ITSPmagazine Podcasts

Sharing a Cryptographic Sandwich with the DevOps and SecOps Community | A SandboxAQ Brand Story with Marc Manzano

Episode Summary

In this Brand Story episode of the Redefining CyberSecurity podcast, host Sean Martin is joined by guest Marc Manzano from SandboxAQ to discuss the importance of future-proofing cryptography and the role of Sandwich, a meta library that enables secure cryptography-enabled application development.

Episode Notes

In this Brand Story podcast episode, host Sean Martin is joined by guest Marc Manzano from SandboxAQ. They explore the importance of future-proofing cryptography and the emerging field of quantum-resistant cryptography.

The conversation revolves around the challenges of migrating to new cryptographic algorithms and the unknowns surrounding this process. They discuss how NIST is leading the way in defining new standards and the need for organizations to prepare for the upcoming changes. Marc introduces Sandwich, a meta library developed by SandboxAQ, which provides cryptographic agility and an easy-to-use API for secure application development with cryptography capabilities built-in. Marc explains how developers can download and build Sandwich, customize it with specific ingredients or features, and integrate it into their application development environment.

In addition to Sandwich, the Security Suite by SandboxAQ is highlighted as a tool to help organizations modernize cryptography management. It provides visibility into where and how cryptography is used, along with modules for observability, compliance, and remediation. The Security Suite also offers optimization of cryptographic operations to reduce resource consumption and improve performance.

Sean and Marc also touch on the challenges organizations face in understanding and implementing encryption and the collaboration between developers and security teams in managing encryption within the broader engineering and security operating environment. They discuss how Sandwich can help overcome hurdles and elevate security posture, allowing developers to focus on application development while the framework takes care of security.

Overall, this episode provides insights into the evolving field of quantum-resistant cryptography, the importance of secure application development with cryptography at its core, and the role of tools like Sandwich and the Security Suite in enhancing cybersecurity practices, all aiming to educate listeners on the challenges and solutions in cryptography management.

Note: This story contains promotional content. Learn more: https://www.itspmagazine.com/their-infosec-story

Guest:

Marc Manzano, Senior Director - Quantum Security, SandboxAQ [@SandboxAQ]

On Linkedin | https://www.linkedin.com/in/marcmanzano/

On Twitter | https://twitter.com/marcmanzano

Resources

Learn more about SandboxAQ and their offering: https://itspm.ag/sandboxaq-j2en

Read the Sandwich Press Release: https://itspm.ag/sandbonpda

Sandwich on Github: https://itspm.ag/sandbo3zq1

Learn more about Sandwich: https://itspm.ag/sandboqao6

Try SandboxAQ Security Suite: https://itspm.ag/sandbob3gy

Read the Security Suite Press Release: https://itspm.ag/sandboxb3e744

For more RSAC Conference Coverage podcast and video episodes visit: https://www.itspmagazine.com/rsa-conference-usa-2023-rsac-san-francisco-usa-cybersecurity-event-coverage

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: And hello everybody, you're very welcome to a new episode of Redefining Cybersecurity podcast here on ITSPmagazine. Uh, this is part of our event coverage from Hacker Summer Camp, uh, more specifically Black Hat USA 2023, where, let's be honest, a lot of cool research, uh, takes place. Uh, hackers of all shapes and sizes and interests come together to, uh, to share their new, new findings and new tools. And, uh, this includes cool people that, uh, that work at commercial companies as well, bringing solutions to market to help us solve the big problems that we all know we face every day as security leaders. And, um, so our good friends at SandboxAQ are back. We had a chance to chat with them a few months ago to get an overview of what SandboxAQ is and their role in simulation and cybersecurity and some other areas that they help with, quantum computing capabilities, and uh, my guest today, Marc Manzano, will probably give us an overview of that briefly again, um, but more specifically, we're going to get into future proofing, uh, cryptography and a new capability they've released called Sandwich, which, you had me at Sandwich, Marc, uh, because I love food, uh, so there's an interesting, uh, parallel there, but uh, before we get into this conversation, which I'm excited about, uh, a few words from you about who you are, what you're up to, your role at SandboxAQ. And, and then, uh, we'll go from there and have some fun.

[00:01:44] Marc Manzano: Yeah. Thanks. Uh, thanks, Sean. It's, it's a pleasure to, to be here. Um, so, um, it's my first time on the show, so I'll introduce myself. My name is Marc. I'm originally from, uh, Barcelona, Spain, and, um, my background is in, uh, cryptography engineering. I did my PhD in computer security. And then, uh, ever since I graduated, I've been working in cryptography engineering, first as an individual contributor in, in some engineering teams, and then more as a kind of leader in the organization, um, on, in, in, in the same field. Um, I joined Sandbox two and a half years ago when we were still within Google. Uh, and I was part of the team that spun out, uh, last year in 2022. And then, um, what's Sandbox? SandboxAQ, it's a company that works at the intersection of, uh, quantum technologies and AI. Um, we specifically focus on some areas. We cannot tackle the entire, um, the entire universe, but we focus on simulation optimization, uh, targeting, um, solutions that impact drug discovery and material science. Uh, we also focus on quantum sensing, uh, targeting the healthcare sector and also the navigation sector. And then we have, uh, the Security Division, which is a division I'm part of. I'm the general manager of the security group at Sandbox. And, uh, we are mainly focused on helping our customers, um, modernize the way that cryptography is managed in a, in a given infrastructure, in a given enterprise ecosystem.

[00:03:27] Sean Martin: Um, that's, uh, that's perfect. Great, great recap. I think of the conversation I had in the, in the... one thing that I remember from that conversation that I had with Marco and I had with Clement is that, that cryptography, while they may, the algorithms and the, and the strength may, may be suitable for today, um, at some point they, the, the line will be crossed where, where the, the code's been cracked, if you will, and organizations will be forced to scramble to, to upgrade. Right. And, um, and I think that the point that, that I found really interesting is that the cyber criminals aren't waiting for that moment, right? They're collecting scores of data and, and, and information and keys and all this stuff to be ready for when that moment happens, to just pounce on all the data and decrypt it. And... so I, I think the point is you can't wait for that moment as a defender, as a company building technology; you kind of have to prepare for that now. Um, so hopefully I captured that conversation correctly. And the obvious question that follows then is, well, how do I prepare for that? And that's what, uh, that's what you guys are solving for. And so you've released Sandwich, um, to, to help make that easier, I presume. So maybe can you describe when Sandwich was launched and what the, what the driver was for that?

[00:05:07] Marc Manzano: Yeah. So we, we released Sandwich last week, um, together with the, um, yeah, Black Hat conference. Um, and Sandwich, it's a project that we've been working on internally at Sandbox, uh, for quite some time. It's a meta library. We call it a meta library because, um, it's actually a piece of software that is, um, uh, built on top of other cryptographic libraries that are already existing, uh, for, for the community in the open source ecosystem. Um, and the main objective of Sandwich is to help developers, uh, build applications in a, in a secure way, utilizing and leveraging, uh, modern practices. And by modern practices, we mean, um, certain things related to cryptographic agility, which is strongly related to the point that you were making about, um, from time to time algorithms get weakened or broken and, uh, information security specialists, uh, get into trouble because they actually need to stop using those algorithms in their enterprise ecosystems. And it's, it's actually not that, um, easy to make that happen. So, uh, Sandwich, uh, provides a built-in mechanism for crypto agility, which, um, allows a developer to actually leverage different cryptographic providers, uh, all at once and, uh, allows developers to actually switch from one to another one dynamically without the necessity to actually redeploy an application. Um, that's a very useful feature because it means that you don't have to suffer any downtime when you are performing upgrades, uh, or migrations or transitions of algorithms, uh, in, in your enterprise applications.

[00:06:58] Sean Martin: Um, and you're also building to the same API, right? So underneath you're handling the abstraction and the differences and the calls and all the parameters that, you know, well, deeply, that maybe not every engineer would know as a crossover between different, different algorithms and the NIST... Can you talk about that interface, and, and do you do other things there to help ensure best practices are applied to the use of cryptography as well?

[00:07:31] Marc Manzano: Yeah, so, um, after many years working at, at, uh, at the level of, uh, cryptographic library implementations, um, and I'm going through a lot of pain with, uh, the specific, uh, APIs that some of these libraries provide. You actually need to have a fairly good understanding of how, uh, cryptography works in order to use those APIs in a secure way and not commit any, any... So our aim together, uh, with what I mentioned before about crypto agility for Sandwich was to provide an API layer that would bulletproof, uh, any errors that potentially developers could make when building applications of need. Um, what I mean by this high level API bulletproof is, for instance, I'm building an application that has a server and a client and I want the client to talk to the server. The only thing that I actually need is for the client to open a tunnel, a communication channel with a server. I really don't care which algorithm it uses as far as it uses something that it's proper, that it's secure. And, uh, I really don't care how that tunnel is established. I don't, I don't care about the protocol. I don't care about the security level that it provides. Right. So, what we tried to do with the API was to provide this very abstract way, uh, for developers to actually say, Hey, Sandwich, I want to, uh, establish a tunnel between here and there. Just like, make it happen. Give me a handler where I can input my data on and make sure that the data will arrive there and will be decrypted properly. Um, so that's actually one of the, uh, really cool features of this library that we have, uh, released. And then, um, together with these, there is the, a configuration feature, which allows the developer to say, Hey, I actually would like to use these recommended parameters that we already provide beforehand. And if there is something that needs to be changed because the developer needs to comply with a specific enterprise policy, let's say there is a specific policy that mandates the use of specific algorithms because we are in a geographical position in the world that actually dictates something, then, um, that's actually also possible, but not strictly necessary. There is a default policy that is provided that is already secure for everybody to use.

[00:10:13] Sean Martin: Yeah, and I can imagine a world where it might be difficult to build the app for different regions, manually selecting different, different encryption, uh, algorithms and then rebuilding and redeploying it and retesting and all that stuff. If you have it build once and then can reconfigure it to, to, uh, leverage different algorithms, the resilience, I don't know if resilience or the, uh, the quality is easier to validate long term. I wanted to ask about, um, uh, I think I read in, in the, in the press release, the word experiment, um, because I think another area, and you were just touching on a little bit, is depending on the type of channel or the type of, of encryption you need, or the, the type of, uh, activities that the application is performing could determine a lot of factors. I guess bottom line is can determine which, which underlying algorithm is best. And what I read is that Sandwich makes it easy for developers to experiment, so they can see which one meets the minimum, there, the requirements that they have, but also security perspective, but then also validated against performance requirements and regional requirements and other things like that. Can you speak to, can you speak to that?

[00:11:44] Marc Manzano: Yeah. Um, yeah, definitely. So actually, um, to, to be able to answer you properly, I need to first mention that Sandwich, um, incorporates, uh, the possibility to establish communication channels leveraging quantum resistant cryptography. Um, this is something that most companies need to be looking at, if not now, relatively soon enough, because it's going to be a mandatory, um, area to, to work on, uh, very, very soon with new standards being published by NIST, um, in, in, in the, in the upcoming weeks. Um, so that's, that's actually one thing. And then, um, the other thing is we, we actually called the library Sandwich because we wanted to mimic the, um, the choosing within a menu that a user would actually do. So a user might actually want a Sandwich object that incorporates certain capabilities. And in this case it could be a protocol to talk with, as I was saying, between a client and a server. And I would also like the Sandwich to, uh, have different algorithms that I would like this object to have so that I can orchestrate some experiments. Uh, so a developer at build time can go to Sandwich and say, Hey, I would like the Sandwich object to have these and these and this. And then the build system, uh, which is actually, uh, one of the, uh, additional, uh, interesting features that Sandwich provides, will create this object that will be the dependency that the developer then needs to drop into their application. And then the developer just needs to actually call Sandwich, uh, with the different, uh, configuration for different algorithms that he wants to test or she wants to test. That's actually the way that we're, uh, enabling this, uh, and so far, um, this has been extremely helpful. Why? The, the, the migration to quantum resistant, uh, to quantum resistant cryptography, it's, um, it's, it's, uh, going to be a multi year process. There are, uh, a lot of unknowns. So far, we're going to have the first standards defined relatively soon.

[00:14:07] Sean Martin: Can you expand on that a little bit? I think our audience would really appreciate understanding some of the new stuff, and I don't know if there are others outside of the U.S. that are coming as well.

[00:14:17] Marc Manzano: Yeah, no, definitely. So, um, when, when I talk about, uh, quantum resistant cryptography or post quantum cryptography, it's a field that has emerged in the last couple of decades that focuses on defining algorithms of public key cryptography, um, that are resistant to potential, uh, attacks, uh, launched by a large enough, uh, cryptographically relevant quantum computer. And, uh, this started as a research, um, field and has materialized, um, as a process that NIST has been leading in order to define new standards that are going to be mandated in all, uh, infrastructure that we, that we have nowadays. Um, so this migration towards these new algorithms, uh, it's going to be a multi year stage, uh, a multi year process. Um, and, uh, while there are some things that the community has been working on and that are pretty clear how to tackle, there are still a lot of unknowns, uh, whether, uh, these new algorithms will be affecting certain things of existing systems. Um, and the reason is that these new algorithms have different performance, uh, metrics. They have different sizes, so the cryptographic keys are larger than the keys that we used to have until now. And therefore there are a few things that once we plug these algorithms in might break or might not break, but maybe the performance impact might be relevant to actually look at how to solve or work around those, those issues. So in order to actually, uh, prepare around that upcoming migration and, and be able to build, um, expertise, uh, on, on how to handle, uh, the new algorithms, so Sandwich, it's, uh, it's, it's, it's very useful. It's, it's a tool that can be used and that provides, uh, off the shelf, um, uh, capabilities to actually conduct this.

[00:16:23] Sean Martin: I know you, you, you shared a few bits of how it works. Um, can you paint a picture with words for how it fits into a delivery pipeline? Maybe some of the steps, what, what takes place before code development and API calls, and then what happens after the build process and deployment. Um, how and where do they plug Sandwich in and what's, what's on premises and the kind of, you know, if you can kind of paint that, mm-hmm, picture form, that'd be great.

[00:16:54] Marc Manzano: Mm-hmm. Yeah. So, um, a developer actually would go to Sandwich, would download it, and then would actually build it with the specific ingredients or features that the dependency that, um, that is needed would need to have. And what the, what the developer would actually do is take that dependency and integrate it into their application development environment. So it's, um, the utilization of Sandwich, it's something that happens while the developer is building, coding the application. And then it's embedded within the application and it's shipped within the application. We, we are part of the developing process with, with Sandwich.

[00:17:43] Sean Martin: Got it. Got it. And so what I'm thinking folks might be wondering at this point is, so you, you mentioned new standards coming, uh, and needing to prepare for that, um, unless there's a law or something that says I have to, a lot of organizations will put that on the long finger, right? Kind of push that out. But if I remember correctly, uh, well, as we've touched on briefly at the beginning, previous conversation with the team, uh, there are critical apps, uh, housing and having access to sensitive information that should take action now. And I know, uh, you really recently released the, uh, Security Suite, which helps kind of figure out where best to focus your energy, because you can't do every app all at once, right? So maybe talk a little bit about Security Suite, SandboxAQ, and how that connects to Sandwich, maybe to help, help teams organize and prioritize a good path forward.

[00:18:50] Marc Manzano: Mhm. Yeah, sure. So, um, the Security Suite is our main product. That's what we actually are building to solve our customers' main use cases. It's a product that it's about helping customers modernize the way that cryptography is managed. It provides set, uh, it provides a set, a set of modules to give visibility to where cryptography is used and when is it used, and who it uses, uh, and who uses cryptography, uh, or what uses cryptography and how is it used. So basically it provides a set of modules that enable observability, uh, in that space in a specific infrastructure. Everything is captured within a cryptographic inventory, which is a user friendly interface that an administrator can actually go and monitor the difference between the different snapshots on what's being used within a given infrastructure. That can also be matched to an enterprise policy that needs to be mandated in order to actually see how far we are from being compliant or not with a given regulation or standard. So that's extremely helpful for compliance teams and for teams coming from the information security space. Um, and then not only that, the idea is, uh, the specific items that we identify that are not being compliant and that actually need remediation, need to be remediated, we provide a solution in order to make those things happen. Most of the times, these are things related to key management and certificate management. We find certificates that are using vulnerable algorithms, or we find, um, for instance, applications that are using keys, cryptographic keys in an unsecure way. So what we actually do with the Security Suite is we provide a set of modules that enable companies to fix those issues in a semi automated manner, depending on the specific process that the enterprise has for conducting these activities. And then we close the loop. We make sure that... everything that we remediate keeps providing a feedback loop to the cryptographic inventory to keep monitoring what's going on. And this is not only about cryptography. Here we're also talking about measurements. We take measurements in terms of performance. We can have information about... which particular cryptographic operations are being heavier than others in order to be able to find bottlenecks, optimize certain things, reduce resource consumption on the, on the customer end, which, if it's on the cloud, usually resource consumption is related to the final bill that you're going to get from, from the deployment of your applications. So we're able to actually optimize a lot of, of those things working through the Security Suite with, with our customers. And Sandwich, it's a parallel effort that we've built, which powers some of the things that I've been mentioning about the Security Suite, but it's a parallel effort that we actually think it's extremely useful for everybody to build secure, um, so good communications and specifically also quantum resistant communication applications with, uh, within any environment.

[00:22:37] Sean Martin: And I'm curious, as you're engaging with organizations, I would, I would imagine somebody thinking about, uh, quantum ready encryption and they're, they're fairly mature in their, uh, and their security model and programs, but do you ever run across organizations that have, have opted to not employ any encryption because they just don't understand it, or, or they think it's too hard, might, it might impact performance, or whatever the reason may be? Do you run across any organizations, and perhaps, Sandwich can help overcome some of those hurdles?

[00:23:23] Marc Manzano: Um, yeah, so we, we are, we have actually seen a lot of different, uh, things. Obviously we, we cannot, uh, we cannot mention any, any specific details or, or, or names, but we have actually seen a lot of things that are pretty worrying, um. Sandwich could be an extremely helpful, uh, tool for, uh, engineering teams within some of these organizations to actually, um, uh, elevate the security posture of the enterprise applications that they are developing. At the end, developers are usually worried about the velocity at which they, they develop and the quality, right? So, because they don't want to be fixing bugs all the time. Um, but, um, these bugs can also come from security issues. The idea here is that if they build applications on top of Sandwich, there are a bunch, a myriad of topics related to security that they don't have to worry about. The framework dependency is going to take care of them by... So they don't have to, uh, to worry, and therefore it means that they can go faster and everybody should be doing, um, or should be happier by, by actually having access to this.

[00:24:44] Sean Martin: And, uh, forgive me for not, uh, not knowing, but how, how does this fit into a broader engineering plus security or development plus security operating environment? And then what I'm wondering is, who, who picks up the, and who owns the, the encryption part of, of the application? Does it end on the developers directly with advice or input from security? Or does the security say, we're going to own the, the encryption policy and the implementation and, and force that onto developers? Because I know there's a big DevSecOps movement that's been underway for a while. I was trying to figure out who, who, who typically has the best success in, in, uh, managing this.

[00:25:39] Marc Manzano: Yeah, probably it's a combination of the DevSecOps, um, team or group within the organization and the engineering team of software engineers. Those are the ones that actually can build certain things on top of these specific dependencies. Um, the information security teams would be... probably the ones recommending which things should be used and which specific, uh, security targets the developers should have. And the compliance teams would be monitoring that actually what they have developed meets what the information security teams are dictating, right? So this is kind of the loop that, uh, it's, um, it's, in, in, in, in one way or another one, it's replicated across, across different industries and enterprises. Um, but yeah, so usually that would be a combination of DevSecOps and, uh, and the engineering, uh, teams.

[00:26:40] Sean Martin: Yep. Makes sense. That makes sense. So as, as we begin to wrap, Marc, I'm wondering if you have any, any stories, cause I, I, I, I recognize the value of future proofing here. Um, uh, teams or the owners of the budget may not always agree with that. Um, so I'm wondering if, if Sandwich offers an opportunity, and I don't know if you have any stories or examples from, from people testing or using it in production, but where just, just the sheer fact that I can test a couple of different algorithms to find out which one offers the level of protection I need with perhaps improved performance, right? That, that to me would be a win if I can improve the performance of my apps and maintain, or maybe even increase, but then also with that future proof, um, do you have any stories to share where some, some results like that or others have succeeded?

[00:27:43] Marc Manzano: Yeah, so we, we still cannot share a lot of things. We, we, we released it last week and there are still a few things in the making. Um, what I can say is that, uh, there's a roadmap around, uh, Sandwich that, uh, we'll be, uh, publishing on certain things that we are planning to work on and that we would like the community to know that Sandwich will incorporate. So this is not a one-off release, it's a live project that we think has massive potential, and the... we're going to be providing a roadmap there to keep, um, extending the amount of protocols, the different APIs that will be allowed, uh, PKI support, additional cryptographic backends support, um, other languages. One thing that we didn't mention is that this high level API, we have implemented different wrappers for that. So if a developer needs that dependency for Python, there is the Python wrapper. If a developer needs that dependency for a Go application, there is the Go wrapper, et cetera, et cetera. So the idea is that we would keep also providing additional wrappers that we have planned. So all these things are in the making and we want to make that roadmap clear to the community, because one of our, of the goals we have is to create a community around Sandwich. We want, uh, open the open source, um, developers, uh, and the community, the cryptographic community in general, to, to be aware of what are our plans and invite them to also contribute. The idea is that we would like everybody to be engaged, and if someone that is external to Sandbox would like to contribute, um, to Sandwich, we would definitely love that. Also receive any kind of feedback. Um, and this, uh... Yeah.

[00:29:48] Sean Martin: And I, I mean, just, there's so many good points here to make as we wrap. I think, uh, even just simplifying, uh, the process around implementing cryptography across your app portfolio, uh, reducing that complexity, uh, increases quality and resiliency. And, and add to that, as we noted a number of times, the, the ability to future proof and then to experiment and test. Uh, it sounds like a win, win, win to me for, uh, the developers, for security, and the end users. So, um, yeah, with, with no, no, little to no impact on the delivery, right? Which is always a big thing. Don't, don't get in the way of releasing that app.

[00:30:41] Marc Manzano: We're very excited to be able to provide this to the community. We know that it can have a huge impact, um, and we're going to be working very hard to make sure that, um, this becomes, uh, uh, a very impactful, um, solution for...

[00:31:04] Sean Martin: I'm excited to hear how, uh, how things progress. Perhaps we can connect again in a few months or so and, uh, get some use cases and, and, uh, some additional stories. See how things are going with Sandwich and the Security Suite as well. So, um, thanks, Marc, very much for, uh, for joining me here and for sharing, uh, sharing, sharing your sandwich with me. I refrain from all the food jokes, but, uh, I love this. I love this. I love what you're doing. It's great for the community and, uh, obviously super important as a user of apps that host a great amount of my personal information. I'm hoping they're all listening, the developers of those apps. So thanks. Thanks again, Marc. And thanks everybody for listening. We'll include, uh, some links clearly to, uh, to Sandwich where you can access that. And, uh, I found a paper on, uh, best practices for key management. I can include that. I found that interesting. So I'm happy to include that in the notes as well. And anything else Marc and the SandboxAQ team wants to, uh, wants to share with you to help you, uh, succeed with your cryptographic, uh, implementations. So thanks everybody for listening. Thanks, Marc.

[00:32:23] Marc Manzano: Thank you for having me.