Air Date: February 16, 2023
Most businesses today have two things in common. First, they happily use Google Workspace or Microsoft Office 365 for cloud computing and collaboration. Second, they are blissfully ignorant about a very important question: who actually controls the keys to unlock sensitive business data stored in the cloud?
Register now and join this virtual coffee chat with Virtru experts Andrew Lynch, Tony Rosales, and Trevor Foskett to hear their perspective on the pros and cons of adopting privacy-enhanced collaboration for business. This session offers a fun, friendly, and thought-provoking conversation on the following topics:
What is privacy enhanced collaboration and cloud computing?
What is a blind subpoena? Why should anyone care?
What are encryption keys? Who controls them? Why does it matter?
What is CSE for Google Workspace?
What is the alternative for Microsoft O365?
[A. LYNCH] Welcome, everyone. Thank you for joining Virtru's Hash it Out today, where we are going to be discussing privacy-enhanced cloud computing, among other topics. Please don't forget to redeem your coffee on Virtru if you need a little pick-me-up. We hope that you can enjoy it as you join in on the conversation, even though you won't be able to add anything. But we would love to hear your feedback if you want to reach out to us and ask any follow-up questions. I am joined by 2 extremely talented co-workers today, Tony Rosales and Trevor Foskett, both on the solutions engineering team at Virtru. So on a regular basis they are helping to convey the value and, more importantly, answer some of the more technical questions that the sales team is coming up against and being faced with from our prospects and customers. My name's Andrew Lynch. I manage a few of the sales teams here at Virtru. And so we wanted to begin the conversation today by asking who gives *** about privacy and enhanced cloud computing?
[T. ROSALES] Yeah, I guess I do too.
[T. FOSKETT] So for anyone listening, all three of us just raised their hands. If you're not watching the video.
[A. LYNCH] If you don't have your video on, yes. If you're listening to this while you're driving, please pay attention to the road. But we understand that you would not have just seen that we had our hands raised. So maybe let's kick it over to Tony. Because Tony, I think having known your background prior to Virtru working with various technologies, and even before the cloud was a thing, even to an extent, I would love to hear, what is that? What is cloud computing? What is collaborating in the cloud, for those to whom it's still a new topic? And why do organizations care about enhanced privacy with that topic?
[T. ROSALES] Yeah, Yeah. So just a quick, you know, to compress 30 plus years of cloud computing into a couple of soundbites here, essentially, you know, what everyone used to do is I've got this server and I've got my data sitting on it and it's happily in my office and I can lock the keys. I can lock the door at night. It's there, right? I own my data. I can physically touch it. Very cool. Fast forward to. OK, that's really expensive. Air conditioning is expensive. Electricity is expensive. Security is expensive. I don't want to do that. I'm going to put it in a co-lo space, our co-location facility, if we're not using acronyms. And I'm going to make sure that box is safe and it always on the internet is always accessible. Well, that really introduced the first starting to say, OK, well do I still own my data? It's on a box. I own the box, but it's in a cage. I don't own anymore. It's hooked up to the internet I don't control anymore. So we started moving out of that. I'm a very, I sleep very well at night. It's in my closet, too. OK now, this is in another building. Fast forward to today. We've taken all that information and no longer is it on virtual machines that you could go and visit. It's in the public cloud. It's also in private clouds. Right we will be real and say that most companies do operate in a hybrid environment. But, you know, now it's in a company that is publicly traded, that has responsibilities to board members that is, you know, sure a heck of a lot more affordable and convenient to use in terms of, you know, the big ones on GCP, AWS, Microsoft, Azure. And then there are several smaller ones, but where you start gaining agility, you start losing control. And that's where these terms of data sovereignty start coming into place in data security. And really it just starts becoming a kind of a mess to make sure your information is really your information only. And ultimately, you have the final say. 
And that's really kind of where we fit in the whole conversation, I think.
[T. FOSKETT] Yeah, I'm definitely reminded and I think it's even in his LinkedIn profile picture, but Tony has a shirt that says there is no cloud, there is just someone else's computer, right? So when we're leveraging all these cloud services, all we're really doing is say, hey, Google, you store this on your computer, hey, Microsoft, you store it on your server rack. And so there's an inherent level of trust there that they're going to steward that data accordingly. And we've seen, you know, various breaches across software platforms before. And so we have to understand that risk. On the plus side, there is a lot of benefit that comes with that, right? All the amazing things that Google and Microsoft can do through, you know, Office 365 or Google Workspace are going to allow us to do things that we couldn't do if we were doing all that in-house. So there's this balance that we need to strike. And sometimes privacy can fall by the wayside when we're thinking about new features and functionality that we have. It may be easier to say, well, you know, if my data is less private, I can do more with it. And where do we feel comfortable on that spectrum?
[A. LYNCH] Yeah, I think it's pretty common. And you all can probably relate that most people we talk to, I think rarely will people not know what the benefits of being in the cloud are. Yeah, there are just tradeoffs and privacy is one of them. I think even as a salesperson at Virtru, sometimes you're thinking or wants to be thinking how these big companies like Google and Microsoft, you know, are not secure enough and that you know, you should consider who you're trusting with your data because you're envisioning someone in their data center going in and regularly spying on a company. But in fact, I mean, these are very secure, very, of course, reputable companies. Yeah and so I guess, like knowing that that, you know, Google employees are not regularly, purposely knowingly spying on a customer of theirs. Why would a company want to consider adding additional layers of privacy in the cloud and even what are the options to do that?
[T. ROSALES] Yeah, there's a couple of reasons and I'll probably put this to Trevor once we start getting into the compliance reasons. And making sure that, you know, you're adhering to the letter of the law. But I mean, there's really a couple of reasons at the very beginning. One, first and foremost is if my data is sitting on a storage bucket, say, in Google Cloud platform, when I ask Google to run analytics on that, not only am I gaining the information that I'm asking for, I'm also opening up my data to whatever they might be doing with those analytics on their own site. Right, because they're running reports based off of what you've asked them to do. So it's a two way street. Your data is not now open to the public, but the stuff that gets interpolated from your data is now kind of part of their infrastructure, and there's really no separating that. Sure, it's anonymized and shared sharded and separated. And so there is no like, oh, we've just leaked out, you know, John Doe's information. But what you have done is given them patterns and those patterns can sometimes be stuff you don't necessarily as a business owner want out there because in and of itself, those things can be proprietary.
[T. FOSKETT] Yeah, I mean, I'll touch on the compliance bit that Tony mentioned in a minute, but I think, you know, a large part of this is purely ownership. Going back to sort of Tony's analogy before as we went from days where everyone owned their own house, and now we're largely in a world where everyone's renting. Everyone has an apartment in some other company's tower. So it really comes down to who actually owns that data. It can be a little bit tricky. It depends on the scenario. But when it comes down to, you know, Joe, Department of Justice comes knocking. A lot of times ownership is not in their possession is 9/10 of the law. Right, so if you potentially get in a situation where someone is requesting access to your data, it may be something that doesn't actually fall to you. It may fall to, you know, to use the apartment metaphor, your landlord rather than you. Can they come into your apartment and see your stuff? You might not be home. You might not know. And so there's that just simple element of the fact that we're outsourcing a lot of this work to gain all that power. You know, are we still fully in control of that? A lot of times, the answer is a bit of a gray area. Of course, you know, as Andrew mentioned, these are large companies with amazing security practices and contracts 10 miles long that will sort of dictate what and who can do. You know, what, with that level of access, it's going to be very minimal. But still, when it gets into those sort of gray areas, a lot of compliance teams and security professionals don't like to operate in gray areas. They want to be more in a black-and-white world. And so when we think about that, we think about how can we sort of turn the contrast up a little bit and eliminate that gray and start making things a little bit more cut and dry?
[A. LYNCH] Yeah, that's a good way of putting it. How can you kind of get the best of both worlds, that sense of data ownership that you're used to previously, but also the benefits of the cloud and the collaboration aspect? And for those who don't know, I mean, that's really where Virtru in large part does fit in: we allow you to really have complete ownership over your data throughout its lifecycle. So that you can not have to worry about that and have peace of mind that, for example, if there is a blind subpoena against your organization where the government is asking maybe Google or Microsoft to have access to your data, that Google or Microsoft don't have any plaintext to give over, they just have ciphertext. So that's just one use case for Virtru. Another one that comes up is data sovereignty. It's a tough word to spell, I will say, sovereignty. So for those who aren't familiar with that, would you guys mind sharing just at a high level what that is? And where does the cloud come into our consideration with that?
[T. FOSKETT] Yeah, I'll, I'll jump in first because I, of course, remember that I forgot to touch on the compliance piece that I just said I was going to touch on. But the compliance and data sovereignty go very well hand in hand, because in addition to simply your own security practices as an organization, depending on what industry you're in, what kind of data you deal with, where you're based in the world, you may have other legal requirements about what you are allowed to do and who you're allowed to do business with, and where your data is ultimately allowed to live. So if you're in the US and you do business with the Department of Defense or you do contracting work that touches that sort of defense industrial base, you may be beholden to things like ITAR or CMMC, things that really dictate what can be done with that sort of controlled unclassified information in that legislation that says you can't put this stuff on cloud providers, just can't, because the way that those organizations are set up, you may have a non-U.S. person, which again, could be some, you know, systems administrator, who may encounter that data tangentially, but according to the law, you just can't have that. What they've said, though, is if you encrypt that data before it goes into those ecosystems and you ensure that the keys are stored elsewhere, then they apply what they call this carve out. That's OK in that scenario, because if that non-U.S. person encounters it, it's going to be ciphertext and without the keys it's meaningless. We haven't exposed that controlled information and so we see a very similar requirement coming from non-U.S. customers, organizations based in the EU. France has very strong data privacy laws, for example, where when they do business with global or US-based entities, there's a concern about where that data lives.
Whose regulations and laws is it subject to? Is it subject to US law because they have a data center in the US, or is it subject to French law because it's a French company? And again, we're talking about these gray areas. So one of the ways that we look to eliminate that is through, again, ownership of that data. If I can use some sort of technique through technology and encryption, key management to tie all of those access requests back to my own organization, bring them in-house, bring more of that control, then that becomes less of a concern when we cross those borders under those scenarios. So it's kind of a similar story, although the motivations behind it can be a little bit different.
[T. ROSALES] Yeah, yeah. And I'll just add that really the nature of the beast is kind of what, what drives the almost conceptual idea of ownership now, right? Like, it's not physical ownership anymore. It's, if I have control, control equals ownership. And because everything's very ephemeral and kind of moving around all over the place, you have to almost set up these guardrails to make sure that what it is you're saying can indeed be actualized, even though you might not be doing it. It gets very gray, even in there, even in the explaining the concepts, because ideally I have to be able to point to something and say, OK, this one thing is what makes it all mine and I own it, right? And that's really where, where I feel like we fit into that picture.
[A. LYNCH] I like it. No, I think it's very well said. I want to circle back on something that you were talking about, Trevor, I think for the first time in this session, which is around encryption keys. So we've talked a lot about encryption. But let's talk about where do encryption keys fall in? What are the options that people can consider? You know, for example, should the encryption company be hosting the keys for you? Should you consider organizations besides the collaborative platform you're using to host keys? We'd love to hear what you're all to take just around that is and will segue I think later into this is going to sound pretty complicated. So where in the world does sort of the end user experience fit in? But let's start with the encryption key part.
[T. FOSKETT] Yeah, well, I would say, you know, you can think of an encryption key, of course, just like any other key. If we want to simplify the system, it's going to unlock and allow access to data. Most of the things you do online every day involve some sort of encryption. When you go to your bank website, you're communicating with the bank through a secure transport channel over the network. When we send emails through Google, they're encrypted at rest on Google servers. But the real crux here is who is managing those keys? The whole point of encryption is to make sure that it's only available to certain, certain people. And we do that through who has access to the keys. We can send private data over a public network if it's encrypted. And we're not also sending the keys of the networks. Where that ownership comes into play is where is the data living and where are the keys living? A lot of times, we find while a lot of these things are being encrypted as we use our ID, our online services day to day, the keys and the content are actually being stored by the same company, maybe stored in different locations than if they're stored by the same company. Ultimately, that company, again, is more in control of that data than you are. They have all the pieces to the puzzle. So if we're looking for a heightened security approach or where we want to meet compliance requirements or have that data sovereignty, we need to look at how we can separate those two out. How can we keep the keys and the content separate so that nobody ever has all the pieces of the puzzle, aside from those who we have explicitly stated should have access? And so you can do that through a couple of ways. You did a little sales plug for Virtru. I said we exist outside of these productivity suites that a lot of our customers use. So when they encrypt data in those ecosystems and use us as their external key store, you get that separation. We have keys. Google or Microsoft has content.
Nobody really has everything they need except for ultimately the end user and anyone they've granted access to that data. But there's also, you know, more and more ways coming out to do that. Now, Apple has recently introduced client-side encryption for iCloud data, meaning that the end users store and keep their own keys locally. Apple is not able to access that data on your behalf. Or through Google's new offering of client-side encryption, which I know we're going to talk a little bit about in a moment. So don't get too far into it. But we're starting to see that native support for these things as the global momentum behind data privacy starts to move in that direction. We're seeing a lot of support for it coming out of these large companies, which is obviously great to see.
[T. ROSALES] Right, and it's kind of a pendulum effect, right? The idea is we moved so far towards the agile and get the software out the door. And, you know, we've got to move faster, faster, faster. That security, even though we have DevOps and that was great and we have DevSecOps on it, it went so far, so fast that everyone kind of went, oh, wait, who actually owns this stuff? Right? And so this is kind of that reverse effect where it's coming back in that, well, I have to, I have to have actual ownership before I can move forward. And without sacrificing that agility, we are able to then utilize these client-side encryption tools that people are putting out to actually create those things.
[T. FOSKETT] Yeah Yeah. And I mean to circle back just on, you know, on where the key is going to come into play, I'll, I'll kind of wrap it up with the. You know, the apartment versus, you know, a house analogy again is you have an apartment and your landlord has a set of keys to your place so they can allow maintenance in or, you know, do some sort of work on the place while you're out of town. There's less of an ownership of that place, right? Because someone somewhere someone else can come in and do things they may not. I've never lived in an apartment where I suspected that my landlord was in and out of my unit while I was at work. But there's always the possibility, right? There's always that possibility, even though I know that they're most, most likely not doing that. And I think what we're seeing now is people wanting to put that same sort of control in place of the data. Look, I know that as my cloud provider, I've signed a ton of contracts with you. You have policies and procedures in place. You're probably not going in there and reading my emails to see what I'm up to. I'm not that interesting of a person, but I'd like to be able to just say because of this actual technical layer, you couldn't, even if you wanted to, is always going to be a more private and more secure approach to just have that control in place.
[A. LYNCH] And I would say just adding in that at the end of the day, Trevor, Tony and I are all regular people, consumers that subscribe to lots of different things and buy stuff. I would appreciate if that was the case too. You know, there is that sense of there is what's the word? We're going to edit this out later, that it adds a sense of peace of mind, knowing as a consumer that you just don't have to worry that your data could be compromised and someone else can have access to it. And you're going to start getting now all these random phishing attempts because, you know, the data was compromised. Something else that you said, you know, you were talking about just I think. How to consider key management and control of your data with these collaborative platforms. You know, one thing that comes to mind to me, especially just as we're talking to organizations now compared to a year ago, we're obviously in a different economic, we're in a different economic environment. It sounds like this is something, at least from my perspective, that you may not want to work towards. Consolidating vendors actually sounds pretty easy to comprehend the benefit of not having one company doing all of this. What do you guys think?
[T. ROSALES] Um, in that regard, I think it's want to make sure it really especially if you're talking about bang for your buck. Economics, right? We want to make sure we're getting the best out of the money we are spending. You want to make sure that where you're spending your money is with someone who does that thing the best. Right? You know, the analogy I always make is I'm not going to go to a steakhouse that is known for their prime rib and order the chicken. Right? I'm going to go there because I've already read about it's good. I know that they're good at it. So I'm going to get what they're good at.
[A. LYNCH] And so for those who couldn't put that together, Virtru is like the prime rib of encryption and key management.
[T. ROSALES] So it's what I'm saying, it's what I'm saying.
[A. LYNCH] We're talking about encryption keys and we're talking about getting the biggest bang for your buck. And again, you know, we at Virtru, we partner with, you know, Google, for example, as a recommended encryption partner. We think they have obviously great products and they came out with something pretty interesting and pretty cool: Google Workspace client-side encryption. And we get asked about that. You know, sales, the sales team that I manage on a daily basis have Google customers that come to us and just want to first learn what is it? Who has access to it? What are the benefits? So, Tony, would you mind sharing a little bit about just what that is?
[T. ROSALES] Yeah, absolutely. So Google's entire client side encryption offering is really based a kind of almost a derivative off of their Google Cloud platform, external key management. So the way it works within the Google ecosystem is everything is a product of Google cloud, right? So if you go and look at their masthead, it's not Google Workspace and then GCP, it's Google Cloud. And then under that is all the different products that they have. So really what they're essentially offering is saying, look, we're going to protect everything within our environment. And that's just how Google operates. Everything's encrypted at rest and in transit within their world. And so now what they've done is they've added a layer to say, OK, if you want to protect something and own the things that we are protecting for you and say, look, I need to have that external or that additional layer that Trevor was talking about. We're going to let you do external key management, Virtru, as a provider of one of these external key management systems. Right? And so within Google Cloud platform, there are several of the services that Google offers all the way from compute engine, all the way down to Kubernetes as well as, you know, the cloud storage and the big one. I'm trying to search for the– the BigQuery and everything in between. There's like 30 services available now that will use this, one of them being Google Workspace. Google Workspace has obviously much more to it because it's a product suite as opposed to just a single service. And so within that, there is additional functionality, right? So there's going to be client side encryption for Meet, for Drive, for Calendars, which is going to help you individually protect information within each of those offerings. You know, there's obviously client side encryption for Gmail, which is in beta that's coming as well as some of the other features that they're building out for.
[T. FOSKETT] I mean, content encryption from Google is, you know, I think Google's recognition of this zeitgeisty movement behind, you know, control and privacy of your data. One of the things that makes Google's platform so amazing is that they have this sort of unified ecosystem that allows data to move from potentially, you know, GCP, as you mentioned, into Workspace or different parts of Workspace to another. But at times, that can lead to a sacrifice of what's exposed to Google, whether that's contrary to your own security posture or you're an organization that's beholden to those compliance regimes that I mentioned earlier. Sometimes that would just preclude you from using those services. A lot of stories of Google Workspace customers who say, well, we still got a whole bucket of people who use Microsoft Word because the types of data they're dealing with just legally can't be put into Google Docs because, you know, that's Google. Google could potentially see that. And so content encryption for me is really their recognition of this kind of zero trust model. And whether you think that's a buzzword or you've been a diehard fan of it for a decade, you probably fall somewhere in the middle of that spectrum, I think is let's assume, and you'll hear this from the DOD as well, when they talk about how they architect networks, is let's assume there's always a bad actor in the network. May not be true, but let's assume it and put the controls in place that would save us in that scenario and just have that be our standard posture. And so that's kind of the approach with CSE is, look, hey, use our services, use Google, send email, create documents, share files, everything. I do. Assume that we're bad guys and we're trying to see it, and we're to put controls in place that mean that we couldn't do it even if we wanted to. And that's why you'll see some of the requirements to use CSE.
Things like introducing a third party identity provider as well as a third party key provider is let's only give each of these parties the essential bit of information they need to deliver the service. But nobody has enough to decrypt the data except for ultimately the end user. And so it's just a way to offer all these assurances that used to make us live in on prem environments. Now, getting that benefit of cloud computing collaboration, but without having to make some of that sacrifice, that we've seen.
[A. LYNCH] That sounds awesome. And so we've talked about, you know, key between different options of delivering it, the pros and the cons. For those who weren't aware, again, Virtru is able to add end-to-end encryption to platforms like Google Workspace and Microsoft Office 365. That said, I will say happily, two of the more technical people, a lot of this sounds complicated and I'm kind of wondering, scratching my head what an organization wants to implement all of this, because we all know that if a technology is too hard to use, employees are going to try and get around it. So we'd love to hear from you guys. Yeah at a high level, a little plug for Virtru. How does that work with Virtru? Is this something that is easy to deploy, easy to use? What are some of the tradeoffs? What do you guys hear from our customers?
[T. ROSALES] Yeah I mean, the things that I'm probably hearing the most are that, you know, in and again shameless plug. Insert here the way we design the stuff, it's very true. We're very cutting edge in terms of our architecture and the way we design our software. And so all of the work that gets done that has to be done is done, you know, with our teams and the different administrators of these systems kind of upfront. And really the end users are just seeing the benefits. They're there. It's not cumbersome. There are not a million steps. We leverage a lot of existing technology to help get us from A to B so that we're not reinventing the wheel. Just, again, very high level here. And it just makes it to the point where the end users are just doing their job right. And it's just a matter of clicking a button or making sure that there's a rule that if they forgot it's in place and don't worry, because we've got all the layers in place that are going to catch that information as it traverses the network.
[T. FOSKETT] Yeah, I think, you know, Virtru, in partnership with Google, the reason that's been so successful over the years is because we both place a large, very large value on the user experience. And I think, I would not be out of line saying most people, even diehard Microsoft enthusiasts, probably prefer the user experience of Google products regardless of how they feel about whatever else is there. Google has placed that emphasis for years and we have as well to make this sort of complex stuff easily approachable for the end user. You know, you can get into the weeds a little bit with a lot of this key management stuff, but ultimately everything we talk about today largely happens seamlessly for the end user. The admin will need to configure things and maybe deploy a few things to get started. But for an end user, it's really going to be, hey, I'm using my Google productivity suite and sending emails, creating documents. Maybe I click an extra button here or there, but it's all designed in a way that's meant to be approachable for someone who is not a technologist. None of this encryption stuff is new, regardless of how much we want to be excited by it. You can encrypt data. For 30 years, people have been sending emails with PGP and other technology. The problem with all that is it's only been delivered in a way that your IT administrator or your software developers, or just hard core technologists could use. And in business scenarios, we saw people just say, you know what, it's not worth it. And I'm not going to do that because it's going to take, you know, my end users 20 minutes to send me an email, kill our productivity, we're going to lose millions of dollars. So we'd rather just take the risk and go it alone. Now we're in a world where that's no longer the case. That tradeoff, again, similar to this kind of cloud compute, privacy, sacrifice we talked about earlier, you don't need to sacrifice the productivity for the privacy either.
These tools are now presented in such a way that really anyone can use them, which is the whole point. So again, there is a little bit of setup. Of course, you also see that between the products that Virtru offers natively versus what we support with Google and client-side encryption. Both of us are very sort of workflow focused. We want to make sure that what we're delivering makes the most sense for what it is you're actually trying to do. And so there's a little bit of thought that goes into which set of those workflows are going to be the best mix and match between the two of us. But ultimately, you'll find that we can provide a holistic solution for most of what you need to do.
[A. LYNCH] I appreciate both of your inputs. And of course, I've sat in on hundreds, maybe 1,000 plus demos in my career now, at Virtru. And so, of course, I've heard similar feedback and reactions where one of the benefits of Virtru, one of the biggest, is how we make all of this easy. You're not sacrificing security or privacy for ease of use. A line that I always use is "encryption is not hard to traverse. It's been around a long time, making it easy, specifically decrypted. That is usually the hard aspect," and that's something that Virtru's patented to enable consuming and collaborating in a secure environment. Well, thanks. Thanks, Tony and Trevor, for your insights. Again, I think when you're considering collaborating in the cloud, it comes down to there are tradeoffs that need to be considered, and hopefully some of the viewpoints around encryption and key management, specifically how Virtru can help enable that in those environments, have been helpful. For those who would like to learn more about Virtru, please just head over to www.virtru.com and we would enjoy a one-on-one conversation to learn what are some of the things you are concerned about or keep you up at night around collaborating in the cloud and share firsthand customer stories as to some of the benefits that people are seeing using Virtru. So thanks for the time, everyone, and we hope you enjoy your coffee!