In this podcast, Shane Hastie, Lead Editor for Culture & Methods, spoke to Shiva Nathan about data security, privacy, retention and enabling a security mindset in development.
Key Takeaways
- When considering data privacy and retention we should be planning for time horizons of 20+ years
- Do not collect unnecessary data, put an expiration on any data collected and do not get nostalgic about data
- Building secure systems starts with attitude and mindset, followed by process and tools
- Engineers should be proficient in secure coding practices
- Continuously keep tools and platforms at the latest security levels available
Transcript
Shane Hastie: Good day, folks. This is Shane Hastie for the InfoQ Engineering Culture Podcast. Today, I'm sitting down with Shiva Nathan. Shiva is the founder of Onymos and has a background working in high security environments. Shiva, welcome. Thanks for taking the time to talk to us today.
Shiva Nathan: My pleasure being here, Shane. It's a great time to be talking about security and privacy and such.
Shane Hastie: Thank you so much. So, probably a useful starting point, who's Shiva?
Introductions [01:26]
Shiva Nathan: I'm the founder and CEO of a company based out of Silicon Valley here in the San Francisco Bay Area in California. We are a company that's trying to invent the next technology abstraction when it comes to enterprise applications. So, you can look us up at onymos.com O-N-Y-M-O-S.com. The name itself came about to be the antonym of anonymous, so we wanted the antonym of word to know about us. That's how the name Onymos came about. That's a fun fact for you there.
Shane Hastie: And now, chatting earlier, we were talking about the importance of privacy, in particular data privacy, personal privacy. Your background working in that high security space, what have you seen and what should we be thinking about as technologists working in that space?
Data privacy and retention needs to consider the implications over multiple decades [02:11]
Shiva Nathan: As technologists, we are to start doing everything that we do with a very, very long-term time horizon in mind, and I'm not talking about 15 years, 20 years, or something. I'm actually literally talking about what is the data or information that you are leaving behind today that might affect your great-great-great-grandchild. If you start to think, it's a very different view of security and privacy, and I'll give you a particular specific example. It might be out there, but I'll still give you a specific example. Imagine five generations from now, your great-great-grandchild cannot get insured because you actually put out there about something that you did or did not do for your health, and your great-grandchild gets denied his or her insurance because of that information that you put out there. You are long gone. You are in your grave rolling probably, and your great-grandchild is doing that. That's on the personal side.
But on your work side, the stuff that we are building right now are probably going to be lingering around in some fashion for 30, 40, 50 years being used. With people that are using it, not even thinking about who built it or how it was built or under what conditions it was built. And if they run into a problem, it was caused by you, and you're probably long gone and retired from your day job and still that can linger on. So, if you approach every single problem with this long-term vision in mind as a technologist, it'll actually help make the right decisions and do the right things when it comes to either of these aspects, when it comes to security and privacy.
Shane Hastie: Organizations don't think long term.
Shiva Nathan: Very true, they don't, and that's unfortunate in some sense. But then, if you actually look at organizations paying for problems that's created, and if you actually go do a root cause analysis of the problem that organizations have created, you'll actually find the origin of it, the decision or the non-decision of it from years back. So, all of us are familiar with the Boeing problem and the Boeing planes crashed killing people because of some application software that took control of the plane and plummeted them into land and oceans, right? Go back and do a root cause analysis for that problem, and you'll find that that particular decision or non-decision was made years back, and it slowly percolates up, and then infects itself into the organization. And then, finally comes to literally killing people years after such decisions are made. Security and privacy are privacy averse.
Shane Hastie: What are some practical things I can do as a technologist?
Be very deliberate about what data is collected and how long it needs to be retained [04:38]
Shiva Nathan: Start with thinking data. What data do I really need, and what data do I not need? We are at a point in inflection in the technology where storage is cheap, and analytics is the biggest thing that everyone wants to do. And since storage is cheap, analytics is good, I want to capture each and every piece of information and data out there to store it, not even knowing whether I'm going to use it or not.
Let's take this one particular podcast for example. So, as people that are going to be listening to this podcast are thinking that "Okay, let's save this podcast. Let's save Shiva's voice and Shane's voice somewhere, and let's store this information whether we want it or not. Let's store other information about Shiva and Shane whether we want it or not." Such storing of information "Where is Shane speaking from? Where is Shiva speaking from? Is it even relevant to the conversation that we are having?" But all that information is being stored in the podcast. And that data collection, what I call as unnecessary data collection, is what is going to do technologies in. So, you are collecting data without even having a current use for it, thinking, and hoping that "Hey, that might be a time when I might need it, and I should be able to go back to it." And capturing the data is the one that's going to do you in when people hack into the data and find out and stitch where Shane lives, how old is he, and how many children he has, and all of this different stuff to do a technology attack on Shane and Shane's bank accounts. And all of that was caused by some innocuous data collection to begin with.
And then, the second thing is write one data. Let's say you do have to collect this data. Start to think from day one in terms of "How long do I really need this data?" Okay. I'm collecting a data about a particular person or a particular enterprise. How long? Think about the expiry of the data when you collect the data. Not many enterprises are very disciplined about doing that. If you put an expiry tag onto the data when you collect it, you would, and if you have a process in place to go delete the data on that expiration date, it'll do your world of good.
And the third thing that I talk about is if you don't do that is you start to get nostalgic about data, and the nostalgia of data is a bigger problem.
Well, the first part is that don't collect unnecessary data. Second is put an expiration on the data, and do not get nostalgic about data. So, as technologists, if we follow these three principles, I think you'll be in a much better place when it comes to data security. Then, there are a lot of other aspects of security and privacy.
Shane Hastie: So, thinking of your experience working in high profile organizations where they were the target of, as you mentioned, state and non-state actors, how do you build platforms to be secured?
Building secure systems starts with attitude and mindset
Shiva Nathan: Start with the people. Again, it might be the different way of thinking. Start with the people first, the people that are actually building these platforms. What I'm going to tell you in this podcast is not about, "Oh, buy this tool, buy that tool. Implement this, implement that, implement the process and stuff." It all comes boiling down to the people that are building this stuff. People and their abilities and in many a times their lack of imagination is what is the Achilles heel for secure platforms.
In my previous job and in my current job, when we are building platforms that enterprise applications are going to be built in, the first thing that we start with is how much of the time and their mental focus are my engineers focusing on privacy and security? How much are they diligent about following the process that we lay around? How much are they proficient in the tools that we're going to give them? It all starts with the people. So, once you have the people area covered, and you know that if every engineer in your team is first of all have their mindset on doing it the highest private way and highest secure way, if you have those two aspects covered, then, you go tell them about the process, you go tell them about using of the tools, then, you go up, tell them about other aspects and other vulnerabilities that they're going to put in all kinds of testing that they have to do, everything comes easy from there. It flows from there.
Shane Hastie: And what do we build on top of that?
Building for security starts with data at the centre [08:33]
Shiva Nathan: Once you have the people in place, then, start with data at your centre. So, you have the people as your rock bottom foundation, people and the mindset. And then, once you have the people as your rock bottom foundation, then, start with the data, and I've already touched upon this data. So, data, very simply think about what is absolutely necessary, what is not relevant, and collect only what is absolutely necessary. Do not collect data that you think you might need it one year from now, two years from now. Do not do that. Then, once you collect the data right at the time of collection, put an expiration tag on the data.
And then, the third thing is do not get nostalgic about data. When the expiration clock ticks in, go delete the data subject to federal regulations, data collections, whatever regulations you have, go delete that data. Once you have the data in place, then, the second thing is your engineering practices. In terms of development, testing and such, right from the beginning, make them super robust. Find out secure coding practices. All your engineers should be proficient in secure coding practices. Then, your CI/CD pipeline, continuous integration/continuous delivery pipeline, they need to be set up to catch security vulnerabilities.
Then, go look at tools that you have already in place and tools that you can augment that continuously keep checking your security vulnerabilities and stuff. Then, go into your release and deployment process, and follow the same thing in terms of how secure and stuff. And more important thing is that most companies do this one time, and the thing is like one and done. It's never about one and done. It's continuous evolution. If you're still running your iPhone on iOS 15, you are in bad shape because there are a lot of security updates that have come up.
Keep platforms and tools up to date [10:11]
Imagine an enterprise running an application on the latest and greatest releases of everything that their stack depends on. It's a lot of hard work. It's a lot of hard work to make an application that you're developing to be running on the latest and greatest. Most of the times, the latest and greatest don't even work with each other. Finding that denominator that makes things work will bring you down in security levels multiple fold.
Think about what are the things that you can do. Let's say there are two components that you depend on. One is on version two, one is on version three, and you want to upgrade one of them up one version and those two don't get along. What are the security fixes that I can at least bring in to make them work along so that I'm not open security wise?
To summarize, start with the people, think about the data, think about the entire process, and keep thinking about it continuously, and always stay on the latest and greatest of technologies because that's what is going to keep you safe.
Shane Hastie: So, let's go right to the base then and start with the people. How do you create an environment where the safety security thinking is pervasive, and the culture is generative and engaging?
Enabling a security conscious culture [11:16]
Shiva Nathan: All of us as human beings have grown with biases and such. Especially, a newer generation that has grown with social media and such. It is second nature for them to expose most of their lives onto the social forums, that many that are born 40, 50 years back would not even think about doing. Whether or not someone is interested, people start to post attributes about their life in terms of what they ate for breakfast, where they went on vacation and such. I'm not saying don't go tell your engineers that now you work for the CIA, and you're not supposed to do all of that particular stuff, but make them start to think in terms of, "This information that you are really sharing with the world, do you understand the ramifications?" Once you understand the ramifications and once you put out your data out there, then, if you've gone to the thought process, then you go to whatever you want.
Once you build that particular culture where you educated your team, in terms of what is data, what is data privacy, what is data security, and then, you make them work on your application development as a technologist and such. And then, giving them more time and praising them for the efforts that they put in to be security focused, to be privacy focused. As leaders, we need to walk the walk and talk the talk or rather walk the talk to be sure, to be able to say, "I have really acknowledged and appreciated an engineer in my team that took the extra effort to make something a little bit more robust and a little bit more secure." So, that's how you build that culture within the company.
Shane Hastie: We were talking earlier about what makes a good leader, and you had some counterintuitive advice in terms of what comes first.
Employees come first, customers second and investors third [12:50]
Shiva Nathan: Employees come first any day. I have this fundamental belief that I've got it from my previous employers and stuff. The employees come first, customers come second, investors come third. With extreme pride, I tell my investors that they come third, and when you make employees come first, if you take really good care of your employees, your employees will do the right thing for the customers. And if your customers have taken really good care of, they automatically will take care of your bottom line and investors.
You try to put this in any other order, employees, customers and investors. And selfishly, I'm an employee as well, so it actually bodes well for me too. So, if you put employees first, customers second and investors third, the system all works diligently. If you try to put customers first, a lot of companies out there that actually go out and say, "Customers first," and do substandard decisions for their employees, what happens is that unhappy and discredited employees don't always go the extra mile to make the customers happy. And when your customers are not made extremely happy, your investors suffer. There are some people out there say they are looking for the next fundraising and go, "I'm going to put my investors first". You can build a rocket ship or a meteor that actually launches and grows very fast for the investors for the next three, five years, and then crashes and burns because you are not taking care of your customers, because you're making suboptimal decisions for your customers, because you put your investors first. And if you make suboptimal decisions for your employees, they don't take care of the customers.
Going by this logic of employees first, customer second, investors third, always, always is the right approach in my mind to build a long-lasting company that really succeeds and takes care of all of these three stakeholders.
Shane Hastie: If we look around the tech industry at the moment, we're recording this in March 2023. See a lot of behavior that has definitely not been putting employees first. The massive layoffs. And I can understand that layoffs at times are necessary in economic climes, but what has worried me in this round is the inhumane way that that has been dealt with or certainly what has been reported on the social media. We arrive at work and can't log in, or I'm working remotely, and my ID no longer works, and that's how I know I was let go. What happened that organizations got it so wrong?
The impact of the way layoffs are handled [15:08]
Shiva Nathan: Yes. It is unfortunate what we are going through in the economic climate. Although, I would not say that the company making a layoff makes it a non-employee first company or anything. Layoffs are a necessary part of an economic cycle, but how that is handled is what is important. If you have an employee or a particular division that has not got traction for no fault of a single employee. So, let's say there's a division within a large company try to introduce a product. The product did not get traction, and the company decides to lay off the entire department, that is the right thing for the company. But how you treat the employees when you are going to lay them off speaks a ton about the culture, and tells the current existing employees, the existing employees how they're going to be treated going forward.
The particular example that you talked about where a person wakes up in the morning, finds out that they are no longer able to log into the system, and that's how they get to know that they're laid off. In this day and age, that to me is horrendous. It could have taken just one email to the person. Even if the company's laying off 10,000 people and they don't have an HR that can sit across a table from 10,000 people and have the conversation to tell them gracefully that "Yes, you got laid off." A simple email would have been understandable. A simple email informing very clearly and nicely that, "Sorry, we have to make this hard decision to let you go," would have served those companies really well, and that is unfortunate.
And then, there are companies where HR got laid off along with the people that there was no one to do it, but it's on their leaders then. It's on the leaders to be able to be upfront. And let's say, I'm running a company where I would let go of 10,000 people. Let's say I would let go 99, but I hope I'd never come to that situation ever in my life, but let's say the entire company has to be shut down. As long as a leader comes out and send out a mass email even saying why that leader is shutting down that company, and what are the reasons, and then also explaining "Why am I sending a mass email because I cannot afford to send 10,000 emails one by one and for the sake of time, I am doing that through a mass email," that will go a long way. Being upfront, being a person of high integrity and showing leadership, that will go a long way. Then, employee waking up in the morning and finding out that they cannot access their corporate system and that's why they know they’re laid off.
Shane Hastie: These are not difficult concepts, but we see them breached all too often. What does this tell us, I wonder about our industry or elements of our industry? That's getting into philosophy, and we might not go too far there.
Human connections got reduced through the pandemic [17:33]
Shiva Nathan: No. I think what the pandemic did to the world is that it actually reduced the level of human connections for people in the last two years that people were hunkered down in the homes. So, there are some managers that I know I've never met their employees in person ever. So, if I've never met you in person, I've always seen you as a two-dimensional object on a Zoom or a Microsoft Teams call, that personal connection doesn't get formed, so it's easy for you to wake up and find out that your employee access is not working anymore, and it does not affect me personally. The interpersonal connection is gone because of the pandemic.
I'm getting into the philosophical realm now. I think we as human beings, like what we did, Shane, before this podcast started, to be able to talk about each other's personal lives a little bit. Not go too much into it, but at least establish that human to human connection, and you offering to tell me, "Hey, if you're in my neighborhood, come by and say hi," that's a good human interpersonal connection, and I'll remember that for months and years to come. And when I'm ever in your neighborhood, I'll be like, "Yes, I know a person, Shane, that I can come by and say hi, and meet you all for lunch." And that only happens when we take the extra effort as human beings in every interaction that we have to go about "Why am I here? Oh, I'm here to do this podcast. Shane's here to record the podcast," and just have the conversation go away. That's not the case.
I really appreciate the time that you took to get to know me as a person and for offering for me to get to know you as a person. We have to take the extra effort. If you had scheduled this to be like a 30-minute thing, 20-minute I'm off to my next thing, we wouldn't have been able to make that connection. I think every human being has to do that in this world.
Shane Hastie: Build in the time to be human.
Shiva Nathan: Yep. You said that a lot more succinctly than I did.
Shane Hastie: Shiva, thank you so very much for taking the time to talk to us. If people want to continue the conversation, where do they find you?
Shiva Nathan: I'm on Twitter @_ShivaNathan, and they can also follow my company Onymos, O-N-Y-M-O-S on Twitter as well. And I'm also on LinkedIn, so people can connect with me on LinkedIn. You can look me up as Shiva Nathan on LinkedIn.
Shane Hastie: Wonderful. Thank you so much.
Shiva Nathan: Thank you so much, Shane. Thanks for having me. My pleasure.