
Interview: Why Assuming You Are Already Breached Is The Best Way To Improve Your Cyber-Defenses 

Expert Insights speaks to Arti Raman, CEO & founder of data security provider Titaniam, to uncover the power of data protection to prevent costly data breaches.

Arti Raman CEO

Breaking news of a data security breach that affects millions of consumers or costs hundreds of millions of dollars has become a common occurrence. We’re almost desensitized to these risks to our security and our privacy – it’s seemingly the price to pay for doing business in the digital world.

While these breaches might seem like an insurmountable wave, Titaniam is a data security provider pushing against the tide. They offer a data protection platform designed to protect businesses, SaaS providers and government departments with advanced data and privacy protection systems. Titaniam was founded in 2019 and is headquartered in San Jose, California, with additional offices in India. 

After RSAC 2022, we sat down with Titaniam’s CEO and Founder Arti Raman to discuss Titaniam’s data security platform, why better data protection is so important in today’s digital landscape, and how organizations can protect themselves against ransomware and credential compromise. 

Can you give us an overview of Titaniam, and the solutions that you offer? 

Absolutely. Titaniam exists to solve one of the hardest problems in security. Specifically, most cyber-attacks today involve compromised credentials. When you have a credential compromise, what happens is that every security control in your enterprise fails, because it cannot tell the good guys from the bad guys. In these scenarios, attackers are leaving with really, really valuable data, right out of the front door. We created Titaniam to address exactly that. How do you keep data safe when you have a compromised credential, when you can’t tell who is the legitimate user and who’s not?

And to do that, we have applied some pretty cutting-edge technology called ‘encryption-in-use’. Titaniam offers one of the only practical, high-performance encryption-in-use solutions. This means that we can keep data encrypted while it’s actively being used. That’s amazing, right?  So, if the bad guys get in with the most privileged credentials, such as administrator credentials, they’re still only getting access to encrypted data. That’s one of the three key pieces we do. 

The other thing we do is Adaptive Private Data Release. This means that any large enterprise that has hundreds of different data platforms, with thousands of data fields, can provide data to each platform exactly in the way that it needs, while protecting privacy. So, imagine you plug Titaniam into a data platform and do all that fancy encryption-in-use stuff, when it releases data from there, it can send it to many downstream systems in its own privacy preserving way. 

Sometimes this means data is going in encrypted. Sometimes it means it’s masked, sometimes it’s going in format preserving tokens. Sometimes we redact it, sometimes we hash it, there’s nine different ways to do it, and we do them all. And the reason it’s important to put this together with an encryption-in-use system, is that companies don’t have to buy three different types of technologies. So that’s the second piece of what we do, which is, hey, we’re going to give you everything privacy preserving, in one place. 

And the last bit of what we do is what I call “HYOK”, which is ‘hold-your-own-key’. The world is being ‘SaaS-ified’, right? So many companies are going to SaaS platforms, and they’re giving their data to these large SaaS companies. SaaS companies, in turn, have twenty thousand, thirty thousand enterprise customers, and they manage one set of keys in the back. So, what if that SaaS platform gets compromised? You have a real problem.  

What Titaniam does is called HYOK, because we’re running these platforms encrypted and we’re letting every data owner, every enterprise customer hold their own keys. Not just bring them, but hold them, in their own key vaults. When we do that, in combination with encryption and privacy, you’re getting some pretty bulletproof protection. And what we try to say is attack immunity. You can get attacked, but we’re going to give you immunity, specifically from a data standpoint. 

Why are Titaniam’s solutions so important in today’s digital landscape? 

The world is seeing a meeting of three mega trends, that really speak to the importance of the technology Titaniam brings. The first one is data. Regardless of how much we complain about how much data is being captured, the world is moving towards more and more data-driven decisions, with larger and larger data sets. There’s no turning away from big data, massive data, enormous data. That’s a train that has left the station.

The second thing is privacy.  There is no turning back from the demands for privacy. The minute you put that much data in the hands of these many companies, you really need an easy way to deal with privacy. People aren’t going to say, “Oh I realize you need this data, so I’m not going to worry about privacy.”

And the third thing is attacks. I think that the attack reality is just something that’s not going to change. It’s too profitable. There are too many actors that are too well trained. So, when you put those three things together, you can’t live in a world where you have these piecemeal technologies that sort of give you a little bit of coverage. You need to just get organized, and get systematic, and put up dedicated technology in place that solves just this: how am I going to deal with massive amounts of data in a world that requires privacy where I’m going to be attacked every two seconds?

And that’s the genesis of why we exist because we anticipated that, and it’s what we offer.

Who are Titaniam’s typical customers for these data and privacy solutions?

Our typical customers fall into four categories. They’re pretty distinct. We have CISOs, from regulated enterprises. These are people that know they have sensitive data. And for them we are basically providing a platform with five different modules. And they are looking for two things, they’re looking for security but they’re also looking for compliance, easy ways to meet all these checkboxes to make sure they meet privacy standards, regulatory standards, because we’re doing it all in one platform. So, for the regulated CISOs it’s a really easy sale. 

The second type of customer we have are SaaS companies. So really broad, anybody that has other people’s data, that want to be the center of an attack. So, most of the time there we lead with that hold-your-own-key because that’s really critical for them. The value proposition there is very much minimization of risk and maximization of revenue.

The third type of customer we have are what I would call ‘data intensive products’. These are people whose entire product consists of data, that they really don’t want to get out. So sometimes, it’s security platforms that have a ton of security data in the backend, sometimes it will be people from the gig economy. For these guys, it’s about building a platform that is ethical and private, is making sure that they are respecting all the data that they have.

The fourth type is government: the government has tons of confidential information, and they care about confidential computing. Those are the four we’re going for.

Titaniam is a relatively young company, founded in 2019, but has been recently recognized by Gartner as being one of the best ransomware protection solutions. What sets your protection against ransomware apart from competitors? 

You’ll hear many providers acting like they’re the sole preventer of ransomware; I don’t think that’s true. I think ransomware requires three distinct categories of products to come together, and we have one of three.

So, the first one would be prevention and detection tools. Think about all the EDR, XDR firms out there, CrowdStrike, SentinelOne, those guys whose job it is to make sure attackers don’t get in, and if they do get in, that they are found really quickly. We don’t think that goes away; you want to do as much of that as you can. The second category is backup and recovery. So, if you do get attacked, if they take your systems down, you can bring them back up as soon as possible. That’s not us either. We integrate with them. But that’s not us. So, it’s the Rubrik, Cohesity, all those companies. 

And what has happened is, the world has believed that those are the only two things you need. So, up until the middle of 2020, early 2021, you had all these people that implemented backup and recovery but were still paying ransom because the data was still getting out. 

We believe we are the third missing piece: extortion prevention. We make sure that your data does not leave the company in clear text. And when we do that, when we attach our encryption-in-use technology to these data platforms, you don’t lose unencrypted data. 

So now, you can really ignore those ransom demands! Because we give you evidence, like certificates from NIST, that will say that, yes, we know we were breached, they left with the data, but here are certificates that say that data was encrypted. You don’t worry about being extorted; you have all of your compliance in place. 

So, from a ransomware defence standpoint, we think all three are needed: prevention, detection, backup recovery, as well as data protection.

What is your advice to organizations, such as those regulated industries, SaaS companies, data companies or government agencies that are looking for ways to improve their data protection and privacy systems?

I think that taking an assumed breach posture is really important. Because as we learn of more and more compromises, we hear how long attackers have been in systems. Sometimes it’s months and years. I think assuming that you are okay because you have your perimeter defence, or assuming that you’re okay, because you have granular access is just a false position. 

Once you move to this assumed breach posture, you’ll be looking at the world differently. You’ll be asking: “what sorts of evidence, what sorts of audit, what sorts of last line of defence type of controls do we need?” And when you think that way, you immediately start classifying: “If attackers are on the inside, what are your crown jewels? What are you worried about?” Users start thinking differently. 

I think that is a fantastic first step for companies to just look introspectively and say: “If I were to admit or accept that I already have outsiders in my network, what would I do differently?” And that immediately kicks off a set of controls and improves your security posture. I would say that would be a first step. 

And second, I don’t think we should minimize just human training, human awareness. It’s really important for humans to know that, at the end of the day, they are either your most important strength or your biggest weakness. Never minimize that.
