Safeguarding data rather than building walls around the database

My chat with Shane Curran, CEO of Evervault

Dec 08, 2022

Today’s Scatter Brain is brought to you by Eden!

Eden is the all-in-one hybrid workplace software suite to make your flexible office run easily and efficiently. With tools built for desk and room booking, a better lobby experience for office visitors, managing deliveries, and more, Eden is used daily by great companies like Wealthsimple, IDEO, and Noom. Learn more by signing up here.

All of us have precious things in our homes. We don’t want them to get stolen. But, sometimes, shit happens, no matter how careful you are to keep yourself safe. Someone robs your house.

You are now scared and want to prevent that from happening again.

There are two ways of doing that.

One way is to add home security and motion sensors to set up a protective layer around your house. That’s reasonable! Another way is to add a protective layer around the precious stuff. You can set up a better password for your laptop with secret stuff. If it is jewelry and watches, you can put them in a better safe. The idea is to maximize the protection of the stuff with the mindset of minimizing damage if and when the house gets broken into.

That’s roughly the model of what my chat with Evervault’s CEO, Shane, is about. The database of the software you use is the home and the precious stuff is your data.

Growing up

Shane grew up in Ireland.

I asked him about the influences on and cultural outputs of Ireland.

“Ireland is geographically nestled between Europe and the US, and growing up here you get a blend of both influences. That’s not to say we don’t have our own strong identity and culture.” Shane told me. “There is something special about the storytelling here. Since the middle ages, Ireland has been world-renowned for music, literature, and the arts: everything from Celtic monks illustrating The Book of Kells to James Joyce and contemporary artists today.”

When asked what might be lesser known, he told me that Ireland has a strong legacy of mathematicians and scientists: George Boole, inventor of Boolean logic; Robert Boyle of Boyle’s Law; William Rowan Hamilton of quaternions, and Ernest Walton, the Nobel Laureate who split the atom.

Shane on values :

“Personally, I’ve always had a cultural affinity with the US and deeply resonate with its founding principles — namely, a sense of individual agency and liberty. I think these beliefs are widely held by many in Ireland, which makes Ireland a good place to build a company with deep connections to the US compared to other countries in mainland Europe.”

Crypto

The word “crypto” has become mainstream.

The zeitgeist associates it with cryptocurrencies rather than cryptography, which is what it has historically meant in academic, security, and engineering circles.

Shane has a long history with cryptography, even though he is in his early 20s.

He considers “crypto” entering the common parlance as a good thing. Putting aside the speculative aspects, he is glad that much of the narrative around the merits of cryptocurrencies is about immutability, privacy, and decentralization.

“There has been a clear cultural shift where these things matter more to younger internet users. Under the hood, cryptocurrencies use tried-and-tested cryptographic primitives like elliptic-curve cryptography (ECC) and have exposed previously-unaware people to the power and importance of cryptography,” he said.

There is a downside to the redefinition of crypto from “cryptography” to “cryptocurrency,” which Shane believes makes building underlying infrastructure harder.

“All of the noise around “crypto” has made it much harder to reinforce a consistent and clear narrative. In the past couple of years, some unnecessarily complex product offerings have directly contributed to overcomplicating the entire space, which has devalued creating a useful product that solves a problem for companies. For most developers, security and privacy are always a priority, but rarely priority #1. These overly complex product offerings in crypto have put people off implementing the best possible security.”

Cryptography, he told me, “is a simple concept: you take a piece of sensitive data, encrypt it using a key, and as long as the key is kept safe, the encrypted data can be stored and shared with few security concerns. Everything else is just noise.”

Privacy versus security

They get conflated in the public discourse around technology and information.

Part of the problem is we lack easy-to-understand, shared definitions for these hot-button topics for regular people.

I found Shane’s crisp framing interesting:

“Privacy is a regulatory term, and security is a technical term.”

A lot of confusion also stems from the revealed preferences of consumers and how heavy-handed and unintentionally backward top-down measures can get.

“I think privacy is the end result of well-implemented security. Consumers want their data protected and actively seek privacy in new products. There’s a tension here, however, as very few consumers want to pay for privacy through increased friction or worsened user experience,” he said. “There is a further paradox in how privacy regulation has been designed, in that the only companies that can afford to comply with regulations like GDPR are big tech companies. The people who love to build software don’t typically love reading regulations. Encryption helps with this. GDPR has 99 Articles, but developers just want a few lines of code.”

Protecting data versus database

A database has valuable stuff that needs protection from internet leaks. There are things you can do to secure the database, and there are things you can do to secure the stuff and care less about protecting the database.

Evervault enables the latter and believes it’s a better way to secure stuff.

Shane believes software security has evolved into a Rube Goldberg machine of cybersecurity vendors trying to walls around the software.

“Building walls around software sounds great, but the challenge is that security teams need to be right every day, whereas hackers only need to be right once. Relatedly, much of the calories expended in cybersecurity recently have been for tools that detect or monitor cybersecurity incidents rather than creating robust preventative measures,” Shane said.

If you watch enough crime shows, I’m sure you have seen national security officials or CIA agents say something like, “We do thankless work. We have to be right every day. Terrorists only have to be right once to create harm and to cause people to lose faith in us.”

Shane believes that software security folks shouldn’t put software in that position.

“The issue isn’t that data breaches happen; most software inevitably gets breached at some point. What does matter is that the data that is leaked or exfiltrated is plaintext data. Theoretically, a company should be able to post their entire encrypted database on a billboard in Times Square and not worry about any sensitive data being leaked. This is where encryption comes into play. We believe encryption is the most important tool in cybersecurity, but it’s also the most difficult tool to implement correctly. Poorly implemented encryption is no better than no encryption at all, so we’ve been very focused on designing a platform that’s secure by default and hard to implement incorrectly.”

So Evervault makes it easier and faster for developers to implement it correctly. The main design characteristic of Evervault, Shane told me, is that sensitive data is encrypted before it reaches their customers’ infrastructure. Regardless of how poorly customers’ software is implemented, it’s nearly impossible to leak plaintext data accidentally.

Product principles

“Evervault could be considered a "Lego for encryption" – a set of building blocks that companies can use to create various applications without worrying about security.”

I was curious about what ideas or principles are top of mind for Shane in how he views what Evervault should build and communicate.

“Our core design principle is to craft best-in-class developer experience (DX), but with even better security. This is a lot harder than I initially thought it would be. I had assumed that an average developer had a reasonably strong understanding of encryption and how it should be implemented, but we have had to invest heavily in education. Developers understand why encryption is important, but they frequently assume that it’s not suitable for their use case and will come at a cost down the line.”

They have an internal mantra of “don’t hinder the builder” — encryption won’t get used if it makes life harder for developers who just want to build.

“Our goal is to make security the default by making it easy, so that developers can focus on building great products without being forced to make sacrifices. We want to provide developers with all the tools they currently have for processing data, but without restricting them just because they've implemented encryption.”

They aim to move beyond the simple encrypt/decrypt process and allow developers to encrypt, process, and share data in new and powerful ways.

Shane, on sweating the details in the early days:

“Despite the conventional wisdom that startups can easily rebuild things at a later date, the early design choices often become "sticky" and can be difficult to change. This stickiness is why it's crucial to carefully consider design choices and ensure they align with the company's long-term goals, even if it seems way too early.”

Challenges

Given the ambitious technical vision for what Evervault wants to do, I wondered what the most challenging problems were.

“Because every failed request to Evervault is potentially important, like a payment, health record exchange, or authentication flow, we can never afford to drop requests. As a result, we need to be very careful when making changes and releasing updates. This can create tension between the desire to ship quickly and the need to ship correctly. The notion of “move fast and break things” has never been an option in our engineering culture,” said Shane.

To balance the trade-off between speed and care, Shane said they had separated the mission-critical infrastructure from the rest, giving them more flexibility to release small changes with minimal customer-facing risk at greater speed.

“We shouldn’t be as worried about releasing, for example, small developer experience improvements in our Dashboard as we should be with code changes that could potentially degrade the performance of the core infrastructure.”

Regarding the product, the biggest challenge has been making what is happening behind the scenes more obvious externally to minimize skepticism or misunderstanding.

“It's been difficult to create an abstracted product that is still intuitive and easy to understand for our users. Sometimes products can be a little bit too magical, and we made a number of these mistakes in the earliest days when developers didn’t even realise a feature was working because it happened so seamlessly. That’s been a strange paradox!”

What if Evervault gets hacked?

It’s easy to grok that companies storing their SSNs and passwords in plaintext in a database is a bad idea.

It is also easy to understand that encryption turns the information into garbage text by passing it through a cryptographic function. The garbage text can be decrypted using a key.

Now, someone has to store those keys in a database! And that’s Evervault!

So it is reasonable to think Evervault hasn’t quite reduced the risk for a leak but just shifted the surface area for the risk.

Shane first explained the issue with the status quo of how encryption works

“All encryption does is split a single piece of sensitive data into two parts of sensitive data (the encrypted data and the key). When developers implement encryption, they usually keep the key in the same place as they keep the encrypted data. Doing this defeats the purpose of encryption because a potential attacker who has access to your application just has to take the encrypted data from your database and decrypt it using the key that’s also available to them.”

Per Shane, Evervault is a “bank for encryption keys.”

It is based on the principle that encrypted data and the keys should not live within the same house. Evervault stores the encryption keys but doesn’t store any encrypted data, and their customers store encrypted data but not the keys.

“For any sensitive data to be stolen, Evervault and our customers must be breached simultaneously. It’s difficult to quantify exactly how much this reduces risk, but the reduction is almost certainly exponential. That being said, with the potential threat posed by state-level actors or well-resourced attackers, we still have to take that risk extremely seriously, so we’ve always designed our security model to just store as little data as possible,” he told me. “Even if somebody managed to get full access to our infrastructure, we don’t store any of our customers’ data and we don’t even store the full key for our customers.”

Evervault has some skin in the game and takes more accountability than reputational damage and customer churn in case of a hack :

“The “bank” model also gives us a lot of flexibility to provide our customers with commercial guarantees alongside the technical guarantees, where we can indemnify customers against any potential breaches assuming they have integrated Evervault according to our guidelines.”

Security as an afterthought at startups

Security is not an immediate concern in the early days. Not because developers are dumb or irresponsible but because there is nothing to secure if the startup doesn’t build a product that people want to use!

Making it easier and cheaper helps make it a bigger priority in the early days.

“We subscribe to the Werner Vogels philosophy of “Dance like nobody's watching; encrypt like everyone is. Encrypt everything.” Our goal is to encrypt the web, by making encryption accessible enough to a point where building an encrypted app is as easy as building an app without encryption. This will be a forcing function for companies to integrate security much more easily than they currently do. Right now, we’re focused on startups handling sensitive data and folks facing specific compliance like PCI DSS and HIPAA compliance.”

Shane thinks that security is often deprioritized because companies don’t realize how much sensitive data they’re already collecting. For example, he said that any product that integrates with another product handles authentication tokens, often granting extremely broad control over a customer’s various SaaS services.

“Our first question during conversations with potential customers is, “what data are you most scared of losing?”. This has been the best way for us to have startups verbalize and think about what they should be securing.”

On balancing building a product worth securing and investing in security early:

“Historically, many startups in the "YC trope" have prioritized other aspects of their business over security, often delaying security measures until they lose customers. This almost always happens eventually, and can occur much earlier if the company prioritizes enterprises. While it would be ideal for startups to think about security when building products, the reality is that their survival is most important. Startups need to verify that they are building something people want, and part of that process is identifying who their customers are. Some customers may require security by design, particularly if it handles sensitive data like financial or healthcare information.”

On varied security considerations of startups versus incumbents:

“The challenge in building security startups is that startups feel like they have to win their place in the market, whereas enterprises and incumbents feel like they have to avoid losing the foothold they have built over many years. For a large enterprise, the consequences are generally immediately catastrophic if they get security wrong. Media reports and losing customers generally induce enough anxiety for enterprise CISOs not to sleep well at night. If a startup gets security wrong, the effects may not be as immediately apparent, and a security vulnerability could go undetected for much longer.”

Security versus compliance

It is common to conflate securing software and staying compliant. Of course, there’s an overlap between the two spiritually, but there’s a fundamental difference in terms of outcomes and mindset.

Compliance certifications do not necessarily mean you are secure — they just attest that you follow a set list of security procedures.

Shane told me the security checklist compliance auditors look for consists of table stakes companies should be doing anyway, like two-factor authentication or firewalls.

“Startups generally start with compliance as a first step, as they go from selling to other startups to selling to enterprise customers who ask to fill out a security questionnaire before they even look at a demo. At this point, there’s the jarring revelation that they need to “become compliant” — fast. They rush to Google and spew in an alphabet soup of compliance certifications — SOC 2, ISO 27001, PCI DSS, GDPR etc. Six-figure deals hang in the balance. Some great companies make this a lot less painful — we partner with Vanta and Secureframe — but I think it’s a mistake to design security solely for the compliance teams, not for the real enemy — hackers!”

Security as an organizational commitment:

“Security is different to compliance. True security goes beyond just having a security team and checking off a list of basic requirements. Instead, it needs to be a culture and a design consideration throughout the product (and indeed, an entire organization). Only once security is a cultural tenet can a company truly prioritize and protect its security.”

Breakthroughs in encryption

“Encryption hasn’t really changed in the last 100 years. For example, many developers still use the RSA algorithm, first published in 1978. That’s not necessarily bad, though — good encryption is encryption that has stood the test of time.”

Shane believes the biggest breakthroughs over the coming decade will be in usability and ease of cryptographic configuration.

“I believe encryption needs a Steve Jobs character who liberates encryption and makes it accessible to normies. Signal’s encrypted messaging and Apple’s privacy strategy in recent years have both been good bellwethers of what’s to come in consumer technology, but the same hasn’t been true for B2B software.”

Shane said fully homomorphic encryption (FHE) would be a major breakthrough from a technical perspective.

“FHE allows somebody to manipulate encrypted data while it’s still encrypted — even if they don’t have the keys. That idea has existed in academia since 1978 (less than a year after the publication of the RSA algorithm), but only in the past ten years or so (since the publication of Craig Gentry’s PhD thesis) has there been any meaningful movement on a plausible FHE scheme. FHE is very promising but, unfortunately, still too slow to use for any general-purpose use cases at scale. It also doesn’t solve the challenge of managing keys.”

Building an organization

“Historically, Silicon Valley companies (or companies that aspire to emulate the “Valley mindset”) have had a tendency of over-innovating on organizational design (academically interesting, but impractical examples like holocracy spring to mind here) at the expense of creating net-new technology,” he said.

Shane believes we should innovate on our core product and try not to reinvent the wheel in building an organization.

“We’re building our core team in Dublin. That hasn’t been done before, at least at the scale we’re aiming for. Two of the greatest Irish success stories, Stripe and Intercom, were largely built in the Bay Area before building out operations here. It’s exciting to be part of a cohort (alongside companies like Tines and Inscribe) working on big problems from Dublin. At Evervault, we believe in the office as a center of gravity, and I think that’s lending itself well to the complex problems we tackle every week.”

Shane finds Conway’s Law helpful in thinking through the org design. It states that companies build products that mimic internal communication and reporting structures.

“Knowing that this effect exists gives founders a superpower in overcoming the effects of Conway’s Law simply by designing a company the same way they want their products to look. Product design and organizational design are inextricably linked. Teams should own an individual product but still derive cohesion and interoperability from a simple reporting structure and clear communication between teams.”

Recent chats :

Modern entertainment payroll for the project economy with Ali Javid, CEO of Wrapbook

Road projects in Toronto could use a few product managers with Brandon Chu, VP of Product Acceleration at Shopify

Building compact, intelligent, retractable solar awning systems with Rohini Raghunathan, CEO at Xponent Power

Embedding sustainable actions to meet global climate goals with Brennan Spellacy, CEO of Patch

Scatter Brain