InTechnology Podcast

Securing Tomorrow: How Fortanix Is Shaping the Future of Data Protection (216)

In this episode of InTechnology, Camille gets into data security with co-host Sunil Kurkure, Managing Director at Intel Capital, and Anand Kashyap, Co-Founder and CEO of Fortanix. The conversation covers Fortanix’s unique data security solutions, how companies can better protect themselves in the age of AI security, and future innovations and concerns about data security and AI.


The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.


Fortanix’s Unique Data Security Solutions

Anand kicks off the discussion by detailing what inspired him to found Fortanix. He explains that traditional security is not deterministic, so bad actors can more easily breach cybersecurity defenses. Confidential computing, however, brought a new way to strengthen security by using hardware to protect software. Anand says this development made him want to protect data directly and create a security boundary around data at all times by decoupling the security of the data from the infrastructure. He further explains confidential computing as protecting data in use, a step beyond the existing solutions for data at rest. With confidentiality, no one can look inside the enclave; integrity protection adds another layer, so that no one can change the enclave once it has been built, and this is enforced by remote attestation.

Anand emphasizes that Fortanix is one of the only companies in the world using this technology to build products in data security that allow data to stay protected and encrypted from end to end. Sunil adds how Fortanix’s approach to data security greatly interested Intel Capital. He notes how Fortanix is able to manage data on-prem, in the cloud, and through various SaaS services. Sunil also highlights how Fortanix’s founders have great domain expertise—another attractive element influencing Intel Capital’s investment.

How Companies Can Better Protect Themselves in the Age of AI Security

The conversation then shifts as Camille asks Anand about AI security, specifically how AI is being used both in security and for attacks. Anand discusses how both the good guys and the bad guys have access to the same AI tools, thus creating a cat-and-mouse game where both sides are using AI to make their security and attacks more powerful. He says going back to the basics of data security is the best way for companies to be proactive in this new era of AI. This starts with building the right security solutions, encrypting all data, and having proper identity and access management and role-based access control. Anand then adds that the second layer of preparedness is to have defense in depth, or having multiple layers of security. When it comes to AI, he explains that a centralized system for managing and deploying AI tools will help large organizations have better control over their AI.

Innovations and Concerns about Data Security and AI

Moving to the future of AI, Camille asks Anand about distributed AI and protecting data at the edge. He explains that there will be two phases, training that is centralized and inference that will continue to be distributed and at the edge because of better performance and lower latency. He cites examples of this already happening with Apple Intelligence on the latest iPhone and AI PCs. Anand sees a future for a hybrid system of distributed architecture where some data gets pushed onto the cloud, which will require a secure computing environment. As for other consumer and end-user access to AI, Anand says data protection needs to start as close to the source of the data generation as possible.

As for data sovereignty and regulations, he notes they will continue to affect technological solutions like confidential computing and training AI models. Quantum compute is another big concern for future data security. Thankfully, Anand says that there have been great developments already in developing a new class of cryptography algorithms known as post-quantum cryptography, or PQC. Finally, Sunil asks about the platformization of data security. Anand answers that while platformization has happened with endpoint security, that hasn’t been the case yet for data security. He says this is because data security is still fragmented since data lives in many places. However, Anand believes that eventually a data security platform will be built.

Sunil Kurkure, Managing Director at Intel Capital


Sunil Kurkure is a Managing Director at Intel Capital, investing since 2015 in cloud-native infrastructure, developer tools, data platforms, and cybersecurity. He serves as a board director or observer for companies including Eclypsium, Fortanix, and SecurityScorecard. Previously, Sunil was an enterprise-focused investor at Mirador Capital, Greenspring Associates, and Charter Ventures, advising companies like Snowflake, Sumo Logic, and Splunk. Before joining Intel Capital, he worked in M&A and equity financing at Goldman Sachs and Credit Suisse. Sunil holds a B.S. from UC Berkeley.

Anand Kashyap, Co-Founder and CEO at Fortanix


Anand co-founded Fortanix with Ambuj Kumar in 2016. He served as CTO from 2016 to 2022 when he transitioned to the role of CEO. Prior to Fortanix, Anand was a Staff Engineer at VMWare, MTS at Arkin Net, and Principal Security Researcher at Symantec. He holds over 25 patents and has been a speaker at Financial Cryptography and BlackHat conferences. Anand earned a Ph.D. in Computer Science from Stony Brook University and a Bachelor of Technology in Computer Science from IIT Kanpur.


Camille Morhardt  0:23

Hi and welcome to InTechnology podcast. I’m your host, Camille Morhardt, and today we are participating in the Intel Capital series with an episode around data security. Here to co-host with me is Sunil Kurkure, who is managing director at Intel Capital; he invests in cloud-native infrastructure, applications, developer tools, data platforms and security. And before he was at Intel Capital, he worked as an enterprise-focused investor at Mirador Capital, Greenspring Associates and Charter Ventures, where he held board and advisory roles in the companies they invested in, as he does at Intel Capital. Welcome to the podcast, Sunil, and could you introduce our guest today?

Sunil Kurkure  1:04

Thanks, Camille, thanks for having us. So today, we’ve got Anand Kashyap, who’s a CEO and co-founder of Fortanix. Anand is a longtime technologist and a security researcher. I’ve known Anand for almost a decade. He spent time in various roles at Symantec and VMware, but I think his true expertise is really around solving the hard problems in technology and security and his ability to get others to focus and to build great products. So welcome, Anand.

Anand Kashyap  1:32

Thank you, Sunil, and thanks Camille. It’s a pleasure to be here.

Sunil Kurkure 1:36

Anand, you and I have known each other for a long time, and I see your drive to continue to build Fortanix; but just to share with others, maybe you can talk about what inspired you to start the company.

Anand Kashyap  01:47

I used to work in a security company, and what I was seeing there was, security is like a cat and mouse game where the bad guys are creating these attacks and the good guys are creating defense against those attacks. But there’s no deterministic security. There’s always some false positives, false negatives, where the bad guys just need one entry point, they can come in, and once they’re in your environment, they can do pretty much anything.

What we saw with technologies like confidential computing is using hardware to protect software is a stronger security phenomenon; it’s a better way to do security because hardware is more immutable than software. And by doing that, I saw a way by which you can make security a little bit more deterministic. And it’s not just left to, you know, inspecting every packet, inspecting every file to see if it’s malware or not. It’s more about, “okay, I’ll build a boundary, a hardware boundary, around my data and my compute, and I will only allow certain APIs to be accessed by some users, and I can verify that this security boundary has not been tampered with, and it’s opaque, nobody can look into this.”

So, my thesis was, why not just protect the data directly and create a security boundary around data, and then wherever data goes–because data is not static, data is in on-prem environments, it goes to cloud, it goes to SaaS systems–if you can make sure that the security travels with the data, and then we can decouple the security of the data with the infrastructure and build security solutions around data.  Those are your crown jewels, your data, your encryption keys, for example, which are used to encrypt that data. If you can protect all of those very well, then we can seriously improve the quality of security that an enterprise can get.

Camille Morhardt  03:47

One of the things that’s been gaining traction in the industry is confidential computing, or this notion of finally, actually protecting data while it’s in use. Can you briefly describe what it is and how you’re working with it?

Anand Kashyap  04:02

Yeah, confidential computing is the foundational technology that we adopted when we started the company to build products and tools and software on top of that, such that the data can stay protected even when it is in use; and that is the key part, protecting data in use, because there are already solutions for protecting data at rest. You could just encrypt it when it is sitting in your disk or in your database. There are solutions for protecting data in motion. So, when you connect to your bank’s website, everything goes over a TLS channel, and data stays encrypted. But there was no solution before confidential computing to protect the data in use, which means when it is in the memory, which is when it is being processed by the CPU.

And that’s when Intel came up with the SGX technology, or the Software Guard Extensions, about ten years ago, which allowed for creation of a trusted execution environment by the CPU and any data or any code that goes inside this trusted execution environment–which is also called a “secure enclave”–stays protected. You get confidentiality; nobody can look inside the enclave. And you also get integrity protection, so nobody can change the enclave once it has been built, and that is enforced by remote attestation. So, the combination of confidentiality and integrity of both data and the code that is used to process that data–which is enforced by the hardware–all of this together forms confidential computing.

And using this technology, we have been able to build products in data security which allow data to stay protected and encrypted end-to-end. And we are probably one of the only companies in the world using this technology, deploying SaaS services, who can make a claim that, you know, “we cannot look at our customers’ data when we run a SaaS service or a cloud service using this confidential computing technology.”

Camille Morhardt  05:58

That’s really interesting, and maybe a good time to ask Sunil why Intel Capital was interested in Fortanix?

Sunil Kurkure  06:05

We looked at many data security companies, and most data security companies were able to protect data on-prem, and they’re able to do it at rest. They’re not able to do it in motion, as Anand pointed out, and the big difference that Fortanix had at the time when we invested was really the only company that was addressing the digital transformation around the cloud platform. They’re able to manage data, not only on-prem, but into the cloud and in the various SaaS services that most enterprises use, as Anand mentioned. And along with the fact that we had two founders in this company that had domain expertise that were very differentiated to the rest of the founders in space, that kind of got us comfortable in investing in Fortanix.

Camille Morhardt  06:45

How is AI being used in security today, and how is it being used in attacks?

Anand Kashyap  06:52

So the modern AI tools are available to both the good guys and the bad guys, and the good guys are using AI inside the security tools that they have been developing. They’re using AI to build co-pilots, which provides a completely new interface for organizations to interact with these security tools. They’re using AI to process vast amount of data, and they’re using AI to build automations and building autonomous agents which can act on behalf of the security tool and respond to active threats. The bad guys, unfortunately, also have access to the same tools. So, they are using AI to develop attacks against organizations. They’re using AI to develop phishing emails, for example, which look very much like real emails. They’re using AI to develop deep fakes; especially in the upcoming election season, we are seeing the bad guys coming up with videos of people asking you for even money in some cases. And there have been instances where somebody wired a bunch of money influenced by a deep fake. So, all of that is happening, as well.

So, in the end, it’s like a cat and mouse game where both sides have access to the same tools, and they’re using the AI tools to make the attacks on the bad guy’s side much more powerful. And then on the other side, on the security vendor side, they’re using AI to make their tools more powerful as well.

Camille Morhardt  08:23

Is there any way to prepare in the truest sense of it? I mean, there was a kind of a revolution in AI when ChatGPT came about. Like you’re saying, I mean, the deep fakes are now having to be, people are scrambling to figure out how to protect against them, and I expect there’s going to be another kind of revolution at some point, and we don’t know when. Maybe it’s not large language model, maybe it’s some other thing that we haven’t really grasped or figured out yet. So, how do security companies or data security companies even think about versus scrambling, is there any way to be proactive about what could come in the future?

Anand Kashyap  09:03

I think companies need to go back to the basics. They need to understand the motivation of the bad guys. Why does somebody want to attack you? They’re either after your money, your data, or they’re trying to disrupt something. They’re trying to do a denial of service. These are the two primary classes of attacks the bad guys try to launch. Right? So, if the bad guys are after your data, and with the advent of new technologies, new tools, maybe it will make their life easier as they go after your data; but let’s say you’ve already encrypted all your data, and you have made sure that the encryption keys are only available to the right user. Now, even if somebody goes and gets your data, if it is encrypted, they’ll just get garbage. So, I think going back to the basics, building the right data security solutions, making sure data stays protected, encrypted, you have proper identity and access management and role-based access control. Those requirements never change. So that’s something people need to continue to do.

The second thing in security is there’s always defense in depth. So, a single security solution will never be adequate, and you need to have layers of security. So even though data security is very important, and we talk about data security, it doesn’t mean that you don’t need to protect your infrastructure. You still need your various layers of defense. You still need a firewall. You still need endpoint security; and having a robust security program where you’re protecting your data, making sure you reduce your attack surface by keeping your data protected and out of harm as long as possible, and then building layers of security around your data, that is the right solution. And even if new threats come because of new technologies, I think companies can be better prepared if they take care of the data security part.

Camille Morhardt  10:55

That’s probably reassuring to people. It’s not like, “Okay, you need to go and implement some radically new plan for your security.” You really need to just make sure you’re doing all of these things over and over again, everywhere you are.

Anand Kashyap  11:08

Absolutely.  I think developing security from the first principles, making it inside out, if inside is the data, and then going to the periphery, where it’s your infrastructure, I think that’s the best way to create a right security solution.

Sunil Kurkure  11:24

Anand, how do you think, given that before AI was very much for data scientists, you know now that given ChatGPT is available, more and more people are going to have access to these tools. You know, is there a way to manage this better than the way it’s being managed today with various tools? Is it just a data security play, or is there some additional technology we need?

Anand Kashyap  11:45

There is a need for monitoring and managing the use of AI. And what you’ve seen in large organizations is they have built these “AI center of excellence,” where there’s a central body which is responsible for deploying AI, and it’s blessed by the security teams, the CISO, to make sure that people are deploying AI the right way. That is one approach that is quite popular. Of course, people worry about shadow AI, right? Nobody can stop somebody from going on their phone and using ChatGPT for something, and that will probably exist, but will have to be managed.  So having a centralized system where AI tools are managed and deployed in a managed way is probably a better way for large organizations to control how AI can be used and deployed in their organization.

Camille Morhardt  12:43

AI is finding ways to migrate to the edge, or in a more of a distributed manner, for a variety of different kinds of uses and use cases. So how do you protect data when it’s at the edge or when it’s going back and forth between the edge?

Anand Kashyap  12:58

Yeah. Typically there are two phases in AI, there’s a training phase and then there’s an inference phase. I think training will continue to be centralized in the servers; but what we’ll see is that inference will continue to be distributed, will keep going to the edge, and this will happen because of better performance requirements or latency requirements. As we have seen with the latest iPhone launch, that Apple has now introduced, Apple Intelligence, which is their version of AI, which will allow AI to be run on the phone itself. But what we have seen is that they’ve built a system by which, if there’s a heavyweight processing required, then a secure channel is established between the phone and the server, where heavyweight processing can happen in a server, in a secure environment.  Again, technologies like confidential computing become very important, because as sensitive or private data goes to the cloud, you want to make sure that it is as protected as it is on your phone.

I think with the advent of things like AI PCs, we’ll see the same thing, where AI compute will start happening on our laptops, on our endpoint devices, and again, for more heavyweight processing, there will be some kind of a distributed architecture where some data will get pushed out to the cloud, and it will require secure computing environment. So, we’ll see kind of a hybrid system going in future. And I think data security continues to stay very important, because as data is processed in these AI systems, simple data production technologies like encryption of data, tokenization of our sensitive data, making sure that the encryption keys are only available to the right hardware or right user or right application, all of these will continue to be very important.

Camille Morhardt  14:48

Do you see this migrating down to a consumer, sort of end user level at some point? Because right now, I think we’re largely talking about major organizations or enterprises. Are we going to see things down at the smartphone level, where regular people are able to use or have access to AI engines and build models. How does securing that if it migrates in that direction, how does that change look for securing those kinds of devices?

Anand Kashyap  15:17

Yeah, I think that’s already happening, as we have seen with the iPhone getting AI. I think that will come to a lot of consumer devices, as well. A lot of people use wearables these days, which can track various biological behavior from our body, and all of that is very sensitive healthcare data. And as it is being processed on a wearable device, I think it’s extremely important to make sure that the data stays protected. So, for me, data protection starts as close to the source of the data generation.

If you can identify which data is sensitive, which is not, very quickly, and then you can implement the protection measures–whether it’s encryption of data, whether it’s tokenization of data, which is creating another version of the data by preserving the value in the format of the data–if you can do that, and if you can have proper access controls around the data, and then having hardware-based security, which is also available on smaller devices–if you can use technologies like secure element to make sure that the data stays protected and as the data leaves the edge and goes back to the servers or goes back to the cloud, as it invariably has to do, if you can make sure that the data is already protected before it leaves there, so it cannot be intercepted anywhere else or misused in the cloud, I think that would be the right security strategy. So, identify sensitive data early, protect it early, and keep it encrypted or tokenized for as long as possible.

Camille Morhardt  16:59

I want to jump over to a topic of data sovereignty, which is a fairly popular topic right now. I think a lot of people, when they think of the cloud, it’s sort of like this nebulous thing that, you know, it’s not located in any geography, we don’t know where the data is going, and then we hope it’s secure. But there’s a lot of regulations, particularly in Europe, requiring that the physical server that’s holding personal data of citizens be in a certain geographical location so that the data never travels outside. I’m wondering if you’re seeing a future where technology can help overcome that kind of a requirement.

Anand Kashyap  17:39

I think it’s a trade-off between technological solutions. So, these concerns as well as geopolitical reasons for doing this, as well. So, for example, with GDPR in Europe, organizations are required to store data on a server inside the European Union and that became a kind of a hard requirement. What we have seen globally is that a lot of other countries have created their own data privacy, data sovereignty regulations based on GDPR. So, as we are becoming more and more global, these regulations are making us more and more local.

At the same time, some technological solutions do exist. For example, it is possible to create a sovereign zone inside the public cloud using technologies such as confidential computing, where a service provider can potentially process data from somewhere else, inside a confidential computing environment, inside a trusted execution environment, and thus can claim that they don’t have access to the data. So, it is possible, but again, what we’re seeing is because of geopolitical concerns, sometimes it’s beyond just what technology can offer; and there’s also a competitive edge that people get by accessing data from somewhere else, and there may be countries or sovereign regions who would not want their data to be used to train AI models, for example, and for that reason itself, they would impose the sovereignty requirements, less so because of technological concerns, but more so because of geopolitical concerns, and to maintain that competitive edge.

Camille Morhardt  19:25

So, you deal with encryption, and the future of encryption is quantum, and we’re all familiar with the notion that when quantum compute becomes accessible, that it will break a lot of our public encryption. So, what should people be doing right now, and what does the future hold?

Anand Kashyap  19:46

Yeah, great question. So, this is something we get asked all the time as we deal with cryptography and encryption. And it’s true that when quantum computers become feasible, then there are algorithms that exist which will break most of the traditional public key cryptography. The good news is that a lot of people have been working on developing a new class of cryptography algorithms called PQC, or post-quantum cryptography.  And NIST in the US, and then the other regulatory bodies around the world who have been trying to identify and curate a set of algorithms that could classify as PQC, which are safe against quantum computers, and they continue to develop these algorithms. Just a couple of months ago, NIST standardized four more algorithms, which are now safe to be used in a post-quantum world.

So, as new algorithms become available, organizations will have to start adopting it. But the one challenge over here is nobody knows yet when quantum computers will come. So, it’s kind of like the Y2K problem we had 24 years ago, when all the computer systems had to be upgraded to the newer date system, here the new cryptography. The only difference is that the date was fixed in Y2K; everybody knew midnight 2000, everything has to change. Here that date is not clear, nobody knows.

I think the best thing people can do today to get prepared for it is just to get prepared. So, getting prepared means getting an inventory of all the encryption keys they might have in their organization, all the applications that are using encryption in their organization, all the places where data is being exchanged and it requires encryption. So, if somebody has an inventory, then that’s the first step to get ready. The second step would be to create some kind of an abstraction layer; in crypto terms, people call it “crypto agility.” And the idea is, if you have a middle layer, you should be able to migrate from one algorithm to a new algorithm very quickly. So, when the time comes, they’re ready to switch. And the third is, start educating yourself about the new algorithms, how they work, what the performance characteristic is, where it can be used, and get ready.

Sunil Kurkure 22:09

Anand, over the recent years, platformization has been the name of the game. Most solutions and customers are looking for platforms. Data Security, in itself, is a challenge. How do you think data security should be platformitized?

Anand Kashyap  22:24

Yeah, in security in general, in cybersecurity, we have seen the rise of the platforms in the last few years. The notion that security tools should be offered in the form of a platform, it works better for the CISOs around the world, because they have fewer vendors, fewer tools to deal with, and they work well with each other. What we have seen is that while platformization has happened with endpoint security, with XDR, for example, with network security, with SASE, cloud security, with things like CNAPP, which combines CSPM, KSPM, or other things, in data security, the platformization has not really happened. And the reason it has not really happened is data security continues to stay fragmented. There are a lot of challenges around where data lives. It’s not contained–it’s on prem, it’s cloud, it’s SaaS. The regulations around data security and privacy, data sovereignty that we just talked about, and then the upcoming threats of quantum computers, but at the same time opportunities with AI, where AI, we know, will transform the tech infrastructure, the tech stack quite drastically.

So, building a proper data security platform solution which can address all these various requirements around discovery of sensitive data, to assessment of what needs to be protected, actually protecting it and making it future proof, that is something which a data security platform would look like, and nobody has built it yet. But I’m sure with the wave of platformization, and CISOs asking for platforms, a data security platform will be built.

Camille Morhardt  24:06

Thank you, Anand, CEO of Fortanix, and Sunil Kurkure, Managing Director at Intel Capital for today’s conversation on data security.

Sunil Kurkure  24:13

Thank you.

Anand Kashyap  24:14

Thank you.
