How Egress is doing away with usernames and passwords, and making security frictionless

Tony Pepper, CEO of Egress, explains what he's doing to make security a help rather than a hindrance, and how his organisation is finding success at the highest levels of government

Though it hasn't made any public announcement, Egress appears to have won a major contract with the Ministry of Justice.

Log into CJSM.net, the secure communication system used by every facet of the UK's criminal justice system, and you'll see a 'Powered by Egress' logo at the bottom of the screen, and a helpdesk contact in the egress.com domain.

More evidence can be found in the published terms and conditions for connection to the service, which state that it is now run by Egress.

Then there are documents detailing the Ministry of Justice's spending, listing regular outlays of £215,400 going to the software firm since 2017.

Whilst he doesn't comment on the contract, Egress CEO Tony Pepper enthuses about his firm's work with government, and the way in which his organisation is trying to redefine our relationship with security software.

"We're getting into the higher end of government now, working with them to solve problems they've never been able to solve before," Pepper begins.

"We're helping them to share top secret information digitally. Previously the UK government has always been quite draconian in how it has shared the highly classified end of the data spectrum, they've never been able to share that easily electronically, and have often resorted to paper. But with the government going through massive change, that's up for grabs now.

"They've got to find a way to share this information securely, that can save us as a nation enormous amounts of money and be so much more efficient for government."

Achieving the Kitemark

Whilst other firms have tried to crack this particular nut in the past, Pepper explains that only now has an organisation, Egress, met the required standards.

"The challenge has always been finding a software company to meet their requirements. The NCSC [National Cyber Security Centre] has never been comfortable before [with other products], but we've finally cracked that problem.

"So we're now looking to expand into helping customers share sensitive content right the way up the classification spectrum. Which is for us a fabulous opportunity which will open up new markets."

Egress is on track to grow by 50 per cent year on year in 2018, and Pepper puts part of this success down to the fact that Egress is tackling what he describes as a long-standing problem with security tools: usability.

"The technology that we launched earlier this year has been really well received. That's because we're tackling the fundamental problem that security has had for 20 years. It's too hard to use. Ask yourself one question, why isn't data security a household commodity just like anti-virus? The bottom line is it's just too hard work.

"And end users don't know what to protect, or when, it's all too clunky. There's no automation, the technology hasn't moved on in 15 years. Overall it's just not engaging enough. We think we've solved that problem.

"When you share information stuff externally, the barriers are too high still, it's really not frictionless. It's ultimately still seen as a barrier to business. If you really want data security to be adopted by every business and become a commodity, you've got to make it completely frictionless."

Better security through machine learning

Pepper explains that he believes Egress have solved the problem through the use of machine learning.

"We've always had a background in delivering best of breed encryption, and the ability to control content once shared. And then in 2017 we started to introduce machine learning into our platform. Initially it was designed to look for anomalies. Do you mean to share that with those people? It catches certain use cases.

"Then early in 2018 we released a more sophisticated capability using machine learning attributes to help the sender dictate what type of protection the content needs. Does it need TLS [Transport Layer Security] or message level encryption? What classification is it?

"It pulls together somewhere between 40-50 attributes including what you're sending, who to, and have you sent anything to that person before, then it builds a picture to ascertain the risk of that information being shared externally. It then automates how it protects the data in transit, helping the end user to make decisions on their behalf on an appropriate level of protection."

It sounds complicated, which is the opposite of Pepper's stated intention, but he insists that the end user experience couldn't be more straightforward, describing the experience as being "a simple red to green dashboard".

But if it's so simple, why has no one done this before?

"Because it requires a combination of machine learning capability around a host of data around who you're sending to, then checking the domain, the individual recipient, whether TLS is enabled on that domain, how long it's been set up, and all of that is done in the background.

"It also requires other things like document and email classification, which you either integrate with others, or provide your own level of classification, and also the ability to provide message level or TLS encryption, which we do.

"It's gluing together all things we've developed over the last six to eight years."

The dreaded username and password

The next thing on the roadmap is to provide the same level of flexibility and control to recipients of secure communications, which Pepper says will be available later on in 2018.

"The other part is how to make it completely frictionless for people receiving content. If you look at the data security products on the market, access is always via username and password.

"Every product on the market requires you to authenticate that way, without it there's no security. That's where the problem lies because people can't be bothered to do it.

"Instead of asking you to authenticate with username and password, we'll use the same machine learning engine on the sender's side to check the domain and user, and run some DMARC [Domain Message Authentication Reporting] checks; was the domain just set up yesterday or ten years ago? Does it have good solid standards? What's the domain authority?

"Then go to the user and check if you've ever sent to that user before, not just this user in this domain, but any user in that domain?

"So the tool looks at all the attributes of the company and the individual. It's building a security profile of you and your domain.

"Then it looks at other attributes, like the geolocation of what you're pulling in. What device might you be accessing it on? Windows, iOS, or something else, and on what IP address?

"All of these checks are done in real time, asking if it can lower the barrier of entry by not asking you to authenticate with a username and password, but instead give you frictionless access based on all those other attributes?"

This doesn't mean that usernames and passwords will be going away completely, however, as Pepper envisages them still being required for more sensitive information.

"This is where classification comes in, if I'm sending top secret info, I'll probably still want a username and password, and maybe a one-time PIN code."

Pepper says that the level of security needed for a particular type of content can be decided by the business, so that rather than every type being given the one-size-fits-all approach, less sensitive information can be accessed far more seamlessly.
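The recipient checks and classification-based step-up described above can be sketched as a small policy function. This is an added example, not Egress's code: the attribute names, weights, thresholds and classification labels are assumptions chosen for illustration, and only the DMARC tag syntax (`v=DMARC1; p=...`) follows the published standard.

```python
from dataclasses import dataclass
from datetime import date

LEVELS = ["frictionless", "password", "password+otp"]
# Assumed business policy: minimum access level per classification label.
FLOOR = {"official": 0, "sensitive": 1, "top-secret": 2}

def dmarc_policy(txt: str) -> str:
    """Return the p= tag of a DMARC TXT record, or 'none' if absent or invalid."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return "none"
    policy = tags.get("p", "none")
    return policy if policy in ("none", "quarantine", "reject") else "none"

@dataclass
class Recipient:
    domain_created: date         # e.g. from registration data
    dmarc_txt: str               # TXT record found at _dmarc.<domain>
    sent_to_user_before: bool
    sent_to_domain_before: bool
    known_device: bool           # device/IP/geolocation seen before

def risk_score(r: Recipient, today: date) -> int:
    """Sum illustrative weights; higher means less trust in the recipient."""
    score = 0
    if (today - r.domain_created).days < 365:
        score += 3               # recently registered domain
    if dmarc_policy(r.dmarc_txt) == "none":
        score += 2               # domain does not enforce DMARC
    if not r.sent_to_user_before:
        score += 1 if r.sent_to_domain_before else 2
    if not r.known_device:
        score += 1
    return score

def required_auth(classification: str, r: Recipient, today: date) -> str:
    """Take the stricter of the classification floor and the risk tier."""
    floor = FLOOR.get(classification, 2)   # unknown label: fail closed
    score = risk_score(r, today)
    tier = 0 if score < 3 else 1 if score < 6 else 2
    return LEVELS[max(floor, tier)]

# Constructed sample: long-established domain, enforced DMARC, prior contact.
TODAY = date(2018, 6, 1)
TRUSTED = Recipient(date(2008, 1, 1), "v=DMARC1; p=reject", True, True, True)
```

Because the result is the maximum of the two tiers, a low risk score can never lower access requirements below what the classification demands.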

"Ultimately it's enabling you to protect all information knowing you're not going to get kicked back from the people you're sending it to."

He adds that this could push encryption right across the information spectrum, rather than solely being used for the most sensitive data as is often the case today.

"We think this will disrupt how people approach encryption. Instead of people saying 'I'll only protect the top end of my dataset', I think it will push encryption further. If there's no barrier at all in some instances, then organisations will be more likely to encrypt by default.

"We'll deliver this external frictionless capability by the end of the year, and I think it will be a game changer."

Earlier in the same interview Pepper explained why the UK doesn't produce billion-dollar valued companies.