Ryo Koyama, Remote.It: “assuming that your network is unsafe is the right perspective that everyone should have”
As the world gets more connected, threat actors will take advantage of overlooked network vulnerabilities in this ever-expanding global attack surface.
Smartphones, smart devices, and the cloud all serve as evidence that we’ve ushered in an era where the expectation is that we are always connected and everything is connectable. While having everything always available elevates overall capability, not every user is aware of the risks that having everything on the public Internet poses. These days, a single unprotected or misconfigured network endpoint is all that a hacker needs to gain access to someone’s private assets, whether it be a person’s home network or a business’s cloud infrastructure. Experts warn that with everything available from everywhere, the attack surface has never been larger, and continues to grow.
To discuss the challenges surrounding the current networking landscape, we invited Ryo Koyama, the CEO and Co-Founder of Remote.It, a company bringing privacy to networks and networking.
How did the idea of creating Remote.It come to life? What has your journey been like so far?
Mike Johnson (my co-founder) and I have been deep in networking for a long time, having invented and implemented the first hardware (silicon) version of TCP/IP (acquired by NVIDIA). So although we might not be the smartest people in the world, we’re pretty knowledgeable about TCP/IP, especially since the RFCs that explain the protocols are really functional specifications and really don’t get into technical implementation details that building a state machine version provided us. These protocols have been around for almost 50 years and it’s a real testament to the foresight of the fathers of the Internet that their invention has scaled to empower all that we see today.
That said, as the use of the Internet expands from the public world wide web to private use by individuals and businesses, what we see as fundamentally broken is that the same techniques that are used to enable the public internet are in many ways exactly the wrong way to enable the private one. All the hacks that you see happen daily are because the default is to use TCP/IP in a trusted way when there’s clear evidence that following a Zero Trust model needs to be the new normal.
The idea for our core technology started when Mike and I were each installing networked cameras at each of our houses, and we realized that we didn’t really want to expose our home networks to the public Internet. Having built the solution for our own use, we realized that others might want it too – so we started by licensing it to companies. Over time, with the increase in the use of mobile networks (where VPNs don’t work) and the transition of infrastructure to the cloud driving an increased focus on security and privacy – the applicability of our solution started to mushroom to the point where today there are Remote.It protected endpoints in over 194 countries.
Can you introduce us to what you do? What are the main challenges you help navigate?
The challenge of networking is that it’s treated as an afterthought. If you set up a virtual private cloud (VPC) at AWS, there’s a network to manage – and you have to worry about subnet addresses and how they might conflict with other subnet addresses, etc. Then there’s the fact that you need to open a door to the public Internet to allow access and then use IP access lists to control what location has access, then you can finally start to think about who has access, what keys they are going to use, etc. That’s a lot to remember, and a lot to go wrong.
Containers and microservices have revolutionized cloud computing, making resources instantly deployable and truly scalable, but the security, user access, and network provisioning layers are still extraordinarily manual managed processes. What Remote.It does is replace those three layers with one line of code, so that those steps are solved at deployment and built-in from the start.
Our model is “connectivity as code”. At deployment, a developer knows they need access to resources in private VPCs; it makes sense that it’s done programmatically right then, and because our technology adds intelligence at layer 3 of the stack, security and provisioning are fundamental. Since secure connectivity is built-in, unlike a legacy VPN, no public attack surface is exposed on the public Internet. That’s absolute Zero Trust.
From a DevOps perspective, the view is “networks as code” – so instead of being at the mercy of some DHCP server that assigns random IP addresses that no one remembers, we empower the infrastructure team to deploy trusted access directly into whatever they are deploying, so whenever they need to modify access that’s easily done dynamically using tags and roles that can all be programmatically defined and set.
What would you consider the most common threats associated with insecure networks?
Everyone has a deadbolt on their front door and in theory that provides the security, but in reality, it’s their postal code that provides safety. Networking is complex, and attempts at improving usability have created an environment with an abundance of attack surfaces. All global IP addresses and by association any private LANs that are tied to them are vulnerable to attack. For example, one of the worst hacks that happened affected home surveillance equipment in the US. But the hack wasn’t about getting people’s private video streams – it was about using those endpoints to perform denial of service attacks. Similarly, we’ve seen a lot of NVIDIA Jetson deployments come to our solution recently, because their endpoints were being hacked and used for crypto mining. That’s also the big misunderstanding regarding a VPN, which is really just another subnet that you typically remote tunnel to. These subnets often have the same “trusted” model that exists within most LANs, so all the management challenges that exist for private networks exist for a VPN, but in many cases, you are trusting someone else to maintain the endpoints within it. Maybe that “someone else” was busy and misconfigured the VPN, exposing all networked resources on the subnet instead of just the resources required. Many data breaches involve a situation involving human error.
Most concerning is that legacy VPNs are deployed using public global IP addresses. That’s the equivalent of putting your front door in the worst neighborhood in the world.
Do you think the recent global events altered the way the general public perceives cybersecurity?
Widespread cyberattacks have forced awareness of network security, which is good. But the threats are vague and necessary actions are unclear – anytime something is left to “best judgment” there’s just a lot of room for error. The challenge is that the fundamentals of the cloud were built on top of what the public internet needed, while the entire networking industry has been built upon the concept of much smaller highly managed private networks.
Infrastructure virtualization through containers and microservices has unlocked the potential of the cloud. Networking will experience a similar programmatic reinvention; when both pieces together are truly agile, truly private platforms will emerge and provide safer havens for both the general public and businesses.
Why do you think certain organizations are unaware of the dangers hiding in their own networks?
Networks and network connections need the equivalent of the lock that we see when we visit every website. Best judgment and heavily managed isn’t the answer here. A software solution is the only hope for fundamental change.
Common network equipment, like surveillance equipment, and even networked games like Minecraft, encourage users to open up their network to the Internet, with no explanation of the dangers of doing so. The service providers allow the opening of ports, the routers allow the opening of ports, and applications encourage open ports. No one is taking accountability for the danger, even with the reality that their networks are being scanned tens of thousands of times a day looking exactly for this type of vulnerability.
I’m old enough to remember when networks only existed in businesses. Because of the Internet, networks are now part of every environment, but knowledge of networking and security has not kept up. Subnets were created to make up for a lack of IPv4 addresses, but have instead been used to provide “private networks” – and when those networks were air-gapped (not connected to the public Internet) it was an appropriate description.
What are the best measures companies can adopt nowadays to ensure not only smooth but also secure remote operations?
The default of using public IP addresses to access private assets has made the attack surface huge. Threats are constantly adapting because they are able to continuously scan, probe and adapt their attacks. And because of this, best practices have become a moving target, with a real risk of never catching up.
The simplest answer is the best one. Close all the doors, and even better have no doors or windows. Essentially eliminate your attack surface. Assuming that your network is not safe is the right perspective that everyone should have. For cloud assets, other than publicly facing websites, nothing should have a surface on the public Internet.
The best news is that taking the approach of eliminating targets is not mutually exclusive to whatever else they may be doing. Security should mean prevention, but on the Internet, the focus has been on detection. The fathers of the Internet had the foresight to build a completely secure interface into every TCP/IP stack; our invention unlocks the power of that interface to enable a truly locked-down secure connectivity.
As the world starts opening up again, can you share some best practices when it comes to using public networks?
We’ve come a long way since the days of hoping for free wi-fi. The best choice now is to use your mobile phone as a hotspot. In most cases your phone is not going to get a public IP address – so it’s not even on the internet. The danger with a public network is that you are actually joining a private network where you have no idea how safe you are. When I use wi-fi on a plane, I usually do a quick scan and over half the time I can see all the other devices that are using the service. Most crimes are crimes of opportunity, and if you can be seen that means you are providing opportunity. The best practice is to not be seen.
In your opinion, what kind of attacks are we going to see more of in the upcoming years? What can average Internet users do to protect their home networks?
Today, everyone has a lot of networked devices in their home. So most of the attacks are going to be aimed at those devices because they have been built with little or no idea of security built-in (because they are assumed to live on private networks). Increasingly, manufacturers of devices have remote features turned off because it’s the safest way to minimize attacks. But if a user wants to turn remote access on, they can, and that’s when they begin to understand the complexity of doing it right.
Too often instructions from device manufacturers will direct users to open a port in their router to make the inbound connections work. This is going to continue to be the number one attack surface as long as users are continually educated to open ports and rely on port forwarding. It’s no longer acceptable, but we continue to see it implemented that way.
Also, we’ve seen a huge shift in our workforce working from home. Corporate networks have to make remote access safe for both the users and the corporate networks. Implementing VPNs has historically been the go-to method. But that also can create security holes that can be exploited. Not all corporate VPNs are managed correctly - updates and patches have to be applied, user credentials have to be managed, and roaming employees may need their IP addresses updated. All of these require management that can result in security gaps if not done correctly.
Bad actors are counting on finding misconfigured security appliances and open ports. We need to change behaviors and thinking to eliminate attack surfaces.
What does the future hold for Remote.It?
Marc Andreessen said, “software is eating the world”. At Remote.It, we believe that networks and networking will be the next thing that will be solved entirely with software.
In the same way that DNS unlocked the vast potential of the public Internet, by eliminating the reliance on knowing public IP addresses for discovery, our aspiration is to unleash the private Internet by eliminating the need for discoverable public IP addresses for connectivity.
Private assets need to be private, while also being available anytime from anywhere, for those with the proper permissions. Our mission is to enable this reality by being the go-to tool for developers, DevOps, and IT teams to deploy truly private Zero Trust connectivity.