mid-size business tier. Larger businesses noticed the simplicity of deploying credentials using vSEC:CMS and all verticals adopted our product, from small companies with ten employees to companies with hundreds of thousands. Since then, vSEC:CMS has grown to manage FIDO2 and supports the largest list of PKI authenticators.
Can you introduce us to what you do?
Versasec’s award-winning product is vSEC:CMS, a credential management software enabling companies to easily manage digital identities with a wide variety of integrations. It was built to sustain a PKI, so it integrates with key functions, such as Certificate Authorities and HSMs. With vSEC:CMS, our customers can leverage a world-class PKI without the cost, technical expertise, or having to deploy to their entire organization. With cyber threats on the rise, companies are paying more attention to their defense strategy. Multi-factor authentication and zero trust are key topics in our industry today, raising awareness about the importance of high-level security. Not all authentication methods are created equal. OTP, username-and-password, among others, are legacy systems that do not use PKI and are under attack. And they have been broken by cybercriminals multiple times over.
PKI uses asymmetric cryptography that makes the highest level of authentication and cryptographic operations possible. Managing PKI credentials across an organization with multiple users, users with different access requirements, and integrations already in use by the company can be cumbersome and complex. A simple platform is essential to manage all these different user permissions and integrations, and that is where we come in.
What are the most common ways threat actors use in an attempt to bypass various identity verification measures?
Threat actors easily attack passwords. Multi-factor is also not immune when the technology is weak, for example, intercepting communications or Man-in-the-Middle attacks for stronger MFA. However, for a well set up and managed PKI, there are so far no effective attack vectors for the actual authentication process. Threat actors will therefore look for other weaknesses in the IT system.
How do you think the recent global events affected the cybersecurity landscape?
Times of crisis heighten criminal activity, as with cybersecurity we saw many companies being victims of cyberattacks around the globe. Decision-makers took notice and placed their organizations’ cybersecurity as a priority, starting to place higher security measures in place.
Besides quality Identity & Access Management solutions, what other cybersecurity measures do you think every company should implement nowadays?
There are advantages to implementing a Zero Trust Architecture if executed properly. I also see value in solutions that provide continuous authentication using behavioral biometrics. But as always, with security, you need to look at the entire IT system and properly increase the security level for each part of the company for a robust security strategy.
As for personal use, what security measures can average individuals take to prevent their identity from being stolen?
Average users’ convenience and comfort can undermine their own cybersecurity. Given the choice between a password or MFA, the average user will choose comfort – easy-to-remember passwords and only one factor rather than multi-factors to authenticate.
If they’re reading articles such as this one, that’s already a win for them. When people gain knowledge of the cyber world we live in today, with many technological advances at the fingertips of cybercriminals, they are more likely to make decisions prioritizing their security. They are more likely to implement strong passwords, multi-factor authentication, and PKI-based authenticators when available.
In your opinion, which types of organizations should be especially concerned about implementing quality identity verification measures?
Small organizations like to think they can cut costs with low-security measures. However, robust cybersecurity infrastructures are now a necessity. In 2022, the market now offers high-quality products that are cost-effective for small organizations, as is the case for vSEC:CMS. We believe small businesses will be big tomorrow, and they cannot afford to be compromised.
What do you think the future of identity and access management is going to be like? Do you think the use of biometrics is going to take off?
In the past years, and more during the recent months, there has been a strong influence and directive from governments on the implementation of Multifactor Authentication (MFA) and Zero Trust. As a result, we are observing changes across the industry. Companies are being challenged to provide users and enterprises with easy-to-deploy products and services.
Cloud is still on the rise, especially for small and medium-sized businesses. Companies are looking for experts to help them drive their security needs. We used to talk about Two-Factor Authentication (2FA), something you have and something you know. Now it is becoming more common to also talk about additional factors, which can be something you are, something you do, and somewhere you are. If used right, these factors can not only increase security but also convenience. Being recognized (biometrics) is typically something humans, in general, appreciate more than having to prove their identity by remembering a secret (passwords).
Combining biometrics with asymmetric crypto is on the rise both with FIDO and PKI, and we are excited about this going forward.
Would you like to share what’s next for Versasec?
Our product continues to evolve and grow. We bring four releases every year to our customers, expanding product integrations, strengthening performance against new threats, and bringing innovative features to lead the way in our industry. Towards the beginning of April, we released our newest version, vSEC:CMS Version 6.3, and it has been a great success so far. This release achieved FIDO management for credentials and as always is a reflection of the entire team at Versasec working together. We are currently working on delivering our software products in new ways that we are looking forward to announcing very soon.