Security is boring—at least until you don’t have it anymore. Then it becomes exciting for all the wrong reasons. 

In our increasingly interconnected world, it’s also painfully difficult. How do you secure connections to internal devices and external services that you do not and, indeed, cannot own? For enterprises trying to lock down sensitive corporate data in a world awash in personal devices and cloud computing, it’s an exercise in futility. 

Maybe. Maybe not.

Zack Urlocker

Zack Urlocker was just named COO of Duo Security, a Benchmark and Google Ventures-backed security company that aims to make two-factor authentication omnipresent and painless. Is this Urlocker’s next unicorn? After all, as SVP of products and marketing at MySQL, he helped to drive a $1 billion sale by Sun. Later, he went on to run operations at pre-IPO Zendesk (now worth $2 billion). 

Urlocker clearly knows how to build unicorns, but is security ripe for a unicorn-sized exit? 

To better understand the allure of security to Urlocker, I caught up with him to discuss the shift from databases and help desk software to security.

Security Is Big For All The Wrong Reasons

Security has been a big market for a long time, but for all the wrong reasons. And while we like to think of security as someone else’s problem (at least, until our own data is pilfered), a Ponemon study shows that we all bear the costs:

Source: Ponemon

And while malicious criminal attacks account for 42% of data breaches, human error comes in second place (30%). Lost devices or other errors in human judgment open up corporations to all sorts of security problems. 

Making It Easy

The problem for most people, however, is that securing their devices and, hence, their data, can be a pain. Often we won’t bother until we’re forced to do so.

I remember when I first implemented two-factor authentication. My IT team had been pushing me to do it for nearly a year, and I kept resisting because I didn’t want the bother. It didn’t help that some things (like calendars) were shared with other family members on their devices. The thought of having to constantly update the passwords on their devices, and not merely mine, seemed not to be worth the effort.

That is, until my daughter’s Gmail account was hacked.

In this case, the hacker goaded me as I madly tried to get ahead of him to change her passwords. He used the Gmail account to get into her Facebook and other accounts, and used all of them to send vile messages to her and her friends. As I tried to stop him, he IM’d me to laugh at my efforts. It was frightening.

It was the wake-up call I needed, and I implemented two-factor authentication for myself and my family immediately afterward. We haven’t had a problem since (though I wish I could keep my credit card numbers from getting stolen every few months.) 

Since that time, two-factor authentication has become increasingly easy, thanks to companies like Duo Security, which Facebook, Box, Palantir, Yelp, Whatsapp, Etsy, and over 5,000 other companies use to provide simple security to hundreds of millions of users. In fact, Duo’s founding CEO, Dug Song, developed solutions at his previous startup that today secure 80% of the ISPs globally. 

As Urlocker told me, 

Duo makes strong security easy to buy, easy to use and easy to roll into production. Usually security means making things hard for people. With a SaaS solution, it’s easy to deploy. You can get Duo Security up and running in 15 minutes, or a few days for major rollouts, compared to weeks or months with traditional solutions. And it works, too!

That ease of use is essential. I’m a reasonably savvy technologist. No one in my family is. For them to be comfortable with two-factor authentication, it has to be as simple as typing in a password. (Or, in this case, a code sent to them via SMS.)

Learning From Open Source

So how did Urlocker get here from open source land? Duo, so far as I know, isn’t offering its software free over the Internet and charging for support. What can open source teach us about security?

Security, it turns out, has an equally open community, sharing both code and insights into how to secure code. 

Importantly, as he told me, it’s critical to “know how bad guys operate and where the vulnerabilities hide,” not to mention “how customers behave.” The best open source software makes difficult processes easy for developers. Duo is trying to accomplish the same thing for security. 

Which means not foisting silly security policies on users (i.e., forcing them to change passwords every 90 days to equally obscure and hard-to-remember passwords). Duo provides multiple ways for users to authenticate, but the one I like best involves sending push notifications and allowing me simply to respond.

As the thinking goes, anyone can get my password. But getting my password and my mobile device? That’s hard.

Not surprisingly, then, Urlocker finds that certain SaaS categories, like Zendesk, Box, New Relic, HubSpot and Duo Security, “definitely operate at a similar scale” to open-source software, “but with much better conversion rates than we ever had in open source!”

That’s good for Duo, of course, but also for corporate security. Which makes it easier to sleep at night, even if the hackers never do.

Photo by Tim RT