Welcome to the Code of Entry podcast, where we cloud the issues with facts and help you up skill to stay on the digital edge. Here’s your host, Greg, with the latest.
Welcome and Topic Introduction
Hey Team! Today, we’ve got some awesome stuff in store for you. We have a special guest, Justin Cleveland, that we’re going to be interviewing from authentic8. They’ve got this really cool cloud browser named Silo. If you’ve never heard of a cloud browser before, don’t worry, you’re not alone. Most people probably haven’t. It’s this really cool tool that allows you to remove a lot of risk from your desktop. Not only does it allow you to remove risk from your desktop, but it also allows you to provide yourself or your employees common tools with common access privileges from a cloud environment. That way you can log in and get access to your resources from anywhere in the world while at the same time, keeping your home computer, your work computer, your work network safe. So really cool tool and we are excited to have them on.
Thanks and Subscribe
We just wanted to say thanks for listening and remind you to follow, like and subscribe to Code of Entry on all your favorite channels. We appreciate having you on the team and any help reaching out to others. Remember, we’re here to help you by providing cutting-edge digital insights into this ever-changing industry. Now, back to the show.
Guest Introduction
I’ve got Justin Cleveland with me today. Justin has been a friend for a couple of years. He is working for authentic8 now and before that worked for Recorded Future.
Really appreciate Justin coming on today. He is going to blow your minds about some technologies that you should already be using.
What is a Cloud Browser?
Greg Bew: I really want to get started with this Cloud Browser thing that authentic8 has. Then I’m going to tell a story about RSA, because it’s one of my favorite stories.
What is the Cloud browser?
Justin Cleveland: What Cloud browser is exactly that. I use the Netflix analogy. If you recall the early days in Netflix, they would actually send you a DVD. You would have to put that DVD in your computer or in your DVD player and run the DVD locally to watch the movie. Basic, that’s basically what a normal web browser does today. That web browser is reaching out to the web, going to the website that you point it to, grabbing from that website an arbitrary blob of code and is running it locally and on your machine.
Well, Netflix figured out pretty early on, that’s kind of a crappy business model. You have to do an awful lot of stuff. So, they switched to a streaming model. Whereby the DVD is still running, it’s just running in infrastructure that they control and they’re streaming pixels down to your TV. A much better user experience rather than having to go to the post office.
We are effectively doing the same thing with the browser. We are spinning up a browser in our cloud environment, which is hosted by Google, and we are then streaming that browsing experience down to you via Remote Desktop Protocol Display.
Now what that does for you as an end user, there’s really no change to your behavior. You click on our icon instead of Google Chrome, you go to your website, just like you normally would. Everything works the same. It’s the same user interface. It is based on Firefox.
The big difference is, if you click on that cat video that your grandma sent you, that’s actually a Russian watering hole type of attack, that’s all self-contained within our cloud environment. When you close out the web session, it’s as if it never occurred on your computer. Kind of a fundamental transformation for how people could get online safe.
Greg Bew: [Timestamp: 4:24] I remember the first time I saw it, I’m like, Oh, this is neat. And then sometime between the first and second interaction like, ‘Wait, wait a minute, you do what?!?’ There’s so much potential from the Cloud Browser for so many applications. From your cyber hygiene, to providing tools to your employees, to easy ways to do bring your own device, to just being able to know what’s coming in and out of your network. There are so many huge implications to this technology, it’s crazy.
I personally really think if you’re going to do one thing for cyber security, one thing for your digital hygiene at all, it should be using Silo, authentic8’s Cloud Browser.
Why should you use Authentic8’s Cloud Browser:
- It’s not expensive
- You don’t go directly at harmful things anymore
- You can click on emails from African princes and still be okay!
How to Deploy the Silo Cloud Browser
Justin Cleveland: I was pretty early at Recorded Future, and Recorded Future was a rocket ship. It still continues to this day to be a rocket ship. I took a meeting with Scott Petry, and he explained to me the addressable market was everybody on the planet. That got me pretty excited. We really view Silo as more of a platform. You can do an awful lot with our platform.
We have customers doing things like globally distributed workforce for a major Fortune 500 company. What they did is they put their Gmail applications behind Silo, so the only way you can get into Gmail is if you’re in our platform.
There’s really interesting use cases for how you want to deploy. You could deploy it where it’s the only web browser you have. You could deploy it where some web traffic that you trust runs on the local browser, other web traffic that you don’t trust, like social media, can run in us, so a hybrid model. We can deploy it a whole host of ways. As integration with your secure web gateway, integration with your firewall. It’s a really flexible platform that any organization can deploy largely with a click of a button.
Greg Bew: [Timestamp: 7:17] Currently I use a VPN and Silo both. When first hearing about Silo I thought it was a good idea, but I wasn’t quite at that ‘I’m going to pay for this and use it for the first time’ level. But then because some of my data was in one of those kind of data losses, I remember that you all had the deal, it allowed me to get on there for free. Is that still something that you all do or there’s just too many people with compromised data, these days to keep afloat with that?
Wonderful Tool for Audit and Oversight
Justin Cleveland: [Timestamp: 7:47] Yeah, we still offer up to anyone that was part of the Office of Personnel Management data breach, we still do offer pro bono the licenses for a year as part of the clean-up for that. We feel like given the fact that we’re a very, very government-heavy business and we’re very appreciative of our government customers, and we want nothing more than people that have government background security clearances to feel safe when they go online. So yes, that is still something that we offer up. I think we have about a few thousand people that have taken advantage of that.
I use it every day. I’m paranoid. I don’t access my banking in anything but our web browser. I don’t allow my employees to get into sensitive company web applications in anything but Silo.
Salespeople get fired. It’s kind of part of the job. Salespeople is a high turnover, it’s a high turnover industry. What I’ve experienced in the past is salespeople value the customer data that you have as an organization very highly. So Salesforce becomes an absolutely critical business application. We’re able to actually lock Salesforce down behind our firewall in Silo, so that a salesperson doesn’t even know their credentials to log in, and we have full visibility into everything they’re doing in Salesforce. So in the event that somebody is leaving, we have the ability to force them to not be able to download any data out of Salesforce, and if they do try to download data out of Salesforce, we would actually see that in the logs that occur in our cloud browser, so it’s a wonderful tool for audit and oversight of high-risk business applications.
Web Traffic Vulnerability
Greg Bew: [Timestamp: 9:46] A lot of folks don’t understand just how vulnerable your web traffic is just from your point of presence, your endpoint to that local router to wherever in the cloud it’s going to go. For example, you’re on Wi-Fi on your street, the ability for somebody to do a man-in-the-middle attack or just view your traffic, the ability is high.
Let’s go conspiracy theorist, there is the ability for a nation-state actor to own part of the route or that you’re communicating with… All that stuff exists.
RSA Conference
One of my favorite things ever was going to the RSA conference. You walk around, you get this awesome swag from everybody, you get to see great ideas, you get to see some fake ideas.
We’re at RSA Conference, biggest cyber security conference. It takes over San Francisco for a few days. If you’d never been, you should go. So we get to RSA and we’re coming, we’re trying to find the authentic8 booth. So we are looking and the papers say authentic8 has a booth right here, but I don’t see it, and then you pay attention for a minute and there’s this Francis Archibald Keyes Esq. So that everybody understands… that’s fake, when you put the acronym together, there’s this fake security solutions booth up. They’ve got this cast of three or four actors sitting there like selling snake oil. And I think over the course of RSA, you get one of the most popular Twitter followers from the event, you’re getting retweeted, half of the people love you. The other half of the people absolutely hate you because you’re calling them out for being fake.
Justin Cleveland: [Timestamp: 13:19] It’s like the Silicon Valley story. I think they did the best take on artificial intelligence. I don’t know if you watched the show, but this character made an app that was hotdog or not a hot dog. I think that was the greatest use of poking fun at machine learning and AI right. Cool, you told me it’s a hot dog.
Greg Bew: What inspired you to have this fake booth at this huge conference? It was awesome! We still talk about it all the time. I’ve got the bottles sitting here. Instead of evangelizing your awesome game-changing technology, what possessed you all to go out there and be like, Hey, all these people are lying to you?
Justin Cleveland: We’re a weird company and we kind of take pride in being a little bit weird. That was us showing a little bit of our internal attitude towards things. We are a little more effervescent than a lot of other buttoned up companies.
The second thing is our customer’s experience. Our customers are trying to solve really, really hard problems and they are flooded with nonsense and buzzwords from the cyber industry. They are constantly being told ‘Oh, if you just use machine learning, all your cyber problems would go away. We have all of these things, if you just deploy our product, your world would be nirvana.’ And it’s just not true.
We’ve seen recently with what’s happened with some of the compromises that the cyber world has had. It’s like, these are really, really hard problems, there’s really, really smart people thinking about them. We wanted to play tongue-in-cheek with it.
The cyber industry is a 100 billion a year industry. If any of the products out there that are claiming to be kind of a panacea that fix all this stuff worked, we wouldn’t be in the situation. We don’t come at it from a ‘We’re a silver bullet to solve all your problems’, because we’re not.
We saw the very narrow and very hard problem to solve, which is the browser is the Trojan horse into your network. What we do is neck down your attack surface. If you have a lot less attack surface to look at, your SOC analysts become that much more effective at hunting really hard stuff.
So, yeah, it was tongue in cheek. It was fun. It did get a lot of play. Got retweeted thousands of times, we’ve really made some of the big players in the industry mad to the point where we actually had a top 25 cyber security company who was in the booth next to us, actually come up and ask our actors to stop saying things like, “You need 5G, we got 6G.” because they viewed it as such an insult to their technology.
Greg Bew: [Timestamp: 16:07] Whether you’re a business or just somebody sitting at home the web browser is it. It is your attack surface, because you can button up as much as you want, and you can try to do the right thing.
People think, ‘Oh, that looks legit. I have to pay my credit card yet’, or I won the lottery, CLICK and then all of a sudden, all the defenses are by the wayside, because you’re executing code on your browser. Whereas if you can control everything that comes in and out…
Justin Cleveland: You hate to say it, but your people are your weakest link. They’re your greatest asset, especially if you’re a business or a large organization, but they’re also your Achilles heel. People consistently will disappoint you in my experience.
Greg Bew: I compare this to the Japanese Toyota Production System. One of the great improvements Toyota made was the couplers between process lines in the factory. They made it so anywhere that something was ever supposed to be set, there was a shape and form for it. So if something wasn’t just right, you would know right away and could throw it out. It ensured quality.
It’s kind of the same thing here, where we have so much traffic going in and out, it’s hard to inspect to see what the right things are. Whereas if we take over 95% of it and put it through one way where it’s not a risk anymore, then all your other little things can be inspected. They can be looked at, you can take better analysis of it.
COVID and the Telework Dilemma
Greg Bew: [Timestamp: 18:15] A lot of businesses have been hit hard by COVID, a lot of new folks tele-working. How does Silo play into that? I guess knowing what I know about that technology could be a big opportunity for you to help some other people keep doing their job in these tough times.
Justin Cleveland: We’ve had some really good success stories from the tele-working community. COVID happened so fast that most organizations didn’t have a plan for mass tele work. What we saw was VPN capacity was relatively fixed for most organizations. You can’t just buy more VPN. There’s a supply chain that goes to support VPN that’s largely hardware-based, and that’s what really kind of choked during the early days of COVID. A lot of organizations were looking for alternatives to VPN to neck down the security aspect. That’s when we really saw an uptake in our business. We had a lot of large government organizations start to authorize our products used for home work. That solved two problems.
One, it gave the government an idea of what those people were doing when they were working from home because of the audit logs that we have. Perhaps even more importantly, the government didn’t have enough things like CAC card readers or excess laptops to give to all the people that didn’t already have one issued, so there was really a dearth of the ability for them to even do tele work, so they had to allow bring your own device.
Bring your own device creates a whole host of issues because it’s by nature an untrusted device in someone’s home network. We help solve a lot of that problem.
Then as we got further down into COVID people were realizing that people were working globally. You had no idea who the ISP, the traffic was going over, you had no idea if you could trust that ISP depending on what country your workforce was in. It was potentially an issue for individual users at home. If they were trying to execute a sensitive mission, say in anti-money laundering at a major bank, and they were in a country that had a reputational problem with money laundering, if that ISP was providing data to the government it probably would have put a triangulation together to say, ‘Hey, this analyst is looking at money laundering in our country, we don’t like that.’ It was a potential health and safety risk for a lot of our employees. Because our browser is completely non-attributed back to an individual end user, it actually provided a safe way for people to execute their missions from anywhere globally.
We had our own challenges too. We are pretty lucky that as a Silicon Valley company, we were pretty flexible in our ability to work remote. But it did take us three months to get a cadence together. Largely because we had a globally distributed workforce. Our CEO spends most of his time in Berlin, and he was largely unable to travel. Almost all of our engineering is done on the West Coast, so you have a three-hour time difference there. Almost my entire organization is here in the Washington, DC area, so to get a communication cadence that was successful and repeatable for our business took a while. My days were stretched because I had to spend so much time on Zoom meetings. I missed the human interaction, and I over-compensated for that with Zoom, which was challenging.
COVID and Work-Life Balance
Greg Bew: [Timestamp: 21:59] That was interesting when COVID hit and we all went virtual it was really challenging because there’s this new normal. A lot of folks that care about the organization, and their business success are going all in to make it work. Work-life balance is out the window. If you’re looking at the date on this podcast, we’re recording this in December 2020. In 2021, I think the thing we’ve all got to get back to is some type of work-life balance. Right now, there’s not a lot of opportunities to do other stuff. There’s still no downtime for a lot of folks trying to make their company succeed in this climate. It speaks a lot to human resiliency, but at some point, we’re going to have to figure out as organizations, as leaders, how do we stop going back to the well and allow people to recharge and exist in that pre-2020 environment?
Justin Cleveland: We try to do as much business continuity planning as any company should or would, but what’s normal look like in 202? We don’t anticipate anyone really going back to the office until we hit 60% or 70% vaccination rate. We don’t know when that will be. We’re hopeful that vaccines start rolling out in the April time frame to the general population, but we’re prepared to see all of 2021 be in a remote or tele-work kind of environment.
I personally just miss interacting with my team. That’s the thing I miss the most. I can stomach the 14-hour days, and the business uncertainty as budget shrank and continuing resolutions hit. What I can’t stomach much longer is just not seeing my teammates.
Greg Bew: Yeah, I think that’s where we’re lucky. Our team’s pretty small, so we still get to see each other and interact. We’ve basically made that closed circle of just us. The thing I miss is that it’s hard to stay relevant. Technology changes all the time. Nothing has changed that. But now we’re missing the opportunities to engage with folks and see what the newest stuff is. How we should be doing our jobs tomorrow versus concentrating on last year’s technology.
I told somebody recently, if you wanted to ask me what the state-of-the-art was in 2019, I would have been very confident I was telling you the absolute truth. Now sitting here in 2020 I hope I can tell you better than most people, but I don’t have that confidence.
5G Implications
Justin Cleveland: What tech are you tracking now that you think is kind of interesting in the marketplace?
Greg Bew: [Timestamp: 24:48] I think some of the interesting/concerning things are definitely 5G. I think that’s the easy button for the answer here. 5G has a lot of implications on our ability to transmit and transport data, because a lot of the use cases that we look at are definitely restricted bandwidth use cases. The thing that’s out there that needs to be fixed is kind of first mile/last mile transport.
Elon Musk and Starlink
A lot of places have great pipes and infrastructure, but that first mile/last mile transport is a real problem. I guess expanding. I’m super geeking out over Elon Musk and Starlink. That thing’s awesome. So my dream of retiring to a Caribbean island somewhere was always like, ‘Yeah, I could do that… except I wouldn’t have internet, so I don’t know.’ Now there might be internet, so I’m going to have to redo the whole decision analysis here!
Justin Cleveland: That’s really interesting. Post-Starlink, and some of the things that Musk is doing with Tesla. They’re really, really exciting. Some of the computer vision stuff that’s coming out of the autonomous driving cars is really exciting to me.
Low Code, No Code
I think the biggest trend that I’m excited about, I would love to hear your take on it, is low code, no code. We have such a lack of computer scientists in this world that can actually write code and make things useful, that I love to see the trend in organizations moving to a low code, no-code type of software. It just democratizes the ability to enter the tech space in my opinion. Which is super cool.
Greg Bew: [Timestamp: 26:36] We make a lot of websites. 80-90% of those would be WordPress-based almost for that reason. Spoiler: I can code. But why if I don’t have to? I can go up there and pop up a WordPress template that I can make look however I want. But instead of trying to figure out, you know how to reinvent the wheel for doing these 10 functions that every website wants to do, I just go to WordPress and download these plugins.
I think the thing I’m afraid of with low code/no code is we’re already a pretty high risk for cyber things and not every other country has the same maybe ethics standard that we do. So I think one thing with low code/no code is just figure out what’s the code review for things that are sensitive? And if they’re not sensitive, they’re not. I joke with people all the time, they’re worried about Alexas. I’ve got Alexas all over my house. Hopefully, you don’t hear one…
People are like, Oh yeah, but somebody’s listening to you… Well, congratulations, anything I’m talking about in front of Alexa, if somebody wants to listen they can. I’m actually protecting our national security, because they’re listening to me, then it means they are not listening to somebody else. So maybe that’s also that low code/no code, figuring out what things are actually high risk and just what aren’t. Putting the right effort towards solving the problems.
In the security world there’s always, this one standard (if the shoe fits). Why does there have to be? If this is a one-day throwaway fix and I should be able to use it, right?
Justin Cleveland: [Timestamp: 28:16] That’s always the balance. Especially in the business world, there’s a trade-off between security and productivity. Unfortunately, it’s a sliding scale. You can’t have the no security, which would likely result in the highest productivity. You get stuff done, but the business risk is too high. When the security pendulum swings too far in the other direction towards locking everything down, productivity absolutely suffers. If you put yourself in the unrealistic expectations from a security standpoint, it can be a really challenging thing to overcome. You’ve got to do business at the speed of business. Sometimes security can get in the way of that.
Greg Bew: We were talking before we kicked off the podcast. One of the things we were talking about was education. I like to develop that in two ways. One is, ‘What did you do in college? Was it worth it?’ And then the other is the route of, ‘If you had to learn a skill today, what’s the thing that everybody needs to learn to be trendy?’
I’ll start with my view first. I’ve got a couple of degrees and custom certificates. I think that they’re important, but more from what I learned about myself versus what I learned in the curriculum. I think there are a lot of folks that hang their hat on their degrees. Like the degree gave them something. I approach it from the ‘I have a degree, which just means that I went to class and I learned.’ But it’s just that many hours that I spent figuring out how I learned.
If I look back along my time in academia, whether it was in college or when I was teaching at West Point, I actually know how I learn now. I spent a dumb amount of hours on Udemy (I love the Udemy website) because I will think ‘the last time I was developing web things as a real full stack developer, I was like, 2016, let me buy the 2020 Ultimate Web Developer thing.’ Or I’ll think, ‘Hey, I was really good with elastic 6, but elastic 7 came out. Let me look at it, Kubernetes, Ansible, all these other buzz words.’ And it’s like I can pay $10 for a course to get myself spun back up.
Justin Cleveland: [Timestamp: 30:41] For me, I’m kind of in the same boat. It definitely gave me a framework for how I learn. I mean, my undergrad was largely spent drinking Miller Light and it was great, I learned a lot about human consumption of Miller Light.
But overall, I think I’m much less bullish on traditional education than I was because I see how my kids are currently interacting. They’re in a remote tele school environment. I get so proud of my daughter, she’s six at this point, but if she doesn’t know how to do a problem, I used to go to my parents or go to my teacher, the first thing she does is YouTube. The YouTube video explains to her how to conjugate a sentence.
That’s just really, really powerful. The one thing I think I took away from my education was largely from my master’s degree at Penn, which kind of put me way out of my comfort zone. I went to grad school right after undergrad, which isn’t really necessarily traditional out of school like that. It taught me how to interact with different types of people that were very different than people I grew up around. These are politicians, people that had spent or made millions of dollars at Goldman Sachs and then wanted to go back and get an advanced degree.
They taught me how to interact with people across the spectrum. I could have a conversation with the guy drinking Miller Light in the dive bar, but I could also feel confident in myself and my ability to communicate. At that time, Governor Ed Rendell of Pennsylvania was one of our professors. That was invaluable to me, and it gave me a lot more confidence than I had as a 21-year-old guy graduating undergrad. But for the rest of it, I’d rather use YouTube if I could, going forward.
Up-Skill Target
Greg Bew: [Timestamp: 32:50] So somebody out there aspiring to up-skill in an area, what’s the up skill target you think?
Justin Cleveland: I think there’s just so many web resources at this point. We’ve gotten to the point where college has become almost an expectation. But the hard skills like learning to code, it’s ultimately no different than learning a foreign language. You don’t need to go to college to learn a foreign language. There’s a bunch of better ways to do that. One of which is immersive, like if you start to practice coding… That’s immersing yourself in code.
There’s an awful lot of awesome repositories like GitHub, there’s a lot of tutorials on YouTube. Try that first. You can always go for more finished or polished instructions, more formal education later.
My undergrad degree is in Political Science, I don’t use that very much. Could I have gotten a similar education by reading history books on my own and not cost myself six figures? Probably…
Cloud Solutions Architects
Greg Bew: [Timestamp: 33:53] I think if I had to throw a recommendation out there for one topic to upskill on, and this is totally just based off my preferences, it would be cloud solutions architects.
I like to be a jack of all trades, not necessarily a master of any. I remember recruiting cadets at West Point to come to the system of engineering department. I’d be like, You can go to these engineering departments that are like Mech. or civil or electrical, and you can become an engineer that’s really good at solving an aspect of a problem, or you can be the person that understands holistically how to solve that problem and you manage the team. What does managing a team sound like… It sounds like leading soldiers! But you know what the other cool thing is about being a leader of a team, you get paid more.
It was my own selfish sales pitch. I might not be the best person at every single angle, but I like being well-rounded and able to solve problems. I think that there’s so many cloud technologies out there that are having a big impact along with some of the technical things but figuring out how that all fits together to provide a solution. I think that is super valuable because then you don’t necessarily have to be the best person slinging code or the best person doing one particular aspect of the problem, but you understand the technology space.
Why Google?
Greg Bew: [Timestamp: 35:30] Why did Authentic8 pick Google over some of the other cloud vendors?
Justin Cleveland: A couple of different reasons. We really like the fact that at the time that we selected Google, they were further along in federal accreditation. We’re a security company, we take our security very seriously. That was very appealing to us to have global points of convergence with Google and leveraging their infrastructure to make our FedRAMP process that much cleaner and tighter.
Google is in a fight in the cloud space with Amazon, with Microsoft, with some of the other large players. We were able to leverage our business, which was attractive to them from a partnership perspective to drive price down. That’s part of our goal is to keep our prices as cost effective for our customers as possible. We were able to really get what we feel is a mutually beneficial relationship with Google based on price.
The third reason we picked Google is sort of strategic. Google’s a household name. When we walk into our customer sets and they ask what is our infrastructure published on, they really generally feel good about our infrastructure being on Google, given its reputation as a world leader. A leader not just with cloud computing, but the things you use the most in your life is probably some part of tied to Google.
It is a tough choice, and we still do have infrastructure on Amazon and we have other infrastructure players that we use to make sure that we’re diversified, and we aren’t single-threaded, but we feel pretty good about Google.
Greg Bew: I remember we had that conversation a couple of years ago where it was like, Hey, we’d really prefer you be on this infrastructure, and your answer is, Yeah, we could totally do that. But we went with this provider for a reason, so I think it kind of circles me back to talking about having people that understand the cloud in general is… You’re not locked into one. I know I probably shouldn’t say this out loud, but they’re all generally the same, but they all have different business models, right. So Azure focuses on what it wants to do well, Amazon focuses on what it wants to do well.
I think Google at the time had the best CPU utilization for you, so you were able to get better customer performance. Any company out there, look at the cloud vendors and go with the best one. You’re not going to be completely locked down because they all generally do the same thing, but it’s a great time to be in tech. There are just a lot of awesome options out there without having to stand up your own data centers.
Justin Cleveland: We looked at the market seriously. We did reviews of all the major players in the cloud space. We were getting better performance with Google at a lower cost, and also because Google was trying to kind of catch up to Amazon and Microsoft, they were a little more pliable in doing things like sourcing chipsets that we really like that made our performance better. They were more willing to come to the table with some exotic ideas that our cloud solution engineers were proposing than some of the other big players.
Wrap Up
Whether the person that’s listening to this is at a Fortune 50 or a start-up or just sitting at home, I really believe that authentic8 is something that’s a tool that should be in everybody’s toolbox. There are different tools for every problem.
You don’t know what you don’t know, and there are a lot of people that just don’t know that cloud browsers are a thing. That the web browser is the worst thing on your computer because it’s the first thing everybody goes to use.