Ray Potter, CEO and founder of SafeLogic, sat down with Jonathan Vanian to talk about how 2014 is the year of encryption, what the future is for security on wearable tech, the issue of security not being at the forefront of software development, and his time at SafeLogic.
Jonathan Vanian: All right, we are on. I'm with Ray Potter. Ray Potter is with SafeLogic, and Ray, why don't you start off and just tell our listeners a little bit about yourself and a little bit about your company.
Ray Potter: Sure, Jonathan. Thanks so much. So, Ray Potter CEO and co-founder of SafeLogic. We provide a cryptographic solution for mobile devices, for servers, and for even wearable environments that essentially provide drop-in compliance for regulatory requirements, all right? So one of the challenges in security and especially in the crypto space is making sure that products are designed and architected in a way that meet very strict either government or private sector vertical requirements.
Jonathan Vanian: Right.
Ray Potter: I think we've done it in a way that traditionally had been lacking in the industry so far. So it's just pretty exciting. We actually got our start by kind of bootstrapping from some consulting operations. So I ran a services firm for about nine years where we provided security and cryptography and compliance consulting to a ton of just, you know, household security companies, network companies, as well as start-ups.
Jonathan Vanian: Right.
Ray Potter: Then what happened was we kind of saw that everyone was typically seeing the same challenges and issues with the traditional model for compliance with some of the traditional players out there for the software space. So we came up with kind of a R and D effort to kind of close that off and that's how SafeLogic was born.
Jonathan Vanian: So you've been in the security space for quite awhile then.
Ray Potter: Yes, for oh gosh, a good number of years. So before my service company I was at Cisco Systems for a number of years. So I basically kind of ran their security and compliance program, and really helped them kind of build a strategy for how they start to attack different compliance programs especially for federal government and try to get some of those requirements either merged into the development process or at least thought about it a little bit earlier during a product development lifecycle, so that they can kind of close off some of the ... I guess make some of the sales people happy as we like to say.
Jonathan Vanian: Always important to do that. So I mean, so obviously you've been in the security space for awhile, so any sort of trends that you're seeing? I mean, what have you witnessed happening with security over the past few years? I mean, what are you seeing today?
Ray Potter: Sure, well, I think one thing that's kind of exciting is that encryption is like cool again, right? I mean for the longest time it's just been essentially plumbing for all sorts of different products. I mean, you know, so many products sue encryption technology for a variety of reasons but after some of the alleged issues with one of the large vendors last year, and then with everything happening with Edward Snowden and everything, it's almost like people are really thinking about encryption now more seriously than before and actually really considering it during product development and I think even from a in-user perspective. Kind of just asking some questions and taking more of an interest in it where that's been a big challenge in security from homeless from day one, right? It's getting kind of in-user interest and buy-in.
Jonathan Vanian: Yeah, it's hot one day and the next day it cools off a little bit, but now it seems to be back hot in the cycle again.
Ray Potter: Yeah, exactly, but then, you know, now, like here in 2014 it's just like embedded. It's almost like the year of encryption, right? Which I feel pretty fortunate that we're in the space that we're in and I think that hopefully the timing should work out for us. But it seems like every day goes by you see news articles and tweets about Yahoo and Google's efforts to encrypt email and even just from that perspective it's interesting, but as I said, we start to look at other security, mobility, and big data that are out there offering solutions.
We're starting to look at encryption and cryptography a little bit more seriously from the beginning. So I think that's pretty exciting.
Jonathan Vanian: How did you guys get involved in the embedded space?
Ray Potter: Really just kind of looking almost from a forecasting perspective, right? I mean, if we kind of follow the trends from what's happened over the last couple years with the mobility movement I guess I'll call it, I think wearable and embedded devices are going to be kind of the next thing, right? I mean, it's almost like everyone is talking about Internet of Things already. So we wanted to just get a little bit ahead of that, right? You know, when we started we weren't really thinking about that, but about six months ago we started developing for Google Glass and Samsung Smart Watch and devices like that and basically importing our libraries over there.
Just because we figured that is going to be the next big thing, right? To be frank, I think it will be awhile before people really start asking the tough questions about security and encryption for those devices, but it's coming. I mean, especially a particular use case is for Google Glass, right? If you've got a surgeon using Glass during an operation, well they have patient data without being stored or transmitted elsewhere, and according to HIPAA rules that data needs to be protected, right?
So we're looking to kind of solve that need, and I think with what we've done on the embedded space, I think we're there but I think that still is going to continue to grow, and evolve, and mature. I don't think we're quite there yet but I definitely see that coming.
Jonathan Vanian: Yeah, I mean that's obviously a big concern about security for embedded development. I mean, what other sort of concerns are there out there that you're seeing? I mean, and when you're seeing so many security concerns is it just that it's such new ... it's a new sphere ... embedded so new that people just aren't really taking it into account? Or exactly what are you seeing there for some of these embedded developers?
Ray Potter: I think there's a few things. You know, I think there's ... which platform do I target, right? I think it's almost kind of ... it's so fluid like it almost seems like a moving target, right? Even on the mobility space when you look at do I start with iOS or do I start with Android, or do I look at HTML5 or you know, whatever. I think it's going to compound on the wearable space because that's going to move so quickly, and it already is.
So I think that's going to be a particular challenge is really having development and a really strong security architecture keep up with that rapid pace, but then also I think we're going to have to rethink security architecture in some ways because some of these devices, especially now, are relatively, you know, they have a small footprint. The apps are smaller. There's not as much memory. There's not as much processing power, so that's something to keep in mind.
I mean, obviously that will change as technology develops, but it's kind of hard to just like I said, port the existing technology to that environment, and we ran into that head first when we started looking at this because to be frank, we thought we thought we could go ahead and port our existing library to Google Glass since it's already on Android and call it a day. But then we got to looking at it, and thinking well, we're running into some potentially some space requirements, so we kind of wanted to do some bit slicing and get things smaller, and get things a little bit more compact. So I think there's a lot of different just moving parts here to keep in mind, and security isn't always at the forefront of development in terms of software, right?
Jonathan Vanian: Oh, yeah, sure.
Ray Potter: Almost like an afterthought sometimes, so I think that's going to be a particular challenge, is how to address that front and that changing dynamic.
Jonathan Vanian: Right, and you know when we talk about security, we're so concerned about testing over here, you know, because the testers are just constantly, I mean, you know, trying to get them involved in the process. How do you see testing changing and evolving in today's era especially with embedded development?
Ray Potter: Sure, I think that's always going to be a challenge. I guess it depends on what type of testing we're talking about.
Jonathan Vanian: So many types.
Ray Potter: There's different levels of testing for security, and then there's penetration testing, there's code analysis, there's all sorts of things. There's even just basic functional testing, right? So I think again, that's going to have to keep up with kind of the rapid development. Another thing to kind of think about is, especially from a crypto side, one of the things that like I said in the beginning that we're pretty focused on is compliance, right?
Jonathan Vanian: Yeah, regulatory compliance.
Ray Potter: So one of the benefits ... compliance is always a challenge, but one of the benefits is that that prescribes certain ways to do things that are known to be industry standard, or good practice, or just good things to do, right? So if you look at programs, it will prescribe certain cryptographic algorithms that should be used and things like that. So when folks are looking at different crypto solutions or what have you, if they can look for that kind of compliance seal if someone has met that, I think it can kind of help offload some of the testing because you're using kind of a known good and in some ways trusted product at the core.
So ideally that could reduce some of the testing that happens, but it's still certainly going to be a challenge.
Jonathan Vanian: Oh, yeah, definitely. Any other trends in testing that you're seeing that our readers should be aware of?
Ray Potter: In testing per se, not that I can think of off the top of my head. I mean, I've seen a lot of big push for more awareness, right? And just kind of more standard methodologies for development and incorporating testing into an actual security development lifecycle if you will. So I think Microsoft kind of pioneered this idea of a secure software development lifecycle, and I think they've done a very good job with it but one of the things I've seen that I really liked is that folks are using that model and using it as a way to address all sorts of security issues during development a little bit earlier and at least having some sort of a process and checklist and things like that so that it's not an afterthought.
It's mostly the big folks, right? I mean, it's the larger companies ... the Cisco, the Adobe, and the EMCs that are adopting this methodology which I think is a very good thing. I'd like to see it push down to some of the smaller more rapid development shops, but again, I think some of those folks are so eager to push out product and new features, it's hard to go back and really ... it's hard to address security from the beginning, let alone institute a process from the very beginning.
Jonathan Vanian: Right, especially when you're just doing ... it's so agile and you got such a-
Ray Potter: Exactly.
Jonathan Vanian: Yeah, that's a very important issue I think, almost getting overlooked. I mean, so yeah, let's go back to security. So I mean, what can some of these companies do to ensure that good security practices are being followed? You know, and let's say maybe this is a small development shop. Maybe they are, you know, they've got to meet these iterations ... these fast, rapid iterations.
Ray Potter: Sure, I think what I've seen is not ... I have seen some things that don't work in terms of corporate mandates, and policy requirements, and things like that, right? They either work or they don't. People will follow them or people will bend the rules to get their job done. Security isn't always what most people are selling, right? So it's not at the forefront.
What it has some people do is start to look at just simple things like a threat model right? So what are, as I'm building my system, what are potential threats that could compromise my system or compromise my data, and how can I drop them? That's one of the benefits of kind of this security development lifecycle if you will. It just kind of institutes that thinking during the dev process.
Jonathan Vanian: A threat model? Can you give us some examples of what could go into a threat model?
Ray Potter: Sure, so basically, if you want to look at it in it's simplest forms, you can think about if you're building a server application, you'll want to think about denial of services attacks and what can you do to help prevent and stop those. If you're looking at it from a mobility perspective, you'll want to think about what happens if the device gets compromised, or if the device gets rooted, or jail-broken, or somehow lost, right?
Jonathan Vanian: Yes.
Ray Potter: So just thinking of general threats and it can get much, much, much more complicated even down to source code module levels and looking at potential attacks and things like that, but I think just kind of in general, you know, thought process of what could actually compromise this system and how can I address it? It's a living process, right? It's not something that happens once.
Jonathan Vanian: It's throughout the lifecycle. It's throughout the entire development lifecycle.
Ray Potter: Exactly, exactly.
Jonathan Vanian: Yeah, how about let's talk a little bit about enterprise tech. Any sort of trends that you're seeing in that sphere?
Ray Potter: In the enterprise space? Nothing is really jumping to mind. I mean, I think I'm scared enterprise is almost getting left behind in some ways in favor of the push towards mobility, but-
Jonathan Vanian: Yeah, that's very interesting.
Ray Potter: I'd say that's certainly one trend, right? If folks are looking at, from a general security perspective, it's kind of moving away from just the legacy of being loss prevention and access control products, and again moving more towards mobility, and security, and user enablement, right? So if I've got a mobile workforce, how do I make sure that they have the right data at the right time and in a secure way?
Jonathan Vanian: Yeah, that would be a very big issue.
Ray Potter: That's certainly one trend that I think is happening within enterprise, and it's gradual and it's certainly not consistent, right? I mean, I know a lot of very large, very old, very Fortune 10 level companies that frankly mobility is just too hard. It's like, you know, we've got so many people, we've got so many things going on, we really don't want to attack this problem now because we've got other issues. It is a hard problem but I think people are starting to embrace that that's not the future, that's now. That's how people are doing work and I think enterprises need to adapt to that.
Fortunately there's a lot of security vendors out there that are ... kind of foster that change, right? So as someone is looking to move to a mobility infrastructure or something like that, there's a couple thousand different ways to actually attack that. One of the challenges is that it's not a one size fits all solution, right, which is why there's so many different mobility vendors out there that are tackling the security problem is because people have different needs, different environments, different challenges.
Jonathan Vanian: It's all about the context of the situation.
Ray Potter: Exactly.
Jonathan Vanian: All right, so how about ... I guess any ... I guess what's on store for SafeLogic? What is the big thing SafeLogic will be working on in the future as we wait?
Ray Potter: I think you're going to see a few things from us, right? You're going to see some interesting partnerships coming up. You're going to see kind of a more formal proactive attack if you will on Internet of Things space. That's a pretty challenging space and that's ... I've already seen some other companies claim to be the leader in Internet security. Well, in my mind I don't even think that's really a market yet. I think we're still trying to figure out as an industry what Internet of Things means and what it means for the future.
Jonathan Vanian: Right, and when you're saying it's challenging, I mean I'm just assuming because it's the big spider web that it is, that it's keeping everything in place. I mean-
Ray Potter: Yeah, exactly. So we're starting small with it to be honest. We've got a couple partnerships that we're going to announce that we're ... where we're trying to get into kind of the plumbing of that infrastructure and see if we can get it from an operating system level and device level and things just because I think that's going to be important, right? As people have connected devices in their home or their cars, well all of a sudden there's a lot of different attack points now, right?
It's not just the home access point or what have you. You know, there's the security camera that someone might have or what have you. So that's something that we're thinking a lot about and making some effort toward. You're going to see more of push from us on the wearable space. I mean, I think that's going to continue to evolve. I think as an industry that's still kind of looking for the killer app and killer use cases, but it's going to be there and especially from certain verticals like with the health care earlier.
I think you're going to see some interesting things from us. So I think it's just making sure that we're not only looking ahead and attacking problems that we foresee coming but also just making sure that we're keeping up, right? I mean, one of the things that we focus on as a company is making sure that we've got ... our software is government tested on some of the latest platforms right? So when IOS 7 rolled out we were the first third-party crypto library tested on it. Same thing with IOS 6, right?
Jonathan Vanian: Yeah.
Ray Potter: We're pretty committed to the compliance stance. We're going to maintain that. Yeah, I'm excited. Like I said in the beginning, I think 2014 is the year of encryption and I think we're in a pretty good spot. I'm excited.
Jonathan Vanian: Very cool, Ray. All right, Ray, well thank you so much for taking time out of your day to chat.
Ray Potter: Thanks, this was fun.
Jonathan Vanian: Yeah, totally. Thank you very much.
Ray Potter is the CEO and Founder of SafeLogic. Before starting SafeLogic, Ray founded Apex Assurance Group, a firm providing security and compliance consulting to top companies globally. Ray grew top-line revenue at 47% CAGR with 75% net profit margin. Prior to starting Apex Assurance Group, he was the Manager of the Security Assurance Program at Cisco Systems, where he was responsible for the direction, strategy, and operations of Cisco’s global security certification and assurance initiatives, including the FIPS 140, Common Criteria, and ICSA programs. He was the single point of contact for standards bodies, Cisco’s customers, and Cisco’s product teams. Ray started his career as a consultant with a global management consulting firm, assisting Fortune 500 companies and government agencies implement IT solutions and process improvement initiatives. Ray is the co-author of FIPS 140 Demystified: An Introductory Guide for Vendors, has been published in Information Security Magazine, and is a frequent guest speaker in industry forums and conferences on the subject of Information Assurance, risk management, and compliance.