Camille Morhardt 0:23
Hi and welcome to InTechnology podcast. I’m your host, Camille Morhardt, and today we are participating in the Intel Capital series with an episode around data security. Here to co-host with me is Sunil Kurkure, who is managing director at Intel Capital; he invests in cloud, native infrastructure, applications, Developer Tools, Data platforms and security. And before he was at Intel Capital, he worked as an enterprise-focused investor at Mirador Capital, Green Spring Associates and Charter Ventures, where he held board and advisory roles in the companies they invested in, as he does at Intel Capital. Welcome to the podcast, Sunil, and could you introduce our guest today?
Sunil Kurkure 1:04
Thanks, Camille, thanks for having us. So today, we’ve got Anand Kashyap, who’s a CEO and co-founder of Fortanix. Anand is a longtime technologist and a security researcher. I’ve known Anand for almost a decade. He spent time in various roles at Symantec and VMware, but I think his true expertise is really around solving the hard problems in technology and security and his ability to get others to focus and to build great products. So welcome, Anand.
Anand Kashyap 1:32
Thank you, Sunil, and thanks Camille. It’s a pleasure to be here.
Sunil Kurkure 1:36
Anand, you and I have known each other for a long time, and I see your drive to continue to build Fortanix; but just to share with others, maybe you can talk about what inspired you to start the company.
Anand Kashyap 01:47
I used to work in a security company, and what I was seeing there was, security is like a cat and mouse game where it’s the bad guys are creating these attacks and the good guys are creating defense against those attacks. But there’s no deterministic security. There’s always some false positives, false negatives, where the bad guys just need one entry point, they can come in, and once they’re in your environment, they can do pretty much anything.
What we saw with technologies like confidential computing is using hardware to protect software is a stronger security phenomenon; it’s a better way to do security because hardware is more immutable than software. And by doing that, I saw a way by which you can make security a little bit more deterministic. And it’s not just left to, you know, inspecting every packet, inspecting every file to see if it’s malware or not. It’s more about, “okay, I’ll build a boundary, a hardware boundary, around my data and my compute, and I will only allow certain APIs to be accessed by some users, and I can verify that this security boundary is has not been tampered with, and it’s opaque, nobody can look into this.”
So, my thesis was, why not just protect the data directly and create a security boundary around data, and then wherever data goes–because data is not static, data is in on-prem environments, it goes to cloud, it goes to SaaS systems–if you can make sure that the security travels with the data, and then we can decouple the security of the data with the infrastructure and build security solutions around data. Those are your crown jewels, your data, your encryption keys, for example, which are used to encrypt that data. If you can protect all of those very well, then we can seriously improve the quality of security that an enterprise can get.
Camille Morhardt 03:47
One of the things that’s been gaining traction in the industry is confidential computing, or this notion of finally, actually protecting data while it’s in use. Can you briefly describe what it is and how you’re working with it?
Anand Kashyap 04:02
Yeah, confidential computing is the foundational technology that we adopted when we started the company to build products and tools and software on top of that, such that the data can stay protected even when it is in use; and that is the key part protecting data in use, because there are already solutions for protecting data at rest. You could just encrypt it when it is sitting in your disk or in your database. There are solutions for protecting data in motion. So, when you connect to your bank’s website, everything goes over a TLS channel, and data stays encrypted. But there was no solution before confidential computing to protect the data in use, which means when it is in the memory, which is when it is being processed by the CPU.
And that’s when Intel came up with the SGX technology, or the Software Guard Extensions, about ten years ago, which allowed for creation of a trusted execution environment by the CPU and any data or any code that goes inside this trusted execution environment–which is also called a “secure enclave”–stays protected. You get confidentiality; nobody can look inside the enclave. And you also get integrity protection, so nobody can change the enclave when it has been once it has been built, and that is enforced by remote attestation. So, the combination of confidentiality and integrity of both data and the code that is used to process that data–which is enforced by the hardware–all of this together forms confidential computing.
And using this technology, we have been able to build products in data security which allow data to stay protected and encrypted end-to-end. And we are probably one of the only companies in the world using this technology, deploying SaaS services, who can make a claim that, you know, “we cannot look at our customers data when we run a SaaS service or a cloud service using this combinational computing technology.”
Camille Morhardt 05:58
That’s really interesting, and maybe a good time to ask Sunil why Intel Capital was interested in Fortanix?
Sunil Kurkure 06:05
We looked at many data security companies, and most data security companies were able to protect data on-prem, and they’re able to do it at rest. They’re not able to do it in motion, as Anand pointed out, and the big difference that Fortanix had at the time when we invested was really the only company that was addressing the digital transformation around the cloud platform. They’re able to manage data, not only on-prem, but into the cloud and in the various SaaS services that most enterprises use, as Anand mentioned. And along with the fact that we had two founders in this company that had domain expertise that were very differentiated to the rest of the founders in space, that kind of got us comfortable in investing in Fortanix.
Camille Morhardt 06:45
How is AI being used in security today, and how is it being used in attacks?
Anand Kashyap 06:52
So the modern AI tools are available to both the good guys and the bad guys, and the good guys are using AI inside the security tools that they have been developing. They’re using AI to build co-pilots, which provides a completely new interface for organizations to interact with these security tools. They’re using AI to process vast amount of data, and they’re using AI to build automations and building autonomous agents which can act on behalf of the security tool and respond to active threats. The bad guys, unfortunately, also have access to the same tools. So, they are using AI to develop attacks against organizations. They’re using AI to develop phishing emails, for example, which look very much like real emails. They’re using AI to develop deep fakes; especially in the upcoming election season, we are seeing the bad guys coming up with videos of people asking you for even money in some cases. And there have been instances where somebody wired a bunch of money influenced by a deep fake. So, all of that is happening, as well.
So, in the end, it’s like a cat and mouse game where both sides have access to the same tools, and they’re using the AI tools to make the attacks on the bad guy’s side much more powerful. And then on the other side, on the security vendor side, they’re using AI to make their tools more powerful as well.
Camille Morhardt 08:23
Is there any way to prepare in the truest sense of it. I mean, there, there was a kind of a revolution in AI when ChatGPT came about. Like you’re saying, I mean, the deep fakes are now having to be people are scrambling to figure out how to protect against them, and I expect there’s going to be another kind of revolution at some point, and we don’t know when. Maybe it’s not large language model, maybe it’s some other thing that we haven’t really grasped or figured out yet. So, how do security companies or data security companies even think about versus scrambling, is there any way to be proactive about what could come in the future?
Anand Kashyap 09:03
I think companies need to go back to the basics. They need to understand the motivation of the bad guys. Why does somebody want to attack you? They’re either after your money, your data, or they’re trying to disrupt something. They’re trying to do a denial of service. These are the two primary classes of attacks the bad guys try to launch. Right? So, if the bad guys are after your data, and with the advent of new technologies, new tools, maybe it will make their life easier as they go after your data; but let’s say you’ve already encrypted all your data, and you have made sure that the encryption keys are only available to the right user. Now, even if somebody goes and gets your data, if it is encrypted, they’ll just get garbage. So, I think going back to the basics, building the right data security solutions, making sure data stays protected, encrypted, you have proper identity and access management and role-based access control. Those requirements never change. So that’s something people have need to continue to do.
The second thing in security is there’s always defense in depth. So, a single security solution will never be adequate, and you need to have layers of security. So even though data security is very important, and we talk about data security, it doesn’t mean that you don’t need to protect your infrastructure. You still need your various layers of defense. You still need a firewall. You still need endpoint security; and having a robust security program where you’re protecting your data, making sure you reduce your attack surface by keeping your data protected and out of harm as long as possible, and then building layers of security around your data, that is the right solution. And even if new threats come because of new technologies, I think companies can be better prepared if they take care of the data security part.
Camille Morhardt 10:55
That’s probably reassuring to people. It’s not like, “Okay, you need to go and implement some radically new plan for your security.” You really need to just make sure you’re doing all of these things over and over again, everywhere you are.
Anand Kashyap 11:08
Absolutely. I think developing security from the first principles, making it inside out, if inside is the data, and then going to the periphery, where it’s your infrastructure, I think that’s the best way to create a right security solution.
Sunil Kurkure 11:24
Anand, how do you think, given that before AI was very much for data scientists, you know now that given ChatGPT is available, more and more people are going to have access to these tools. You know, is there a way to manage this better than the way it’s being managed today with various tools? Is it just a data security play, or is there some additional technology we need?
Anand Kashyap 11:45
There is a need for monitoring and managing the use of AI. And what you’ve seen in large organizations is they have built these “AI center of excellence,” where there’s a central body which is responsible for deploying AI, and it’s blessed by the security teams, the CISO, to make sure that people are deploying AI the right way. That is one approach that is quite popular. Of course, people worry about shadow AI, right? Nobody can stop somebody from going on their phone and using ChatGPT for something, and that will probably exist, but will have to be managed. So having a centralized system where AI tools are managed and deployed in a managed way is probably a better way for large organizations to control how AI can be used and deployed in their organization.
Camille Morhardt 12:43
AI is finding ways to migrate to the edge, or in a more of a distributed manner, for a variety of different kinds of uses and use cases. So how do you protect data when it’s at the edge or when it’s going back and forth between the edge?
Anand Kashyap 12:58
Yeah. Typically there are two phases in AI, there’s a training phase and then there’s an inference phase. I think training will continue to be centralized in the servers; but what we’ll see is that inference will continue to be distributed, will keep going to the edge, and this will happen because of better performance requirements or latency requirements. As we have seen with the latest iPhone launch, that Apple has now introduced, Apple Intelligence, which is their version of AI, which will allow AI to be run on the phone itself. But what we have seen is that they’ve built a system by which, if there’s a heavyweight processing required, then a secure channel is established between the phone and the server, where heavyweight processing can happen in a server, in a secure environment. Again, technologies like confidential computing become very important, because as sensitive or private data goes to the cloud, you want to make sure that it is as protected as it is on your phone.
I think with the advent of things like AI PCs, we’ll see the same thing, where AI compute will start happening on our laptops, on our endpoint devices, and again, for more heavyweight processing, there will be some kind of a distributed architecture where some data will get pushed out to the cloud, and it will require secure computing environment. So, we’ll see kind of a hybrid system going in future. And I think data security continues to stay very important, because as data is processed in these AI systems, simple data production technologies like encryption of data, tokenization of our sensitive data, making sure that the encryption keys are only available to the right hardware or right user or right application, all of these will continue to be very important.
Camille Morhardt 14:48
Do you see this migrating down to a consumer, sort of end user level at some point? Because right now, I think we’re largely talking about major organizations or enterprises. Are we going to see things down at the smartphone level, where regular people are able to use or have access to AI engines and build models. How does securing that if it migrates in that direction, how does that change look for securing those kinds of devices?
Anand Kashyap 15:17
Yeah, I think that’s already happening, as we have seen with the iPhone getting AI. I think that will come to a lot of consumer devices, as well. A lot of people use wearables these days, which can track various biological behavior from our body, and all of that is very sensitive healthcare data. And as it is being processed on a wearable device, I think it’s extremely important to make sure that the data stays protected. So, for me, data protection starts as close to the source of the data generation.
If you can identify which data is sensitive, which is not, very quickly, and then you can implement the protection measures–whether it’s encryption of data, whether it’s tokenization of data, which is creating another version of the data by preserving the value in the format of the data–if you can do that, and if you can have proper access controls around the data, and then having hardware-based security, which is also available on smaller devices–if you can use technologies like secure element to make sure that the data stays protected and as the data leaves the edge and goes back to the servers or goes back to the cloud, as it invariably has to do, if you can make sure that the data is already protected before it leaves there, so it cannot be intercepted anywhere else or misused in the cloud, I think that would be the right security strategy. So, identify sensitive data early, protect it early, and keep it encrypted or tokenized for as long as possible.
Camille Morhardt 16:59
I want to jump over to a topic of data sovereignty, which is a fairly popular topic right now. I think a lot of people, when they think of the cloud, it’s sort of like this nebulous thing that, you know, it’s not located in any geography, we don’t know where the data is going, and then we hope it’s secure. But there’s a lot of regulations, particularly in Europe, requiring that the physical server that’s holding personal data of citizens be in a certain geographical location so that the data never travels outside. I’m wondering if you’re seeing a future where technology can help overcome that kind of a requirement.
Anand Kashyap 17:39
I think it’s a trade-off between technological solutions. So, these concerns as well as geopolitical reasons for doing this, as well. So, for example, with GDPR in Europe, organizations are required to store data on a server inside the European Union and that became a kind of a hard requirement. What we have seen globally is that a lot of other countries have created their own data privacy, data sovereignty regulations based on GDPR. So, as we are becoming more and more global, these regulations are making us more and more local.
At the same time, some technological solutions do exist. For example, it is possible to create a sovereign zone inside the public cloud using technologies like such as confidential computing, where a service provider can potentially process data from somewhere else, inside a confidential computing environment, inside a trusted execution environment, and thus can claim that they don’t have access to the data. So, it is possible, but again, what we’re seeing is because of geopolitical concerns, sometimes it’s beyond just what technology can offer; and there’s also a competitive edge that people get by accessing data from somewhere else, and there may be countries or sovereign regions who would not want their data to be used to train AI models, for example, and for that reason itself, they would impose the sovereignty requirements, less so because of technological concerns, but more so because of geopolitical concerns, and to maintain that competitive edge.
Camille Morhardt 19:25
So, you deal with encryption, and the future of encryption is quantum, and we’re all familiar with the notion that when quantum compute becomes accessible, that it will break a lot of our public encryption. So, what should people be doing right now, and what does the future hold?
Anand Kashyap 19:46
Yeah, great question. So, this is something we get asked all the time as we deal with cryptography and encryption. And it’s true that when quantum computers become feasible, then there are algorithms that exist which will break most of the traditional public key cryptography. The good news is that a lot of people have been working on developing a new class of cryptography algorithms called PQC, or post-quantum cryptography. And NIST in the US, and then the other regulatory bodies around the world who have been trying to identify and curate a set of algorithms that could classify as PQC, which are safe against quantum computers, and they continue to develop these algorithms. Just a couple of months ago, NIST standardized four more algorithms, which are now safe to be used in a post-quantum world.
So, as new algorithms become available, organizations will have to start adopting it. But the one challenge over here is nobody knows yet when quantum computers will come. So, it’s kind of like the Y2K problem we had 24 years ago, when all the computer systems had to be upgraded to the newer date system, here the new cryptography. The only difference is that the date was fixed in Y2K everybody knew midnight 2000 everything has to change. Here that date is not clear, nobody knows.
I think the best thing people can do today to get prepared for it is just to get prepared. So, getting prepared means getting an inventory of all the encryption keys they might have in their organization, all the applications that are using encryption in their organization, all the places where data is being exchanged and it requires encryption. So, if somebody has an inventory, then that’s the first step to get ready. The second step would be to create some kind of an abstraction layer in crypto terms, people call it “crypto agility.” And the idea is, if you have a middle layer, you should be able to migrate from one algorithm to a new algorithm very quickly. So, when the time comes, they’re ready to switch. And the third is, start educating yourself about the new algorithms, how they work, what’s the performance characteristic is where it can be used and get ready.
Sunil Kurkure 22:09
Anand, over the recent years, platformization has been the name of the game. Most solutions and customers are looking for platforms. Data Security, in itself, is a challenge. How do you think data security should be platformitized?
Anand Kashyap 22:24
Yeah, in security in general, in cybersecurity, we have seen the rise of the platforms in the last few years. The notion that security tools should be offered in the form of a platform, it works better for the CISOs around the world, because they have fewer vendors, fewer tools to deal with, and they work well with each other. What we have seen is that while platformization has happened with endpoint security, with XDR, for example, with network security, with Sase cloud security, with things like CMap, which combines CSPM, KSPM, or other things, in data security, the platformization has not really happened. And the reason it has not really happened is data security continues to stay fragmented. There are a lot of challenges around where data lives. It’s not contained–it’s on prem, its cloud, it’s SaaS. The regulations around data security and privacy, data sovereignty that we just talked about, and then the upcoming threats of quantum computers, but the same time opportunities with AI, where AI, we know, will transform the tech infrastructure, the tech stack quite drastically.
So, building a proper data security platform solution which can address all these various requirements around discovery of sensitive data, to assessment of what needs to be protected, actually protecting it and making it future proof, that is something which is data security platform would look like, and nobody has built it yet. But I’m sure with the wave of platformization, and CISO is asking for platforms, a data security platform will be built.
Camille Morhardt 24:06
Thank you, Anand, CEO of Fortanix, and Sunil Kurkure, Managing Director at Intel Capital for today’s conversation on data security.
Sunil Kurkure 24:13
Thank you.
Anand Kashyap 24:14
Thank you.