Say hello to Aren, Founder and CEO of Foxpass!
Aren is a former travel-loving, country-hopping jetsetter-turned-family man with an extensive background in high-level engineering roles such as Vice President of Operations at Bebo, CTO at Third Ave Labs, and Director of Engineering at Oodle.
Join us for a conversation with Aren as we pick his brain for all his insights on network security, building a company, and everything you should know about Foxpass:
Interview with Aren
Shall we begin with a bit of background about yourself?
I'm Aren, the founder of Foxpass. I’ve been doing this for about 4 years now.
Prior to this, I was Head of Technical Operations and IT at Pinterest, and prior to that, I was at Beebo, Oodle, and Danger (they made the T-Mobile Sidekick, if you remember that phone).
And prior to that, I was at Stanford for a Master’s and Bachelor’s degree in Computer Science.
So how did you get started in programming?
My mom brought home one of her office's Apple IICs, one of the early portable computers, and I just found myself trying to use it every weekend, learning as much as I could about it.
I ended up learning a little bit of Applesoft BASIC, and from there was able to make pretty simple programs.
When we got our next computer, I picked up a book on C, learned how that worked, and just went from there.
Wow. So, you were self-taught and went to school as well?
Yeah. That's right.
Most of the programming that I learned before school was all self-taught, then at Stanford, I picked up a computer science degree and did all the CS coursework there.
In terms of applications that you’ve built, what's the least favorite one that you've made? Have you ever made a side project that you don't remember why you did?
I think my memories, at least of programming, are all of school projects.
The ones I make for fun are all great, even if they don't work out, because I at least learned something or got to experiment.
The ones for school were just tough because you're under time pressure and it's all new material. You're not exactly sure exactly what they're supposed to do or how they're supposed to look, so some of my least favorite programming moments are definitely from school, like late nights in the computer lab pounding my head against the keyboard.
Tell me about an event at any of the companies you worked for where you just saw a complete disaster. Have you ever had a moment like that?
I can't think of one that [lasted] 10 hours, but there have certainly been moments of terror when something pretty bad was about to unfold.
I think I've been pretty lucky in that the extended incidents just resulted in two or three or four hours of impairment or downtime.
But there are always times when you thought you'd planned for everything, and there's something else that pops up.
Murphy's Law, I guess. I've had them at every company.
How did you get into server and network security?
It's something I've had to pick up pretty much every role from Oodle on forward.
Either there wasn't anyone in that role, or that person had left the company, and it needed some attention.
Especially at Pinterest, which is common for many new companies, it really was all application developers, and security wasn't as important until you got into onboarding a lot of new people.
That's when access control and identity become really important, because you're onboarding all these new people.
You want to get them into the servers right away, so they can be productive as soon as possible. It's great for morale when onboarding. But at the same time, you have to be careful about who can do what.
You want to be able to respond quickly, both in the onboarding case and the off-boarding case.
What's a big security mistake that you commonly see with engineering teams?
I think the biggest security mistake is sharing credentials. It's really easy.
“Hey, you've got some new engineers on the team. Here's how to log in to the servers, whether that's the username and password that everyone uses, or you share with them the private key that was set up on the server when it was created.”
Those are the biggest and the worst mistakes that I see.
From there, maybe everyone has their separate SSH key, but they all share the same user. That's not terrible, but it's still not the best practice.
Let's say everyone was doing all those things — describe the outcomes. What could go wrong?
I think the worst-case scenario is: you're just not protecting the company.
If someone off-boards or is let go, and they have an axe to grind, if you don't immediately go and rotate all those shared credentials, that person logs into your servers, deletes everything, and causes you a lot of problems.
That's the worst case, but a company's job is to protect itself.
Which is why the company just needs to think about these situations and how to protect itself. That's obviously the worst case; it rarely happens, but if it does, it's catastrophic.
How would you explain Foxpass to the world? What's your favorite piece of functionality that you built out of Foxpass?
Basically, we want to give everyone their own name and password, or their own credentials, to everything in your infrastructure. No more shared wireless passwords on the whiteboard. No more shared usernames or SSH keys to your Linux servers. Everyone has their own credentials.
Now that everyone has their own credentials, you get to transition into access control:
“This person can only access these servers, which is a separate list from Bob over there. He can only access a different set of servers, and on those servers, he's limited in his functionality.”
It's not all or nothing to the whole infrastructure. It's not even all or nothing to a certain server or set of servers. Everyone has granular access that's specifically for them.
Then, on top of that, you can grant temporary access.
You give permission to somebody on a set of machines with either an end date (like a date and time) or an end event.
For example, the example I like to give is: when you have an on-call week, then you'll have pseudo-permissions everywhere you need them. But when your on-call shift is over, you lose those permissions.
You can get them again pretty easily if you ask whoever is on call, but you just don't have them anymore until you're either on call again or you request them. That way, if your laptop gets stolen, the company doesn't have to worry that your keys were on that laptop.
They have full permissions for everything, and there's a lot more service area we have to cover to make sure that there are no breaches.
You started Foxpass out of a problem you saw at Pinterest. If you had to go back in time and do anything different, is there anything you would change about Foxpass? Or maybe mistakes you made early on as a founder?
Sure, tons of mistakes. I mean, my background is engineering, not building businesses. So when I look back, all the things I wish I had done differently are around growing the business faster.
I think we've done a great job of giving all our early customers a really good experience, but there are things we could have done, probably, to find more customers like those earlier on.
What's your favorite random thing a customer said to you?
I think the best quotes that I get are something like, “Wow, I've been looking for this forever.”
Those are the ones where I know that I've found the people that I'm trying to sell to, and that the product that we've built is exactly what they're looking for, just like it was exactly what I had been looking for at previous jobs.
What do you like to do for fun?
I used to enjoy traveling. It's hard to do that now with two kids and a startup.
Now you'll find me at the park with said kids, or when they're napping, I'll be working on my house, which is a passion of mine.
What's the coolest place you've traveled to?
Favorite place I've traveled to...
Well, in 2009, I took a trip around the world. It was only three months, but I got to see parts of the world that were just incredible to me.
Most of Asia was amazing. Southeast Asia, India — just beautiful, beautiful countries and beautiful people. That was probably my favorite part of that trip.
It's so hard to get to those places that I'm glad I got an extended amount of time to see them.
There are a ton of people starting companies and building really great products. Some may not be building them with security in mind from the beginning. If you had any advice to give those founders of those startups, what do you think it would be?
“Start security earlier than you think you might need to.”
First, it’s important to make sure you have a product people want to buy.
If you don't have any customers, you have nothing to secure. But as soon as you start getting traction, start thinking about your security stance.
I think customers are more and more savvy these days and are going to ask these questions earlier than they used to.
“What is your access control strategy? Do you have principles of least privilege?”
Think about these things earlier, so you're not scrambling when they start asking these questions.
Upgrade Your Security
Are you ready to secure your network and keep your business safe? Click here to learn how Foxpass can help you avoid costly security mistakes!
