Caveat 1.23.25
Ep 247 | 1.23.25

Breaking the SaaS paradigm.

Transcript

Shiva Nathan: By storing all of this data, you are a honeypot. You are a honeypot that is actually attracting unwanted attention to your enterprise and bringing cybercriminals to attack it. And cybercriminals are no longer one guy or two guys sitting in a basement trying to attack the system. Right? These are well-funded, thousands of employees employed, nation-state data centers, and IT firms that are trying to do cybercriminal activity against one country to another country.

Dave Bittner: Hello, everyone, and welcome to Caveat, N2K's CyberWire's Privacy Surveillance Law and Policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hey there, Ben.

Ben Yelin: Hello, Dave.

Dave Bittner: On today's show, Ben and I look at some of the early actions of the Trump administration and what they portend for the future. And later in the show, my conversation with Shiva Nathan, founder and CEO of Onymos, talking about the challenges of data privacy. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice or official legal advice on any of the topics we cover. Please contact your attorney. [ Music ]

Dave Bittner: All right. Ben, so as you and I are recording this, it is what, 26 hours or so till after --

Ben Yelin: Only 1,400 or whatever days to go. I don't know how many hours that is. So somebody will do the math.

Dave Bittner: President Trump was sworn in. We are recording this on Tuesday. So President Trump was sworn in yesterday, on Monday. And he got right to work with a whole avalanche of executive orders. Which, as you have pointed out to me, is pretty par for the course in terms of a new president coming in and taking over and reversing a lot of the executive orders of the prior president.

Ben Yelin: Right. They want to feel like they're doing something. And you can't just pass laws on your first day, although Congress can tee up some bills for you. So yeah, this is the way to do it through executive orders.

Dave Bittner: All right. Well, let's start off with, I think, something that's been certainly capturing a lot of people's imagination and the media. And that's the TikTok ban. I think we find ourselves in an interesting place here with TikTok, what President Trump has said he's going to do, and how that might bump up against the limits of what he's actually able to do. So where are we, Ben?

Ben Yelin: So, just to give some quick background, I know we've talked about this a lot. Congress passed a law last year. It was supported by a majority of members of both parties in the House and the Senate. It required TikTok to divest from its parent company, ByteDance, lest it be banned in the United States. So the drop-dead date was going to be January 19th, the day before President Trump was sworn in. They picked that date on purpose. If TikTok had not been sold to a US entity, then it would be banned in the US. There was some dispute as to what that actually meant. Like, was it just banned from app stores, or were they going to go into your devices and prevent you from using it? Which it turns out TikTok did shut itself down prior to that deadline. The only way that deadline could have been extended is if the president made some sort of statement through an executive order saying, "We are close enough to a deal for divestment. Here's the evidence of divestment. Here's the potential buyer that we're putting a pause on this for 90 days." And the president was granted authority to do that in this law that passed. So this was challenged through our court system. The DC Circuit upheld the ban on TikTok. It was challenged on First Amendment grounds. So, it went up to the United States Supreme Court. They considered the case on an expedited basis because, obviously, we needed a decision prior to that January 19th deadline. So the Supreme Court heard the case. And late last week, in an unsigned but unanimous decision, the Supreme Court upheld the ban. So, there were a couple of First Amendment challenges. One was from TikTok itself, saying that they had First Amendment rights in some of their own content. The use of their algorithm is a form of expression or speech. That was one of the things they argued. And then separately joining the suit were a bunch of TikTok users, influencers who used TikTok as their mode of expression. And they asserted in this case that the government's policy was violating their First Amendment rights. And basically the Supreme Court said a foreign entity does not have First Amendment rights. That's very important. And even granting that TikTok itself is a US company, if you're not including ByteDance. This is -- this law is still constitutionally acceptable if you are considering this under what's called intermediate scrutiny. Because this is a content-neutral restriction on speech, then the government certainly has an important interest here in preventing ByteDance, which allegedly is a wholly owned subsidiary of the Chinese government, from collecting data on US persons and through allegedly manipulating the algorithm to influence what our young people in the United States are seeing on their timelines. So certainly, you have an important governmental interest there. And the means of achieving that interest are substantially related to that interest. There was a dispute as to whether strict scrutiny should apply, which it would have to if this was a content-based restriction on speech. So, if we were restricting only a particular type of content, only a particular type of speech, then strict scrutiny would apply. It -- this was a completely novel case. So, it wasn't entirely clear which level of scrutiny applies. If you read the Supreme Court decision, they seem to say, "We think intermediate scrutiny should apply here because this is content neutral. We're banning every single TikTok video, whether it's from an influencer or whether it's from the Chinese government itself. It's all banned." So, they think that only intermediate scrutiny should apply. But they also said if strict scrutiny applies, they probably still would have upheld the statute anyway. The rationale is that Congress put together a very compelling record of the Chinese government's actions vis-a-vis the parent company ByteDance, that they really are manipulating algorithms. They really are collecting data on US persons. The record is very substantial on this. So, the government has a proper national security justification. And they added a little caveat in there, so to speak. I love throwing that in. I need a little bell to ding [dings].

Ben Yelin: Yeah. Every once in a while. That the analysis of this case is limited to the present circumstances, which might sound familiar because that's kind of what the Supreme Court said in Bush v. Gore back in the day, that like, don't take too much precedential value from this. Don't use this in future cases because the circumstances here are very unique. And I think that's actually compelling because there's no other social media company that allegedly has this type of foreign malign influence that TikTok has. And the circumstances are unique and specific here because of the record that Congress has compiled, because of the investigatory work we've done highlighting the Chinese government's influence campaign that they run through this parent company. So the law was upheld late last week on Saturday, which was the 18th. A bunch of users started getting a message on their phone saying, "This application is no longer available in the United States. However, we are working with former president/president to be, Donald Trump on a solution." So yay, go Trump. He's going to solve this problem for us. Donald Trump, if you'll recall from like 2019, 2020, was the first politician who tried to ban TikTok in the United States. And then he realized that TikTok was a really useful tool in promoting his candidacy. He also formed a friendship with the CEO of TikTok, who was at his inauguration, as well as just other people in the tech industry who were standing up for TikTok's interest. So he completely changed his opinion on this and said in statements over the weekend, like, "Don't worry. We're going to restore TikTok. As soon as I get into office, you know, we'll figure it out." Biden, for his part, basically said like, "There's nothing I'm going to do. I can't really enforce this on the 19th." The enforcement mechanism is to levy fines against the companies that allow TikTok on their applications. But like, just starting that process of going through fines is going to take more than the 24 hours that Joe Biden had in office. So he was basically like, "I can't really do anything about this."

Dave Bittner: He kicked that can down the road to the next administration.

Ben Yelin: And he was happy to do it. And there was this really interesting political divide. Because you have national security hawks in both parties saying how necessary this is, how critical this law is to protect our national security. And then you have all these young people, especially, say Gen Z, Gen Alpha, who couldn't give two, you know whats, about the national security implication. They see that their favorite application is being taken away. And they're freaking out. And people are recording, you know, "This is my final TikTok video. I can't believe their government is doing this to us." And Trump has great political instincts and sees all these young people who don't know anything about the influence campaign from the Chinese government being very upset about this. So he guarantees that he's going to get TikTok back online. So come late Sunday, the day before his inauguration, TikTok starts to reappear on people's phones, largely because President Trump was able to promise TikTok that they would receive this 90-day extension. As soon as he took office at noon on the 20th, he signed an executive order which extends the deadline for these 90 days to see if he can cobble together a US buyer for the service. Contrary to the actual law itself, it doesn't seem that President Trump has identified any potential buyer. It's not clear to me that a sale is particularly close here. He's just using the authority given to the president under the act to extend this deadline for 90 days.

Dave Bittner: Let me just give you a quick correction there. His extension is 75 days. The one in the law is 90 days.

Ben Yelin: Got you. Okay. Yeah. Always open to that correction.

Dave Bittner: And that's a point of contention. We'll get to [laughs], but go on.

Ben Yelin: Yeah, no. That's actually really interesting. I hadn't realized that. So 75-day extension, and I don't know about you, Dave, but I think he's kind of biding his time and seeing if there's the political will to get Congress to repeal this provision or to at least revise it. One of the things that came up in the Supreme Court oral arguments and the oral arguments, frankly, of the DC Circuit, was all these judges being like, "Why can't you just sell TikTok to a US entity? What's the big deal here? Why is it so important for ByteDance to be the parent company?" And what the attorneys for TikTok kept saying is, "We can't do it. Like, ByteDance has built the algorithm. TikTok runs on the juice that ByteDance has built over the years. And it would just be completely impractical." So, you know, I'm just throwing that out there as context. If there are people who are like, "Well, why can't we just have this? Just find some US company to make the purchase. And the problem is entirely solved." Now, whether TikTok is completely on the level about that, I have no idea. And perhaps only they know. But that's where we are. So Trump has extended it, as you said, for 75 days. You can access TikTok on your device at the moment. And we'll see where it goes from here. I think to me, just before we go forward, I think this is just like a fascinating political moment in that you have literally the establishment, which is members of both political parties who've done the research, who've been knee-deep in national security matters for decades, saying this is a huge danger. And then you have the masses of people who love this application, who love creating content, who use it as not just a communications tool, but to hawk their products, to go viral, being like, "This is going to be the death of me if this application closes." And it seems to me that the influence campaign on the new president of the United States that was victorious was young people and not the political establishment in Washington. And that, to me, is very interesting.

Dave Bittner: And you have a populist president who is very -- as you say, has amazing instincts when it comes to sensing which way the wind is blowing.

Ben Yelin: And this is actually like a textbook example of his populism. I almost give him credit for it. There are people in Washington who think they know better than the populace about this application and why it should be shut down and why it's a national security threat. And you have normal people in the millions across the country being like, we want this application. People even knowing that this is, you know, maybe they don't know the full details. But that this is owned by ByteDance, and the Chinese government is wielding this influence campaign. People still seem to want the application. And in fact, polling numbers started shifting against this ban once people started to realize that it was coming because I think there was a backlash among the users of TikTok who are very influential. So it was just a really interesting view into how politics really works these days.

Dave Bittner: There's a really interesting unpacking of this over at Lawfare. We'll have a link to that in the show notes. One of the things they talk about is how both Apple and Google have removed TikTok from their app stores. And the infrastructure providers, the cloud providers, which are Oracle and Akamai had terminated their services. So you couldn't download the app. You couldn't use the app for that period of time over the past weekend. Apple and Google are still not allowing you to download the app. But Oracle and Akamai have decided to resume their services based on the word of President Trump. Now, the violations are $5,000 per user who accesses TikTok.

Ben Yelin: Yeah. That's really going to add up if they violate it.

Dave Bittner: Yeah. So there -- what's the term of art that they used here? There -- some of the senators who are trying to, you know, keep TikTok illegal -- ruinous is the word they're using, that these fines are potentially ruinous because they could easily and quickly get into the trillions of dollars, when you're talking about $5,000 per user and you look at the size of the audience that TikTok has.

Ben Yelin: Right. And obviously that was Congress's intention in drafting the law in this manner.

Dave Bittner: Right. So they're also looking at the ability of the president to do what he's done here with the 75-day suspension, if that's even legal. Given that there was a legal framework in the bill for a 90-day extension, why didn't he use that? Well, this article contends that he didn't do that because he would've had to have cooperation from Congress to do that, since, as you pointed out, they make the laws. So that's interesting.

Ben Yelin: Yeah. That is really interesting. So I guess the technological upshot of this is that you can't -- if you've never used TikTok before, you currently can't download it from an app store. Is that correct?

Dave Bittner: Correct. Yeah.

Ben Yelin: But if it's already on your device, it's usable?

Dave Bittner: Right.

Ben Yelin: And presumably, the people who are addicted to it are -- already have it on their devices.

Dave Bittner: That's right [laughs]. Are already using it.

Ben Yelin: Yeah. It's really interesting. One thing they note in that Lawfare article is that people who have relied on the non-enforcement of anything from an executive branch have fared poorly in court. Because oftentimes, the executive branch will say like, we're not going to enforce XYZ law as a statement of policy. They can justify it under what's called prosecutorial discretion when we're talking about criminal matters, being like, "Look, we only have so many prosecutors. And we are going to devote our resources to violent criminals and not to children who are brought here as immigrants. So we're not going to enforce our immigration laws against those individuals." Obviously, that example is DACA. And in many circumstances, courts have held that people shouldn't rely on that type of executive pronouncement. It doesn't have that great of a force if there is litigation. So, I think that's what Apple and Google are thinking right now. Like, "These assurances are great. But it exposes us to substantial risk to put this back in our app stores." And I think that's probably a wise decision, considering how drastic these penalties are. I don't -- so I -- on the 75 days thing, I mean, I don't know -- what do you think the justification for that is? Because I mean, I understand what you're saying about the Lawfare blog and not having to go through Congress. But what is that in -- what do we think that's intending to achieve?

Dave Bittner: I think it's just buying time. I think it -- he's just -- it allows him to do nothing and to let the app run and, you know, we'll figure it out.

Ben Yelin: Yeah. I think so.

Dave Bittner: I don't think it's more -- any more complicated than that. We'll figure it out. We'll get together with people in Congress. We'll get to -- you know, we'll get everybody together and figure it out. And yeah. I don't think there's anything more complicated than that.

Ben Yelin: Yeah. And we'll just have to keep track of what happens through these next 75 days. I mean, I'm wondering if some members of Congress got cold feet seeing how freaked out their constituents got about this application being taken down. And I'm not sure that Congress properly considered the actual real-world impact of taking down this application. I think many members of Congress assumed a couple of things. One, they assumed that the threat of shutting down the application would inspire divestment. So TikTok would be purchased by some US entity. And that would solve the problem. That didn't happen. Then they assumed that our court system would strike down the law so they wouldn't be the ones responsible. And that didn't happen. The courts upheld the law. So now they realize that they were playing with live fire here. Now, there are some members of Congress who believe deeply in this stuff, including many of President Trump's own allies. If you look at somebody like Senator Tom Cotton, who is an immigration restrictionist, who is just a very conservative lawmaker, very Trumpy, he is adamant about banning TikTok in the United States. And has made statements talking about its importance. So there are people like that in Congress who are never going to compromise on this, that they have these -- this genuine belief that is a national security threat. And that includes members of both parties. But I'm wondering if there are enough members who are like, "Eh, you know, I understand the -- I understood the rationale behind this law when it passed. But do I want a bunch of young people yelling at me on the line?"

Dave Bittner: Right. Well, it -- like you mentioned earlier, I mean, what a political moment to be in, where Congress went -- Congress did the work. Right. They brought the evidence. And since then, I've seen some research someone else did about the type of information that TikTok puts in front of people or doesn't, that is beneficial or detrimental to China. And there was compelling research that showed that the things Congress is saying TikTok does are true, that it does happen, that there is bias there in terms of putting things in front of people that are complimentary to the Chinese government and suppressing things that are not. But what an interesting thing, that you bring all of this evidence and say, "Ladies and gentlemen, citizens of the United States, we are talking about a national security issue." And people are getting cold feet because -- but people really like it. Right?

Ben Yelin: "I really -- I want to really want to go viral."

Dave Bittner: It's like [crosstalk] --

Ben Yelin: "I can't do it on one of the other 100 applications that allow the same functionality."

Dave Bittner: Right. Right. I mean --

Ben Yelin: It's fascinating. It's really fascinating.

Dave Bittner: Yeah. It really is.

Ben Yelin: But it's like you could see this being taught in textbooks about democracy. Like, there are elites in every political system who think they know best and have done the research and know, you know, what's good for you guys. What's good for the masses. And then there are the masses. And those two interests do not always align. And I think that's the case here is people are being told, "We're trying to protect your national security." And people either don't care or don't believe it. And Congress is going to have to contend with that reality.

Dave Bittner: Another sort of, I don't know, tidbit this Lawfare article points out is that there's a five-year statute of limitations on this. So obviously, President Trump has four years. And so someone's going to follow him. And whoever that is, the actions taken by the tech companies today will not have exceeded their statute of limitations when President Trump is presumably no longer in office. So there -- just in terms of the long-term potential liability here -- also the article points out President Trump could change his mind. Right? He's certainly ethereal in the things that -- he has certainly proven his ability to change his mind on things, you know, along the way. And so that could absolutely happen here. So it's fascinating that Apple and Google have taken one point of view. They're playing it safe. They're taking the safe but unpopular position. And the cloud providers, Oracle and Akamai, are taking the popular but, as we've said, potentially ruinous position to do what's popular. How interesting.

Ben Yelin: It is. It is a really fascinating story. If I had to guess, I don't think he's going to change his mind about this, because I think he's become invested in this issue because his biggest fans are very invested in this issue. Including people who it's worth noting two, three years ago, have tweets saying, "Ban TikTok." Like, "We don't want the Chinese government influencing people on the United States." Now they're the ones being like, "Look what those people -- look at what these elites in Washington are trying to do to your application." So it is a fascinating issue. That's for sure.

Dave Bittner: Just real quick, I just want to touch on the fact that moving on from TikTok that one of the first things among the avalanche of executive orders that President Trump signed on day one, hour one really, it was --

Ben Yelin: I assume you're going to talk about changing the Gulf of Mexico to Gulf of America.

Dave Bittner: You know, that's a little outside of our lane.

Ben Yelin: Oh, okay. That's too bad.

Dave Bittner: So we're not going to talk about that. But we are going to talk about how President Trump scrapped President Biden's AI safety executive order. So did away with that, which Republicans had said was detrimental to progress -- you know, was a barrier to innovation, was what they called it. So, President Trump rolled that back. Interesting. You know, here we are deep in everything being -- everything having AI grafted onto it. And the Biden administration tried to put some guardrails on that. And President Trump has removed those guardrails right away. Is there anything to really make of this? Or do you think this is just par for the course of the new president coming in and doing a reverse on many of the previous president's executive orders?

Ben Yelin: Yeah, I think it's more the latter. I wouldn't read too much into it. He reversed 88 separate Biden administration executive orders on the first day that he took office. So I think part of it is just the normal new president comes in who's ideologically opposed to the previous president. And you don't want a lot of the previous president's policies to remain in place. And I'm sure in President Trump's mind vis-a-vis AI, he wants to start over and develop his own policy. The one negative here is I think there was momentum -- bipartisan momentum growing around guardrails on AI. And I think the Biden administration's executive order was a good start at the federal level. The only way to really solve this problem and to make it last more than one presidency is to pass some sort of piece of legislation that's signed into law establishing these guardrails in statutes. I doubt that a very divided Congress is going to be able to do that. But maybe I'll be surprised. But I don't know what this says about his views on artificial intelligence, on how his administration's going to approach issues of artificial intelligence, rather than his view that Joe Biden was bad. And let's go -- let's comb through his executive orders, figure out the ones that are important, and reverse them.

Dave Bittner: Yeah. I mean, it's a good point that it wasn't like freeing AI was a major campaign promise of President Trump. Right. I mean, he had other things that -- I guess this isn't going to bubble to the top of his list of -- on his to-do list, I think right away.

Ben Yelin: I don't think so either. This isn't an issue of passion for him. There is kind of a general warning, I think, from actually the Biden presidency about reversing previous executive orders without really thinking about it just because he didn't like the last president. For Joe Biden, I think something that brought down his presidency was executive orders that he issued in January 2021 reversing President Trump's immigration policies and particularly rules around asylum seekers. I have views about that as a policy. But from a political perspective, it ended up being disastrous for President Biden. There was a surge of asylum seekers, migrants at the border. It became a giant political problem for him. And by 2024, when it was probably too late to affect the election, he ended up enacting a policy via executive order that was as strict as Donald Trump's was before he left office the first time. And a lot of people were really perplexed in 2021 that he would've reversed that executive order. In my heart of hearts, I think his view was what Trump was doing on immigration was cruel. I want to do the opposite of that. So, let's reverse every single thing that he did. And I think that instinct, no matter who the president is, is dangerous. So I don't know how that's going to play out as it relates to artificial intelligence, but just a word of caution there.

Dave Bittner: Yeah. Interesting. All right. Well, we will have links to the stories in our show notes. [ Music ] Then I recently had the pleasure of speaking with Shiva Nathan. He is founder and CEO of Onymos. And we're talking about some of the challenges of data privacy. [ Music ]

Shiva Nathan: So privacy, the way that I think about it, from an analogy point of view, is the food diabetes epidemic or pandemic that's actually going on. We create so much food the same way that we create so much data without even thinking about it. And then we consume and share the food and the data so much that all of us are making some corporations obese with data and honeypots of attacks. And that's the data privacy problem. We are not even thinking in terms of how much data we are creating of ourselves and how much data we are sharing of ourselves with people. That's the data privacy problem. Nothing to do with security.

Dave Bittner: So, in what ways does this become a specific challenge for organizations to deal with?

Shiva Nathan: So, 15, 20 years back, when social media started to come in, we were all thrilled to share our family photos and videos and what I ate for breakfast and everything else with the social media companies without thinking a second time in terms of how this data was going to be used by this free service. And now, 15, 20 years later, we realize that, oh, these things are not just being used to target advertisements for me. In many cases, these are being used for bad, and sometimes in real nefarious cases. So enterprises are just now getting warmed up to the problem that consumers have had for the last 15, 20 years, that consumers have unwillingly gotten themselves into. Enterprises, till five years back, thought data is the new oil: I need to get as much data as possible about my customers and about anyone that interacts with my systems, and they collected all this data. And now we find out that the more data an enterprise has, the more liable they become and the more they become honeypots for cybercriminals and hackers to come and attack them.

Dave Bittner: You know, I think with as inexpensive as storage has become, there's a real impulse to just kind of be a pack rat when it comes to data. You know, we might as well hang on to this because, who knows, in the future we might need it. Do you understand folks coming at it from that point of view?

Shiva Nathan: Yes. Absolutely. So the 2010s created the cheap storage. And cheap storage essentially meant data retention policies kind of went out the window. And there was so much anticipation about using the data to unravel something great about a business insight that can fundamentally change the business, which it did. So Amazon is a classic example. They used the data to target retail. And they did a really wonderful job when it came to that. And Google did the same. And every small enterprise and large enterprise started thinking, "Oh, maybe that one piece of data, if I kept it around, I can use that for my data mining and data analytics and get some insights that will fundamentally transform the business. And since storage is cheap, why delete it? Let me just keep holding data like anything, like there's no tomorrow." And that's what enterprises started doing.

Dave Bittner: And so, where does that leave us today? Are folks still holding on to way more data than perhaps they should?

Shiva Nathan: Yes. Unfortunately, the momentum is still there. The systems that were set up in the 2010s and early 2020s to collect and store this data are still running fine. We are collecting a lot more data than an enterprise needs. But only now we are opening up our eyes to the fact that, "Oh my God, this data is caustic for two reasons." So one reason is that if it gets hacked and that data gets released, you are really liable, because nation-states actually have strong privacy laws now. And even individual states like California have strong privacy laws, so that if you somehow release this data unwillingly, you are liable for the damage that it causes your enterprise users. That's one part of the problem. The second part of the problem is essentially, by storing all of this data, you are a honeypot. You are a honeypot that is actually attracting unwanted attention to your enterprise and bringing cybercriminals to attack it. And cybercriminals are no longer one guy or two guys sitting in a basement trying to attack the system, right? These are well-funded, thousands-of-employees nation-state data centers and IT firms that are trying to do cybercriminal activity from one country against another country. So you become the target of an unwanted adversarial country's attention, essentially.

Dave Bittner: So how should a company come about getting a handle on this? I mean, what do you recommend in terms of having good policies in place?

 

Shiva Nathan: So a lot of companies have something called a security posture. And I have been advocating that the companies need to start having a data posture. Data posture essentially means that you think deliberately in terms of what data you want to even collect for your business. And do not collect data that you do not need today. So that's step number one. Start -- stop at the creation of data. And then the second thing is, if you collect the data, right, during the time when you collect the data is when you have to say when the data should expire or how long am I going to retain the data? It's very tough to go back to a hard disk that you have had for three, four years and say, "I'm going to delete it all." Because you don't know what's in there because you forgot what you collected and for what reason. So the best time to lay out data retention is during the data creation. So that's step two. A lot of people think of lifecycle and go, "Oh, I'll think about the data deletion towards the very end." That's the fundamentally wrong thing. The fundamentally right thing is during data creation or even before data creation, thinking in terms of, "When am I going to delete the data?" And then you create that data, once you know what the expiry date of the data is going to be. And the third, fourth, fifth and the next steps are all about how do you secure the data, how do you share the data, what are you going to use that data for, and so on and so forth. But the first two important steps are data creation and expiration of data. And how about could data posture around it.

 

Dave Bittner: How about dealing with individual users and all of the endpoints that are within an organization? You know, I'm thinking it -- I think it's natural for people to collect the things that they suspect they're going to need on their laptops and these days, probably more and more on their mobile devices. How do you come at that particular problem?

 

Shiva Nathan: So this is where we ought to take learning from what the defense agencies and CIA do, the need-to-know policy. They always talk about need to know. And in an enterprise, there is this thing about empowering employees and making employees do stuff that we want to be, you know, one big Kumbaya family, where we share data so that even the new hire knows every piece of data that's out there to be able to look at it, use it for their own work and so on. So, we have become one happy family sharing data in an enterprise. And that's supposed to be like a very happy, healthy company. But unfortunately, that's come to bite. We have seen individual employees leaking data inadvertently or willingly in some cases for nefarious reasons, right? So we have to take a data posture where we have to go back into a really need-to-know policy where when an employee wants to really get data for their work, they have to fundamentally justify why they need that particular data. And data has to be thought of as important, and data is important. And it needs to be kept away from people that don't really need the data. So that is a fundamentally phenomenal change, especially for Silicon Valley companies where CEOs like myself pride ourselves on keeping transparency and sharing every piece of information about the company, every piece of data about the company, giving free access to the data within the company to everyone. The sales team will have access to the engineering stuff. The engineering team will have access to the sales stuff because we say that everyone is an employee-owner. Everyone has equity and everyone needs to know the entire business. All that is true, except when it comes to the fundamental granular data. You can share everything about the company without having to share the credit card number of your customer widely with the entire organization. You can share things from engineering with the sales team and the marketing team without having to share the actual source code and the code base. So you ought to have -- like I said, we ought to have a data posture and then decide on a need-to-know basis what data goes to whom.

 

Dave Bittner: I mean, it really strikes me that a big part of this is communications as well, to be able to explain to everyone why these policies are in place and the effect they can have on the health and survival of the company.

 

Shiva Nathan: Absolutely. See, 15, 20 years back, hoarding information gave people power. The manager would know some information that the employees would not know. And that gave the manager the power in the organization. And then the level above would know some information that the levels below did not have. In some cases, those barriers getting broken was good, in that it became a more egalitarian company. There was not like a pyramidal hierarchical structure in the organization. And people said, "Oh, we empower our employees so that everyone knows everything that the CEO knows, almost everything that the CEO knows." And you can use that data to do fundamental things. And innovation really came through with all of that. But getting back to saying that you can still have this and that is a pattern that we have to go to. And we ought to communicate that transparency does not mean profuse data sharing. Yeah, you can be transparent about the customers you have, about what the customers have bought and stuff. But you know, like I said, the extreme case is that not everyone in the organization needs to know the customer's financial account information. So that's why we have to be very cognizant in communicating transparently in this particular case, saying why certain data is kept away from certain sections within the company. Not because it's about going back to the 15, 20-year-old story of hoarding information for power. It's not about that. It's exactly about a need-to-know basis. What is the need for an employee in one department to know another department's data? Not getting silos of departments, but really understanding the needs for that day-to-day work function and then using it. And if the employee is able to prove -- for example, if a marketing employee is able to say why he or she needs certain sales data or certain engineering data, yeah, vet it and then provide access. Make that easily doable. But don't do it as a default.

 

Dave Bittner: All right. Well, I think I have everything I need for our story here. Is there anything I missed, anything I haven't asked you that you think it's important to share?

 

Shiva Nathan: Our fundamental about SaaS, Dave -- so 20 years back, software as a service companies came about. And we fundamentally believe that that was implemented wrongly and quickly. Let me quickly explain. Software as a service was when an enterprise could not or did not want to create all the pieces of the application themselves, so they thought, you know what? I can go to this vendor that does login really well. Or I can go to this vendor that does payments really well and obtain the service from them. Then that transaction was going to be just about I give money, and I give a service -- I get a service back from them. It was supposed to be a single, I give money, I get a service. But essentially, what happened was the way that SaaS got implemented, not only did enterprises give money, they also gave data to get the service back. That was a fundamentally wrong handshake that happened, giving data and dollars to get a service back from SaaS. And essentially what that did was every enterprise's data is spread across so many different SaaS vendors. Statista had a report that said there were like 120 SaaS vendors on average that a large enterprise uses across their entire company, right? So, an enterprise actually has their data spread across 120 SaaS vendors. Take, for example, you have an application that uses a login from an auth provider. The login auth provider gets your customer's username and email addresses and stuff. The same enterprise uses a payment provider. That payment provider now gets your customer's email address, financial information, and data. Your data is basically being -- your customer's data for an enterprise is being strewn around to all of these different SaaS providers. That fundamentally is wrong. And data had to be swerved on its head where it is only about giving dollars and getting a service back and not dollars and data. [ Music ]

 

Dave Bittner: All right. Interesting conversation. And again, our thanks to Shiva Nathan, founder and CEO of Onymos, for taking the time for us. We do appreciate it. [ Music ] And that is Caveat, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to caveat@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Trey Hester. Our executive editor is Brandon Karp. Peter Kilpe is our publisher. I'm Dave Bittner.

 

Ben Yelin: And I'm Ben Yelin.

 

Dave Bittner: Thanks for listening. [ Music ]