ITSPmagazine Podcasts

The Past of the Future: Pioneering Decryption with AI and Quantum Physics | A Their Story Conversation from RSA Conference 2023 | A SandboxAQ Story with Clément Jeanjean

Episode Summary

Clément Jeanjean shares how SandboxAQ aims to tackle difficult problems by combining quantum physics and. He discusses the timeline, risks, and migration challenges linked to quantum computing's arrival.

Episode Notes

In this Their Story podcast episode, Clément Jeanjean, Senior Director at SandboxAQ, joins Sean Martin and Marco Ciappelli to discuss the company's unique mission to combine quantum physics and artificial intelligence to address some of the world’s most difficult problems in three main industries: simulation, cybersecurity, and quantum sensing. Jeanjean delves into how SandboxAQ can significantly reduce the time it takes to develop new drugs, improve cybersecurity with quantum-resistant cryptography management, and create innovative sensing capabilities in healthcare and terrestrial navigation.

The conversation also covers the timeline and risks associated with the arrival of quantum computers, particularly regarding the current and future states of cryptography. Jeanjean emphasizes the growing consensus that fault-tolerant quantum computers may be available within 8 to 12 years, highlighting the challenges that major organizations face in migrating to post-quantum cryptography, which can take up to 10 years for mature organizations – possibly longer for less mature organizations.

Jeanjean also describes the various industries that have started moving towards quantum-resistant cryptography, such as financial services, healthcare, telecommunications, and the public sector. He explains the need for companies to gain visibility and control over their cryptographic assets and how SandboxAQ is helping them build an inventory and prepare for the migration to post-quantum cryptography.

Note: This story contains promotional content. Learn more: https://www.itspmagazine.com/their-infosec-story

Guest:

Clément Jeanjean, Senior Director, SandboxAQ [@SandboxAQ]

On Linkedin | https://www.linkedin.com/in/clementjeanjean/

On Twitter | https://twitter.com/clemjohnjohn

Resources

Learn more about SandboxAQ and their offering: https://itspm.ag/sandboxaq-j2en

Try SandboxAQ Security Suite: https://itspm.ag/sandbob3gy

Read the Security Suite Press Release: https://itspm.ag/sandboxb3e744

For more RSAC Conference Coverage podcast and video episodes visit: https://www.itspmagazine.com/rsa-conference-usa-2023-rsac-san-francisco-usa-cybersecurity-event-coverage

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

SUMMARY KEYWORDS

cryptography, quantum computers, sandbox, quantum, migration, quantum computing, remediation, data, called, cybersecurity, inventory, keys, organization, customers, application, business, aq, instance, visibility

SPEAKERS

Voiceover, Marco Ciappelli, Sean Martin, Clément Jeanjean

 

Voiceover00:10

Welcome to the intersection of technology, cybersecurity, and society. Welcome to itsp magazine. Thank you for joining us for this conversation

 

Sean Martin00:35

Shawn, I have to run really fast backwards to catch up with yourself, myself and, and I want to keep moving forward, but I have to look behind to see what's, what might happen from things in the past that could bite me in the butt later. Yeah. And lessons that hindsight 2020 while running a 440 I don't know what I'm probably making no sense. But people listen to us. They know I make no sense anyway. It's not about us. It is not about us. It's not about us. But I was trying to have a little fun because there's, there's something pending in our digital world that will have a big impact on society and business and our personal lives. And it's the the wow factor of quantum computing and all that it can bring to do things that are our human minds can't do on our own. And with that there's some risk with cryptography that the the cybersecurity industry has been talking about for a while, but I don't know that we have a real good until now perhaps a good way to to understand what the impact would be in a way that we can do something about it. And I'm thrilled today to have Calum Antoine from sandbox AQ. Join us to talk a bit about what quantum computing and AI and those technologies together can kind of help us prepare for the future where quantum does exist. And we know the risks and we can kind of run backwards really fast, and get ahead of it. So before we get into the conversation, though, come on, I want to give you a few moments to share a little bit about yourself for our audience, so they know who you are, and some of the things you've you've done leading yourself to this point, I would sandbox IQ.

 

Clément Jeanjean  02:44

Thanks, Shawn. Thanks. Thanks for having me. I'm very excited to be here with you today. So I'm commercial roll eyelid commercial business globally for the cybersecurity division of sandbox AQ, which is called the Q SG group, USD stands for quantum security group, I guess we'll talk a little bit about what sandbox AQ does. Among other things, cryptography management, but also, we have two other lines of businesses. And how I came here is what it's been a an entrepreneurial journey. I have a scientific background, I'm an engineer at the beginning. And also I also took political sciences degree after engineering. And right after that, I started created printing technology companies in different fields, nothing related to quantum at the beginning. One of my most significant companies was a startup tech startup in the perfume industry. So quite quite far away from quantum physics. And one of them was crypto sense. So what I call developed this cryptography management startup company based out of Europe, that was acquired by sandbox AQ eight months ago now so this is how I joined the sandbox journey. I was the CEO of crypto cents, mostly in part of in charge of business development. So that that's how I'm here today with you guys.

 

Marco Ciappelli04:14

Well, that's interesting. I'm not gonna go in the in the in the first company, although I am coming trigger anyway. But there's so much to talk about this convergence of putting together for me like quantum and AI I think we can talk we can write a book about it, maybe three, seven books. So big picture into the future, as John was shown was making fun like, you know, we, why are we doing it now when I don't think we have functional and commercial definitely quantum computing going on. So what what is the perspective that sandbox AQ is having in this big picture?

 

Clément Jeanjean  04:59

Yeah, that's All right, so we have a pretty original positioning, we said sandbox AQ and AQ stands for AI and quantum, because the mission of the company is to exploit the new possibilities that quantum physics and AI offer to solve very difficult problems. And I said quantum physics, it's not only quantum computers, it's really the, you know, the low level physics to particle physics. Combined with with AI, and of course, quantum computing is part of the play. So we try to address three main industries. And to really change the game in these three verticals. We have one division called simulation and optimization that looks at how this new computational power coming from AI and quantum computers when when they arrive, we'll be able to run algorithms that today we're not, we're not able to learn, and how we can leverage this to reduce dramatically the time it takes to develop new drugs, and maybe cure diseases that we're not able to cure. Today, this industry requires a lot of investments developing a new drug, it cost between 1.5 and $2 billion, the failure rate is extremely high, because you have to try new things and just, you know, many of them fail, and developing new drugs is very long, we're talking about years and years. So we want to try and improve that. We're not sure that we're gonna be able to do it. But the first results we have only after one year of very promising and we're partnering with very prominent universities in the US and research centers around that. And they are already very impressed with the first results that we were able to put together with these algorithms. And that's even before quantum computing is generally available. So that's that's the first line of business simulation optimization. The second one is cybersecurity. So, where I sit, where we help large organizations prepared for the migration to quantum resistant cryptography. So as as you said, quantum computers are going to create opportunities that we probably cannot imagine today. But they also create threads, one of the threads that they create is on the cryptography. Or let's say part of the cryptography that we've been using for a few decades now, which is the the RSA cryptography. So when these computers are going to be available, when we will have full tolerant quantum computers, they can use an algorithm called the Shor's algorithm to break this cryptography. And this cryptography is used everyday everywhere. Everything digital uses this type of cryptography. So there's a need for global upgrade, basically, global updates and regulators. Standard decision bodies, like NIST have started looking at that years ago already. And this is what the cybersecurity division is going after we are helping big companies, big organizations prepared for that migration. And this is happening now. And I guess we'll talk about that in a minute. That's the second division after simulation optimization. And the third one is called Quantum sensing. And here we develop hardware, where we use quantum physics to create new sensing capabilities with two main applications. One is in healthcare, where we develop cardiac Magneto sensing devices to improve the accuracy to improve the speed at which you can run an analysis, you know, on someone who's going through some heart event. And when you need to determine whether it's severe, is it a heart attack? Does the patient need surgery or not? Today this this can be very long, because you need to prove several assumptions, one after another. And we're trying to replace this with with with this magnetic field sensing device and deliver diagnosis in something like one to two minutes. A second type of sensors that we're developing is useful terrestrial navigation. Today, we mostly rely on GPS everyone is using GPS, even the military are using GPS. But GPS is very vulnerable because satellites are vulnerable. Because GPS can be scrambled to when today if you go to Ukraine, there is no GPS anywhere anymore because it's completely jammed by the Russians. Moreover, GPS doesn't work under the sea. So for submarines, for instance, it doesn't work. And we've we're developing these terrestrial navigation devices based on In physics, so quantum sensors, to backup GPS or replace GPS, in places where you cannot use it. So these are the three business units that the three big problems that we're tackling, through simulation, optimization, cybersecurity, and quantum sensing.

 

Sean Martin10:19

And what, oh, I'm gonna hold the vision, I'm gonna hold the beat, I'm gonna let's let's stick with kind of the current state or perhaps a look into the past. Because I mean, as I mentioned, as we started talking, that the understanding that cryptography will have some challenges when when quantum computing comes around, and forgive me for not knowing the complete difference between physics and computing. But we're, we will face a situation where a good portion of our cryptography no longer stands up to the rigors that we expect it to, and

 

Marco Ciappelli11:01

how,

 

Sean Martin11:03

obviously, the security industry is talking about it. But how are cyber criminals? Kind of using this understanding to their benefit? Because it's the space that cyber criminals always leverage technology and leverage information and have a view of the future to how they're going to make money as well. What's their view of this?

 

Clément Jeanjean  11:23

So there are, I think, several, several questions in this one. One is how can quantum computing be exploited someday? And what what threads it represents today? And the second question is, is the timeline? I think, so when when do we need to worry about that. So as I said, it's when recognized that's when these quantum computers are available, which is, which is not a date that's identified. So we don't know when it's gonna happen. There's a global scientific consensus to say that this is happening. Some people say it's going to be in eight years, some people say it's going to be in 15 years, some people say it's gonna be 50. Some people less and less, say it's never going to happen. But there's a general consensus to say we're looking at something probably between eight to 1212 years, before we have these fault tolerant quantum computers. And that's based on the progress that have been made in recent years. So criminals, when these computers are available, they can break these RSA encryption, so they can access sensitive data. This is not the case today. But what they can start doing is harvest information. So harvest data by eavesdropping, you know, like submarine cables, for instance. So one thread that is well identified today, and people call that the harvest now decrypt later threads is that these criminals or state actors, could collect data and store it for many, many years. And of course, that means, you know, that will target sensitive data, meaningful data, like state secrets, or data that have a very long lifespan, like like health care data, or personal banking details from for instance. So these criminals, they could harvest the data now stories, keep them in a data center, and then use a quantum computers considering 810 15 years to decrypt that data, and use the value that this data will still have. So not all the data, or not all the sensitive data that we're dealing with today, can be threatened by that, because some of the data in 15 years won't have any value anymore. But again, for the very sensitive for the long lasting sensitive data from the states you create for industrial IP, for instance, or geological exploration for oil and gas companies. These data have 3040 50 years of lifespan. And these these are at risk. This is the main thread that's identified today. Another one that is not coming directly from attackers, but which is a risk that more and more corporations have identified is that going through the migration will take time. And when I say time, it's not a couple of years or three years, it's generally admitted that for a big bank, this gate is something like 10 years. Because cryptography is everywhere in there it they have every possible IT system that have been, you know, ever conceived and designed and produced on Earth. So it's very heterogeneous. And it's a topic that they have never really, you know, needed to address or to manage before, because cryptography was just solid was resistant. The keys were long enough, the algorithms are good today, then I'm not going to be broken next year, you know, but the fact that cryptography is everywhere, and that we have completely digitalize our economy by just spreading cryptography, you know? In all big at organizations, and with having cryptography, coming from many, many different sources inside of it, it makes it very difficult just to know what cryptography you have work cryptography is work with a fee comes from. So that migration is going to take 10 years. So if you think back and shown you like to walk, walk backwards, think back of the, this this timeline story where we say quantum computers full turn around quantum computers, might be available in 810 12 years. And actually, when this happens, we might not know because the first organization, the first country, you know that we have this, this computer, maybe we'll want to keep this as a secret, because that's, that's a huge advantage. So when this happens, you need to be ready before that you cannot start the migration, when someone says, Hey, guys, I have this computer, because if it needs tenure, then you're 10 years late, and all your sensitive data is, is broken and accessible.

 

Marco Ciappelli16:05

Well, you know, I have this picture in my head of the movie Back to the Future where the character started disappearing from a pitcher in the past, because they never happened in the future. So I have this really weird vision. But I think it's kinda helped me to get a picture of what we're talking about here. So talking about getting the picture, is there some kind of business, some verticals, that are seeing what you're presenting, because they they embrace it, because they can project themselves into this future and realize that their data? I mean, you throw some example there, or maybe more, more specific, some other case scenario, some verticals that are really receptive to, to this concept?

 

Clément Jeanjean  16:58

Yeah, so the federal space, that public sector is moving really fast, especially in the US, but also in the entire Western world. Because regulators, governments have identified this you know, the development of computing quantum computers as both a threat for the security of data, but also as an opportunity, because they can solve these big, complicated problems. So when you deal with, let's say, complex logistics, issues, like running an army, you know, or, or running scenario E for a ballgame. Probably the first one where there's a valid quantum computer running, that's going to be a huge advantage. So governments, regulators, they have started creating a framework. And in the US, there has been a White House memoranda and state agencies have to have to move forward, they have to start inventing the cryptography. They're using building a plan for migration. So this is happening already. Now. That's the public sector in the commercial world. Financial services are probably the heaviest users of cryptography, which is good for us, because that is what protects, you know, your access to your online banking application on your iPhone. So they have a lot of cryptography. And they have a lot of sensitive data. And of course, they're managing your money and our money. So they're very sensitive to that. And the journey has started there yet. They're too sorry. So in the US, large banks, they are all moving forward, and building a plan to migrate to post quantum cryptography again, because they know it's going to take 10 years, and that they have to start now. And also because they're they're seeing short term benefits in getting this capability of inventorying cryptography getting visibility, maybe we can say worried about that. So financial services. Clearly, healthcare industries are very interested in this. They're not as mature in the journey as the Financial Services. telcos to security networks, because they're operating these physical networks, where they're using a lot of cryptography also to authenticate communications and authenticate users, which is going to be a turning point to quantum computers. So telcos are very interested in starting upgrading the network. Now, also because they know it's going to take a few years, and then we're seeing a longer tail of other verticals where the maturity is starting. Especially around OT or IoT, like the automotive business because a car today's is you know, a big ot with four wheels, and a car when you when you sell a car it's going to be on the markets or on roads for maybe 1520 years. So that's part of these objects that you need to think now about how you're going to update them in 1012 1515 years. Oil and gas are interested in this, too. And some of these verticals, they're they're also looking at the opportunities, you know, that they can get from quantum computing. Like, can they improve exploration for oil and gas or drilling, you know, scenarios? And for healthcare, of course, can they improve the way they discover drugs? So this is this is the landscape basically, today as we see that sandbox.

 

Sean Martin20:38

So I love that broad broad view of the different sectors and, and the things they have to think about. One thing that's coming to mind, I mean, I'm the ops guy, generally I everything looks like a project to me, with some timeline and some outcomes at the end. And what I'm trying to trying to figure out here is, as the telcos and the oil and gas and automotive industries, recognize the need to do something now. And we'll touch on why now, they have to do something in the moment. But I guess what I'm wondering is because sandbox AQ in the cyber security division is about managing cryptography. So my question immediately, in my mind is, do they manage cryptography? Now? Is it just a free for all? What does that world look like? And then what does it need this shift and transition into? To really get ahead of this? Yeah, so

 

Clément Jeanjean  21:36

I think it's, it's fair to, when you look at these organizations, it's fair to say that cryptography has been left behind in the in the entire digital transformation that we've seen in the last five to 10 years, which is adopting agility and what's called DevOps, you know, when when you merge basically development and operations, or you bring them very close together, so that you can deliver new features and new releases of your product. Really fast. Cryptography has been left behind that because it was not really needed, you know, you didn't need to be a giant with cryptography because, again, the keys weren't long enough, the algorithms were good. So one of the things we talk a lot about with our customers today is how we can bring cryptography to the giant era, because the way they're they're managing there it is through more and more automations more and more, you know, large databases, data lakes, solutions, like software solutions, integrated all together so that you can deal with a massive amount of information, data and make it actionable. Cryptography is not there yet. So customers, you know, they use a lot of cryptography keys, they use certificates, they have some platforms to issue keys to issue certificates. But a lot of the keys that they have come from different places come from open source components come from dependencies, vendor software, and that's the case for keys and certificates. So they don't really have the entire visibility on where these keys and certificates are coming from. Same with cryptographic operations. So every time one application encrypts data, decrypt data, signs an operation, every time someone authenticates. And by someone I mean, it can be a human being, or it can be one application talking to another application. So every time there's cryptography, coming into play, and that cryptography can come from many, many different places, again, in the organization, today, they don't have that visibility. And this is what we're building with them. We are providing them with an enterprise software that connects integrates with the other ones, and gives this visibility on what cryptography they have inside it today. And that's the first step when you look at what NIST says what Homeland Security recommends what Gartner recommends in this migration towards modern cryptography management and quantum ready cryptography. In the end, the first step is to build an inventory, which makes total sense. And there's nothing groundbreaking here because you cannot change you cannot manage what you don't know. So, today, most of these organizations are lacking this visibility, this comprehensive visibility on cryptography that they have. And that's the first issue that we saw with them, providing visibility and observability.

 

Marco Ciappelli24:45

So, I'm gonna go back to because I can always think about people. That's what I do, I think about how people are going to digest this. And so one of the thing is to say Say why now. And I know you're ready to talk a little bit about this, but also thinking like our other sector, like cybersecurity in general, like, you know, everybody and I was talking to show intelligence is going to resolve a problem, also creating a lot of problem because the bad guys use it as well. So what I'm thinking I like is it the you see this to be a big shake, to not just cryptography on his own, which is part of the big picture of cybersecurity, but it's like a lot of the cybersecurity now are going to become obsolete and obsolete unless we do something right now. I don't know if it's a question that makes sense. But it's going to in my head,

 

Clément Jeanjean  25:47

though, it does make sense clearly. So quantum computers, for what we know are good at solving specific problems. So you cannot ask everything to a quantum computer. So as far as we know, you will not have a super GPT for you know, powered by quantum computer that can break any any any

 

Marco Ciappelli26:09

AI to is not general. Alright, so you can ask anything.

 

Clément Jeanjean  26:13

Yeah. So this this problem around cryptography is the one that has been identified purely because there's this this algorithm that was discovered by a guy called Peter Shor in 1994. And that allows to basically factor very large prime numbers, which is the big problem that existing computers can not solve. Even if you were able to take all the computational power available on earth today, breaking one of these Andre then would take 1000s, if not more of yours. And this is what we call secure. It's not unbreakable. But with the system means it's going to take so much time to break that, you know, God knows where we'll be in five years. And of course, the data doesn't have any any any value. So what the quantum computer is allowed to do is break this, this existing cryptography in a matter of maybe hours or maybe days, which of course makes them much more relevant. Other dimensions of cybersecurity are not directly threatened by that as as far as we know today.

 

Sean Martin27:22

I'm going to want to go back to the office, because that's where I like to live. And the the security suite, the sandbox AQS security suite, is comprised of many elements, writing on top of an architecture and what I'd like for you to do if you can maybe paint a visual picture for us with words, how this fits into an organization, there's the discovery and inventory and management all the way through to remediation. How maybe the first question is, who in the organization kind of oversees this? Who who are you speaking with to to tackle this problem in the organization? And how does that fit into their their processes and their teams and existing technologies?

 

Clément Jeanjean  28:13

Yeah, so typically, our customer is the CFO or the the seaso. Team, the chief information security officer in an organization. As you said, Our software is like many cybersecurity software basically built on three modules. One is about discovery. So collecting information from the 82nd. One is storing the data that we've collected, controlling the data, looking running analysis on the data, issuing reports, automating the creation and reports like policy enforcement reports, or performance reports, and the third block, so after discovery and control, the third block is remediation. The way it's deployed today, with our customers, it's mostly on premise. Because the nature of the data that we collect, in most cases is highly sensitive, you know, information about how a big bank encrypts data or manages keys is not information that they want to send in the cloud. So the software is deployed on premise. And one of the key consideration concentrations or needs that our customers have, beyond the core features that I've just described. So inventory in cryptography, analyzing it and remit remediating is around integrations. Because again, they don't want to deploy something that's going to be a standalone system with its own dashboard. And that's going to require dedicated workloads that doesn't work today in a big, big organization. A lot of them are moving to DevOps, all of them are moving to automation. And so we have to integrate our software with their existing IT management solutions. So typically ServiceNow, for instance, typically Jira, you know, to manage tickets or remediation, or Splunk, elastic, this kind of thing. That's for the IT management system, even for the inventory part. So collecting information from there it, they want us to integrate with the systems they already have. So when they have an Endpoint Manager, of course, we will integrate with the Endpoint Manager, and we will leverage the existing scanners or sensors that they have deployed across, there may be 500,000 endpoints, or 1 million endpoints, we will leverage these existing sensors to collect information about cryptography, either by just taking the data that's already available, or by deploying an additional package on this sensor. We have integrations with a very widely deployed solution container, for instance, in the endpoint management sphere. So this ability to integrate with existing solutions is really key to our customers. And maybe I can provide a little bit more detail about what type of information we collect how we built this inventory. Because an inventory is only as good as it is comprehensive. If you're missing half of the cryptography that you're supposed to monitor, then there's no point in having an inventory. So we combine different discovery tools. And three dimensions, as we like to describe it. We collect information from the network. So we look at how information is encrypted when it troubles on the network. With something that's called a network analyzer, then we collect information from file systems or containers with a discovery tool that's called the File System Analyzer. And this one parses files, and looks for keys suffocates cryptographic libraries. And it's trained to identify those cryptographic artifacts, those interesting artifacts, that's the second analyzer that we have. So network analyzer File System Analyzer. The third one is called an application analyzer. And this one looks at how cryptography is performed inside application. At runtime. It doesn't mean in production runtime, in all cases, it's in pre production or in development environments. But what's interesting here is that when you are able to observe how applications do cryptography, so how your data is encrypted, decrypted how application authenticates between one another. This is where you have this very deep visibility about where cryptography comes from. Is it coming from a third party component? Is it in your code? Is it a dependency. So by combining those three analyzer, network analyzer five System Analyzer and application analyzer, that's what we call a three dimensional inventory, because you have a very flat and broad coverage across all five systems, if needed, and all your endpoints, and you have a very deep visibility inside, where application comes from in your workloads. And that that's very specific to the security suite.

 

Sean Martin33:26

I love that hike. I can granted I saw some of the diagrams on your website, but I can totally picture what you just described, which is fantastic. And I know Marco probably wants to go when I'm asked another question as well, just the some of the things we talked about early on, or the the migration aspects of this. And we talked about needing to start now, if you're going to if you're going to end up in the right place in time. So what does that migration look like from sandbox? AQS perspective? Where do Where do organizations usually start? I'm gonna guess, inventory, but kind of describe, describe the flow and, and how that kind of plays out. Yeah. So

 

Clément Jeanjean  34:10

clearly, the priority today is to start with the inventory. So creating this, this capability. It's within large organizations, it's already a multi year project. But of course, it doesn't make a lot of sense to create the inventory if you do not strategize the remediation behind that because you know, you have all these problems and how are you getting going to solve them? So, we have this remediation module that's available in preview for customers today, not for general availability or deployment. And what we're looking at here is not automating the remediation entirely, because our customers are not willing or not ready. Maybe someday they will be but they're not ready to Believe A software decides how this cryptographic operation will be replaced by another, you know, using a different underwriter. So it's we rather talk about semi automated remediation or suggested remediation. Because there has to be today, a human intervention, you know, before they change the way that they use cryptography, we have several ways of doing that. We can, for instance, wrap an existing cryptographic operation with an additional layer of cryptography with quantum resistant cryptography, for instance, we can also envision to redirect calls that an application makes to its cryptographic library. So since we see these operations with our application analyzer, we can just see the call happening and redirected to a library that would contain these quantum resistant algorithms. These are just two examples, among among several ways that we have to remediate. But in terms of priority and timeline, our customers today are really focused on building the inventory. And having this this continuous monitoring, because when we talk about inventory, it's not just a one off thing that you want to do. Because of course, if you do an inventory, that's going to take quite some time. But the next month, you know, your configuration has changed. You have new keys, new certifications, new new code that your developers have written. So you need to build this this capability as a continuous monitoring and continuous inventory. Which

 

Sean Martin36:38

continuous integration and delivery? Absolutely, yeah, that's where that's where it all boils down to right. If you can't, if you can't deliver your stuff in an agile way, because you're stuck trying to figure out cryptography, you're kind of kind of hosed, do you think

 

Clément Jeanjean  36:52

and, yeah, there's so just to that point, because that's, that's straight to the point with our more mature customers, where they deploy our solution directly in their CI CD tool chain, where they will already have a series of tests like security quality on the code, and the sandbox tests becomes just one of them. And we both built the inventory of cryptography before the code goes in production. And we control the content of the inventory. And this brings me back to one thing I mentioned before, which are the short term benefits of doing that. Now, if you if you're able to monitor your cryptography and control or cryptography today, you can solve issues that are much more painful now than the quantum threats. And the migration itself, things around compliance. So more and more, you know, compliance standards includes ways to encrypt data ways to manage keys, it's very, very difficult. Given the complexity, given the the hybrid dimension of any IT system today, it's very difficult to demonstrate your compliance with these standards. With excellent spreadsheets and manual processes, it just doesn't work anymore, it doesn't stay. So every existing process relying on this needs also an upgrade for cryptography. And several of our customers, including big customers today, they started the project with us not because of the quantum threats, but because they had a compliance issue. Or they had a policy enforcement issue. They have this security policy where there's an entire chapter about what cryptography they can use, what cryptography they cannot use. But then they rely on just manual reporting from business owners from teams, to make sure that the policy is enforced. Again, that doesn't scale. And we have big projects with big banks, where we're covering several 1000s of applications, where they suspect very strongly that some of the cryptography inside some of these applications does not enforce the latest standard of cryptography that they want to see inside their their applications and their workloads. So we're helping them solve this today in the C ICD tool chain, and then the quantum threads, you know, becomes part of the project because they say oh, okay, we're deploying this cryptography management tool, and we're gonna kill several birds, you know, with the same stone, we're gonna solve this compliance issue, we're gonna have a better policy enforcement, we will have more visibility on certificates. So we will reduce the number of outages, you know, created by certificate expiring and we are also paving the way for the quantum migration.

 

Marco Ciappelli39:49

Why you kind of went where I was gonna go, so the relationship with the public sector and also policy and regulation that as we know, he drives many times in cybersecurity, you do it because you have to do it. But also, I think there is definitely a role into the government in having a vision and plan into this dimension NIST, for example, which, you know, it's going to lay the standards. So what's your relationship with, with government? And you see regulation actually coming along with, with your message and your mission and vision?

 

Clément Jeanjean  40:28

Yeah, so governments in let's say, all developed countries, have started looking at Quantum and specifically the threads on cryptography or are starting to look at that. And we have ongoing conversations with most most of them. Because we're gonna have, let's say, Id visible in that field, naturally, st lock secure being a US company, there are a lot of discussions with federal agencies in the US government, some contracts have been made public at the beginning of this year, but also in the, let's say, US allied sphere, we're having a lot of conversations, both with government, with defense organization with state agencies and regulators. And that's, that's, you know, a very constructive process where we, we talk about what the technology can do, what it cannot do, how, how we've started, you know, these migration projects with our existing customers, because the regulators, they don't want to create something, you know, in like innovation. So they look at how industrials, who have started the journey are doing it. And that feeds the way they're thinking about the future regulation. We have been selected by NIST. So the US standardization body to be proud of their Cybersecurity Center of Excellence, with I think 15, other industrials, including Amazon samsu, very large companies, Microsoft, to work on what the migration framework should be. And so it's not about you know, pushing our product and saying our solution is better than the other ones, we have competitors there too. And we're very happy to be in that group with them. It's really to build the new framework together, you know, so to make sure that industrials will be able to migrate as smoothly as possible and in a meaningful, meaningful way, and that we are solving the problem in the end. And that's something that we're very involved into this relationship with NIST.

 

Sean Martin42:32

And I think it's worth talking about the software delivery model. And lifecycle, when we talk about policy for saving comes to mind is s Vahana. Software bill of materials. Another key piece, another important part of government's looking at to help raise the security posture of, of all software components. Yeah, so clearly, no lack of need and drive, and perhaps maybe some triggers coming coming soon to really enforce the need here. I want to start wrapping and I know, you have the security suite is out. People can get a preview, they can get a demo. I mean, clearly, start the migration now that's that's the message I'm hearing to get that visibility, get the get the assessment and the analysis so that you can take take some remediation actions within within your environment, plug it into ServiceNow and Atlassian. And see where where you're sitting, right. So how do people actually do that? Come on.

 

Clément Jeanjean  43:42

So the discovery and the control center modules can be deployed at scale. Today, we're deploying it in project with several hundreds of 1000s of endpoints covered in very large organizations. The remediation part, as I said, is available in preview today, a very simple way to do that is to get in touch with us start the discussion about what what the problems are around cryptography. And it can be I want to start this going to migration now or I want to understand, you know, how to do it's where to start with, but do we need to prioritize, you know, and we help organizations with these questions, as well. It can be something around okay, there's this quantum thing on the horizon that the board has identified, we need to address that. But we also have a key management problem or we also have an issue with policy enforcement. So how can we be in the project where we get these you know, short term benefits, low hanging fruits, business value, you know, in in one year in two years, and at the same time, we will be ready for the quantum migration when when needed. And no starting probably maybe in three years, something like that. Usually, we start with the Again, very standard enterprise software, sales motion, where we deploy proof of value. In usually in a lab environment where the customer can test our product, make sure that the features actually deliver the value that we say delivers, you know, so we work a lot with the customers to understand their use cases, that's really key in the process, and what they expect in terms of business benefits. Once we've done that, and we've proven the value, then we engage into our first deployment in production. And as with every deployment in production, it starts with very limited parameter like a payload. And then we scale with the ambition, all of our customers have the ambition to cover not 100% of their it, because that doesn't make sense. But something like 80%, which is almost everything, you know, apart from the exceptions, or the non sensitive data at all.

 

Sean Martin46:00

And when you do the proof of value, do you include some of the integrations as well, to kind of show how it fits in?

 

Clément Jeanjean  46:08

Yeah, that's, that's one of the things we do if if the expected benefits is to make sure that the organization can create this additional control in their CI CD tool chain, for instance. Then clearly, we will focus the POV the proof of value on the integration with their Jenkins pipeline, for instance, and make sure that we can have this this loop back to the developers to fix non compliant cryptography or cryptography, that is a policy breach for the organization and also build the inventory that would be needed for migration later on. I love it.

 

Marco Ciappelli46:49

Lots of things, think about, I know, that's you for once we think ahead. Is Human, we're not that good. Or do

 

Sean Martin46:58

we have to run backwards with looking looking back toward the problem? Because I think, yeah, if, as with most things, cyber security, right, if you ask the question, if you could ask a question. And the answer is, I don't know. You're in trouble. So the first is having having a clear view of what what the situation is. So you can at least answer that and and how you choose to address whatever you uncover there is up to the business to decide based on their own situation. But I don't know is not enough, in my opinion. So all right, well, come on. It's an absolute pleasure, chatting with you, great to hear this sandbox HQ story. And congratulations on on the delivery of the security suite and the new division and all that all that has to come. All the goodness coming from three divisions sensing and simulation, and cyber all together. I'm excited to see where where things head for sandbox, AQ, is all.

 

Clément Jeanjean  48:03

Well, thanks. Thanks a lot, guys. It's been my pleasure to be with you today. And I'll be happy to do that again, anytime. You want to know more or deep dive on one of these topics.

 

Marco Ciappelli48:15

Yeah, it's a big conversation. I mean, my head is spinning into into much larger scenarios and how this is going to apply to everything really, in our life in our business and the way we we behave just kind of like another another digital revolution, maybe even bigger than the more we've lived so far. And that's a lot. Alright, so just a reminder to everyone that all the links and to learn more and take action and get in touch with sandbox, AQ will be into the page that we're dedicating to this conversation and awfully again, many more because there's a lot to talk about. So again, thank you so much. It's been a pleasure. Thank you guys. Thank you.

 

Voiceover49:07

If you enjoyed this podcast, share itsp magazine with your friends, family and colleagues. Thank you for listening