PreVeil Drive is a cloud service that lets users encrypt, store and share their files for CMMC compliance and personal use. Unlike other cloud services such as Dropbox and OneDrive, PreVeil uses end-to-end encryption, so that only the intended recipients hold the keys needed to read a file.
In this episode of The Virtual CISO, we interview Sanjeev Verma, Co-Founder & Chairman at PreVeil, about using their tool as a mechanism to compress the timeframe and level of effort needed to move towards CMMC Level 3.
What we talked about:
- PreVeil Drive as both a file exchange mechanism and a security mechanism.
- How PreVeil Drive improves access control and configuration management.
- How PreVeil Drive leads to greater improvement in security scores.
This transcript was generated primarily by an automated voice recognition tool. Although the tool is about 99% accurate, you may find some small discrepancies between the written content and the native audio file.
Narrator (intro/outro) (00:06):
You’re listening to the VirtualCISOPodcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no-BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry (00:25):
Sanjeev, good afternoon, sir. How are you today?
Sanjeev Verma (00:29):
I’m very well, John, as always good to be with you.
John Verry (00:32):
How do you feel about the glory of being only the second second-time guest in the history of the VirtualCISOPodcast? I mean, this is an honor that not just anyone gets.
Sanjeev Verma (00:49):
You know what? I’m honored [crosstalk 00:00:49] I think the world of you and of your organization. So it’s not only an honor, but it’s a pleasure to be here.
John Verry (00:55):
That’s why I like Sanjeev so much, folks, because he lies well. You couldn’t even tell that he was lying. That’s how good he is.
Sanjeev Verma (01:02):
I did not. One of the few things my wife would say about me is that he doesn’t lie.
John Verry (01:10):
I think that’s probably one of the few things my wife would not say about me. All right, for those of you who have not listened to the first podcast I had with Sanjeev, I would encourage you to go back. It’s probably been almost a year now. It’s crazy how fast time goes. But even if you did listen, just to remind you who Sanjeev is, Sanjeev, can you tell us a little bit about who you are, and what is it you do every day?
Sanjeev Verma (01:33):
My name is Sanjeev Verma, I’m co-founder and chairman of PreVeil. It’s a cybersecurity company born out of MIT, I’m based out of Boston. And we build end-to-end encrypted email and file sharing systems that are, I’d say, incredibly popular right now for storing and sharing controlled unclassified information and other sensitive data in the form of electronic mail that’s integrated into your Outlook and Gmail, and through a file sharing system we call PreVeil Drive, which looks very much like a Google Drive or OneDrive, and it’s integrated into your file systems. We’re a Boston-based company that delivers these systems, and we try to make security top notch and compliance easy and inexpensive for companies.
John Verry (02:26):
Cool. And before we get down to business, we have a tradition of asking what’s your drink of choice? Now if I recall correctly, you and I had a long conversation about wine the last time. And if I recall correctly, you never sent me the bottle, well never mind. Never mind. Still drinking wine as your drink of choice?
Sanjeev Verma (02:43):
I am. And I’m actually going to say that when we last spoke, we were going through COVID, we still are. And so one of the indulgences that kept me going was that I discovered in your neck of the woods in New York City a fabulous wine merchant, and I’m going to name them, they’re called Chambers Street Wines. And I struck up a good relationship with David Lillie and Jamie Wolff, who are the founders of this incredible wine shop in New York. And I just called him out of the blue and said, “Listen, I’m interested in experimenting with some red wines.” And I tell you, David is a superb expert in French wines, and wines from Burgundy, and from the [inaudible 00:03:30] and the Rhône.
Sanjeev Verma (03:32):
But what I particularly like is that he advocates for sort of bio-organically grown wines from lesser known producers. And none of these are name-brand things, they are wines that he truly loves. And Jamie Wolff does the same for Italian wines. So I was really privileged when I just gave them a carte blanche and said, “Why don’t you just ship me wines?” And lo and behold, I ended up with several cases from them, because I loved them so much. And I think they’re the real deal.
Sanjeev Verma (04:02):
They are authentic, they are passionate about what they drink, and care about what they’re sharing. So I actually learned a lot about new types of bio-organic wines. I hadn’t drunk a Rouvre, for example, and I found that that’s a great addition to my wine drinking behavior. So I had a great time.
John Verry (04:28):
That’s funny, when I was in Italy, we did a trip, unfortunately a number of years ago now because time goes so fast, and you can’t travel right now. But we went through Florence, Castagno, Chianti and then down towards Montepulciano and that area, and drank some fabulous wines. And we actually spent time at a bio-organic one that was completely off the grid. They don’t use any energy. They would sell Salctdo, S-A-L-C-T-D-O or something like that. But yeah, I ended up having a case of wine shipped back. It was very good wine. It wasn’t like the best wine that I drank there. But it was just such a cool story to see them.
John Verry (05:05):
They did this really cool thing where they cask the wine and they vat the wine. They had this patio area, and then they had these Fresnel lenses, like these mirror tubes that went down like 20, 30 feet into these rooms, so that they wouldn’t have to put any lighting in. So the only lighting was through these really cool lighting tubes, as they referred to them, because that was one of the ways that they were able to conserve energy. Anyway, we’ve gotten off on a huge tangent like you and I have a tendency to do.
Sanjeev Verma (05:37):
I have one more thing to add to the tangent. I learned from my conversation, since you asked about wine, what’s the right way to decant and drink a Barolo? And I’ll leave you with this. I was stunned that if it’s a 20-year-or-older Barolo, open it four hours before and decant it. But if it’s less than 20, counter-intuitively, it’s fabulous if you open it up seven hours before, which is mind boggling, and I tried it and I truly enjoyed it, and end of tangent, but I thought it was the best advice because otherwise Barolos are hit and miss. But thanks to Jamie at Chambers Street, I truly, truly enjoy my Barolos, including some of the young ones, by just decanting them about seven hours before.
John Verry (06:24):
Yeah, Barolo’s an excellent wine. Barolo and Barbaresco, they have the same, I don’t know what the right word is, the same grape, I think it is, yeah.
John Verry (06:34):
And what is it?
John Verry (06:37):
Nebbiolo, yeah. I don’t know that I’ve ever drunk a 20-year-old wine, to be honest with you, Sanjeev. So you run in different circles than I do. So with that out of the way, let’s get down to really what the business is. So the white paper that I’m kind of showing there, you guys were kind enough to share a copy with me. And it’s funny, I looked at that white paper and I started, I’m a big fan of Vilfredo Pareto, you probably know who he is. Italian economist and engineer. And he’s famous for the Pareto principle, right? His first observation was that 20% of the wealth, excuse me, 80% of the wealth was held by 20% of the people, that was one of his first observations.
John Verry (07:16):
And then what he realized is that this 20/80 ratio seemed to happen all over the place. 20% of your business, 80% of your business comes from 20% of your customers. 80% of the food that’s served in a typical diner comes from 20% of the items on the menu. 20% of the roads in the morning have 80% of the cars on them. But one of the beauties of using the Pareto principle, the 80/20 rule, is if we use it intelligently, with 20% of the effort we can achieve 80% of the result.
John Verry (07:46):
And when I looked at your white paper, it struck me as Pareto. Did I miss the boat? And can you talk a little bit about what you guys were able to find when you kind of looked at this idea of using PreVeil as a mechanism to shorten, if you will, or compress the timeframe and level of effort it is to either improve your 171 score, or move towards CMMC Level 3.
Sanjeev Verma (08:11):
John, much like Pareto, I’m a firm believer that the best way out of complexity is simplicity. And you want to simplify things, but not make them too simple. I mean, I’m not saying simplistic, but simplify things to get the optimum results. And there’s so much conversation going on right now about NIST 800-171, DFARS self-assessments and CMMC. But the essence of those programs, if you step back and simplify, all revolves around protecting controlled unclassified information in a manner that is not afforded by existing, commercially available systems.
Sanjeev Verma (08:55):
Because think about it, if you were able to store controlled unclassified information and share it using the existing popular systems like Office 365 Commercial, or Google, etc., there would be no problem, there would be no attacks, etc. So if the goal is primarily to go and protect your controlled unclassified information, and the objective is simplicity, how do we do it? And this paper’s all about describing how PreVeil is a simple overlay over your Office 365 or Exchange or Gmail systems. And its sole purpose is to protect your CUI in the form of electronic mail communications, and storing it in files and folders that you collaborate on.
Sanjeev Verma (09:46):
And the act of a simple overlay, and I call it simple because it’s simple to deploy, simple to use, and quick to deploy, leads to, as this white paper was showing, on average 40 points of greater improvement in your self-assessment scores and your security scores. And that’s what this white paper is about. So it’s an action that you can take in a matter of hours. And that action can lead to one of the biggest gains when it comes to your self-reporting scores, which for most organizations often hover around either negative or too low, certainly less than 50 points.
Sanjeev Verma (10:30):
And if you are to become NIST 800-171 compliant, you need to be getting to 110. And if you want to be on CMMC Level 3, there are another 20 controls beyond the 110. So you’ve got to be perfect in NIST 800-171, and PreVeil is one of the simplest, quickest and most painless ways by which you can achieve that remarkable improvement in scores. And when I say remarkable, I’m actually going to follow up by actually substantiating how.
Sanjeev Verma (11:04):
So this white paper that you’re showing showed a hypothetical user or company that was self-assessing, and then it used PreVeil and you saw that they gained 11 points through access controls, config management another five points and so on, for a total of about 40 points. But since we wrote this white paper, a PreVeil customer which was pretty similar to the one that we described actually went before a DIBCAC auditor.
Sanjeev Verma (11:35):
So there were five auditors from DIBCAC, DIBCAC is the Department of Defense’s audit agency, and five auditors conducted a thorough audit on this SMB. And they came up with a near perfect score, which is epsilon close to 110. And so I’m quite excited to share that what we shared in this white paper is now being validated in real life, and let’s talk more about that as we go through this conversation.
John Verry (12:04):
So you must be a fan of, I think it was da Vinci that said, “Simplicity is the ultimate sophistication.” And then I think it was Einstein who said, “Make it simpler, but not simplistic.”
John Verry (12:16):
I think that was his line, or something similar to that.
Sanjeev Verma (12:19):
Something very similar. I’m a huge fan of Einstein’s and a big believer in this. Einstein was an enormous giant, who was able to, in the form of a simple equation, tell us what reality is, and how the planets move and how the Earth moves around, and how gravity itself is. And to be simple requires deep understanding. Simplisticness is basically making off-the-cuff sort of observations not grounded in depth. Whereas what Einstein was able to do, and what most people who strive for simplicity are doing, is trying to truly understand something, and when you truly understand something very well, you have the ability to simplify it. And that’s truly what’s beautiful in really how the universe works.
Sanjeev Verma (13:17):
Because it is simple that the entire universe has the same laws of physics that apply on Earth. So it’s not a complicated universe where it’s so huge and everything is different everywhere, but it’s the same laws that apply. And similarly, through deep understanding, we strive for simplicity. And in our little way, we’re trying to do that for security and for compliance.
John Verry (13:40):
All right, so let’s talk about that. So you mentioned here that you provide value in five domains. So just to be clear, we’re talking about deploying PreVeil, and deploying in a model where it is being used both as a file exchange mechanism, and a security mechanism, correct?
Sanjeev Verma (13:57):
Correct. And when you say file exchange, it implies that it’s for exchanging files, but I want to clarify, it’s not just for exchanging files, it’s also for storing files and for collaborating on them. So in the PreVeil system, if you have a file, and I’m collaborating with you, you and I can work on that same file, I’ll get your edits, you’ll get my edits, etc. But I can share my files with you. And more importantly, for compliance, if I want to, I can revoke that access with a right click, or I can give you limited-time access, so that I can share with you, for example, for a three-month relationship, and at the end of it, the information disappears. So just a little color on how you describe the email and file exchange system.
John Verry (14:42):
Cool. So in terms of an example with access control, can you give me a little idea, like when we talk about access control and configuration management, some of these areas, how does PreVeil actually provide those improvements?
Sanjeev Verma (14:55):
So when you look at CMMC as an example, there are 17 domains in CMMC. And those 17 domains span 130 controls. And so on the path to CMMC, NIST 800-171, by the way, is step one. So if you think of CMMC as the peak of Mount Everest, which is 29,000 feet high, NIST 800-171 is probably 28,000 feet high because you’re [inaudible 00:15:22]
John Verry (15:22):
It’s like Basecamp Three, right?
Sanjeev Verma (15:27):
It’s actually summit camp, probably. But when you simplify it, again, the essence of these programs is about storing and sharing controlled unclassified information in a manner where it is substantively better than the systems that you’re used to, which means that you’re using encryption a lot. And you are using sophisticated means to access information, as an example. In the past, we were using passwords, those passwords became more complex and we added two-factor. So let me show you how PreVeil does it.
Sanjeev Verma (16:13):
So when you look at these mechanisms for access control, etc., in PreVeil, there are no passwords, you access the system through encryption keys that are stored on your devices, which has two benefits: you can’t guess the key, unlike a password, because the key is like the atoms in the universe. And since the key is tied to your device, you cannot access the system remotely. And the user doesn’t have to do a thing. It just happens automatically when you join PreVeil.
Sanjeev Verma (16:43):
And I’ll give you an analogy, most people that are listening are probably familiar with Signal more than PreVeil. So in Signal, it’s a similar concept, you join the system in a matter of minutes, it creates a key that’s tied to your device. And now only you can access your information and no one else. And so remote attackers can’t do so. So similarly, PreVeil uses a system of passwordless access through keys, and it radically improves the way in which you can basically go and access your information.
Sanjeev Verma (17:19):
There are rich sharing permissions in terms of providing access to the person you share information with, in terms of, jeez, can you just read the information? Or can you edit it and read it? Can you share it further? Or can you just view it without any download? So it’s a series of capabilities that PreVeil provides, in terms of cryptographic mechanisms to protect your information, cryptographic mechanisms to share that, and cryptographic mechanisms to access it, all of which is built in with the user not needing to know anything about the cryptography underlying it, that provide you with the benefits over here.
John Verry (18:04):
Got you. So that was pretty good. And as we were chatting, I kind of was following along, I think to some extent with the access control portions of the tables that you guys had put in there, which I think did a good job of explaining that.
Sanjeev Verma (18:16):
Look at this as an example, if you could scroll up over here. You’re seeing over here Access Control 3.1.13, employ cryptographic mechanisms to protect the confidentiality of remote access sessions. And so here, again, you’re seeing that PreVeil, again, uses end-to-end encryption, which protects the confidentiality of the information such that only the sender and the recipient can access it, such that you know that only authorized devices can access it, etc. And so this is an example of how the system provides you with the additional scores.
Sanjeev Verma (18:54):
But the beauty of it is you get all of it just by the act of deploying it, and using it as your file sharing mechanism for CUI, and sending and sharing emails, again, through Outlook and Gmail, which is what you’re used to.
John Verry (19:09):
Got you. So what I like about PreVeil is you get a lot of this value, but for a relatively low investment of effort. So in this Cisar example, or the company that you’re going to be putting out the broader white paper on, talk a little bit about what it took. This was a what? 250-person company, I think you were-
Sanjeev Verma (19:32):
In this case we did and the actual customer of ours that went before DIBCAC is under 100 users.
John Verry (19:40):
Okay. So talk about, so this 100-person company bounces their score up by 30, 40 points, some significant amount, how long did that take them? What was the level of effort? What did it involve?
Sanjeev Verma (19:52):
So this firm that actually achieved near perfect NIST 800-171 scores did a few things right. One, they worked with a consultant that gave them an early start. So they developed a nice SSP, the consultant looked at their strengths and weaknesses. And when it came to CUI, the consultant said, “Look, we would recommend that you go with a PreVeil system.” And the actual act of deploying PreVeil onto the customer’s network was a few hours. And our onboarding team onboarded them. And you might say, “Well, that sounds too good to be true.”
Sanjeev Verma (20:42):
But there is a technical reason why you can be onboarded in a couple of hours as an enterprise. And the reason is because the PreVeil electronic mail and file sharing system, even though it’s fully integrated with your file system, and mail with your Outlook and Gmail, etc., is not actually touching your Office 365 Commercial, etc. So the actual onboarding can occur and you can be off and running with PreVeil in a matter of a few hours.
Sanjeev Verma (21:12):
And from that point on, you do two things. The first step that you take is you take your legacy CUI data, drag and drop it into your PreVeil Drive, which is just a series of folders on your computer. And then you can go and right click and share them with whoever you want to. But the actual onboarding is a couple of hours, and then you take control of your legacy data. And that can vary by organization, it can be a few hours, or it could be days, or it could take a few weeks if you’ve got a ton of legacy data and you want to just basically drag and drop it, because you’ll just do it at your pace, that can be [inaudible 00:21:49]
John Verry (21:50):
And just to be clear, because you said you’ll drag and drop it on your computer, you’re not technically dragging it and dropping it onto your computer, you’re dropping it into a folder. But that folder is actually, that data is being stored in an AWS FedRAMP environment, correct?
Sanjeev Verma (22:08):
You’re absolutely right. So when I gave that simplistic answer, and [inaudible 00:22:13]
John Verry (22:14):
I just wanted to make sure that we weren’t being too simple and somebody wasn’t going, “Wait a second, I’m going to keep all these files on my own computer? Maybe I need a bigger computer.”
Sanjeev Verma (22:27):
No, what happens is, so when you join PreVeil, a master folder is created and it’s in your file system. So if you’re in a Finder or an Explorer, you’ll just see the PreVeil drive over there. And if you want, you can drag and drop your CUI into this PreVeil folder so that you’ll have your subfolders, because you’ve dragged and dropped it. Or you can create new subfolders and take files, etc., and drag and drop them in.
Sanjeev Verma (22:56):
When you drag and drop a file, it gets automatically encrypted and uploaded. And there is a cloud version of it that is stored, as you correctly point out, on Amazon Web Services GovCloud, which is a FedRAMP High, Impact Level 4 or 5 cloud, and that’s the master copy. When you change anything on your end, it will be synced with that. But the nice thing is, since the system is end-to-end encrypted, all that is sitting on GovCloud is an encrypted copy. And neither Amazon nor PreVeil can look at it, and so neither can the attacker.
Sanjeev Verma (23:33):
So we have now seen recently where you saw even a sophisticated server like an Exchange Server got breached on a massive scale, 250,000 servers, 30,000 organizations. And the way the breach occurred was exploit a vulnerability, get to the server, and since the server can see the information, so could the attacker. The end-to-end encrypted PreVeil data that’s sitting on AWS GovCloud, since it’s end-to-end encrypted, the server sees nothing. So in the event that either an attacker gets to the server, or an Amazon admin is breached, or an admin at your end is breached, or a PreVeil admin, nothing is visible because we have no access to the information whatsoever.
John Verry (24:19):
Right. Well, just to be clear, the data is visible, the data is just locked with a key that the folks that can see the data have no access to that key. So they can’t unlock it so there’s no way that they can actually read what’s in the file, correct?
Sanjeev Verma (24:36):
That is correct. So when you say it’s visible, I want to make sure that we’re clear that the cloud version of the data is an encrypted file. So it is gibberish, basically, to anybody. You will just see a bunch of garbage over there. But of course, when the end users are looking at it, to the end user it will just look like a normal file. It looks no different at all than any other file on your computer system.
John Verry (25:04):
Right. Yeah, I mean, I think this is one of the things that we talk about a lot with folks as they move to the cloud is and they’re like, “Well, that’s encrypted.” Yeah, but where is the key?
John Verry (25:14):
Right? I mean, at the end of the day, whoever has access … So what you’re basically saying is that passwords are keys in a way, and the fact that I have a password to a file, if someone can get access to my password, that means they have the key to unlock the file. What you guys are doing is putting a direct token on each of the individuals’ devices in such a way that that person doesn’t know about that token, and an individual, I mean, I guess, in theory, there would be an attack where somebody, if they garnered access to the device, could configure them. But I mean, you’re talking about a solution which is about as secure as a solution I can envision at this point in time.
Sanjeev Verma (25:51):
It is. And in fact, last year, when you and I spoke about it, I was the excited kid on the block who’s saying, “Look, John, the future of data protection lies in systems that don’t trust the server, that don’t trust the administrator, that don’t trust passwords. And this is the future.” But we are in a completely different world today than when it was me saying it at that time. And I was saying this because that was state-of-the-art research from MIT and Stanford and Berkeley.
Sanjeev Verma (26:25):
But in response to the SolarWinds attacks, in response to the Microsoft Exchange Server attacks, the NSA came out clearly and said, “Look, the existing methods for security rely on perimeter defense, and they are made up of disjointed pieces of security and access controls, and they will not work. And so we,” and I quote, “strongly recommend zero trust systems, which assume that the attacker will get to the server, which assume that the attacker will get to your password, which assume the attacker will get to the admin.” And that’s the NSA’s recommendation from February 25th. And now the DoD is saying it’s their number one priority. And that’s exactly what’s happening over here, which is that everything is encrypted all the time. But to the user, it is all behind the scenes.
John Verry (27:28):
Right, it’s transparent. I mean, they don’t even realize that and [crosstalk 00:27:33].
Sanjeev Verma (27:32):
They don’t realize that it’s all happening in the opposites, yeah.
John Verry (27:35):
Yeah, I run PreVeil, because we would not potentially recommend it to someone if we didn’t have any first-hand experience with it. So I use PreVeil, and like you said, you would never know that you’re using encryption.
John Verry (27:50):
I have another email or inbox, I go there, I send a file out, I send an attachment out, I send an email out, and it’s encrypted, and that’s all there is to it. And when I get a file back, I know that it was encrypted but have no idea that it even happened.
Sanjeev Verma (28:07):
And that’s the beauty of it, that again, I point to systems that people are familiar with, probably. A lot of people in your audience are familiar with WhatsApp, and perhaps Signal. And these systems embody the same principles that I’m talking about. They don’t trust the server, everything’s encrypted from the sender to the recipient. There is no password on these systems, it’s a key-based password that is attached to your device. But yet a billion people use it, because it’s happening behind the scenes, you never thought when you used WhatsApp that you’re using a state-of-the-art encrypted system.
Sanjeev Verma (28:48):
And you don’t think the same way when you’re thinking about Signal. And that’s the same thing with PreVeil. It’s all happening under the covers. And the guiding principles of the company are a zero trust attitude to security, assume everything will be breached, including PreVeil. And the second is make it very, very simple for the end user.
John Verry (29:11):
Got you. So we can turn on PreVeil with a day’s worth of effort or less, and we’re banging the heck out of a lot of the more challenging elements of CMMC. And one of the things you and I had talked about when we had this idea for the podcast was it reminds me of the way that a good SIEM-style solution can provide pretty much the same value proposition, where with 20% of the level of effort we’re able to generate, let’s say, 80% of the value, or cover about 80% of the controls. I think that’s a pretty good example.
John Verry (29:43):
So one of the products that I particularly like for smaller organizations with CMMC is what used to be AlienVault. Now it’s referred to as USM Anywhere, which is AT&T Cybersecurity. They’ve got a really slick solution, and what I like about it is that not only does it package in your SIEM capability, but it also packages in asset discovery and asset management, and you can do vulnerability assessments through the tool, network IDS, some behavioral monitoring, I talked about the SIEM and log management.
John Verry (30:17):
It even has what they refer to as Open Threat Exchange. And what’s cool about that is that literally you can get someone up and generating events and alerts and running scans and seeing data in their environment, like literally in hours, right? And you can begin to really optimize the solution over the course of days or weeks. Which, from a complexity standpoint, is pretty remarkable. And what’s cool is that it touches on 15 to 17 domains of CMMC.
John Verry (30:47):
You get a sense here of this little picture here, you can kind of see that it hits about 80 of the 130 controls, either directly or supports. The blue is what it supports, that’s about 48% of the controls are supported by that. What I mean by that is that those type of controls where it says, let’s say, separation of duties. It doesn’t directly separate duties, but you can use it to validate and monitor, validate that the separation of duties is occurring, monitor and make sure that nothing changes. And then most importantly, I think with CMMC, is it’s critical that you generate the artifacts that you need to be able to pass an audit, right?
John Verry (31:29):
Because an auditor has a responsibility to look for habitual and persistent execution of controls, and they need two forms of objective evidence for each of the 130 practices. So with a SIEM solution of this nature, you’re literally looking at 60%, roughly, of your controls that you can actually use it to either directly implement or validate that they’re actually operational. If you kind of break it down based on the different domains, you get a sense of really how much coverage you get. As you might imagine, the domain around audit and accountability is largely addressed completely by the tool.
John Verry (32:06):
And then a lot of the other ones are really supported, and a couple of domains, of course, it has no impact on. So when I was thinking about what you do, and I was thinking about what this does, to me it sounded like a very similar story. And I thought the idea of somebody who’s sitting there with this overwhelming task in front of them, who could look at your product, could look at this product and say, “Wow, I can knock out an awful lot with a minimum amount of effort.”
Sanjeev Verma (32:35):
I think that’s very well said, and I was actually a few weeks back speaking to Barmak Meftah, who was the CEO of AlienVault, and I’ll be sure to mention to him how you’re a fan of his product. But it shares the same philosophy, that a simple onboarding process gets you in substantial compliance, and again, with PreVeil, we have our white paper that goes through and shows you how, providing 85 of the controls, how do we support it? And what’s the language that you need from us on substantiating that support?
Sanjeev Verma (33:21):
I’d also say that you made a very important point about the artifacts. So one of the lessons that we learned from the DIBCAC audit, and the consultant that worked with us with a customer was Jose Nietos, Dr. Jose Nietos of PC Warriors, he did a remarkable job in being prepared for and addressing needs for additional artifacts if they were asked for by the auditors during the audit process. And it was in no small measure due to these efforts that the end result was so remarkable, to get a perfect score.
Sanjeev Verma (34:01):
And basically, I think, John, what you’re showing over here is that a few core systems, a good SIEM system, a good CUI storage and sharing system like PreVeil. And I personally also feel a couple of other rudimentary things. For one, a strong antivirus client based system, and some attention paid to two factor authentication. If you basically take care of these four products slash capabilities, you’re well on your way to compliance. And the rest of it is working with entities like yours, to make sure that you have a systematic program, selecting the right artifacts, providing the right documents, and demonstrating that you’re doing what these products and capabilities are enabling you to do.
John Verry (34:51):
Yeah, well said. I mean, I think the only other thing you might add to that list might be some type of MDM if MDM is in play, but I agree with you completely. That’s that whole idea of kind of recognizing where with minimal effort, we can return maximum gain. And I think PreVeil is definitely an excellent solution to do that. We have multiple clients that have implemented PreVeil to this point all thrilled with what they’re doing, all very, very happy with how the level of effort was very little compared with the return on investment.
Sanjeev Verma (35:29):
Well, we’re pleased to hear that and more to come.
John Verry (35:32):
Yeah, excellent. So anything else? I mean, you live in the same world I do every day, and I probably spend more time these days talking about CMMC and 800-171 than I do about any other standard. I know you right now, it’s probably 90% of what you deal with every day.
Sanjeev Verma (35:50):
John Verry (35:51):
Anything else you want to touch on? Anything else that’s new and exciting out there? Anything that you’re hearing? Any insights you might give the audience?
Sanjeev Verma (36:00):
I think that, I personally am very excited by the real world validation of the content of these DFARS and CMMC white papers being actually validated in a real DIBCAC audit. Proving again, definitively that the path to compliance doesn’t need to be extraordinarily hard, you can achieve security and compliance in a relatively straightforward manner. But I don’t want to imply obviously, that it’s a piece of cake. I mean, there are a few things that I will say, start early, start the planning process, and work with a competent guide.
Sanjeev Verma (36:40):
I will also say that I use the analogy of Mount Everest. And even if you are a fit person, nobody should attempt to climb Mount Everest on their own, you want to go with a team of very skilled guides. And here, this is a process that is new, there is no doubt about it that it’s complex, so you need a good guide. And that guide is a trained team of compliance experts, including the capabilities that you guys provide. So I would simply say, simple systems and competent guides and an early start is the way to get to the promised land.
John Verry (37:23):
I think that might be on your motto. It’s funny, I don’t know if you know this, at one point we had a marketing guy, and my title for a long period of time was Security Sherpa.
Sanjeev Verma (37:35):
Oh, [inaudible 00:37:36].
John Verry (37:35):
And I was thinking you kept using the word guide and I was waiting for you to use Sherpa and you disappointed me by not going with Sherpa.
Sanjeev Verma (37:45):
I didn’t know that the majority of the audience would relate to that. But I’m a huge fan of Sherpas.
John Verry (37:52):
You’ve made a lot of references to Everest. Have you ever climbed?
Sanjeev Verma (37:56):
I have climbed Kilimanjaro in Africa, which is not quite Everest. It’s about 20,000 feet high, 19,000 and change. And it was a nine day trek. And I went with a series of guides and it was a great thrill. I climbed with my family and was able to do that. I am hugely dissuaded by my family, even though I have an itch to climb Everest, because it’s just a very-
John Verry (38:24):
It’s a totally different beast. When you did Kilimanjaro, I probably have never been up above maybe 12,000ish feet skiing, I’ve never hiked that high. But I’m an avid skier. And I will tell you, you can feel the oxygen going down even from like 9,000 to 11,000, because a lot of skiing happens in that 8,000 to 9,000.
Sanjeev Verma (38:47):
John Verry (38:47):
And you’re suddenly at 11 and then you’re like, did you notice it at 20? Do you have to climb with oxygen at 20,000?
Sanjeev Verma (38:58):
No, you don’t have to climb with oxygen but you have to … I mean at 20,000 feet, the oxygen is a huge deal. And so you go with guides and you acclimatize. So what we would do is it took about nine days for the whole climb and getting down. So what we would do is once we started approaching 13,000, we’d go to 13,000 to say 15 and 16, spend a night there and then come back and then monitor our blood oxygen levels to make sure that they’re in the safe zone. But it’s the acclimatization process. I also ski a lot and the highest lift in North America is I think at Breckenridge, the Empire lift. I don’t know if you’ve done that.
John Verry (39:40):
Sanjeev Verma (39:41):
It’s about 13,000 feet. I don’t feel it personally that much. But you cannot even at Kilimanjaro at 20,000 feet just sort of go one shot. And some members of my family despite the acclimatization felt the altitude sickness and it hit them. And [inaudible 00:40:01] who it’s going to hit.
John Verry (40:01):
Yeah, I think I mean, I don’t remember for sure. I know Alta is reasonably high. It’s like 11 four, 11 seven.
Sanjeev Verma (40:10):
John Verry (40:11):
And I know that the way I became aware of it, and I thought it was really funny, was I got to the top of a lift at Park City Mountain Resort. And I think we were trying to get to something Canyon, Killebrew Canyon, maybe. Anyway, there’s two ways there because you had to hike, with your skis on your back. And he says, “You can go this way or you can go this way.” I said, “What’s the difference?” He says, “Where are you from?” I said, “New Jersey.” He goes, “That’s your way.” He said, “You’ll run out of air going that way because you’re not acclimatized to living up this high.” So all right, so any last thoughts with regards to our good friend CMMC?
Sanjeev Verma (40:53):
I think that it’s getting complex, and it’s getting real. And I was just listening to the CMMC AB Town Hall and people were yelling and screaming for all their great alternatives to GCC High, and the answer is yes. What we would like to conclude by is saying that either through you guys, you’re a wonderful forum, or by visiting WWW.PreVeil.com, you can have access to the CMMC and DFARS white papers, we are also writing a full case study on the actual DIBCAC audit, and we expect to release that by the middle of May.
Sanjeev Verma (41:37):
So these resources are available to you. And we think that again, get a great guide. Hopefully, it’s John and his team, and the resources that are provided, and start planning your journey. Because the earlier the better, you cannot cram for it at the last minute and make it, so that’s the only last piece.
John Verry (42:00):
Yeah, I agree completely. And the only other thing that I think is remarkable that we’ve learned over the last, certainly in the last couple of months is these audits are a lot more robust than I thought that they would allow them to be. When we were talking with the good folks from DCMA, John Ellis from DCMA. And they run DIBCAC, as you probably know and-
Sanjeev Verma (42:21):
John Verry (42:21):
And John was explaining what DIBCAC audits were, they were roughly 25 man days. I asked, is that what’s going to happen? And he kind of smiled a little bit and didn’t say it exactly. But yeah, we’re talking about when we’re seeing scopes come out now from some of the C3PAOs, you’re talking about 25 to 30 man days worth of actual auditing. Now, of course, some of that’s preparation, some of that’s reporting, those types of events. But these are serious audits, in most audits, you’re going to have three auditors on site. And it’s not unlikely that those three auditors are going to be on site for four or five days.
John Verry (42:54):
So this is an audit that’s unlike most audits that people have been through. And making sure that they’ve got great solutions that produce auditable artifacts, and have been fully operationalized is the only way you’re going to get through an audit with a passing grade.
Sanjeev Verma (43:11):
That’s exactly right. And I can attest to it that I have to say I was myself shocked when I actually found out the number of auditors on this SMB customer of ours. They were five.
John Verry (43:24):
Yeah, well, that’s what DIBCAC always does, five auditors for four or five days.
Sanjeev Verma (43:27):
Five DIBCAC auditors and they rake them over the coals.
John Verry (43:32):
It’s a brutal audit.
Sanjeev Verma (43:34):
It’s a brutal audit, no question about it. But the good news is that at the end of it, the fact that we were able to get our customer to a near perfect score, and I’m itching to tell you what the score is, but I’m prohibited, but it is epsilon close to perfect. And it would have been perfect but for one certificate for an appliance that they were using. But it’s a great validation for what we have been preparing for, the documents that we’ve been creating and the white papers. So the DFARS white paper is all about, hey, you can achieve that 40 points thing, and this customer achieved way more. And it was exactly as the white paper said, so the rigor of the audit. I don’t want to have these all the time, but I will say that it was a great validation for the strength of ours.
John Verry (44:26):
Yeah, especially because they didn’t audit you. You might be saying a different story if they had been auditing you.
Sanjeev Verma (44:32):
Look John, we go through them as well because I mean, we are FedRAMP baseline moderate and that’s not a walk in the park.
John Verry (44:39):
Oh my God, no, moderate is a heck of a journey. 325 fairly significant, fairly prescriptive controls. I mean, NIST 800-53 is a wonderful standard. But NIST 800-53 is a very hard standard to conform with.
Sanjeev Verma (44:56):
It is and so we last year, I mean, it took us a year to get to FedRAMP-
John Verry (45:01):
Sanjeev Verma (45:01):
[crosstalk 00:45:01] moderate.
John Verry (45:01):
It’s the standard amount of time.
Sanjeev Verma (45:04):
And I mean, PreVeil also has to have FIPS 140-2 validated encryption algorithms. Trust me, we’ve got our teams busy with the audits and preparation ourselves so that we can, again, provide that as a pass-through to our customers.
John Verry (45:22):
Okay, so the last time you embarrassed yourself, you had a brilliant appearance the first time on the podcast up until the very end, and then you stumbled very badly.
Sanjeev Verma (45:32):
John Verry (45:32):
You had failed to prepare for the question.
Sanjeev Verma (45:35):
John Verry (45:35):
So we’re going to give you a chance to come back the second time, and you’re going to hopefully get it right this time. So I’ll ask it. Give me a real world or fictional character that would make a either great or horrible CISO? And why?
Sanjeev Verma (45:49):
So I’ll give you, I’m better prepared this time and I’m going to give you an example of a great CISO and I think one that I would cringe at. So a great, so I think the late Steve Jobs would have made a great CISO. I think he was [inaudible 00:46:04], instinctively, meticulous in his attention to detail, and a champion of cutting edge, he was never satisfied with the status quo. And we are in cybersecurity, looking at evermore sophisticated attackers. And having the basic notion that anything and everything can be attacked and use the best technology to kind of get at it would have been the ethos of Steve Jobs. So I think he would have made a great CISO.
John Verry (46:37):
I’d agree with that.
Sanjeev Verma (46:38):
John Verry (46:39):
That’s really cool and CISO should dress really cool.
Sanjeev Verma (46:42):
There you go. And I will say Mark Zuckerberg at Facebook would make a horrible CISO.
John Verry (46:54):
I hope you guys are not advertising on Facebook in any way, because your rates just went up.
Sanjeev Verma (46:59):
I know, they’re an organization that is intent on making its living solely by looking at people’s information and selling every aspect of it out there. So I often give the analogy that, you know, if I was to have a party at my home, and I invited everybody for a glass of wine, and they say what a great guy, he got to his own great conversation and so forth. But I forgot to tell you that I recorded every interaction that you have, every single piece of word that was said, and then I sold it later. That’s the antithesis. So you’ve got to have a mindset that is inherently respectful of security and privacy of information. And it’s for that reason that I am unhesitatingly throwing my friend Zuckerberg under the bus.
John Verry (47:52):
Yeah, and he’s an MIT guy, isn’t he?
Sanjeev Verma (47:54):
I don’t think so. He’s a Harvard guy.
John Verry (47:57):
Oh, he’s a Harvard guy. Hold on a second. This isn’t a Harvard MIT spiff is it? Brin is from Stanford.
Sanjeev Verma (48:12):
Brin is from Stanford.
John Verry (48:13):
Because you could have gone Google.
Sanjeev Verma (48:15):
I’m a little bit kinder to them. So I was [crosstalk 00:48:19]
John Verry (48:20):
Besides, you might run some PPC.
Sanjeev Verma (48:31):
We help Google customers become CMMC [crosstalk 00:48:32].
John Verry (48:31):
So we don’t want to bite the hand that feeds us.
Sanjeev Verma (48:33):
That’s the little politician in me that [crosstalk 00:48:38] But Zuckerberg, look-
John Verry (48:44):
I think the Winklevoss twins would agree with you. And we’ll close on that note that the Winklevoss twins would support your argument.
Sanjeev Verma (48:54):
Oh my God. You bring that up. I was on a board with Larry Summers, who was the president of Harvard. We were on the nonprofit board together in Boston. And I’m sure you heard the story of the Winklevoss twins going and complaining about Zuckerberg to Larry. And Larry never told me that, but I read it that he said, “Well, okay, come on, go invent something else now.”
John Verry (49:17):
All right. How can folks get in touch with you if they’re interested in PreVeil?
Sanjeev Verma (49:21):
Www.preveil.com. P-R-E-V-E-I-L.com. And or on the website, you can just contact sales or ask for a demo or reach out at [email protected] P-R-E-V-E-I-L.com. And I promise you our sales guys are looking at it as a relationship journey. So they are here to help you understand, provide you information, provide you guidance, and none of it is geared towards I need you to buy anything. You can learn and buy absolutely nothing, and that’s absolutely fine.
John Verry (50:06):
Cool. Well, thank you again, sir. Always good to catch up.
Sanjeev Verma (50:10):
Always a pleasure, John. And once this COVID thing’s over I’m looking forward to actually-
John Verry (50:15):
Yeah, listen, it might be the first time I get to drink a 20 year old wine.
Sanjeev Verma (50:20):
It’s all good.
Narrator (intro/outro) (50:23):
You’ve been listening to the VirtualCISOPodcast. As you probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected] And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.