Transcript
Hi Mike Matchett with Small World Big Data. We are here today talking about, uh, what, you know, a big threat that's coming up for a lot of people, which is their data loss due to possibly AI, to quantum decryption, uh, to lots of other things. There's lots of data at risk right now, uh, and has been for, for, for, for years. Uh, it's going to take quite a bit, quite a few different changes in attitude and technologies to really address that risk. But Cy4Data Labs has got some answers for us, uh, that are, you know, are pretty thorough. So let's get into it. Uh, just hold on a second and we'll bring them on. Go. Hey, Lance, welcome to our show. Hey, Mike. Thanks for having us. Uh, you know, it's a big topic, and, you know, we only have you can get pretty technologically deep, but just at the top level, uh, what's the. You know, why did you want to start Cy4Data Labs? What did you see happening in the industry and in hacking and in encryption and decryption? That said, this is the thing we got to do next, and this is where this is where we're going to put, put all my energy. And I'm like, that's a it's a it's a good question. It's insightful because the company itself, um, we noticed something that was bothering us. And this was this problem of an increasing number of data breaches. I'm sure that the that the listeners and the viewers have received, you know, a, uh, a letter that there was some kind of data breach from a company that they didn't know. And, you know, they hand them a coupon for one year to check their credit, uh, history. That was frustrating. And what really got to us was when we saw this happening to, um, our youth. Right? Kids that are six, seven years old, um, to our veterans, to our seniors, and these are folks that aren't able to protect themselves about their personal information that's routinely captured and used in businesses, um, you know, and used to, uh, try and make life better applications more usable. But it's dangerous, right? 
Because that information can be used to exploit and get money out of these folks or harm them. And that's what drove us. That's what that's the need that we saw. We had to solve that problem. Right. And, uh, I don't think people need much of a lesson in the fact that hacking is accelerating, ransomware is accelerating, AI is making the situation worse. But, uh, you know, if you look at if we look at some graphs of things and you showed me some graphs of CVEs before, it's starting to really just go nonlinear at this point, right? It's not getting better. It's actually getting worse and worse. Why why is that? Well, I think there's a couple of reasons for that. I think it's the rate of development. It's also the, you know, AI is helping to create new products. Uh, the world's getting bigger. There's more people, there's more ideas, and there's innovation that's occurring on a daily basis. It also is prime for someone to pick apart these architectures, to see any kind of minute little flaw that they can find to get into these systems, try to steal credentials, phish them, right, because we'll make mistakes as humans, and we'll inadvertently allow someone to get something on a machine where they will go and capture keystrokes. And all of a sudden now they're into these, uh, enterprising networks where these databases reside with this sensitive information that's probably the primary driver is just more of the same. Year after year, we have more common vulnerabilities, exploits year on year. I think it's close to 775 this year alone, going to like 800 next year per week. That these are showing up means that there's just more chances for this, the data to get stolen. I mean, there are more digital apps, there's more big data. I mean, it's the name of what we do here. Small world, big data. It's just, you know, this data is data is growing tremendously. 
And that's data in storage, data at rest, data in the clouds, data everywhere and just this complexity of the modern world as apps and languages and and devices proliferate. And you have IoT things now and cars and there's just more points of vulnerability. Um, and then and I just and before we start talking about what you guys do in particular, I just also want to talk about this quantum, this quantum threat a little bit, uh, this idea that quantum computing is coming along and, uh, people, people's data that's already out there, even if it's stolen in encrypted form, is at risk. Could you explain that a little bit more? Yeah, yeah. Let's, um, let's be pretty frank about what the sort of the concern is. So NIST has spent the last nine years creating, um, some new post-quantum cryptography algorithms to do one thing to protect the data that's in transit. When you communicate between two people, two devices, between servers, you need to protect those bits that are in flight so that there's no man-in-the-middle attack, somebody that's listening to those bits, they need to be encrypted. Now, we've been using a number of technologies for the last couple of decades. It's been fine. But, you know, back in the 1990s, uh, a guy by the name of Shor, uh, had created this algorithm that said if we, in theory, had a quantum computer here would be an algorithm that I could use to break the public key encryption that's in place today. So this new algorithms are coming out to replace them. They're algorithms called, like, RSA, might be familiar to people, Diffie-Hellman, um, uh, elliptic curve cryptography. These are three of the public key algorithms that are used to generate those protocols. They have found without a doubt it's breakable. So some point in the future, uh, a nation state, cyber criminals will have commercial accessibility to a quantum computer. The projections, even like a year ago, was that before the end of this decade that they would be widely available. 
So what they would do, the the criminals would do is they would intercept or harvest those transmissions today and in the next couple of years, decrypt and break them open and get that data. That's what the threat is. Wow. And I mean, I don't even want to hazard a guess here. This sounds like a science fiction novel we should be writing. Except it's not fiction. Uh, that that a lot of secrets that people think are secret today are going to be cracked open tomorrow. All right, so let's talk about what we can do about this. Right. Because, um, now Cy4Data Labs, you guys have approached this problem with the idea that it's not simply data at rest or data in flight. Uh, but, uh, something you call data in, what, data in use? Just outline that for us. Like most people you know, I'm from the storage industry. You know, data at rest. Data in flight seems to bend it for a while. What is this now? Extension to data in use? Well, it would, uh, it explains why the data breaches are skyrocketing. Um, the data at rest is when you write that data to a disk or to a storage device, so that if somebody steals that storage, if they steal the disk, it's protected because it's encrypted when it was written on the disk. Okay. But that's the number one job. That's the only thing that it does. Then the data in flight is what we said before this man-in-the-middle attack. Okay. And that's where people refer to end to end. But the thing is, it's only between systems and machines when it lands on those intermediate machines, like an application server or a database management system or the endpoint device, it lands onto those machines in the clear, meaning it's usable. It's not encrypted any longer. The job is only during transport and nothing else. The problem with the data breach is this: it doesn't get bothered by either one of those two protocols. 
It's when someone actually has credentials, logs into an application and does a query, or it fakes that that application out or it does attacks like SQL injection attacks, which is a fancy term for saying, hey, you asked for X, Y, and Z, but you know what? I'm going to tag along and ask for A, B, C as well. And all of a sudden this information comes pouring out right on top of those systems. And that's why these data breaches occur, amongst other things, you know, besides vulnerabilities that show up in certain protocols or applications that got developed, which is all, you know, continuing to happen. But you have to ask yourself a question. If you had no security at all firewalls, moats, you know, machine guns, you know, nested around your, uh, data centers. What if you had none of that stuff? Could you still protect the data? And the answer is yes. If you can protect the data itself, not the file it's written to, not the the protocol that's transporting it. But if I start with protecting that data itself, well, it turns out computers don't care because it's like a foreign language to, uh, to us, but to the data, I mean, to a computer. It's digital information. It doesn't understand the difference between English, French, German, Italian or French, but it does know hexadecimal. So if you make it look like hexadecimal, that is the start. There's a few more other technological innovations that need to occur, but it can operate on that information. And so when it gets broken into or when someone steals those records, they're natively or in situ encrypted. And that's the basis of our ability to protect data under all circumstances, with no perimeter or typical perimeter based security or rule based application security, where it prevents people from logging in who don't have authorization. If that data gets taken out, they still need the keys to the crypto because all they get is encrypted information. 
So we're not talking about necessarily encrypting drives or storage. We're not talking about necessarily having to encrypt the protocols to transfer information. But if we just store our if we just make the data itself encrypted and use it and use it in an encrypted fashion, because as you're saying, there's lots of things you can do with data from a computational perspective where the computer doesn't care. Um, then the data is much safer. But then how do how does somebody actually at the end point then see it? Like how does how does it how do you actually get to the idea of encrypting the data? Uh, at the user interface. Right. The, the sort of the simplest view of this is that on that endpoint device, if that user has the authorization to get the keys to decrypt each one of the words of a of a of a record, then, um, it's transparent. They don't even know the keys are being requested on their behalf. But, you know, they've been authorized. And then those keys show up and it decrypts in real time, you know, in nanoseconds. So it's there's no perceivable impact on performance, zero impact on the database that's doing all the queries because it's always operating, uh, in the encrypted form. And so for the end users that don't have authorization, well, there's a natural data masking that's built into the system that, uh, is easily deployed to those endpoint devices through the application itself. And then you just don't see it like it's it's just magically seems to happen for you if you have authorization. You see all the data in the clear, no impact on changes, you know, user workflows, those types of things. So you're really pushing that decryption and the key access down to the very end point where someone who's authorized. That is the most secured, no matter if it's a, you know, a smartphone or a desktop or a laptop or a terminal, it's all it's all transparent to them. 
And I think, I think the big switch here for a lot of people, if there's one takeaway and just trying to get your head wrapped around this, it's that the database in the middle is actually working with natively encrypted data and doesn't and doesn't know any better. It works just fine. Fine, uh, but it is not a clear text data in there in any way. So that's. Yeah. See, the database can't work on, uh, the encrypted file, so they actually have to decrypt that file when you pull it, pull it off the storage. And then that's why all the data going into the database is in the clear. That's the that's the architectural model that always worked with which is translated into another language. We can't read it but computers can. Yeah. Which is, which is which is crazy. Uh, if you ask me. So, uh, this must take millions of keys, and you're saying there's no performance impact, uh, uh, in because, again, you know, all those other layers between storage and database and other things don't care. They're not decrypting it. Uh, but from an end user perspective in human time frame, um, it's not it's not a burden to to. And here's the beauty of it is that, uh, normally what would it be done is that someone would try and encrypt columns in a database, and for you to perform searches, you'd have to decrypt the entire column before you did the search. Okay. And that's where it would just be 20, 25%, uh, performance impact on the database. In this case, it's zero, right? Databases are working on encrypted lands to the end user. The end user is not asking for 100 million records. First of all, uh, database, uh, managers or DBAs will not allow someone to ask for every record in a database, okay? Because it would bring it to its knees. And from a performance perspective, um, but they need to ask a query that limits the result, right? So a lot of times by default, they limit it to 20 records or 100 records or 1000 records, but you're not showing 1000 records on the screen at a time. 
Maybe you're showing 20 or 50 at a time or 100 at a time. That's all we have to decrypt. That's a couple of hundred megabytes, tops, right? That takes milliseconds to do. That's why it works. It's about the context of data and data use, you know, and then when do we have to actually decrypt. Because we don't decrypt it. When it gets on the endpoint machine we leave it encrypted in memory on the disk and only decrypt it when it gets displayed. All right. So let me let's let's wrap up here on what threats we're now able to, uh, protect against. You've got obviously, uh, a lot of the hacks that are stealing data in flight are stealing data that's been stored somewhere else. Right. You can only you can only do this. Um, what about, um, you know, sort of that idea of somebody who is authorized a lot, a lot of data disappears from insiders. What does this help with that? It does help with it. So the insider attack is very important, whether it be, uh, driven by an AI agent, like a AI that would be searching, um, what seem like routinely inside. Or you've got a good actor that turns bad, like an exiting an employee says, you know what? I need to get all the contact information of customers. So when I go to my new, uh, uh, competitor, you know, my my new company, I already got a leg up. And you want to go and protect that? Well, we're able to do is we're able to sense, $0.02 on the use and what they request that somebody is making for the keys. That represents that data. And when it's unusual is when we get to govern it. And then we start to control who actually gets those keys. So someone, you know, it's been a good employee for ten years, all of a sudden asked for every record in the CRM, right in the customer relational database. Um, that's an unusual request. That's someone wouldn't ask for every one of them and for every single field, we wouldn't give them every single key because it would be unusual activity. What if it's done at 3 a.m. 
in the morning that for that particular user's time, that's unusual activity. These are kind of simple ones. There's more complicated ones that we go and we detect and make a determination, um, to govern them, slow down the number of keys they get, wait to see what their activity is, and then maybe shut it off and say, look, we're going to shut you off. You have to re-MFA. I mean, it's really interesting. You've got that single point of control for access to the data, and that sort of combines with the idea that, you know, if there's backups and snapshots and that database has been replicated and so on. That data, no matter what's happened to it, all those copies are still encrypted. It's that single point of access control through the keys. No matter how many copies of the database are out there. Right. So like that. And that has something to do with human errors, too. I think that you're going to stop a lot of, uh, and AI assisted human errors as we see accidental exposures. Accidental exposures. Um, and then, but I guess, I guess just to just to just to close this up. So we talked about that, uh, that, that quantum threat earlier. Uh, how is that folding in here? Yeah, it's a very simple, uh, problem uh, look, this is in the government. US government is working very hard to close that gap up. They've worked for it for nine years. Um, there is a rollout, um, and essentially for the next two years, qualifying those algorithms, generating the libraries and getting them integrated into applications, and then the customers, the enterprises have to upgrade all those applications. That's going to take at least another two, possibly three years for that. I'll get finished. In the meantime, there's harvesting going on. But if you protect the data itself, then when someone harvests that that secured communication using current public key encryption, when they break it open, all they see is the raw encrypted data. Right? Natively encrypted data. 
So we can stop that threat now. And yeah, granted there is data that has a shelf life to it, but when it gets down over the next couple years, you still don't want someone to have the ability to crack those open. We can stop that today. Right. And your encryption, for a number of reasons, which we don't have time to get into, is is pretty resistant to this quantum attack, uh, if not fully resistant to it the way it's designed and the way the keys work. That's right. We had talked about public key encryption was the vulnerability. We use nothing but symmetric key encryption and/or, uh, what they refer to as a one time pad approach. And those are all unbreakable by quantum computer. All right. So you're quantum safe. You've got you've got the data safe. You can stop some of the AI problems that are that are starting to happen. Uh, and uh, you know, we looked at some of the things that have happened in the past, uh, that didn't actually stop the level, exponential level of hacking. Maybe you guys are the thing that gets on that map and starts to starts to stop that. Uh, so, Lance, if someone wants more information about this, I mean, there's lots of questions people might have, like, what's the effort to do this, does this, does this, uh, slow down things? Does this is this expensive? All that sort of stuff? I don't have time to get into that right now, but it's so cool if someone wants to dive into that and ask you some more questions, what would you have them do? Yeah. So one of two ways but let's first talk about our website company Cy4Data Labs. That's spelled C-Y-4 data labs dot com. There's plenty of information there. You can contact our sales folks as well. We're also at shows around the around the US, um, every month, uh, whether it be in the private sector, enterprise space or in the public sector, um, space, you'll find us, um, prominently, uh, across the US. 
Um, we've got folks, um, uh, deployed in different cities, um, in certain venues, right where we get to do sit down and one on ones look for us, we'll be there. All right. That's very great. And I have seen a preview of what you guys did when you came out at RSA this last year. RSAC, I should say. It was very cool. Uh, you guys, I mean, even now, a few months later, you've got some great new, uh, conversations and technologies and bits going on. Uh, and, uh, I can only imagine that once people really understand the vulnerabilities that they have with the data, the way they're storing it, the way they're using it today, even though they've probably done all this encryption, they're going to want to talk to you guys and get, get, get more secure and really, really lock that stuff down. So check it out. Thank you for being here today, Lance. Appreciate it. All right. Take care, folks.