[Interview] Introduction to cybersecurity
Timothée Rebours, Seald: “it’s now nearly impossible to protect or even define the perimeter as everything's so intertwined”
With the number of connected devices and users growing by the minute, securing large amounts of sensitive data becomes increasingly difficult.
As more aspects of our lives become digitized, many companies and institutions providing online services start to struggle with ensuring their user data is safe. Sure, implementing quality authentication measures or encrypting the organization’s network is a good start, but what about using encryption to secure sensitive customer data?
To talk about the importance of encryption when it comes to data security, we talked with Timothée Rebours, the CEO of Seald – a company making end-to-end encryption easier and more accessible for developers.
How did Seald originate? What has your journey been like since your launch in 2016?
The project behind Seald was created in Berkeley in 2015, following the meeting of cybersecurity enthusiasts and hackers. The company was incorporated in France in 2016.
Seald has a mission – to improve the security and privacy of millions of people. We've come a long way since the project's inception, and we've created a whole series of products over the years; most of them ended up being scrapped before we found our current positioning, for which the product-market fit is there.
Every journey is incredible. The team at Seald is passionate and brilliant. Plus, we meet a lot of exciting people and customers who help us build Seald. We are super proud of what we have built thanks to them.
Can you introduce us to what you do? What is end-to-end encryption?
We want to help application developers protect their users’ data without needing cryptography skills. Integrating Seald allows the company to reinforce customer trust, be in compliance, and minimize the consequences of a data leak.
End-to-end encryption is considered to be the technology that provides the highest level of security on your data, which is why it is used in popular instant messaging apps.
Basically, it protects data in such a way that no one except the authorized users is able to read the data, not even the servers hosting the data or the app developer (and not even Seald, of course).
In your opinion, what industries should be especially concerned about encrypting their data?
We built Seald for companies that make data security a strategic priority.
Every industry has its own data security challenges: strengthening customer trust, achieving compliance, minimizing the consequences of a data breach, etc.
But, the industry with the most at stake when it comes to data security is e-health. Medical data is among the most sensitive (social security numbers, test results, reports, prescriptions, etc.) because a data breach in that field destroys brand trust and can even lead to jail time.
E-health companies are very careful to meet the strict regulatory requirements on medical data and ensure absolute confidentiality of the sensitive data they are entrusted with, in particular, to respect medical secrecy. But with the shift to SaaS apps for patients and health professionals (that the COVID crisis amplified) comes the question: how do we keep data safe in the cloud?
There's also the question of the US hosting providers' hegemony, which causes political and compliance concerns over data sovereignty (with regard to the GDPR in particular). With end-to-end encryption, you can ensure no server has access to the data, including a US-based hosting provider.
Have you noticed any new threats arise during the pandemic?
Ransomware is known to crypto lock data and eventually unlock your data when you pay the ransom. We've seen something new in the past years – criminals now steal the data and threaten to leak it if the ransom is not paid.
This stresses the question of end-to-end encryption even more: if the servers can't read the data, there's nothing to leak.
Another thing we've observed (like everyone else) is a massive shift to digital solutions in the cloud; some of them are really shaky because they were developed quickly to match the rising demand.
What measures should everyone implement to protect from these emerging threats?
For years, the preferred way to protect an IT infrastructure was by implementing perimeter protection, building large walls around information systems, so that an attacker cannot penetrate them. The idea was to put everything sensitive within that perimeter. Except that it's now nearly impossible to protect (or even define really) the perimeter because everything's so intertwined.
Another way to see security is through security by design or zero-trust. The goal is to make an attack on any portion of the IT systems as inconsequential as possible.
When it comes to data protection, the main idea is to implement the principle of least privilege. Basically, it means adding encryption to each piece of data and giving the keys to decrypt only to the users or entities that are authorized to read the data. In most use cases, this is end-to-end encryption coupled with fine-grained encryption at rest.
What would you consider the most serious threats surrounding web applications nowadays?
Looking at the OWASP Top 10, the first two items in 2021 are broken access control and failure to implement cryptography properly.
With Seald, access control is strengthened with cryptographic measures to ensure that even if a resource can be read by an attacker, they would still need to decrypt it.
And with Seald, cryptography is our specialty; we don't take it lightly. Our code has been thoroughly and independently reviewed to ensure we didn't make any mistakes and that our users wouldn't have to worry about the subtleties of how to implement crypto.
Could you share some best practices that organizations should adopt to protect their workforce and customer data?
The first best practice is to take data security into account when first designing any data processing workflow. When it's designed, it's too late.
The second piece of advice is to be humble and organize security training both for developers to learn the best development practices and for all employees to detect phishing, etc.
The third piece of advice when developing software is:
- Do not let something known to be insecure be rolled out to production (password management, random generation, etc.),
- Unit test & e2e test everything (check code coverage),
- Do systematic and thorough reviews before merging,
- Test before rolling out to production.
Talking about the future, what predictions do you have for the data security landscape for the upcoming years?
Everything will eventually be moved to the cloud rather than on-premise, and the question of security in the cloud, which is already in everyone's mind, will become even more strategic as data breaches happen more and more often.
Also, more pressure will be put on small companies to secure data (both in confidentiality and in availability) even at a very early stage.
And finally, what does the future hold for Seald?
We are focused on helping developers protect their users' data with end-to-end encryption, but this can be limiting as not everything can be encrypted that way. We'll most certainly diversify our products to tackle more use cases.