In this Spotlight edition of The Security Ledger Podcast, sponsored by CyberArk*, we interview serial entrepreneur Gil Rapaport about his latest creation: Alero, a new remote authentication tool that promises to fix remote vendor access by doing away with passwords…and agents…and VPNs. If that sounds like a tall order, check out our podcast to learn how he does it!
Third party risk is exploding for organizations, whether they are in healthcare (where EHR hacks are a huge problem) or e-commerce, where groups like Magecart have been targeting insecure deployments on platforms like Amazon’s S3 storage cloud. The fact is: more data breaches and network compromises are being linked to third party vendors such as contractors, managed service firms and SaaS providers. Cyber criminal groups and nation states are pursuing a “weakest link” strategy to gain access to sensitive networks and data – and it’s working.
Authentication: the Weak Link in Remote Vendor Access
That puts the onus on companies to shore up the systems they use to manage third party providers and third party access to their environments. Historically, that job has fallen to technologies like Virtual Private Networks (or VPN), which create a secure tunnel from a third party into protected networks. But these days, few organizations are willing to grant third parties unfettered access to protected networks. Permissions – if they’re granted at all – will be limited to a specific application and a specific user role for that application – a use case that VPN was not designed for.
And even the most granular access policy can be undermined by weak authentication schemes and account takeovers. Simply put: how does your company know that the third party seeking access to your trusted application is who they claim to be? The cost of not knowing is high. Granting access to an attacker or malicious actor – even to a single application – can spell disaster if your organization handles highly sensitive or regulated data. (Just ask British Airways and Marriott!)
Alero: Beyond Passwords, Beyond VPN
That’s where our guest this week comes in. Gil Rapaport is the co-founder of the firm Viewfinity, which made Windows least privilege management and application control software and was purchased by the firm CyberArk back in 2015. An expert in password management and application control, Rapaport is taking on the third party authentication challenge in his next act. As you would expect, he’s doing that by launching a startup, Alero, that promises to solve third party access by dispensing not just with VPNs but with passwords as well.
What’s unusual is that rather than go it alone, this time Rapaport is launching his new company from within the confines of CyberArk itself: turning himself back into an entrepreneur without leaving the company that facilitated his latest exit.
In this conversation, recorded on the sidelines of CyberArk’s Impact Conference in Chicago last week, Gil and I talk about Alero and how it works, as well as the larger problem of moving beyond passwords.
(*) Disclosure: This podcast was sponsored by CyberArk. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.