Can you tell me about Passbolt?
Passbolt was founded in Luxembourg at the end of 2016. Our core product is an open source password manager that has been purpose designed specifically with the needs of agile and devOps teams in mind, especially the requirement for collaboration and password sharing, which means they are the ones on the frontline with password management issues. Passbolt helps them centralise, organise and share credentials securely leading to greater efficiency and productivity gains. We like to see it as a 360 degrees toolchain that covers the needs of the various individuals that make up the agile teams: productivity for developers, security for ops, automation for devOps, and collaboration for everyone. It can be easily installed on-prem, used in a secure cloud, or deployed as a cloud-native application and is now also available as a mobile app for Android and Apple devices. Our solution is currently trusted by over 10,000 organisations worldwide, including Fortune 500 companies, journalists, governments and defence forces in more than 50 countries.
What is your role and responsibilities at the company?
I am a founder and CTO at Passbolt and primarily responsible for the technical design of the product. I am also responsible for the overall quality and security of our day to day operations. Last year, in 2021 for instance, we worked in close collaboration with the German cyber security specialists Cure53 to conduct six independent security audits on all aspects of the Passbolt codebase. We also conducted a SOC2 Type II audit which covers the systems and organisational control of the company as a whole. Due to the nature of my role in the business it means that I work very closely with the product team to ensure a constant alignment between the functional scope and the security model as well as participate in the arbitrage wherever there is some tension between competing requirements.
What are the benefits of a password manager?
In simple terms password managers take the pain out having to remember possibly hundreds of different passwords for each application we use. Passwords have become the de facto authentication methodology to login to everything from our online bank accounts to our business files or favorite social media platforms but we are constantly warned about the dangers of using weak passwords and using the same one for every account. Unfortunately, the human brain is not good at recalling the long, complex passwords that we are recommended to use and too many of us still mistakenly choose the easy option, ignoring the advice. A recent survey by the UK’s National Cyber Security Centre showed that the most used passwords still include ‘123456’, ‘123456789’, ‘qwerty’, the word ‘password, which are about as much use as a chocolate fireguard to any hacker.
The large majority of successful cyber attacks are due in some way to poor password management policies. Using a password manager is a very good way to protect passwords by keeping them stored encrypted, making sure that each password is hard to guess and unique, controlling access rights precisely for each user and enforcing the company security policies at passwords level.
In the case of Passbolt it also includes support for multi-factor authentication, provides better control in terms of password usage tracking and reporting as well as automation capabilities for DevOps teams so that they can integrate our solution in their continuous integration and delivery pipelines (CI/CD) or using command line tools (CLI) and software development kit (SDK).
How important is it for businesses to protect their critical data?
The rapid growth in companies going through digital transformation means that every aspect of a successful business operation relies on how they collect, store, manage and access their data; from financial management, HR, marketing, supply chain management and production. It provides the basis for critical decision-making and strategic planning needed to remain competitive. As such, data is a highly valuable corporate asset that has become a major target for cyber criminals and needs maximum protection from robust security technologies and policies.
Deploying the latest cyber security solutions is not just needed from a business perspective, the data protection and privacy regulations such as Europe’s GDPR rules means that any company that stores personal data is legally responsible for ensuring that data is fully protected from deliberate or accidental leakage. With companies facing fines that can amount to up to £17.5m or 4% of global turnover as well the associated reputational damage for any infringement, it makes sound financial and business sense to invest in the protection of critical data.
Moreover, with a lot of organisations' procurement processes, GDPR compliance is part of the required due diligence when selecting a new vendor, even small businesses need to show some proof of security compliance. Insurances also require some form of security baseline to be implemented in order to be insured. Businesses cannot simply ignore the topic and hope for the best.
What do you see as being one of the top emerging cyber trends this year?
One of the most interesting trends I see is the replacement of more traditional security awareness training with more practical programmes that are designed to provide a practical evaluation of each organisation's members' readiness and that is tailored based on their risk profile.
Additionally, I think in 2022 we will again see some issues similar to Log4j. In my opinion as the usefulness and complexity of the open source ecosystem grows, tension will continue to rise between non-contributing members and maintainers of open source projects. Maintainers will be hard pressed by their users to provide better prevention and reactivity to security incidents. These expectations will be hard to meet, and I think we will see some new initiatives to try to solve these problems.
What can we expect from Passbolt in 2022?
We have just launched two brand new mobile apps for iOS and Android. For the rest of 2022, we’ll keep pushing and deliver the features that are requested by our community of users and customers. A very important feature that we are going to release in April is a new account recovery process (also called key escrow). It will make it possible for administrators to retain an encrypted backup of the users’ private keys in case they lose access to their account which is a problem that happens increasingly often when teams are scaling. Then we have more features that will be launched after that, most of them can be seen on our public roadmap on our website.
At an organisational level we’ll keep scaling our team in order to meet with the demand. We are hiring mostly tech people and since we are remote first, we are open to hire absolutely anywhere in the world.