Guest: Thomas Kwon
Bio:
Tom Kwon is an industry veteran and serial entrepreneur. Under his leadership, Tom has deployed over 700 sites and online applications, and has founded a number of successful ventures that improve online marketing, business operations, and various government initiatives.
With his first venture, DynaMind, he connected every school and library in the state of Connecticut to the Internet. At DMIND, he developed one of the industry’s first multilingual content management systems and eCommerce platforms. In his last venture-backed company, Altruik, Tom designed and architected the world’s first SEO production platform.
In parallel, Tom was assigned to a private sector task force conducting research and missions to improve perception and relations on anti-American sentiments, worldwide. Today, he is a task force member of the Under Advisement group at US Cyber Command.
The list of organizations Tom has served includes Akamai Technologies, AIG, American Express, American Greetings, BJ’s Wholesale Club, LG Electronics, TDK, The US Peace Corps, Mitsui, The White House, US Cyber Command and more. He was a finalist for Ernst and Young’s “Entrepreneur of the Year Award” in 2001 and recipient of the “50 Outstanding Asian Americans in Business Award” in 2005.
- Connected the School systems in CT to the Internet (Connect96)
- Consulted for the White House on development of the first White House Web Site (1997)
- Task Force Board member for Business for Diplomatic Action (US Government Intelligence Community)
- Create awareness about anti-American sentiments and accentuate the positive aspects of America
- https://www.sourcewatch.org/index.php/Business_for_Diplomatic_Action
- US Cyber Command, Task Force Zero Member
Summary:
In this episode of the Virtual CISO Podcast, host John Verry speaks with Thomas Kwon, CEO of FenixPyre, about the importance of file level security in data management. They discuss the differences between traditional perimeter security and file level security, the architecture of FenixPyre’s solution, and the significance of a zero-trust approach. The conversation also covers the challenges organizations face in adopting file level encryption, the role of secure sharing and compliance, and the importance of a bring your own key (BYOK) solution.
Additionally, they address the risks of malware and ransomware, and the future of file-level encryption in a rapidly evolving cybersecurity landscape.
Keywords:
file level security, data encryption, zero trust, cybersecurity, FenixPyre, secure sharing, compliance, BYOK, ransomware, data management
Takeaways:
- File level security is essential for protecting sensitive data.
- Traditional perimeter security is no longer sufficient.
- Zero trust architecture is integral to modern data security.
- FenixPyre offers a unique approach to file encryption.
- BYOK enhances security by allowing customers to control their keys.
- Secure sharing solutions are crucial for compliance.
- Organizations need to shift their mindset towards data-centric security.
- User experience is key in adopting new security solutions.
- File level encryption can prevent data breaches even if credentials are stolen.
- The future of cybersecurity lies in advanced encryption technologies.
John Verry (00:00.174)
And by the way, this will be fully edited if we need at some point to take a break or something of that nature, they’ll cut it all in. If you happen to screw up really bad on the answer and you’re like, can I roll that back? You can, but little mistakes are great because it makes it sound that conversation that we want it to. Right. Awesome. All right. Hey there and welcome to yet another episode of the Virtual CISO Podcast with you as always, John Verry, your host, and with me today, Thomas Kwon. Hey Thomas.
Thomas Kwon (00:13.919)
Sure, I’ll be as genuine as possible.
Thomas Kwon (00:28.543)
Hello there. Thank you so much for having me here.
John Verry (00:31.052)
Yeah, I’m looking forward to the conversation. Let’s start simple. Tell us a little bit about who you are and what is it that you do every day.
Thomas Kwon (00:38.773)
My name is Tom Kwon. I’m the CEO of FenixPyre. We’re a file centric data security company with headquarters in Ohio. Staff all around the country. That’s what I am right now. My previous experience, I cut my teeth, I guess my bones. Maybe you were there also, but in the dot com era when people were first building.
John Verry (01:05.678)
Do I look that old, Tom? Just… Wait a second. We’re like two minutes into the podcast and you’re insulting the host? I mean, did you just want to end the podcast now? I mean, I’m like 22 years old. I wasn’t born in the dot com era, Tom.
Thomas Kwon (01:08.789)
I apologize. It’s an honor. That’s hilarious. So that’s why I cut my teeth. My first project, I connected every school and library in Connecticut to the internet. The White House took a look at that. I sold that, ended up consulting for the White House, developing their first web infrastructure.
Along the way, I developed a multilingual CMS platform. Fast forward, served eight years supporting the intelligence community. I’m currently also an under advisement task force member for US Cyber Command, whatever that means. But yeah, I’m happy to be here, happy to share.
John Verry (01:57.932)
Yeah, I’m looking forward to the conversation. I always ask before we get down to business, what’s your drink of choice?
Thomas Kwon (02:04.613)
Well, maybe when we have that lunch next week. Recently, it’s been this gin called Empress, I-M-P-R-E-S-S. I’m not promoting it. Of course, it’s not healthy for the mind, but it’s a delicious, elderberry-infused gin.
John Verry (02:24.802)
I will pick up a bottle because my wife is, my wife is, my family, my wife and son are both gin drinkers. They tend towards the drier gins, the Hendrick’s, the Beefeaters and things of that nature. My son was recently in Iceland, I guess it was. He brought back this, I forget the name of it, it’s a purple, it’s a gin that changes color.
Thomas Kwon (02:32.958)
Okay.
Thomas Kwon (02:50.227)
Yeah, this is it. I mean,
John Verry (02:52.218)
Might have been the same one then or maybe the same branch, maybe not the same vendor. All right, so that’s fun. Yes, yeah, that’s hysterical that we’d end up like in such short order both drinking something. It was pretty cool.
Thomas Kwon (02:56.019)
Yeah, I’m not sure if it’s from Iceland, I just know that it changes color. Yeah. It turquoise, yellow. Yeah.
And it’s manual. It’s got an indigo hue to it, it’s not an adult drink.
John Verry (03:12.957)
Yes. All right. If I had more time, I’d run out to the liquor cabinet right now and take a look at it. I don’t think, I mean, people barely tolerate me at this point and any longer than necessary. It’s going to go that way. All right. So let’s get down to business here. You mentioned file level security. That’s what I’d like to chat about. And inherently file level security makes sense to me because, you know, risk is tied to information and the most common unit of information is a file, right? So if putting the lock, if you will, you know, on as discrete an element as is possible fundamentally makes sense to me. So I’m excited to have this conversation and find out if I’m as smart as I think I am. So tell me what is file security and how is it different from historically more traditional perimeter network device based security models.
Thomas Kwon (04:16.018)
Yeah. So that umbrella, I guess it’s called the elephant in the room, DLP, data loss prevention. Traditional security is based on thicker doors, bigger locks, access and control. Who gets access to what data? And it’s pretty simple if you think about it. And all the vendors with their amazing marketing teams all say, we lock down your sensitive files. We lock down your files.
That’s traditional perimeter-based security. It’s akin to having a big castle, moats, drawbridges, and even guards. But if somebody gets inside your castle, you’re a trusted visitor or member, and you have access to everything that’s in that castle. In this case, a file folder, a network shared drive, or folders in the cloud.
And organizations like law firms have to legally hold on to case files for seven plus years, right? Five to seven years by law. And over time, that’s grown to be very large. I’m talking in the tunes of 450 terabytes of very sensitive data. The only thing protecting it is basically access and control in perimeter-based security. What we do is we bring security right down to the folder, down to the file level.
And our IP is a very dynamic and advanced key management solution that provides a new key, a new master key for every single file that’s either edited or opened and or closed. So we keep the files encrypted at rest, whether it’s on your premises, in the cloud, on your phone, in transit, secure sharing when you’re emailing it, and then even while in use.
That’s a huge difference between file level security and perimeter based security, right? Perimeter is you just have big doors. File level is even if somebody has valid credentials and that’s how these breaches happen, by the way, it’s stolen credentials. They get inside your network. They go into your LDAP directory and they’re accessing your files. So what we do is even if that happened, those files, you know, the theft is just basically ciphertext.
John Verry (06:42.282)
Yeah, a couple of things you said that were interesting. No, no, that was good. A couple of things you said that were very interesting. So in a weird way, many breaches are authorized, unauthorized access, right? Which is, which I’ve never really quite thought of exactly that way. That’s pretty cool. The other thing, was interesting. Yeah, you can’t, I just 10% tithing for any, any money you make off of it. Yeah. And then the second thing is that I thought was interesting is.
Thomas Kwon (06:43.635)
I was long-winded.
Thomas Kwon (06:54.612)
Yeah.
Thomas Kwon (06:59.603)
I’m gonna use that. I can, is that alright?
Thomas Kwon (07:05.955)
No problem.
John Verry (07:11.372)
The way you talked about the difference is the way you hear zero trust talked about. So do you perceive file-based security as being either integral to or consistent with a zero trust architecture?
Thomas Kwon (07:16.713)
Yeah.
Thomas Kwon (07:26.655)
Yeah, absolutely. I mean, our entire architecture at the core is zero trust. So we have a set of master keys, but the customers bring their own hardware security module with their own set of keys. So we don’t have access to any of our customers’ data. Only they have access to it. We have a rollout or de-rollout button as well so that you can very easily decrypt the files in scale.
John Verry (07:38.924)
Okay, so.
Thomas Kwon (07:54.037)
And the only thing that we actually store is a 64 kilobyte alphanumeric identifier for each of those files. So we’re not storing your files. So our cost to doing business is a lot lower than some of the bigger older guys.
John Verry (08:07.03)
Okay. All right. So, so let’s take a step back for a second because you are talking about some of the benefits and explaining some of the things in a way, understanding the overall architecture of the solution probably would be beneficial to someone listening. So, so at a, at a 10,000 foot level, right, just explain the, the architecture so that someone who’s listening can kind of put these pieces together.
Thomas Kwon (08:34.047)
Sure, sure. It’s a SaaS-based platform. It’s multi-redundant, kind of akin to the internet. So if one deployment goes down, another takes over. That’s to start. It’s SaaS-based. We have a very advanced rules and policy engine that integrates directly into identity access management, whether it’s Okta or Active Directory.
And our encryption is AES 256, military grade 140-2 modules. And we encrypt every single file in scale. And what we also do is we generate a master key for every single one of those files. And we scale into the billions. And so when that file is sitting inside your network shared drive or on your hard drive, on your computer, your laptop, or in the cloud, we’re able to secure those files where they sit and even wherever they travel to.
So I think the magic with FenixPyre is that we don’t just for the end user, it’s you’re opening the files, interacting with the files with your native application. Whatever those files are, we’re agnostic. We have, you know, CAD files, heavy duty CAD files. We have, you know, voice recordings from a hotel that’s taking customer data on the phone and get off the phone, it encrypts the data. Our security travels wherever they are and wherever they reside without storing those files.
John Verry (10:09.302)
Okay, so if I was going to oversimplify this, right, someone provisions themselves on your platform, a, transparently to me based on my
Thomas Kwon (10:12.105)
Yeah.
John Verry (10:22.478)
having access to said files, those files are going to end up encrypted, strongly encrypted. That encryption stays with the file, right? If I try to open the file, it’s transparent to me. What happens, I go to open the file, the file doesn’t look up, effectively up to, to validate that I, that I have access to it, decrypts it, displays it for me. If I sent it to a friend, right, that friend would not be able to open it unless I set some type of permission that would authenticate them at that point in time.
Thomas Kwon (10:51.285)
Correct, yes.
John Verry (10:52.056)
So someone could steal my file, there’s really no way. And I could act, and at any point, I’m assuming I have, I’m controlling that access. I could give you access for a day or a week, or I could automatically, I could have documents that automatically, effectively, they don’t destruct, but they become impossible to open without quantum cryptography or some amazing tool. So fundamentally, that’s the idea, right? Okay.
Thomas Kwon (10:56.821)
You keep your file.
Thomas Kwon (11:19.561)
Yes, that’s exactly correct. Thank you. Yeah.
John Verry (11:21.474)
That’s pretty cool. That’s pretty cool. So in light of the fact that that’s like fundamentally makes just a lot of sense. Why is it not more common? Why, you know, why are there not more people doing this with
I’m sure there’s competitors in your space, right? Why are more organizations not yet leveraging file level encryption? Because it would seem to me that that doesn’t sound very complex and it doesn’t sound very expensive, right? Because like you said, you’re just maintaining either a directory or access to a directory and a set of permissions and a key that’s unique to each file. So it’s not a massive amount of data in the cloud, right?
Thomas Kwon (12:03.153)
That’s really good question. Many factors to it. I think one of them is, we’re not a rip and replace, right? We’re not in there to tell all these CIOs and amazing CISOs that what they’ve been doing for the past five years is incorrect. We’re there to say, hey, we can help augment and we could prevent data theft. And so why haven’t they?
done this, the traditional perimeter security is there, it’s embedded, you know, the big guys are selling that that’s not going to go away. The ones that are fastly becoming our customers and the ones that reach into us are the ones that have either been breached or they have a major security concern regarding their sensitive IP in their organization, right? Beyond what is known for DLP, right? So it’s honesty, right?
And then the other is there’s this change of mindset that has to occur in our sales cycle where people are confusing us with disk encryption versus file level encryption. And there’s a myriad of things that coupled with the fact that about five years ago, other companies have created file level encryption, but it’s left a bad taste because the user experience is very arduous, right? You’re using a separate tool to open the files, decrypt the files, edit the files and then you have to re-encrypt the files and then send it. Sometimes all that activity at the kernel level in the systems creates crashes also.
I think those are all some of the factors that are there, but I think we’re onto something. I think file level security is the future. The intelligence community had a call to arms May of 24, just last year, calling all the agencies for data-centric security module, you know, model, away from the network paradigm. So that shift is happening. The adversaries, the bad actors, whether you’re state backed or not, they’re, you know, they’re, they have way more advanced tools now, right? Like, as you know, AI based polymorphic, malware, right? You know, malware coming in, literally having a brush behind their footsteps, you know, erasing all the traces.
Thomas Kwon (14:29.289)
and then couple that with AI and they’re all coming after data, right? So I think it’s inevitable for this to, this shift to happen. I hope this podcast creates that shift or creates a catalyst. Yeah, yeah. Yeah, absolutely. So.
John Verry (14:42.636)
Well, I mean, as you mentioned to me, you thought this was right below Joe Rogan in terms of popularity and audience. I mean, if he can get Trump elected, I can certainly drive file-level encryption forward. So it would seem to me that another… Look, everyone wants to keep their data secure and no one wants their data stolen and then no one wants to be exploitation-ware, right? Like, hey, we’re going to leak the data, right? So this solves that problem.
But I think the other use case to me, which we’re increasingly seeing, is how do we securely share data? As we become more and more interconnected, our data is going in lots of different places. And if you look at certain use cases, like law firms need to share their work product with their clients, but yet have a requirement, and even some level of obligation, of protecting that data adequately to the boundary. Even if the data gets stolen outside of their boundary, if it was the data they were working with them with, there’s a dissatisfaction with the end client, right?
You know, you’ve got CMMC, right? You know, like how do we share, you know, CUI in a way which is going to be compliant with the CMMC and this 8171 regulations. You know, even stupid stuff like, and I see it all the time with like my CPA firm and sharing files, right? Like how do you share files securely with your customers as a large CPA firm?
Thomas Kwon (15:43.081)
Yeah. Yeah.
John Verry (16:06.446)
It would seem to me like this solves a lot of these problems,
Thomas Kwon (16:06.559)
Yeah, I’m going to really, yeah, yeah. You know, I got to tell you, and I’m not just blowing smoke, but I’m going to really enjoy working with you. Secure sharing is a big deal. The proliferation of the migration of content to the cloud en masse and also remote work environments, you know, coffee shops, your car, whatever. It’s only increased the threat landscape, right? The attack surface.
With us, we ensure that wherever that data goes, it’s locked down. And no matter where it is, whether you’re working from home or you have your files that you’re actively editing on the cloud, it’s really simple. It’s just pure file level security locked down.
And we even have, even if you’re local, document is opened, right? And if the administrator takes access off of you, those files will automatically close within about seven to eight seconds. So there’s no way of actually copying file.
John Verry (17:21.304)
So it’s actually got some kind of periodicity by which it’s, that’s interesting.
Thomas Kwon (17:24.489)
Yeah, we call it the data heartbeat, but that’s a marketing term.
John Verry (17:28.77)
Very cool. So in full disclosure, you heard Tom mention this, I was recently introduced to Tom and his team through another person at CBIZ, which is where I work.
And we’re working with them on a project with a large law firm. So that’s how I got introduced to Tom. I had a preliminary meeting with them a couple of weeks ago. I was like, okay, we really need to figure this stuff out because I think it’s got a lot of applicability because we do a lot of work in law firms. I think it’s a good solution for law firms personally. So the other thing which I think is important from our conversation that I understood, and maybe you can talk about the significance of it is it is a BYOK, and bring your own key solution.
Thomas Kwon (17:58.831)
Awesome. Thank you.
Thomas Kwon (18:10.101)
Mm-hmm.
Thomas Kwon (18:13.471)
Yes, sir.
John Verry (18:14.246)
Why is that so important for people to understand?
Thomas Kwon (18:18.041)
Okay.
If I had all the keys for all the customers in one environment, also known as a tenant, it would be a multi-tenant environment with all the master keys for the billions of documents that we’re securing. That would be a one-stop shop for a hacker to come in and just exfiltrate, which would also be difficult anyway. But for every single organization, any midsize company has their own hardware security module, as you know, John. And it’s…
Our deployment dashboard is super automated. The deployment of our product is super easy. And they actually integrate their hardware security module right off of a dashboard. And by doing that, it’s completely zero trust. Only the customer and the policies that they’ve set inside their identity access management, only those people will have the rights to view and or edit those documents.
John Verry (19:21.944)
Real quick for anyone that’s not familiar with an HSM or hardware storage module. If you look up a company like nCipher or Chrysalis or somebody of that nature, they produce a hardware-based enclosure, a device in which your private keys, which are you, so the private key needs to be the most protected thing in the world, that private key actually lives inside of that hardware device and is…
I would argue is inaccessible to anybody that is not authorized to get to that key. So super strong protection for the key. If I recall correctly, you guys are using the in-place communication where you can actually embed code into the, what they call a secure execution environment, I think is the term that they use. So what’s actually happening is you’re doing that decryption, but the key is never being exposed, right? It stays within the HSM, which means that there’s really no way for somebody to get to that key.
Thomas Kwon (20:06.677)
Yep.
John Verry (20:19.76)
good HSM, you can deploy what they call N of M administrative schemes, where you need to have two or three or three or five administrators, sort of like the way the nuclear bombs work, right? You have to have multiple people working in concert to actually access or change a key, correct? Yeah, so that’s pretty cool.
Thomas Kwon (20:38.165)
Gosh, you’re like literally an encyclopedia.
John Verry (20:41.998)
I know a little bit about HSMs because that was like when Pivot Point Security was originally started, our first major project was in a HSM supporting email for a major university. So I ended up doing a lot of work with nCipher back in those days. Really cool stuff what they can do. The other thing which I think is the other benefit that you didn’t mention is the fact that
Thomas Kwon (20:48.842)
Mm.
Thomas Kwon (20:56.317)
God. Okay. Wow, wow. Very cool. Yeah. Yeah.
John Verry (21:08.65)
If you had the key, you’d have the ability to read the files. I mean, so it’s actually a win for you and a win for them because you have no exposure, right? As long as they protect their key, you have a key and without the other key, you can’t do anything.
Thomas Kwon (21:25.461)
Yeah, and that lends itself into compliance as well, right? Because we not only secure the data, but we also meet the compliance criteria. You mentioned CMMC prior with CUI data. We have a secure sharing solution for CMMC that’s pretty popular. The company cut its teeth on that with manufacturing customers.
John Verry (21:51.95)
So when you say secure sharing, that the idea of effectively that you’re creating a CUI enclave and then the third party can reach into the CUI enclave, can see the data, but can’t download it, can’t access it. And what that does is that solves a problem that a lot of, second tier, second tier CUI, CMMC, need to being CMMC compliant people is they need to flow down that requirement, right? Under the DFARS 252.204-7012 clause. Yep.
Thomas Kwon (22:26.357)
Correct. CMMC also, there are also law firms that are doing big bank audits. You know, I’m not gonna say who, but there are law firms and accounting, big accounting firms, because they don’t trust the traditional data rooms anymore, right? Because you could download documents, you could create copies, you could send it everywhere. So they’ve been doing Zoom.
John Verry (22:36.301)
Yep.
Thomas Kwon (22:55.963)
you know, screen sharing, you know, six hours at a time, you know, that’s, but we cut through all that because essentially the chain of custody, the originator will always have the ownership of that document. You’re essentially leasing the files. If when you’re sharing, you could put a time expiration on it. You could individualize it with, with people. And then they would have to be validated and then they could get access to those documents.
John Verry (23:26.84)
So tip.
So here’s a question for you.
One of the things which we try to do with enclaving is we try to keep that data, like a lot of times they’re like the VDI type interface, right? Where someone can see something, they can’t screen cap it, they can’t copy it, but in theory they can take a camera, a camera would be the only way that they’d be able to capture that.
Can you accomplish the same thing or if, so as an example, if I have a file that’s encrypted with your solution and I give you access to it, okay, when you open that file, it goes and looks you up and says, yeah, you know, Tom has been authorized to access this file. When you’re inside of that file, do you have the ability to copy from it or do you have the ability to screenshot it? Like, do you have?
Thomas Kwon (24:17.119)
That’s up to the originator. You can let the individual even download it, but it gives you a receipt that says, here’s the chain of custody. It was downloaded at this time at this location to this individual. We don’t recommend that. If you say view only, they cannot make any edits to that doc.
John Verry (24:25.902)
Mm-hmm.
John Verry (24:36.686)
Okay, and it wouldn’t be able to copy or paste out of, you know, copy or paste it. Okay, I got you. But to be clear, right, this isn’t a case of the well, so there’s two use cases here. So let’s make sure I’m not screwing them up. Of course, or no one can stop somebody from taking their iPhone out of their pocket and doing it. Okay.
Thomas Kwon (24:39.925)
All right, yeah, those functions don’t work on the keyboard.
Thomas Kwon (24:49.237)
I mean, you could hand copy it, write it down or.
Right, right, right. But we do prevent mass exfiltration, right? We prevent malware from going in and taking volumes of data.
John Verry (25:04.768)
Okay, and then talking about malware, right? So you solve a problem with unstructured data, right? Really structured data is still encryption or restriction needs to be done through the database tools, not through your tool, correct? Okay, good. All right, and then.
Thomas Kwon (25:16.809)
Yep. That’s.
Thomas Kwon (25:21.629)
Right. And we have, we have APIs, you know, framework developed for that. It’s on our roadmap, specifically towards, you know, electronic health records. And that’s a, that’s a different ball of wax, but in a nutshell, what if we were able to intercept the queries coming directly out of the fields and encrypt that. Right. You know, I’ll just see on that, that aspect.
John Verry (25:28.803)
Really?
John Verry (25:48.706)
Hmm. That’s interesting. Okay. I’ll look forward to having that conversation when you’re ready to have it. And then, and I’m assuming that this wouldn’t protect against ransomware, right? Because if somebody released ransomware,
Thomas Kwon (25:54.91)
Yes, sir.
Thomas Kwon (26:08.435)
We’ve been called we’re like the white hat version of ransomware. were basically, they’re not.
John Verry (26:13.23)
No, I know that. what I’m wondering about though is that, so let’s say I’ve got a file share, old school file share, you know, with all of my files encrypted using your tool, right, using file level encryption. If malware began to propagate to that drive, it would be able to encrypt those files on top of the encryption and then I would no longer have access to them, Okay, okay. All right, just trying to understand like the field of use and what it protects and what it doesn’t protect against.
Thomas Kwon (26:35.849)
That would be correct, yeah. That would be correct. Yeah. Yeah, that would be correct. But what they could do is roll back and get the original data. That would typically happen. But if they’re ransoming the data itself, they wouldn’t have any. The data is ciphertext.
John Verry (26:45.998)
Mm hmm. If they had if they had a backup, right?
John Verry (26:54.998)
Right, so the bad news is that it’s an availability risk still, but it’s no longer a confidentiality risk.
Thomas Kwon (27:02.741)
Correct. mean, our saying internally, we say, you you could have a system breach, but you can’t have a data breach. And some of our clients have echoed multiple times that the reason they like what we have is because even if they had a breach, they don’t have to report it because they essentially didn’t have a data breach, you know? So…
John Verry (27:11.49)
Very cool.
John Verry (27:24.418)
Gotcha. there, yeah, but we still have the risk. I’m assuming that the one risk which we can’t really can’t manage as well is if somebody steals my credentials, right? So, you know, cause you know, there’s no, there’s no second factor authentication. I mean, you could, you could have an opt or, or, or authenticator or whatever Microsoft, but, technically if somebody becomes me, then they’re going to, they’re going to have my permissions to the files even other.
Thomas Kwon (27:35.144)
Right.
Thomas Kwon (27:52.737)
Not with FenixPyre. If somebody gets in with valid credentials, they would not be able to open those files. Because it’s the individual files are encrypted themselves. So, I mean, technically, yes, for a set period of time, but it won’t be.
John Verry (27:58.414)
Mm-hmm.
John Verry (28:04.119)
Why?
John Verry (28:10.83)
Mm-hmm.
John Verry (28:17.358)
Yeah, it would be until somebody recognized it and says, hey, let’s shut those off. So even if that person accessed the file or took that file and went somewhere with it, the minute that we determine, so that would be kind of cool. Like part of our incident response process would have to be updated to address that.
Thomas Kwon (28:19.571)
Right. Correct.
Thomas Kwon (28:25.289)
Yeah.
Thomas Kwon (28:34.387)
Yeah, you know, I’m very keen on identity access management solutions because I think that’s another area that needs disruption. You know, there’s an interesting company, Beyond Identity. Mine runs that, you know, they do it based on device and all the vectors from those devices, not.
John Verry (28:38.616)
Mm-hmm.
Yes.
John Verry (28:45.102)
Mm-hmm.
John Verry (28:52.866)
Yeah, would add, you know, that to, bounce you like I had on, really, smart woman by the name of Anna Pobletts. She’s at 1Password. And she was a guru in passkeys before they bought her company, but that’s another thing, which I’m a little like,
Thomas Kwon (29:01.619)
Hmm. Okay.
Hmm. Wow.
John Verry (29:09.986)
Like sometimes stuff just makes too much sense. I sit here and I wonder why, why are we not like file level encryption just makes sense to me, right. And the other thing that I, that makes complete sense to me is passkeys. And I, and I’m just, you know, like if you took passkeys and combine them with your solution, like, I mean, that even someone who, who, you know, that there is no credential to steal. Right. I mean, I mean, like, I mean, the likelihood of you having a
Thomas Kwon (29:15.369)
Good. Yeah.
Thomas Kwon (29:32.627)
Right, right.
John Verry (29:38.602)
security incident of significance combining those two technologies seems to me to be pretty damn low.
Thomas Kwon (29:45.365)
Yeah. And we have the ability to do that. And having dinner with the CEO of Beyond Identity next month. Yeah. Maybe you should join us. Yeah. Yeah. I’ll send that link over. Free promo for Beyond Identity. Yo, me one, Jason. Anyway.
John Verry (29:51.51)
Of who? Beata Deme? Okay, are they big into like passkeys?
John Verry (30:00.522)
Yep.
John Verry (30:03.918)
Yeah, I mean, I think he’d appreciate a Joe Rogan reference more than a John Verry reference, but I guess he’s going to have to settle for the John Verry reference. So I think we beat this up pretty good. Anything else you’d like to point out?
Thomas Kwon (30:10.374)
Hahaha!
In our space, you are the Joe Rogan of the IQ World here.
Thomas Kwon (30:26.197)
I mean, the rollout for our solution is you don’t have to turn the organization upside down. You don’t have to classify and label data and ask your employees to do the same. It’s really simple. Most organizations know where their sensitive data resides. They sign up with us. They onboard via a dashboard.
Connect identity access management. All those rules apply directly to any of the files that they apply their security to. And it’s really simple and you just activate it.
John Verry (31:03.758)
Is there a cost per file? Like, so it’s an, you know, like, look, we all know that there are certain documents that are, say that again?
Thomas Kwon (31:10.581)
Very good question. We’re doing this. We’re for-profit company. Yeah. Yeah, we are a for-profit company. So I’ll highlight this. Compared to anyone in our field, we don’t store the files, right? So we don’t have to pay anyone for storing the files. So that makes it cost effective. We have a revenue model that’s based on volume of encryption. We charge as low as 10 to five cents per gigabyte.
sometimes even lower depending on the volume. And the average environment that we’re protecting is about 350, I would say, terabytes. So it’s five cents per gigabyte. And then we also put a ceiling on it. So it’s not a creeping AWS type of faucet.
John Verry (31:58.798)
Yeah, I was trying to figure out the reason why I was asking that was, you know, did they, there, do we intentionally only encrypt certain files, right? Like, so general purpose business files, like if you’re, like it would seem to me like in a perfect world that wouldn’t get to a point where like, oh, the minute that we get into, let’s encrypt this, let’s not encrypt this is the, is where we, where we introduce risk based on, okay.
Thomas Kwon (32:10.483)
No, you know, we start…
Thomas Kwon (32:20.437)
Yeah, that’s yeah. We do it by departments. We do it by departments. We start initially with the finance department, then we roll and take on. Yeah. And the new firms have a certain network shared drive. They even have, you know, servers on the floor in manufacturing that DLP can’t go into. So we, you know, we protect the files wherever they sit. It’s unique for every company.
John Verry (32:29.518)
Human resources, Anything around intellectual property, Right.
John Verry (32:41.518)
Mm-hmm.
John Verry (32:49.838)
Okay, interesting, interesting. Sorry, sorry.
Thomas Kwon (32:53.993)
That’s pretty much it. It’s easy to deploy. It’s low cost. It’s volume of encryption plus user seats.
John Verry (33:01.57)
Yeah, I I would I would. I’d like to see like how this works for us, because so we have that. But we have the same challenge everybody else does right? Yeah, specifically our group is ISO 27001 certified and we go to like insane like so not only we you know in like we keep files on Microsoft SharePoint.
But what we do is we actually encrypt files with a client unique. Each client has a unique password that we have to manage. And we have a client unique password and we encrypt all those files before they go up on the SharePoint. So that way Microsoft’s compromised, you can’t get to it. And even we live in the bigger CBIZ family. CBIZ Pivot Point Security is the only people that know those passwords. And we even restrict through security groups that even access outside of our group within the 11,000 person company that we’re part of.
But it’s a pain in the royal butt and it’s hard to enforce. It creates challenges with sharing files with clients. They lose the passwords, things of that nature.
Thomas Kwon (34:06.697)
Yeah, those are our ideal customers. Those are the ones that have used it and they come to us because they’re like tired of getting all the help there’s.
John Verry (34:14.67)
So it would seem like, let me ask you, so again, now we have this workflow where files gotta get up into SharePoint, work product has to be in a particular folder because we don’t want the client to have access to work product before it’s actually ready. Then it’s gotta move from there to the deliverables folder. Then the client’s gotta be notified that their things are ready for delivery, et cetera, et cetera, right? And it works, but it’s kind of a pain in butt. It would seem to me at this point,
Thomas Kwon (34:32.073)
Yeah. Yeah.
Sure. And even for an IT professional, it’s a pain in the butt.
John Verry (34:40.162)
Yes, so it seemed to me with a product of this nature, right, file level encryption, whether yours or somebody else, if they do a good job, right, it would be the kind of thing where we’d be able to, you could send it via email, because that’s no longer a risk,
Thomas Kwon (34:51.175)
And I’m going to know what I’m going to do after this or this week or early next week. I’m going to give you a lab environment so you could, you know, have a go at it. And it would be an honor if CBIZ took that on. It would be awesome.
John Verry (34:57.614)
Cool. All right. That’d be fun. That’d be fun.
John Verry (35:06.99)
Cool. We missed anything else,
Thomas Kwon (35:10.215)
No, it’s been amazing. Thank you so much. It’s been an honor being here with you.
John Verry (35:13.558)
Same? No, I appreciate it, man. I appreciate it. If folks wanted to get, find out more about FenixPyre and file level encryption and some of the stuff that you guys are working on, how would they get in touch with you? Were the right people on your team?
Thomas Kwon (35:26.217)
Yes, go to fenixpyre.com. F-E-N-I-X-P-Y-R-E.com. My email is very simple, tomtom at fenixpyre.com.
John Verry (35:38.984)
That’s the privilege. That’s the benefit of being the CEO, right? can have it.
Thomas Kwon (35:41.781)
You just have one. I don’t know if CEOs, you know, was joking around my daughter because I’m like, you know, there’s two types of CEOs. There’s the chief executive officer and then there’s the chief entertainment officer. That is the latter.
John Verry (35:54.798)
Well, I listen based on this podcast, I’m going to hope that you’re the first. All right. So I actually did have one last question. Stupid question. FenixPyre. It’s a weird name. What does it mean?
Thomas Kwon (36:10.005)
All right, so there’s a few things to it. It’s a play on Phoenix. Yeah, so it’s a mythical firebird coming out of the ashes. Personally, I came up with that name because I got a divorce seven years ago. And at some point I’m like, I thought of myself as a phoenix coming out of the ashes. I’m flourishing in the air now, happy financially, emotionally.
John Verry (36:14.958)
I know what a pyre is and I know where a phoenix is. Is it literally a phoenix?
Yep.
John Verry (36:31.924)
Hahaha
Thomas Kwon (36:38.655)
a little bit lonely at times, that loneliness comes with running this company.
John Verry (36:44.334)
Isn’t a pyre like a fire? isn’t a pyre like… It’s ashes? Okay, I knew it had something to do with flame and fire. Yeah, alright.
Thomas Kwon (36:47.573)
Ash, I think it’s ashes. It’s old English language. And then on top of that, I’m a little bit of a Dungeons and Dragons freak, you know, from back in the day. And it kind of is a cool, you know, name. If you look at any of the bad actors names, it’s like Tarantula, Oculi, you know, we look like and smell like, you know, a bad actor, but we’re the good guys. We’re to prevent the bad guys from getting in. Thanks so much. You got it, man. Later.
John Verry (36:59.096)
Mm-hmm.
John Verry (37:11.438)
All right, man, this has been fun. Thank you again.