Jeff Man 0:01
Welcome to this edition of Security and Compliance Weekly. Today we welcome Matt Erickson, who is VP of solutions for today’s sponsor SpiderOak Mission Systems. Matt is going to guide us in a discussion of the challenges involved with protecting digital communications and collaboration across both local and remote systems for the federal and the private sector space. We’ll start with a discussion of the challenges facing both the public and private sectors, we’ll discuss how emerging technologies and methodologies address these problems, and we’ll learn about what Spideroak is doing to help address these issues as well. All this and more as we continue our journey of tearing down silos and building bridges on security and compliance weekly.

SPONSOR 0:47
This is security weekly, for security professionals by security professionals. And now, it’s the show that bridges the requirements of regulations compliance and privacy with those of security, your trusted source for complying with various mandates building effective programs and current compliance news. It’s time for security and compliance weekly. Some things are best kept secret, you wouldn’t send your company’s financial data through the mail on a postcard then why would you let your employees use insecure collaboration and file share tools to share sensitive business information introducing cross plate a file sharing and collaboration solution built secure from the ground up think signal only designed specifically for business and enterprise users across clave uses blockchain technology and end to end encryption to deliver a true zero trust system designed to protect you and your business’s most valuable data. So if you need to share sensitive information Spideroaks Cross Claim is your only choice. Go to securityweekly.com/spideroak and get a free account with five gigabytes of storage.

Jeff Man 1:56
Welcome to Episode 82 of security and compliance weekly recorded on August 10 2021. I’m your host, Mr. Jeff man and I am joined remotely today by the singular Mr. Josh Marpet. Josh welcome.

Josh Marpet 2:12
Why thank you. Pleasure to be here. As always.

Jeff Man 2:15
It’s just us today and this is a landmark day because Mr. Scott Lyons This is the first time he’s ever missed an episode so he’s broken his strength, but – his streak, but he’s on an airplane flying back from Las Vegas after doing at DEF CON this past week. Okay, I will miss him and it was in Vegas last week. Maybe we’ll talk about that a little bit during the course of today’s show.

Josh Marpet 2:43
It’s a great idea.

Jeff Man 2:44
We have a few announcements before we jump into it. Here’s some exciting news SC media which is also a part of the Cyber Risk Alliance has debuted its all-new SC digital experience, which is fully integrated with the security weekly podcast content and more. The new site increases the scope and scale of original content resources from the editorial staff and contributor. I can’t talk from contributors and the far reaching Cyber Risk Alliance Network if you want to check it out, visit www.scmagazine.com take a new look. And if you dig far enough under the podcast category, you’ll see our show it’s kind of cool. Also, Security Weekly Unlocked will be held in person this December 5 – 8 at the Hilton Lake Buena Vista. We’re excited to announce our first round of speakers who will include such notable luminaries as David Kennedy, Alyssa Miller, O’Shea Bowens Marina Ciovata, Patrick Coble, Chris Ang, Eric Escobar. Kevin Johnson and Justin Kohler. Visit securityweekly.com/unlocked to register and check out our speaker lineup. Okay, enough of that. Let’s jump into our discussion today. As mentioned in the opening segment, we are joined today by Mr. Matt Erickson. He is VP of solutions at Spideroak. Matt, welcome to the show.

Matthew Erickson 4:14
Hey, great to be here!

Jeff Man 4:16
And great to see another bodied bearded man on the show today right Josh?

Matthew Erickson 4:21
You know, it’s it’s really the best when the hair migrates from here to here.

Jeff Man 4:27
It is. I I’ll never understand as a fellow bald person why so much hair grows on other parts of your body everywhere but the top of your head. But perhaps that’s another issue for another day.

Josh Marpet 4:41
My daughter just says that I’m a warm fuzzy blanket Life is good, you know, I mean, come on.

Jeff Man 4:47
There you go. There you go. Not to not to be overrated, I guess. So Matt, tell us a little bit about yourself how you got into cybersecurity and ultimately how you ended up where you are today Spideroak?

Matthew Erickson 5:02
Well, I’ve been at Spideroak for over 10 years now. So a kind of a short story leading up to I’ve just been here forever. I got started in climate science, actually, at U of I Champagne. Did some research programming there and wound up being a customer of Spideroaks before I started working here. A combination of my housemate was working at Spideroak, and also, I was working with sensitive information as relates to climate sciences, a lot of sensitive data that’s used to process to run climate models against. And so I was inspired to back that up. And eventually I wound up being Spideroak, first mobile developer, wound up running through engineering roles. VP, engineering moved over now, VP solutions. So most of my career has actually just been Spideroak. So slightly boring, about how I ended up around up here.

Jeff Man 6:04
Well, it’s slightly boring. But it’s also slightly intriguing. Because, you know, those of us that have been in the industry a long, long time, they’ve often made several career moves, either voluntarily or involuntarily. So it’s, it’s relatively rare to meet somebody that has a long tenure at one company. I mean, you’ve basically spent your entire career at one company. So yeah, that begs the question, tell us a little bit about what Spideroak is all about. And what makes it such a great company to still be a part of after all these years?

Matthew Erickson 6:41
Yeah, so Spideroak, I guess, is the OG Zero Trust Company. When we got started, the founders didn’t want to deal with having the responsibility of the plaintext data from users on their systems. And we just kept going from there. So our original solution, which is now what we call one backup, got started with really interesting key management. Because, you know, those of us who grew up with crypto solutions,

Josh Marpet 7:14
No, no. Let’s be honest, let’s be honest, it was lazy key management, it was you handle your own keys, because we don’t feel like doing it. Okay. Come on, just here’s your key go away. handle your own key. I mean, it’s..

Matthew Erickson 7:24
I mean, one man’s lazy man’s easy management.

Well, okay, so like, if you want to talk about key management the time like, looking around, what else do you have to encrypt anything with before sending it up to the cloud? Which other cloud keyword for somebody else’s computer? And so what are you going to do PGP, and like, keep that somewhere? I mean, they’re the PGP key servers is almost like littered history of people forgetting their previous passphrase. And moving on to the next one.

Josh Marpet 7:56
Hey, hey, I resemble that. identities on the MIT, sir.

Matthew Erickson 8:01
I know right?

Jeff Man 8:05
What you’re saying is I should give up on all those floppy disks I have, because I’m never gonna remember the passphrase and…

Josh Marpet 8:13
And the one with 30,000 Bitcoins. Yeah, you’re never getting that back. Sorry.

Matthew Erickson 8:21
Yeah, so I boiled it down to a username and password. And the password was actually stretched to be your key. So as long as you could remember your password, or have a device that is online, if you’ve forgotten your password, you could just change it from that app. And that’s it. That’s how he got started. And we wound up in the enterprise space with that wound up serving a bunch of, you know, variety of customers. And so, a few years ago, we started looking around thinking like, Okay, well, backups, cool, and all but what else is there? And he started work on what is now cross play, and the platform that powers it underneath it, but how can we do this collaboratively? How can we because Spideroak One Backup isn’t really designed to work well with multiple people just backing up your stuff. And maybe your corporate administrator can work with you on that and PKN but really, it’s just your stuff goes to the cloud and it’s safe there. Whereas, you know, it’s a very collaborative world today we have a variety of actually really great solutions to work together and all of them are kind of terrifying to extremely terrifying if you’re thinking about putting actually sensitive information on there. So we started work on on the system is now grown to cross clave and the Spideroak platform underneath. So that’s, that’s our stick.

Jeff Man 9:52
Okay, before we get too far into the weeds, and talking crypto and encryption is always a fun topic for me. We are of course security and compliance weekly. And we start each of our interviews with what we call the hot seat question. And the question is simply this. And this is not a right or wrong response we’re looking for, we’re just trying to get a little bit of a sense of your perspective on this whole thing that we like to call the security versus compliance continuum. So where do you fall? In this thing called security versus compliance?

Matthew Erickson 10:30
I definitely understand the difference. There’s a lot of compliance that’s based off of making sure you’ve ticked boxes just enough to get somebody who actually doesn’t know security happy with you. But I think done well, a good compliance regime, hypothetically speaking, administered by people who get security can really help a lot of organizations with a much better security posture online. So..

Josh Marpet 10:58
Admit, it sir, you went to law school.

Matthew Erickson 10:59
in the middle…. I did some privacy lobbying for a while so hard.

Josh Marpet 11:06
Ah ha, We come to the root of the matter, you, sir, a lobbyist?

Matthew Erickson 11:11
Oh, no! But, Privacy falls into that as well, like that. So

Josh Marpet 11:17
It does. You’re absolutely right.

Matthew Erickson 11:18
Yeah. It’s a three-way Venn diagram. And ideally, you’ll find the spot right in the middle.

Josh Marpet 11:26
Right. So I really, if you don’t mind, let’s take a couple of seconds to talk about that. Because you’re the first one that I can recall. That said, you know, there’s security compliance. And by the way, it’s privacy. That’s it’s a three-way not just a two-way, a two-way spectrum. And I really like that That’s fascinating. And do you think that privacy should and can be segregated out from the security and compliance as privacy is separate from?

Matthew Erickson 11:54
Yeah, it’s a separate topic, like a look at Google’s business model, I have nothing but praise for Google’s security efforts. And you can set up your G Suite to have all the tick boxes that you need for a variety of regulated industries. But their privacy model, their business is built off of having weak privacy from Google. I know that Google Apps are supposed to not be scanned by Google for their advertising purposes. But if you’re thinking about like, just a small solo practitioner might just have a personal Gmail account. Their data is not by definition, private, in exchange for this free service. Another thing to look at is, you know, I’m just going to say this and then drop it and not touch it with a 10-foot pole. But the recent stuff going on around apple and their content scanning that they’re talking about. Again, it’s a compliance thing. And they’re trying to put security and privacy around that as well. It’s a very active and energetic topic, like where, how you get that Venn diagram. But ideally, you want to be in the center, right? And compliance is a tool in theory, where you can have some common yardstick to measure both privacy and security from and I understand that, in a lot of giant organizations, or the government, you wind up with compliance being its own end goal, outside of the purposes why you’re going through a regulatory process to begin with, but

Josh Marpet 13:34
I see the furrows in your brows Sir.

Matthew Erickson 13:38
Oh, man,

Josh Marpet 13:41
I want to get the hang of it. I just want to finish off with one little thought there. So first off in terms of the apple photo scanning two things one is but I mean, think of the children, you horrible person, I’m joking, relax. That’s how everything starts with think of the children and then it just goes well, if we just look for pictures of drugs, you know, hey, we’ll find some and then we can arrest them and make money. Amazing. Don’t get me started. But if you just turn off your iCloud photos, and use, for example, your amazon prime, which gives you free photos in full, full resolution, any amount of photos you want, you know, hey, I mean, I’m just saying anyway. So scanning anyway, that I hate. It’s going to be scanned, just get used to it, man. It’s just gonna be scanned. Don’t you understand? That’s the price of progress. And when I bring up the joke where you know, do you know the difference between a tech enthusiast and an actual technologist?

Jeff Man 14:43
No? What?

Josh Marpet 14:46
A tech enthusiast has Smart Home everything. They’ve got a Google Assistant over there on Alexa glued to their ceiling, you know, like an apple come home, whatever the thing is, uh, wherever their house answers to them their walls, you know, open up and have like, TV screens glued everywhere like tiles. And then like the whole house answers to them and a technologist has a printer with a baseball bat next to it in case it starts talking.

Matthew Erickson 15:12
You’re not wrong. There’s actually a there’s a former cybernetic intelligence professional that I know. And he’s retired living the life. He has an Alexa in his home. And it’s purposely left unplugged unless he’s cooking.

Josh Marpet 15:31
Yeah, no. More than anything else. Yeah, exactly.

Matthew Erickson 15:33
Yeah exactly. And they just don’t talk about anything while they’re cooking anything, anything important. And that’s it. Yeah.

Josh Marpet 15:40
I don’t have a single Alexa google home or anything in the house other than the Roku. And we have the one that doesn’t, I believe have Alexa enabled on it, which makes me very happy. It’s getting harder to find those. So anyway, I apologize Jeff, I interrupted you before. Please go. No,

Jeff Man 16:01
that’s, that’s fine. I wanted to harken back to a statement you said early on Matt about, you know, back in the day. And in you know, what were the options for encryption. And I sort of chuckled because, you know, I, as I am want to do, I’m going to bring up PCI. And PCI has been out the data security standards since 2004. And there has always been a requirement to encrypt data at rest, specifically credit card data. And yet in those early days, in probably forgot the first five or six years, there were effectively no options for encrypting any of that data, a lot of the data was sitting in databases, and none of the database providers back in those days had an encryption option, or if they did, it was very expensive and in hard to implement. So, you know, I don’t know how much your company grew up around compliance, or specifically PCI. But you know, what, what makes a company I guess, decide to there’s a, there’s a, there’s a market here, there’s a gap here, where we should provide encryption solutions, unless all of the people that started the company came out of the God, which, for all I knew they did, you know, what makes a cup into this kind of thing.

Matthew Erickson 17:31
So first off, our founders were probably the most opposite of DOD people you can imagine. In fact, one of our original tech co-founders is that working with z cash pretty closely. So um, what makes people want to do this? I mean, they just people want to people want the Star Trek future. Right? Like, right, but Okay, so. Okay, so the enterprise has terrible cybersecurity because the computer gets hacked, and the ship gets taken over every other week, right? But..

Josh Marpet 18:03
It’s got replicators. Tea, Earl Grey hot.

Matthew Erickson 18:06
Yeah, and outcomes like Slimer and attacks the room. But really, people have, it’s, it’s such a fearless embrace of technology that you get out of Star Trek. That is really cool. And technologists want to go to your earlier comment about smart home gear, you want to just ask the house to get you some tea and it appears on your desk. Wouldn’t that be amazing. But to do that, fearlessly, you really need to have those assurances of security and privacy. And that’s really what got us going originally to be able to make use of cloud computing. And this is 2006, 2007. Dropbox itself didn’t exist until 09 the iPhone was announced in what 06 released in 07 maybe off by a year or two here. But this was this is what a smartphone meant a blackberry or Nokia remember those things? They were great. And, like cloud services,

Jeff Man 19:13
Cause they worked like a communicator. You had to flip it open to talk.

Matthew Erickson 19:16
Exactly. I used to have one of those. It was it was pretty baller, um, could run Python on it. But you had that was smartphones. And if you were lucky, you had three megabit DSL. Whoo. So that’s when Spideroak really got rolling with this. In terms of being able to how can we this is a brave new world out there. How can we actually use it safely and you make full use of it because you’re not worried about who’s looking over your shoulder. And that’s what really drove Spideroak not some, not some DOD use case it turns out that the DOD actually has – the DOD themselves wear tinfoil hats so They’re a pretty natural fit for us in terms of marketing and sales. But in this case, yeah, I mean, because there’s one..

Jeff Man 20:10
I have no hair because of my past tinfoil hat.

Josh Marpet 20:15
Oh, you haven’t heard about the metal foil issue with nevermind anyway. You know, I gotta say, I remember when Spideroak was one of the only choices and the fact that I could encrypt it locally with my key and then upload the encrypted blob, and Spideroak had no knowledge, you know, full zero knowledge, zero trust of what I was uploading was amazing. Because it meant that I could actually guarantee who had access. Yeah, I remembered consulting to companies who were like, Well, how do we guarantee that because they had contracts even back then 2008 2009 2010, depending? How can we guarantee that our third party provider, our backup provider, a lot of people were using Spideroak for backups? Don’t you know, they do not have access? I’m like, well, encrypted locally. Like, well, does that mean they don’t have access? I’m like, if you don’t give them the key, they can’t decrypt it. But how Sure, are you that? You know, I’m pretty sure on that pretty Yeah. They’re, they’re like, well, when could they decrypt it? I’m like, you know, four, maybe six, like, yeah, like million years from now. And we don’t care about that. I’m like, right. So it’s actually pretty popular. I used it for I recommend it to my clients a lot back 10-15 years ago. But you know, I’ll be honest with you, and I’m going, you know, not after your company, but I’m talking about it. Like I haven’t heard much about Spideroak recently. I just know, I just haven’t talked to me. Why is Spideroak you know, what are you doing now?

Matthew Erickson 21:52
So Spideroak. But after looking at the backup market, which is very margin driven, like talk to anybody who does online backups, and some of our competition, you can see how they’re clearly using tape, just to keep those margins down. Because at some point, spinning platters of rust can only get so cheap. Because it’s spinning rust, yes. So I get it can only get so cheap before, you’re just talking about the cost of iron dust on metal platters. And so the, we started looking at the collaboration market. And so we’ve been in a bit of a pivot reboot. With moving to collaboration tools first set before and now cross clave, which includes chat file share, eventually, video conferencing. And we’ve also been getting them to space actually. Because satellites are I know this is this is saying security and compliance and not spaceships, and Captain Picard weakly but you know, bald heads, but

Jeff Man 23:07
we can believe in – No, we’re no one has gone before.

Matthew Erickson 23:12
But space is coming back to a lot of traditional infrastructure. Space is still important. We’re using imaging capabilities that 10 years ago, were military only. And now you can just go to planet or max R and just start downloading imaging imagery for both your own products or like hedge funds, counting cars and parking lots. You might be deploying new infrastructure to help bolster up like power or telecom or help and have to hit communication satellites. And up until recently, the security model for satellites was well nobody else can talk to it.

Josh Marpet 23:56
I was at a talk about hacking Mars using VX works. And I was like, Oh my god, you can get it, Mars, using a damn near obsolete, you know, real time operating system. And he was like, uh huh!

Matthew Erickson 24:08
Oh gosh, you can today roughly about $100 in parts, the Air Force calls it the Nyan Cat – from that pop tart, Rainbow cat thing 100 bucks a parts of the Raspberry Pi and some actuators. You can basically talk to any satellite low Earth orbit now. Which is basically most of them like all the really interesting stuff is still in low Earth orbit. So yeah, now

Josh Marpet 24:36
the starlink is in low Earth orbit, isn’t it?

Matthew Erickson 24:39
Starlink, Planet, bunch of government stuff. There’s a term coming out of Air Force Research called the hybrid space architecture, which is how can the government actually make use of commercial space or national requirements. So it’s a kind of a wild west currently because either you have your own bespoke security Can’t talk to anything else. But on the same side, you have an Amazon ground station as your orbital leisure space and putting the cloud in the cloud, how do you secure that? And that’s where Spideroak comes in. That’s we’ve been doing a lot of work on that combined with our collaboration product. And so it’s taken a while encryption tools, definitely that that’s a very long story, why you haven’t heard that much from us up until recently, again, is encryption based tools take a lot of time upfront to get right. Because unlike, unlike a traditional sort of tool where the provider knows everything about it, we need to make sure the data is structured properly, out the get go, because we’re not going to be able to change it afterwards, we can’t see the data, we can’t modify the data. So if we get it wrong, we’re stuck with that design forever.

Josh Marpet 25:55
I mean, four to 6 million years, it’s not actually forever, but it’s close.

Matthew Erickson 26:00
All we need to do is just pull down all the power in Utah, and we’ll be fine. Oh, dear. So. So that’s where we’ve been collaboration tools, and, oddly enough space, which personally I don’t mind, you know, Spideroak going to the moon!

Jeff Man 26:21
Yeah, that’s super cool. Let’s be honest. I mean, that is a very, very coincidentally, did the decision to shift towards collaboration happen and say the like, last 12 to 18 months?

Matthew Erickson 26:34
We actually started with summer core back in 2015. There is a round of, you know, we got some investment. There’s a change of some management. But then, kind of some combination of things happening corporate high jinks, and we’re doubled down on this pivot starting around 2017 2018. But it’s just taken a while to get the tool out there. So yeah, that’s, that’s why you really kind of this. We went quiet for a bit in the mid teens, basically.

Josh Marpet 27:05
Okay, so that makes sense. I was honestly curious. And so, okay, so you’ve done collaboration tools, you’ve lent us encrypted communication and encrypted collaboration and encryption security systems into the space systems and space. Companies, I guess, and they’re in their hardware and software. That’s fascinating. I’ve got to ask, I mean, are you still doing just sort of your basic encrypted communication, encrypted backup, encrypted here, encrypted data storage market as well? Or if you literally just walked away from all..

Matthew Erickson 27:38
Yeah, So we still have our backup product, you can still sign up for it. And over the coming some amount of time, I can’t give you a precise quote, it’ll all get kind of rolled in. So that way, one was, you know, the one backup stuff is available in cross clave. And you can use the total new modern architecture and run with it like that. which also includes fully functioning naps on phones, which I know it’s been a long bugaboo for customers on one backup, one to upload from their phone. So eventually, when the backup product gets put out to pasture, it’s because there’s already an upgrade path, giving everyone what they want, and more.

Jeff Man 28:25
Well, let’s take a quick break and we will come back and we will keep peppering you with questions I’ve got I’ve got a few up the encryption lane. Where do you see things going? I also hopefully I’m not throwing you a curveball. But I want to ask your take on one of my favorite topics lately, which is homomorphic encryption, but don’t answer yet. We’ll take a break and be right back