Kevin Dominik Korte of Univention: “Switch to two-factor authentication”




As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Kevin Dominik Korte from Univention.

Kevin Dominik Korte is the President of Univention North America, where he is responsible for the US team and helps clients use Open-Source identity management systems. Univention provides standardized identity management systems for organizations from 5 people to 5 million. Kevin’s team provides Sales, Support, and Professional Services for Clients in the USA, Canada, and Mexico. Optimizing the client’s identity and access management and helping them reach their goals more efficiently is the particular focus of Kevin’s diverse team.

Kevin’s forward-facing personality and broad knowledge make him one of the central individuals in Univention’s North American expansion. He is a trusted voice for both technical questions and the C-Suite.

Kevin gained his initial experience in Univention’s Professional Service Team, where he was primarily responsible for rolling out the world’s first commercial Samba 4 implementations. Kevin earned both his MSc and BSc in Computer Science from Jacobs University Bremen, in Bremen, Germany. A German native, Kevin moved to Seattle in 2013, where he enjoys a seldom quiet life with his wife, two children, and a family of brown bears that often walks through the garden.


Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Growing up in Germany as a middle-class millennial had me experience the advent of our second information age firsthand. Cell phones went from a thousand dollars for a brick to 200 dollars for a smartphone back to a thousand dollars for a phablet. Social media went from the exciting ping of an AOL instant message to Facebook and the horror of seeing people surrender fully to social media. Living through this change in society has taught me a valuable lesson — the need to control your life and your destiny.

Accepting that I only can control myself has been one of the drivers behind my decision-making since then. In addition, it helped develop a keen focus on the things that I can control because even for outside events, you can control the outcome. I now enable others to take control of their world, whether as a Board Member for my Alumni Association, Toastmaster, or assisting people in keeping control over their organizations’ IT. This desire has led me to join Univention, a company dedicated to “be open” in all its endeavors and promote Open-Source and digital control, personally and professionally.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I always had a strong interest in computers and how to push them to the limit. One of the earliest stories that got me interested in preventing security incidents happened when I was 16 or 17. Both my brother and I had Lego robots that you could control with a computer. As brothers are, we had a competition going on. We tried to find out who could make the most interesting, outrageous, over-the-top creation with them. Of course, one day, I came up with the idea that his robot should support whatever mine was doing. After much confusion on his side, he decided to reciprocate, which meant I needed to protect my computer without spending much money, so I started to play with Open-Source tools.

From there on, I developed a strong interest in keeping control of your computer and how to use tools like central identity management systems to make access to the family’s shared printer and storage more straightforward, or at least more interesting for me. Additionally, it got me hooked on the idea that I can always make a slight change in the software with Open-Source to better fit my needs.

Can you share the most interesting story that happened to you since you began this fascinating career?

The change in the perception of cloud services is a fascinating aspect of data privacy. It went from being a bleeding-edge technology to the mainstay and darling of the IT world, to the privacy nightmare and threat to data security. If you look back 5 to 10 years ago, everyone was trying to move workloads into the cloud, and just saying something was a cloud service became a sufficient reason for a decision. With the passage of the Cloud Act in 2018 and the preceding court cases, the rest of the world has woken up to the ownership and access questions in trusting US companies and the US government. Even US companies began to question whether they can trust these entities or need to keep tighter control over their data and metadata. The role of Cambridge Analytica in the US elections just reinforced the notion and made it visible to the consumer. Consequently, this renewed interest in more direct control and closer scrutiny of data and metadata ownership is something that I would not have predicted.

Even more fascinating in this regard is that most of the world is making a strong push for using Open-Source Software to strengthen their control. Whether it is gaia-X [https://www.data-infrastructure.eu/GAIAX/Navigation/EN/Home/home.html] and the Sovereign Productivity Suite [https://sovereignproductivitysuite.de/?lang=en] in Europe, or the Push against CPTPP in Australia [http://osia.net.au/news_press_releases.html], Open-Source is becoming a mainstay around the world. What’s remarkable in that regard is that it isn’t the idea of the software being cheap that drives this development, but the freedom to make changes, analyze the code, and be in control.

I am eager to see how these two trends will continue to play out and how our understanding of privacy and data protection will evolve. After all, the problems that led to both trends did not go away after a single US election. It does not seem that the US government is changing its approach to cybersecurity, and neither are US companies collecting less data. Thus, I predict that the move away from leading cloud services will intensify over the next year.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

I certainly would have been in a vastly different position and maybe even country without my boss and mentor, Peter Ganten. Apart from the shared belief in data privacy and Digital Sovereignty, he provides feedback and guidance to grow.

The most memorable situation happened early in my time in the U.S. I was highly frustrated. When I started my work, I had this notion that customers would see the benefits of my solution, and the phone would ring constantly. Naturally, I had made one deal during the quarter. I will not forget the four-day meeting with Peter at that point. He had the right combination of encouragement and advice to guide me. By now, I am confident to share the vision of controlling your data and your IT with prospective customers.

Are you working on any exciting new projects now? How do you think that will help people?

As said before, the change in trust over the last two years has been remarkable. Consequently, a lot of the projects that I personally and Univention are focused on deal with giving businesses control over their data. If a company goes out today and purchases a piece of Cloud Software, they are buying a black box. They are at the manufacturer’s mercy, and if the said manufacturer decides to sell the metadata or shut down the product, there is nothing anyone can do about it. Thus, a lot of what we do focuses on Digital Sovereignty. Digital Sovereignty means you are in control of your IT, own all the data, and are not at the mercy of any state, business, or another third party. Univention is working together with other big names of the Open-Source industry, such as Open-Xchange and Nextcloud. We aim to create an easy-to-use suite of applications, which gives you this type of control. The collaboration has been a great experience, and I genuinely believe that we can empower businesses to stay in command of their IT.

It is not just the big projects that excite me. Many small and medium-sized projects show our shared vision of self-controlled IT is resonating with the professionals. Just this month, we signed an agreement with a local IT service provider in Florida that is committed to putting their customers’ metadata back into the hands of the respective clients instead of using it as a revenue source. These small projects resonate more with me because I am not the one driving them. I only inspire others to act. That way, data ownership and Digital Sovereignty become a real movement that goes beyond my personal actions.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Dealing with issues in privacy and security, you often feel like fighting an uphill battle. However, users and customers are being trained not to accept five-second load times and to see sharing their personal data as a new normal. Unfortunately, businesses support this behavior by buying a multitude of cloud services from different vendors without evaluating the risks and practices of these suppliers. In the worst case, an attacker can reset the admin password of your business bank account using your mom’s maiden name, which is on Facebook.

When dealing with security and privacy issues that arise, professionals often push back against proposals. For example, “Do we need this cloud service?” or “I cannot sign off on unencrypted password storage.” Instead, it would be much more effective if we advocate for a long-term change in our thinking. We need to create a mindset where everyone in an organization and every consumer thinks about what impact a security breach could have on them and their organizations. A state where everyone considers whether a multinational corporation should be allowed to build a profile of my spreadsheet usage. A drive for everyone to take control of our data and software and not give in to the convenience of things happening to us.

Only if we can get end-users to see data privacy and data security as part of their liberties and get companies to consider both as essential to their core business will we reduce the load of incidents and subpar changes.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

Over the last few years, we have seen a change in perception of the big tech companies and proprietary software. It used to be that IT professionals thought they could trust the big names in tech and use their products without second-guessing whether they have their customers’ best interest at heart. However, with the maturing of the cloud, we have seen a shift in perception. Suddenly, a big name is not enough to build trust. The mindset is shifting from trust to verifiability of and control over the software. This change in attitude has resulted in rising interest in free and Open-Source software. Whether it is the Sovereign Productivity Suite in Europe or the strengthening of code.gov in the US, there seems to be a shift in mindset away from having others exert control over a central part of your life or business.

Talking about change would not be complete without talking about machine learning and automation. We will see many more tasks being centralized and automated in the future. If we look at managing user accounts and access, we can already see that sensible plausibility checks are becoming the norm. For example, can a person indeed log in from a computer in Asia when he worked from home in the US just 4 hours ago? What about if 12 hours are between the two events and the user is frequently traveling? Most of us know these checks from our credit cards, but they are moving ever faster towards becoming a mainstay in IT. Naturally, these systems only work if you have centralized Identity Management Systems in place and can automate data collection and evaluation. After all, allowing or denying access cannot stop while the admin is getting their next coffee.

In the long term, advancements in quantum computing will bring us significant security changes. Today’s encrypted connections are nearly unbreakable even with the massive cloud computing powers available, which leaves user passwords as the traditional weak point. Once we master quantum computing, we will need to rethink all these algorithms that protect our digital life. From the way we log in to online banking to how we store government secrets and personal data. Many companies are already behind in securing their infrastructure and user accounts against traditional attacks. It will be scary to see what will happen when we need to transition to an entirely new suite of encryption methods. Especially if we need to change the way users authenticate their own identity.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Passwords are reaching the end of their usefulness. Unfortunately, computers are much better at guessing passwords than we are at remembering them. So, we need to convince users and employees to use either token-based authentication or, even better, two-factor authentication. For businesses, that often means they must evaluate which applications they can support, which cloud services offer these methods as part of their service, and centralize the Identity Management to support more secure authentication methods. While most Fortune 500 companies are ready for it or have already deployed these services, SMEs are as unprepared as consumers.

Centralization and automation also help with dealing with another threat. We have a wave of retirees coming. Many of them include the senior management in the big IT departments. We have nowhere near enough people coming in to fill these positions and keep systems secure. Especially in companies that are less attractive but critical to our infrastructure, like pipeline providers or utilities, we will see increased vulnerabilities.

More retirees also imply that IT will have to off-board more people. Unfortunately, many home-grown IT systems in medium-size companies still do not have their identity management systems integrated. Unless this changes, we will see retirees that keep accessing accounts in previously used systems, which creates backdoors as passwords are not changed.

One aspect where automation might throw a wrench into the gears will be machine learning or what the media likes to call AI. These algorithms can help us tremendously to reduce workloads and improve threat response. However, we all too often work on the assumption that the algorithms are correct. Yet, in most fields outside IT, whether hiring or criminal justice, we know of systemic biases within the algorithms. Therefore, we must start assuming that we face similar problems when utilizing machine learning for computer security. Unless we are willing to question the results and control not only the input data but also the model, we cannot just assume that the output is correct.

How does someone who doesn’t have a large team deal with this?

The first big things are automation and integration. A lot of IT and IT Security issues arise because a human repeats an action multiple times. We all love changing our passwords, using our phone for two-factor authentication, and logging into yet another website. If I must do it once, I can see the benefits. If I must do it twice, I might question the usage of time. If my employer makes me maintain five different passwords in five applications, chances are, I will ignore the text messages and never change the password. Likewise, suppose an admin has to enter the same account information into multiple applications. In that case, the chance of a mistake grows, as does the amount of wasted time and ultimately the frustration. Thus, integrating your IT into one well-thought-out system is a key to reducing the workload.

Intricately connected is the idea of letting computers handle grunt work. No administrator should monitor routine loads, usages, and log files. Monitoring tools and dashboards, like Grafana, can control these and alert you whenever there is a trend that requires your attention. I know there is a morale boost to seeing a dashboard all green, yet there is no need to stare at it 24/7. The same is true for reminding people to change passwords or install updates on servers and endpoints. No one in IT should have to deal with it or be forced to decide between overtime and a security incident.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

Humans are creatures of habit. If your boss requests a specific document every Tuesday at 9 am, and suddenly you are supposed to send it to his private E-Mail at 7:30 pm on Friday, it would be wise to pick up the phone to confirm it. It would be best to question anything that breaks an established routine because it might not be a legitimate request and because it makes your work more complex.

When using cloud services, watch for a decrease in engagement. Businesses need to keep in contact with their customers to drive recurring sales. If the line of communication breaks down, it is a good indicator that things are not running smoothly.

Third, you do not know who owns the data and metadata, or you receive a sudden clarification from the provider on data ownership. In the past, it was relatively easy. Data was on your server or computer, and you had complete possession of it. In the age of smartphones, software as a service, and cloud computing, the lines are blurrier. Cloud services mostly own the log files and metadata and might reserve a license to reproduce your data. If the terms and conditions do not spell out what is collected and who owns the data, that should be a big red flag.

Alarm bells should go off if a “routine” change in the terms and conditions changes responsibilities or ownership questions. That might be a sign that a business is trying to protect itself after a breach. Same, if a change excludes class action lawsuits or mandates arbitration.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

Our mission is to allow businesses and people to keep control over their data and IT. Thus, privacy and data protection are built into our business decisions and our products. Therefore, I am thrilled to say that there were only minor changes to our products and practices needed.

In general, I believe that these measures are not going far enough. It is still possible to collect and sell vast amounts of customer data without needing the consumer to make an informed decision. Suppose you investigate the big cloud services today, whether aimed at businesses or consumers. In that case, most reserve considerable rights for themselves in the middle of the Terms and Conditions. Requiring everyone to prominently tell their customers that they or their personal and business data are the product that is being sold is the only way to create awareness for the issue.

What are the most common data security and cybersecurity mistakes you have seen companies make?

From my point of view, a fractured IT environment is the biggest problem in many companies. It overloads technical staff with menial work. Step by step, everyone remotely related to IT is creating users and resetting passwords in multiple systems. No one has time to evolve the IT environment. Moreover, training and retaining IT staff is expensive. So when everyone is doing help desk work, it is highly likely that they are not giving their full attention to their real tasks, which compounds the problem by introducing errors. After all, how often can you enter the correct e-Mail address before your mind starts to wander?

At the same time, it makes it harder for users to develop a security-focused mindset. If you must remember five or more passwords, they are going to be simpler. If you have to log into each work-related application separately, you will avoid waiting for an SMS. If you need to search multiple applications for a piece of communication or update numerous applications to store correspondence, you will find a shortcut or cut corners.

Besides the paycheck, we are looking to find pleasure at work. Ease and success are the two things that drive us. Unfortunately, a fractured IT environment overloads users and administrators, and when corners are cut, security and privacy suffer. Thus, integrating your environment and taking control of the overall design, from the user account management to the data storage and retrieval, is the critical step to reducing the workload and making all other security enhancements possible.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

“Everyone is at home; we quickly need to add an online storage service!” — Click & bought. “Our ERP has an internet connection module, so people can remotely work with the data!” — Click & bought. “Yes, I have imported the users into both. The password is ‘password’, and the users are reminded to change it.” I think everyone can see where we are going. “Why is our data on the internet?” “What do you mean, half the users still have ‘password’ as the password?”

When adapting to the pandemic, a lot of companies quickly added to their IT. Users had to work from home at a moment’s notice. Even for the ones still in the office, the interaction between staff had to be minimized. It is a testament to the strength of our IT staff that we were able to turn so many companies around so quickly. However, most of these companies did not do so in a structured way. That’s why many environments now look like Frankenstein’s monster. Here something was stuck on, there a barrier was broken. Documentation and security analysis were skipped, and reading the terms and conditions was already rare and ignored even more. Everyone was happy that it just worked and probably a bit amazed about it, too.

Now, we slowly see the costs of quick action. Needing to integrate user accounts and enforce security policies becomes necessary, all while pushing back against the routines employees outside the IT department have developed over the last year.

At the same time, the fractured IT has left administrators with little time to develop their infrastructure. It’s a combination that creates the perfect catastrophe just waiting to happen. Taking control of this mess and creating a coherent IT environment will be a task that has to be tackled as soon as possible. Hopefully before foreign hackers realize that we have many more pipelines and refineries that make excellent ransomware targets or are able to siphon all our innovations from US companies.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

  1. “Yes, I accept the terms and conditions.” — “Here is my mother’s maiden name” — “I prefer the following cloud service for handling reimbursement requests.” — “This was the first name of my best friend in primary school.” — “Of course, please e-mail your newsletter here.” We live in a world where we accept signing up for services and giving away a tremendous amount of information. We are so used to it that we rarely question whether it’s a good idea. Hackers used these five innocent questions to find out C-Level execs’ reimbursement platforms and change the account for the reimbursements, thankfully just as an exercise. It only worked because these mid-size companies had separate passwords for yet another cloud service.

As professionals, we should think about what we require users to share, and as end-users, we should think twice about sharing information on the internet. Likewise, we should think twice about whether we need another faceless cloud service provider for our business or whether a local company can provide us with a more complete and customized package.

One way to avoid sharing is, of course, an integrated environment. For example, Dermatology Partners [https://www.univention.com/referenz/pennsylvania-dermatology-partners/] is a group of numerous dermatology offices on the East Coast. Over the past year, they have nearly doubled the number of doctors and office staff working for them but kept the number of IT staff constant and their environment safe and secure. That growth was only possible because the environment is tightly integrated. The integration reduces the workload and error rate. That way, adding a user only takes 30 seconds with little chance of errors anywhere down the line.

Switch to two-factor authentication. PrivacyIDEA [https://www.privacyidea.org/] is a fantastic Open-Source tool to enable your company to use two-factor authentication and Single Sign-On. Two-factor authentication requires more than a username and password for logging in to an application or even your computer. It helps keep your login secure compared to just a password. Especially as computing power becomes cheaper and cheaper, it will become less of a problem to guess logins or reverse engineer passwords from previous data breaches. Thus, requiring the usage of your phone or a token to log in is the only way to mitigate this without overburdening the user. Even for personal logins, such as Gmail, it is a good practice to enable two-factor authentication.

If the idea of someone trying to poison your tap water scares you, you are probably not alone. Hackers already tried it in the US [https://abcnews.go.com/US/outdated-computer-system-exploited-florida-water-treatment-plant/story?id=75805550]. All thanks to outdated software being run on the system. Security updates and version updates should not be left to chance, and automating your test and update procedures is critical to keeping your infrastructure secure.

Lastly, do not let your staff do work that a computer can do. Data breaches have gone unnoticed because the team was too stressed out with other routine tasks to notice something was off. From senior homes [https://www.infosecurity-magazine.com/news/2year-data-breach-at-florida/] to Amazon, if repetitive work is not automated, it’s prone to errors and consumes valuable time. From automated monitoring to sensible defaults that reduce user input, anything that helps administrators to focus on the bigger picture should be considered — both for the well-being of the staff and the security of the company’s data.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

My mission in life is to have people take control of their own life. No one should act just because everyone does so or because a computer tells them to. A significant first step for everyone to take is to think for 30 seconds about the privacy implications when you sign up for a new online service, game, or business application. Do I want to share that much data, or do I give up too much when pressing the sign-up button? Making this small change puts us more in control of our online profile and, given the prevalence of the internet, our lives.

How can our readers further follow your work online?

You can follow me on Twitter [@univention_us] and LinkedIn [www.linkedin.com/in/kevindkorte] for the latest updates.

Alternatively, I enjoy a well-written, old-fashioned letter, as US laws protect it much better than any online communication.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

Thank you so much for having me, and remember, only if we control our data and software are we in control of our digital life.

