Identity verification for workloads, enterprise employees and end-consumers is the key to creating a world without passwords and a future without massive data breaches. At Comcast Ventures, we’re doubling down on two companies with unique authentication and identity verification technology: HYPR and Aporeto.
Food delivery service DoorDash announced that a data breach occurring in May 2019 had impacted nearly 5 million members, workers, and merchants of the company. Criminals gained access to data ranging from payment cards, bank accounts, names, addresses, and driver’s license numbers. In January 2019, approximately 773 million records were exposed from a series of data breaches at other enterprises that included email addresses and passwords.
Today, with so many password-based apps and services in our digital lives, it’s hard to keep up. I personally count 120 passwords that I’m managing — for everything from my gym membership, to my IRS.gov login, and even a portal I used to track my family’s trip to Disneyland. Unfortunately, hackers realize the vulnerabilities in this password-filled landscape and they’re targeting ALL of us in multiple places.
The problem with passwords
Hackers work around the clock looking for ways to pierce security defenses. Some infiltration methods include back door attacks, denial-of-service attacks, malware, credential phishing, and credential stuffing. Sometimes we even make it too easy for them to steal the keys to our digital lives.
Consider some shocking stats from a consumer survey by McAfee:
- Respondents said they have an average of 23 online accounts that require passwords, but on average only use 13 passwords for those accounts
- 31% surveyed only use two to three passwords for ALL their accounts
- 32% say they forget a password once a week
The problem with passwords goes beyond the fact that we still use them, sometimes carelessly, every day. The bigger issue is that in the past decade, the cost of the password reuse attacks has drastically decreased for hackers, while the cost of defending these attacks has grown for businesses. New tools such as SNIPR and Modlishka have made it easier for hackers to launch automated large-scale attacks to bypass passwords and 2-factor authentication. A single bad actor with minimal resources can launch a significant credential stuffing attack on a large enterprise — trying millions of username and password combinations.
Akamai reported more than 30 billion credential stuffing attacks last year — with malicious login attempts now accounting for more than 56% of consumer banking traffic. And as more businesses move to the cloud, the attack surface has grown larger than ever before.
HYPR: How identity powers security from the outside
HYPR delivers one of the first true passwordless security solutions. Powered by advanced Public Key Cryptography, the HYPR solution combines enterprise-grade security with a mobile-first approach to identity and authentication. Legacy security solutions such as password managers and multi-factor authentication (MFA) attempt to address username and password problems — but rely on a fundamentally outdated architecture of a password database. There are many companies out there with mature security posture who have adopted 2-factor authentication, continue to rely on passwords, and at the same time lack MFA for desktop login and customer-facing applications.
HYPR is helping put passwords in the past by taking a new approach.
“Cybercriminals are going after their favorite target — the password. Armed with passwords from massive breaches like LinkedIn, Yahoo and Twitter, they’re launching credential reuse attacks at a scale like never before.” explains George Avetisov, HYPR CEO and Co-Founder. “It’s human nature to reuse passwords, and adversaries are exploiting this behavior. While big breaches send consumers scrambling to reset their passwords, the aftershock doesn’t stop there. These large scale breaches are devastating and costly to businesses of all sizes and are felt for years after they happen.”
HYPR’s innovation is about eliminating the use of passwords and shared secrets by moving authentication keys to users’ smartphones. Building upon concepts of Public-Key Encryption and open standards such as FIDO, this innovative approach removes the hackers’ primary target — forcing adversaries to attack each device individually — while providing users a secure login experience across mobile, web and desktop applications.
“This approach has been tried, tested and trusted by the government for decades — but has typically required a smart card or Common Access Card. HYPR has taken a mobile-first approach, enabling service providers to replace passwords with a mobile device,” Avetisov says.
(With the HYPR True Passwordless MFA, authentication does not rely on shared secrets, eliminating credential reuse and most phishing attacks.)
Aporeto: Powering identity from the inside
Traditional approaches to security are holding the industry back. That’s why I’m excited about another cybersecurity portfolio company revolutionizing the security industry — Aporeto.
Since Comcast Ventures invested in Aporeto in January 2019, the cyber security company has grown revenue 600%, added multiple Fortune 500 customers and expanded its leadership team with the addition of Sunil Sampat as Chief Revenue Officer and Gregg Holzrichter as Chief Marketing Officer.
Aporeto has developed a scalable identity-based access control solution for securing service-to-service, user-to-service, and user-to-infrastructure scenarios in the cloud. Aporeto’s identity model uses cryptographic methods to fingerprint each workload and merges it with user identity as needed. Finally, a company that’s taking an identity-based approach to the cloud.
Challenges faced using traditional security methods
The old firewalls of yesterday worked well in closed environments but today, the cloud has changed everything. Data is on-premises, on devices, going to the cloud, coming from the cloud, from employees, partners, and vendors. In essence, it’s all about the data today — and protecting them is a priority.
However, appliance-based perimeter security (like firewalls and VPNs) can’t keep up with today’s security needs. And it’s creating holes and gaps in the security.
Traditional microsegmentation approaches rely on IP addresses, which don’t work in today’s hybrid cloud environments because today’s public cloud infrastructure does not make IP addresses visible. Workloads have moved to the cloud for increased IT agility, but with hybrid cloud workloads, security teams can’t keep up with evolving needs. A new architecture is required to ensure consistent security in hybrid cloud deployments.
Aporeto’s bold innovation
Rather than relying on IP addresses or simple token identifiers, Aporeto microsegments enterprise infrastructure and applications based on cryptographic workload and user identities to achieve a Zero Trust posture. Simply defined, it’s a Zero Trust approach to security where nothing is afforded access until verified through a cryptographic ID. Aporeto’s solution protects against attacks and prevents lateral movement with application policies that are portable and persistent for end-to-end visibility and centralized management. All policies for the entire hybrid or multi-cloud environment are managed from a central console, with automatic distribution of global policies to all workloads, including VMs, Containers, Kubernetes, serverless and even lambda functions in the cloud.
I think Aporeto’s Co-Founder Amir Sherif explains it the best.
“With a hybrid cloud architecture, organizations were struggling to protect application to application communication” says Sherif. “To solve this problem, we took a different approach. Aporeto’s identity-based cloud security platform empowers teams to easily authenticate, authorize, and encrypt every interaction within their cloud infrastructure. Now, with Aporeto, our customers can provide just-in-time access to what’s needed, when it’s needed and only when policy explicitly allows it.”
Aporeto and HYPR: Doubling down on identity and authentication
Aporeto and HYPR are creating a new modern security stance. The innovative teams behind these two companies are advancing identity and authentication while gaining ground against the bad guys. That’s why I’m excited about investing in a world focused on identity and authentication — a world HYPR and Aporeto are helping to create. I’m thrilled to partner with these two companies that are taking bold approaches to solving real-life problems for their customers and partners while advancing the whole security industry.