In this Spotlight edition of the podcast, we speak with Marc Blackmer of ShardSecure about that company’s new approach to protecting data at rest. Marc and I talk about the challenges of securing data in hybrid cloud and on-premises environments and how ShardSecure’s Microshard(TM) technology is being used to protect firms from inadvertent data leaks as well as threats like ransomware.
As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and Spotify. Or, check us out on Google Podcasts, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.
Securing data at rest seems like a problem that we should have solved a long time ago. And yet, a quick scan of the headlines tells us that the truth is far from that. Barely a week goes by without revelations of large-scale data breaches and leaks from both corporate networks and, increasingly, cloud-hosted infrastructure.
Data At Rest = Data At Risk
In recent days, online gaming firm SEGA Europe admitted that an audit revealed sensitive data was being stored in an unsecured Amazon Web Services (AWS) S3 bucket. In December, it was Audio equipment manufacturer Sennheiser, which admitted that it exposed the personal data of around 28,000 customers through a misconfigured S3 bucket,
Encryption tools for securing that data are widely available, but they come with costs both in management overhead and in speed of access. Besides, public key encryption has been the go-to for securing digital data for four decades. Isn’t it time for another approach?
Microshard: A New Approach
Our guest today says that he may have one. Marc Blackmer is the Head of Marketing at ShardSecure, an innovative, Boston-based start up that has come up with a novel way to secure data on premises and in the cloud without using encryption. As its name suggests: Shard fragments and scatters stored data across various data repositories, only to reassemble it on request.
In this interview, Marc and I talk about the Shard technology and how it works, and about some of the market and business dynamics are driving companies to look beyond the usual suspects when it comes to securing data at rest.
Check out our full conversation above, or click on the button below to download the MP3.
(*) Disclosure: This post was sponsored by ShardSecure. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
[START OF RECORDING]
PAUL: This spotlight episode of the podcast is sponsored by ShardSecure. ShardSecure is the world’s most innovative data security company, disrupting the data privacy and security market with Microshard technology, the only solution capable of breaking data into single digit at bytes and distributing across cloud locations without sacrificing performance. Microsharding provides zero data sensitivity for cloud stored or on Prem data, and can be used with or without encryption to provide true defense in depth. ShardSecure works with some of the world’s most successful companies in healthcare, financial services, and technology to ensure ultimate data privacy and compliance, while making data migration to the cloud more secure and faster than ever. Check them out shardsecure.com.
PAUL: Hello, and welcome to a spotlight edition of The Security Ledger podcast sponsored by ShardSecure. Securing data at rest seems like a problem that we should have solved a long time ago. And yet a quick scan of the headlines tells us that the truth is far from that. Barely a week goes by without revelations of large scale data breaches and leaks from both corporate networks and, increasingly, cloud hosted infrastructure. In recent days, online gaming firm Sega Europe admitted that an audit revealed sensitive data was being stored in an insecure Amazon Web Services S3 Bucket. In December, it was the audio equipment maker Sennheiser, which admitted that it exposed personal data of 28,000 customers, again through a misconfigured Amazon S3 Storage Bucket. Encryption tools for securing that data are widely available, but they come with costs both in terms of management overhead and in speed and performance. Besides, public key encryption has been the go to for securing digital data for four decades. Isn’t it time for another approach? Our guest today says that he may have one. Marc Blackmer is the head of marketing at ShardSecure, an innovative Boston based startup that has come up with a novel way to secure data on premises and in the cloud without using encryption. As its name suggests, ShardSecure fragments and scatters stored data across various data repositories, only to reassemble it on requests. In this podcast interview, Mark and I talk about microsharding, the ShardSecure patented technology, and how it works. And we also talk about the market and business dynamics that are driving companies to look beyond the usual suspects when it comes to securing data at rest.
MARC: My name is Marc Blackmer, and I’m the Head of Marketing for ShardSecure.
PAUL: Marc, welcome back to the Security Ledger podcast.
MARC: Thank you. It’s good to be back.
PAUL: It is good to have you back. You were here in a different incarnation.
MARC: Indeed, I was.
PAUL: So, Marc, for our listeners who have not heard of ShardSecure, and you’re a fairly new company, so it’s possible. Tell us a little bit about Shard and what they do.
MARC: The simplest way I put it to people, because what we do is different. It’s like rate five for data in the cloud. So basically it’s a technology that we have a patent pending for it’s called microshard technology. So if you’re familiar with the idea of sharding databases, for example. But I mean, really, the way that it works is we present ourselves as storage to an application, for example. But on the back end, you can use multiple cloud providers, multiregion a hybrid between onprem data centers, cloud, whatever the case is. And let me be clear, this is the customer storage, as we’re not a SAS. But basically what we do is you save a file or an application saves a file to storage, which is us. And then what we do is we go through this three step process which we call shred, mix, and distribute. So basically what we do is we take that file and we shred it into what we call microshards. And so these, by default are four bite shards. So the idea is that one microshard just isn’t big enough to hold any sensitive data, like a full Social Security number, a phone number, or anything like that. The next step that we go through on the mix is we have these virtual microshard containers. So we’ll randomly mix those microshards into different containers. We can throw in poison data as well, just to make things a little more confusing. And then the distribution part is then, depending on how many storage locations you want to deposit these things in, we then distribute those microshard containers to all those locations. So you could have container in S3, you can have another one in Azure. You could have one in a data center, GCP, whatever the case is. So we just spread all that out. So that’s the process by which we microshard. And then when the customer wants to use their file on the back end, we pull all that back together. They just see their file as they normally would. So that’s it in a nutshell. I mean, I’m sure we’ll get into more of it, but that’s the basic concept.
PAUL: It’s really a fascinating concept. And obviously the name shard kind of says a lot. You’re breaking this data into small bits and then distributing them in a way that makes it impossible for anybody to kind of put them all back together themselves. One thing to point out is this would be an alternative to the means that or the technology that most organizations are using to secure data, which is, of course, encryption. Can you talk about that?
MARC: We look at encryption as, dare I say, frenemies. We’re not looking necessarily to replace encryption. I mean, you look at something like regulations like HIPAA, you have to use encryption. So there’s nothing wrong with encryption. And I should point out that we’re focused on data at rest. So this isn’t about securing data in motion. So we’re talking about at rest.
PAUL: Communications and stuff like that.
MARC: Yeah, exactly. That’s not where we play, but when we’re looking at data at rest and whether to encrypt or not. I mean, I think there are things to consider, such as key management, key rotation. How much hardware do you need? What does it add? Meaning encryption to the administrative overhead, the likelihood of making a mistake. If somebody does pop a location that’s encrypted, could they get your keys or your keys properly protected? And then two, if you think about it, it’s all safe to assume that there are nation-states out there just sucking up encrypted data, and they’ve got time to work on it. And if your data is valuable for a short period of time, you’re good. But if it’s long term storage and it’s going to sit there for ten years, five years, you could be exposed, and then everything is in one location. So where we’re looking at it when it comes to encryption is number one, we can also microshard encrypted data. So there is that possibility or where it’s not necessarily needed. This is an alternative to say, and kind of a lightweight alternative, if you will, because we’re not key base, and there’s no single location. And even if you do pop a location where there’s microshard data, that’s just a piece. So an attacker, to put together microshard data has to know where all of the rest of the microshards, those containers are stored. They have to know all of that. They have to know what kind of file type it is. They have to know what’s poisoned data and what isn’t and what order things go together. So really, the complexity is a lot higher. So back to the point of encryption. We work side by side. I would think of us as another layer for those Crown jewels, if you will, and then also to a much lower head alternative where you aren’t required to put encryption.
PAUL: You’re listening to a Spotlight edition of The Security Ledger podcast sponsored by ShardSecure.
PAUL: And I mean, in terms of the use case here, there are a lot. And I think our listeners are probably familiar with the many instances and many headlines they’ve read about, for example, data backed up to, let’s say, Amazon’s S3 storage cloud that is then exposed inadvertently to malicious actors or frankly, white hat security researchers who just happened to be looking for it. And I know there was incident over the summer with a company called People GIS, a major technology provider to municipalities, particularly in the Northeast. And they left a terabyte of data, basically, close to 2 million files from municipalities were exposed via misconfigured. Amazon S3 bucket. Hugely, this is information on property owners and sensitive information, and in some cases, this type of stuff happens all the time. And obviously, we don’t read about most of it, most of them don’t make headlines. Right? I mean, there are incidents of this that just never see the light of day. But I’m guessing that’s kind of the type of problem you could help with. Right? Where we’ve got some big blob of data that is being backed up to the cloud, which is great, but left vulnerable by somebody misconfiguring that cloud based storage bucket.
MARC: Absolutely. Look, people make mistakes. It happens all the time, and we’re human and I’m certainly not immune. I remember one time I set up my home network with all these multiple VLANs, and I was kind of like, all right, this is the guest network, and I was so proud of myself. And like six months later, I just realized I was handing everything out from the same IP pool and it’s just window dressing like I was working for Cisco at the time. So mistakes happen. It just happens. So, yeah, because if you think again, this idea of how we’ve distributed those microshards or those microsharded containers. So if I accidentally expose an S3 bucket to the world, again, what an attacker or let’s just say unauthorized user would get is just a piece of random information so they can’t do anything with it. It has no value, even if it’s a plain text file. So if there’s no other encoding to it like you’d have with a PDF or an image or something like that, they just don’t know because they have to find all the other bits and put them all back together. And the likelihood of that happening is really small. So that is a use case. You don’t want to pitch it as, hey, if you screw up, we have you covered. But mistakes do happen that way. You think being the marketing guy, they would have let me do that, but not so much. No, but seriously, these things happen. And that is a use case or things that are outside your control. You look at GDPR because that’s become a popular use case that we’re hearing about for us specifically because even sometimes companies go to do the right thing. That’s one of the things you go to the cloud. You get to trust somebody else to do your security. And if you’re looking at data residency. So even if your stuff is not exposed to the Internet, what country is it in? What laws then are you subject to that the EU does not have, for example? So even if it’s not your mistake, if it’s your cloud provider’s mistake or somebody else’s. Yes, we do offer protection in that because nobody gets the whole picture except anyone who’s an authorized user.
PAUL: So in that case where you’ve got an application that’s backing up to the cloud, where does the shard technology kind of slot in? And on the back end, do you now need multiple Amazon S3 instances to distribute the data to or how does it work?
MARC: Yeah. So it’s going to be however many storage locations that you want to distribute this to. I mean, we recommend a minimum of four. So that it’s that much harder to put things together, whether or not it’s with the same provider. So maybe what you do, let’s just say it’s all Amazon, maybe different regions, different S3 buckets, maybe part of the one container goes to on Prem. So that not all of it’s out there. Whatever the case is, again, we say a minimum of four locations. We can go up to ten, and I believe more. So it depends on how complex you want to do it. So from that perspective, but again, we’re using what the customer has so they can make that determination.
PAUL: And you said they could be both cloud and on prem, like, they don’t have to say, here’s the data that’s on the cloud and here’s the data that’s on IT assets that we’re owning and operating. You can spread your data across both of those.
MARC: Yeah, that’s correct. We say the cloud a lot. I mean, it’s just quite honestly, it’s just easier to say cloud data. But because we do on Prem, this works across multiple data centers. We do have customers, there’s one in particular who actually doesn’t use the cloud. All their use cases are basically on Prem or within their own network. And what we do is we have an Iscuzzy module that will run on, just say a Windows Server, Linux Server, whatever the case may be. So we look like just network storage. So two advantages to that you can use on Prem, or if you have an application that is not say cloud capable, it sees network storage. But really the back end, we’re using the cloud. So it’s both just as easily really.
PAUL: Talk about how this data is kind of reassembled. It’s a very cool concept that you’re kind of pulling data from these different repositories and reassembling it. So talk about that. And also, my understanding is one of the other benefits of this technology is if any of that data has been modified or tampered with, shard is going to recognize that and be able to alert on it. So explain kind of that data integrity piece of it as well.
MARC: Exactly. So basically what happens is as we go through the process so again, say you save that file, it comes to our and what we are is we’re actually a virtual appliance. We’re all software, too, by the way. So it comes to the virtual appliance just looks like storage to the application. We go through that whole shred, mix, distribute process that I talked about. As we write to Storage, we always do an integrity check on every one of the containers that make up that file. So where everything is really data at rest, there should be no modification on the back end. Any modification is going to be an indicator of compromise. Anyway, so when we pull it back, we check again to make sure that the state of that container hasn’t changed. Assuming it’s not, it hasn’t. We just reassemble it and the user gets their file. Now, if we notice that there’s a change, we know what the last known good version was. So number one, what we do is we just roll it back. So again, the user doesn’t notice anything’s amiss. They continue working and doing what they do. As I mentioned, there’s no reason this should change on the back end. So like I said, that’s an indicator compromise. So we’ll alert. So whether we alert directly or into the sock, however the case is. So we’ll generate an alert saying, hey, this has been tampered with and then that becomes part of the socks workflow and really should be investigated because there’s no reason for that to happen. And we’re able to do that. And that’s kind of another part of the Raid Five analogy is because you could also just take a site out completely. So it’s not just a matter of there’s the data integrity around modification could be deletion, it could be that the site is unavailable, whether it’s a firewall misconfiguration or was it like last two weeks ago…
MARC: AWS went down in the east?
MARC: So if you have a container or one of our stuff is going to S3 in that region, for example, plus three or four, however many others, we can rebuild that data. So again, it’s kind of like that Raid Five concept where we’re actually using a form of parity to put it all back together. So again, as a user, for whatever reason, if I lose my cloud storage service, I’m still working. That still continues. So that’s something that’s pretty cool about it as well. So it’s not even the distribution of it. And not really, I shouldn’t say never, you never know. But not being able to really crack that, but also to that ability around resilience and availability is something that is pretty cool. And you can imagine we’re getting a lot of excitement about.
PAUL: For example, any of these shards, there are redundant versions of those shards in other locations, so that if one side goes down, you can restore those from a redundant location, as with a ray.
MARC: Yeah, but it’s not so much, I should point out, not redundant. It’s because of that parity, we can do the math to reconstruct. Interesting what was missing. Yeah, it’s almost like Raid Five versus Raid Ten. Okay, so there’s not a mirror image of it. It’s just that parity so that we can do the math to reconstruct what’s missing. And when it comes back up, we’ll make sure that the updated version either a check that we’ll wait until it’s up or two. What you can do is say, all right, especially like, let’s say it’s a ransomware attack, cloud admin gets popped, encrypts your S3 bucket. I shouldn’t just say S3, but that’s what everybody is using. Nothing against Amazon, I swear.
PAUL: Could be Azure, it could be Google, it could be exactly whatever, right.
MARC: Exactly, any of the above. But the thing is, if you’re under, say, a ransomware attack. You don’t want to keep writing back to that location because it’s just going to keep reencrypting. I mean, we’ll deal with it. But you also have the ability to say, all right, I’m going to now move everything from that location to a new location. And then that way, too, as we’re working, we don’t rewrite back to the place that’s under attack. So that way, too, you avoid that. So there’s a lot of flexibility there.
PAUL: Yeah. It’s kind of a resilience piece to this as well.
MARC: Yeah. If you hear about a ransomware attack, it’s like, oh, we’ll just restore from backup and then that gets popped because then you’re host.
PAUL: Right. In fact, I think it was the Sophos report. They did the state of ransomware report. And I think they said something like, I forgot what the number was, but I think it was like something like 50 or 60. Only about 50% or 60% of the encrypted data is ever successfully restored. So even when you’re paying the ransom, like you’re paying the bad guys and getting the decryptor key, a lot of times that decryptor key is shit and you don’t actually get your data back or don’t get all of it back, which I think is something not enough people talk about. You can even pay off the bad guys and you still might be screwed.
MARC: Exactly. Something to understand, too. So, number one. Right. I totally agree, because you’ve still got to trust the person who’s, you have to go trust the criminals. And I would think the mature ones don’t want to ruin business. So they’ll give you the key. But who am I? I’m on the other side of this equation. But the thing, too, when you look at a ransomware attack, is a possibility, is that they’re going to exfil your data before they encrypt it. So they have a copy of it. And again, if that’s data, that’s microshard data. Well, you’re hosed. I mean, they’re hosed because you got nothing. You got a steaming pile, if I may be so crude.
PAUL: Yeah, double extortion is just another data theft, and resale is just another line of business for ransomware guys.
MARC: Yeah, exactly. So that way, even if you exfil before you encrypt, you’re still back to getting nothing from us.
PAUL: Who’s interested in this Mark? ShardSecure, fairly new company on the marketplace. Who are you talking to?
MARC: We’re getting a lot of interest. So I mean, you know, finance. Anyone in fin-serv has been very interested in what we’re doing. Again, that makes sense. Healthcare, of course, because anyone who’s dealing with private information PII, PHI. Exactly. So that helps a lot. We are hearing from governmental agencies who are interested. We’re hearing from higher education. What we’re looking at is anyone who is either A) subject to GDPR or whose business or they’re trying to do business in the EU. SaaS providers. So that’s been an interesting and growing conversation that we’re having with, say, US SaaS providers who want to do business in Europe. But there’s the whole data residency question. So being able to microshard on the back end as part of the stack is something that has been a conversation now that we’ve been starting to have with a number of SaaS providers, so we’re looking at it from the end user. I mean, Pharma, I’m just thinking again, it’s popping into my head. So even tech companies looking at kind of like if you look at software supply chain attacks, if they can microshard their code, then that protects them there. So from all of those, those are the big ones we’re getting. I’d say finance, healthcare, Pharma, government, and then even SaaS providers in general.
PAUL: Does this complicate application delivery or is it more or less transparent for the companies and the end users who are using ShardSecure?
MARC: I’d say it’s more or less transparent again, where we’re software. So we can either be in on-prem VMs or run in the Cloud either, or. So there’s not our hardware to go and rack and do anything with there so it can be deployed pretty quickly and then even just set up as storage. So if I’m an application owner, I just see storage. So there’s really, whether it’s an IP address or something like that that I need to configure that I’d have to do that anyways. So there’s really nothing more for the application owner to do. And from an IT and a security perspective, there may be policies and pointing to which storage locations they want to use, but again, that can be done easily within a day, if not less. So the idea too is to make it as painless as possible. I mean, even if I decide I want to move from this is something that we hear about too. Those that don’t want to avoid vendor lock in, like cloud vendor lock in. So hopefully no cloud providers are listening to this. But it’s easy for–that was Paul, that wasn’t me–but it’s easy to move. I actually, I’m a former SE, so I’m like show me how this works. It’s literally four clicks. So if I want to move something from one provider to another and the application users never see a thing. So it’s pretty painless to put in and set up and really doesn’t require much configuration.
PAUL: What about latency? That’s always a big issue with encryption, right? We should encrypt everything, but obviously it just adds a certain amount of processing overhead to any transaction and at scale it can really slow things down. So what about the ShardSecure…
MARC: That as you can imagine, comes up quite a bit. So where we’re writing to different storage locations, we actually do that in parallel. So we are seeing either the similar latency next to none or improved performance. We’re actually doing some benchmark testing right now to put some hard numbers around it. But in terms of any impact on network performance, we’re not seeing any or application performance. And we’ve actually now one of these use cases it’s interesting because in my short time here, new use cases keep presenting themselves, and one of them is around streaming video, for example. So those that are using CCTV, for example, in order to encrypt it. And again, I’m not talking about in motion, I’m talking about on the server that’s receiving everything. Either companies are not encrypting that information or what they’re doing is they’ve got to add so much hardware to accelerate the performance, it becomes cost prohibitive. So we’re seeing an interest in folks, whether they’re municipalities, whether they’re gaming institutions, what have you in using microsharding because we’re not impacting the performance of the application. So we’re pretty performant in that sense. And like I said, we’re putting some benchmark numbers together so that we can actually give hard numbers.
PAUL: You know, we were talking earlier about being frenemies, the ShardSecure solution kind of frenemies with encryption providers, PKI data encryption. And you mentioned encryption isn’t going anywhere. It’s mandated by so many regulations. And I wonder, you’re absolutely right. And that’s true in general in security is there are a lot of technologies that more or less are kind of written into law, as it were. Like, you got to use them if you’re handling certain types of data or if you’re in a certain industry. Does that complicate things for vendor like Shard, who’s coming along really with a new approach to a well known, well established problem in that–how do we–if it’s GDPR or if it’s HIPAA, how do you come along as a newcomer with new technology like Shard and say, you should be able to use this, too, maybe in some cases, even in lieu of encryption?
MARC: Yeah, that’s the blessing and the curse of coming in with something new because a lot of people don’t know what it is that we do or how it works. So there’s an education perspective to go along with just the regular trying to generate awareness to show how we’re different. I mean, realistically, you look at something like HIPAA, do we expect them to change for us? No, I don’t think that’s realistic…
PAUL: Don’t hold your breath…
MARC: With any kind of governing body, especially when things are prescriptive that’s a lot of runway that you need to make any changes. But that’s the thing is we’re not really focused on trying to get a regulation to change. When you look at GDPR in terms of data in motion, it does specifically say encryption, which is fine, but it really doesn’t specify it anywhere else. So that’s one way that we can help. But there are a number of use cases that we have in front of us that aren’t solved by encryption or aren’t… I don’t want to say competitive, but where it’s not even a topic. So we get into it in some places, but a lot of what we do isn’t in lieu of. And then the thing is to what we’ll see is because we can microshard encrypted data. We do have customers that say, all right, these are the Crown jewels. We want as much protection on these as possible and we’ll add microsharding on top of that. But really, there’s a lot for us to focus on without even getting into a knife fight over encryption. And again, any regulating body these things. I mean, my days in the ICS space, I spent enough time around NERC CIP to know how this stuff works. And there’s more than enough other things we can focus on then changing regs at the moment.
PAUL: To those use cases for folks who may be listening, what would be types of customers or problems would be a good entree to…
MARC: Yeah, sure. Just off the top of my head. And of course, you can go to shardsecure.com where we have a use cases page, but just even securing backups to the cloud because again, you think of a ransomware attack other than what we’re talking about cloud based just any ransomware attack, the backups are your key, but they’ll attack your backups, too. So if those are microsharded, that’s a benefit. Even though people going into the cloud, I think there are a lot of organizations that went with, say, the low risk stuff, but if you need to bring in the high risk stuff, that’s where we’re seeing a drawback or I should say, people holding back. So we can certainly help with protecting those things, even seeing it. I don’t know if I told you a story around data analytics. Out of the top six reasons I saw this was in a four five one report, three of them that we address data privacy, data security, and multi cloud management. So there are a lot of things that we can do. So basically, if you have to store data that you need protected, odds are we can help you.
PAUL: Marc Blackmer of ShardSecure. Thank you so much for coming on and speaking to us on Security Ledger podcast. It’s been great having you back.
MARC: Thanks, Paul. Great to come back. Thanks for talking to me.
PAUL: Marc Blackmer is the Head of Marketing at the firm ShardSecure. You’ve been listening to a Spotlight Edition of the Security Ledger podcast sponsored by ShardSecure. ShardSecure is the world’s most innovative data security company, disrupting the data privacy and security market with microshard technology, the only solution capable of breaking data into single digit bytes and distributing across cloud locations without sacrificing performance. Microsharding provides zero data sensitivity for cloud stored or on-prem data and can be used with or without encryption to provide true defense in depth. ShardSecure works with some of the world’s most successful companies in healthcare, financial services and technology to ensure ultimate data privacy and compliance while making data migration to the cloud more secure and faster than ever. Check them out at shardsecure.com.
[END OF RECORDING]