What if you could protect your organization's data as effortlessly as sending an email? Join us for an enlightening conversation with Matt Howard, a veteran IT professional whose career spans the dawn of the application service provider model to the forefront of open-source software and application security. Matt’s experience at tech conferences like DEFCON and Black Hat offers a firsthand look at the evolution of IT security. From his early days navigating the chaotic tech landscape to mastering the full technology stack, Matt’s journey reveals critical insights for anyone aspiring to excel in the field of IT.
Discover the future of data security architecture as Matt delves into the complexities of securing data within the finance industry and beyond. Learn how adopting a granular security architecture, similar to microservices in software development, can revolutionize secure data sharing across organizational boundaries. Through real-world applications, such as military alliances needing instantaneous and secure information exchange, Matt emphasizes the importance of dynamic, policy-driven access controls. His insights paint a picture of a more interconnected and securely collaborative world, one where data protection adapts to the demands of the moment.
Trace the historical milestones of data security with Matt, from the emergence of thin client computing to the rise of cloud services and microservices. Hear about key developments like Lotus Notes and the vital role of cryptography, as well as the modern-day necessity of encryption. Learn about Virtru’s innovative approach to simplifying data security with user-friendly encryption tools integrated into everyday platforms like Gmail and Outlook. Lastly, Matt introduces us to the Trusted Data Format (TDF) and the OpenTDF project, shedding light on how they provide granular security benefits and regulatory compliance. As we conclude, Matt shares the privacy-centric philosophy of Virtru’s founders and how you can connect with him for further insights.
Speaker 1: How's it going, Matt?
00:00:01
It's great to get you on the podcast.
00:00:03
I'm really excited for our conversation here today.
00:00:07
Speaker 2: Yeah, hey Joe, how you doing.
00:00:08
Glad to be here.
00:00:08
Thanks for having me.
00:00:10
Speaker 1: Yeah, absolutely.
00:00:11
It's an interesting time.
00:00:12
I feel like everyone's recovering from the DEFCON Black
00:00:16
Hat scene in Vegas last week.
00:00:18
Did you end up making it out there?
00:00:21
Speaker 2: I was not there this year but I know a number of
00:00:25
people that were and I agree.
00:00:26
Speaker 1: I think people are still recovering. Oh, yeah, yeah,
00:00:30
I um, I skipped this year very intentionally.
00:00:33
I needed a break from last year because last year was non-stop
00:00:38
meetings all day long.
00:00:39
I couldn't even enjoy the conference, and then you know
00:00:43
afterwards, of course, is after all the you know after parties
00:00:46
and all that sort of stuff.
00:00:47
So it was a much needed, much needed break.
00:00:53
Speaker 2: Yeah, 100%.
00:00:53
It's probably controversial to say this, but from the folks
00:00:58
that I know and talk to, it feels like, you know, Black Hat
00:01:01
is a little bit closer to RSA than it used to be, and that
00:01:05
trend is it just gets bigger and bigger and interesting times
00:01:10
indeed.
00:01:11
Speaker 1: Yeah, yeah.
00:01:12
I don't like Black Hat honestly, because it is just like RSA
00:01:17
and for me, you know, I don't want anything to do with that
00:01:21
world, right, I kind of I talk to vendors, you know, on a daily
00:01:25
basis already.
00:01:26
I'm already looking at new tech all the time, you know.
00:01:29
So, from from my perspective, it's like when I go to, when I
00:01:33
go to DEFCON, like I don't want anything to do with the Black
00:01:36
Hat scene.
00:01:36
I even try to stay away from RSA.
00:01:39
I went once and I was like, yeah, this, this is enough for
00:01:42
me.
00:01:42
That's funny.
00:01:45
Yeah, so, Matt, how did you get into IT?
00:01:49
And I start everyone off there.
00:01:50
I'll tell you why.
00:01:51
It's because there's a portion of my audience that could be
00:01:55
trying to get into IT for the very first time.
00:01:57
Or they're trying to get into security for the very first time
00:02:01
and they're not sure if it's possible for them.
00:02:04
And I remember when I was going through that phase and hearing
00:02:06
someone with a similar background to me getting in and
00:02:10
being successful on that route was really all I needed to hear,
00:02:14
right?
00:02:14
Because it's like, okay, this is difficult, but if this person
00:02:17
can do it, we come from similar backgrounds.
00:02:19
Maybe I can do it too.
00:02:20
So what's your background with that?
00:02:23
Speaker 2: Well, I'm officially a dinosaur in this industry
00:02:27
these days.
00:02:28
I kind of made my first real step into what you would
00:02:34
consider to be, I think, modern IT all the way back, you know,
00:02:38
kind of in 1999, 2000, at a company called US
00:02:42
Internetworking which was the world's first application
00:02:46
services provider.
00:02:47
You know, the idea was you would build this thing called a
00:02:49
data center and you would run these things called applications
00:02:52
inside of the data center and you would deliver those
00:02:55
applications back to customers in a service model.
00:02:58
So it was the precursor of SaaS.
00:02:59
And you know, you think it seems like a really good idea to
00:03:05
kind of go to market in a model like that, and it is.
00:03:10
I mean, certainly there was a tremendous amount of learning
00:03:12
and value created as a result of that.
00:03:14
But at the same time there's a lot of challenges that surface
00:03:19
along the way, not the least of which is security.
00:03:21
So when you're touching other people's software and you're
00:03:24
hosting other people's applications and you're doing it
00:03:26
in your data center, you better be really good at your job lest
00:03:30
there be any kind of risks that you undertake on their behalf.
00:03:35
But that was my first foray into what I would consider sort
00:03:40
of the IT world.
00:03:42
I was always a little bit more interested in kind of higher up
00:03:47
the stack applications as opposed to sort of lower in the
00:03:50
stack infrastructure.
00:03:51
But understanding the full stack, I think is important for
00:03:56
anyone looking at the world today.
00:03:59
You know it's important to have broad perspective on all phases
00:04:04
of the stack.
00:04:05
But as an applications person, you know, I eventually kind of
00:04:08
made my way into a couple of my own companies and then, you know,
00:04:13
became intrigued with open source and how open source, you
00:04:16
know software was increasingly being used to build applications
00:04:19
and software developers were increasingly assembling third
00:04:22
party components, components from these third-party open
00:04:25
source ecosystems.
00:04:26
And then you get into this whole interesting question about
00:04:28
like, well, how good is the software that an engineer is
00:04:30
actually building?
00:04:31
Most of the code that they're actually putting into the
00:04:34
application is borrowed from third-party open source
00:04:36
ecosystems.
00:04:37
Like, what's that all about?
00:04:38
Um, and you know so, along the way you get exposed to not just
00:04:43
security as it relates to kind of the infrastructure that
00:05:04
you're responsible for managing.
00:05:06
You get exposed to really interesting and different
00:05:08
questions with regards to, you know, creating really granular,
00:05:15
really small policy, access control and security governance
00:05:23
that is designed to protect the data itself, I mean, for a long
00:05:28
time now, and I think we've all seen this.
00:05:30
In this world that we're living in, whether it's an RSA or Black
00:05:34
Hat or pick your favorite conference that you might go to,
00:05:37
the number of identity and access providers there is
00:05:40
mind-boggling.
00:05:41
You know, you got your big players like Okta and the rest.
00:05:43
It's got all these endpoint players protecting these
00:05:46
endpoint devices.
00:05:47
CrowdStrike, you've got.
00:05:49
You know, the network security guys.
00:05:51
Pick your favorite flavor of network security, whether it's
00:05:54
Zscaler or um, you know.
00:05:57
Pick your favorite one of those guys.
00:05:59
You know the micro segmentation guys.
00:06:01
Then you get the application security guys and there doesn't
00:06:04
seem to be, in my view, at least historically, enough attention
00:06:09
being put on to who's out there doing really innovative work
00:06:13
with open standards that's designed to protect the data.
00:06:17
Forget about the endpoint, forget about the network, forget
00:06:21
about the identity.
00:06:22
Let's just assume that we've already been breached, because
00:06:24
that's unfortunately a reality that many of us are contending
00:06:27
with, and if that's the reality that the bad guys are already in
00:06:30
our house, then what's left to protect it's the data.
00:06:33
And how do you do that?
00:06:35
That's ultimately kind of where I've kind of arrived in my
00:06:38
journey.
00:06:41
Speaker 1: Yeah, that's a really good point that you bring up.
00:06:44
You know, I always start with protecting the data, right?
00:06:49
It's kind of, if we had to boil security down to like one or
00:06:54
two things, it would be IAM and data security.
00:06:58
100% Right, because nothing else matters if they're already
00:07:03
in, you know, like, especially if you're in the cloud.
00:07:07
You know, one of the one of the key tenets is IAM.
00:07:09
If you're not doing IAM right, then they're able to log right
00:07:12
in and they'll have access to everything.
00:07:14
And if they're able to access everything, then what's left to
00:07:17
protect your crown jewels?
00:07:19
Your crown jewels are probably your data, right, how are you
00:07:22
encrypting it?
00:07:23
Are you encrypting it?
00:07:24
It?
00:07:26
That's a huge question, right there?
00:07:29
Right, to even ask you know taking it from like a
00:07:33
third-party consultant, you know sort of thing, right, that's a
00:07:37
huge thing.
00:07:38
To even ask a company is well, how are you protecting your data
00:07:42
that's stored in that AWS managed RDS database?
00:07:46
How are you?
00:07:47
How are you actually securing it?
00:07:49
And if they say, oh, it's with, you know, default AWS encryption
00:07:53
or whatnot, so you can assume that they'd probably already be
00:07:57
breached, then right, because the default encryption is going
00:08:00
to store the key in KMS and and if they're already logged in,
00:08:03
they can just get that key and decrypt it right.
00:08:06
So it's a very complex problem and we're only making things
00:08:10
more complex as we kind of delineate away from legacy
00:08:15
infrastructure.
00:08:17
Speaker 2: Yeah, and listen.
00:08:18
I mean I think that point about moving away from legacy on-prem
00:08:22
and moving everything to the cloud is important.
00:08:25
I think to your earlier comment I couldn't agree more.
00:08:29
I mean, when you stop and think about what is security like,
00:08:33
well, first things first.
00:08:34
Like what is the job to be done?
00:08:36
The job to be done is to protect the data. Like nothing
00:08:40
else matters.
00:08:40
Okay, well, if that's the job to be done, you got to protect
00:08:43
the data.
00:08:45
I would argue that it's really important for people to reflect
00:08:49
on the following there is one massive data estate and there
00:08:55
are two parts of the data estate.
00:08:56
There's the part of the data estate that you possess which is
00:09:00
sensitive information that you have inside of your business
00:09:04
which you want to protect from bad actors and threat actors
00:09:10
externally being able to get it, steal it, exfiltrate it or
00:09:16
whatever, and you don't want employees of your company doing
00:09:19
silly things that would result in a misconfiguration and cause
00:09:23
it to be leaked or exposed to a bad actor.
00:09:25
So part of the big challenge is, especially with regards to the
00:09:30
movement to the cloud, is how do I protect the sensitive data
00:09:33
that I have in my possession and how do I prevent it from being
00:09:36
accidentally or unintentionally lost to these third-party risk
00:09:41
actors.
00:09:41
That's why I got to keep control of what I control Very
00:09:44
important.
00:09:45
That's a risk management defensive kind of motivation.
00:09:50
The other side of the data estate, which I would argue doesn't
00:09:53
get enough attention but is increasingly getting more
00:09:55
attention, is okay.
00:09:56
I have a business to run.
00:09:58
My business requires me to do what I have to share sensitive
00:10:02
data with third parties every single day in massive quantities.
00:10:07
00:10:07
I have to share data with third parties who I may or may not
00:10:11
entirely trust.
00:10:12
So the idea is okay.
00:10:13
I want to actually protect both the data that I possess from
00:10:17
being lost or stolen and I also want to have good governance and
00:10:20
control with respect to the sensitive data that I need to
00:10:24
share with third parties.
00:10:25
I should protect both sides of the data estate, not just one.
00:10:32
Speaker 1: Yeah, it's.
00:10:32
You know, I recently I guess fairly recently, right in the
00:10:36
last 12 months I encountered a situation where, you know, I
00:10:41
worked for a very large company and I won't name them, uh, for
00:10:44
for my day job, right, and I worked for the financial
00:10:48
services part of this company and some of our data was with
00:10:53
our parent company, you know over, still within the country
00:10:57
and whatnot, right, but it was just residing in their
00:11:01
Salesforce, right, it was going from our Salesforce to their
00:11:04
Salesforce and to us, they're not a financial institution, we're the
00:11:09
financial arm of this large company.
00:11:11
To us, they're a third party.
00:11:14
And that was a totally different way of me thinking
00:11:17
about it, right, because my architect brought this problem
00:11:19
to my attention and I said, well, what's the problem?
00:11:22
Right, like they're, they're a part of us.
00:11:26
Like we're, we're more part of them than anything else.
00:11:29
You know, what does it matter?
00:11:30
Right?
00:11:31
And he said, no, we have to treat them as a completely
00:11:34
separate entity because they don't deal with this data.
00:11:37
They don't, they're not they're not regulated.
00:11:39
Speaker 2: Probably they may or may not regulated right?
00:11:41
Speaker 1: Yeah, they're not regulated for any of this data,
00:11:44
and so we had to go through a very arduous process of not just
00:11:48
saying you know how are you encrypting this data or how are
00:11:52
you storing it, how are you protecting it.
00:11:54
Show us evidence of how you're doing it, show us evidence that
00:11:58
you're logging, show us evidence that, hey, there's alerts that
00:12:03
pop up and we have a whole process around it.
00:12:05
It was a new situation for me, even being in the finance
00:12:11
industry for probably the past 10 years, almost at this point
00:12:16
right, where it's always been in-house to me, it's never been
00:12:20
that sort of situation of it's a parent company and we're
00:12:24
sharing data with them and I have to think of them as that
00:12:28
third party, right.
00:12:30
Speaker 2: Yeah, that's the verb.
00:12:31
I mean, I think that that's the point.
00:12:32
The verb is sharing versus protecting.
00:12:35
Right, like you and your mindset, like a lot of security
00:12:39
professionals in traditional IT are absolutely thinking first
00:12:42
and foremost about I have data that I need to keep possession
00:12:46
of and I can't let anyone get it.
00:12:47
And then there's the other sort of verb, which is I have data
00:12:50
that I have to share.
00:12:51
They're not a regulated financial institution, but
00:12:55
they're part of your larger holding company and you need to
00:12:58
share data with them.
00:12:59
Because, let's be honest, data, even sensitive data, has to move.
00:13:03
00:13:03
It moves by definition, and when it does move and it
00:13:07
inevitably will leave your possession, the question is what
00:13:10
can you do to share that data but not sacrifice ownership,
00:13:16
control, privacy or security?
00:13:18
How can you share that data with that third party and
00:13:23
potentially do something like expiry, like hey, you can have
00:13:26
it for 30 days but not 31 days, or you can have it today, but
00:13:30
you know what?
00:13:30
I might change my mind tomorrow and I want to revoke it.
00:13:33
Like, how can you take security architecture when you
00:13:37
traditionally think about zero trust and you have identity and
00:13:40
endpoint and network and application and then you have
00:13:42
data?
00:13:43
Can you imagine shrinking the security architecture all the
00:13:48
way down to the granular object level, which is the data itself.
00:13:51
And in many respects I tell people all the time when we talk
00:13:55
about the open standard that we're building upon here, it's
00:13:59
called Trusted Data Format.
00:14:01
I like to remind people that it's pretty similar to
00:14:05
Kubernetes and containers, like, if you think about like
00:14:08
software application architectures, like 10 years ago
00:14:12
they were all three-tier monolithic software applications
00:14:16
and over a 10-year period of time, engineering and software
00:14:19
development teams began to componentize those applications
00:14:23
and this thing called microservices and this thing
00:14:26
called cloud became real and everybody realized it was like a
00:14:29
good idea to build applications with microservices as core
00:14:34
architecture, where everything was smaller, everything resided
00:14:37
within a container and the container itself was this
00:14:40
granular object of software which made like production
00:14:44
maintenance, better bug fixing, better vulnerabilities, better,
00:14:50
like you could do so much more efficiently in an ops
00:14:51
perspective if the application architecture itself was shrunken
00:14:54
down into the container.
00:14:56
Well, if you think about security architecture, it's the
00:14:58
same thing.
00:14:59
If you shrink security architecture down into a
00:15:02
container or know, we like to think of it as a, it is in many
00:15:06
respects the same thing as an application container, except
00:15:09
it's a data container, but the architecture itself, the access
00:15:13
control, the policy, the entitlements associated with who
00:15:22
can access this information, are all defined in that granular
00:15:25
level.
00:15:25
That's where you get to this world where policy is defined to
00:15:29
your earlier point, at the intersection of data that's been
00:15:32
classified as this is sensitive, and there's an identity and
00:15:37
identities over here that are authenticated or entitled in
00:15:41
some form or fashion, and who gets access to the sensitive
00:15:44
data.
00:15:44
It all depends on what data we're talking about, whether
00:15:47
it's been classified as sensitive or not, and who the
00:15:50
identity is that's trying to access it, whether they have
00:15:53
need-to-know privilege or not.
00:15:54
And, if nothing else, just do that and you're all of a sudden
00:16:00
sort of thinking about the world architecturally in a different
00:16:03
way that I think has traditionally been the case.
00:16:09
Speaker 1: That's really fascinating what you said with
00:16:13
you know, protecting the data beyond your boundaries and kind
00:16:17
of expanding out that security architecture.
00:16:22
Speaker 2: Right, that is something pretty novel that I
00:16:28
certainly haven't encountered um that's a totally different way
00:16:31
of thinking about it, even it's happening, though, and and like,
00:16:35
just think about this.
00:16:36
I mean, like, let's just pretend for a second and use a
00:16:39
use case, that everybody today, unfortunately, is very familiar
00:16:42
with this concept of NATO and this unfortunate thing called
00:16:47
war right, where all of a sudden you're assembling force of
00:16:53
allies, third parties, other countries that are federating
00:16:57
together in near real time to do a job, and you're across
00:17:01
different domains and the job today is here and the job
00:17:05
tomorrow is there.
00:17:06
So the actual environment in which you're executing is
00:17:09
temporal, it's ephemeral.
00:17:13
There is no IT infrastructure, because it's just incredibly
00:17:15
hard to build networks and and perimeters and and and identity
00:17:19
and access control and all those traditional sort of IT
00:17:22
infrastructure kind of things at the pace at which the mission
00:17:26
demands, because the mission demands, you know, speed and it
00:17:31
has to like work here today, now, and as a result of the mission
00:17:36
being very temporal and very dynamic and cross domain and and
00:17:40
collaborative with different mission partners, it's not just
00:17:43
the US, it's it's it's the UK, it's France, it's Germany and
00:17:46
it's even now new NATO members like Finland and Sweden.
00:17:52
And all of a sudden you're like, okay, how do I share
00:17:54
information with my trusted allies and my partners across
00:17:57
domains in that context where I don't have time to build a
00:18:01
secure network?
00:18:01
How do you do that architecturally?
00:18:05
The answer is you probably have to get more granular.
00:18:09
The answer is you probably have to examine the possibility of a
00:18:13
container-like capability and hopefully you could imagine it
00:18:21
in an open standard.
00:18:23
That's what Trusted Data Format is and it's something that you
00:18:29
know.
00:18:29
And look, I'm not saying that the architectural concept of
00:18:33
granular is the only thing that's necessary for modern
00:18:39
cybersecurity practices to kind of reach their potential.
00:18:42
I'm saying that it is a component of the architecture.
00:18:52
Yes, you're going to continue to have to do traditional
00:18:53
identity and endpoint and network and application security,
00:18:55
of course, but I'm also certain that the nature of the
00:18:56
business that we all have to contend with is increasingly
00:18:59
going to the benefit of having granular security.
00:19:03
Architecture will become obvious to folks as the world
00:19:06
continues to kind of unfold.
00:19:11
00:19:13
Speaker 1: Yeah, you put it an interesting way.
00:19:14
You say the world unfolds.
00:19:16
It certainly feels like it.
00:19:20
It's an interesting time.
00:19:21
I feel like we've never gone through something like we're
00:19:25
going through or about to go through before.
00:19:27
What's the company that you're a part of is coming up with this
00:19:32
kind of open framework and whatnot?
00:19:34
Speaker 2: Well, first of all, I mean to emphasize again the
00:19:38
open standard is called Trusted Data Format and anyone can go
00:19:41
and look at it.
00:19:41
It is, in fact, hosted today by ODNI, which is the Office of
00:19:45
Director of National Intelligence, so it comes out of
00:19:47
the NSA.
00:19:48
We, my company, is called Virtru, and we have innovated on top
00:19:54
of this open standard and we've developed a variety of
00:19:58
integrations to different workflows that are all about the
00:20:02
verb sharing.
00:20:03
So if I have to share sensitive data in a workflow called email,
00:20:07
or if I have to share sensitive data in a workflow
00:20:10
called files, or if I have to share sensitive data back to
00:20:14
your example between two different Salesforce instances
00:20:18
across two different domains that happen to be part of the
00:20:21
same company all of those scenarios, sensitive data that
00:20:25
has to be shared as part of some value stream the question is
00:20:30
how do you ultimately provide granular policy access, control
00:20:34
and enforcement encryption optionally on that information?
00:20:37
And you know not to.
00:20:41
I don't want to diminish, you know, the importance of Virtru
00:20:44
as a company, because what we're doing with the open standard is
00:20:48
really pretty innovative, but I'm a big believer in the power
00:20:52
of open standards and I just think that it's, uh, very
00:20:56
compelling to step back and sort of again look at like, wow, man
00:21:00
kubernetes over a 10-year period of time became the
00:21:05
standard for microservices application architecture and
00:21:09
there were lots of reasons for it.
00:21:16
You know, architecturally the world of how software is built
00:21:17
and delivered in production and maintained in production today
00:21:19
is fundamentally different because of an open standard, and
00:21:24
I believe the same will happen with security architecture At
00:21:28
least granular security architecture will be supported
00:21:31
by an open standard.
00:21:32
I'm not saying TDF is the only open standard that might be
00:21:35
benefited as a result of that, but it's certainly well
00:21:38
positioned to help with that sort of trend, that shift in
00:21:42
architectural thinking.
00:21:43
And as that plays out, my company, Virtru, intends to be a
00:21:47
leader in that regard and we're already doing a bunch of great
00:21:50
work today by providing granular policy access, control and
00:21:54
enforcement of those policies on that sensitive data that's
00:21:57
shared through email, file and application workflows.
00:22:02
Speaker 1: Do you think you bring up Kubernetes?
00:22:04
Do you think containerized experience or knowledge is going
00:22:08
to be critical to have for any security professional, you know,
00:22:14
going into the future, because that is something that I
00:22:17
actually haven't thought a whole lot about, but it seems like
00:22:22
more of the cloud is going towards this containerized slash
00:22:26
serverless infrastructure.
00:22:30
Speaker 2: Smaller is better.
00:22:31
They call it microservices application architecture, for a
00:22:36
reason. Microservices in the application realm is to
00:22:42
microsecurity in the cyber realm.
00:22:44
So, whether you're talking about cloud ops or you're talking
00:22:52
about security, I think there is a shift where granularity
00:22:55
matters, and the shift towards microservices and more granular
00:23:00
application architectures has gone full circle.
00:23:05
It's a thing, it's happened, it's done, it's there.
00:23:07
The shift towards micro security architectures, with
00:23:12
something like TDF, is underway.
00:23:15
You know if it's a baseball game, we might be in the second
00:23:18
or third inning, but I do believe it's going to continue
00:23:23
and it will take time.
00:23:25
Like any large scale tectonic architectural shift in IT takes
00:23:29
time, a decade, but it's underway.
00:23:35
Speaker 1: Yeah, it's really fascinating to try and guess
00:23:41
where the market is going, where it's all heading right, because
00:23:43
I always try to approach it from the perspective of giving
00:23:47
people advice of what skills to get right, because there's so
00:23:50
many out there, there's so many you know, different domains that
00:23:54
you can specialize in and whatnot.
00:23:55
If there was a key, maybe one to three skill sets that you
00:24:00
would recommend for someone to start mastering now, what would
00:24:04
those be?
00:24:05
Speaker 2: I mean number one, without a doubt.
00:24:07
Two things I would say is history with Windows to thin
00:24:32
client computing, with the browser to on-prem server data
00:24:34
center computing, to the eventual migration to cloud
00:24:35
everything and the eventual migration from three-tier
00:24:37
monolithic application architectures to microservices.
00:24:41
If you step back and you give yourself as a person who's
00:24:46
really seeking to understand, I think, if you give yourself the
00:24:49
benefit of a 10-foot view and you take the time to
00:24:53
understand the big picture architecturally, then that's a
00:24:58
really sound basis from which to dive deep into any particular
00:25:03
area, to kind of develop a sharper expertise.
00:25:10
I think it's very important to understand the history of where
00:25:12
we come from, the reality of where we are and the potential
00:25:17
for where we're going.
00:25:18
If you can ground yourself in that big picture then it's a lot
00:25:19
easier to make decisions as to where you want to go deep.
00:25:25
Speaker 1: Hmm, yeah, that is really fascinating.
00:25:28
You start with the history of it.
00:25:31
I never thought about it like that.
00:25:32
To be quite honest, I've been doing this for several years now
00:25:36
and I've never thought about trying to go back and see where
00:25:40
things were and trying to guess, use that to judge where
00:25:44
everything is going now.
00:25:45
It's a really interesting method.
00:25:49
Speaker 2: It's history.
00:25:49
Here's the good news.
00:25:51
In know it's, it's and it's here's the good news, and that
00:25:54
it's kind of fun.
00:25:54
Um, you know, you look at something like Lotus Notes and
00:25:59
Ray Ozzie.
00:25:59
You know who invented Notes, you know, and you look at the
00:26:05
massive implications that that had, as it related to what we
00:26:09
now know to be modern computing.
00:26:11
I mean, it was truly, truly formal.
00:26:14
And you think about, I mean cryptography.
00:26:18
I mean Notes was the first product in the history of the
00:26:21
world to distribute cryptography at a time when the federal
00:26:25
government and the NSA in particular, wasn't particularly
00:26:27
keen on anybody distributing cryptography if you weren't
00:26:30
employed by the NSA, like, like, like.
00:26:32
There's a lot of history there which you know goes back to.
00:26:36
You know kind of their.
00:26:37
I do think if you spend a little bit of time in the
00:26:41
history of the, of the industry and the evolution of those, um,
00:26:45
great company stories, great product stories, great product
00:26:49
stories, great innovation successes, they all have an
00:26:53
opportunity.
00:26:53
They all tend to teach you a ton, not just about what
00:26:58
happened in the past, but they all tend to give you some really
00:27:00
interesting perspective with regards to where things are
00:27:03
right now and why.
00:27:05
Speaker 1: Hmm, yeah, it's fascinating, you know, bringing
00:27:09
up encryption and cryptography and the fight that the NSA went
00:27:13
through, right of trying to maybe, you know, keep it behind
00:27:17
closed doors, but then I also feel like there's a whole lot
00:27:33
more reasons that it should be out there, right?
00:27:36
Obviously, you know, people have to be able to protect their
00:27:39
own data.
00:27:40
They have to be able to own their own data and ensure the
00:27:42
integrity of it, right?
00:27:43
Without the encryption capability, you're not really
00:27:46
able to do that.
00:27:47
Speaker 2: There's a terrific book, if you're interested.
00:27:51
It's called Crypto and it's by Steve Levy and it's really,
00:27:54
really awesome and would encourage anyone that might be
00:27:58
listening to check it out.
00:27:59
But it's, it's, it's everything that you're talking about.
00:28:03
It's and it and it goes from the very earliest beginnings.
00:28:06
You know with like you know with Diffie and Hellman.
00:28:10
You know public infrastructure.
00:28:14
It goes through the whole NSA.
00:28:16
You know hand-wringing about we can't let encryption into the
00:28:20
hands of anyone, because that would be bad for us to where we
00:28:25
find ourselves today, where encryption is a necessary
00:28:30
component of good modern uh IT engineering and cyber hygiene,
00:28:34
because, um, you're up against really formidable opponents who
00:28:39
have really top-notch skills and you better be able to protect
00:28:43
your information with cryptographic skills.
00:28:45
If not, you're gonna lose.
00:28:47
I mean, it's been a long time coming, but that world has come
00:28:52
full circle too.
00:28:54
Speaker 1: Yeah, so how does Virtru let's talk about how
00:28:59
Virtru, you know, solves this problem or helps working towards
00:29:04
solving this problem.
00:29:06
Speaker 2: Yeah, I mean listen at the end of the day.
00:29:08
Sometimes people look at Virtru from the outside and they go
00:29:12
it's for example.
00:29:13
Somebody might look at it and go, oh, it's an email encryption
00:29:15
company.
00:29:15
I'm like no, it's not.
00:29:17
Yes, we provide a 50-year-old with no IT education who's a
00:29:32
nurse at some healthcare practice in the middle of the
00:29:34
country, doesn't know the first thing about encryption, can
00:29:37
compose an email, attach a file and click a button and apply
00:29:40
granular policy and access control and encryption to the
00:29:44
object for the purposes of protecting HIPAA data.
00:29:47
It is that easy, and all of the magic that happens under the
00:29:57
covers is made possible by the Virtru data security platform
00:30:01
and the services that we make available in that platform.
00:30:05
Things like encryption, management, key management,
00:30:09
policy definition, enforcement, access control all those things
00:30:14
are exposed in an application that gets integrated into this
00:30:19
thing called Gmail or this thing called Outlook.
00:30:22
Alternatively, we can integrate into different file sharing
00:30:25
services like Google Drive.
00:30:33
Alternatively, we can provide policy and access control
00:30:35
between two different SaaS applications that might be
00:30:36
sharing data back and forth, but it is ultimately for us.
00:30:38
It's one of the reasons I really wanted to emphasize
00:30:41
earlier.
00:30:42
We're very clear about who we are and who we aren't.
00:30:45
At Virtru, we are not in the business of helping you protect
00:30:49
sensitive data that you possess inside of your business from
00:30:52
being lost or stolen due to bad guys.
00:30:54
That's not my business.
00:30:55
My business is the other side of that coin.
00:30:58
My business is the other side of that estate.
00:31:00
My business is helping you get to a place where you can
00:31:04
confidently share sensitive data with third parties in the name
00:31:09
of driving your business forward, because that's what's required.
00:31:12
You have to share data to do business.
00:31:14
I want to give you the confidence and the simplicity
00:31:18
and the ease and the elegance to do that in a way where you can
00:31:21
share the data but you are not going to sacrifice control,
00:31:26
privacy or security, and you can do things like expiration and
00:31:30
revocation, because the data belongs to you and you alone.
00:31:34
Hmm.
00:31:37
Speaker 1: And does this work with other SaaS applications
00:31:41
like Salesforce and all the other myriad of apps out there?
00:31:46
Speaker 2: So we have natively integrated this data-centric
00:31:51
security granular control into SaaS applications like Zendesk
00:31:56
ticketing for help desk.
00:31:57
We have, I would call it, arm's length integration into
00:32:03
Salesforce vis-a-vis what's called an application gateway.
00:32:08
So as long as your Salesforce instance is communicating
00:32:13
sensitive information out of your Salesforce instance to a
00:32:16
third party and you're using SMTP to do it, we can just very
00:32:20
elegantly apply policy and give you all the benefits of those
00:32:23
granular controls that we just talked about.
00:32:25
We have also developed a platform that's now increasingly
00:32:31
being deployed on the high side in support of DOD customers and
00:32:35
IC customers, which gives them the ability to take advantage of
00:32:39
those low-level system services that I described at the
00:32:42
platform substrate and to incorporate them into.
00:32:48
You might think of them as legacy mission applications,
00:32:50
like older applications that would benefit from granular
00:32:54
policy and access control on unstructured data that's being
00:32:57
shared out of the application.
00:32:58
That's not something that's off the truck, that's a bit more
00:33:03
custom and bespoke for some of those customers.
00:33:05
But yeah, that's what we're doing and it's all about
00:33:10
sensitive data and I want to emphasize the verb sharing of
00:33:13
sensitive data, because if you're going to share the
00:33:15
sensitive data, you got to think about security architecture
00:33:20
differently than if you're only focused on protecting it from
00:33:24
being lost or stolen, and you already possess it like like the
00:33:28
intentionality.
00:33:29
you have agency over data, um, and you have agency over the
00:33:34
data that you possess, because you don't want someone else to
00:33:38
get at it.
00:33:38
I get, get that, that is not my business.
00:33:40
But you also have to have agency over the data that you
00:33:46
intend to share with others, and that's what we do.
00:33:51
Speaker 1: So you were talking earlier about having almost like
00:33:54
a container around that data.
00:33:56
What does that look like?
00:34:00
I mean, is it really a container and you're assigning
00:34:03
permissions to that data type?
00:34:06
How is the container defined?
00:34:07
I guess is a better question.
00:34:10
Speaker 2: That is exactly the open spec in the trusted data
00:34:13
format, which is the open standard.
00:34:16
It is think of it as an XML wrapper or a bit.
00:34:19
I mean.
00:34:19
Sometimes people will call it an XML wrapper, sometimes people
00:34:22
will call it a
00:34:26
container.
00:34:26
People historically have called it a wrapper or an envelope.
00:34:29
I have become fond of calling it a container and the reason I
00:34:32
like calling it a container is because it's essentially XML
00:34:38
standard which basically allows you to define policy and to
00:34:44
assert policy on the object. Like:
00:34:48
This thing is allowed to be shared with this person.
00:34:50
This person can access it.
00:34:52
It's going to require encryption and the way that it's
00:34:56
going to be decrypted is this way.
00:34:58
And so defining the policy and giving you the ability to
00:35:02
enforce the policy at that intersection between this object,
00:35:06
which we've determined is sensitive, and that entity,
00:35:10
which we'll call it a human or a machine, once it's been
00:35:14
authenticated and entitled, is how we ultimately bring to life
00:35:20
the application value that Virtru delivers.
00:35:22
But we do it all on top of an open standard.
00:35:26
And to your question, for anybody who's interested, I
00:35:29
would encourage them to look at.
00:35:30
It's very easy.
00:35:32
There's the you know the TDF spec is available for anyone to
00:35:36
see.
00:35:36
Just simply Google it.
00:35:37
There's also the OpenTDF project.
00:35:39
You can see the full spec there.
00:35:42
You can see sample code, you can see use cases.
00:35:46
There's a really good, rich, robust set of information that's
00:35:49
available for anyone to kind of dig into and get their head
00:35:53
wrapped around it.
00:35:54
It's pretty robust.
00:35:58
Speaker 1: Yeah, it's really fascinating and you describing
00:36:00
it as a container makes it more, I would say, easily consumable
00:36:05
and understandable to a lot of people.
00:36:07
Right, because if I would have seen let's just say, for example,
00:36:13
right, if I would have seen like XML wrapper in a
00:36:16
description or something like that, I'm going to think of it
00:36:18
differently.
00:36:19
But now that you've related those two terms to something
00:36:22
that I understand like container, it makes it a lot easier to
00:36:28
understand, I guess.
00:36:29
Speaker 2: Well, I'm curious.
00:36:30
So I'm glad to hear you say that.
00:36:33
But I'm curious, why is that?
00:36:35
Because you have an IT background and you already kind
00:36:39
of conceptually understand what containers are in the
00:36:42
application sense, and to you a container is nothing more than a
00:36:45
small microservices unit of software which sits inside of
00:36:50
this container, which allows me to manage it in kind of a
00:36:53
molecular nature.
00:36:54
So container means something to you in a software sense and
00:36:58
it's easy to relate that to a security sense.
00:37:00
Is that true?
00:37:02
Speaker 1: Yeah, so I would say I have more
00:37:06
experience with containers than I do XML wrappers or TCP
00:37:09
wrappers.
00:37:10
Right, because that's not my background.
00:37:12
My background is more infrastructure, turning into IAM
00:37:16
and data security and network a little bit, right.
00:37:20
So when I hear container, I understand what a container is.
00:37:23
I understand, you know the different security principles of
00:37:27
it and everything else isn't an easy concept for a lot of
00:37:43
people to grasp.
00:37:43
Speaker 2: And back to our earlier conversation about how
00:37:44
do you determine whether you're new to the industry and just
00:37:46
getting started, or whether you're a longtime veteran of the
00:37:49
industry and you know what you already know.
00:37:51
I think it's oftentimes easiest to kind of convey you know.
00:37:58
Again, be really clear about who you are and who you aren't.
00:38:02
And in order to be clear about who you are, I think it's
00:38:06
oftentimes easier to do that when you can communicate in the
00:38:10
context of something that everyone else already understands.
00:38:15
So, like the world gets containers today because of
00:38:20
Kubernetes.
00:38:21
The world gets containers today because of the cloud.
00:38:25
The world gets containers today because they remember the old
00:38:30
days, 10 years ago, when you had an application in production
00:38:34
and you had to take it down for 48 hours just to patch a
00:38:38
zero-day vulnerability.
00:38:39
What? Your software is going to be down for two days to patch a
00:38:43
vulnerability? That's insane.
00:38:45
Now they're like, no, the application doesn't come down.
00:38:48
We're going to patch the vulnerability here in this
00:38:51
container.
00:38:52
We're not going to do open heart surgery, we're going to do
00:38:55
laser surgery.
00:38:57
It's like that's the power of granularity.
00:39:00
And then it's like, okay, so I get containers and how they're
00:39:03
valuable to the application architecture.
00:39:05
And then you're all of a sudden having a conversation.
00:39:08
You're like, well, now let's talk about containers and how
00:39:10
they can be powerful to security architecture.
00:39:13
What do you mean?
00:39:13
I mean like a little container, you put sensitive data in it
00:39:18
and you share it.
00:39:18
Why?
00:39:19
So you can define policy, enforce policy and access
00:39:23
control and you can protect the thing, the object, at a granular
00:39:27
level like never before.
00:39:29
Speaker 1: It's just, yeah, that that is.
00:39:33
That's very interesting.
00:39:35
And you know, you, you brought up, uh, you know Europe, right,
00:39:40
and my mind immediately went to GDPR and how useful this would
00:39:44
be in that environment, right, I wonder if this will be used to
00:39:49
kind of push along even more, you know, even more, I guess,
00:39:54
recommendations or policies within the United States itself,
00:39:59
right, like kind of
00:40:03
having that mentality shift and then creating the policy to
00:40:06
follow it.
00:40:06
Does that make sense?
00:40:08
Speaker 2: Well, 100%.
00:40:09
So let's talk about that for a second, because with the email
00:40:12
product that I mentioned the integration of Virtru into an
00:40:16
email workflow like Gmail let's use Gmail as an example.
00:40:18
You're the business and you're a smart IT person.
00:40:23
You understand encryption and keys.
00:40:24
You get the basics of what I'm talking about here.
00:40:27
Um, what happens is Google has your content, they have your
00:40:32
email, they have your, your, your keystrokes, like they've
00:40:35
got your content in their cloud.
00:40:37
And when Virtru integrates into Gmail, you then
00:40:44
click a button and you apply a policy and access control and
00:40:47
encryption and the encryption key.
00:40:51
They have your content, but we have your key, and so there's
00:40:54
separation of trust, and that's a good thing.
00:40:58
As you kind of go back to your GDPR analogy, it's like you know
00:41:02
what it's my data.
00:41:03
It's not Google's.
00:41:04
I understand Google Workspace is a remarkably powerful cloud
00:41:08
collaboration platform.
00:41:09
I love it and at the same time, it's my data, not theirs
00:41:22
advantage of everything that Google Workspace has to offer me
00:41:24
in a way where I'm in control of my data, not Google.
00:41:25
And you know this concept of like a blind subpoena.
00:41:26
I don't know if you're familiar with it, but, like God forbid,
00:41:30
you know this is popularized now, just recently with the
00:41:33
assassination attempt on Donald Trump.
00:41:35
You know, the young man who did this, you know, apparently had
00:41:39
his iPhone locked and there's some debate now going on about
00:41:44
how law enforcement is working to get to the device, and
00:41:50
apparently they were able to do so with some assistance from a
00:41:53
third party who has expertise in that.
00:41:55
But, as I understand it last and I'm not fully read up on
00:41:59
this, but I understand that there was some subsequent
00:42:01
information that was encrypted in, I think, WhatsApp, which was
00:42:04
the application on the guy's device.
00:42:06
But it goes down to this and this, of course, goes full
00:42:11
circle back to the NSA and the law enforcement concerns.
00:42:14
At what point does society get so good at encryption and
00:42:19
privacy that it makes it difficult for law enforcement to
00:42:22
do their job?
00:42:25
I'm not in the business of drawing those lines I mean,
00:42:28
that's way bigger than me but I do absolutely agree with you
00:42:33
that in the world as we know it today, more and more human, just
00:42:40
normal people are beginning to understand the value of their
00:42:43
data.
00:42:44
And when they understand the value of their data, they're
00:42:47
going to ask for capabilities, they're going to ask for the
00:42:50
ability to control their data.
00:42:51
They just don't want to simply give it up to Google or they
00:42:55
don't want to simply give it up to their bank or whoever because
00:42:58
it belongs to them.
00:43:00
And in that world where everybody understands that it's
00:43:03
their data, that world will begin to demand more and more
00:43:12
capabilities from their cloud providers, from their
00:43:13
application providers, from their IT providers, and that's
00:43:19
again back to that.
00:43:20
It's going to take 10 years, but that's where the world's
00:43:22
going, I believe.
00:43:27
Speaker 1: Yeah, I certainly hope so. I feel like you know, just seeing how our own data is
00:43:30
being used against us to like, form different opinions and
00:43:34
direct our thinking and our buying habits and everything
00:43:38
else like that, right, like it's frustrating.
00:43:40
It's frustrating, it's very frustrating and it's also very
00:43:44
eye opening because it's like oh, you guys are, you guys are
00:43:47
monetizing everything about me when I use your platform,
00:43:50
whether I, whether I know it or not, and that's really
00:43:55
frustrating because now you're making money off me and you're a
00:43:57
multi-billion dollar company, you know, probably trillion
00:43:59
dollar market value, right, and
00:44:04
you're you're making that money off of me.
00:44:06
You know that's.
00:44:08
That's a very uh, dicey topic, right?
00:44:12
Speaker 2: well, listen, I mean, you know, I don't know how big
00:44:15
the market for DuckDuckGo is.
00:44:16
I've heard it's like less than 10, maybe less less than five.
00:44:19
It's small, but there's a percentage of people out there
00:44:23
that are all in on DuckDuckGo and believe the power of that
00:44:27
browser and the privacy enhancement capabilities that it
00:44:30
delivers is well worth the investment, for exactly the
00:44:33
reasons you just articulated.
00:44:34
But it's not nine, it is a small percentage.
00:44:38
And then there's, you know, I have a I know a guy, a friend of
00:44:42
mine, John Doyle, who's the CEO of a company called Cape
00:44:45
Wireless here in Washington DC, who is getting ready to launch a
00:44:50
really innovative, interesting national cellular carrier,
00:44:55
wireless carrier network where you can basically go to Cape
00:44:59
Wireless and get a new mobile phone number and a phone and
00:45:04
they don't ask you for any information about you because
00:45:06
they don't need it.
00:45:07
They're not creating an account profile with your name and your
00:45:11
social and your address and your email and all that stuff,
00:45:15
because they don't want that information.
00:45:16
Like this is privacy-first mobile carrier network called
00:45:23
Cape Wireless, and so again, it's a journey we're all on it
00:45:28
and privacy and this whole thing is complicated.
00:45:32
I don't.
00:45:33
I, you know.
00:45:35
I separate that a little bit from just the IT infrastructure
00:45:39
side of it.
00:45:40
Before you can kind of get to that future vision, there's the
00:45:43
practical reality today that says I'm just a healthcare
00:45:46
company trying to share sensitive patient data with a
00:45:48
client or a patient outside of the organization.
00:45:51
How do I do that in a way where I'm compliant with HIPAA?
00:45:53
Or I'm a bank and I have to share really sensitive
00:45:56
information with a client who's on a yacht in the Caribbean and
00:46:00
I want to encrypt it, but I don't want the person on the
00:46:03
yacht to struggle mightily with the decryption experience.
00:46:07
It's got to be simple, elegant, seamless for everybody the
00:46:10
person in the bank sending the information and encrypting it
00:46:13
and the person on the other end receiving it and decrypting it.
00:46:15
You know these are simple, practical things that businesses
00:46:20
are doing today with Virtru products powered by that OpenTDF
00:46:24
standard and you know we're excited to play a role in I'll
00:46:29
call it data-centric security.
00:46:31
But the founders accurately both have a deeply held belief
00:46:37
that they're doing the right thing as it relates to privacy.
00:46:42
Speaker 1: Yeah, that's awesome.
00:46:43
Well, Matt, you know we're at the end of our time here,
00:46:47
unfortunately, but I really enjoyed our conversation.
00:46:49
I think it was a fantastic conversation.
00:46:52
Speaker 2: Yeah, I appreciate you having me, and thanks for
00:46:55
the opportunity to connect and compare notes and we'll catch up
00:46:59
with you soon.
00:47:00
Speaker 1: Yeah, absolutely.
00:47:01
Well, Matt, before I let you go, how about you tell my audience
00:47:04
where they can find you if they want to reach out and where
00:47:06
they can find your company?
00:47:07
Speaker 2: Yeah, virtru.com, that's V-I-R-T-R-U.com,
00:47:12
and I am available right there on the company management
00:47:17
page, and you can also find me on LinkedIn.