What if you could unlock the secrets of a thriving tech career and learn how to safeguard sensitive data in the digital age? Join us for an insightful episode featuring our special guest, Ameesh Divatia, who shares his captivating journey into IT, sparked by reading tech articles in Time magazine and National Geographic. From his early fascination with electronics to pursuing electrical engineering and navigating the evolution of technology, Ameesh offers a unique perspective shaped by experiences in tech hubs like the San Francisco Bay Area.
Ever wondered how stepping out of your comfort zone could propel your career in tech? We explore this theme with personal anecdotes about embracing discomfort for continuous growth, inspired by my father's philosophy. Discover how Amazon, particularly AWS, has revolutionized modern life and shopping habits. Learn about the dynamic culture of Silicon Valley, where rotating between major tech companies brings fresh perspectives. The episode also features an intriguing story about hiring practices and the essential lessons drawn from past cybersecurity breaches.
Finally, we tackle the critical challenge of securing sensitive data in today's interconnected world. Dive into advanced topics such as cryptography, privacy-enhanced computation, and the looming threat of quantum computing. Understand the pivotal role of human factors in cybersecurity and how changing attitudes can enhance protection measures. This episode wraps up with insights on mastering encryption concepts and the importance of collaboration and simplification in the learning process, providing you with the knowledge to navigate the increasingly complex digital security landscape.
Speaker 1: How's it going everyone?
00:00:01
So, before we dive into the episode, I really want to say
00:00:05
thank you to everyone that is listening in, that's tuning in,
00:00:08
that's enjoying this content and getting value from it.
00:00:11
I really love that.
00:00:12
That's why I do it following the podcast, and I really want
00:00:26
to encourage you to please follow and subscribe the podcast
00:00:27
on whatever platform you are listening or viewing this on.
00:00:31
It really helps out the podcast, it helps out the algorithm, it
00:00:34
helps more people hear this content that you already find
00:00:38
helpful and that they hopefully will as well.
00:00:40
So, if you go ahead and subscribe or follow the podcast
00:00:44
on any platform that you're listening on and please share it
00:00:47
with your friends, that'd be great.
00:00:49
All right, thanks everyone.
00:00:51
Let's get into the episode.
00:00:52
How's it going?
00:00:54
Ameesh, it's great to finally get you on the podcast.
00:00:57
We've been planning this thing for a while and, coincidentally,
00:01:01
my kid just tends to get sick every time we do it, so
00:01:04
thankfully, today she's finally not sick.
00:01:07
Speaker 2: It's good to hear, Joe. Great meeting you and, yes, I'm
00:01:10
looking forward to this chat.
00:01:12
Speaker 1: Yeah, absolutely so why don't we start with how you
00:01:16
got into IT right?
00:01:17
Just IT overall.
00:01:19
You know what made you want to go down that path.
00:01:21
What was it about you?
00:01:26
that kind of interested you, you know, in the
00:01:27
field and whatnot.
00:01:28
Speaker 2: Well, growing up, um, I was always intrigued by what was
00:01:30
happening around me as far as new things in technology.
00:01:34
I remember a very clear memory of being in high school and this
00:01:39
was back home in India.
00:01:40
You know there was no internet back then, as it's difficult to
00:01:45
imagine right now, but I distinctly remember Time
00:01:49
magazine designating the computer as the man of the year,
00:01:53
if you will. Got my attention.
00:01:56
National Geographic carries this cover story about microchip
00:02:00
being the most important innovation in a long time.
00:02:03
So I started to get intrigued about what used to be referred
00:02:08
to as electronics, if you will, and that got me into the whole
00:02:12
tech game.
00:02:13
So I studied electrical engineering and got interested
00:02:18
in communication networks.
00:02:20
Actually back then, actually, um, back then.
00:02:27
Um again was one of those um, really crazy moments when you
00:02:28
know one of your alumni comes back to alumnus, comes back to
00:02:30
and talks to you and said, hey, this is something that's cool
00:02:33
and that's how we got interested in in networking and eventually
00:02:36
um, in, in IT.
00:02:38
Speaker 1: Yeah, it's, uh, it's.
00:02:39
It's fascinating how people got into it back then at that time,
00:02:45
right, because it was kind of such a new thing. Like today,
00:02:49
You know the people that are starting to get into it today,
00:02:53
right, that are at the beginning of their career, they've never
00:02:55
lived without the internet.
00:02:56
You know they've never really lived without a cell phone, like
00:02:58
in the marketplace.
00:02:59
You know, in their house, like at least when I was growing up,
00:03:04
I mean, a cell phone like that wasn't even in our vocabulary.
00:03:08
Basically Cell phone, what am I going to do with that?
00:03:12
I have a house phone.
00:03:12
Call my house if you want to get a hold of me, you know.
00:03:15
Speaker 2: Yeah. Well, I grew up in the rotary phone world where
00:03:22
you know half the times you'll get the wrong numbers because
00:03:26
the dial has dust stuck inside it.
00:03:27
But anyway, fast forward.
00:03:31
Actually thanks to an Uber driver I was once with who
00:03:32
reminded me that the first app actually was developed in 2007.
00:03:35
2007 is not that long ago, you know.
00:03:39
So the pace of change is definitely something that is
00:03:43
extremely, extremely rapid, and that's what makes it exciting.
00:03:47
I think that's what makes it exciting to be in this space, in
00:03:50
IT and specifically in cyber.
00:03:53
Speaker 1: Wow, the first app was developed in 2007.
00:03:56
I didn't even realize that that is wild.
00:04:00
Speaker 2: My Uber driver once told me that's wild.
00:04:04
Speaker 1: I mean, I was in high school in 2007.
00:04:07
You know that's crazy how quickly this field has kind of
00:04:13
exploded.
00:04:14
Did anyone from what you remember, did anyone back then
00:04:19
kind of think that it was going to become what it is today?
00:04:23
Speaker 2: Obviously not. Even in magazines or anything like that
00:04:26
I'm sure there were sci-fi writers who were thinking about,
00:04:29
you know, flying saucers and augmented reality and all of
00:04:34
that.
00:04:34
But nobody ever thought that we would be in this age where,
00:04:39
suddenly, you know you didn't have to write a paper, you know
00:04:43
ChatGPT wrote it for you, you didn't have to lift your finger
00:04:47
and food shows up.
00:04:48
And you know stuff shows up reliably, you know, within the
00:04:53
hour of what is predicted.
00:04:55
So we've come a long, long way from where we were.
00:04:59
But I don't think when you don't have what you know, what
00:05:03
you don't know, it's not like you miss it.
00:05:12
But obviously we're all better off with innovations
00:05:13
that we've all developed together.
00:05:13
Speaker 1: Yeah, that's a really good point, you know, that you bring
00:05:15
up and for some, I guess, maybe some interesting reason.
00:05:20
My mind goes to like the uncontacted tribes in the Amazon,
00:05:25
right, people that are still back in the Stone Age,
00:05:29
essentially that don't want outsiders.
00:05:33
I mean, I guess they have a very valid point for why they
00:05:38
don't want outsiders because their immune systems are very
00:05:41
vulnerable compared to ours and I.
00:05:44
It's just, it's fascinating, right, because you would think
00:05:49
injecting technology, injecting modern medicine and things like
00:05:53
that would improve their lives.
00:05:55
But it actually impacts them in different ways and they're kind
00:05:59
of, you know, very against it, right, like they're pushing
00:06:03
against that grain to say like no, we want to stay, you know,
00:06:06
like this, you know.
00:06:08
And they also don't know what they're, what they're missing.
00:06:11
So if you don't know what you're missing, you're not
00:06:13
missing anything.
00:06:13
That's exactly it.
00:06:15
Speaker 2: Right, it's a matter of perspective, and actually the
00:06:18
reverse of it is true
00:06:19
when it comes to people like us, who are in tech especially.
00:06:23
You haven't seen anything until you've actually come to a place
00:06:27
like the San Francisco Bay Area.
00:06:30
Right, it's just something that I had read about it.
00:06:35
I had, you know, thought about what it would be like, but it
00:06:39
was completely different.
00:06:40
The part that actually completely blew me away was,
00:06:44
first of all, how small it was.
00:06:45
Geographically it's such a small area.
00:06:49
And the other part that's always fascinated me is about how it's
00:06:55
not a zero-sum game, right, everybody here is from somewhere,
00:06:58
and everybody here got their start from nothing, so we sort
00:07:03
of feel obligated to help others to get going as well.
00:07:06
And that's the part that really got me into that whole idea of,
00:07:12
hey, we've constantly got to push ourselves to build
00:07:15
something better because somebody else did it before us.
00:07:18
How do you start from nothing?
00:07:19
It's amazing.
00:07:20
You literally just walk down the street and you go to a
00:07:25
leasing office.
00:07:25
Back then, I'm talking about. Today I don't think you would do
00:07:28
that, but I literally just walked down to a place and said
00:07:31
I need space.
00:07:31
They did not ask me for my credit record.
00:07:34
They did not ask me for references, they just said here,
00:07:37
here's the suite, this is what you have to pay every month, and
00:07:40
that's it.
00:07:40
I had a place.
00:07:42
Now I could get people over to start brainstorming.
00:08:01
Speaker 1: Everything and that's it.
00:08:03
I had a place.
00:08:05
Now it's well.
00:08:06
I guess it's it's less scary.
00:08:08
The younger you are, I would say, right, like now I've.
00:08:12
You know, I have a one-year-old at home.
00:08:14
Right, I have a wife, I have a mortgage.
00:08:16
I can't just quit everything and start over.
00:08:19
You know, completely fresh, like even if I were to do that,
00:08:23
it's like okay.
00:08:23
You know you need to empty out your retirement, utilize all of
00:08:27
your savings.
00:08:28
This is your burn period and all that.
00:08:30
You know, uh, it's.
00:08:32
It's a really fascinating area and time in someone's life when
00:08:37
they're when they kind of identify that you know where
00:08:40
it's like, hey, I have, you know, very limited
00:08:45
responsibilities right now, so why don't I throw my whole self
00:08:48
into this thing and see where it takes me?
00:08:50
Speaker 2: Yeah.
00:08:51
So, by the way, it's still scary.
00:08:53
I mean, we're all responsible adults, right?
00:08:55
Yeah, we don't want to depend on somebody else, but there's
00:08:59
some secrets there that you need to unlock in order to get there.
00:09:03
First of all, you know, get a partner in life that is more
00:09:08
accomplished than you are, number one.
00:09:10
Number two, somebody who you can depend on.
00:09:13
So you know, when I decided to do that, I had two things going
00:09:17
for me.
00:09:17
First, you know, I had a wife who had a very steady job and I
00:09:22
didn't have to worry about the mortgage or worry about the
00:09:24
bills.
00:09:24
And secondly, I had a boss who was extremely supportive.
00:09:28
I still remember distinctly, you know, when I came to
00:09:37
actually quitting and wanting to go and go down the
00:09:38
entrepreneurial path, which I did about seven years into my
00:09:40
journey, I went to my boss and said I'm still scared, and he
00:09:42
said you know what?
00:09:43
Just go, take the chance, just go do it and if you don't like
00:09:48
it, come back in a month, and that's all you need, right?
00:09:51
That's a lifeline, and I never turned back after that.
00:09:55
But again, I always feel very blessed to have all of those
00:10:00
things that helped me get started.
00:10:03
Speaker 1: Yeah, that's a very unique situation. Maybe not too
00:10:07
unique right when your boss told you take a month and give it a
00:10:13
try and if it doesn't work out, come back right.
00:10:16
Unfortunately, there's some bosses out there that would say
00:10:20
that's never going to work, don't waste your time.
00:10:22
I think when Jeff Bezos was starting Amazon, his boss and
00:10:28
his friends were all telling him you have a good life, you're
00:10:33
not going to duplicate it outside.
00:10:35
Why are you going to create something from nothing?
00:10:38
You know, they were telling him not to do it.
00:10:42
You know, not to take that risk.
00:10:43
Now, it's really hard to imagine a world without Amazon.
00:10:46
I mean like AWS.
00:10:49
It's hard to imagine a world without AWS.
00:10:51
You know Jeff Bezos obviously didn't found AWS or whatever.
00:10:55
The name.
00:10:57
AWS is synonymous with Amazon.
00:10:59
Now, you know you can't.
00:11:01
I don't buy anything before I check it on Amazon first.
00:11:05
Is it available on Amazon?
00:11:06
Is it cheaper on Amazon?
00:11:07
Do I get it faster on Amazon?
00:11:09
And if it meets those things, you know I'm getting it on
00:11:13
Amazon.
00:11:13
Right, like, and I'm sure millions of other people do that
00:11:16
exact same thing?
00:11:22
Speaker 2: Yeah, but this is what I tell everybody that I
00:11:23
happen to mentor.
00:11:24
If it's somebody coming out of school, somebody starting their
00:11:25
job, getting comfortable around having a job or sometimes
00:11:31
uncomfortable and wanting to quit, you always want to
00:11:35
challenge yourself.
00:11:35
One of the things that I've always done very early in life and I
00:11:39
saw it being done right now I saw my father doing it all the
00:11:44
time where if he felt like he was in a comfort zone, he was
00:11:48
always trying to get out of it.
00:11:49
We're all trained to actually fall into our comfort zones.
00:11:53
You know that.
00:11:54
Stay within that.
00:11:54
But as soon as you do that, you are limiting yourself.
00:11:58
So every time you feel that, you want to break out of that mold and you
00:12:03
want to challenge yourself.
00:12:04
And it's amazing how, once you do that, you feel so empowered.
00:12:08
You feel like you can do anything at that point, because
00:12:12
you broke out of your comfort zone and you did something that
00:12:15
was uncomfortable.
00:12:16
I mean, most uncomfortable thing that anybody can do is selling
00:12:21
a product or selling yourself.
00:12:22
First of all, it never comes naturally to anyone and no
00:12:26
matter what your personality is.
00:12:27
I know there are some people who are born salesmen.
00:12:29
But if you really ask them, it didn't come with them naturally.
00:12:31
They developed it, but it is again.
00:12:34
It's something that you have to do because it's the most
00:12:37
difficult thing to do out there.
00:12:38
Cold calling, you know, approaching somebody at a party
00:12:42
and just say, hey, what's up?
00:12:44
But you have to do that, you have to break out of that
00:12:48
comfort zone.
00:12:48
Speaker 1: Yeah, that's.
00:12:49
You bring up such a good point, you know.
00:12:53
And I look at this in my own life and sometimes I try to
00:12:59
almost check myself at the door right, like, hey, why are you
00:13:02
getting uncomfortable right now?
00:13:04
You have a good job, you have a good thing going on right now.
00:13:07
Why are you trying to switch everything up?
00:13:10
And it's something about being comfortable for too long.
00:13:15
It's okay to be comfortable in your current situation, right,
00:13:20
for a certain amount of time.
00:13:21
That certain amount of time can be different for for everyone.
00:13:24
I give myself, you know, one to two years, right.
00:13:27
But at some point you're not going to grow anymore, you know.
00:13:31
And when you don't grow anymore, there are some people that get
00:13:34
very comfortable in that situation.
00:13:37
They stay because it's what they've always known, it's a
00:13:40
stable job, you know, and they don't venture outside of that,
00:13:44
right.
00:13:45
But the people that when they, when they get comfortable and
00:13:49
they start pushing themselves to learn new things, you know they
00:13:53
tend to grow a lot more and they end their life, at the end
00:13:56
of their career or their life right, in a very different place
00:14:00
than where they ended up.
00:14:02
And if you were to ask them if they regretted it, they would
00:14:04
say you know more than likely that they didn't regret it and
00:14:08
in respect of the outcome, right uh, of the outcome.
00:14:12
Speaker 2: You may fail, but you never regret it, that's the.
00:14:16
Speaker 1: Yeah, I think, I think even, you know, even in failure, even if
00:14:20
you put everything into something you know and you truly
00:14:23
believed in it right, and it didn't work out, you know that's
00:14:27
not a failure.
00:14:27
You, you just learn something about yourself.
00:14:30
You learn something potentially about you know, that industry
00:14:34
that it didn't work in, or whatever it might be, failure
00:14:37
isn't always, you know, as cut and dry as.
00:14:40
Did I make money from this thing?
00:14:42
Did I become rich from this thing, or did I not?
00:14:45
You know, I feel like it's not as cut and dry.
00:14:49
Speaker 2: And that's the other thing about a place like Silicon
00:14:51
Valley right, you're not judged based on outcomes.
00:14:54
I mean, to some extent, everybody gets judged based on
00:14:57
some outcomes, but in a place like this, you always have
00:15:01
another chance.
00:15:02
You always have the ability to go to the next thing, having the
00:15:09
lessons learned from the previous experience, good or bad
00:15:12
.
00:15:12
Speaker 1: Yeah, that's probably why.
00:15:13
That's probably why, for a while there I mean, maybe it's
00:15:17
still going on.
00:15:18
Even like in the big tech Silicon Valley companies you
00:15:22
know, Facebook, Apple, Nvidia, Microsoft, their employees would
00:15:27
rotate between those companies, typically like every six months
00:15:31
even.
00:15:31
And it was a very common, very common thing that I was, you
00:15:37
know, reading about is because they, they, you know, as long as,
00:15:41
like, you're not the culprit of a breach, you know that costs
00:15:45
them a whole bunch of money.
00:15:46
And now you're before, you know, Congress, right, um, as long
00:15:50
as that doesn't happen, which is far less than 1%, you know
00:15:55
you're able to take those lessons learned and bring them
00:15:58
over here and you can transform processes, you can adjust how
00:16:03
the business is running so that those same mistakes are not
00:16:07
going to affect your new company and whatnot.
00:16:11
And it's not as accepted everywhere else, even within the
00:16:16
country, right, because I remember a time when I was
00:16:19
working for a credit bureau, the CISO hired someone from a
00:16:23
company that recently had a massive breach at that time and
00:16:29
the company before that he was at, that large company that had
00:16:33
the breach, also had a breach.
00:16:35
So this guy went through two massive breaches.
00:16:39
That you know, everyone in the country you know you, if you
00:16:42
name the company, everyone would know it right, probably even
00:16:45
worldwide.
00:16:46
Everyone really kind of critiqued our CISO for bringing
00:16:49
in this guy.
00:16:50
Um, because we're like what's he going to teach us?
00:16:53
Like how to do it wrong.
00:16:54
But everywhere else, or at least in Silicon Valley, that
00:16:58
mentality is completely different.
00:17:00
Speaker 2: Well, and it's spreading right, Even within
00:17:01
tech.
00:17:02
Now, all of that is spreading because we know that we are
00:17:04
fighting a war where the adversary actually has unlimited
00:17:09
budget and unlimited number of people that they can throw at it.
00:17:12
Right, that's what nation-state actors are.
00:17:14
So that's where we are always playing catch-up from a security
00:17:19
perspective, and that's where we feel that, you
00:17:21
know, something needs to change.
00:17:23
You're starting to see this already actually in security
00:17:27
now. You know, SIEM was something that was considered to be the
00:17:30
standard way to actually monitor threats and now it's being
00:17:34
reimagined.
00:17:35
You know, it's a new way of looking at threats.
00:17:39
I think that's a good beginning because, as the industry
00:17:43
evolves and we're at $100 billion, going to $225 billion
00:17:48
in four years in terms of cybersecurity budgets, we'll
00:17:53
have to reimagine how we are doing things, because the fact
00:17:56
is, breaches are not stopping, and that's really something that
00:18:00
A lot of the times they're increasing.
00:18:02
They're always increasing and getting more and more punitive
00:18:05
as well.
00:18:06
Right, they're becoming more difficult to manage even at the
00:18:09
individual level, so we have to reimagine how we protect
00:18:13
sensitive assets in the cloud.
00:18:15
Speaker 1: Yeah, in security.
00:18:19
We always say our job security is based on the last big breach.
00:18:27
That was in the news, right?
00:18:29
Because it's very easy for you to justify why you're there,
00:18:35
what you're working on, the budget that you need, when you
00:18:39
can point the finger and say, hey, look at that, they're our
00:18:41
competitor, they're in the exact same space as us, they had a
00:18:45
similar security stack as us and they got breached.
00:18:49
See, this is why I'm asking for the additional $50 million to
00:18:54
go and augment the security stack.
00:18:56
It's a huge, huge selling point.
00:18:59
Speaker 2: Yeah, well, you know, as solution providers, we tend
00:19:02
to avoid a lot of that ambulance chasing.
00:19:05
I'm sure this happens from an internal perspective, justify
00:19:09
budgets.
00:19:09
What we really believe is, from a design perspective or from an
00:19:14
innovation perspective, we want to make sure that we enact
00:19:18
proactive controls rather than continue to invest in reactive
00:19:22
controls all the time.
00:19:23
If we architect something right and we make sure that you have
00:19:28
what is known as an assumed breach posture, which means that
00:19:33
you're assuming that things are going to go bad and somebody is
00:19:35
going to get into your network, we want to design the pipeline
00:19:39
in such a way that the sensitive data, even though it is stolen,
00:19:43
it's useless.
00:19:43
That's what we really are trying to do from a, from a,
00:19:49
from a data pipeline design perspective.
00:19:54
Speaker 1: That's really fascinating.
00:19:55
So let's, let's dive into it a little bit.
00:19:58
You know, let's talk about you, let's talk about the company
00:20:01
that you had to go in there.
00:20:32
Speaker 2: I remember back in the day, you know, when I was
00:20:34
first starting out in college.
00:20:36
You know you had these mainframes and you had to go and
00:20:38
punch cards, drop the cards off and come back the next day to
00:20:42
pick them up.
00:20:42
Now you know that those days are the most secure because
00:20:48
there's nothing leaving that particular environment unless
00:20:51
you had the ability to get inside the building and take
00:20:54
things.
00:20:54
Well, for good or bad, those days are gone and everything is
00:20:59
everywhere.
00:21:00
So the most important problem that we solve is that when you
00:21:04
have your sensitive data in infrastructure that you don't
00:21:08
control, you want to make sure that nobody else has access to
00:21:12
that data other than yourself.
00:21:14
And this is where cryptography really helps, because if you are
00:21:19
able to secure your data by encrypting it with a key that
00:21:23
you control, nobody else can see the data unless you authorize
00:21:27
them or you go in there and actually use the key to retrieve.
00:21:34
The data is locked down, you cannot manipulate it, you cannot
00:21:38
process it.
00:21:39
So what's the use of having an asset that you cannot use, right?
00:21:42
So that's where the second innovation comes in, where we
00:21:46
have figured out how we can actually process that data
00:21:49
without still revealing it in the data store environment where
00:21:54
the administrator of that infrastructure can see the data.
00:21:57
So the category is called privacy enhanced computation or
00:22:02
the more simplistic term is data-centric security, because
00:22:04
you're securing the data all the way down at the record level
00:22:09
and you're keeping it secure so that it fails safe. If something
00:22:12
really bad happens, somebody gets in there, they only get encrypted data.
00:22:15
So encrypted data is useless from the perspective that you
00:22:19
can see it.
00:22:19
But, more importantly, it also does not trigger any kind of
00:22:23
notification requirement, so you don't have to tell anybody you
00:22:26
were breached because you only lost encrypted data.
00:22:28
So it helps you from a lot of different perspectives, but most
00:22:35
importantly, you're able to control your assets on
00:22:38
infrastructure that you don't know.
00:22:41
Speaker 1: So is this similar to homomorphic encryption?
00:22:46
Speaker 2: In principle, yes, because of the fact that
00:22:49
homomorphic encryption is really defined as being able to
00:22:52
encrypt data and then discard the key.
00:22:54
You can throw away the key, but you can still process it.
00:22:57
It's a very fascinating technology.
00:22:59
It's been around for a long time, in academia especially,
00:23:03
but it's never been practical because it slows things down by
00:23:07
a factor of a million sometimes and all the computers in the
00:23:12
world cannot really do much to accelerate it, because
00:23:15
cryptography is designed to make sure that it's very difficult
00:23:18
to process data that is encrypted.
00:23:21
There's lots of optimizations that have been developed over
00:23:23
time.
00:23:24
One of them is what we pursue.
00:23:26
We actually call our technique secure multi-party compute,
00:23:30
where what we're really doing is taking a secret you know, a
00:23:34
piece of data, for example and splitting up the operation or
00:23:38
manipulating that data into multiple pieces.
00:23:40
So if you steal one or a few of these, call them shares, you'd
00:23:47
only get part of the secret, so you cannot reconstruct the data.
00:23:51
You would have to compromise all of it, which just makes it
00:23:55
so much harder compared to what it is today, where you can just
00:23:59
go in there and steal a piece of data from a data store.
00:24:02
So that's the whole race that we are in right.
00:24:07
What we want to do is we want to make sure that the need and
00:24:11
the ability to actually compromise secrets takes effort.
00:24:17
That is a lot more than what it's worth.
00:24:20
You always want to keep ahead in that race.
00:24:23
That's really our job as security professionals to make
00:24:27
the job of the hacker harder than it is and make it as
00:24:30
unprofitable as it is
Speaker 1: development, a technological
00:24:37
development that would, you know, potentially give hackers like
00:24:43
the upper hand against this sort of technology?
00:24:47
Right, because it's like a cat and mouse game, right,
00:24:50
where you know the hackers, you know, find a new way to do
00:24:54
something.
00:24:55
They have more computation power, they have more, you know,
00:24:59
zombie computers to do a larger DDoS or whatever it might be
00:25:02
right, and then the technology side of it picks up and it
00:25:09
eliminates all those threats, right, but then sometimes the
00:25:12
hackers find a new way of handling it.
00:25:15
Is there something like maybe supercomputers or quantum
00:25:18
computers that you could think of, right, that may pose a risk
00:25:23
to this, or is it more of a post-quantum resistant
00:25:30
technology?
00:25:31
Speaker 2: Yeah, let's talk about two things actually
00:25:33
technology and people.
00:25:34
Technology part is relatively straightforward.
00:25:36
Quantum absolutely has the potential of breaking encryption.
00:25:40
In fact, some people say it's already broken it from the
00:25:44
perspective of breaking PKI. Not necessarily symmetric encryption,
00:25:48
but it does definitely affect asymmetric encryption.
00:25:51
But now we already have algorithms that are quantum safe.
00:25:55
We're trying to catch up in that race to make sure that that
00:25:58
doesn't happen, because a lot of people are doing a lot of
00:26:01
hackers are doing what is known as harvesting.
00:26:03
They store encrypted data waiting for current control so
00:26:06
that they can eventually decrypt it.
00:26:07
I think we're mitigating a lot of those risks by developing
00:26:11
quantum safe technologies and I think technologies will continue
00:26:14
to always keep pace because there's a lot of incentive to go
00:26:17
do that.
00:26:19
The part that is more difficult is people.
00:26:21
Most of the hacks happen because people are irresponsible.
00:26:24
They just take shortcuts for business reasons to ignore
00:26:29
security practices like encryption, for example, until
00:26:33
it is absolutely necessary to do it, to do it.
00:26:41
And that's where compliance really really helps, because now
00:26:42
you have another set of capabilities, another set of
00:26:43
controls that come in to make sure that such things don't
00:26:47
happen.
00:26:47
You make sure you have to go through checklists and make sure
00:26:51
that those particular data stores are encrypted, so that
00:26:55
will change behaviors.
00:26:56
I think the other part that's also very interesting is and we
00:27:00
talk to security practitioners all the time I think what is
00:27:04
happening is investments in security are being perceived
00:27:08
more and more as competitive differentiators.
00:27:10
Back to this issue of oh, your competitor just got breached.
00:27:13
You know, how safe are you?
00:27:14
The fact that you are adapting to and adopting better controls
00:27:20
is considered as a competitive advantage.
00:27:23
Fear only goes so far.
00:27:24
If it's a necessary evil to do something,
00:27:27
people will always drag their feet.
00:27:29
If we make them look better, there's a better chance that
00:27:32
they will adopt those kind of controls. So that's
00:27:41
where I feel like you know well, technology will always be there
00:27:43
and will always keep improving.
00:27:43
The attitudes and the approaches of individuals or
00:27:47
people are definitely changing, which tells me that we're going
00:27:52
to do the right thing going forward.
00:27:55
Speaker 1: Yeah, you bring up a very interesting point there
00:27:59
that you know.
00:27:59
I was having this conversation with someone else recently.
00:28:02
They were saying that the technology or the security of
00:28:07
these systems are significantly better than they used to be.
00:28:11
Spend that much time trying to get in via old methods of doing
00:28:24
a port scan and seeing what's available and trying to
00:28:25
manipulate requests in certain ways.
00:28:27
Right, they just go straight to the people and try to fool the
00:28:31
people as best as they can to get access, because they'll
00:28:36
spend so much time doing the technical route that it doesn't
00:28:40
even make sense to spend that much time on it up front.
00:28:45
Speaker 2: You're only as strong as your weakest link right, and
00:28:47
in this case, people are the weak link.
00:28:49
Yes, technology definitely has some weaknesses as well.
00:28:53
Supply chain vulnerabilities are a big thing and they're well
00:28:56
known, but everybody has really really good controls now, every
00:28:59
time you release something, you go through all of those testing.
00:29:02
It's becoming more and more automated.
00:29:04
AI is helping tremendously in that area as well.
00:29:08
So I think it's about the people.
00:29:11
That's where we need AI to really help.
00:29:14
We can make sure that people get alerted about certain things
00:29:19
that happen around them when they get phished, so I think
00:29:23
there's a lot of potential there as well.
00:29:26
Speaker 1: Is there any limitations with your solution
00:29:28
with large data sets?
00:29:30
I ask it specifically because you know, when you think of
00:29:34
encrypting, let's say, a SQL server, right, you're not going
00:29:37
to encrypt the entire hard disk of a SQL server because the
00:29:41
performance is significantly degraded.
00:29:44
Right, you encrypt, you know, rows and sometimes a whole
00:29:49
table, but you'll typically do rows and columns of
00:29:55
sensitive data and encrypt it that way, right?
00:29:57
But maybe because this is a quantum resistant solution, it
00:30:03
doesn't have the same problems as full disk encryption speed
00:30:07
issues have.
00:30:09
Have you seen anything like that?
00:30:12
Speaker 2: So this is where the cloud really really helps, right?
00:30:15
One of the biggest reasons why we exist is because of the cloud.
00:30:20
Infrastructure is so much easier to obtain because of the
00:30:24
fact that it's all on demand and the configuration aspect of it.
00:30:28
Containerization is something that is really really important
00:30:33
and useful when you're putting in this kind of capability.
00:30:37
To answer your question about scale, the biggest reason why we
00:30:41
believe we have no limitations of scale is because we use cloud
00:30:44
resources.
00:30:45
We are instantiated in the cloud, in the customer's
00:30:49
environment.
00:30:50
We are able to scale with the infrastructure as it is deployed
00:30:54
and it's adaptive.
00:30:56
You know, network load balancing, you know, containerization,
00:31:01
failover.
00:31:02
All of that happens because of cloud technologies that are now
00:31:06
available at scale.
00:31:08
Full disk encryption actually had a different purpose.
00:31:11
There was a reason why you would do full disk encryption
00:31:13
back in the day because disks were getting stolen or lost.
00:31:16
Nobody has a data center in their basement anymore, right?
00:31:20
The data centers are centralized, they're locked down,
00:31:23
they're physically very secure.
00:31:25
So even if you had that capability, it is useless.
00:31:30
What you want to protect is the data while it is being
00:31:33
manipulated, while it's being used, and that's where the
00:31:36
column level and row level encryption is the way to go. In
00:31:40
terms of performance impacts and whether you want to do all of
00:31:43
it or none.
00:31:44
Well, obviously, doing all of it is the easiest way to do it
00:31:47
right, because you don't have a way about what part is sensitive
00:31:50
and what part is not, but you know it has implications about
00:31:54
how it is processed and everything else that goes with
00:31:58
that, so it becomes a cost versus performance trade-off.
00:32:03
What we like to suggest is find the data that is sensitive and
00:32:08
then protect it using these scalable techniques, so that the
00:32:12
volume of data from the number of rows you have shouldn't
00:32:16
matter.
00:32:16
If you talk about the other dimensions and the columns of
00:32:20
data, there may be some data that is not sensitive and
00:32:23
there's no reason to encrypt it, and that's where we like to
00:32:27
make sure that the customers have control of granularity.
00:32:32
It's not an all-or-nothing thing.
00:32:34
You want to pick what you want to protect or what you are
00:32:38
protecting.
00:32:38
You want to protect it throughout its lifecycle, from
00:32:41
creation, use to when it's discarded.
00:32:46
Speaker 1: Now with, I guess, legacy encryption, it's highly
00:32:51
dependent upon the usage of keys and the security of those keys.
00:32:55
Is there any key usage that is dependent with your solution, or
00:33:03
does this solution take keys completely out of the mix?
00:33:08
Speaker 2: Now again, we're utilizing existing key
00:33:10
management mechanisms which have been there, which have been
00:33:14
standardized, which are extremely secure.
00:33:15
The whole HSM KMSs that were created are very, very secure.
00:33:21
It's just that nobody utilizes them to the full.
00:33:26
Speaker 1: You know.
00:33:27
Speaker 2: Keys become dormant, you don't rotate them often
00:33:30
enough, you don't put them in the right places.
00:33:33
All of those things are what we have addressed very, very well.
00:33:37
We also use envelope encryption, so you don't have to
00:33:41
re-encrypt the data every time you are rotating the key.
00:33:43
So what we are able to do really is to put security best
00:33:47
practices into action without creating a tremendous amount of
00:33:51
operational overhead.
00:33:52
You set up the policies, you define what your sensitive data
00:33:57
is, you say how often the keys are to be rotated.
00:34:00
Everything happens automatically.
00:34:02
We manage that whole process.
00:34:04
You don't need to actually do it manually, and that's where,
00:34:09
again, the operational efficiencies are.
00:34:11
The most important benefit of using our solution is over the
00:34:17
long term.
00:34:17
Speaker 1: You know, I got to say it's really impressive that
00:34:22
you're this technical, that you're this in the weeds, that
00:34:25
you're able to speak to the solution this well.
00:34:29
This is not an easy topic to talk about.
00:34:33
Encryption is always, you know, maybe the last thing that I
00:34:36
want to study for a test.
00:34:37
Right, it's uh, it's, uh, it's the thing that I hope that I
00:34:41
somehow get right.
00:34:42
You know, um, that I don't have to learn it too much.
00:34:46
I remember when I was studying for my ISC squared certs, I
00:34:51
spent the majority of my time on the encryption part, because it
00:34:56
was just so difficult to conceptualize and understand.
00:35:00
What sources helped you learn encryption?
00:35:04
Because what we're talking about right now is legacy
00:35:07
encryption, something that everyone has done, and now we're
00:35:11
talking about a new solution that is quantum resistant, right,
00:35:15
that is kind of almost being invented as we create it.
00:35:20
You know, like that's really what we're talking about here,
00:35:23
and so that is extremely, it's extremely difficult to
00:35:28
understand and, like, comprehend it.
00:35:31
Right, like tomorrow, if you were to ask me what we were
00:35:34
talking about, I would probably say I'm not sure, because, not
00:35:39
because I forgot about it, but because I don't, like I stand it
00:35:43
in the moment, right, but then regurgitating it and
00:35:46
understanding it in a day is a totally different story.
00:35:49
So how did you pick up this skill set and how did you learn
00:35:53
it?
00:35:53
Speaker 2: I highly recommend that you do that right.
00:35:55
The regurgitating part and teaching somebody else is the
00:35:58
best way to learn.
00:35:59
Well, obviously, I give my team a lot of credit.
00:36:01
My co-founder is a mathematician, you know.
00:36:03
He's extremely, extremely knowledgeable about the space.
00:36:07
And then, as we built the team, you know I always paid
00:36:10
attention to how we were building it and I always wanted
00:36:13
to break it down to how I can actually extend it to somebody
00:36:17
else, especially a customer.
00:36:19
So that's a skill that you always want to have, which is
00:36:23
that you have to be able to regurgitate it and be able to
00:36:26
field questions as well, because that's what happens all the
00:36:28
time on customer calls.
00:36:31
Why is it important?
00:36:31
How does it actually work?
00:36:33
You don't have to get into the weeds, I don't have to write the
00:36:35
formulas, but at least I need to understand the concept of
00:36:39
exactly how we developed it, how it works.
00:36:42
What I like to do is actually break it down to simple pictures
00:36:45
that I draw and then validate it.
00:36:46
I've always validated because I don't want to make anything up.
00:36:52
So it's been a fascinating journey.
00:36:53
We've really built something that we're really proud of.
00:36:55
But I can also tell you that you know, the core technology is
00:36:58
something that you build in the early days.
00:37:00
Most of the work after that is just about adaptation.
00:37:04
You know, there's so much change.
00:37:09
Again, going back to what we talked about at the start of the
00:37:13
podcast, which is the pace of change is just relentless.
00:37:17
Every cloud has a slightly different variant of how they do
00:37:23
orchestration, how they do key management, how they do
00:37:26
containerization, and that's what we deal with a lot on a
00:37:29
day-to-day basis.
00:37:30
The core technology was something we developed in the
00:37:33
early years and we are able to defend it quite effectively also.
00:37:38
Speaker 1: You bring up your co-founder being a fantastic
00:37:42
mathematician, right, and I remember getting into IT right
00:37:48
and going down that path.
00:37:49
I never, I never would have guessed that a mathematician
00:37:54
would play such a pivotal role in IT right, in technology
00:38:00
overall.
00:38:00
But you know, truly they're kind of, you know, the unsung
00:38:05
heroes of all of our underlying security and tech.
00:38:09
Like, if the mathematicians get it wrong, right with the
00:38:13
encryption protocols and whatnot, then there is no security,
00:38:17
there is literally no data encryption.
00:38:19
There's nothing you can do about it.
00:38:20
You know.
00:38:22
Speaker 2: Yeah. Well, all of us going through high school always
00:38:26
hated basic sciences, right?
00:38:28
Math and physics is what drives tech for the most part.
00:38:31
And again it goes back to the one thing that I always had
00:38:36
which has helped me is I always want to know about the big
00:38:39
picture.
00:38:39
When you're learning about a math algorithm or encryption and
00:38:43
you don't have the vision of, hey, someday I can prevent
00:38:47
breaches if I learn this, it's boring, it's not interesting,
00:38:52
and that's where media and, back in the day, printed media had
00:38:57
such a big impact.
00:38:58
You see, something like this is a magazine cover.
00:39:01
This is cool.
00:39:02
If I can be part of it, there's probably something that would
00:39:06
be exciting.
00:39:06
That's a very important thing to have.
00:39:09
Always try to look for the big picture.
00:39:11
Don't get mired in the details and forget about why you're
00:39:14
doing what you're doing.
00:39:16
Speaker 1: Yeah, that's extremely important. For me as a
00:39:20
cloud engineer,
00:39:22
it is very easy to get just thrown into the weeds and you
00:39:28
know, you come up for air and it's like man, I don't even know
00:39:31
what I'm working towards. Like, I don't know why I'm doing all
00:39:34
this stuff, and that's a very common thing on the technical
00:39:37
side of security.
00:39:39
And I feel like it may even be the opposite problem for, like
00:39:43
the architects, necessarily right, because I'll give you an
00:39:47
example, my current architect, you know, created a fantastic
00:39:51
reference architecture for the entire environment.
00:39:54
You know where everything is positioned and everything like
00:39:57
that, right, well, I was looking at it, and I was looking at it
00:40:01
from a technical perspective, from an engineering mindset, and
00:40:05
I'm just saying to myself when would I ever reference this?
00:40:08
You know it's a reference architecture, right, but when
00:40:11
would I ever actually reference this in any of the in the weeds
00:40:16
sort of work?
00:40:16
Right, and it's important to have that blend.
00:40:20
It's important to be technical, to be able to handle the
00:40:23
technical side of things but to also relate it in an overarching
00:40:29
bigger picture sort of thing.
00:40:31
And I guess that's where CISOs come in, right, they kind of
00:40:35
take it from all the people that are in the weeds that don't
00:40:38
really come up for air ever and they translate it into
00:40:41
consumable PowerPoints right and consumable slides for the
00:40:46
executives to understand what's actually going on at the company.
00:40:51
Speaker 2: It will fly up and down right, go from NGA to the
00:40:54
50K level and back downs, and I think the biggest job to CISO is
00:40:59
always to justify it from a business perspective.
00:41:01
If they just put security up front as a good practice, it's
00:41:06
not likely to get as much mileage, because the CFO doesn't
00:41:10
really understand why they are doing certain things.
00:41:12
They can clearly outline the business benefit, which, in this
00:41:17
case, is very easy to do.
00:41:18
Right, you're making your sensitive data consumable,
00:41:21
especially in this AI era where you're required to share data
00:41:25
now.
00:41:25
Earlier it was a choice, now it's a necessity.
00:41:28
You have to send your data to an LLM to be able to get better
00:41:32
outcomes.
00:41:32
Being able to justify it based on such business drivers is
00:41:38
really the secret to making sure you get the budget that you
00:41:41
want.
00:41:41
Speaker 1: Yeah, and it's really interesting how seeing it from
00:41:45
that 10 foot view enables you to be better in the weeds.
00:41:50
You know, so to speak, right, be better on the technical side
00:41:54
of things and everything, and so it's just.
00:41:56
It's an interesting perspective that I think people overlook.
00:42:00
You know that they don't put too much weight into it, right,
00:42:03
but it would really improve you, really improve their workflow
00:42:06
and what they're doing and why they're doing it.
00:42:08
Well, Ameesh, this has been a fantastic conversation, but
00:42:16
we're at the top of our time here and I'm always trying to be
00:42:19
very cognizant of my guests' time.
00:42:22
We're all so very busy.
00:42:23
So, before I let you go, how about you tell my audience where
00:42:27
they can find you, where they can find your company, if they
00:42:30
want to learn more and if they want to talk to you more about
00:42:33
this?
00:42:33
Speaker 2: First of all, Joe, it was a pleasure.
00:42:35
I always love these podcasts because it goes so fast and I
00:42:39
love the free-flowing nature of it, and I think we covered a lot
00:42:43
of ground here.
00:42:44
So I would love to hear from your listeners.
00:42:48
The company website is baffle.io and I am Ameesh D at baffle.io.
00:42:54
I look forward to hearing from them.
00:42:57
Speaker 1: Awesome.
00:42:57
Well, thanks, Ameesh, and thanks everyone for listening to this
00:43:01
podcast.
00:43:02
I hope you enjoyed it.