If your company works with the DoD…
You might be worried about CMMC compliance.
But it doesn’t have to be hard or expensive.
In this episode, I caught up with Sanjeev Verma, Co-Founder at PreVeil, a company offering one solution for CMMC’s requirement for encryption of email and file sharing that can save you money and hassle, while giving you unparalleled security.
What we talked about:
- The stakes of migrating from O365 Enterprise to O365 GCC High
- How a simple end-to-end encryption solution can save you big
- How to be as secure as the U.S. nuclear arsenal
- Why we are all active combatants in a new kind of war
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective, you may find some small discrepancies between the written content and the native audio file.
You’re listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice, and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry (00:00:26):
Hey there, and welcome to another episode of the Virtual CISO Podcast. As always, I’m your host, John Verry, and with me, unfortunately, as always, like Garfunkel said of Simon, Jeremy Sporn. Hey, Jeremy.
Jeremy Sporn (00:00:38):
So if I’m Art Garfunkel, and you’re Paul Simon, does that mean we’re going to get really famous together, and then you’ll just ditch me to do your own thing? Is that the plan?
John Verry (00:00:48):
I think we did it backwards. I think I was famous, and brought you on board afterwards. So, either way. So, by this point, you should have had an opportunity to listen to what I thought was an awesome conversation with Sanjeev.
Jeremy Sporn (00:01:03):
Absolutely. He is the first self-proclaimed serial entrepreneur I have ever heard, that cares more about the products he creates than the money he will make, and he made a damn good product. And I mean that in an extremely complimentary way. He just really cares about how PreVeil is helping customers stay secure, and bring legitimate good into the world.
John Verry (00:01:27):
Yeah, it’s interesting, because they had developed this product, and I think the CMMC use case came up, and it’s just absolutely perfect, right? I mean, this is really a potential game changer for a lot of the companies that are going to need to conform with CMMC.
John Verry (00:01:40):
I know this podcast has a lot of CMMC feel, because it’s an important issue at this point in time. But really, anyone that needs to ensure that emails, and files that are critical, and need to be shared or kept in a highly secure fashion, should really have an interest in this. For example, if you’re a law firm, this product is a really interesting one.
Jeremy Sporn (00:02:03):
Agreed, and the coolest part about Sanjeev’s, and PreVeil’s story is they set out to just make a great end-to-end encryption email, and file sharing product, which they did. But that journey led them head on with the CMMC, completely by accident. It’s wild how the world pushes you in places you just don’t expect.
John Verry (00:02:23):
Yeah, and I think smart people, “Make their own luck.” So, which basically means it isn’t luck. So, anything else folks should know before we jump to the episode?
Jeremy Sporn (00:02:34):
Yeah, anyone in the CMMC space who is concerned about the control requirements around email, and file sharing, you’ll find this immensely helpful. Although Sanjeev hopes anyone and everyone leverages PreVeil to have CMMC compliant email, and file sharing systems, he does such an amazing job of just educating on why this is important, and how business and technology leaders in the defense industrial base can address this challenge. Plus, you really need to hear who he thinks would make a terrible CISO. Just a must listen.
John Verry (00:03:07):
Now I’m trying to remember who he said. I start to forget them after a while. All right. Now I want to listen to the interview, and I barely ever listen my own podcast. So, with that, let’s get to the show. Thanks Jeremy. Sanjeev, how are you today?
Sanjeev Verma (00:03:27):
I am good. And you, John?
John Verry (00:03:29):
Good. Good to catch up.
Sanjeev Verma (00:03:31):
John Verry (00:03:33):
I am too. CMMC is definitely on my list of favorite subjects at the moment, which is why you’re here. So, let’s start easy. Oh, is that a plane?
Sanjeev Verma (00:03:43):
That’s a plane. I happen to live near Hanscom Field, a big airbase, and occasionally people are learning how to fly these days, because they’ve got time to kill. So, occasionally you’ll hear a little plane.
John Verry (00:03:59):
All right, where is Hanscom?
Sanjeev Verma (00:04:01):
Hanscom is in the Boston area, that’s where I live.
John Verry (00:04:05):
Okay, cool. I’m praying that you’re not a Boston Red Sox, or a New England Patriots fan. And if you are, please don’t tell me until after the podcast is over.
Sanjeev Verma (00:04:15):
Consider yourself warned, I am both.
John Verry (00:04:18):
I told you not to tell me that. It’s not going to be a good podcast now. So, I like to start easy. Tell us a little bit about who you are, and what you do.
Sanjeev Verma (00:04:30):
So, my name is Sanjeev. I’m a serial entrepreneur, about the only thing where you can add the word serial in somewhat of a respectable way. I’m based out of Boston. I’m chairman and co-founder of a cybersecurity company called PreVeil, borne out of MIT, and we build end-to-end encrypted email, and file sharing systems that happen to be a great fit for CMMC compliance.
John Verry (00:04:54):
Cool. Yeah. And full disclosure, that’s why you’re here. You had reached out to me, we had taken a look at this and said, “This is something that anyone who is potentially pursuing CMMC should be aware of.” In addition to some of the other good alternatives from an email perspective. Before we get down to business, we have a tradition, we always ask people, get to know you a little bit. What’s your drink of choice?
Sanjeev Verma (00:05:16):
Well, it’s summer right now. So, my drink of choice is white, crisp, French Burgundy. Reminds me of wonderful trips that I’ve had there. And particularly, I like Batard Montrachet. So that’s my favorite drink at this time.
John Verry (00:05:33):
What is that Burgundy that you’re talking about?
Sanjeev Verma (00:05:36):
It’s a French Burgundy. If you like white wine, it is sublime. So, in Burgundy, they make red Burgundies, obviously. But the white Burgundies are absolutely exquisite. And those of your listeners who love French wines will know that the areas of Puligny-Montrachet, Montrachet, are the areas where the best wines come from. And Batard Montrachet is between Montrachet, and actually Batard, I’m told in French means a bastard. It’s the area in between, but they are exquisite white wines, and so dear to my heart.
John Verry (00:06:19):
Okay, so you’re going to have to send me a link to one of those, and we’ll put it in the podcast as well. And from a French wine… I like Italians. On the French side, the only French that I regularly drink is a Macon-Villages Chardonnay, which is quite good. But what happened was that used to be our go to, and then we got into Russian River Valley Chardonnays, out of Sonoma, and fell in love with those, and that’s our current drink. And my wife has a glass of wine most nights, white wine, and that’s what she drinks. So Russian River Valley Chardonnay.
Sanjeev Verma (00:06:51):
Yeah, I’m an equal fan of the Russian River Valley. And so there’s a couple of vineyards out in the valley, winemakers that are particular favorites of mine. One is Kistler, and the other is Rochioli.
John Verry (00:07:09):
I’ll have to look those up.
Sanjeev Verma (00:07:10):
John Verry (00:07:13):
I’m a member of the… White Oak, is one that we like.
Sanjeev Verma (00:07:16):
John Verry (00:07:16):
Very, very small, family owned. We’ve been a member there for a while. And then Sonoma-Cutrer.
Sanjeev Verma (00:07:24):
John Verry (00:07:24):
They do a nice job, and it’s a relatively reasonably priced one.
Sanjeev Verma (00:07:28):
When we get together-
John Verry (00:07:29):
Sanjeev Verma (00:07:31):
Yeah. When we get together sometime, I’ll introduce you to a Kistler, or a Rochioli.
John Verry (00:07:38):
Sanjeev Verma (00:07:38):
[inaudible 00:07:38] I’m on their lists, and they are sublime. So, you’ll try it out sometime.
John Verry (00:07:44):
You’ve got a deal. Okay, so let’s get down to business here.
Sanjeev Verma (00:07:47):
John Verry (00:07:48):
So, when you talk about email, and we talk about file storage, relating to CUI, controlled unclassified information, and/or FCI, for that matter, federal contract information, that is beholden to NIST SP800-171, and/or CMMC level three, what are the requirements that apply to your email, or files in terms of security?
Sanjeev Verma (00:08:15):
So the first thing is that if you just sort of step back, you, being quite familiar with, I think, NIST 800-171, and CMMC basically takes all of the NIST 800-171 requirements, and augments them, with I think another 20 odd, and the totality of those basically constitute what CMMC is.
Sanjeev Verma (00:08:40):
And so, in essence, these requirements mandate you to have information encrypted as much as possible, stored in appropriate facilities, accessible for forensics. But, from a practical perspective, what it means for CMMC is that two of the sort of go to systems that people have in the cloud, which are, you O365, and often G Suite, both are ineligible systems.
Sanjeev Verma (00:09:14):
Microsoft has a version of O365 that it calls GCC High. That’s a system that is allowed for CMMC. But, the first thing that you have to recognize is that the go to systems aren’t valid. You can also parse the requirements one by one. And for those of your clients that deal with on-premise systems, they can sort of go step by step, and ensure that all of the data encryption, the data storage, the data hygiene, the data forensics requirements are met. And they can be. It’s a lot of work, but you can do so with an on-prem solution. But I think I would start by just articulating that both for email, and file sharing. What’s most important is what you can’t use. And O365 and Gmail are out. So, let’s start with that.
John Verry (00:10:18):
All right. So, I think you said, if I am running my own exchange server, that if I’m reasonably sophisticated, and I’ve got a pretty decent IT infosec team, that I should be able to make that “compliant,” correct?
Sanjeev Verma (00:10:34):
Yes. There’s a bunch of work. You’ll have to do a lot of configurations to ensure there’s a proper level of encryption, that you’re using appropriate certificates, et cetera, but you’re absolutely right, that you can, with a sophisticated infosec team, and perhaps also support from folks like yourselves. The combination of your inputs, and a sophisticated team, together can go make such a system work on premise.
John Verry (00:11:06):
Gotcha. But if we look at the, you hear numbers of somewhere between 315, and 350,000 members, the DIB, and I’ve actually heard some people say that number’s gonna get a lot higher, because as we start to look at the flow down to the flow down, that this number could reach a million. I would assume that, and I don’t know if you have the number, that in that many of those clients are using a hosted hosting provider like Office 365 or Google, right? For their email.
Sanjeev Verma (00:11:34):
That is correct. So, I think that one of the mega trends has been in the past five years, and it’s rapidly accelerating, is the movement to the cloud. So, no matter what the number, whether it’s 350,000 companies, or it’s a million, nobody knows for sure. But what’s inescapable is the fact that, I would surmise that a vast majority of them are now on a cloud based system, like the two that you mentioned. O365 probably being the dominant share, and then Gmail being the second one.
John Verry (00:12:09):
Gotcha. And have you seen any statistics on what an estimate might be out of that number? I mean, would it be, if you had to venture a guess, would you think it’s half of those 350,000? Or two thirds, or no idea?
Sanjeev Verma (00:12:22):
I have no idea, John, but I’d be guessing. So, I would probably stay away. But I think that just based on seeing statistics of migration to the cloud, I’d be shocked if it’s less than 50%.
John Verry (00:12:37):
Yeah, I think you’re probably right. And especially because if you think about it, I mean, a significant percentage of those 300 and odd thousand are relatively small organizations, between… I’ve talked to folks that are talking about 800-171, and GCC that are as small as two or three people, and many of them are in that 50 to 1,000 person range. And I think a lot of those types of organizations are in a hosted mail platform.
Sanjeev Verma (00:13:05):
You’re absolutely right. When I look at statistics, I think that if you look at the 350,000, I would say 90% or more of them are in the sub 1,000 employee category that you mentioned. And the vast majority of those guys will be on cloud hosted platforms like O365, or Gmail, and there, the numbers are quite clear. I think that probably somewhere in the 80 to 90% of them are on O365, and probably the rest, 10 to 20% on G Suite. That’s our [inaudible 00:13:43].
John Verry (00:13:44):
Yeah, I would agree with you. I mean, an inordinate percentage are on Office 365. So, let’s talk about Office 365 for a second. They’re a monster. We’re actually running on Office 365. I’m a fan of the Office 365 product suite. They have been hesitant, and I don’t blame them, until the CMMC-AB, CMMC Accreditation Body, really comes out with the clarification. But all indications are, they have I think it’s four levels of government cloud. I think it’s GCC, GCC High… Three. GCC, GCC High, and DOD, correct? Are there three levels?
Sanjeev Verma (00:14:20):
I think that you should just look at it as Microsoft guidances. O365, they call it Commercial Cloud, is the GCC, and then there’s GCC High.
John Verry (00:14:28):
Okay. So, and everything that I’m seeing unofficially, is that you would need to get to GCC High to conform with either 800-171, and/or CMMC level three. Do you agree with that?
Sanjeev Verma (00:14:40):
Well, that is the official guidance from Microsoft itself. So, if you look at it, I think that… And we’re happy to share Microsoft guidance. I’m sure you have it. But they have a neat little table that compares these three systems, and they basically say that, “If you want to comply with CMMC, or 800-171, you’ve got to be on GCC High.”
John Verry (00:15:06):
Yep, they have a really smart guy over there, by the name of Richard Wakeman, and usually, when you look at the top of the blogs that talk about this, his name is on top. He’s a really smart, and nice guy. I’ve chatted with him. And so, that appears to me to be the guidance. The other thing, too, is that I’m noticing an increasing number of the folks that I chat with are talking about ITAR, and I think you’ve also got to get to either GCC, or GCC High, to get to ITAR compliance, as well.
Sanjeev Verma (00:15:30):
Yes, I think GCC High, and ITAR represents a Byzantine, and very complex set of requirements. And the official Microsoft guidance for that is that you can, again, through setting up proper key management, proper servers, et cetera, that you could use cloud systems like GCC High to do ITAR. But it requires… It’s not by default. You’ve got to do a lot of work, and configuration to do so.
John Verry (00:16:04):
Yeah, my understanding is that you have to go with one of those that ensures that the data is kept in a certain end data centers, that meet that requirement. And then of course, you’ve got to have a lot of controls on your side, to ensure that only US citizens have access to the data, and that data has no mechanism to be transported, et cetera.
Sanjeev Verma (00:16:22):
Well, that used to be the requirement, and certainly is the requirement. And in fact, one of the things that GCC High does is that it has US persons manning the data centers, et cetera. But, I think your viewers will find something fascinating has come out. The State Department came up with a ruling, which was interim in December of last year, and became permanent in March of this year, which changes the game totally.
Sanjeev Verma (00:16:52):
It basically says that if you are using a cloud service, and you use end-to-end encryption, the keys to the end-to-end encryption are never accessible to the cloud provider. In that case, you can actually use basic end-to-end encryption to carry, transport, and store ITAR data. And as I will share with you later, that completely changes the game, because you now have the potential to basically share, and store ITAR data extraordinarily simply, via appropriate end-to-end encrypted systems like the ones that we provide for regular email, and simple file sharing.
John Verry (00:17:38):
Sanjeev Verma (00:17:38):
But we’ll talk more about that.
John Verry (00:17:40):
Yeah, you and I, when we had chatted originally, we hadn’t addressed that issue of ITAR. If you would be so kind as to also… I need you to start making a list of things you need to send me. So we got the wine stuff, now you’ve got to send me a link to that, and we’ll make sure we put that into the podcast notes, because I think that’s valuable information.
Sanjeev Verma (00:18:04):
Yeah, I will absolutely make sure that I send you the ITAR State Department regulations.
John Verry (00:18:05):
Sanjeev Verma (00:18:05):
Yeah, I’ll be happy to do that.
John Verry (00:18:06):
They should come after the wine recommendations just in order priority. Just making sure.
Sanjeev Verma (00:18:09):
I got it. I got it.
John Verry (00:18:14):
Okay. So, if somebody is already on Office 365, the commercial license, conventional E3, or E5, or license, or something of that nature, and they want to move to… Let’s start with, and I know you don’t want this to happen, but they want to stay fully on Office 365. What has to happen? What do they need to do? Tell me a little bit about how that works. What are some of the issues? What are some of the challenges? If you can give us an idea, what does it take to migrate? If you know anything about costs, and things of that nature, give us an idea what that would look like.
Sanjeev Verma (00:18:42):
I think that, first of all, if you are on O365, you’d go to Microsoft, and what Microsoft would say to you is, “Look, in order for you to be CMMC compliant, you need to go, and migrate to GCC High, because that’s how we can comply with all the regulations on data access, data forensics. And, on the GCC cloud, we have the ability, GCC High cloud, we have the ability to do so.”
Sanjeev Verma (00:19:10):
So the steps that are involved, in a simplified manner, work something like this, that the organization says, “I want to explore my options.” Then come to hopefully a person, or an entity like you, and you’d say, “Please guide us.” And so, first thing is that there’s a few GCC High resellers, and they would set up a consulting agreement. And so, they would essentially say, “Look, you’ve got to rip O365, and replace it with GCC High.”
Sanjeev Verma (00:19:45):
And so, there’s roughly somewhere between four to six months of consulting time period. It costs approximately $50,000 to $100,000 to do that consulting. And so, the organization then determines, “What do I need to do, to do a cut off from my O365 to GCC?”
Sanjeev Verma (00:20:10):
And once you’ve determined it, you’ve looked at your systems, then the migration will occur. And at that point, you are now, instead of storing your emails and files and on commercial cloud, now you’re storing them on GCC High cloud, and you have now paved the path to be compliant with CMMC. So, if you’re following the recommended path from Microsoft, that’s what the sequence of steps looks like.
John Verry (00:20:47):
Yeah. That’s a big number. And honestly, seems a little illogical to me. I mean, it feels like I’m just migrating from one data center to another. But that being said, things cost money. Would that differ a lot if, let’s say I’m a five person company? I mean, is somebody going to charge me 50 grand, or 30 grand to migrate a five person company from O365 to O365 GCC High?
Sanjeev Verma (00:21:16):
Well, I can’t comment much on whether that number is in that zip code if you’re a five person company, but I certainly know that if you’re in the 25 person or above, you’re looking at a minimum of $30,000.
John Verry (00:21:33):
So even that small?
Sanjeev Verma (00:21:34):
Even that small.
John Verry (00:21:35):
Even that small, you’re talking about that much of a cost?
Sanjeev Verma (00:21:38):
It’s a big cost. And that’s going to be the heart of what we’re going to be discussing. And that’s just the way it is. So, there’s a major problem if you’re a small company. If you’re a big company, you’re 1,000 people and so forth, you kind of look at it as this cost of doing business. It’s still a huge, disruptive headache. But, you’re more apt to be able to follow that kind of number. But it is simply an unacceptable choice when it comes to a 10, 20, 30, 40 person company.
John Verry (00:22:16):
Okay. Let me ask a question. So, I have a client that they’re a valve manufacturer. And they’re probably 200 people, but probably only 25 to 50 of them are in the CUI scope. So, can they just migrate? How would that work? Would they migrate just those 25 or 50 people to the GCC High cloud, and leave the rest on Enterprise? Is that the model?
Sanjeev Verma (00:22:47):
So the second, you raised some very good points. So, again, one would think that a logical choice would be that, let’s say you swallowed the $30,000, $50,000 fees, and you migrate, that you would want to migrate the 30 to 50 people that are handling CUI. And the second aspect of it is that the GCC licenses, ongoing, are more expensive than O365.
Sanjeev Verma (00:23:22):
But it turns out that the way GCC is implemented, is that that’s not a practical choice. So, what the GCC recommendation would be, that you migrate the entire organization, which is in your case, as you said, 200 people, to GCC, and not have just the sub segment of the 30 to 50 people that are handling CUI be like a sub zone.
Sanjeev Verma (00:23:51):
And, if you insist on making that a sub zone, all kinds of problems ensue between communication, between the sub zone, and the parent company, so the default recommendation for GCC is, go migrate the entire company. And that again, causes problems because, fine, you were talking about the 10% companies earlier, but now you’re coming into the spot of say, a 200 person company, 50 people doing defense work, 200 people doing non-defense work, and now it becomes prohibitive. So, I actually have very accurate statistics, because we’ve done this thing. So, if we have a client that was exactly almost that size 250 people.
John Verry (00:24:34):
Sanjeev Verma (00:24:34):
50 of them are handling CUI, and so the GCC High bill for them was $100,000 for that. So, that was part-
John Verry (00:24:43):
I’m sorry, the GCC High bill to migrate to GCC? The consulting cost to migrate?
Sanjeev Verma (00:24:48):
Consulting costs, plus the now cost to go, and recur. And the reason was that they had to move all 250 people on to GCC High. The GCC High licenses are, as I understand it, two to three X the price of an O365 license, plus the consulting costs. So it becomes a fantastic number very, very quickly.
John Verry (00:25:13):
Well, fantastic number for Microsoft, and their consulting companies. Not a fantastic number for the firm that needs to be CMMC certified, right?
Sanjeev Verma (00:25:22):
Well, I am using the word fantastic in a [crosstalk 00:25:26].
John Verry (00:25:25):
Oh, you’re being sarcastic. They say sarcasm is wasted on fools. So that explains why I didn’t get it. So, let me peel that number back a little bit, because I want to make sure I understood it. So, what you’re saying is that 250 people, 50 were CUI beholden, 200 weren’t. It cost them, in the order of magnitude of $50,000 or $100,000 to migrate, and then you’re saying-
Sanjeev Verma (00:25:51):
30 to 50.
John Verry (00:25:52):
Okay, so let’s say it cost them $50,000 to do the migration, working with this Microsoft GCC High partner, and my understanding is only like seven of them, or something, that are approved or something odd like that?
Sanjeev Verma (00:26:04):
That is correct.
John Verry (00:26:05):
Sanjeev Verma (00:26:05):
Seven resellers of GCC High.
John Verry (00:26:07):
Okay. So they work with one of those seven resellers. That reseller helped them make the migration, the bill to do that was around $50,000. Then we have 250 people. I don’t recall the exact price of our licensing, but I think we’re… I can’t remember if we’re E3 or E5, and I guess it depends if you have the voice or not. But let’s say it’s around $30, $35 or something like that. And shake your head if I’m guessing right. Around $30, to $35 for a conventional Microsoft commercial license, right? For the full suite. So you’re saying that it might cost them somewhere between $60 and $90 per user, per month?
Sanjeev Verma (00:26:46):
That is correct.
John Verry (00:26:47):
From that point forward?
Sanjeev Verma (00:26:48):
Yep. Depending on the economics, yep, that is exactly your… Again, please don’t hold me to precise numbers, or whatever [crosstalk 00:26:55].
John Verry (00:26:56):
Oh, no, no, no, no.
Sanjeev Verma (00:26:56):
The ballpark. That’s exactly in the zip code of what we’re talking about. Yes.
John Verry (00:27:00):
So that’s a lot. I mean, so you’re talking about if you were 250 people, at $30, right? It’s $7,500 a month. You’re saying that that might go somewhere between $15,000, and $22,500 per month.
Sanjeev Verma (00:27:15):
It becomes a big number. And that’s why when you’re looking at a migration, it starts to add up, and it becomes a pretty serious dent.
John Verry (00:27:25):
Okay. Okay, so, alternative solutions, right? So obviously, you’re on the call to talk about PreVeil as an alternative solution. So, let’s talk about PreVeil. Let’s talk about, if you’re aware of other alternative solutions, like, if I’m listening to this, and I’m going like, “Hey, crap, I can’t afford $50 grand, plus an additional $10,000 bucks a month forever.” What are my options?
Sanjeev Verma (00:27:51):
So this is where a company like PreVeil comes in. And I’ll tell you, before I go into the numbers, and the logic of it, that we hadn’t created PreVeil to solve the CMMC problem. I mean, we had basically built an end-to-end encrypted email, and file sharing system, that was really simple to use, because it handled the fundamental challenges that are faced by any computer system, including O365, Gmail, et cetera, and to protect users from this ever persistent threat.
Sanjeev Verma (00:28:33):
But it turns out that PreVeil is an exceptionally good solution for handling CMMC in an economic way. So, let me explain first of all, what PreVeil is, and why it addresses the challenge of CMMC compliance so well. So, PreVeil basically is an end-to-end encrypted email, and file sharing system. So, in email, you basically retain your email address. You don’t have to change it. And you send and receive emails with end-to-end encryption, by which we mean that the emails are encrypted on your device, and can only be decrypted by the recipient, and no one else. They are always encrypted on the server, and even the provider of the service, which is PreVeil, cannot decrypt those on the server. By default, they are stored on AWS GovCloud, but if somebody wants to, they can also store them on premise.
Sanjeev Verma (00:29:36):
The same holds for file sharing. File sharing, you should think of PreVeil basically like a Dropbox, or a Box, or OneDrive. So it’s a file sharing, and collaboration system. But it’s different in that underneath the covers, even though as a user would interact with it, just as they would with like a OneDrive. But underneath the covers, everything is end-to-end encrypted. So your files get encrypted right on your computer, or your phone. They stay encrypted in the cloud, again on AWS GovCloud, and the only people that can decrypt it are the recipients. So that’s the PreVeil system.
Sanjeev Verma (00:30:15):
So, when it comes to CMMC, the way the system works is that it actually says to the small to medium business, “You don’t need to go and replace your O365, or Gmail.” You simply add PreVeil as an overlay service. And so, what happens is if you were to look at your O365 Outlook client, you would see a second inbox in there, and this is where all your encrypted emails come in, and they have the same email address.
Sanjeev Verma (00:30:51):
If you are in Gmail, it adds a secure inbox to your Gmail. And this is where, again, your encrypted emails come in, and these are, again, fully compliant with CMMC encryption techniques, and so forth. So, when you are sending an email to another person who’s handling CUI, and you just identify the people in your company that handle CUI, then that email goes end-to-end encrypted, it’s stored in the appropriate cloud, complies with CMMC regulations.
Sanjeev Verma (00:31:23):
But for every other stuff, if you’re dealing with people that aren’t handling CUI, you just continue to go and use O365, which, as you said, you liked very much, and it’s a nice, clean system. So, it’s a system that allows you to retain what you’re doing, not have to rip and replace anything. And in fact, you just provision PreVeil, it takes days to go and provision. And so, the first thing that happens is you just start emailing in a CMMC compliant manner, with other people that [inaudible 00:31:59].
John Verry (00:32:00):
Let me ask a question there.
Sanjeev Verma (00:32:02):
John Verry (00:32:03):
I think I understand what you’re saying. So what you’re saying is that, I stay on my Office 365 commercial solution.
Sanjeev Verma (00:32:10):
John Verry (00:32:11):
That the people in my organization that handle CUI, I install PreVeil for them, whatever that means. You can explain that. And then all of the emails that they send, from that point forward, will be CMMC, or NIST SP800-171 conforming?
Sanjeev Verma (00:32:31):
That is correct.
John Verry (00:32:32):
Sanjeev Verma (00:32:32):
All the emails that are going between the people for whom PreVeil has been installed. So the first thing that you will do is, remember, you were saying, “I have a company that has 200 people, 50 of them handle CUI.” So you would install PreVeil for those 50 people.
John Verry (00:32:48):
Sanjeev Verma (00:32:49):
And now all of the emails that are flying back and forth between these 50 people, are encrypted end-to-end, compliant with CMMC.
John Verry (00:32:58):
Gotcha. Quick question, is it all of their email? So as an example, if that guy sends an email home to his wife saying, “I’m going to be late.” Is that? Or do we specify that, “Oh, anytime I’m sending an email to this other entity within, that handles CUI, those emails are encrypted. But if I send an email to somebody that’s outside of that domain, if you will, or outside of that field of use, those emails are not encrypted.” How does that work?
Sanjeev Verma (00:33:27):
That is correct. Your understanding is absolutely correct. And so, if you’re sending, for example, an email to a colleague who handles CUI, that email will go encrypted. But if you’re sending an email, as you said, to your wife, then that email will just go through regular O365, unencrypted, just as you were used to. But the system has the ability to keep the same email address. And I’ll demystify it for you. You do it all the time, and it’s not that complicated.
Sanjeev Verma (00:34:00):
So, those of your users that use iPhones, when you send a text message on an iPhone, it’s an iMessage. It’s the same phone number. But if you send a message to another Apple user, on an Apple phone, the message goes blue, and it’s actually going through the Apple servers, and it’s an iMessage. But if you are communicating with somebody who is not on Apple, the message is green, and it’s going through the SMS network. But from your vantage point, you’re communicating with the same phone number, you didn’t have to change anything.
Sanjeev Verma (00:34:34):
So PreVeil works very much like that. You’re sitting in your Outlook, and if you’re communicating with another PreVeil user, which is a person who’s handling CUI, the message is going encrypted end-to-end, it complies with CMMC. And if you send a message to someone who’s not a CUI entity, it basically goes through the regular O365 network.
Sanjeev Verma (00:34:58):
And there’s one further nuance. You can, for example, if you are sending a message to a person who’s not currently handling CUI, but you anticipate handling CUI in the future, you want that to be encrypted. Then you simply turn on the encryption button in the email, and what it will do is it will invite the other person to join, and they can join for free, just like WhatsApp and others.
John Verry (00:35:21):
Oh, that’s cool.
Sanjeev Verma (00:35:23):
So, that’s how the system works, and the analogy hopefully helps in understanding it. If you’d like, I can also do a quick share of my screen.
John Verry (00:35:34):
Yeah, real quick. Yeah, do that. But I’d like that… So first of all, the analogy was great, and I think that will help people understand it really clearly. I did have one question, so, I can force somebody to… By default, it’s going to encrypt, if I’m sending it to the right person. What if I sent my wife CUI? Would it have any mechanism to recognize that I’m sending CUI, and encrypt it, and prevent her from doing that? Or is that not the field of use?
Sanjeev Verma (00:36:04):
No, that’s not the field of use.
John Verry (00:36:04):
Sanjeev Verma (00:36:04):
So I mean, obviously, if you make the mistake-
John Verry (00:36:07):
They could do that with DLP. We could overlay DLP, or some other mechanism on top of that. So you’re not a DLP solution. You are basically creating a community of understood users that are communicating CUI, and ensuring that all communication relevant to that community is being encrypted in accordance with 800-171, or CMMC.
Sanjeev Verma (00:36:30):
That’s correct. And now, I’ll just draw your attention to the screen. So this is your favorite Outlook, as a user, Alice. You see her regular emails are coming in, no change. And when you join PreVeil, it automatically adds an encrypted inbox, and here you get your encrypted emails. It’ll say it’s encrypted, but you interact with it, just as you would. So for example, you had sent me this Virtual CISO Podcast details, I forwarded it, and since I have encryption on, it came encrypted. So from a usability perspective, it’s just the same as you’re used to.
John Verry (00:37:05):
So I’m not adding a password. I’m not adding an encryption key?
Sanjeev Verma (00:37:10):
John Verry (00:37:11):
I’m literally just sending email. But if I’m in box one, it goes out unencrypted. If I’m in box two, it goes out encrypted.
Sanjeev Verma (00:37:18):
And it can be even better than that. And I’m going to show you that. So for example, let’s say you create a new email.
John Verry (00:37:24):
In my [inaudible 00:37:25] inbox.
Sanjeev Verma (00:37:26):
The message is, by default, unencrypted. But let’s say you’re sending the email to Ed Murphy, who happens to be somebody who handles CUI. The moment I put Ed Murphy’s name in, much like iMessage, it understands that this is a person who handles encrypted, and it goes encrypted. But if you are sending your email to email@example.com, the system will basically say, “Oh, firstname.lastname@example.org.” It just goes through regular O365. So I hope that clarifies that.
John Verry (00:37:59):
It very much does. So, what I… And I’ve seen this once before, that was what impressed me, was the fact that it’s super transparent. Yeah, it’s super transparent. It’s easy to deal with.
Sanjeev Verma (00:38:12):
And the same thing holds, by the way, for file sharing. So, in file sharing, you’ll have a folder in your file system, on your Mac or your PC. And all of the CUI, you just drag and drop into it, you’ve got folders in there. The first thing that happens is all your information syncs to your devices, so you’ve got your information available to you on your phone, on your computer. But if you want to share it, you simply right click and say, “I want to share it.” Say, with John. I enter your regular email address, and it shares it.
John Verry (00:38:43):
Sanjeev Verma (00:38:44):
So you now have a mechanism by which you retain your O365, you don’t have to rip and replace. But now the economics come in, and here’s how. So, first and foremost-
John Verry (00:38:54):
Wait, wait. Hey, Sanjeev real quick?
Sanjeev Verma (00:38:56):
John Verry (00:38:57):
Can you turn your camera back on?
Sanjeev Verma (00:38:58):
Yeah. Is the camera not on?
John Verry (00:39:00):
I like to see your smiling face. No, I don’t see you. I don’t see your smiling face anymore.
Sanjeev Verma (00:39:04):
John Verry (00:39:05):
For some reason when you shared the screen, you disappeared.
Sanjeev Verma (00:39:10):
I see. Here I am.
John Verry (00:39:11):
There you are. So now… See, listen. You’re doing my job now. I was about to ask you, I’m assuming you guys don’t work for free. So you’re going to charge for this service, so why would the economics be better to use what you’re doing, versus what you can do by migrating to the GCC High cloud?
Sanjeev Verma (00:39:31):
So, I think you teased out the answer very well in the prior part of our conversation. So, let’s go step by step. So, number one, you don’t have to go and pay the consulting bill, to do a rip and replace. So, right off the bat, you go and save all of the money that is required for any consulting services, because PreVeil basically to deploy it, it’s a consumer friendly kind of system. So you can deploy it for a typical organization of 10, to 250 people, and it’ll probably take you hours, if you’re a 10 person organization. Perhaps more appropriately, you do a little bit of planning and so forth, you’re talking a couple of days, but certainly over a span of a week, you can go and add PreVeil. And so there is no disruption, and no fees associated with the consulting.
Sanjeev Verma (00:40:27):
The second is that the PreVeil system, again, since we had never designed it with any CMMC, or anything in mind, we basically designed it for it to be competitive with commercial systems like O365, and Dropbox, from a file sharing perspective. And so, the price of PreVeil is $20 a user a month if you’re on a commercial cloud, but for government, and CMMC compliant customers, you’ve got to be on AWS GovCloud, and the price over there is $30 a user. And the reason for the increase is because the price to store on AWS GovCloud is about 70% more.
Sanjeev Verma (00:41:08):
So, the transparent pricing is that for every CUI person, you’re paying $360 a user a year, and you get unlimited email, and you get unlimited storage for your CUI. So if you’ve got a terabyte of information, you can store it, and so forth. But also the nice thing is that, for flow down, let’s say you’re a vendor, but you want to flow down that information to a supplier. So then you share it with the supplier, and as a paying customer, you can share up to 100 gig of information to the supplier, and the supplier can join for free.
Sanjeev Verma (00:41:45):
And again, the system was designed inherently for virality to go and make it easy to communicate. Now, we’re obviously not in the charity business. So, we make it easy for the defense company to share the information, but it’s our subsequent hope that if they’re sharing it with another company, that that company at some point would say, “Listen, I want to be CMMC compliant.” And if my choices are better with PreVeil, then they also become a paying customer, and now I have access to more controls, et cetera. But that’s sort of how the business works.
Sanjeev Verma (00:42:20):
And so, if you look at the combination of this, I go back to the example that you had of a 250 person company, that has 50 employees that are handling CUI. So the GCC High bill was $100,000. The PreVeil bill to do so would be in the $15,000 a year zip code, because you’re not paying any fees, and it’s the number of employees times $360. That’s roughly the price that you pay. So it’s a very, very simple math. There’s nothing more to it.
John Verry (00:42:51):
All right. So to be clear, going GCC High, I move 250 users from, let’s say $30 to $80, to keep the math easy.
Sanjeev Verma (00:43:02):
John Verry (00:43:03):
Right? So I have $50 times 200 people that didn’t need it, right? Which is $10,000 a month. And what you’re saying is that in your solution, I’m only putting those 50 on I need. So I save that $10,000 a month that it would have cost me to upgrade everyone. And I didn’t have as large a consulting fee.
John Verry (00:43:23):
I might have had a small consulting bill on the front end, but instead of a $30,000, to $50,000, to $100,000 consulting bill, I might have a $2,000, or a $4,000 consulting bill, if I don’t do it myself. I mean, again, assuming that we’ve got people listening to podcast that are like, “Oh, I’m just going to have somebody do it.” You’re saying that even a consultant could do this for them in hours, to days. It’s a pretty small project. Or you could do it for them, for that price.
Sanjeev Verma (00:43:49):
That is correct. In fact, we do it for no charge. But let’s say you’re working with say-
John Verry (00:43:56):
Sanjeev, they’re going to hold you to that.
Sanjeev Verma (00:43:58):
John Verry (00:43:59):
You might want to roll that back.
Sanjeev Verma (00:44:03):
Today we do that, but [inaudible 00:44:05] I think your logic is more appropriate, that if you are doing it, having somebody do it, say Pivot Point’s doing it for them, it will probably cost you a small amount for the time that you guys spend to do it. But, it happens in a matter of days, versus spending three to six months, and $50,000. So, the combination of these three attributes-
John Verry (00:44:28):
And it sounds like the speed, too.
Sanjeev Verma (00:44:30):
And no disruption.
John Verry (00:44:32):
One of the problems we’re going to have here is that very often I think you’re going to see people have to get to a GCC… Excuse me, to a CMMC certification fast. And if there’s only seven people that can do these upgrades, and there’s three hundred thousand people in line, you could be waiting in line for a year to get upgraded. Right? So the reality is, is that you could be in a situation where this might be your only choice to get there fast, otherwise you’re waiting for a while.
Sanjeev Verma (00:45:01):
Well, I actually don’t know. I mean, right now there’s not that groundswell. I mean, hundreds, soon moving to thousands of companies are now in the process of now-
John Verry (00:45:13):
Think about it logically. If there’s seven companies-
Sanjeev Verma (00:45:15):
No, you’re right.
John Verry (00:45:17):
That are the only ones that could do this, and it takes them months to do it, there’s a finite amount of bandwidth they have to be able to do these migrations, which means that you’re going to get in line for them, just the same way you’re going to get in line for a CMMC audit at the beginning.
Sanjeev Verma (00:45:29):
Yeah, I guess you do. The only reason, I would love to say that that’s the case, but the reason I sort of hesitated a little bit is that Microsoft is a very respectable, highly capable organization. So, I’ve got to assume that if there’s a groundswell of 24,000 companies that want their services, that-
John Verry (00:45:54):
They’ll figure it out.
Sanjeev Verma (00:45:55):
It’s a great company, they’re going to figure it out.
John Verry (00:45:55):
They didn’t become Microsoft by not figuring this stuff out.
Sanjeev Verma (00:46:00):
Absolutely. So I have a great deal of respect for Microsoft. I mean, it’s a great company.
John Verry (00:46:04):
I’m actually a huge fan. Like I said, I’m a Microsoft fanboy. And that’s one of the reasons I like your solution, is that if we hadn’t had the first conversation, you told me that you were going to become the DNS MX record, and you were going to be the email host, we probably wouldn’t have had another conversation. But the idea that you can use the two best platforms for mail and file sharing, and use that transparently, but still comply with CMMC, to me, you just made a lot of sense, which is why I thought it was such an interesting idea to have you on the podcast.
Sanjeev Verma (00:46:38):
Well, thank you. I think that’s the whole notion, that again, our birth was out of MIT, and it was all about providing the very best security. And so, much as our conversations going, you and I have spoken about the fact that we’re a lot cheaper than Microsoft GCC High. And that’s true. We’ve also spoken about the fact that we are far easier to deploy, in a matter of hours to a day versus months. And that’s also true.
Sanjeev Verma (00:47:13):
And so, SMBs, small to medium businesses, love us for those reasons. But I’ll tell you something, that the real reason I want people to love us is because at the end of the day, we are radically more secure. And it’s an important thing, and something that’s very, very, very important for us to discuss. But ultimately, what we get with PreVeil is, notwithstanding the economic and the disruption business benefits, is absolutely state-of-the-art security, that in this particular case, notwithstanding my admiration for Microsoft, as a wonderful corporation, is hands down better than what Microsoft offers, at its highest level of security, and we should talk a little bit about that.
John Verry (00:47:59):
Okay, well, let’s do that. Explain that.
Sanjeev Verma (00:48:01):
So let me explain why that is the case. So again, five years ago, I went to my alma mater, MIT. And I told you, I was an entrepreneur before, and built the US wireless data network for 3G, for maybe about 30% of the company. And I wanted to understand what makes for great computer security.
Sanjeev Verma (00:48:27):
So I went to my alma mater, MIT, and I spoke to two of the top security experts over there, Nickolai Zeldovich, professor of computer security, and my now co-founder Raluca Popa, who’s 35 under 35 for top technology visionaries, and a professor of computer security at UC Berkeley. And they educated me, and said, “Look, the basic paradigm for security, why hacks are happening over and over again, is that the old model of security is like that of a fort.”
John Verry (00:49:00):
Sanjeev Verma (00:49:03):
So, you build a wall around the information.
John Verry (00:49:08):
My glass went dry, Sanjeev, I apologize. Gotta have priorities in life.
Sanjeev Verma (00:49:12):
Yeah. So the old model of security is all about, like the medieval forts, you build a wall around the information, and you hope that the wall prevents the attacker from getting to the information.
John Verry (00:49:27):
Or the moat, right?
Sanjeev Verma (00:49:29):
Or the moat, whatever. But in information technology, the wall, or the moat is made of software, and what the academics, and the NSA, which is the other entity that knows everything that there is to know about security recognized, was that no matter how tall the wall, or how deep the moat, the attacker is going to get through, because these walls and moats are made of software, and software has got bugs.
Sanjeev Verma (00:49:59):
So you’re in the software business, you know that patches keep coming for servers, and they’ve been coming for the past 40 years, and you’ll still be installing patches. So the moment that there is a vulnerability discovered in either the server software, or there’s a chink in the armor of the firewalls that protect, the attacker exploits it, and they will inevitably get to the information.
Sanjeev Verma (00:50:24):
Second, legacy systems, and that’s how O365 works, Gmail works, the servers see the information, and they try to protect you by building walls around it. But ultimately if the attacker gets to the servers, they see the information. That’s the first principle.
Sanjeev Verma (00:50:43):
The second thing that I was educated was that the information is protected also by this notion called a password. But we all know that they can be easily guessed, you can phish, you can steal them, et cetera. And so now you give access to accounts remotely, because you got a password.
Sanjeev Verma (00:51:05):
Third, they said, “Look, who’s guarding the entire system in an enterprise? And that enterprise’s guardian is an admin. But the admin represents what we call a central point of attack. The admin needs access to the information, but if you get to the admin, you get to the whole candy jar, and the entire organization is compromised.”
Sanjeev Verma (00:51:30):
So that was the old paradigm, and for more or less, the walls are taller, and the moats are deeper with GCC, and O365, but the paradigm is just the same. What the academics, and the NSA say, is if you want real security, you’ve got to assume that the adversary was far more sophisticated. It’s a state level sponsored guy, is far more sophisticated than you. They will inevitably get to the servers, they’ll get to the admin, and they’ll get to your passwords.
Sanjeev Verma (00:52:06):
So how do you protect the information when that happens? And so, the NSA guidelines, and the academics model is encrypt everything end-to-end. So, as we discussed, that means information is encrypted on your device, and can only be decrypted by the recipient, but the server only sees encrypted information.
Sanjeev Verma (00:52:27):
So now, unlike the moat, or the wall model, if the attacker gets to the server, all they get is encrypted gibberish, and there’s no means for them to decrypt it, because they have no keys to decrypt it. The keys are only with the recipient. So, that’s the first thing.
Sanjeev Verma (00:52:45):
The second is modern systems like PreVeil, and that’s what PreVeil does, by the way. So, when your information is going in a PreVeil email, or on a PreVeil file share, it’s stored on AWS GovCloud, and we, the provider of the system, have no ability to hack it, to look at that information. We’re seeing it, but it’s encrypted gibberish. And so, neither can the attacker. If you are-
John Verry (00:53:12):
I was just going to say, just because people might not be following something. So, when you encrypt something, right? It’s like the equivalent of a lock on file, right? And that lock has a password, if you will. And I think what you’re saying is that, and a key point for them to understand is that, it’s where the key is, right? So either it’s not locked, and then if I gain access to the system, I have access to it. Or it is locked, but if the key is kept in a similar location, so if you have a safe in your house, and it has a key, but you keep the safe in your house, an attacker getting into your house is going to get into your safe. So I think what you’re saying is that you’re storing this data in a location, and it’s encrypted, and the key to unlock that file is not being kept within that AWS cloud, correct?
Sanjeev Verma (00:54:00):
That is absolutely correct. And furthermore, true security comes from the provider of the system, namely us. We designed the system. We should never, ever have the ability to access that key. And we don’t. So the keys exclusively belong to the users, or the organizations that handle them. And that’s a cardinal principle. And so now you’ve got a system, that if the attacker gets to the server, and even if the attacker is a mal-intended PreVeil employee, all they can see is just encrypted gibberish.
Sanjeev Verma (00:54:38):
Whereas, what has happened in attack after attack, take the Capital One attack on Amazon Services. It was an admin, the admin attacked through a firewall, they got to the server, the information was viewable on the server. And so therefore, all the Capital One records were disclosed.
Sanjeev Verma (00:55:00):
So that’s the first principle, that keep the information encrypted, exactly like you described John, where the keys are never visible to the server, and therefore the information is secure. And that’s why the NSA, in its recent guidance in May, when it basically said, “Listen, there’s the pandemic, people are now working from home, we’ve got to guide government agencies on how to protect information.” And so the first criteria was, use services that have end-to-end encryption. So that’s the first principle.
Sanjeev Verma (00:55:34):
The second principle is, don’t use passwords. So, passwords, no matter you use eight letters, or some characters, a fast enough computer can crack it in some time. It could be hours, it could be days. But if instead of using a password, you use a key on your device, which enables access, and that’s an encryption key, that cannot be guessed.
Sanjeev Verma (00:56:03):
So I’ll give you a very neat statistic. So, an encryption key, basically is like the number of atoms in the universe. Not just our solar system, but the entire universe. The universe has 100 billion galaxies, each with 100 billion stars. So, no amount of compute power can go and guess that. So, if you’re using that to access it, it is something that is way more secure than even your biometric fingerprint. And so now, the attacker can’t guess that, and they can’t remotely log in.
Sanjeev Verma (00:56:38):
And then the third thing that you do, is that for enterprise systems, you allow the admin the ability to access the information, which they must for, say, e-discovery, forensics, or if the employee emails need to be archived, or whatever. But don’t give the single admin the ability to do so unilaterally. So, we borrow a concept from the nuclear launch codes. So in the United States, if you want to launch a nuclear weapon, you don’t give one individual the ability to say, “I feel like it, I press a button, and I launch it.”
Sanjeev Verma (00:57:14):
Some number of people have to come together, to go and enable that. So we do the same thing cryptographically in PreVeil, and it’s a concept called an Approval Group. So, an organization sets up an Approval Group, it could say, “Hey, I need a minimum of two people to agree.” Out of, say, six admins, or two out of eight employees, whatever you want. And so, what happens is the users’ keys are broken up into little pieces.
Sanjeev Verma (00:57:42):
So now, each admin has only a little fragment of the key. So, if you attack and compromise a PreVeil admin, you get nothing, because the admin only has a fragment of the keys to access your encrypted information. But if the admin wants to get added, say you’ve been sued, you want access to all your emails and files, the admin will get access to the keys by asking for permission. And now the little fragments of the keys, if you can put in your mind’s eye, come together, and the organization has the ability to do everything that they were used to doing.
Sanjeev Verma (00:58:16):
And when you put these three things together, you now have a system where you cannot attack the server, you cannot attack the admin, and you cannot compromise passwords, and remotely access content, and so you provide true security. And that’s the security that NSA guidance is saying, “You ought to be providing.” And that’s where my heart is, which is that yes, you like PreVeil because we’re cheaper. That’s great. Yes, you like it because we’re faster to deploy, that’s great. But ultimately, the reason you should pick PreVeil is because we are way more secure than even a GCC High system, or an O365 system. And I’ll share with you momentarily, after we talk, why that matters.
John Verry (00:59:07):
Okay, so real quick for you, so a couple… Unravel a lot of content there. To echo what you said about passwords, right? We have a box in our office, that will guess 300 billion passwords per second, something like 24 quadrillion per day. We can compromise a 10,000 person network if we get their hive from active directory, and any eight character password in seven hours.
John Verry (00:59:33):
So, to your point, passwords are no longer a really secure way. And that’s a box that we built for $5,000. If we built one for $50,000, you can imagine what the number would be. So passwords are a problem. So when you’re using encryption keys, which are a much longer length, I agree with you, that’s a great way to do it.
John Verry (00:59:49):
The second thing is that I just want to make sure people understood, and make sure I understood for that matter, I love the [NMN 00:59:56] administrative scheme. That’s a common use of when we store keys in hardware storage modules, to make sure that we don’t have one person take action.
John Verry (01:00:04):
So I think what you’re saying is that if a file has been encrypted by John, an email that went out from John, and it’s got an encrypted file attached, that even if I were to compromise an admin of the organization, that one admin would not be able to see John’s file. He would need to partner with how many we’ve specified, need to be involved, in order for that file to be decrypted by somebody other than John. Is that correct?
Sanjeev Verma (01:00:32):
That is absolutely correct.
John Verry (01:00:33):
Okay, cool. And one last question for you. And I don’t know the answer to this. Does Microsoft’s GCC High, are the files stored in an encrypted format there? They’re encrypted at rest, but where’s the key? Is that the problem, is that the key is at Microsoft, in there, either on that server, or in a key server somewhere?
Sanjeev Verma (01:00:55):
That is exactly right. So obviously, Microsoft’s a sophisticated organization. And any email system worth its salt, including O365, and Gmail… Well, I’ll exclude Gmail for now. But certainly any of the Microsoft systems, they do two things. One, they encrypt in transit, which means the email is encrypted when it goes from your computer to their servers. And the second is, when it’s stored on the server, the email is encrypted at rest, when it stopped being accessed.
Sanjeev Verma (01:01:27):
But you articulated the vulnerability very well earlier, which is the keys are accessible to the server. So therefore, if the attacker gets to the server, they are able to… How does the email get rendered, if you’re seeing it on a web browser? It’s because you get the key, you decrypt it, and you render it. And therein lies the problem, because if the attacker has compromised the server, he or she is seeing everything that the server is seeing. And if the server says, “Fetch me the key.” The attacker says, “Fetch me the key.” And it’s a very subtle, but a profound difference. So, absolutely Microsoft encrypts in transit. Absolutely, they encrypt at rest. But the system is not secure, because the keys are accessible to the server.
John Verry (01:02:19):
Right. And you’re talking about an attacker. You could also have a rogue admin, right? You could have a guy that’s an admin, whether it’s in your own company, and you’re hosting your own email, or there, and a rogue admin has access to all of that data. Okay.
Sanjeev Verma (01:02:33):
There is precisely that, and again, a recent example of that, Twitter had two admins, and there was all this brouhaha about Khashoggi, and all this unseemly mess about the gentleman being murdered by the Saudi administration. In Twitter, there were two admins, and they basically had legitimate access. They were Saudi nationals. And again, I don’t want to be hand wringing in any sort of nationalistic stuff, but they happened to be Saudi nationals.
Sanjeev Verma (01:03:05):
They, in essence, got access to information that Saudi Arabia presumably needed access to, and as admins got it, transferred it, and then took a flight out the next day, and they were gone. But the point is that if it’s a rogue admin, or even if it’s not a rogue admin, it’s a compromised admin. The results are the same.
John Verry (01:03:28):
Yup, I would agree.
Sanjeev Verma (01:03:31):
And that’s what makes a system fallible. And so you identified yourself, very methodically, that the vulnerabilities lie in these systems, because the information can be accessed in the server, notwithstanding encryption in transit, and at rest. They can be accessed through passwords. You’ve got a $5,000 box that can crack it. If you have a key based system, you can put all the computer power on earth, and you can’t crack it.
John Verry (01:03:59):
Sanjeev Verma (01:04:00):
And then the third thing that you have is this admin conundrum. And when you take the totality of it, what we do at PreVeil is, no ability to crack on the server, no ability to crack the password, which is the key in our case, and no ability to breach the admin from the vantage point of, even if you breach the admin, since there’s an NRFM scheme, you’ve got to breach all admins that are necessary before you can get to it, which is a much tougher act to [inaudible 01:04:31].
John Verry (01:04:31):
Gotcha, gotcha. And I would imagine if you ended up also potentially storing data in Azure, that Microsoft would probably prefer to partner with you, because in some ways, you actually solve a problem for them, right? They need that access to that data, because of what they do, and in a weird way you give them a better solution, and solve one of their problems. I guess the only thing that Microsoft probably wouldn’t love about your solution right now, is that you’re putting the data in AWS, and paying them the freight for that, as opposed to Azure.
Sanjeev Verma (01:05:05):
Yeah. And security has so many ironies. You brought up a fascinating point. So, Microsoft systems were built over time. And Microsoft is itself frustrated by its own ability to access the data. So, it happens all the time, that they’re actually often suing the Justice Department, because they complain that the Justice Department can go to Microsoft, and compel them to give [crosstalk 01:05:31].
John Verry (01:05:31):
Yup, and you solve that problem. In fact, you and I have a conversation we need to have, because there’s a client of ours that views the US government as a nation state adversary, and they would prefer to use Office 365 for the convenience, but they don’t want that… Or SharePoint, for that matter. But they don’t want that ability for the government to mandate the turnover of data. And you’d actually solve that problem. And I hadn’t thought of that prior, because they could demand it from Microsoft, but Microsoft doesn’t hold the keys. So, that’s kind of a clever thing.
Sanjeev Verma (01:06:09):
And that’s the reason again, we built PreVeil from the ground up, because our perspective is exactly that, that whether it’s the US government… But if it’s the adversary, the adversary is a sophisticated adversary. So if the government, or whatever is attacking the system, we have nothing. We’ll just go pass on the data, even if they… They’ll compromise us, they’ll get access to the encrypted information, but there’s no key to decrypt it.
Sanjeev Verma (01:06:39):
And likewise, I mean, we take a very methodical approach. We will cooperate with the government at every aspect, but in essence, if they ask us for the data, we’ll hand it over. But we don’t have the Microsoft problem where they decrypt it, and hand it over. If you want, we live in a lawful society, the government can go to the organization, and say, “Hand over the data.” And the organization will hand over the data and the keys. But, we offer a secure system, and we don’t have the ability to go and look at the data, so that’s a key difference, as well.
John Verry (01:07:16):
Gotcha. All right. So we’re going to probably need to wrap here, because I would think no matter how much people like CMMC, and your face, and my face, or our voices if they’re listening on our regular podcast, an hour and 15 minutes is a long time to hear us chat. So, one quick question for you.
John Verry (01:07:33):
As an organization, so if I’m listening to you, I’m like, “Wow, this sounds pretty cool.” Right? “He’s saving me money. He’s more secure. I’m still using Microsoft, so I still have a great underlying tool set.” How do I know that when CMMC auditors come in, that they’re going to look at what I’ve done, working with PreVeil, and say, “Yep, that works.” Are you CMMC approved? How would somebody know that if they used you, that the answer at the end of the process is going to be a thumbs up?
Sanjeev Verma (01:08:03):
So I think that here’s what I would say: So, on our website is a CMMC whitepaper, and in it, we looked at all 130 requirements that you need to comply with, and we worked with third party auditors, that are in the business of auditing, and they looked at the controls, and said, “Look, here are the controls for handling CUI in emails and files, and here’s why PreVeil meets them.”
Sanjeev Verma (01:08:35):
So, I cannot, and I will not say that we are compliant, because the rules are still moving, and so it’s not at… I can’t say that there’s an ironclad assurance. But, since these rules were based on the NIST framework, auditors are very familiar with them, and we work with them. And the language is there, per each control. So, you can take a look at that. But going forward, that’s our proactive strategy. So, we’ll continue to work with leading auditors, to ensure that as the standard sort of evolves, that there’s an assurance that we are meeting the requirements, and updating them. But there should be a fair level of confidence, based on just the CMMC whitepaper that we have. But also, others have looked at the system as well, including several that authored the CMMC, and so there’s, again, not a guarantee right now. No one can, not even Microsoft can guarantee it.
Sanjeev Verma (01:09:56):
But [inaudible 01:09:56] we are taking the right steps to do so.
Sanjeev Verma (01:10:02):
And if I may, I want to make one last point before we conclude.
Sanjeev Verma (01:10:08):
Which is that, look, we stand in a very interesting era, where the nature of war itself has shifted. So, for your listeners, they may be listening and saying, “Oh my God, the CMMC, it’s a pain in the rear, and I’ve got to do work, and so forth.” But I want to make the case for why it matters. So, in the past, our model for war is that we have world class forces, the best that the world has ever known, and they are going to go fight the wars, and protect us.
Sanjeev Verma (01:10:43):
But I submit to you, that we are, as the defense industrial base, now active combatants in war. So, the military relies on two things, superb personnel, and training. But second is advanced technology, and weapons systems. And what has happened in the past five to 10 years is that we have technological advantage in weapons, in technology, but that those weapon systems are built by the DIB companies.
Sanjeev Verma (01:11:19):
So if the adversary, who is again, far more sophisticated than nation state actors, if they compromise the supply chain at various levels, and do two things, one, either steal the technology, in which case our advantage is neutralized in terms of time, or two, mess with it, tinker with it so that when it comes to combat time, the specification of the screw that I had, that I built, was slightly messed up, and the weapons don’t perform as desired. In both cases, we have basically neutralized our enormous competitive advantage that we hold today for national security.
Sanjeev Verma (01:12:02):
And this war is going on. As human beings, we have evolved to just respond to an adversary that you can see. I can see somebody who’s got a gun in front of me, and I react to it. But we are not well trained to respond to an actor that I can’t see, but nonetheless exists, and the warfare is happening seven by 24. And for that reason, I say that we should take security, because it’s a shared responsibility of the DIB, and really, every company in the DIB is an active combatant.
John Verry (01:12:38):
Yeah, no, you’re [crosstalk 01:12:39].
Sanjeev Verma (01:12:39):
You’re an active combatant.
John Verry (01:12:40):
Yeah, it’s so funny. I was listening to you talking, and a thought occurred to me, and I’m sure somebody else smarter than me has probably mentioned this before. But, in the same way that the American Revolution was a shift in battle approach, right? Well, you could make an argument that how we fought in the American Revolution was the genesis of guerrilla warfare. Right?
John Verry (01:13:01):
And realistically, I think, in the same way that that shifted at that point, and that probably has persisted through some of the Middle Eastern issues that we’ve been involved in, we’ve made that transition from that world, and we’re making that transition to the same cyber warfare world.
John Verry (01:13:20):
And I agree with you 100%. I had Katie on the podcast, and some people might say it’s corny, but I actually think what we’re doing is critical to both our national defense, and our economic well-being. I think this is really important stuff. I mean, if we want to remain a world power, I don’t think the CMMC is BS. I don’t think this is not worthwhile to do. In fact, I’m very proud to be doing the work with the CMMC. So, you and I are on the same page.
Sanjeev Verma (01:13:52):
Yeah, I think, as with anything, the standard’s got its heart in the right place, and it certainly will have shortcomings, and it will need to be improved. It will need to be made friendly to the small business. But what you and I are talking about is the deeper issue, that the security of the nation is not in the hands of our own forces. But really, the battleground is in the hands of the DIB companies. And it wasn’t that five years ago, or 10 years ago. You made your armaments, and you handed it to the competent men and women of the armed forces, to execute war.
Sanjeev Verma (01:14:32):
But that’s not how the battle is being fought. And it is for that reason we do what my mother said, that if you’ve got one finger pointed somewhere else, three point at you. And so, for that reason I think we ought to take the matter of cybersecurity so seriously, and it’s for that reason I say that the real reason I want people to prefer PreVeil is really for the extraordinary security we provide, less so for the reasons they will probably choose us for, which is economics.
John Verry (01:15:05):
All right, I have two last questions for you. One is fun, and one is serious. The fun one is, give me a fictional character, or real person that you would think would make an amazing, or a horrible CISO, and why?
Sanjeev Verma (01:15:18):
Oh, God. Who would make a…
John Verry (01:15:22):
You didn’t prepare for this. We gave you this question ahead of time, Sanjeev.
Sanjeev Verma (01:15:29):
I will have to think about it.
John Verry (01:15:30):
Folks, he’s unprepared.
Sanjeev Verma (01:15:31):
I am unprepared for this one.
John Verry (01:15:33):
You’re from MIT. I expect that those high IQ guys can really quickly come up with something off the cuff.
Sanjeev Verma (01:15:38):
Yeah, yeah, yeah. I have to go to the second one. [inaudible 01:15:42].
John Verry (01:15:42):
Oh, man. I’ve got to be honest, you disappointed me Sanjeev.
John Verry (01:15:45):
Second question is easier. You talk every day with business leaders, and information security leaders. Any other interesting topics for another episode that you’d recommend?
Sanjeev Verma (01:15:56):
I feel that security is not quite well understood, and I would suggest that the NSA did us all a big favor by issuing a nine point guidance, which is very clear on what constitutes security. So, I think that a panel where we can talk about, and bring probably a security expert, like a great professor from a university, or folks from the NSA, would be an excellent topic for conversation.
Sanjeev Verma (01:16:27):
And frankly, also the discussion of the economic impact. I think, here, I do refer to General Keith Alexander, who was head of the NSA, who said that, “Listen, the theft of intellectual property through cyber attacks represents the biggest transfer of wealth in the history of mankind.” And so I think it is for those reasons that we probably should warrant a good discussion, and probably a nice topic to have.
John Verry (01:16:59):
Yep, I would agree. I actually like that. The NSA nine point guidance would be a good topic for a podcast.
John Verry (01:17:07):
Cool. So did you… You stalled long enough, do you have a [inaudible 01:17:11] answer for… Or am I going to have to just… You’re going to be the first. I don’t want to put the pressure on you. I think we’re up to episode podcast 20, or 25. Everybody else had an answer, Sanjeev, I’m just saying.
Sanjeev Verma (01:17:24):
So, I will say this, that in general, a politician, and I give a category. A politician, with one exception, would make a bad CISO, because politicians are interested in sounding good, and looking good, and not caring about the substance. And in security, you’ve got to pay attention to the details. And so, they would make a bad choice. And the one exception I have to hand it, is Katie Arrington. I have to say that she is a politician, but I think because of her background as a military…
John Verry (01:18:05):
Yeah, she came out of the DIB space, right? I mean, she was in the defense [inaudible 01:18:12].
Sanjeev Verma (01:18:12):
Out of the DIB space. Her spouse was wounded in combat.
Sanjeev Verma (01:18:16):
And because of that, I think a politician, which was also her training, she was in the House of Representatives, would also make a great CISO. So I’ll give this answer in the same way, that the general variety politician makes a terrible CISO. And in particular, they get my goat, because, and I’m an independent over here.
John Verry (01:18:45):
Yeah, I am too.
Sanjeev Verma (01:18:48):
But with all of the stuff that has happened with the attacks on the DNC, with the elections being hacked, and so forth in 2016, I am galled, and appalled at the fact that there’s still no real security being put on the political parties’ side. And this holds both for the Republicans, and for the Democrats. They’re still sending Gmails, and they’re still doing their things. And so, they represent… They love to talk about security, but never do anything about it.
John Verry (01:19:24):
Not when it impacts their ability to communicate. We were working recently with someone in a very political role, and it was amazing. They were like, “Well, this is great. We need to be super secure.” And when we suggested maybe using an iPhone, with conventional apps like Twitter on it wasn’t the right way to be secure, they were like, “Oh, no, we can’t do that.”
Sanjeev Verma (01:19:46):
Yeah. And I even go and say, “Listen, guys. Do something as simple as, again, use end-to-end encrypted apps like WhatsApp. I mean, it’s super simple for messaging.”
John Verry (01:19:56):
Yeah. Signal, Signal, Signal.
John Verry (01:20:00):
Signal is a great product. Even these IP… These things which randomize, that you can have up to nine numbers, and it randomizes them. Yeah.
Sanjeev Verma (01:20:07):
But they were not going to do that. And that’s why my answer to your question is that politicians, you literally pick almost any one of them, would make the worst CISOs possible. But there’s one exception to the rule, happens to be a politician, but she makes a damn good CISO.
John Verry (01:20:28):
But actually, in a weird way, you cheated, because I would say, Katie is no longer a politician. Katie is technically a CISO.
Sanjeev Verma (01:20:35):
No, she is a CISO.
John Verry (01:20:37):
Yeah, I know. So you just said that the most amazing or horrible CISO, is actually a CISO. So I actually think it was a cop out Sanjeev. But I’m not going to argue with you any longer, because you’ve already… For anyone who’s still listening, you’ve already set the record for the longest podcast that we’ve done. So, with that, I’m going to ask for a farewell. So, if anybody who’s still listening said, “Hey, this guy sounds pretty smart, and this product sounds pretty cool, and we might want to talk about it.” How can people get in contact with you, or with the good folks over there, at PreVeil?
Sanjeev Verma (01:21:09):
So I think I will give three easy answers for that one. You can always go to www.preveil.com, and contact us. I’ll give you my email. It’s email@example.com. And I’ll put John in the hot seat. You can also contact John, and he knows how to reach me.
John Verry (01:21:38):
Do not contact John. That was payback, wasn’t it? Well, with that, Sanjeev, thank you for being on the podcast. Super appreciated. A lot of great information here. Appreciate it.
Sanjeev Verma (01:21:51):
And it’s been a real pleasure. You are so clear in your thinking, and I appreciate the opportunity, John, and I want to get together, and have some nice wine, sometime.
John Verry (01:22:02):
You’ve got a deal.
Sanjeev Verma (01:22:03):
You’ve been listening to The Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. So, if there’s a question we haven’t yet answered, or you need some help, you can reach us at firstname.lastname@example.org. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.