As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Riddhiman Das, co-founder and CEO of TripleBlind.
Previously, Das worked in corporate venture capital and M&A for Ant Financial, a financial services arm of the Alibaba Group. In his role as head of international technology investments, Das was focused on deals in enabling technologies for Alipay worldwide including blockchain, artificial intelligence, security, IoT and computing. He also spearheaded the Ant Financial and Alibaba network in Israel, Silicon Valley and New York, helping bridge the gap between the Alibaba ecosystem and technology startups outside China.
Das came to Ant Financial through EyeVerify’s successful exit. At EyeVerify, he helped commercialize a software-only, biometric method for verifying the identity of mobile users called ‘Eyeprints’, which is based on the unique vein patterns in the whites of a person’s eyes and has fingerprint-level accuracy.
A lifelong entrepreneur and innovator, Das has spent most of his career in leadership and technical roles in software and product development in startups, academia, and consulting across a variety of industries, including cybersecurity, fintech, digital identity, mobile payments, wireless systems, chipsets, healthcare, biometrics, security, and government and civil technology.
Das holds a bachelor’s degree and an MS in Computer Science and Electrical Engineering from the University of Missouri — Kansas City. He received the 2013 White House Champions of Change award from President Barack Obama.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I feel like there are two parts of my life — one before I knew computers and the one I live now. I grew up in a family of doctors, and when I was six, we got our first family computer. I knew that very night that this is what I wanted to be doing for the rest of my life. I started learning how to program in second grade and have never looked back.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I wrote my first encryption software tool when I was 12 — it was a simple cipher that generated passwords for me based on phrases I spoke in real life. This was before I knew about hashes and the best practices in cryptography, but I did have really strong passwords.
Right after college, when I was developing a biometric system to identify a person based on the layout of blood vessels in the white part of your eye, we developed a pretty cool cryptographic approach to generate keys based off of your biometric. On top of that, it preserved privacy. In essence, we turned every person into a walking cryptographic key generator. It was such a profound realization of the power of cryptography to do things society had struggled to do that I decided to dive really deep into it.
Can you share the most interesting story that happened to you since you began this fascinating career?
The interesting thing about infosec nowadays is that the nefarious actors are industrialized. After my previous company was acquired by Ant Group, the financial services sister company of Alibaba, we learned how professional the fraud industry was — buildings full of thousands of highly trained programmers were working around the clock to break software. And occasionally getting arrested by the police. But the realization that there are legions of smart people, even outside of nation-state efforts, to break our systems really makes you realize how important the work of honest actors is.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I lost my dad when I was really young and was raised by a single mother. I would not have done anything had she not stood by me and lifted me up. From doing everything she could to help me pursue my dreams to picking me back up when I was punched in the face, she’s the reason why I’m here.
Are you working on any exciting new projects now? How do you think that will help people?
I’m working on TripleBlind — where we’ve built new and novel cryptographic techniques that allow companies to allow private access to their most private and sensitive data. From training deep learning models to encrypting algorithms, we’re building a safe, secure and compliant way to build liquidity for data and algorithms beyond organizational boundaries. All operations on all kinds of data are possible, as long as it’s authorized. The data and algorithms are never decrypted during the process and are able to be utilized to their fullest extent possible.
The biggest impediments to the next big leaps in the information revolution result from a lack of access to the right datasets, and we’re fixing that.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
I wish I had the magic formula for this one, but I think it’s important to work on a problem that you care about. There’s a lot every one of us can do to change the world, but I’m lucky that “work” and “play” are pretty indistinguishable for me.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
I think we’re still early in the “software is eating the world” movement. I’m excited to see the rapid advancements we’ve made in edge computing and how these systems are kept secure and safe using a combination of hardware- and software-based approaches to securing the entire stack. COVID-19 is also accelerating a lot of trends already underway, and as large enterprises refine their security posture for the new normal, I think we’ll see a dramatic rethinking of how we approach overall enterprise security.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
I still think that the “organized cybercrime mafia” is in its infancy in the western world. We’ll see a lot more threats and novel exploits. All of my banking information is still vulnerable to just one employee at my bank becoming a victim of a phishing attack. My opinion is that organizations need to shift from a “don’t be evil” mindset to a “can’t be evil” mindset in their IT security exploits.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I had a chance to really view the mobile security threat landscape firsthand at Alipay. We faced a well-organized fraud industry that was always on the hunt for exploits, not just in our production systems, but also in our mobile apps spread across all kinds of mobile devices. We had to ensure that every component was subject to vigorous testing and ensure that any aberrations anywhere were detected and stopped.
This was for a system that had almost a billion users — it was a fun challenge to always try to outthink the most creative hacker army in the world.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Personally, I’m a big fan of FIDO-based second-factor authentication for all online services that allow it. It basically is a hardware-backed authenticator that is the state of the art in preventing phishing attacks. Most phishing attacks can be prevented by using a FIDO-based authenticator.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
The best part about a “Can’t be evil” vs “Don’t be evil” mindset to cybersecurity is that it is so much more immune to human error. I think we’ve made tremendous strides in the last few years in making BYOD really safe. However, even if companies don’t have a CISO in house, making sure that all the places where enterprise data is stored are configured to use the most stringent security setting should be the best practice.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
For the layperson, the two most common ways things go wrong are often phishing scams and local endpoint (read: laptop) compromises. For phishing scams, inspecting links before clicking on them to ensure the domain name is correct is paramount — even the most trained professionals occasionally fall victim to clicking on strange links. For local endpoints, intermittent CPU whirring even while you’re not doing any demanding tasks is often a sign that your computer is compromised.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
As soon as you learn about a possible data breach, the first course of business is to determine what was likely to have been compromised, and communicate to those stakeholders. If customer data was breached, companies should strive to let customers know as soon as possible, so that they can take the appropriate mitigations. If there isn’t a CISO department with a cyber forensics expert, hiring a cyber forensics firm to determine the extent of the breach and learn about the appropriate mitigation steps to take as a company should be the first item on the playbook.
It’s actually been really good for us, while being good for the world. The privacy statutes are in the best interest of consumers and companies to ensure that their data is not being abused in unintentional ways. Most governments are developing some form of data privacy regulation to safeguard their citizens’ interests, and I am hopeful that there’s a federal privacy statute in the next decade.
My company, TripleBlind, provides cryptographic tools that enforce privacy regulations worldwide without losing the utility of the data. We’ve seen legitimate uptick in interest from companies that operate in multiple jurisdictions that see the benefit of having a global view of the operations, while still enforcing the local privacy regulations.
What are the most common data security and cybersecurity mistakes you have seen companies make?
A common mistake I see is holding on to stray data from past uses of the data. For example, if you look at the recent breaches that have affected some of the large banks, it’s leaked credit data for millions of Americans. But the reason the bank held on to it is because even after the data was used — it was useful when determining if an applicant for a credit card really deserved the particular credit card, but after that, it presented a huge liability to all stakeholders.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
We’ve seen a huge amount of uptick in cybercrime. During the COVID-19 pandemic, ransomware was up 72%, and as we did more from our own devices from home, even mobile exploits grew 50%! A lot of these were targeted at critical infrastructure of hospitals, pharmaceutical companies and research labs. The best practices and tools to prevent most of these exist today! I’m hopeful that as more and more companies take cybersecurity seriously and adopt best practices, that they don’t just apply band-aid fixes, but see a trend of a more strategic stance on adopting a security first mindset.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
In my opinion, here are the five things every company needs to know to tighten up its approach to privacy:
- Don’t leave stray data unprotected. If you’ve used data from another company or institution for a particular transaction, it’s a huge liability to hang on to that data forever and leave it exposed. For example, we learned with the Capital One breach that they hung onto every credit file from every application for their credit products and left it unprotected!
- Protect data in use. Conventional data security best practices protect the data while it’s at rest and in transit to a third party, but not while it’s being used by the third party! While historically we haven’t had the tools to enforce that the data is secure while it’s in use, we have the tools to do it today. The cryptographic, statistical and mathematical primitives required to ensure that sensitive data is secure while an algorithm is being executed on it are mature and production-ready. Secure enclaves, for example, are a hardware-backed solution that ensures that a malicious party cannot snoop on the data while it’s under use. However, the limitation is that the data can be safe only as long as the right hardware is present. Homomorphic encryption has a lot of promise, but is still infeasible. There are enterprise-ready solutions out there today; for example, TripleBlind enforces privacy at enterprise scale for all kinds of data for any operation being performed on it, without any hardware dependency!
- Don’t exchange data in a way that it needs to be decrypted to be utilized. Today, to use any data, it needs to be decrypted. This means an exact replica of the data is generated at the counterparty, and this replica of the data presents huge liabilities. As I mentioned earlier, stray data may be breached long after its useful life is exhausted and be used in malicious ways. Decryption also presents other regulatory and compliance challenges because decryption causes loss of control over how the data is used — there’s no way to guarantee that it won’t be abused by the counterparty. This causes a lot of friction in the overall data economy. Techniques like multiparty computation ensure that the data is usable to its fullest extent while still ensuring that the raw data remains invisible to the counterparty.
- Don’t rely on the receiver’s data security infrastructure. For most data exchanges today, because the receiver ends up with a replica of the data, it’s still exposed to all the vulnerabilities of the receiver’s security infrastructure. Despite the owner of the data following all best practices, the data is still exposed at the third party! Cryptographically enabled virtual clean rooms for data ensure that the raw data isn’t replicated by the receivers, and therefore its security and privacy does not rely on the receiver’s IT security infrastructure.
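The third item above names multiparty computation as the way to let a counterparty compute on data without ever holding a decrypted copy. The following is an added illustration of the simplest form of that idea, additive secret sharing; it is not code from the interview and not TripleBlind's product, and the three parties, their private values and the prime modulus are all constructed here for the demonstration. Each party splits its own number into random shares, gives one share to every other party, and publishes only the sum of the shares it holds. The shares any single party receives are uniformly random, so no party ever sees another party's raw value, yet the published partial sums combine to the exact total.

```python
"""Additive secret sharing: a minimal multiparty-computation (MPC) demo.

Added example, not TripleBlind code or any product's protocol. The parties,
their inputs and the modulus below are constructed for illustration.
"""
import secrets

# Shares live in the integers modulo this Mersenne prime; Python ints keep
# the arithmetic exact, so no overflow handling is needed.
PRIME = (1 << 61) - 1


def split_into_shares(value: int, n_parties: int) -> list[int]:
    """Split a private value into n_parties random additive shares.

    Any n_parties - 1 of the shares are uniformly random and carry no
    information about `value`; only all of them together reconstruct it.
    """
    if not 0 <= value < PRIME:
        raise ValueError("value must be in [0, PRIME)")
    if n_parties < 2:
        raise ValueError("need at least two parties")
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    # The last share is chosen so that all shares sum to `value` mod PRIME.
    shares.append((value - sum(shares)) % PRIME)
    return shares


def reconstruct(shares: list[int]) -> int:
    """Recombine additive shares; correct only when every share is present."""
    return sum(shares) % PRIME


def private_sum(private_inputs: list[int]) -> tuple[int, list[list[int]]]:
    """Sum every party's input without any party learning another's input.

    Returns (total, views): views[j] is the full list of shares party j ever
    receives, one from each party (including its own). That list is all a
    party sees of the other inputs, and it is indistinguishable from random.
    """
    n = len(private_inputs)
    if sum(private_inputs) >= PRIME:
        raise ValueError("total would wrap around the modulus")
    # shares[i][j] is the share of party i's value that is sent to party j.
    shares = [split_into_shares(v, n) for v in private_inputs]
    views = [[shares[i][j] for i in range(n)] for j in range(n)]
    # Each party adds the shares it holds and publishes only that partial sum.
    partial_sums = [reconstruct(view) for view in views]
    # Summing the partial sums swaps the order of summation, giving the total
    # of the original inputs without any input ever being revealed.
    total = reconstruct(partial_sums)
    return total, views


if __name__ == "__main__":
    # Constructed inputs: e.g. three institutions each holding a private count.
    inputs = [120, 250, 30]
    total, views = private_sum(inputs)
    for party, view in enumerate(views):
        print(f"party {party} holds shares {view} (reveals nothing about {inputs})")
    print("jointly computed total:", total)  # 400
```

Because the scheme is linear, the same exchange computes any weighted sum (a mean, a count of matching records) by having each party scale its shares before publishing; that is the general mechanism of which the interview's "usable without being decrypted" is one instance. The limitation the interview alludes to also shows here: a party that colludes with every other party, or that collects all the shares, can reconstruct the raw value, so the security rests on the shares never being pooled in one place.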
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Monetizing latent data securely. We can make rapid strides in precision medicine, financial inclusion and fight credit card fraud if companies allow their latent data to be used by third parties without any of the liabilities, risks and compliance issues that are there today. TripleBlind is leading the way to making the world’s private and sensitive data usable.
How can our readers further follow your work online?
Read about the exciting work we’re doing around building a Privacy API at https://tripleblind.ai
This was very inspiring and informative. Thank you so much for the time you spent with this interview!