[00:00:00] CS: Every week on Cyber Work, listeners ask us the same question, “What cyber security skills should I learn?” Well, try this. Go to infosecinstitute.com/free to get your free Cyber Security Talent Development ebook. It’s got in-depth training plans for the 12 most common roles, including SOC analysts, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more.
We took notes from employees and the team of subject matter experts to build training plans that align with the most in-demand skills. You can use the plans as is or customize them to create a unique training plan that aligns with your own unique career goals.
One more time, just go to infosecinstitute.com/free or click the link in the description to get your free training plans. Plus, many more free resources for Cyber Work listeners. Do it! Infosecinstitute.com/free!
Now, on with the show.
Today on Cyber Work, Amish Divatia, CEO of Baffle, Inc., in joins me to talk about data privacy, data security, cloud security and how a skill set in the middle of that triangle is going to be your best asset in the years to come. All that and a little bit of local-focused philanthropy today on Cyber Work.
[00:01:19] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week, we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of infosec professionals while offering tips for breaking in or moving up the ladder in the cyber security industry.
Amish Divatia is the Co-Founder and CEO of Baffle, Inc., a cloud data protection company. He has a proven track record of turning technologies that are difficult to build into successful businesses. Selling three companies for more than 425 million combined in the service provider enterprise data center infrastructure markets. Prior to Baffle, he led a premier CMOS photonics innovator, Lightwire Inc., from technology development into product development – technology development into product development leading up to an acquisition by Cisco Systems. He also founded two venture-funded startups, Aarohi Communication, storage virtualization. Acquired by Emulex. And PipeLinks Inc. optical networking acquired by Cisco Systems.
Today’s topic, we are going to talk about security and compliance and the intersections especially in regards to budget. And also, we’ve got a bunch of different topics to talk because Amish has a lot of stuff in his career and his accomplishments. I’m looking forward to it.
Amish, thank you for joining me today. And welcome to Cyber Work.
[00:02:38] AD: Thank you, Chris. Thanks for the opportunity.
[00:02:42] CS: To start with, I’d like to get to know our guests a little by finding out um how they got started in this phase. Where did you first get interested in computers and tech? I mean, I have to imagine, with everything I’ve read here, that it goes way back. You seem like you’ve probably been in this space for a long time.
[00:03:00] AD: It does. It does. And this was actually growing up back in India. And again, I’m going to date myself here because this was in the 80s. In fact, I distinctly remember, 1982. Time Magazine calls the computer the machine of the year. I was a high schooler. National Geographic publishes this cover story called The Chip. Very much impactful. Again, in those days, as you can imagine, there was no internet. So, we get all our information from things that are published.
And being in high school and looking at what to do as far as a career is concerned, these were very informative experiences. And yeah, I decided to pursue a career in actually hardware development. I became an electrical engineer. And I was always intrigued by making things work. And that’s what led me to a career in actually system design. I worked quite a bit in the networking space, and that’s what my experience has been.
[00:04:05] CS: Yeah. You started in the hardware space. And then did you sort of moved from there into the software space and the security space?
[00:04:12] AD: Yeah. I grew up, as I said, in the networking space. Back in the day, we were just starting to connect computers together and there was a very, very rapid pace of innovation there. Every few years, we would basically 10x the bandwidth that we would be able to drive on those wires. And it was never always about the actual bits. It was always about the applications that ran on it. The systems aspect of it became very, very important.
I spent 10 years building networking systems first. Starting being technical support straight out of graduate school. And then actually designing these systems. The one thing that I always want to do is to get the big picture. I always wanted to understand, “So, what? What does this actually do for the customer?” And that led me to a career in system architecture. I started to become more focused on product planning and product architecture.
And after 10 years of being a developer and designer, I wanted to learn more about how these systems actually can be used in real world large enterprise environments. And I wanted to get more of – Being in Silicon Valley, the entrepreneurship thing was definitely something that was all around me. And I decided to take the plunge. Decided to use my expertise in the data networking space and apply it to optical networking.
One of the interesting things about technology is not all aspects of the technology business evolve at the same pace. Data networking, for example, was very, very rapid. It was all new. Companies like Cisco grew from nothing to becoming huge. I used to get Treecom.
It was very rapid. But there were legacy infrastructures, for example. In the optical networking space, everything was dominated by the phone company. And it was designed to carry voice. And we were just getting to the point where data was becoming important. This is now late 90s. The early, early days of what eventually became .com. But it was important to figure out ways of transporting data or voice networks. Again, scope for innovation. That’s where my first company was, PipeLinks.
And ever since then, that turned out to be a successful exit. It was a very close collaboration with a large company, Cisco, in this case. And I started to get the bug about, “Hey, now I can do this in other places.” The next one actually was in storage. Again, an area that does not evolve as fast because it was very mainframe-centric and it was becoming decentralized. That’s been the story. You always go through the adjacencies and keep building new things that are interesting.
[00:07:14] CS: Well, that moves nicely into my second question here about your – you’re just saying here that you’ve founded a good number of companies that were later acquired by larger companies like Cisco and Emulex. Was this – You sort of said that. But was this a career strategy that you started out wanting to get companies off the ground and then move on once they’ve been acquired? And if so, can you tell me about some of the challenges and skills needed to take a company from the ground floor to maturation?
[00:07:42] AD: Sure. I’ll answer the first question. Not necessarily. First of all, you never build a company for acquisition. And you never want to just be the innovator and leave, right? You always want to see it to a logical point.
Now, the challenges that you face to get things off the ground are definitely around the fact that it needs to be something that’s truly different and innovative. And I’ve been doing this now for 20 years. I can tell you, that job is becoming harder and harder. Finding what is called white space, right?
[00:08:16] CS: Yeah, yeah, yeah.
[00:08:16] AD: Because there’s a lot going on. And there’s a lot of venture dollars chasing nice ideas. It’s becoming harder and harder to do that.
[00:08:26] CS: So, more and more of the farmland’s already been taken up. And so, you’re trying to innovate in smaller and smaller patches.
[00:08:32] AD: Precisely. Right. And you also have to take bigger and bigger risks, which makes it harder. The success percentage goes down. But what you always focus on is, again, that big picture thing, right? Which is what problem are you solving? You always go through this – when you build a pitch, defining the problem is the most important. And then define the solution is important, but be careful. Don’t try to define it to rigid away because it is going to evolve.
[00:09:03] CS: Yeah, don’t start with – or don’t force the thing into the solution that you wanted, right?
[00:09:08] AD: That’s the other thing, right? Just because you have a hammer, don’t just look for a nail. But you always ask the, “So, what?” And the so what really means that you look for the big picture, the big thing that you can do with what you’re doing. I always say in the tech business, we don’t have anything like base hits, right? You always have a swing for the fences. Because if you don’t, the chances of being out are a lot higher when you’re trying to get a base hit, right? Instead of going for the home run. You really want to make sure that you are looking at how you can change the world. And I don’t mean this lightly, right?
When you are building something new, you want to always think about how things will be different for who will be your customer. Don’t get too bogged down about categories and what people are telling you about, “Well, you sort of fit into this category.” It’s okay to create new categories. That is what entrepreneurship is all about. But always, always look for that big, big achievement, big, big goal that you want to make sure that you get there.
[00:10:20] CS: This is not in my question list, but that brings up an interesting point that I kind of want to talk about. Yeah, I’ve been around enough spaces where the big innovation has already happened. And all the Innovations from here on get increasingly more fine-grained not just because there’s like less places for it, but because you already have this sort of functioning machine. And so, each of the little things that your reach of the innovations that you’re trying to do now are just trying to sort of build the larger function. I mean, do you see any spaces within security? And specifically, where there might be like another one of those kind of big innovations the way, like you said, like Cisco or something like that did back in the day? Is that still coming, you think?
[00:11:06] AD: I absolutely do. I think security, just like any other space, also grows in waves, right? You get these waves, which lift up a whole bunch of companies. And then these waves build on each other. It’s not like one goes away right.
And security has always been something that’s important. But, obviously, it’s becoming more and more important now as everything goes online. But there was a time when security used to be the most prevalent inbound threat, right? You had your data center. You had your your infrastructure. You wanted to make sure nobody got in. That’s where the network security business was born, right? You want to make sure that you control everything that comes in, authenticate it, make sure you look for people coming in that are not authorized. That led to the device way, which was making sure that you had a firewall at the entrance to mandate and make sure that only permitted people are let in.
Now we are in the identity way, right? There is a lot of emphasis on identity. Because infrastructure is – the whole model has been turned inside out, right? The infrastructure is outside of the data center, out in the cloud.
I think the next big wave is data and data-centric approaches. Because it doesn’t matter where your data ends up, as long as it is secured. Because it is not in its original form, you’re okay. It is going to be protected. But at the same time, you want to make sure that authorized people do get access to it. That’s where the next big thing is, which is data-centric security.
[00:12:41] CS: Interesting. Okay. Yeah. No. I completely believe that. We’ve done some episodes on data privacy, data security. Yeah, it’s definitely something that a lot of people are coming to us with ideas and angles on.
For today, we have a nice mix of topics to go over with, Amish. But the first and think possibly largest topic that I want to discuss is a report from Baffle called using compliance budgets – Using your compliance budget to advance security priorities.
The initial thesis of the report is as follows; organizations continue to prioritize security and security spending, but that spending is often at odds with a more pressing business priority, regulatory compliance. You noted that, “The best solution is to partner with a compliance/risk/governance teams to address compliance control gaps while advancing the company’s security priorities.”
These are intriguing ideas in the abstract. And we’ve talked extensively on the show about regulatory compliance frameworks from data privacy to requirements from the DoD. Can you speak more – a bit more concretely? I.E., sort of one level down from the thesis about the ways that regulatory compliance can be handled independently allowing more resources to be put into the company’s security posture?
[00:13:52] AD: Absolutely. I think the most important thing to notice from a practitioner’s perspective, right? Which is really what we should all be looking at. We shouldn’t be building tools just for the sake of it. It should really solve a problem. It should address what practitioners are looking for. Let’s first define sort of security versus privacy, right?
Privacy is personal. Privacy is subject rights. Privacy is your and my data. And where does it show up? And why does it show up? Security is a responsibility. It’s a responsibility of somebody who collects the data to make sure that they can ensure that the data is not lost. That the data is protected correctly and processed correctly. It’s important to process the data.
Privacy regulations, though, are definitely creating the sense of urgency around it, right? Everybody wants the right thing. But IT is always understaffed. There are always more things to be done. Business always takes precedence. One of the most important things that we saw in this particular report was the fact that, actually, 75% percent of practitioners thought that the data privacy program would be a competitive differentiator.
This is changing the game, right? It’s not just about complying and checking the box there to make sure, “I did all the right things, so you can come after me.” Fear only goes so far.
[00:15:23] CS: Yes. Right.
[00:15:24] AD: This is actually about proactive controls. It’s making sure that you embrace the right security paradigms to ensure that you look better compared to your competitor. More of your customers want to do business with you because you are responsible. You have all the right controls in place to make sure that only authorized entities see the data.
First of all, you don’t collect every possible piece of data that’s out there. I mean, again, this is where I’m not saying compliance is not important. It’s very, very important. Compliance sets the stage. But the pace at which it is adopted, these kind of controls are adopted, is dictated by good practices.
From a practitioner and for people getting into the space, perspective – this is a very, very hot area. Every company is going to be looking to hire more people in this space. But you need to have a certain attitude, a certain approach to this. Again, it shouldn’t be just because you want a job and it pays well, right? It is because you really take privacy personally. You feel that you’re responsible to somebody else if you are taking care of the data inside of a company. And that’s where I feel that it is going to be a game changer from an IT practitioner’s perspective to have exposure to security controls and how to do the right thing, which is not just it’s – it’s not just good business. It’s good for business as well, right?
[00:17:00] CS: Yeah. No. Yeah. Yeah. Totally agree. Yeah. I guess we talk about security. We talk about privacy on the show. But we don’t necessarily always put them together. Although, Chris Stevens, one of our past guests, did talk about the importance of going beyond just checking off the boxes and actually think about what your specific situation calls for. I mean, that’s how some of the hotel breaches and stuff have happened, is like they were compliant but they still were not – they were missing pieces of the puzzle that were specific to them and so forth.
Along with our own security instruction courses in literature, Infosec has got a number of great privacy instructors that are well-versed in international CIPP certifications and others. Also, I mentioned this stuff only because I find privacy possibly is a good entrance for people who don’t have tech backgrounds like lawyers or other types of auditors to understand the larger contours of the security space and bring their talents in. With all of the skills gaps and so forth, I think it’s not enough anymore to just try to make more tech people. There has to be a way of like bringing non-tech people in and showing them where it is, whether it’s privacy, or threat modeling, or risk management, or whatever.
Can you talk about how, with the recommendations you mentioned before, that you can sort of – your compliance budget and sources can be reallocated? And how people with your org-based in privacy, in related areas, could maybe like transfer their skills over to the problem of the data security?
[00:18:34] AD: Absolutely. First of all, compliance regulations are also evolving, right? We had PCI. We had HIPAA. That were primarily oriented towards how you protect your data in your environment. And they basically give you recommendations as to what to do. You shall encrypt your data at rest, for example.
Privacy regulations don’t do that, right? They are essentially just saying, “This is private data. This is PII. This PHI. And if you lose it, you shall be fined.”
[00:19:06] CS: But it’s not specifically prescriptive. They just say don’t do it. And it’s up to you to figure out how to do. Is tha –
[00:19:12] AD: Exactly. You have to come up with your own controls. And that’s where the innovation comes in. That’s also where the responsibility comes in, to do the right thing. You want to make sure that you are putting in the controls that can be audited because there is actually benefit to that, right? If you have taken reasonable security procedures, you’ll be fined less.
I think um there is a lot of commingling going on right now in terms of expertise to go do that. You mentioned lawyers. I think accountants are becoming [inaudible 00:19:45] as well when it comes to these – whether you’re ISO or whether you’re getting your SOC compliance.
It is becoming much, much more widespread, beyond just technical capabilities. It is really about just making sure you put the right controls in place and you make sure that you are able to comply to certain regulations.
Privacy certifications, CIPP is great. IAPP does a fantastic job of publishing all kinds of very, very useful information, comparison between different kinds of regulations and how to meet them. I love their charts about how do you get ready for CPRI, for example? If you’re already a GDRP compliant. And so on. But what is very critical from a training perspective, I feel, and especially for people who are getting into the space, is to also become cloud savvy.
[00:20:42] CS: Oh, yeah. Sure. That makes sense.
[00:20:45] AD: The implementation of controls are very different depending on where they are, whether it’s on-prem or whether it’s in cloud. Get the privacy certifications, because that’s important, because you want to understand what you’re really protecting for. But the how is all related to cloud certifications. How do you use the cloud effectively? How do you make sure that you create postures where you fail safe?
I always encourage anybody trying to get in space, whether it’s a fresh grad or somebody who has had other careers, to get cloud savvy. And it’s not about tech. It’s about usability.
[00:21:23] CS: Yeah, yeah, that’s interesting. Because we – like I said, I’ve said this before. But I like to sort of square what the message of the guest is versus what I’m hearing in the comments below the episode. And a lot of times you’ll hear people say, “I have this, this and this certification. And I can’t get even an informational interview and stuff.” And I think there’s something really interesting about that particular triangle. If you have knowledge of privacy regulations, you have some technical security knowledge, and then you have some degree of cloud knowledge, you’re going to be like right in the center of this like expanding field. Because you can imagine, like a privacy person on your team saying, “Thou shalt not this, this and this.” But if they can tell you what we need to do this to make sure that that happens and stuff, you’re going to raise your value in the company significantly, right?
[00:22:15] AD: Absolutely. We used to – when we first started, when we – I mean, the history of this company really is the OPM breach, right? The office of personnel management, which is part of the Department of Homeland Security, had a massive breach where they lost a whole bunch of data of citizens of this country related to their security clearances, which is extremely private information.
[00:22:40] CS: Oh, yeah.
[00:22:42] AD: When you look at something like that, you know that our entire IT infrastructure and its existence is threatened if you don’t have the right controls in place. You have to make sure that your infrastructure can manage the asset that it was created for. Otherwise, people are going to find other ways, right? And we as an economy will not be able to progress. It’s very fundamental.
[00:23:13] CS: Yeah.
[00:23:14] AD: That’s where we came up with this idea of saying, “Okay, we have to start thinking about what’s next.” What is it going to be a control that will always feel safe? Will always make sure that you are able to manage your data effectively as the data owner and not rely on somebody else like the infrastructure provider?
And that’s where we were really early to recognize that. And over time, what has happened is nobody asks us why they have to do this. What they ask us is how? Right? Wait a minute. How do I find ways of protecting the data, but at the same time keep it usable?
And I think that’s where we need a lot more help from practitioners to make sure that they can implement these controls, which are essentially invisible. I mean, case in point, right? When you go to a website and it shows up as https, you did not do anything to secure that pipe. But you can rest assured that it is secure, because that’s what it does. It creates a secure funnel. That’s the model. That is what we want to do for security everywhere. Not just when you’re browsing, but when you’re collecting data. When you’re cleaning the data to make it more usable through the ETL pipelines. Streaming the data and then actually processing it and displaying the results of your analytics. Security should be built in. It should not be a bolt on.
[00:24:45] CS: Yeah. And shouldn’t be a sort of a side thought along the way.
[00:24:54] AD: Well it can be about fear, right? You should not be implementing something just because there’s an audit coming in. You’re implementing something because you want to do the right thing and you want to get more customers.
[00:25:05] CS: So, one of the phrases that we hear a lot on the show is we don’t want cert collectors. You know, get the get the cert that you need for the job you’re doing. Don’t just you know go to Home Depot and buy a whole box full of tools without a project to do them.
But one of the things I’ve been seeing in a roundabout way from talking with privacy professionals is realizing that, especially if you’re a large company, all the subdivided privacy regulations and frameworks that cover the different parts of the world, there can be a little overwhelm trying to find like your company’s like center in a series of privacy Venn diagrams.
[00:25:59] AD: Yeah. Again, policies are only created to make sure that there are controls put in place so that the bad things don’t happen. Most of the approaches that address these privacy regulations directly are designed for, again, providing some level of coverage. They monitor as data is exfiltrated.
That process, number one, is error-prone, because you can always miss something. Number two, it is sort of always finding problems after the fact. But it is already lost before you discover a breach.
A better approach is to protect the data as soon as it’s created. So, at the beginning of that cycle if you were to look at a pipeline going from left to right, data is created in the field. It gets ingested into pipelines. And then it flows through the pipelines as it gets processed.
The controls for privacy regulations are always looking at what is exfiltrated. What is coming out? You want to start at the beginning of that particular pipeline. Protect the data by encrypting it, tokenizing it, as it goes in, so that it’s fail safe.
If the infrastructure has a breach, it’s okay, because they’re only transformed data, encrypted or tokenized data ever get stolen. And then when it comes to sharing it on the other end, yeah, sure, use masking to make sure that you don’t share data that does not need to be shared. But at least you’ve made sure that throughout the pipeline, the data stays protected. That’s a much better approach than this bolted on approach to just look at exfiltrated data.
[00:27:43] CS: Gotcha. That’s a, yeah, a very good point. And again, I think all of my attempts to sort of wind you in different directions, you’re like just – Yeah, you got to be laser-focused on the actual security of the data as it’s being stored and as it’s moving and as it’s being used, and sorted and cleaned as you say. Yeah.
A recent guest pointed out that – And you mentioned this briefly before in terms of the way we collect data from users, that a lot of the data collection that we’re used to now comes from sort of a Wild West time before data privacy and data security regulations were so overarching. If you go back to the early 2000s or whatever, there’s this feeling at the time that you just collected all the consumer data that you could as a matter, of course. The date of birth, address, employment type. And because it was assumed that even if you didn’t have a use for that data, now you would have the use for it someday.
In some ways, it seems like these frameworks are acting as an attempted barrier to this type of indiscriminate data collection or at least are trying to discourage it. Can you talk about some dream data privacy requirements that would sort of unify all these diverse requirements and maybe sort of move people away from the idea of just grab everything and we’ll learn what to deal with later?
[00:29:02] AD: Yeah. Specifically, from a data regulations perspective, there is the right to use, right? As to what is it – you have to define a purpose for the data that’s reflecting. But overall, the approach that any practitioner needs to take, especially if they’re in the data space, is that while data is an asset, it is also a liability.
[00:29:24] CS: Yeah.
[00:29:25] AD: The chief data officer manages the asset, but the chief security officer has to make sure that it does not become a liability. Storing data that you don’t need or storing data that is sensitive without protecting it can get you in a lot of trouble. It can essentially put you out of business. That balance is very, very critical. You want to define a purpose. You also want to know what you’re going to be using the data for downstream, because it helps you transform the data in a certain way.
There’s a new paradigm now, something called privacy preserving analytics, which is a way to actually protect data, but at the same time get utility out of it. That’s the kind of frameworks. That’s the kind of techniques that data engineers need to start embracing in order to make sure that they can still get utility of the data but not make it a liability.
[00:30:22] CS: Yeah. Yeah, I love that. We talked about this before. Like I said, I mentioned that sort of perfect confluence of data privacy, cloud security, data security, file access. They’re all becoming more intertwined. And that if you have some knowledge of all of that, you’re giong to be in the in the catbird seat here. Can you talk more granularly about what types of areas of expertise you think current students should be working towards to operate competently within this nexus of all these interconnected skill sets?
[00:30:56] AD: Yeah, I think, again, knowledge of data is very critical now. Understanding how data is collected. How data can be processed? I think artificial intelligence and machine learning is absolutely going to be a very, very interesting area for a long time to come.
I think marrying that up with good security practices is critical as well. Like I said, it takes a certain mindset, a certain attitude to be a security practitioner. And you want to make sure that you embrace that, right? Sometimes you have to think negatively to make sure that you’re protecting your constituents. So, not everybody is set out to be a security practitioner. But that’s where you want to make sure that you are understanding what you’re going in for.
But, again, from a professional perspective, there’s a lot of other opportunities that are out there. Data engineering, infrastructure engineering, which is where, again, I’m a big, big believer in understanding how clouds work and how frameworks work in cloud, because that’s where we’re going to have a huge skills shortage as we move forward.
[00:32:09] CS: Can you talk about some of those learning areas? Because, I mean, I understand the idea of cloud security and stuff. But this sounds like something that’s sort of slightly cutting edge right now.
[00:32:21] AD: It is. The whole mechanism, the way we deploy workloads in the cloud is changing, right? We had this big paradigm shift to go from bare metal to virtual machines. Everything is containerized now. It’s a new paradigm. Again, it’s new in the sense it’s been around for at least five years, maybe longer. But it’s still very early in its deployment stages.
Having knowledge of that, understanding how those containerization frameworks work, it’s very important because it actually provides a lot of interesting features straight out of the box effectively for free.
For example, redundancy is very well factored into that particular framework. Scalability, right? Making sure that you can scale based on load is also something that’s very well understood. We’ve developed new frameworks and new capabilities that address directly the problems of what used to happen on old on-prem fixed infrastructure as we move things to more fungible, more volatile infrastructure in the cloud.
[00:33:32] CS: Got it. Yeah, yeah, that’s going to be where, yeah, you’re going to really be able to set yourself apart from other candidates is if you understand those specific mechanics.
I want to move over to some of your other activities, specifically a topic you discussed with me before the show is your volunteer work on your city’s technology council, too. As you said, kind of give back to the community. Can you tell me more about what you do? What type of work, or expertise, or service are you providing to your city?
[00:34:06] AD: Yeah, this is a very interesting journey. It’s really hard to really even imagine this. But being in the middle of Silicon Valley, we have a lot of infrastructure constraints. Things have gotten slightly better over time. But back when I first got involved was almost 15 years ago. Or back when I first had that experience 15 years ago, I got involved about five years ago, was the fact that internet access was not always something that was ubiquitous. It was controlled by a very few number of players. And not everybody got access to it. And more importantly, not everybody got access to it at the right price point.
These days, it’s not a luxury to be able to have a fast pipe that connects you to the internet, right? It’s a way of making a living. And this is where it’s very important that this is provided as sort of a function of doing good for the greater community. Not just for industry or not just for individuals. That’s where I got involved in actually creating a way to create diversity amongst providers that provide connectivity in my town.
And that has evolved now. Now that I’m in the security business, I actually got involved because we wanted to provide ALPRs, automated license plate readers. And everybody was up in arms about the fact that that could be a huge privacy intrusion. We came up with the right controls, right?
The thing about privacy is while it is an interest important and while it is something that everybody should be embracing, it should not get in the way of making the community safer, making the community better. And that’s something that license plate readers do.
I helped evaluate vendors there. I helped created a request for code to request for information to make sure that we chose a vendor that was responsible. They collected the data, but nobody could get access to it. They allowed for opt-outs for people who did not want to have their data collected. And then, more importantly, when that data had to be processed, only authorized professionals who had dual factor authentication enabled for themselves could actually be able to access the data.
And so, we built a case where we presented this. First of all, some things are actually very, very important to understand. Not all data is private, right? Your license plate is not private. You have it on the back of your car. You’re moving around all over town. Anybody can see it. That is not private information. But connection to your name and your address is absolutely private. And it is something that’s available, right? You go to a database, you can collect it. That information should not be available to everybody.
Putting the right set of control was important. And we chose a vendor that was capable of doing this. And we made sure that whoever law enforcement that had access to it had the right way of getting access to it. It’s been very gratifying.
Like I said, one of the things you really understand when you work with the community is it is very different from working in industry. It is really trying to figure out what is good for the greater community. You cannot cater to just one segment of the population. You have to cater to the entire population. And not having had any experience in politics, that was eye-opening for me how that would work.
[00:37:40] CS: Yeah. How did you get started? You know, I like to sort of hand everything on a plate to people so that they can’t say, “Well, I didn’t know where to start with doing this.” What was your first step in sort of realizing that you wanted to sort of help out with the city? Were you going to like council meetings? How were you made aware that there was this tech deficiency that you could fill?
[00:38:08] AD: Well, I mean, this happened when I had no option but to get a really expensive wireless line to connect to the internet. I went to the city and I got an appointment with the city manager and said, “Why is this the case?” And I found out actually that there were some reasons for this. They had franchise agreements with certain providers, which allowed them to give favorable treatment to some of them versus all of them. There wasn’t as much incentive for new people to get in.
So, then, I got active with the council and said, “Hey, this town needs a technology committee. We need to have somebody who can represent the interests of the residents so that we can, first of all, put the infrastructure. But more importantly, layer it with good services.” One of the biggest issues that we have going is elderly people still want to live in their own homes. And by the way, that’s not just good for them. It’s actually good for their providers as well. Because it’s a lot cheaper to stay in your own home than live in assisted living, for example. But it comes with risks. You have a fall. You have a problem, a medical emergency. How do you get help? That’s where technology comes to the rescue.
But not only is it important to put the infrastructure in place to make sure that everybody has access at the right speeds. But then you layer that on with applications and use cases that actually make people’s lives better.
So, yeah, the concrete point is go to your town, watch out for requests. They’re always looking for volunteers. Always looking for help. But you would have to have a different mindset, much like what we talked about in the security mindset. You’d have to have a different mindset. You got to be patient. Things don’t move as fast in government as they do in industry. And you always have to look out for the greater good.
[00:40:04] CS: Yeah, that’s all great advice. Yeah, I think I had kind of misunderstood what you were working on, because I immediately tried to spin it into working with your local – Like, city hall’s security infrastructure and industrial control systems, which its own entire thing. But I like this, too, because it makes you think not just in terms of I have a security thing and I’m going to apply it to a security thing. You’re thinking, “I have these these skills and I’m going to make some aspect of my community better,” whether it’s directly securing something. Is that right?
[00:40:40] AD: Well, we do that as well, right? We had to go through an IT infrastructure overhaul. We created a subcommittee who would do that. But, again, that’s very well understood, right? Everybody knows how to secure the city hall’s systems. But the thing that gets me excited about is how to make lives better, right?
[00:40:59] CS: Right. Yeah. Yeah. As we wrap up today, I mean, can you tell me more about Baffle and your cloud data protection program and some of the projects and developments with that program that might be on the horizon for 2023?
[00:41:13] AD: Absolutely. As we oppose the end of this year, again, it has been a very, very interesting paradigm shift where there’s more ‘how’s than ‘why’s. We are very excited about that. This survey was great to see how people can actually use these kind of technologies to differentiate themselves. Not just meet compliance. I will continue to build on this, this theme of being able to protect data as soon as it’s created. It’s very, very critical to building better infrastructure.
While we started out building solutions for databases, we have evolved to build solutions for data warehouses. As we go forward, we’re looking at more and more of controls that happen in the pipeline itself. Streaming is the new ETL. Data constantly keeps getting created. And we have customers in the critical infrastructure area that really got us going on this as well, which is that having critical infrastructure that is vulnerable, again, is a national security problem, right? It’s not just about privacy. It’s really about how the country works. It’s just absolutely critical.
We’re creating solutions that actually work on those streams directly without the knowledge of even knowing as to where the data is headed. Truly transparent in the pipelines. We’d have a lot more stuff that’s being built there. And we have announced specific support for things like Kafka, and for Snowflake, and for Redshift. But we’ll continue to evolve and make more data stores available that we protect, as well as more of these streaming capabilities that will be capable of protecting PII as soon as it gets into the IT infrastructure.
[00:43:08] CS: Yeah. Oh, thank you. That’s great. Yeah, I had a thought while you were talking there, that whenever I think of security disasters from a community or a municipal standpoint, it’s always things like Oldsmar, Florida where there’s the water hack and actual – Potentially, poison can go into the water supply. Or too much lye.
But our society runs just as much on information at this point. And a hack into like your data lines is going to be just as disruptive and just as possibility to sort of like cause real damage to a community as water, or electricity, or internet.
[00:43:53] AD: Absolutely. It’s just a critical part of our infrastructure. And it has to be protected, like physical security, right? It’s the same concept.
[00:44:02] CS: Yeah. All you students out there, this is your assignment for the next 20, 30 years here, is keep it all safe. One last question, most important question of all. If our listeners want to connect and learn more about Amish Divatia and Baffle, where should they go online?
[00:44:21] AD: Https baffle.io. Just type Baffle and you will see it. Info@baffle.io is the best way to reach us. We look forward to connecting and telling you more about what we do and how we can protect you and your data.
[00:44:36] CS: Awesome. Amish, thank you so much for joining me today. This was a lot of fun.
[00:44:41] AD: Thanks, Chris. Appreciate the opportunity again.
[00:44:42] CS: Yep. And as always, I’d like to thank all of you who are listening to and watching Cyber Work podcast. On an unprecedented scale, we are delighted to have you and so many of you along for the ride. I just want to close out by saying go to infosecinstitute.com/free to get your free Cyber Security Talent Development ebook. It’s got in-depth training plans for the 12 most common security roles, including SOC analysts, penetration tester, cloud security engineer, information risk analysts, privacy manager, secure coder and more. We took notes from employers and a team of subject matter experts to build training plans that align with the most in-demand skills.
One more time, go to infosecinstitute.com/free or click the link in the description that’s probably down here for your free training plans and many more free resources for all you lovely Cyber Work listeners. Do it. Infosecinstitute.com/free.
Thank you once again to Amish Divatia and Baffle. And thank you all so much for watching and listening. And as always, we will talk to you next week. Bye now.
[00:45:42] AD: Thanks. Bye.