00:00:07 Data security and cloud computing.
00:00:38 Challenges of data security in supply chain optimization.
00:02:11 Increase in cyber attacks and dependency on IT systems.
00:03:08 Restricting surface attack area and outsourcing to cloud providers.
00:06:17 Minimizing attack surface in software design and avoiding relational databases.
00:08:01 Using simplicity and minimal components for security.
00:09:26 Openness, transparency, and exposure as keys to data security.
00:11:03 The importance of white hat hackers in improving security.
00:13:18 Fairly compensating white hat hackers for their efforts.
00:14:35 Differentiating between white hat and malicious hackers.
00:16:00 The security of company systems and prioritizing freelancers.
00:16:47 The confidence in data security and the impact of Bitcoin on security awareness.
00:17:50 Differences in security practices between B2C and B2B companies, large corporations, and governments.
00:20:01 Challenges in military network security and examples of hardware vulnerabilities.
00:24:01 The possibility of a future with significantly reduced hacking and embracing a culture of openness in supply chain security.
Summary
In the interview, Kieran Chandler and Joannes Vermorel discuss data security in supply chain optimization. Vermorel acknowledges the rising cyberattacks due to increased digitalization and dependency on software. He emphasizes the importance of openness and exposure in supply chain security, advocating for a “defense-in-depth” philosophy with multiple layers of protection. He cites the value of white-hat hackers in identifying and fixing vulnerabilities and suggests that companies can improve security by minimizing attack surfaces and relying on trusted cloud computing providers. Vermorel believes that embracing transparency and exposure in supply chain practices will result in a faster transition to more secure systems.
Extended Summary
In this interview, Kieran Chandler, the host, discusses data security with Joannes Vermorel, the founder of Lokad, a software company specializing in supply chain optimization. The conversation revolves around the increasing importance of data security as cloud computing becomes more popular and hacking techniques become more sophisticated.
Joannes acknowledges that data security is not a new issue but has been around for quite some time. He recalls that when he started Lokad 10 years ago, the initial idea was to keep data locked away from all networks, but this approach proved detrimental to supply chain optimization. Companies with complex and distributed supply chains need to provide access to data for all parties involved in order to optimize their operations. This inherently increases the exposure of data and systems, leading to data security challenges.
The host questions whether hacking incidents are genuinely becoming more frequent or if they are simply being reported more often in the media. Joannes believes that cyberattacks are indeed on the rise, mainly because there are more IT systems and increased dependency on software. As companies become more digitalized and consumers use more online services, the attack surface for hackers grows, leading to more data breaches.
When asked about techniques for protecting data, Joannes states that security is the second most important concern at Lokad, with the quality of the numbers they deliver for supply chain optimization being their primary concern. One basic approach to ensuring data safety is to restrict the attack surface for hackers. This involves designing software solutions with minimal potential for things to go wrong.
Joannes explains that one reason Lokad moved toward cloud computing was to delegate the hardware and handling of operating systems to larger companies like Microsoft. While not perfect, these companies have more resources and personnel to physically secure computing hardware. It makes sense to trust a company with hundreds of people working on security rather than a smaller team of 20.
The host then inquires about how to choose trustworthy computing companies to outsource work to. Joannes suggests that large cloud computing providers like Amazon, Microsoft, and Google, which are survivors of the internet, are generally reliable. These companies face constant cyberattacks, so their experience and resources make them better equipped to handle data security.
To ensure the safety of their systems, Lokad minimizes their attack surface area by using simpler components and avoiding programmatically smart data storage layers, like relational databases. Instead, they opt for a more basic data storage layer, using blob storage on Azure, which is less susceptible to certain types of attacks. Lokad is also selective in its use of open source components, vetting each one and restricting the amount of technological mass in their solutions.
Vermorel believes that a key element of corporate culture for improving data security is openness, which contrasts with the fortress mindset often used in supply chain practices. He argues that IT systems are not secure because of their design alone, but also due to transparency and exposure. Transparency involves people understanding how the systems work and their architecture, while exposure refers to subjecting the systems to white-hat hackers, who are ethical hackers looking to improve security.
White-hat hackers help organizations identify and fix vulnerabilities in their systems. Vermorel shares that Lokad has experienced this a few times, with white-hats finding issues within single accounts, which were subsequently reported and fixed. To encourage white-hats to continue identifying potential security issues, organizations should compensate them fairly for their efforts.
Vermorel shares his perspective on the varying levels of security maturity among different types of organizations. At one end of the spectrum are companies like Facebook and Google, which have robust security measures due to their massive exposure and high volume of hacking attempts. These B2C-driven companies are constantly under attack, forcing them to be well-prepared and proactive in their security measures.
Further down the spectrum are B2B software companies like Lokad, which, while not as exposed as the B2C giants, still strive for high levels of security by maintaining transparency and allowing easy access to their systems. Vermorel suggests that the security of these B2B companies tends to be weaker, as they do not have as much exposure and consequently do not face the same intensity of hacking attempts.
An even lower level of security maturity can be found in large, non-tech-driven corporations and governments, which often rely on an outdated “fortress mindset” and security through obscurity. These organizations may attempt to lock away sensitive information, but Vermorel argues that this approach is incompatible with the size and complexity of modern organizations.
Surprisingly, Vermorel claims that military organizations have the worst security practices, as they often use private networks that have been isolated for decades. While one might assume that these private networks would be more secure, their lack of exposure to outside threats has left them ill-prepared for modern security challenges. Vermorel notes that large military organizations spread across multiple locations and countries struggle to maintain an isolated network while also managing thousands of employees and contractors.
Vermorel highlights that even the most secure systems can be compromised, as demonstrated by past frauds and the vulnerabilities found in Intel hardware. He explains that hardware vulnerabilities, such as Spectre and Meltdown, can make software and applications insecure as well.
Vermorel emphasizes the importance of exposure to hackers who can identify and patch vulnerabilities before they can be exploited. He notes that military systems, which often use Intel hardware, are particularly vulnerable to such attacks. However, he believes that it’s possible to eventually eliminate hacking, as there’s no fundamental law that dictates all computer systems must be insecure.
Vermorel suggests that supply chains can become more secure by embracing a culture of openness and exposure. This involves making systems more transparent and accessible, while still maintaining security measures. He advocates for a “defense-in-depth” philosophy, where multiple layers of security are implemented to protect sensitive information. Overall, Vermorel argues that businesses and organizations with supply chains will be more secure if they adopt this approach, resulting in a faster transition to more secure systems.
Full Transcript
Kieran Chandler: Today on Lokad TV, we’re going to discuss how cloud computing gains in popularity and also how hacking techniques grow ever more sophisticated. Can you be truly confident in the safety of your data? So Joannes, this is a topic which has been somewhat sensationalized in the media in recent times, but is data security really a new issue?
Joannes Vermorel: No, it has been around for quite a while. It’s intriguing. When I started Lokad 10 years ago, the idea was to keep the data locked away from all networks and away from hackers and everything. But as soon as supply chains are concerned, if you just lock your data in a vault, yes, it’s very secure, but your supply chains suffer dramatically. The problem is that people, partners, and even your own organization do not have access to the data to actually optimize your supply chain. So if you want to achieve any degree of supply chain optimization and have a supply chain that is a bit complex and distributed across different locations or possibly different countries, then you need to have a way to feed all the parties involved in your supply chain with the right data. That means, by design, you are exposing your data more, you are exposing your systems more, and thus comes the problem of data security.
Kieran Chandler: It seems that every day in the media, we’re seeing a new organization or a new celebrity being hacked. Is this something that’s actually occurring more frequently, or is it just that we’re hearing about it more often?
Joannes Vermorel: I believe that cyber attacks are overall on the rise. There are some very basic reasons for that. It’s not that we have more bad guys around; it’s just that we have more IT systems and more dependency on our own software in general. Companies are becoming more digitalized, and even regular customers are using more online services. As a consequence, all of that just increases the surface attack area for bad guys, and thus you end up with more leaks. It doesn’t mean that security is getting worse or that there are more bad people overall.
Kieran Chandler: If there are more attacks happening every day, let’s look at some of the techniques that we can actually use to protect ourselves. What can we do here?
Joannes Vermorel: At Lokad, security is the second most important concern. The number one most important concern is the quality of the numbers that we deliver for great supply chain optimization. But the second concern is ensuring the safety of our clients’ data. One of the most basic techniques to do that is to restrict the surface attack area for hackers and problems in general. How do you do that when you’re designing a software solution? First, you try to restrict as much as possible the amount of things that can go wrong because of you. For example, one of the reasons why we moved toward cloud computing was so that we could delegate the hardware and much of the handling of the operating systems to Microsoft. It’s not that Microsoft is perfect, but in terms of engineering teams, they have way more resources to physically secure the computing hardware than Lokad. So it makes a lot of sense not to trust your team when you have 20 people, while Microsoft is trying to do the same security effort with several hundred people on the case.
Kieran Chandler: Let’s talk a little bit about that delegation. There are a lot of computing companies out there, so how do you know which of the companies you should trust and which are the. You know, which of the companies should you trust and which are the companies you should outsource your work to and which are the companies you should probably avoid?
Joannes Vermorel: As a rule of thumb, trust large companies that are exposing tons of computing resources online. I’m talking about the big cloud computing providers like Amazon, Microsoft, and Google. These are survivors of the internet, being attacked every single day by hundreds of hackers. If their systems are still up after a decade of operation, it means they’ve survived all the punishment they’ve taken on a daily basis. It doesn’t mean they never got breached; it just means they’ve been diligently fixing and patching all the problems they’ve encountered. The more exposure your provider has and the longer they’ve been around, the more trust you can give to them. If they’ve stayed exposed, been relentlessly attacked, and survived, they’re probably quite good at security.
Kieran Chandler: Okay, so outsourcing to other companies is one way to ensure our systems are secure. What other techniques can we use to ensure our systems are safe?
Joannes Vermorel: The same principle of minimizing the attack surface area also applies to the inner part of your software. For example, at Lokad, we don’t internally use any relational database systems or SQL databases. It’s not that we don’t like them; they’re powerful and can do many things. However, having them in your storage layer creates a massive security problem. It can still be secured, but it requires a lot of effort. With SQL, you can write code, which means you can write malicious code. To protect ourselves against that, at Lokad, we use a very simple, naive data storage layer, like blob storage on Azure. The key idea is that we use a data storage layer that is orders of magnitude simpler than relational databases and has zero programmatic expressiveness. This means that entire classes of attacks cannot happen at the level of our data storage layer because it’s too simple to offer angles for those attacks. We apply the same idea to many other components, opting for simpler and less expressive options to minimize the amount of things that can go wrong.
Kieran Chandler: So being simplistic and a little bit dumb is actually very beneficial. That covers being secure by design. How about being secure in terms of the culture? What kind of cultural values should companies promote to increase their data security?
Joannes Vermorel: Openness is probably the key.
Kieran Chandler: So, how do you describe the fortress approach that I mentioned about supply chains and how things were done ten years ago?
Joannes Vermorel: If you have a fortress mindset, you want to lock your data in a vault that is buried and very hard to access. This makes everything opaque and obscure, and it’s difficult to access the data. But does that really make you secure? The problem is that, as far as IT is concerned, this type of behavior and corporate culture is very much adverse to security.
Kieran Chandler: Why are IT systems not secure?
Joannes Vermorel: IT systems are not entirely secure, not only because they have been designed to be secure, but also because of design practices. If you don’t have correctness by design in software, it’s very hard to secure anything. Once you have that, along with a high degree of scrutiny in your software, what you need to improve security is transparency and exposure.
Transparency means that people can see what’s going on inside your IT systems, and security is not an emergent property of the fact that nobody knows what goes into your IT systems. People should know how they work, their architecture, and they can see if it’s correctly designed and secure. Exposure means being exposed to hackers, and more importantly, to white hats, the good guys.
Kieran Chandler: It seems counterintuitive to expose your systems and let everyone see what’s going on. How does having people hack your systems make you more secure? What do these white hats actually do?
Joannes Vermorel: White hats are the good hackers. They try to get into systems as a way of living. At Lokad, we’ve experienced this a couple of times. People on the internet register for a free account at Lokad and try to poke things around, see if they can find security issues. Some of them have managed to find issues, but only within a single account, so the containment was tight.
When they find a problem, they come back and report it. They might ask for a bounty, but it’s up to you to decide the price. This motivates them to find more issues in your systems, making them even more secure. You want people to try to hack into your system, especially white hats, so when they find a problem, they diligently report it to you. You have to play the game and compensate them fairly for the effort they put into hacking your system. That’s how you get more secure.
If your systems are supposedly secure but nobody ever tried to hack into them, then it’s very risky, as you don’t know. In IT, there’s nothing like an obvious fortress. In a real fortress, you have walls of stone, and it takes brute force to get through. But in terms of software, security can fall apart sometimes due to the smallest mistake, like a tiny configuration issue in one of your secondary servers. So, you need to have people who try to pick and poke everywhere to ensure your security.
Kieran Chandler: Secure all the way through, it’s a bit of a bizarre concept, isn’t it really, that you’ve got these people who are hacking your system who are actually the good guys? So where do you draw the line between what is a white hat kind of attack and what is something that’s a bit more malevolent?
Joannes Vermorel: It’s completely different. White hats are like freelancers, but they have their reputation. They are good guys, very professional in the way they disclose the problems. Typically, they will disclose the problem first to you, and then say, “Well, what you pay me is kind of up to you.” Some companies even have official bounty programs. Fundamentally, they are like freelancers that help your system get better in terms of security.
Black hats, on the other hand, are the opposite. They are not going to do that. Once they find a hole in your system, they will exploit that hole until the end of time or until you’ve patched the hole. Then, they will try to resell your data or blackmail you. It’s very different. White hats, it’s not blackmail. They say, “If you don’t pay me, fine. I’m not getting paid, but don’t expect me to keep working on your system afterwards.” They did the first one for free so that you can see that it’s a real thing and they’re doing serious work, not just making empty claims. But then, what you pay is up to you. The more you pay, the more you will capture their interest in actually trying to find further issues on your system. And that makes sense because they’re freelancers who could work on improving the security of your company or other companies, so they have to prioritize.
Kieran Chandler: And you mentioned earlier, it’s very easy for there to be a little loophole that might exist somewhere, and that’s what hackers are good at – finding those loopholes. But can you ever really be confident in the security of your data? I mean, even governments are being hacked nowadays, and they seem to have more infinite resources to dedicate to these things. So can you ever truly relax?
Joannes Vermorel: The answer is really no. It’s interesting because I think all these security problems became more visible thanks to things like Bitcoin. Why? Because suddenly, it becomes obvious that it’s incredibly hard to secure anything. With Bitcoin, if your machine that’s holding your Bitcoins gets hacked, the Bitcoins get stolen. People started to realize when they were putting Bitcoins on servers online that pretty much everything was gone after a while. So, people realized how hard it was to actually secure anything.
If we take the example of governments, in terms of maturity, security-wise, you have at one end of the spectrum, the exceedingly good companies like Facebook and Google. Yes, Facebook can get hacked once in a while, but thousands of people try to hack into Facebook every single day. So they are survivors, and they are very good because they have massive exposure, massive attacks, and endless ongoing attacks on their systems. It’s the same for Google, Amazon, and Apple – all those companies that are B2C driven and super exposed.
Then, a notch down the ladder in terms of practice, are all the B2B software companies like Lokad. At Lokad, we try to be very exposed on the internet in the sense that our systems are not secure because they are opaque. Everything is documented online, and you can even register freely for and access an account online. So, basically, we give ourselves a high degree of exposure just like Facebook, on purpose. But let’s face it, when you
Kieran Chandler: Joannes, can you talk about the differences in security between small and large organizations, and even governments?
Joannes Vermorel: Yes, certainly. So, the amount of hackers that small organizations face is typically lower, and as a consequence, their security tends to be weaker as well. Then, one big step down, you have everything that is like mega corporations and governments. I would say that mega corporations that are not tech-driven, like the Googles of this world, tend to have very weak security. Why? Because they are still very much into this fortress mindset, security by obscurity, meaning that things are secured not because they are transparent and exposed, but because basically they try to lock them away. But guess what? If you are a very large organization, it just doesn’t work. You cannot have things locked away and have tens of thousands of young employees in the organization. That’s just not compatible. So, bottom line, security tends to be quite bad. And at the very, very extreme of the spectrum, you have the military, which is probably the worst in terms of IT security and practice. I know that people would think that it’s the exact opposite and say military should be absolutely secure, extra. But, on the contrary, they had decades of experience of having their own private networks, their own private systems, everything. And as a consequence, they are dramatically lacking in the exposure that they should have. And if you’re following some news, you would see that some various armies over the world have frequently tones of relatively backward IT problems that are a direct consequence of lack of exposure.
Kieran Chandler: What is it about those private networks that make them more vulnerable? Because if you have a military system that has been private for decades, surely they’ll be able to get their security sorted out and it’ll be something that’s safe?
Joannes Vermorel: The thing is that if you say my network is safe because it’s disconnected from the internet, well guess what? Again, if you’re the military, you are a large organization that is spanning across many locations with tens of thousands of people. If you’re actually an active military that is fighting overseas, your systems are going to spread over multiple countries. And how can you keep this network absolutely disconnected from everything else? You cannot trust your employees or the people that are members of our organization at that scale, not when you have thousands of people. The amount of acquisition that you have is pointless because we have discovered many frauds. Bernie Madoff, until he was convicted, had nothing in his track record. He had an impeccable track record until we discovered that he was the biggest fraud in history. So, that’s what typically happens. We trust people until they are discovered. They have an impeccable track record, and that applies in investment funds, but it’s the same thing for the military and whatnot. These are just human things. So, bottom line, if your network is…Completely disconnected, how do you get the exposure to all those hackers that try to pick and probe, for example, the vulnerabilities that exist in the Intel hardware? So, the CPUs processors have two classes of vulnerabilities that have been uncovered about a year ago: Spectre and Meltdown. It means that the hardware itself is vulnerable and that you have classes of software applications that become vulnerable because the hardware they run on is compromised. I don’t believe for a second that any military nowadays does not have any Intel hardware in their systems. I mean, Intel has something like over fifty percent market share in CPUs for desktops. So, I’m pretty sure that every single army in the world has literally hundreds, if not thousands, of workstations working on Intel hardware that has critical vulnerabilities. So, how do you deal with that if you don’t have people that try to patch the thing? Well, chances are that you’re just going to stay vulnerable until someone manages to connect to your supposedly private and protected network, and then it will be all in because everything is kind of weak and hasn’t received enough scrutiny.
Kieran Chandler: Starting to get a little bit worrying now. I might not be able to sleep tonight. Let’s try and finish on a more positive note then. The Googles and the Facebooks of this world are putting a huge amount of investment into research and development into data security. So, can we envisage a day when hacking is a thing of the past and never really exists at all?
Joannes Vermorel: I believe so. There is nothing like a physical law that says every single computer system is unsafe. There is no such thing as a fundamental law that says the amount of hacking is only going to increase over time. So, this is not entropy. But the bottom line is, it’s going to take time. And as far as supply chains are concerned, this evolution can happen much faster if you embrace a culture of openness and exposure for your supply chain and your supply chain systems. Which means that, having your systems more transparent, more exposed, but still secured. I’m not saying that you want to be exposed in the sense that anybody can access anything from anywhere, that’s not what I mean by exposure. By exposure, I mean that it’s not secure just because there is only one person in the IT department that is supposed to be able to access that. It’s not this type of security. But basically, the more companies have supply chains with systems that are more online, more secure with a defense-in-depth philosophy, then they will have much faster, something that is much more secure.
Kieran Chandler: We’re going to have to leave things at that. Hopefully, nobody’s going to hack us after this, or maybe you probably want them to hack us. White hats only, please. That’s everything for this week. Thanks very much for tuning in, and we’ll see you again next time. Bye for now.
