Meet Alan Duric, co-founder and CTO/COO of Wire, a secure collaboration platform. He is an experienced leader with a strong background in real-time communications. He’s the co-founder and CTO of Telio Holding ASA, and Camino Networks, which was acquired by Skype/eBay. Duric is an early pioneer of VoIP technologies and a driving force in the standardization of the speech codecs that led to the WebRTC standard, which revolutionized how real-time communication products are built today.
Here, we talk to Duric about the various threats facing enterprises today, as well as how organizations can protect their employees and assets, and how organizations (and vendors) need to make a fundamental change to how they operate by implementing better security, technology, and approaches to build a security-first infrastructure.
Security magazine: What is your background, and what led you to the role of CTO and co-founder of Wire?
Duric: I have been in the Voice over Internet Protocol (VoIP) space for over 10 years now and have been in the tech industry for even longer. Before creating Wire, I worked in other tech leadership roles. I was a founder and CTO at Telio and was CTO at Camino Networks, which was eventually acquired by eBay/Skype. I’ve had the good fortune of working on the early front lines of VoIP, and was able to play a fairly big role in driving the development of WebRTC which is still used in many real-time communication products today.
What led me to my role at Wire was my desire to continue pushing the envelope and innovating in the collaboration tool space. Wire sprouted from a very organic process, driven by what the collaboration tool market needed. It began when a few of my partners and I realized that the VoIP and messaging space was moving towards mobile devices. We noticed that some providers were beginning to work towards fulfilling this need for better mobile communications, but also identified some huge gaps in the market. For example, Skype was changing the way we all communicate - through simplicity and accessibility - it allowed folks to talk to anyone around the world, but they were tailored for desktop use. In 2012, WhatsApp started picking up, allowing users to message easily on mobile devices but without any voice calling capabilities. Viber then emerged, and had good messaging and calling but no security. We realized that the collaboration space lacked a solution with: a good user experience, focus on mobile capabilities, and strong security and privacy. We felt that we could fill these needs, and that is how Wire came to be founded.
Security magazine: What are the biggest security and privacy issues that organizations should be aware of with collaboration tools?
Duric: Many messaging tools have become ubiquitous, but do not protect consumer data with essential Zero Trust technologies like end-to-end encryption (E2EE). The pandemic has put a spotlight on the collaboration tools space due to it’s growing use in our new fully remote work environment. This rapid and unplanned shift revealed the many flaws that existed and still exist in collaboration tools, especially messaging and video conferencing tools such as Zoom, Microsoft Teams, and WhatsApp. For example, Zoom saw a number of security issues ranging from bad actors hijacking private video conferences (aka ‘Zoombombing’) to egregious privacy issues like user data being used for ad targeting without user knowledge or permission. A combination of low barriers for entry for conference calls, integrations that led to backdoor security weaknesses (in the case of Microsoft Teams), and heaps of data privacy violations have all caused growing distrust in collaboration platforms and the security, or lack thereof, that they provide.
The bottom line is, if companies that develop these tools do not prioritize security for their own products, do not expect them to provide you with a secure solution. The seriousness of data privacy has only become more prevalent through the enactment of legislations such as the GDPR in Europe, and the newly passed CPRA in California. These movements towards data privacy show us that governments are starting to take this issue more seriously, meaning companies that push the boundaries without concerns for data privacy will start to feel more pressure to re-evaluate policies and technologies as time goes on.
Security magazine: How has the pandemic influenced these issues?
Duric: The pandemic really brought a lot of these pre-existing issues to the forefront. At the onset of the mandated lockdowns, millions of employees were shifted to remote work so suddenly that organizations had little time to thoroughly think through security implications. Remote employees inevitably created a higher level of cyber risk by operating outside of perimeter-based security (e.g. company firewalls, secure internet access). With employees working from unprotected home networks and possibly using devices or software that are not IT sanctioned, cybercriminals have new opportunities and vulnerabilities to attack and exploit.
Understandably, organizations were mainly concerned with handling the huge transition from in-office to remote work and simply sought out tools that were quick, accessible, and designed for hyper-connectivity. What those organizations soon learned is that those types of tools often make security and privacy sacrifices/shortcuts in order to maintain a simple user experience and compatibility with other applications. Security was an afterthought given the spate of cyberattacks (spiking as much as 400% in April) and glaring security issues that popular tools like Zoom and Microsoft Teams experienced at the beginning of the pandemic. The large influx of users drew the attention of cybercriminals and they exposed the flaws within these solutions.
Security magazine: What do companies need to know in order to best protect their employees and their data privacy? What is needed to ensure secure remote work?
Duric: Having a security-first infrastructure has become a crucial step for employers to implement this year for the protection of both their organization and employees. Many teams have recognized the importance of security and have started to prioritize patching and reworking aspects of their technology to anticipate threats. At the end of the day, however, these are retroactive fixes and will not be enough. Instead, organizations (and vendors) need to make a fundamental change to how they operate by implementing better security, technology, and approaches to build a security-first infrastructure. Here are three elements that should be included:
Transparency: Maintaining trust with users is critical and being transparent is vital to building a solid reputation for a platform. This approach can involve: adopting an open source approach, third party audits, and clear privacy policies. First, making a platform open source will allow developers outside the organization to review the code and ensure that any promises of data protection are followed through. Third party audits bring in security experts and researchers to conduct independent and in-depth analysis of a platform, providing a credible review that users can trust. Clear privacy policies give users better insight and confidence on the solution’s inner workings, especially with the management of sensitive data. Transparency is crucial to the success of a security-first architecture.
Zero Trust: Zero Trust is a security model that assumes that all data, devices, apps and users inside or outside of the corporate network are inherently insecure and given limited access. A truly holistic Zero Trust model applies to everything including policies, technologies and human behavior. Zero Trust also requires the utilization of technology such as: end-to-end encryption, multi-factor authentication, identity access management, network segmentation, and other system permissions which must be implemented.
End-to-end encryption: The definition of “end-to-end encryption” has become more unclear given its heavy usage in marketing materials and claims by companies that are not implementing it properly. Not all E2EE is created equal and multiple protocols do exist, but a good standard is being AES-256 bit, which can protect against side-channel and man-in-the-middle attacks. Key management is another critical aspect of encryption as gaining access to the keys can easily unlock encrypted files or messages. Look for strong systems like a double ratchet algorithm, which allows every message, call, and file to be separately encrypted on every device, with keys generated from the device rather than a server. Aim to protect information to the smallest possible unit as it would make it far more complex to decrypt and pick out specific data.
Security magazine: What will be most important for organizations to keep in mind moving into 2021?
Duric: In 2021, it’s possible that the global economy will shift to single-digit growth, as countries begin restarting economic activity in the aftermath of COVID-19. However, as remote work and insecure data practices persist within most organizations, cyber breach costs are slated to hit double-digit growth across all industries, with cyberattacks being the 4th highest risk for doing business in the world - right after fiscal crises and infectious diseases. Unless corporations, government agencies, and countries figure out how to mitigate these cyber risks, the global community could suffer catastrophic economic losses that will take years to rectify.
This will mean that organizations will see greater value in technologies that secure their operations while maintaining mobility. Organizations will selectively choose tools that can serve them in uncertain circumstances, which makes solutions with a security-first approach more appealing. Cyberthreats are not going anywhere, and if anything they will only continue to rise with companies starting to adopt permanent work from home policies. E2EE and other Zero Trust technologies will no longer be an optional component, as they will become essential to ensuring that both the company and its employees are kept safe from malicious actors looking to exploit new remote work vulnerabilities.
Customer demand for privacy and security has surged, and by the end of next year companies will expect and incorporate more security technologies across all communication and collaboration tools. Looking back at 2020, a security-first approach will be essential in the coming year as the rate of cyberattacks will likely hit an all time high. Luckily, organizations have more security tools available than ever before and all they need is a strong resolution to prioritize security in the new year.