VB: The facial part of that, how much of that is just continuously looking to see that it’s the same face?
Menon: The combination, I think, would be foolproof. Facial recognition alone is not foolproof. This swiping system may not be foolproof. But we think the combination, that would be nearly foolproof. Here, you can swipe up and down a couple of times and pretty soon it will recognize that you’re not me.
Long term, a lot of people are working on getting rid of passwords entirely. People really don’t like passwords. A lot of people don’t feel that passwords are very foolproof, and they’re kind of annoying. Maybe this combination of facial plus gestures is a way toward looking at the option of a password-free way to authenticate yourself.
VB: Would you call this context awareness?
Menon: We have a number of directions in that respect. What we’re trying to determine is, what is normal behavior and what is not? We’re also looking at the context in which you do things. Today the way things work is, “Jai is an admin, and an admin gets access to all kinds of stuff.” I want to change it to, “Jai gets access to stuff, but not if he’s currently using a non-Windows device and happens to be in Russia at the moment.”
That’s context-aware in the sense of, I’m trying to understand what are normal and abnormal behaviors. It’s not normal for you to be using an Android device from Russia. Using the context of how you’re using the device, what device you’re using, what the threat level is today, where you’re coming from, whether you’re inside the firewall, all these things factor in. We also want to factor in business context. If I know that Dell and some company just signed a big contract yesterday, maybe there’s a reason a bunch of money is getting transferred from here to there. If I know the business context, I may allow something that would otherwise seem suspicious. That’s what we’re looking at with the context-aware security work.
VB: Do you have any partners in that area? I know there are some folks who use keyboard analysis to figure out some things like, are 100 people using one subscription, or just one? Some of this stuff is available out there already. Where do you think you’re pushing forward into original work?
Menon: The continuous authentication stuff, using swipes and gestures, we’re pushing forward without partners. We think there’s a lot of research still to be done there. We’ve submitted a proposal to the Department of Homeland Security. They’re very interested in this problem and they’re willing to spend a lot of money. We’ve passed a first round with them. We’re in the top 20 percent of proposals. But we have to work our way. They have what they call a broad agency action, like a call for, “All you smart guys out there, tell us how to solve this problem.”
The work on facial recognition, there are some partners for some of that stuff. But a lot of it — Tying it to mood is interesting, tying it to emotion. The voice-based work is something that we’re driving here. Integrating all that is where — People might have said, “Let me try this, let me try that,” but there isn’t a clear state of the art as far as what really works, what combination of things is really foolproof.
In the area of encryption, there’s very significant research yet to be done about homomorphic encryption. The basic idea here is that we know how to encrypt data when it’s stored on a disc. You can encrypt data when it traverses the wires. The interesting question is, what about when you need to perform some operations against the data? When you bring the data off the disc and now you want to perform actions on it, you bring it into memory, and now you have to decrypt the data. It has to be in the clear so you can compute on it — add and subtract and do whatever you need to do.
VB: What do you call this?
Menon: What homomorphic encryption lets you do is, it lets you compute on encrypted data. You don’t have to decrypt and it still works. Let’s say that I have a tax accountant doing my taxes for me. I have to send him my salary information. I can send it to him encrypted, but he can’t run something like TurboTax unless he decrypts it and sees my information. Similarly, once he’s done, there’s a number for how much I have to send to the IRS. He can encrypt that and send it to me so nobody else sees it, but he himself got to see it while it was in the clear at the end of the operation.
With homomorphic encryption, I can encrypt my salary and send it to my tax guy. Then he can do all his computation on encrypted data and send the results back to me, but he doesn’t actually know how much I’m sending to the IRS, because the result is encrypted too. Only I have the key. I can use a tax guy and he never gets to see my income or my tax.
That’s homomorphic encryption. It’s an area we’re quite interested in. We’re exploring that. There’s still about three or four years of research to be done to make it really practical, but that’s within the five-year horizon of what we’re looking at in Dell Research. Smart people in universities are working on it. We’re trying to partner with people like that to continue to make progress in this area.
We talked a bit about predictive security as well. The analogy I like to use is waiting until your house gets burgled and then changing the lock. That’s a little late, but it’s a lot like what happens today. Once you have an attack, you change the settings on your firewall to protect yourself from the same attack in the future. The next step would be waiting until your neighbor’s house gets burgled and then fixing your locks. We can do that, because we have two million Dell SonicWall appliances out there. If we can see a hack happening in India or China, we can change the firewall settings on all our other SonicWall appliances.
You really want to go even further, to the point of being more predictive. You want to see if you need to make the lock better even as the attack is taking place, as opposed to waiting for the attack to take place.
VB: Now that you have research underway in these areas, does that give you more optimism about security in the future? Its current state seems to be kind of dismal.
Menon: That’s one of the reasons why we started thinking around things like data leakage protection. That’s really hard, making sure that data never leaks out. That’s why we’re starting to think in a completely different framework about this. What if it doesn’t matter if the data leaks?
VB: Do you feel like we’ve been losing a security war, and that we can eventually start winning?
Menon: I wouldn’t say we’re losing the war. I think we’ve not yet connected the dots in a way that we could. That’s part of what we’re trying to do. When you have information about what’s coming through the SonicWall appliance, information on your identity and access management software — We’re starting to do things now, for example, where the client has encryption software. Let’s say that someone goes to Dropbox and starts to move some data out there. If you go through our firewall, we can see that you didn’t encrypt the data when you moved stuff out. Then we can automatically load the encryption software onto your client and get that done before it goes out.
I think there’s a lot of optimism in terms of what is possible. Those are some of the pieces that need to happen in order to win this thing.