It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Ron Indeck, Ph.D., CEO of Q-Net Security, an innovative cybersecurity company based in St. Louis. Prior to joining Q-Net Security, Dr. Indeck served as President, CTO, and Founder of VelociData, a technology spin-out delivering accelerated decisioning to global corporations. Before forming VelociData, Ron founded and was CTO to Exegy, a firm that enables over $1 trillion in trades daily. At Washington University, he was the Das Family Distinguished Professor and Director of the Center for Security Technologies. His security technology has been incorporated into roughly half of the card readers in the world. He has published more than 60 peer-reviewed technical papers and been awarded more than 75 patents; been named the Bar Association Inventor of the Year; and served professional societies in various roles including IEEE Magnetics Society President.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in the mosquito-filled tundra of Minneapolis, Minnesota, as the fourth of four boys. To this day, we still have no idea how my mother survived us all! Education was extremely important in our home, curiosity was encouraged, discussions were demanded, and advanced formal training was expected. All four of us have advanced education and degrees. This has carried on to our children as all of them have doctorates, which hopefully is part of a positive life attitude and not a burden. Science and math, or STEM, were the strong drivers. I recall being given a chemistry set for my birthday and I did many fun experiments from making color changing salts to indicate humidity, to (un)controlled explosions. Did I mention how we have no idea how my mother survived our childhood? I also remember taking things apart to see how they work even though I frequently had parts left over after putting them back together. This set me on a path to pursue engineering as a career, teacher, and passion.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
I was raised in the ’60s and while we may think back on the drugs, sex, and rock-n-roll counterculture, the Vietnam War, or the nuclear-fueled Cold War, there was another remarkable thing happening during that time — President Kennedy set up a mission to the moon. This moonshot, along with the Mercury, Gemini, and Apollo programs, created an amazing and awe-filled time where anything could be accomplished. I recall having the pictures of all the astronauts on my wall, photos and models of different rockets in my room, and very closely following many of the activities associated with the Space Program. I actually wanted to be an astronaut, even though I was told my need for glasses meant I could not be a pilot. Anyway, the United States reaching a dramatic high with the lunar landing (which I watched alone on a small black and white TV), became the inspiration for me to ultimately go all in on engineering rather than other sciences or medicine.
Can you share the most interesting story that happened to you since you began your career?
What’s in a word? To most of my colleagues, “noise” is a random process that is always different every time you measure it. Such random processes give people an understanding of what can and can’t be done. As an example, Claude Shannon provided us with a view into how much information we can put into a communications channel in the presence of random noise. My research led me to investigate a communications channel in which we put the data to rest in the middle — the magnetic recording channel. For decades, the noise in this channel had been viewed as random and no different than the processes caused by such things as temperature-induced variations. With my physics background, we started to look at the sources of magnetic recording fluctuations and discovered that a large portion of the “noise” was repeatable. This was fascinating for me as any repeatable signal can be engineered down or even removed entirely. Additionally, it can provide insight into how to engineer a better channel (the recording medium and recording process) to get more information through this channel. For some years we presented data that demonstrated recording media contained a large component of “repeatable noise” owing to material nanostructure. However, most in the industry could not believe the results and thought we got the experiments wrong, even scoffing at us in professional conferences. As I look back, I think many were simply unable to move past their narrow understanding of the word “noise.” Yes, words matter, even in science!
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I have been blessed with a bunch of awesome technical and business associates through my career and I am deeply indebted to them all. The single most important person that has helped me get to where I am today is my wife. This is not a trite attribution to her but rather a recognition that I have taken a rather unusual professional path through academia, to research, and on to entrepreneurship, and she has supported me the entire way. She buoyed me numerous times when a stable future was quite uncertain. She guided me through difficulties when those managing things got in the way of success. She was always supportive as we started on risky new ventures. She even took charge of our young family as we headed to Japan, a country we knew little about, including the language. I could not be where I am without her support and guidance. She is even my best friend.
Are you working on any exciting new projects now? How do you think that will help people?
Yes, we’re working on a number of new projects. Part of the mission at Q-Net Security is to secure the nation’s critical infrastructure. Recent events have shown just how vulnerable aspects of our system can be, so we’re really trying to help improve some of those systems. Several of our projects are doing that on both the governmental and commercial sides.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Find something that you enjoy and don’t give up on it. I believe that “burnout” comes when you are not doing what you want to do. I think it’s important to figure out what you want to do, understand that there are usually many ways to do what you want, and pursue those paths vigorously. I see in most people that pursuing a paycheck will rarely lead to satisfaction; rather doing what you want to do will likely lead to realizing that you have enough to be satisfied.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
For the exact requirements, I would recommend you consult a lawyer or other expert in that field. But suffice to say, there are increasing laws and regulations about private information. You’re right, every business certainly has important information it needs to protect. Everything from internal HR information, to customer contact info, to just trade secret documents can be very important for the operation of a company. In the United States, there are comprehensive laws that govern specific types of information (e.g., health info under HIPAA) as well as general privacy laws, especially in certain states like California. Europe also has laws under a set of regulations called the GDPR, and I wouldn’t be surprised if such laws appeared in the United States in some form over the next few years.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
It depends. Certain laws require a “right to be forgotten,” which means customers, upon request, can have their information deleted. But there are also regulations that require information to be kept. This can include data on internal matters, financials, and research data. So there is no one best practice for keeping data, but there are certainly some best practices for protecting it. After all, much of this data is sensitive, and it’s no good to have a plan to keep or destroy data if you can’t back up those intentions with a good security policy.
In the face of this changing landscape, how has your data retention policy evolved over the years?
As a relatively young startup, our policy has of course evolved in some ways. For example, we have a lot of data about our products themselves that we didn’t have when we first started. Since we’re a very scientifically-backed company, we make sure that we have test data on hand to back up our claims. But mainly, we’ve focused on security. Our product, the Q-Box, secures data “in flight,” or as it moves between computers. So we have a very good grasp on how to work with data as it moves in a network.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
Unfortunately, I can’t get too much into the specifics for that with my company. One other “best practice” is not to explain too much about your company’s own security policies. After all, with many attacks that aim to steal or corrupt data, much of the time is spent on actually gaining information about a network. Unlike the movies, where you see the hackers just deciding to hack a network, a successful hack in the real world takes research and planning. So we encourage people to update their networks regularly and not publicize all the details! However, in our specific case I can tell you that, in addition to our proprietary hardware barrier technology, we also do a lot of industry-standard things. This can include regular onsite backups, two-factor authentication, least-trust approvals, and more.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
I mentioned above GDPR and some of the recent regulations in California. I think that this legislation is part of a bigger trend to protect data, and to enact data privacy. I do think it’s a bit of a shift from where the industry has been. Security has often been about detecting problems by viewing the data and trying to “learn” through machine learning or rules when bad patterns emerge. That is a very anti-privacy approach. Our technology is more compliant with these new rules because we really don’t view the data at all — we just secure it. I’m actually feeling quite positive about the current legislative landscape, although we’ll see what comes next!
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
Well, as a company that designs one of those tools, my opinion is probably a little biased. But yes, I think people and companies are much more conscious of security these days, and technology has made certain attacks feasible that simply weren’t five or 10 years ago. So of course tools to protect data have evolved. That includes protection from future technologies, like quantum computers. We really try to be forward-looking when we design security, protecting not just against today’s threats, but tomorrow’s as well.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
If anything, these have made us more passionate about the work we do at Q-Net Security. It was really concerning to see what we had long suspected — that many of the critical resources and companies we rely on in this country are so vulnerable to these kinds of state-sponsored attacks. I don’t mean to suggest that the attacks weren’t sophisticated, but at their core, they were the result of bad updates to software. That’s why we are adamant about our hardware security, or “hardsec” approach. Our devices don’t require updates, and had they been in place, would have prevented many of these recent breaches.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
- Physical access is full access. You have to realize that once someone physically gets near your computer or device, it’s often fairly easy to get data out of it. And virtually every security company will tell you that. If you have precious data, make sure it is kept as much as possible in secure locations, and on secure servers.
- Humans are fallible. We all know that people can make mistakes — I am sure I’ve made plenty of my own. But when it comes to security, people often make very avoidable ones. This includes the obvious of don’t write your password down on a sticky note or send it via email. It can also manifest in corporate environments. With today’s technology, security requires management of complex keys and certificates. Let’s say one person in IT misses their morning coffee and boom, you can have an accidental breach.
- Keep it simple. Networks are often a patchwork of different technologies, all of which need updating at different times and rely on various interlocking features to work. It may seem like it’s more secure to have more devices and protocols, but it also means it’s much easier to make a mistake. Even things that seem like a good practice, like changing passwords, have been shown to cause burden to your users without much benefit. Simple is best!
- Secure data in flight. So many people use email to transfer information, even business-critical information. And unfortunately, email was never meant to be a secure way to send information. Since I don’t see email going away, we need to think outside the box for ways to secure data as it moves from computer to computer. That’s the problem we work to solve at Q-Net Security. And while our solution can’t secure every email you send today, it can make sure that the critical pathways of your network are protected and fully encrypted.
- Secure data at rest. It’s important to make sure that user and other critical data is protected even if it isn’t moving. One way to do this is with regular backups, encrypted drives, and good passwords. It’s also important to lock down endpoints, making sure data STAYS at rest, by denying computers access by default to resources they don’t need. This is a combination of a couple principles that are too lengthy to describe here, but involve the theory of “zero-trust” as well as “micro-segmenting” your network.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I would suggest that we really need to consider computing from a new angle. Obviously, many of our lives have been improved by general-purpose computers in so many ways over the last few decades. In the span of fewer than 30 years, we’ve moved from computers being primarily a feature on college campuses to having a computer or multiple computers in most homes. The flexibility of those devices to do anything and be anything is great, but we can’t forget that much of the world, and our infrastructure, works on dedicated systems. That includes some that haven’t been updated in years. We can embrace these systems for what they are, specialized hardware, and that will really improve security.
That’s a pretty technical wish! I suppose generally, I would want to inspire people to just be a little more conscious of security in their day-to-day lives. Your data is important to you and treating it with care can really pay off.
How can our readers further follow your work online?
I encourage people to visit Q-Net Security’s website, www.qnetsecurity.com, and also follow us on LinkedIn, Facebook, and Twitter. We also do live (remote over video) demonstrations of our product. Feel free to contact us at [email protected] for more information.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!