Security Unfiltered

Innovative Approaches to Safeguarding Information with Matt Howard

September 09, 2024 Joe South Episode 167


What if you could protect your organization's data as effortlessly as sending an email? Join us for an enlightening conversation with Matt Howard, a veteran IT professional whose career spans the dawn of the application service provider model to the forefront of open-source software and application security. Matt’s experience at tech conferences like DEFCON and Black Hat offers a firsthand look at the evolution of IT security. From his early days navigating the chaotic tech landscape to mastering the full technology stack, Matt’s journey reveals critical insights for anyone aspiring to excel in the field of IT.

Discover the future of data security architecture as Matt delves into the complexities of securing data within the finance industry and beyond. Learn how adopting a granular security architecture, similar to microservices in software development, can revolutionize secure data sharing across organizational boundaries. Through real-world applications, such as military alliances needing instantaneous and secure information exchange, Matt emphasizes the importance of dynamic, policy-driven access controls. His insights paint a picture of a more interconnected and securely collaborative world, one where data protection adapts to the demands of the moment.

Trace the historical milestones of data security with Matt, from the emergence of thin client computing to the rise of cloud services and microservices. Hear about key developments like Lotus Notes and the vital role of cryptography, as well as the modern-day necessity of encryption. Learn about Virtru’s innovative approach to simplifying data security with user-friendly encryption tools integrated into everyday platforms like Gmail and Outlook. Lastly, Matt introduces us to the Trusted Data Format (TDF) and the OpenTDF project, shedding light on how they provide granular security benefits and regulatory compliance. As we conclude, Matt shares the privacy-centric philosophy of Virtru’s founders and how you can connect with him for further insights.


Speaker 1:

How's it going, Matt? It's great to get you on the podcast. I'm really excited for our conversation here today.

Speaker 2:

Yeah, hey Joe, how you doing? Glad to be here. Thanks for having me.

Speaker 1:

Yeah, absolutely. It's an interesting time. I feel like everyone's recovering from the DEFCON Black Hat scene in Vegas last week. Did you end up making it out there?

Speaker 2:

I was not there this year, but I know a number of people that were, and I agree.

Speaker 1:

I think people are still recovering. Oh, yeah, yeah, I, um, I skipped this year very intentionally. I needed a break from last year because last year was non-stop meetings all day long. I couldn't even enjoy the conference, and then, you know, afterwards, of course, is after all the, you know, after parties and all that sort of stuff. So it was a much needed, much needed break.

Speaker 2:

Yeah, 100%. It's probably controversial to say this, but from the folks that I know and talk to, it feels like, you know, Black Hat is a little bit closer to RSA than it used to be, and that trend is it just gets bigger and bigger and interesting times indeed.

Speaker 1:

Yeah, yeah. I don't like Black Hat honestly, because it is just like RSA and for me, you know, I don't want anything to do with that world, right, I kind of, I talk to vendors, you know, on a daily basis already. I'm already looking at new tech all the time, you know. So, from my perspective, it's like when I go to, when I go to DEFCON, like I don't want anything to do with the Black Hat scene. I even try to stay away from RSA. I went once and I was like, yeah, this, this is enough for me. That's funny.

Speaker 1:

Yeah, so, Matt, how did you get into IT? And I start everyone off there. I'll tell you why. It's because there's a portion of my audience that could be trying to get into IT for the very first time. Or they're trying to get into security for the very first time and they're not sure if it's possible for them. And I remember when I was going through that phase and hearing someone with a similar background to me getting in and being successful on that route was really all I needed to hear, right? Because it's like, okay, this is difficult, but if this person can do it, we come from similar backgrounds. Maybe I can do it too. So what's your background with that?

Speaker 2:

Well, I'm officially a dinosaur in this industry these days. I kind of made my first real step into what you would consider to be, I think, modern IT all the way back, you know, kind of in 1999, 2000, at a company called US Internetworking, which was the world's first application services provider. You know, the idea was you would build this thing called a data center and you would run these things called applications inside of the data center and you would deliver those applications back to customers in a service model. So it was the precursor of SaaS. And you know, you think it seems like a really good idea to kind of go to market in a model like that, and it is. I mean, certainly there was a tremendous amount of learning and value created as a result of that. But at the same time there's a lot of challenges that surface along the way, not the least of which is security. So when you're touching other people's software and you're hosting other people's applications and you're doing it in your data center, you better be really good at your job lest there be any kind of risks that you undertake on their behalf. But that was my first foray into what I would consider sort of the IT world. I was always a little bit more interested in kind of higher up the stack applications as opposed to sort of lower in the stack infrastructure. But understanding the full stack, I think, is important for anyone looking at the world today. You know, it's important to have broad perspective on all phases of the stack. But as an applications person, you know, I eventually kind of made my way into a couple of my own companies and then, you know, became intrigued with open source and how open source, you know, software was increasingly being used to build applications and software developers were increasingly assembling third-party components, components from these third-party open source ecosystems.
And then you get into this whole interesting question about like, well, how good is the software that an engineer is actually building? Most of the code that they're actually putting into the application is borrowed from third-party open source ecosystems. Like, what's that all about? Um, and you know, so, along the way you get exposed to not just security as it relates to kind of the infrastructure that you're responsible for managing. You get exposed to really interesting and different questions with regards to, you know, creating really granular, really small policy, access control and security governance that is designed to protect the data itself. I mean, for a long time now, and I think we've all seen this.

Speaker 2:

In this world that we're living in, whether it's an RSA or Black Hat or pick your favorite conference that you might go to, the number of identity and access providers there is mind-boggling. You know, you got your big players like Okta and the rest. It's got all these endpoint players protecting these endpoint devices, CrowdStrike. You've got, you know, the network security guys. Pick your favorite flavor of network security, whether it's Zscaler or, um, you know, pick your favorite one of those guys. You know, the micro segmentation guys.

Speaker 2:

Then you get the application security guys and there doesn't seem to be, in my view, at least historically, enough attention being put on to who's out there doing really innovative work with open standards that's designed to protect the data. Forget about the endpoint, forget about the network, forget about the identity. Let's just assume that we've already been breached, because that's unfortunately a reality that many of us are contending with, and if that's the reality, that the bad guys are already in our house, then what's left to protect? It's the data. And how do you do that? That's ultimately kind of where I've kind of arrived in my journey.

Speaker 1:

Yeah, that's a really good point that you bring up. You know, I always start with protecting the data, right? It's kind of, if we had to boil security down to like one or two things, it would be IAM and data security. 100%. Right, because nothing else matters if they're already in, you know, like, especially if you're in the cloud. You know, one of the key tenets is IAM. If you're not doing IAM right, then they're able to log right in and they'll have access to everything.

Speaker 1:

And if they're able to access everything, then what's left to protect your crown jewels? Your crown jewels are probably your data, right? How are you encrypting it? Are you encrypting it? That's a huge question right there, right, to even ask, you know, taking it from like a third-party consultant, you know, sort of thing, right? That's a huge thing to even ask a company: well, how are you protecting your data that's stored in that AWS-managed RDS database? How are you, how are you actually securing it? And if they say, oh, it's with, you know, default AWS encryption or whatnot, so you can assume that they'd probably already be breached then, right, because the default encryption is going to store the key in KMS, and if they're already logged in, they can just get that key and decrypt it, right? So it's a very complex problem and we're only making things more complex as we kind of delineate away from legacy infrastructure.

Speaker 2:

Yeah, and listen. I mean, I think that point about moving away from legacy on-prem and moving everything to the cloud is important. I think, to your earlier comment, I couldn't agree more. I mean, when you stop and think about what is security, like, well, first things first, like what is the job to be done? The job to be done is to protect the data. Like, nothing else matters. Okay, well, if that's the job to be done, you got to protect the data.

Speaker 2:

I would argue that it's really important for people to reflect on the following: there is one massive data estate and there are two parts of the data estate. There's the part of the data estate that you possess, which is sensitive information that you have inside of your business which you want to protect from bad actors and threat actors externally being able to get it, steal it, exfiltrate it or whatever, and you don't want employees of your company doing silly things that would result in a misconfiguration and cause it to be leaked or exposed to a bad actor. So part of the big challenge, especially with regards to the movement to the cloud, is how do I protect the sensitive data that I have in my possession and how do I prevent it from being accidentally or unintentionally lost to these third-party risk actors. That's why I got to keep control of what I control. Very important. That's a risk management, defensive kind of motivation.

Speaker 2:

The other side of the data estate, which I would argue doesn't get enough attention but is increasingly getting more attention, is, okay, I have a business to run. My business requires me to do what? I have to share sensitive data with third parties every single day in massive quantities. I have to share data with third parties who I may or may not entirely trust. So the idea is, okay, I want to actually protect both the data that I possess from being lost or stolen and I also want to have good governance and control with respect to the sensitive data that I need to share with third parties. I should protect both sides of the data estate, not just one.

Speaker 1:

Yeah, it's, you know, I recently, I guess fairly recently, right, in the last 12 months, I encountered a situation where, you know, I worked for a very large company and I won't name them, uh, for my day job, right, and I worked for the financial services part of this company and some of our data was with our parent company, you know, over, still within the country and whatnot, right, but it was just residing in their Salesforce, right, it was going from our Salesforce to their Salesforce and to us, they're not a financial institution, we're the financial arm of this large company. To us, they're a third party. And that was a totally different way of me thinking about it, right, because my architect brought this problem to my attention and I said, well, what's the problem? Right, like they're, they're a part of us. Like we're, we're more part of them than anything else. You know, what does it matter? Right? And he said, no, we have to treat them as a completely separate entity because they don't deal with this data. They don't, they're not, they're not regulated.

Speaker 2:

Probably, they may or may not be regulated, right?

Speaker 1:

Yeah, they're not regulated for any of this data, and so we had to go through a very arduous process of not just saying, you know, how are you encrypting this data or how are you storing it, how are you protecting it. Show us evidence of how you're doing it, show us evidence that you're logging, show us evidence that, hey, there's alerts that pop up and we have a whole process around it. It was a new situation for me, even being in the finance industry for probably the past 10 years, almost, at this point, right, where it's always been in-house to me, it's never been that sort of situation of it's a parent company and we're sharing data with them and I have to think of them as that third party, right.

Speaker 2:

Yeah, that's the verb. I mean, I think that that's the point. The verb is sharing versus protecting. Right, like you and your mindset, like a lot of security professionals in traditional IT are absolutely thinking first and foremost about I have data that I need to keep possession of and I can't let anyone get it. And then there's the other sort of verb, which is I have data that I have to share. They're not a regulated financial institution, but they're part of your larger holding company and you need to share data with them.

Speaker 2:

Because, let's be honest, data, even sensitive data, has to move. It moves by definition, and when it does move, and it inevitably will leave your possession, the question is what can you do to share that data but not sacrifice ownership, control, privacy or security? How can you share that data with that third party and potentially do something like expiry, like, hey, you can have it for 30 days but not 31 days, or you can have it today, but you know what? I might change my mind tomorrow and I want to revoke it. Like, how can you take security architecture, when you traditionally think about zero trust and you have identity and endpoint and network and application and then you have data? Can you imagine shrinking the security architecture all the way down to the granular object level, which is the data itself? And in many respects, I tell people all the time when we talk about the open standard that we're building upon here, it's called Trusted Data Format.

Speaker 2:

I like to remind people that it's pretty similar to Kubernetes and containers. Like, if you think about, like, software application architectures, like, 10 years ago they were all three-tier monolithic software applications and over a 10-year period of time, engineering and software development teams began to componentize those applications and this thing called microservices and this thing called cloud became real and everybody realized it was, like, a good idea to build applications with microservices as core architecture, where everything was smaller, everything resided within a container and the container itself was this granular object of software which made, like, production maintenance better, bug fixing better, vulnerabilities better, like you could do so much more efficiently in an ops perspective if the application architecture itself was shrunken down into the container.

Speaker 2:

Well, if you think about security architecture, it's the same thing. If you shrink security architecture down into a container or, you know, we like to think of it as a, it is in many respects the same thing as an application container, except it's a data container, but the architecture itself, the access control, the policy, the entitlements associated with who can access this information, are all defined in that granular level. That's where you get to this world where policy is defined, to your earlier point, at the intersection of data that's been classified as this is sensitive, and there's an identity and identities over here that are authenticated or entitled in some form or fashion, and who gets access to the sensitive data. It all depends on what data we're talking about, whether it's been classified as sensitive or not, and who the identity is that's trying to access it, whether they have need-to-know privilege or not. And, if nothing else, just do that and you're all of a sudden sort of thinking about the world architecturally in a different way than I think has traditionally been the case.

Speaker 1:

That's really fascinating what you said with you know, protecting the data beyond your boundaries and kind of expanding out that security architecture.

Speaker 2:

Right, that is something pretty novel that I certainly haven't encountered. Um, that's a totally different way of thinking about it, even. It's happening, though, and, like, just think about this. I mean, like, let's just pretend for a second and use a use case that everybody today, unfortunately, is very familiar with, this concept of NATO and this unfortunate thing called war, right, where all of a sudden you're assembling force of allies, third parties, other countries that are federating together in near real time to do a job, and you're across different domains and the job today is here and the job tomorrow is there. So the actual environment in which you're executing is temporal, it's ephemeral. There is no IT infrastructure, because it's just incredibly hard to build networks and perimeters and identity and access control and all those traditional sort of IT infrastructure kind of things at the pace at which the mission demands, because the mission demands, you know, speed and it has to, like, work here today, now, and as a result of the mission being very temporal and very dynamic and cross domain and collaborative with different mission partners, it's not just the US, it's the UK, it's France, it's Germany and it's even now new NATO members like Finland and Sweden.

Speaker 2:

And all of a sudden you're like, okay, how do I share information with my trusted allies and my partners across domains in that context where I don't have time to build a secure network? How do you do that architecturally? The answer is you probably have to get more granular. The answer is you probably have to examine the possibility of a container-like capability and hopefully you could imagine it in an open standard. That's what Trusted Data Format is and it's something that, you know. And look, I'm not saying that the architectural concept of granular is the only thing that's necessary for modern cybersecurity practices to kind of reach their potential. I'm saying that it is a component of the architecture. Yes, you're going to continue to have to do traditional identity and endpoint and network and application security, of course, but I'm also certain that the nature of the business that we all have to contend with is increasingly going to, the benefit of having granular security architecture will become obvious to folks as the world continues to kind of unfold.

Speaker 1:

Yeah, you put it an interesting way. You say the world unfolds. It certainly feels like it. It's an interesting time. I feel like we've never gone through something like we're going through or about to go through before. What's the company that you're a part of is coming up with this kind of open framework and whatnot?

Speaker 2:

Well, first of all, I mean, to emphasize again, the open standard is called Trusted Data Format and anyone can go and look at it. It is, in fact, hosted today by ODNI, which is the Office of Director of National Intelligence, so it comes out of the NSA. We, my company, is called Virtru, and we have innovated on top of this open standard and we've developed a variety of integrations to different workflows that are all about the verb sharing. So if I have to share sensitive data in a workflow called email, or if I have to share sensitive data in a workflow called files, or if I have to share sensitive data, back to your example, between two different Salesforce instances across two different domains that happen to be part of the same company, all of those scenarios, sensitive data that has to be shared as part of some value stream, the question is how do you ultimately provide granular policy access, control and enforcement encryption optionally on that information? And you know, not to.

Speaker 2:

I don't want to diminish, you know, the importance of Virtru as a company, because what we're doing with the open standard is really pretty innovative, but I'm a big believer in the power of open standards and I just think that it's, uh, very compelling to step back and sort of again look at, like, wow, man, Kubernetes over a 10-year period of time became the standard for microservices application architecture and there were lots of reasons for it.

Speaker 2:

You know, architecturally, the world of how software is built and delivered in production and maintained in production today is fundamentally different because of an open standard, and I believe the same will happen with security architecture. At least granular security architecture will be supported by an open standard. I'm not saying TDF is the only open standard that might be benefited as a result of that, but it's certainly well positioned to help with that sort of trend, that shift in architectural thinking. And as that plays out, my company, Virtru, intends to be a leader in that regard and we're already doing a bunch of great work today by providing granular policy access, control and enforcement of those policies on that sensitive data that's shared through email, file and application workflows.

Speaker 1:

Do you think, you bring up Kubernetes, do you think containerized experience or knowledge is going to be critical to have for any security professional, you know, going into the future? Because that is something that I actually haven't thought a whole lot about, but it seems like more of the cloud is going towards this containerized slash serverless infrastructure.

Speaker 2:

Smaller is better. They call it microservices application architecture for a reason. Microservices in the application realm is to microsecurity in the cyber realm. So, whether you're talking about cloud ops or you're talking about security, I think there is a shift where granularity matters, and the shift towards microservices and more granular application architectures has gone full circle. It's a thing, it's happened, it's done, it's there. The shift towards micro security architectures, with something like TDF, is underway. You know, if it's a baseball game, we might be in the second or third inning, but I do believe it's going to continue and it will take time. Like any large scale tectonic architectural shift in IT takes time, a decade, but it's underway.

Speaker 1:

Yeah, it's really fascinating to try and guess where the market is going, where it's all heading, right? Because I always try to approach it from the perspective of giving people advice of what skills to get, right? Because there's so many out there, there's so many, you know, different domains that you can specialize in and whatnot. If there was a key, maybe one to three skill sets that you would recommend for someone to start mastering now, what would those be?

Speaker 2:

I mean, number one, without a doubt. Two things I would say is history with Windows to thin client computing, with the browser to on-prem server data center computing, to the eventual migration to cloud everything and the eventual migration from three-tier monolithic application architectures to microservices. If you step back and you give yourself, as a person who's really seeking to understand, I think, if you give yourself the benefit of a 10,000-foot view and you take the time to understand the big picture architecturally, then that's a really sound basis from which to dive deep into any particular area, to kind of develop a sharper expertise. I think it's very important to understand the history of where we come from, the reality of where we are and the potential for where we're going. If you can ground yourself in that big picture then it's a lot easier to make decisions as to where you want to go deep.

Speaker 1:

Hmm, yeah, that is really fascinating. You start with the history of it. I never thought about it like that. To be quite honest, I've been doing this for several years now and I've never thought about trying to go back and see where things were and trying to guess, use that to judge where everything is going now. It's a really interesting method.

Speaker 2:

It's history. Here's the good news: it's kind of fun. Um, you know, you look at something like Lotus Notes and Ray Ozzie, you know, who invented Notes, you know, and you look at the massive implications that that had, as it related to what we now know to be modern computing. I mean, it was truly, truly formal.

Speaker 2:

And you think about, I mean, cryptography. I mean, Notes was the first product in the history of the world to distribute cryptography at a time when the federal government, and the NSA in particular, wasn't particularly keen on anybody distributing cryptography if you weren't employed by the NSA, like, like, like. There's a lot of history there which, you know, goes back to. You know, kind of their. I do think if you spend a little bit of time in the history of the industry and the evolution of those, um, great company stories, great product stories, great innovation successes, they all have an opportunity. They all tend to teach you a ton, not just about what happened in the past, but they all tend to give you some really interesting perspective with regards to where things are right now and why.

Speaker 1:

Hmm, yeah, it's fascinating, you know, bringing up encryption and cryptography and the fight that the NSA went through, right of trying to maybe, you know, keep it behind closed doors, but then I also feel like there's a whole lot more reasons that it should be out there, right? Obviously, you know, people have to be able to protect their own data. They have to be able to own their own data and ensure the integrity of it, right? Without the encryption capability, you're not really able to do that.

Speaker 2:

There's a terrific book, if you're interested. It's called Crypto and it's by Steve Levy and it's really, really awesome and would encourage anyone that might be listening to check it out. But it's, it's everything that you're talking about. It's, and it goes from the very earliest beginnings, you know, with, like, you know, with Diffie and Hellman, you know, public infrastructure. It goes through the whole NSA, you know, hand-wringing about we can't let encryption into the hands of anyone, because that would be bad for us, to where we find ourselves today, where encryption is a necessary component of good modern, uh, IT engineering and cyber hygiene, because, um, you're up against really formidable opponents who have really top-notch skills and you better be able to protect your information with cryptographic skills. If not, you're gonna lose. I mean, it's been a long time coming, but that world has come full circle too.

Speaker 1:

Yeah, so how does Virtru let's talk about how Virtru, you know, solves this problem or helps working towards solving this problem.

Speaker 2:

Yeah, I mean, listen, at the end of the day, sometimes people look at Virtru from the outside and they go, it's, for example, somebody might look at it and go, oh, it's an email encryption company. I'm like, no, it's not. Yes, we provide a 50-year-old with no IT education who's a nurse at some healthcare practice in the middle of the country, doesn't know the first thing about encryption, can compose an email, attach a file and click a button and apply granular policy and access control and encryption to the object for the purposes of protecting HIPAA data.

Speaker 2:

It is that easy, and all of the magic that happens under the covers is made possible by the Virtru data security platform and the services that we make available in that platform. Things like encryption, management, key management, policy definition, enforcement, access control, all those things are exposed in an application that gets integrated into this thing called Gmail or this thing called Outlook. Alternatively, we can integrate into different file sharing services like Google Drive. Alternatively, we can provide policy and access control between two different SaaS applications that might be sharing data back and forth, but it is ultimately for us. It's one of the reasons I really wanted to emphasize earlier. We're very clear about who we are and who we aren't.

Speaker 2:

At Virtru, we are not in the business of helping you protect sensitive data that you possess inside of your business from being lost or stolen due to bad guys. That's not my business. My business is the other side of that coin. My business is the other side of that estate. My business is helping you get to a place where you can confidently share sensitive data with third parties in the name of driving your business forward, because that's what's required. You have to share data to do business. I want to give you the confidence and the simplicity and the ease and the elegance to do that in a way where you can share the data but you are not going to sacrifice control, privacy or security, and you can do things like expiration and revocation, because the data belongs to you and you alone. Hmm.

Speaker 1:

And does this work with other SaaS applications like Salesforce and all the other myriad of apps out there?

Speaker 2:

So we have natively integrated this data-centric security granular control into SaaS applications like Zendesk ticketing for help desk. We have, I would call it, arm's length integration into Salesforce vis-a-vis what's called an application gateway. So as long as your Salesforce instance is communicating sensitive information out of your Salesforce instance to a third party and you're using SMTP to do it, we can just very elegantly apply policy and give you all the benefits of those granular controls that we just talked about. We have also developed a platform that's now increasingly being deployed on the high side in support of DOD customers and IC customers, which gives them the ability to take advantage of those low-level system services that I described at the platform substrate and to incorporate them into.

Speaker 2:

You might think of them as legacy mission applications, like older applications that would benefit from granular policy and access control on unstructured data that's being shared out of the application. That's not something that's off the truck, that's a bit more custom and bespoke for some of those customers. But yeah, that's what we're doing and it's all about sensitive data and I want to emphasize the verb, sharing of sensitive data, because if you're going to share the sensitive data, you got to think about security architecture differently than if you're only focused on protecting it from being lost or stolen, and you already possess it, like the intentionality.

Speaker 2:

You have agency over data, um, and you have agency over the data that you possess, because you don't want someone else to get at it. I get that, that is not my business. But you also have to have agency over the data that you intend to share with others, and that's what we do.

Speaker 1:

So you were talking earlier about having almost like a container around that data. What does that look like? I mean, is it really a container and you're assigning permissions to that data type? How is the container defined? I guess is a better question.

Speaker 2:

That is exactly the open spec in the trusted data format, which is the open standard.

Speaker 2:

It is, think of it as an XML wrapper or a bit, I mean, sometimes people will call it an XML wrapper, sometimes people will call it a container. People historically have called it a wrapper or an envelope. I have become fond of calling it a container and the reason I like calling it a container is because it's essentially XML standard which basically allows you to define policy and to assert policy on the object. Like,

Speaker 2:

This thing is allowed to be shared with this person. This person can access it. It's going to require encryption and the way that it's going to be decrypted is this way. And so defining the policy and giving you the ability to enforce the policy at that intersection between this object, which we've determined is sensitive, and that entity, which we'll call it a human or a machine, once it's been authenticated and entitled, is how we ultimately bring to life the application value that Virtru delivers. But we do it all on top of an open standard. And to your question, for anybody who's interested, I would encourage them to look at. It's very easy. There's the, you know, the TDF spec is available for anyone to see. Just simply Google it. There's also the OpenTDF project. You can see the full spec there. You can see sample code, you can see use cases. There's a really good, rich, robust set of information that's available for anyone to kind of dig into and get their head wrapped around it. It's pretty robust.

Speaker 1:

Yeah, it's really fascinating and you describing it as a container makes it more, I would say, easily consumable and understandable to a lot of people. Right, because if I would have seen, let's just say, for example, right, if I would have seen like XML wrapper in a description or something like that, I'm going to think of it differently. But now that you've related those two terms to something that I understand, like container, it makes it a lot easier to understand, I guess.

Speaker 2:

Well, I'm curious. So I'm glad to hear you say that. But I'm curious, why? Is that because you have an IT background and you already kind of conceptually understand what containers are in the application sense, and to you a container is nothing more than a small microservices unit of software which sits inside of this container, which allows me to manage it in kind of a molecular nature. So container means something to you in a software sense and it's easy to relate that to a security sense. Is that?

Speaker 1:

Is that true? Yeah, so I would say I have more experience with containers than I do XML wrappers or TCP wrappers. Right, because that's not my background. My background is more infrastructure, turning into IAM and data security and network a little bit, right. So when I hear container, I understand what a container is. I understand, you know, the different security principles of it and everything else isn't an easy concept for a lot of people to grasp.

Speaker 2:

And back to our earlier conversation about how do you determine whether you're new to the industry and just getting started, or whether you're a longtime veteran of the industry and you know what you already know. I think it's oftentimes easiest to kind of convey, you know, again, be really clear about who you are and who you aren't. And in order to be clear about who you are, I think it's oftentimes easier to do that when you can communicate in the context of something that everyone else already understands. So, like the world gets containers today because of Kubernetes.

Speaker 2:

The world gets containers today because of the cloud. The world gets containers today because they remember the old days, 10 years ago, when you had an application in production and you had to take it down for 48 hours just to patch a zero-day vulnerability. What, your software is going to be down for two days to patch a vulnerability? That's insane.

Speaker 2:

Now they're like, no, the application doesn't come down. We're going to patch the vulnerability here in this container. We're not going to do open heart surgery, we're going to do laser surgery. It's like that's the power of granularity. And then it's like, okay, so I get containers and how they're valuable to the application architecture. And then you're all of a sudden having a conversation. You're like, well, now let's talk about containers and how they can be powerful to security architecture. What do you mean? I mean like a little container, you put sensitive data in it and you share it. Why? So you can define policy, enforce policy and access control and you can protect the thing, the object, at a granular level like never before.

Speaker 1:

It's just, yeah, that is, that's very interesting. And you know, you brought up, uh, you know, Europe, right, and my mind immediately went to GDPR and how useful this would be in that environment, right, I wonder if this will be used to kind of push along even more, you know, even more, I guess, recommendations or policies within the United States itself, right, like kind of having that mentality shift and then creating the policy to follow it. Does that make sense?

Speaker 2:

Well, 100%. So let's talk about that for a second, because with the email product that I mentioned, the integration of Virtru into an email workflow like Gmail, let's use Gmail as an example. You're the business and you're a smart IT person. You understand encryption and keys. You get the basics of what I'm talking about here. Um, what happens is Google has your content, they have your email, they have your, your, your keystrokes, like they've got your content in their cloud. And when Virtru integrates into Gmail, you then click a button and you apply a policy and access control and encryption and the encryption key. They have your content, but we have your key, and so there's separation of trust, and that's a good thing.

Speaker 2:

As you kind of go back to your GDPR analogy, it's like you know what it's my data. It's not Google's. I understand Google Workspace is a remarkably powerful cloud collaboration platform. I love it and at the same time, it's my data, not theirs advantage of everything that Google Workspace has to offer me in a way where I'm in control of my data, not Google.

Speaker 2:

And you know this concept of like a blind subpoena. I don't know if you're familiar with it, but, like God forbid, you know this is popularized now, just recently with the assassination attempt on Donald Trump. You know, the young man who did this, you know, apparently had his iPhone locked and there's some debate now going on about how law enforcement is working to get to the device, and apparently they were able to do so with some assistance from a third party who has expertise in that. But, as I understand it last and I'm not fully read up on this, but I understand that there was some subsequent information that was encrypted in, I think, WhatsApp, which was the application on the guy's device. But it goes down to this and this, of course, goes full circle back to the NSA and the law enforcement concerns.

Speaker 2:

At what point does society get so good at encryption and privacy that it makes it difficult for law enforcement to do their job? I'm not in the business of drawing those lines, I mean, that's way bigger than me, but I do absolutely agree with you that in the world as we know it today, more and more human, just normal people are beginning to understand the value of their data. And when they understand the value of their data, they're going to ask for capabilities, they're going to ask for the ability to control their data. They just don't want to simply give it up to Google or they don't want to simply give it up to their bank or whoever because it belongs to them. And in that world where everybody understands that it's their data, that world will begin to demand more and more capabilities from their cloud providers, from their application providers, from their IT providers, and that's again back to that. It's going to take 10 years, but that's where the world's going, I believe. Yeah, I certainly hope so.

Speaker 1:

I feel like, you know, just seeing how our own data is being used against us to, like, form different opinions and direct our thinking and our buying habits and everything else like that, right, like it's frustrating. It's frustrating, it's very frustrating and it's also very eye opening because it's like oh, you guys are, you guys are monetizing everything about me when I use your platform, whether I, whether I know it or not, and that's really frustrating because now you're making money off me and you're a multi-billion dollar company, you know, probably trillion dollar market value, right, and you're making that money off of me. You know that's, that's a very, uh, dicey topic, right?

Speaker 2:

Well, listen, I mean, you know, I don't know how big the market for DuckDuckGo is. I've heard it's like less than 10, maybe less than five. It's small, but there's a percentage of people out there that are all in on DuckDuckGo and believe the power of that browser and the privacy enhancement capabilities that it delivers is well worth the investment, for exactly the reasons you just articulated. But it's not nine, it is a small percentage. And then there's, you know, I have a, I know a guy, a friend of mine, John Doyle, who's the CEO of a company called Cape Wireless here in Washington DC, who is getting ready to launch a really innovative, interesting national cellular carrier, wireless carrier network where you can basically go to Cape Wireless and get a new mobile phone number and a phone and they don't ask you for any information about you because they don't need it. They're not creating an account profile with your name and your social and your address and your email and all that stuff, because they don't want that information. Like this is privacy-first mobile carrier network called Cape Wireless, and so again, it's a journey we're all on it and privacy and this whole thing is complicated.

Speaker 2:

I don't, I, you know, I separate that a little bit from just the IT infrastructure side of it.

Speaker 2:

Before you can kind of get to that future vision, there's the practical reality today that says I'm just a healthcare company trying to share sensitive patient data with a client or a patient outside of the organization. How do I do that in a way where I'm compliant with HIPAA? Or I'm a bank and I have to share really sensitive information with a client who's on a yacht in the Caribbean and I want to encrypt it, but I don't want the person on the yacht to struggle mightily with the decryption experience. It's got to be simple, elegant, seamless for everybody, the person in the bank sending the information and encrypting it and the person on the other end receiving it and decrypting it. You know these are simple, practical things that businesses are doing today with Virtru products powered by that OpenTDF standard and you know we're excited to play a role in, I'll call it, data-centric security. But the founders accurately both have a deeply held belief that they're doing the right thing as it relates to privacy.

Speaker 1:

Yeah, that's awesome. Well, Matt, you know we're at the end of our time here, unfortunately, but I really enjoyed our conversation. I think it was a fantastic conversation.

Speaker 2:

Yeah, I appreciate you having me, and thanks for the opportunity to connect and compare notes and we'll catch up with you soon.

Speaker 1:

Yeah, absolutely. Well, Matt, before I let you go, how about you tell my audience where they can find you if they want to reach out and where they can find your company?

Speaker 2:

Yeah, virtru.com, that's V-I-R-T-R-U.com, and I am available right there on the company management page, and you can also find me on LinkedIn.
