Bill Burns: A Journey through Time and Security
Welcome to the Masters of Data podcast, where we talk to the people on the front lines of the data revolution about how data affects our businesses and our lives.
Our guest today has had a front row seat at some of the most game-changing innovations in the internet era – Netscape, Netflix, and now Informatica. Bill Burns (@x509v3), currently the chief trust officer at Informatica, has seen the information security industry change dramatically since he first cut his proverbial teeth on it in the ‘90s.
It’s no surprise that when Bill and I sat down for the interview, our discussion touched on 20-plus years of dramatic changes in the way business is done on the internet, and how we as a society think about information security.
Bill Burns’ Journey Into Information Security
You’ve done a lot of things in this industry. I was really interested in how you got into security monitoring, because that doesn’t seem to be where you started. So, how did your experience lead you into the security realm?
I got into internet security because I got caught in college. The story goes that my buddy and I needed to print our lab reports but the only place on Michigan Tech University’s campus where you could print from a Mac was in the humanities lab.
So, I wrote software that basically took over control from the print lab in order to print my reports.
After a couple months, I got caught. I was sent to go talk to the lab director, one of the few females on campus (who eventually became my wife). Getting in trouble and talking to the lab director was a pretty good thing in the end!
I was always curious, taking things apart and trying to figure out how they worked and, eventually, not just how they work but how they work when they’re poked a little sideways or told to do something that they weren’t designed to do. That turns into sort of fuzzing and security testing.
While I was getting my EE degree and my business degree, I realized that I didn’t like analog circuitry design and I didn’t really like putting a computer together at the molecular and physical level. I really enjoyed the networking and the communications aspect- how does data flow between computers over wide area networks. So I got into that part of electrical engineering and computer science.
Naturally, I fell into security. At the time, security was always homebrew. It was not something that you bought off the shelf. The very first firewalls were largely a kit. Now it’s a commodity feature in products.
That’s how I got into security – you had to figure out how to make your system secure. It wasn’t a button you turn on at the time.
I don’t know how many computer science-oriented people I’ve met that came from the electrical engineering or the physics department. I actually was originally in physics and I love playing with the lasers and the different toys, but I ended up enjoying computer science even more. I also realized that computer scientists were out there becoming millionaires, and no physicist becomes a millionaire.
That’s right. Lasers are cool, but… You know.
At some point, you have to feed your family.
System Security: the Cat and Mouse Game
Once you got into security, you got a taste of what it was like to really dig into the guts of things and build stuff from scratch. What kept you going in the world of security?
That’s a great question. At some level, you’re comfortable with building your system to meet your needs or to protect you against the things that you’ve thought of and the countermeasures you’ve put in place. But once you get into the real world, you get people who are motivated by different aspirations than you are.
Maybe it’s ideological. Maybe it’s monetary. There are always attack vectors you hadn’t thought of, so it’s the cat and mouse game.
It’s staying ahead of the hackers. It’s staying one step behind the hackers.
Protecting an educational lab is very different compared to our corporation. A small or medium-size company versus a large-size company has very different threat vectors and budgets that you can apply. The challenge for me was always the gamesmanship, “What will they think of next? And what can I think of next?”
It reminds me of the pitch that the National Security Agency (@NSAgov) was using when I was in college and they were trying to recruit people on campus. I like that way of thinking: it’s a competition and there’s some gamesmanship about it. It’s serious stuff, but it’s also an exciting challenge- “puzzle” is one of the words you used.
Yes. When we were at Netscape, we hired Paul Kocher to help us build SSL. We needed to get the web browser to be a place where people trusted the browser enough to put their credit card information for electronic transactions. At the time, the early to mid ‘90s, that was a crazy idea.
One of the things Paul mentioned when we talked to him was that you have to treat IT security like a game, like chess. But you don’t want to design your security so that if it ever has a checkmate move, the game is over. You always want to design your systems so you at least have another move, even if it’s a stalemate. That’s a better solution than a checkmate.
Oh, that’s a really interesting way of thinking about it. And when you mentioned the credit cards, it is pretty amazing how things have changed so much. I remember when everyone was terrified of using their credit cards online.
I remember when I started doing that, I was like, “I’m more terrified of giving my card to the waiter at the restaurant, because it’s actually much more likely that they’re going to steal my credit card.”
That’s right. Yeah, that’s a crazy thought.
Well, especially thinking about what you did after Netscape, in particular.
The Evolution of Netflix to Cloud and AWS
I’m a big fan of Netflix- not only because my kids love watching cartoons on Netflix, but also because of the transition that Netflix went through. I’ve heard the operation story so many times about moving from sending the DVD in the mail to streaming, but I’ve never really heard it from the security perspective.
What was your experience, sitting in information security, watching that transition at Netflix as it moved from this very traditional physical business to a streaming business, being first in the Cloud, on AWS, etc?
By the time I started at Netflix, the company had already started the migration. We were really focused on how fast we could go. How fast can we move out of the DVD business into the streaming business? How fast can we grow that business? How fast can we grow it internationally but also grow the features?
There were several interesting patterns and anti-patterns that I learned there. One of the first days I started, they did an experiment where they took the “on-premise” web server and put it in Amazon’s cloud. It failed spectacularly.
I’d thought that someone was going to get in trouble, there were a lot of bugs in the files, but it was seen as an experiment, and we learned a lot. It was interesting because we were all trying to figure out what we could learn and what we could improve. Failure wasn’t seen as failure, it was seen as an experiment- we learned a bunch, and we improved later on.
Early on, it was a culture that appreciated experimentation, but everything had to have a hypothesis, and everything had to have data to back up your next move.
That was probably pretty uncommon at the time. Now that’s become the idea of experimentation, and data-driven decision making seems to be normal. Back then that wasn’t really what people were doing.
Right. And part of their culture deck was “We value data, we want the most informed person to have an opinion and to make a decision.” Otherwise, it just evolves into who has the biggest title, or who’s got the loudest voice in the room. That’s not really an appropriate way to make business decisions.
Absolutely. It’s a very human way to make decisions, but they’re not very effective.
The Importance of Guardrails in System Security
I remember when that was going on- everybody talked about the “no ops versus devops” thing and how Netflix played into that. What was it like being on the security side of that? How were you interacting with the teams that were working that way?
That was where I learned a really practical use of the security metaphor for guardrails. Instead of thinking of security in terms of controls, and yes and no, and beating people over the head with rules and policies, you really understood guardrails.
You thought about how to create a system that allows you to codify the security policy into it. That way, if you check in code with the right method, and if you follow the right routines, the security protects you. It’s like guardrails on a road, and in the test environment, the guardrails are really wide.
There’s a lot of innovation, a lot of chance for the developer to make mistakes because they’re probably not dealing with credit card data, for instance, or really sensitive information. They have wide guardrails. The closer you get to the sensitive and protected data, the guardrails get really tight, which means the developer has less freedom. That’s the production environment with credit card data.
Sarbanes-Oxley (SOX) is also significant for IT security: the change controls and sign-offs are more stringent and the process feels a little slower. Everyone understands why, but it’s not like there’s a one size fits all change control system. You have these varying degrees and the controls that are a little bit looser in the less-controlled environment.
I love that analogy. When I was starting out in the dev-ops area in the early 2000s, I dreaded the security people getting involved because they slowed down and restricted activity, and actually broke things on a regular basis.
That was the department of no as opposed to the department of how.
Because it’s security being an enabler and enabling the right type of activities as opposed to just restricting things.
I think part of that comes from risk or risk management. Risk is not binary. The higher up in a company you go, the more comfortable you become with ambiguity and risk. In some cases, you have less data to work with to make a decision. You become more comfortable with knowing the least amount of data you need to make an accurate decision.
If you’re new to, let’s say engineering, you’re trying to get really precise with tons of data, and you end up being slower. You make decisions more carefully when in fact you just really need to understand the worst that could happen, the best that could happen, and the environment you’re dealing with.
If I’m in a dev test environment, and I don’t care about availability, I’m not playing with production data or regulated information. I can afford for the developer to be more creative and not worry about some of these other parameters.
You make the guardrail decision based on the risk. Then you start to understand the nuances of the business impact. You understand what’s the worst that could happen if the developer’s code crashes, or if it’s open to the world for an hour while we’re trying to figure out what the vulnerability was.
That doesn’t matter as much as a production system. What am I going to do to this developer’s job if I have one security policy that says “no” across the board?
I think that’s a great way of thinking about it. I also love the way you talk about being able to make decisions with less data because I would expect that in the roles that you’ve been in, typically there’s a sense that you have all the data you need.
Protecting Sensitive IT Data
It seems to me like when you come from a security perspective, the idea that you don’t have all the data is actually baked into the whole way of thinking.
You know that you don’t have all the data, so how can you make the best decision based on the data you have at hand and try to lower the risk?
I’m going to take a quote from one of your blogs, and I want to talk a little bit about it.
“As a security professional, I can attest that the lifeblood of any company is the sensitive data that they process. Protecting this data is the charter of a company’s information security team and the responsibility of all employees who work there.”
I really like that picture of the lifeblood of a company. It seems like that’s actually something that’s changed pretty dramatically over the last few years. Tell me a little bit more about what you’re thinking when you say it’s the lifeblood, particularly with what you’re doing now with Informatica.
I think I wrote that before some of the bigger breaches that we’ve heard about. The OPM breach, and Equifax, and the companies that you literally entrusted your most sensitive information to, lost it. It got breached. There’s a myriad of reasons why. But people and other companies now make decisions to do business with those companies, wondering what they did with other sensitive data.
Consumers are making informed decisions based on if they can trust a company with their sensitive data.
It doesn’t have to be the most sensitive data. It can be mildly sensitive data. It could be information that I’m talking about freely. But in the aggregate, I might wonder, “If they treat my data that poorly, what other poor decisions are they making?”
We talk about the Facebook scandal. People are chatting back and forth with their friends or clicking on survey results. In the minutiae, all those little pieces of data and preferences are sort of innocuous.
But in the aggregate, they start becoming really important. They become very personal to people. I look at that and think about that quote. At the time, I was really focused on the most sensitive data. But in hindsight, it’s less “sensitive” data, it’s all of my personal information.
With GDPR coming out in May, people feel there are all sorts of attributes about themselves that they may not want to have shared, or maybe don’t explicitly want to share. So why would someone else release that information? I think there’s been a new awakening of asking companies how they treat our data. Again, it doesn’t have to be sensitive data. Maybe it’s just analytics, or it’s log information, or activity, clickstream data. All of that becomes valuable to companies.
There has been an awakening of people saying “How are companies treating my data?”
The companies are figuring out how to monetize that but customers don’t want all of their data shared without their knowledge. Or if it is with their consent, they need to make an informed choice about it. That’s what I meant when I said on my blog that security was the lifeblood of companies. Now we’re seeing that even the less sensitive data is still important and monetizable by companies and individuals find it personal.
Protection VS. Privacy in Information Security
For those who might be reading and don’t know what GDPR is, can you talk a little bit more about that?
GDPR is the General Data Protection Regulation. It went into effect May 25th, 2018. It’s been about two years since Europeans ratified this law. GDPR is data protection. Data privacy is what we think about in America, but it’s data protection for citizens in the EU. GDPR is about protecting that information from leaving EU soil. Data transfers, for instance. Any company that does business with people in the EU has to abide by the GDPR, and the fines are significant if you don’t.
I was talking with our chief information security officer, George Gurtail, about this a couple weeks ago. Eventually, there’s very likely going to be some big court case with a company that made a serious infraction. That makes me think of the way that you contrasted those two words – protection versus privacy.
It seems like privacy is more of a passive word describing stuff, but protection is more of an active word – making the point that they are going to actively protect people’s data. People have to ask for the right to be forgotten. It’s a much more active idea about data privacy than maybe we’ve had before.
Certainly, from an American’s perspective, I agree. I think it’s an awakening across the board that understands that the regulations the Europeans are putting in place, privacy is an innate right for a person.
That’s not the American belief, and I think people are starting to realize what that really means when they lose access to that data. They don’t want to have all of these online services for free in exchange for their private information.
Do you feel like some of that’s because of the way we developed internet services here, and the expectations we have for that, or is it really because of the way Americans think about it? Why do you think there is such a difference in the public perception of privacy of data?
I’m not really sure, to be honest. I think a lot of private information was used inappropriately in Europe years ago, and people have seen the ramification of using that information to target people. In the American economy, in exchange for receiving ads, we are getting additional services. As the marketers want to figure out how to target that person more efficiently, they want more information about their demographic.
The marketers would love to get information to identify a person or a class of people. This is where they start to gather information and then use that to more efficiently market to people in exchange for services.
Facebook doesn’t cost me anything to join. Back in the day, AOL was $15 a month. Someone has to pay for this, and I’m paying for it somehow. In the current internet generation, we pay for things by giving them access to our behavioral information.
I always wondered how much of the money that AOL charged went to making those CDs that they would mail everyone.
I remember getting so many of those that I made decorations with them- I’d put them in the microwave in the lab to get pretty colors and hang them from the ceiling.
Well, at the time, we had to buy thousands of modems and keep them in place. There were racks and racks, and buildings full of modems that we had to pay for. So, I’m sure $15 a month paid for a lot of modems, too.
I think data is core to a company’s business, in the sense that it’s a positive thing; this is the way they are able to provide better services. But then it seems like that analogy takes on a sinister effect.
It’s like our private data is the lifeblood of their financial model. It’s driving their business. There was a long period of time where I wasn’t thinking about what I was clicking on Facebook. I’m in the industry, and I know a lot more than the normal person about what I should do to protect my data, but I didn’t spend a lot of time thinking about what data was being gathered on me.
It seems there might come a point where there really is going to be a reckoning around how this works. Our sense of having free services versus these companies making billions of dollars off of our data that wasn’t necessarily given freely.
To take the less sinister view, a company could be a completely legitimate Cloud service provider, and they’re providing information and services to their customers. Now what customers or what companies are realizing is that because of this digital transformation wave, there’s a lot of data about usage that is data in itself, the metadata.
Now they can use that data to figure out how to give better services to my customers. They can start to mine that data and split up customer segments into sub-segments. Then they can realize that if this particular customer is behaving like that other customer, but those customers don’t have the same services, there’s an opportunity to upsell.
Now metadata becomes more interesting, more monetizable to companies. They realize that all the stuff that they used to not track is actually very valuable. Now you can start to make a business out of this behavioral data. It’s not for sinister purposes, it’s for completely legitimate purposes. We just didn’t have the log management or analytics before.
The positive spin to put on this is that we in the enterprise software business have an opportunity to learn from that experience in a positive way.
I’ve spent a lot of time with customers showing data about their usage and showing them what they can do. I remember having this discussion where we were looking at a particular customer and the type of searches they were running and this one guy had, for some reason, searched for God.
You know, capital G-O-D. Well, I made a joke about it. I was like, “Did you find God? How did that work out for you?”
He was not amused by that. And it kind of occurred to me that he didn’t realize that metadata is going somewhere. There’s a very fine line between the creepy and the helpful.
Being able to walk that fine line is going to be a challenge for this kind of data-driven business going forward.
The public expects a Cloud service provider to protect their data. At the same time, the company has to figure out how to use and mine the data. If it’s encrypted and “safe,” and no one can use it, it’s really not valuable. So, there’s a fine line.
Again, we talked about guardrails and we talked about policies. There has to be a fine line or distinction between doing something with the data but knowing who is authorized to use it. That’s where security versus privacy come in: they sort of butt heads. GDPR has something like 35 references to the word “security” in the regulation.
Although it may be a data protection privacy regulation, there are a lot of security requirements there. Companies now have to figure out how they have a viable business model. They take all of this data, sensitive or not, and they have to protect it. How do they monetize this in a unique way to be competitive?
I don’t know what you’re seeing in your sphere of influence, but I don’t get the feeling that a lot of companies have really come to grips with that yet. There’s probably going to be some mad chaos in the next couple of months.
And a lot of this is based on precedent and case law, it’s really untested. A lot of the lawyers I talk to are just waiting to see what happens. Are there people staging lawsuits and investigations to figure out who’s not compliant with the law when it’s a brand new, untested law?
That’s a lot like some of the antitrust stuff that went on with Microsoft and Google a long time ago. You have to establish the precedent.
Artificial Intelligence and Information Security
Talking about where this is going in terms of taking customers’ data and metadata and seeing what their behaviors are to help them, a lot of conversations come up about artificial intelligence and machine learning.
You really want data sorting to be automatic, you don’t want somebody looking through it. You might think that it’s safer because it’s a machine looking at it. But then, maybe not.
It goes back to that guardrail discussion: what do those guardrails look for in an automated algorithm behind the scenes? How do you think that’s actually going to play into this whole discussion?
Obviously, there are benefits to the speed at which computers operate on data. But the challenge with traditional computers versus AI is that we’re all comfortable with automation. We’re comfortable with computers automating repetitive tasks and doing them more efficiently.
The challenge is with traditional computers. There are humans writing the code, so when it breaks or even when it works, we understand what happened. We’re getting to the point now with artificial intelligence where we’re creating algorithms that then evolve and form new patterns.
In some cases, they make decisions that we don’t understand. The creators of some of these AI routines don’t understand the conclusions that the algorithms are coming up with. Couple that with the speed and the pace of innovation, and very soon we’re going to get to a world where the computers are literally making decisions that we don’t understand.
It could be the right conclusion, but we don’t understand how AI got there. Depending on what the sphere of influence this machine has or that AI algorithm has, it could have a profound impact.
If machine learning determined how to best drive a car, do we really understand what it’s optimizing for? And what about other, more complicated, complex system-to-system interactions?
I worry that we don’t understand the failure modes. We don’t understand the guardrails that the system is willing to live within, to stay within. That’s concerning to me. Because it sounds like we’re having fun innovating, and we’re getting some benefit to it, but it’s getting to a pace now where scientists don’t understand what AI did. They don’t understand how it got there.
If we keep innovating down that road, what are we actually trying to accomplish now? That’s one of the areas of concern. When I was in venture capital looking in the security space, someone asked me, “What’s the most impactful innovation or invention in the security space in the last five or ten years?”
And people were expecting this box, or that appliance, or Cloud computing. My reply was, “APIs.”
APIs were the best thing to happen to security because now we don’t have people clicking on GUIs or installing physical boxes in order to keep up with the size or the velocity of growth in a data center.
Now the security teams get to actually keep pace with the innovation from developers of software because everything is becoming software. Ten years ago, it was the dark days of security where everyone was on VMs and we were still trying to sniff the network traffic and figure out what was on these boxes.
APIs and automation give the security team a fighting chance. We have that at our disposal, and if we can apply machine learning and AI to our systems, we can at least keep up with what the bad guys are trying to do. But in the end, if we start applying AI to both sides of the equation and we start losing control, it’s really unclear what way things will go. How can we impact a system that’s essentially fighting itself now?
It sounds like some sort of war of robots where they decide who’s going to be our overlords.
Someone said recently, “All AI and ML discussions talk about AI, AI, and then it devolves into Skynet.”
Then the discussion is over. But we don’t want to just think about a dystopian future.
I would encourage anyone out there who is working in this area to think about this: how do we force the machines to tell you how it got to a decision so that we are still in control? We need to have a way to influence the system and the network.
How do we force the machines to tell us how it got to that decision so we are still in control?
Even the guys who write the code don’t necessarily understand the steps that the algorithm went through to actually arrive at the conclusions.
Yeah, which is both exciting and kind of a little terrifying at the same time.
The Future of ITSec and InfoSec
I love the title chief trust officer. I think that’s really great based on everything we talked about, because it really is about trust, particularly trust in companies, in this day and age. What are the challenges you think you’re going to be dealing with over the next year or two? What’s your focus?
As chief trust officer, I look at a couple different vectors. I have two main roles – I have availability and I have safety and security. I keep the data safe, keep the system’s integrity intact. Those are the two main areas of focus. And Informatica is going through a transformation. We’ve been in the Cloud space for a while, but we’ve had one small offering, and we’ve been slowly building it.
We’ve been largely selling on-prem software. Now we’re taking all of that, all those products and features, and turning them into software features on a platform in the cloud. One of the big things I worry about is just availability. How do we build the Cloud fast enough to keep up with customer demand for Cloud services?
How do I bake all the right guardrails and security controls into these new transforming business processes and development processes that the developers and the product teams are trying to build and evolve? We have a growing customer demand. We have an ever-increasing footprint in the complexity of our Cloud.
The biggest thing I worry about is how can I keep pace with the developers and their innovation on those vectors of availability and safety. There are lots of lessons learned from Netflix and from other folks, but putting it into practice and helping a company transform its culture to understand the value of those vectors, that’s really a challenge. Actually, it’s what gets me up every day, and it’s pretty exciting.
Helping a company transform its culture to understand the value of security is what gets me up every day.
Culture trumps strategy. If I can’t win the hearts and minds of the developers and the executives on a cultural level, what we need to change together – tactics and policies, all that stuff just seems like big friction when it’s at the cultural level. When it’s not even top down, but it’s at the cultural level of the company. That’s when it resonates with everyone and it becomes much, much more synchronous. It’s a much better way to work together.
It’s a real challenge to be able to figure out how to move culture, and how to work with the teams. But when you’re operating at that higher level of principles, as opposed to arm wrestling and the security team of “no,” that’s a much more fun challenge.
You sound like you got your work cut out for you.
Yeah, it’s good. Like I said, it gets me up every day. It’s fun.
Thanks, everybody, for listening to the Masters of Data podcast.