Cybersecurity goes Automated
“The differentiation between humans and code with regard to the aspect of information security management will change. That change will compel security companies to change accordingly," says the founder, CEO and chairman of CyberArk, Udi Mokady, in a special interview with Israel Defense
Ami Rojkes Dombe
| 09/08/2018
Image: Bigstock
The CyberArk Company acquired the Conjur Company of Israel in 2017 for the purpose of providing support for authorization security in dynamic applications. The technology acquired enables CyberArk to secure sensitive information at the container layer, thereby extending the Company's solution range to include programmers as well.
“Until that acquisition, we had managed our data access admin authorizations using static applications. The solution provided security for questions such as which application attempts to access the database, while the primary focus was on a static profile of connections. Over time, we realized that the clients shift toward dynamic applications involving the use of containers. The cheese had been moved, and we wanted to move with it,” says Udi Mokady, the founder, CEO and Chairman of the Board of the CyberArk Company in an interview to Israel Defense.
“In today's reality, the DevOps people have become the primary element in the development process, and we wanted to provide them with tools for securing admin authorizations. The reason for this change is business-oriented. Organizations seek ways to reach the market quickly, so for this purpose, they transfer their applications to the cloud. Today there are organization-wide applications that are being updated a few times daily with new data or new versions.
“This variation rate changes the application testing process. There is no longer time for a testing process that charts where static applications are connected to. Instead, the rapid changes that take place are based on containers, which are, in fact, small pieces of software that communicate with one another. In order to transfer sensitive information between containers, a protocol known as Secrets is used. This profile makes it possible to provide information security at a very early stage of the application development process. Anyone who fails to be there will not be able to ensure protection for the information.”
Different Information Verification Methods
One of the questions CyberArk deals with is how to verify the party requesting authorization. When a code communicates with a code, the process is not based on a password but rather on other verification methods. “If you look at containers, they are pieces of software from all sorts of different places, and we should get them to communicate with one another. How can you tell whom you can exchange information with? These are questions that arise in the context of dynamic application development configurations, to which a solution should be provided. The solution may consist of Secrets, API or any other method,” explains Mokady.
“We at CyberArk want to connect with the verification processes on the human side and on the code side. In this way, we will be able to protect the entire information usage circle. As long as people use computer devices, some form of human verification will be required. It may be a password, biometric identification or any other method, and it will be presented in conjunction with the code-level verification.”
One of the fields that evolve in that direction is the IoT field. Millions of mobile devices are deployed in different locations and require information access authorizations. “We are already there,” says Mokady. “The professional discourse on this subject notwithstanding, a substantial part of the world's organizations still fails to devote sufficient attention to IoT security. Some organizations still deal with password protection. The technology evolves, but in reality, not all of the organizations are there. To attack a toaster is good for conferences and headlines, but major organizations, worldwide, are still dealing with previous-generation problems.”
Another matter that keeps CyberArk preoccupied is GDPR, the General Data Protection Regulation expected to come into effect next May in Europe. Simplified, this regulation sees to it that the personal particulars of the citizens of Europe will be protected against abuse. As part of the preparations for the implementation of GDPR, business organizations are currently reviewing their information security infrastructures. “The primary attack vector against organizations is a search for admin authorizations,” explains Mokady.
“Hackers search, first of all, for the places out of which they can extricate admin authorizations. These authorizations will provide the attacker with the option of reaching sensitive organizational information. Among other things, such information may include the personal information of clients. In such scenarios, CyberArk can be an element of the solution. If the organization protects these authorizations more effectively, the potential of damage to private information stored by the organization (PII – Personally Identifiable Information) will be reduced.
“The beginnings of CyberArk were based on authorization security gaps in Microsoft's operating system. Today, this activity generates a major portion of our revenue, but we evolved to the entire range of connectivity software: operating systems (Windows or Linux), communication devices and more,” explains Mokady.
“The technological developments notwithstanding, in the foreseeable future people will continue to take part in decision making in the context of automated processes. Consequently, admin authorizations enabling management of computer infrastructures and automation processes will remain a critical element of the attack vector. Our responsibility is to continue to protect these processes and infrastructures against the attackers.
“Among other things, we are also examining the use of blockchain infrastructures for identity management. This option is currently undergoing testing in our laboratory. Several such solutions have surfaced recently, but none of them has presented a full-proof, mature product. One should bear in mind the fact that we provide protection to thousands of clients, including some of the world's largest, and they want a proven solution.”
Thoughts for the Future
According to Mokady, the challenge for CyberArk is to continue and provide their thousands of clients with effective protection even against the threats of the future, which is not a simple undertaking. The threats are evolving; new attack methods enter the market and organizations want a dynamic computer infrastructure that would support rapid changes. “The challenge will continue to be how to stretch our solutions so that they apply to dynamic applications. How we can help programmers work securely even at the earliest stages of the code development process. We have recently issued a code for the open source code community. This has been a major change for us. We did that in order to harness this world to our solution,” explains Mokady.
“The time axis dictates a transition of cybersecurity to automation processes. A major portion of the security solutions will have to be introduced as early as the code level. The differentiation between humans and code with regard to the aspect of information security management will change. That change will compel security companies to change accordingly.
“CyberArk provides security solutions for operating systems, cloud computing, and codes. The more we grow, the more expansive the competition field becomes. New or existing companies attempt to enter the field of authorization security. One of them is CA Technologies. The Dell Company had also acquired a company from this field at some point, and there are other companies that observe us and want to enter the field. The differentiation stems from the fact that we focus on this field exclusively and from our desire to remain in this field and continue to lead it.”
“The differentiation between humans and code with regard to the aspect of information security management will change. That change will compel security companies to change accordingly," says the founder, CEO and chairman of CyberArk, Udi Mokady, in a special interview with Israel Defense
Image: Bigstock
The CyberArk Company acquired the Conjur Company of Israel in 2017 for the purpose of providing support for authorization security in dynamic applications. The technology acquired enables CyberArk to secure sensitive information at the container layer, thereby extending the Company's solution range to include programmers as well.
“Until that acquisition, we had managed our data access admin authorizations using static applications. The solution provided security for questions such as which application attempts to access the database, while the primary focus was on a static profile of connections. Over time, we realized that the clients shift toward dynamic applications involving the use of containers. The cheese had been moved, and we wanted to move with it,” says Udi Mokady, the founder, CEO and Chairman of the Board of the CyberArk Company in an interview to Israel Defense.
“In today's reality, the DevOps people have become the primary element in the development process, and we wanted to provide them with tools for securing admin authorizations. The reason for this change is business-oriented. Organizations seek ways to reach the market quickly, so for this purpose, they transfer their applications to the cloud. Today there are organization-wide applications that are being updated a few times daily with new data or new versions.
“This variation rate changes the application testing process. There is no longer time for a testing process that charts where static applications are connected to. Instead, the rapid changes that take place are based on containers, which are, in fact, small pieces of software that communicate with one another. In order to transfer sensitive information between containers, a protocol known as Secrets is used. This profile makes it possible to provide information security at a very early stage of the application development process. Anyone who fails to be there will not be able to ensure protection for the information.”
Different Information Verification Methods
One of the questions CyberArk deals with is how to verify the party requesting authorization. When a code communicates with a code, the process is not based on a password but rather on other verification methods. “If you look at containers, they are pieces of software from all sorts of different places, and we should get them to communicate with one another. How can you tell whom you can exchange information with? These are questions that arise in the context of dynamic application development configurations, to which a solution should be provided. The solution may consist of Secrets, API or any other method,” explains Mokady.
“We at CyberArk want to connect with the verification processes on the human side and on the code side. In this way, we will be able to protect the entire information usage circle. As long as people use computer devices, some form of human verification will be required. It may be a password, biometric identification or any other method, and it will be presented in conjunction with the code-level verification.”
One of the fields that evolve in that direction is the IoT field. Millions of mobile devices are deployed in different locations and require information access authorizations. “We are already there,” says Mokady. “The professional discourse on this subject notwithstanding, a substantial part of the world's organizations still fails to devote sufficient attention to IoT security. Some organizations still deal with password protection. The technology evolves, but in reality, not all of the organizations are there. To attack a toaster is good for conferences and headlines, but major organizations, worldwide, are still dealing with previous-generation problems.”
Another matter that keeps CyberArk preoccupied is GDPR, the General Data Protection Regulation expected to come into effect next May in Europe. Simplified, this regulation sees to it that the personal particulars of the citizens of Europe will be protected against abuse. As part of the preparations for the implementation of GDPR, business organizations are currently reviewing their information security infrastructures. “The primary attack vector against organizations is a search for admin authorizations,” explains Mokady.
“Hackers search, first of all, for the places out of which they can extricate admin authorizations. These authorizations will provide the attacker with the option of reaching sensitive organizational information. Among other things, such information may include the personal information of clients. In such scenarios, CyberArk can be an element of the solution. If the organization protects these authorizations more effectively, the potential of damage to private information stored by the organization (PII – Personally Identifiable Information) will be reduced.
“The beginnings of CyberArk were based on authorization security gaps in Microsoft's operating system. Today, this activity generates a major portion of our revenue, but we evolved to the entire range of connectivity software: operating systems (Windows or Linux), communication devices and more,” explains Mokady.
“The technological developments notwithstanding, in the foreseeable future people will continue to take part in decision making in the context of automated processes. Consequently, admin authorizations enabling management of computer infrastructures and automation processes will remain a critical element of the attack vector. Our responsibility is to continue to protect these processes and infrastructures against the attackers.
“Among other things, we are also examining the use of blockchain infrastructures for identity management. This option is currently undergoing testing in our laboratory. Several such solutions have surfaced recently, but none of them has presented a full-proof, mature product. One should bear in mind the fact that we provide protection to thousands of clients, including some of the world's largest, and they want a proven solution.”
Thoughts for the Future
According to Mokady, the challenge for CyberArk is to continue and provide their thousands of clients with effective protection even against the threats of the future, which is not a simple undertaking. The threats are evolving; new attack methods enter the market and organizations want a dynamic computer infrastructure that would support rapid changes. “The challenge will continue to be how to stretch our solutions so that they apply to dynamic applications. How we can help programmers work securely even at the earliest stages of the code development process. We have recently issued a code for the open source code community. This has been a major change for us. We did that in order to harness this world to our solution,” explains Mokady.
“The time axis dictates a transition of cybersecurity to automation processes. A major portion of the security solutions will have to be introduced as early as the code level. The differentiation between humans and code with regard to the aspect of information security management will change. That change will compel security companies to change accordingly.
“CyberArk provides security solutions for operating systems, cloud computing, and codes. The more we grow, the more expansive the competition field becomes. New or existing companies attempt to enter the field of authorization security. One of them is CA Technologies. The Dell Company had also acquired a company from this field at some point, and there are other companies that observe us and want to enter the field. The differentiation stems from the fact that we focus on this field exclusively and from our desire to remain in this field and continue to lead it.”
