Internet Security and Building Trust: A Conversation with Taher Elgamal

Michael Rivo: Welcome back to Blazing Trails, I'm your host, Michael Rivo from Salesforce Studios. The threat of cyber attacks is on the minds of a lot of people these days. From politicians to CEO's, to small business owners, everyone seems to be on high alert and with good reason. Now, more than ever companies and organizations need to think about cyber security. So, we wanted to check in with our own Taher Elgamal, the cryptographer and the" Father of SSL", who is also Salesforce's CTO of security. Taher and I will catch up a little bit and then rerun our conversation from last summer. And it's a chance to celebrate Taher's recent election to the national academy of engineering, something that we're all very proud of here at Salesforce. So, let's get into it and hear my conversation with Taher Elgamal, Salesforce's CTO of security. Taher, welcome back to Blazing Trails.

Taher Elgamal: Thank you, Michael. Good to be back.

Michael Rivo: Congratulations on being elected to the National Academy of Engineering. What a huge honor. Tell me a little bit about that, did you get the call like the Nobel four o'clock in the morning call, tell me a little bit more about the organization.

Taher Elgamal: I got an email at four o'clock in the morning. The advantage is emails don't wake you up.

Michael Rivo: Wonderful.

Taher Elgamal: They actually sent me an email. Yes.

Michael Rivo: Well, that's great.

Taher Elgamal: And I had no idea before, it just came.

Michael Rivo: Oh, that's great. Well, it's a huge honor for you and for Salesforce, so we're super excited. And we also wanted to take this opportunity to reconnect as there's so much happening in the world right now, around security generally and cyber security specifically, and just wanted to get some of your thoughts about what's happening in the world of cybersecurity. Are we seeing big changes with what's happening in the world or are things kind of staying the same, what's going on out there?

Taher Elgamal: So, obviously there's an increased sort of urgency when people talk about cyber security these days and different organizations deal with cyber security and different in different ways. For a company like Salesforce, security is already at the top of our priorities. So, the reality is, we've always known threats and threats of several different types and we built our security program to address the different threats.

Michael Rivo: I mean, and are you seeing out there in the community with your colleagues? Are you seeing any changes in how people are thinking about it or what's the in the community right now?

Taher Elgamal: Sometimes people wake up a little bit. So, for organizations that do not put security at the top of their priorities, I would tell them, hey, take a look at your priorities in terms of securing the organization, the enterprise. And that maps into most of the time blocking and tackling into just catching the important things about cyber security. Are you patching your infrastructure well? Have you upgraded from using passwords to using multifactor authentication? The basics are actually the most important thing? Do you know how to collect logs to detect things? It turns out that the basic things about managing security in an enterprise is the most important thing, always been and always will because that's how the attackers find ways into an organization.

Michael Rivo: And that's just like so many things, if you get the fundamentals right, then the rest of it takes care of itself. Okay. Let's go back to the beginning. I would love to hear about growing up Cairo and when you first fell in love with math.

Taher Elgamal: Yeah. So, I fell in love with numbers before I fell in love with math. My father was a high level official in the Egyptian government for quite a long time, he actually ran the health department for the country for several years and it was difficult to fine, but that's the case for all busy fathers, but I actually fell in love with numbers first. My parents tell me, I don't actually recall that myself, but my parents told me that when I was like four or five years old, I picked up the Cairo phone book and added all the phone numbers together. And if you know anything about Cairo, it's not a small city, there's quite a few phone numbers in that thing.

Michael Rivo: Right.

Taher Elgamal: And then apparently I did some statistical analysis of why there were more 8's than 9's or something crazy like this.

Michael Rivo: Wow.

Taher Elgamal: So, numbers were kind of very therapeutic for me and when I grew up, I kind of analyzed it as numbers never changed their mind actually, it's a beautiful thing. People on the other hand change their mind all the time, every second sometimes. And when I went through school and college and so on, it was obvious that math was my favorite subject. When people asked me, what was your favorite subject at school? It was actually algebra and there are very few people that have that answer to that question.

Michael Rivo: Right.

Taher Elgamal: But I found algebra to be wonderful.

Michael Rivo: And just to get back to that topic and that led you to Silicon Valley and to Stanford in the early 80's and the days of computing, and I would love to hear about some of that history at your time, getting your PhD at Stanford and what it was like in the Valley in those days.

Taher Elgamal: Oh, it was a wonderful thing. I mean, I came in'79 and I came to get a PhD and I wasn't exactly sure what topic it was going to be. And I kind of found Martin Hellman, who's the person who invented public key cryptography out of all subjects and we chatted and I kind of liked the subject. But I was studying my favorite topic, which is actually in mathematics called number theory. So, with the help from Martin Hellman, I was able to study cryptography and write a thesis that became famous and graduate and build a career in cyber security. But the Silicon valley was very different 40 years ago, it was full of fruit orchards. You don't see fruit orchards anymore. There were like Stanford and Hewlett- Packard, the national semiconductor and that was it. Apple was barely starting and it was very different. The whole Silicon Valley was basically centered around Stanford, which is a good thing for me at the time.

Michael Rivo: And could you feel at the time that the value was on the precipice of something big happening or was that later when that feeling came?

Taher Elgamal: I remember a conversation I had with my boss at Hewlett- Packard. So my first job right out of school when I finished my PhD was with Hewlett- Packard labs, in parallel to here right across the street from Stanford, so it was kind of the same neighborhood. And I had a conversation with my boss at that point, so that's 40 years back. And I told him, hey, look, I think the internet is going to take over the world. And we were connected, the internet existed by either way at the time, there was no web or HTTP or any other stuff that we take for granted these days. But we were connected, we sent emails and we understood what connectivity meant. And he reminded me after the IPO of Netscape in the mid 90's, he actually called me and said, you know, you were right, 15 years ago or whenever it was. I remember that, he said he remembered that conversation which is kind of hilarious actually.

Michael Rivo: Well, it took a little while to get there and you were right at the center of it, working at Netscape in the early days of the dotcom era. And that's where you developed SLL and you have this wonderful moniker of the" Father of SSL". So, tell us about that a little bit, those days at Netscape and developing that.

Taher Elgamal: I do not actually know who invented that" Father of SSL" thing, it just sits in the web for some reason. I am called that. But you're saying it took a while for us to get here, actually, if you look at the base of change in the society, and I mean, the global society, it's the fastest change ever. In 25 years, we live in a completely different world from just 25 years ago. We take all of these connectivity things for granted, SLL played the central role in securing things, which it's sort of fun to see. You work on things because you feel good at the time and you're never going to be able to predict that there is going to be billions of copies of something that you worked on being used in every single machine in the world, which is kind of funny. It is true today and this father thing, although it was not... I did not call my myself" Father of SSL". I have two kids that my wife and I love.

Michael Rivo: Not including SSL?

Taher Elgamal: Not including SLL. But I think that the reason that it was named that, because they actually sort of nurtured SLL until it became a standard. I didn't just write something or write a paper or a pen, although we did write the pen at the time at Netscape, and we had a whole team that built these real detailed protocols back and took it to the world and... But I actually took it to the IETF and made sure it became an industry standard and we convinced Microsoft that it was the right thing to do, to agree on a single protocol rather than build multiple ones and it just became what it is today.

Michael Rivo: I'm curious that that process is similar now of developing of protocols. At the time it seemed like there was such a spirit of everybody was in trying to grow the internet, everybody had a view into what the potential was, and maybe there was more collaboration. Would it be this same process to develop a new protocol now as it was back then?

Taher Elgamal: Actually it feels like not exactly what you're saying, because even back then, there were other protocols that people were working on that even the IETF itself was trying to standardize, but people were still building and shipping things with their own proprietary stuff. If you look at the payments industry, for example, which obviously we did eCommerce in the early Netscape days, that was sort of the number one goal, that was the target. The payment industry has so many protocols, it's hilarious. The only thing that even the payment industry agreed on is to use SLL for internet payments. It's the only one thing that the entire payment industry ever agreed on, which it was because it was available, it was there, it was in all browsers and all servers, and because it was the one standard everybody implement, it was interoperable and it was easy to use. But there has always been the desire to build proprietary things for control and I don't think that was different back then from now actually. I think there has been, even back then a desire to build a proprietary thing because you think you're going to control an ecosystem, but clearly controlling billions and billions of machines talking to each other with security built in would not be done by any one entity, there's just no way. It doesn't matter how big the entity is. So, I think now we recognize the value of the collaborative effort and people still remember.

Michael Rivo: Yeah. The open standards really opened up that whole opportunity. And since then, you've been involved with securing global network at set scale for many years now and you're leading that effort along with Jim Alkove here at Salesforce. What do you see the challenges ahead in the security space?

Taher Elgamal: So, there are some dirty secrets in the answer to this. In the early days we looked at how do we use this internet, it's an open network, how do you use it to do eCommerce? And eCommerce to us was conduct a transaction over this open network. What does that mean? Because an open network means that anybody can see everything or people can even modify things if they can't see them. So we said, we have to hide these transactions from the open network, that's where the SLL idea came from, it was a company effort. Unfortunately, what happened after this, SLL became a standard and successful, and the world believed that we solved security. Security is done, let's build the eCommerce and they just moved on. And we did not at the time analyze threats that might be coming afterwards very well. So, we analyzed a particular number of threats that have to do with an open network and we'll let the business grow and then a few years later you discover that people attacking the corporate network. So, you could get people's transactions, sitting in databases, it's nothing to do with the open network. They did not actually attack SLL itself, they attacked something else. And then they got innovative. I do not know exactly who came up with the ransomware idea, it's pretty innovative. You go, you just get a hold of some machine or some group of machines and you tell the owner, pay me a dollar and I'll give it back to you sort of thing. So the attacks, the threats grew out of proportion faster than the controls could be done.

Michael Rivo: Yeah. I just saw a headline today, the G7 meeting is today and that it used to be nuclear security that was the topic of conversation and now it's cybersecurity. How should senior leaders be thinking about these security issues and communicating with their teams about that?

Taher Elgamal: So, there is the good, there is the bad and there is the ugly. The good is, everybody's realizing the nature of the threats. Now they're becoming infrastructure. The bad is, companies and agencies and entities are coming up to speed on how do I protect myself as a business or as an agency, so each entity is building knowledge about how do I protect myself? The ugly is, we forget that it's actually a global issue. It's not a company issue, it's a global issue and we will not be able to solve this until we cooperate. There has to be a level of collaboration between entities globally for us to make this new ecosystem risk level sort of correspond to the risk level of the normal human being life that we're used to for the last million years or whenever human race started. The problem with the high connectivity is that it is making the risk much higher percentage wise and a lot closer. In the old days to attack someone, you had to cross borders and bring people, there was a lot of physical activity. Now you can conduct these things just by sitting at home, so it's a very different world. I'm glad the G7 are talking about it, I hope they work together. I hope we work together with all of them and with others, because the level of connectivity is just higher than what we can protect globally until we actually know how to work with each other correctly. And it's not going to get fixed now by somebody doing one or two things, it's going to take a number of years, maybe decades to actually get it done correctly, I think.

Michael Rivo: And when you think about the level of connectivity and then you start to bring in what's happening with IoT, what's happening with peer to peer and 5G, the connectivity is exploding < it has been for years and it continues to, with so many connected devices. How do you think about an overall sort of security protocol as this grows so much? How should companies be thinking about that?

Taher Elgamal: Yeah. So, as a community of human beings living in different places, we have not come to a realization yet that anything we build and can connect into this connected world is both value, but also produces risk.

Michael Rivo: Right.

Taher Elgamal: The level of attacks is much bigger than anything we've used to, so I think we need to sort of come to the realization, the conclusion that any and everything we build needs to understand that it's connected and it needs to take into consideration it is protecting and what it can get access to that can hurt us.

Michael Rivo: Yeah. I mean, I think about that in my own life now when I realize with all these connected devices. Wait, you're bringing in another access point into your house, how do you think about that, like when you're putting things in your house? What's your thought?

Taher Elgamal: It's a good point. And there is the immediate and there is not so immediate thinking. So, the immediate is, if you connect your door, for example, which a lot of people now do to the network, somebody can open your door sitting in their house. That doesn't sound like fun. And so, this is even the immediate thinking. The not so immediate thinking is, somebody can use your fridge and everybody else's fridge to attack some other thing, nobody's thinking of this. And the fridge companies clearly don't think of that, but they're all nodes on the same network, they're all connected to each other. There's no two networks, it's all one network. And if any group of nodes are available for an attacker to get a hold of, you're going to see amazing things. So, we are not protecting even from the first immediate things. As in can someone in fact open your door over the internet sitting at their house. And it takes a lot of thinking to make that product, but certainly people are not thinking of the bigger story.

Michael Rivo: And now Salesforce has security and trust is a number one value here at Salesforce and securing our customers data as paramount to what we do. But we're not in the consumer security business, how does Salesforce connect to some of these larger global issues that you're talking about?

Taher Elgamal: So, Salesforce has access to a lot of customer data, you are absolutely correct. And if you look at everything that gets done in Salesforce, it's all centered around protecting customer data, it's actually one of the number one goals, just protecting customer data. And the growth of Salesforce is like exactly one to one corresponding to growth of customer data. And when that happens, it's not just the growth of the data, it's the nature of the data. There is more data, but there's also more sensitive data, there is more important data. So, the focus at Salesforce on security is huge, because it's sort of a core part of the business. You're right. Trust is our number one value and to me as a security professional, trust means protecting customer data. And the notion is the more security aware people in the world, the better the whole cyber security situation is going to be. It's going to take a worldwide activity, which obviously Salesforce is always part of, but we need a lot of collaborations. We need a lot of governments to kind of... Even governments that don't exactly see eye to eye, we need these people to talk to each other.

Michael Rivo: And when you think about that for a whole organization, what should be top of mind for CIO's and CTO's right now? What are you hearing in the conversations that you're having with leaders of enterprise companies? What's top of mind for security right now?

Taher Elgamal: The fact that we have to protect our businesses, our organizations, our agencies from attacks that are yet to come is actually the number one issue. Because we do not know what the attackers are going to come up with, there is a lot of machines and computers and processes and cloud services and everything connected to everything. And the adversaries are very smart at finding weaknesses, finding a weakness in one computer in the sea of computers can actually yield to an issue that could eventually yield to a breach that is harmful. So, the attacker has the edge, right? The attacker needs to find an entry point and then follow it, while people who are protecting needs to protect the entire thing. So, it's actually not a fair game as far as that goes. The attackers work with each other, they're actually extremely connected, they build on these tools. They continue enhancing the tools and they protection, people who are protecting their own companies collaborate, but to a much less degree. So, when you're, when you're thinking top of mind, the top of mind is, can somebody utilize some weakness someplace and launch an attack that I'm not aware of, and how many layers of defense and protect and detection do I need to build to optimistically prevent an attack, but at minimum detected early enough, so it doesn't cause real harm. We all know in this industry, there is this new thing in cyber security that we all call zero trust. And what it means, you have to assume that some bad person, some adversary found their way through and they're actually in the middle of a network that you care about and you want to minimize the impact of that.

Michael Rivo: I mean, you've been in this role for your whole career really, in this defensive position. What is that feel like to be there all the time?

Taher Elgamal: I mean, on one hand, it's kind of really fun because you're solving difficult problems, which is what in the technical world we strive for. We all want to find solutions to difficult problems. Every once in a while, you kind of wish that people will work together a little bit more to make the situation better. Every once in a while you wish that the infrastructure was built in a somewhat different way that is easier to protect. But at the end of the day, we play the Cat and mouse game, we're good at it. And you protect against these massive amount of attacks by building layers and layers of protection.

Michael Rivo: Well, I know this comes out of your love of cryptography and that's your field of study. I don't know a whole lot about it, I would love to you hear some of the fun stuff that you worked on or just tell me a little bit more about it as a field and beyond security, how are you still involved with it right now?

Taher Elgamal: People did ask me, why did you get in cryptography? And my answer to that question is, cryptography is the most beautiful use of mathematics I've ever seen. It's just absolutely gorgeous mathematics. It changes with time, it's not a fixed thing. So, it forces you to continue to think and change, and you want to apply it in different ways so that you can protect the important things, but it teaches you how to think differently. Everybody tells me, we need more security enabled people, we don't have enough. The world does not have enough, that is correct. And cryptography is an example of a use of mathematics, it just... I do not know I was extremely lucky maybe or whatever, but it's really awesome to think through it.

Michael Rivo: Well, it's been such an incredible time of innovation that you've contributed to and learned so much and it's changed the world, there's no doubt about that. So, this has just been a wonderful opportunity to catch up and learn about your career and about security at Salesforce. So, thank you so much for joining today, it was a great pleasure.

Taher Elgamal: Thanks, Michael. It's been great to be here, I appreciate the opportunity.

Michael Rivo: That was Taher Elgamal, the legendary cryptographer and Salesforce CTO of security. For more, we've got some great resources on Trailhead, our learning platform to help companies and individuals of all levels develop security knowledge. Just go to trailhead. salesforce. com/ cybersecurity. That's trailhead. salesforce. com/ cybersecurity. And if you want to hear more Blazing Trails, be sure to subscribe wherever you get your podcast. I'm Michael Rivo from sales as for our studios, thanks for listening today.