Varun Talwar of Tetrate: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

Press Coverage  |  21 August 2021  |  By Pirie Jones Grossman

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Varun Talwar, CEO and co-founder of Tetrate.

Varun has created not one but two very widely used projects — Istio and gRPC. He wants Istio to do to networking what Kubernetes did to compute. The philosophy that has driven him to create these open source projects: solve a hard problem and make it easier for people to adopt the technology. He understood firsthand the challenges that enterprises are going through with modern applications on heterogeneous infrastructures and wanted to solve for those. He started Tetrate along with JJ to create a safer and more responsible path to application modernization for enterprises.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in Delhi and got my first access to computers in the mid-1990s when Linux was starting to become mainstream and the web was just taking flight. My computer interest was born out of mathematics and I dove deep into logical experiments. I had a high-energy teacher we called “Dash” who drove me to have a deeper interest in PASCAL and was very instrumental in getting me interested in computer science. For a few years, I was part of a club that improved our programming skills. My friend Virat and I won 80% of programming competitions in Delhi. In 1998, I “earned” my first personal computer once my parents were convinced I could do something with it.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

It was a bit by chance that I pursued a career in cybersecurity. I was initially enamoured with the cloud and large infrastructure (YT, Maps, Google Cloud), and upon joining the Google Cloud Platform (GCP) team, I began to grasp the impact that cybersecurity would create in the future. The Snowden leaks were happening around the time I joined GCP in 2014, and this was mega news for months and months. It gave me a new perspective and a bit of appreciation for what can happen if things go wrong. Cyber attacks were happening frequently at Google, and some of the technologies that we are building today are inspired by some of those attacks. The consequence of one certificate being bad could be catastrophic, so Google built very strong security. But people without the engineering power of Google struggle to build security that can prevent attacks. At Tetrate, we build application networking products where security is the default and not something that app devs need to add separately.

Can you share the most interesting story that happened to you since you began this fascinating career?

One of the most exciting projects of my career was at YouTube in 2012, when the skydiver Felix Baumgartner jumped to Earth from space. This was one of the biggest live events in the history of YouTube at the time. Six months of planning went into this, with a “war room” and multiple fire drills. As Baumgartner was going up, traffic kept building. At the peak moment, when he was about to jump, 8% of all internet traffic was on this live stream. Working on the infrastructure to keep all that traffic flowing and the experience seamless was invigorating. This experience also got me more interested in infrastructure and ultimately played a key role in me co-creating the Istio and gRPC Open Source projects.

None of us can achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

This reminds me of the quote from Steve Jobs about Connecting the Dots. I truly believe that all of the people in my life have been instrumental in some form or another in helping me get to this place. I’m grateful to Ben Lin, a serial entrepreneur in SG, who gave me a shot at his startup, MethDOS, in 2003 when I was fresh and starting out. I am also grateful to Charles E. Leiserson who taught algorithms at MIT. The way he would explain things… I have never met a person like that ever in my life.

He was one of the founders of Akamai and he made me want to have a career in technology. He would bring water guns and balloons to class to explain concepts and have fun while doing it. Every computer science graduate in the world read his book, “CLR.”

Are you working on any exciting new projects now? How do you think that will help people?

I am extremely passionate about solving the network problems of today. We have had two revolutions in the cloud: first, for computing with AWS, GCP and Azure, and second, for agility with microservices and container orchestration. But along the way, we have missed out on a key aspect of cloud: the network. This is what I am currently working on and I believe it will spur the third cloud revolution. Networks today are proving to be unreliable in a hybrid environment. Legacy and new computers coexist and need to be seamlessly connected, and, at the same time, the access points for these are not limited to a perimeter any more — internally or externally. So, today’s enterprises require a layer of infrastructure that allows applications to communicate — in any environment, on any computer. Our product, Tetrate Service Bridge (TSB), released last year, is an application networking platform built using the best-in-breed open source projects Istio, Envoy, and Apache SkyWalking. TSB provides a management plane for a service mesh that spans the enterprise’s entire infrastructure. In simplest terms, its job is to harness the complexity of hybrid, distributed systems and make it simple for application developers and operators to deliver their software more quickly, safely, and reliably. I was the project manager behind gRPC and Istio while I was at Google and my current project is to connect the world’s traffic with networking at the application level. One of the reasons I co-founded Tetrate was to create tools and technologies that will help organizations go through the journey of modernization and public cloud adoption. We’re helping customers with availability, security, and manageability of their applications as they undergo this transformation. We have done this with our flagship product TSB and the connectivity for any workload and environment that it facilitates.
We are excited about partnering with NIST to define some of the standards of zero trust architecture for microservices and to be implementing their visionary framework for access control. We are also developing Tetrate Cloud to make it easier for teams to manage their infrastructure.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Get to know your relaxation muscle. Know what relaxes and rejuvenates you, and do that. Don’t be embarrassed to say what you need at any point. It is very important to first take care of yourself before you can be helpful to others.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

What excites me most about the cybersecurity industry is its importance, its growth and business potential, and the enormous opportunity out there for making an impact and filling the gaps of existing knowledge. So many companies are affected.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Critical threats we know we need to be prepared for include ransomware, data exfiltration, insider attacks, and multi-cloud vulnerability. Another big challenge and big threat is the lack of skills or security knowledge in developers. Many don’t care and don’t want to know — but they’re responsible for solving this problem. So companies need to have developers build in a way that is secured by default.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I have stories that I am not at liberty to share, but the takeaway is to bake as much security by default into the platform. Don’t leave it up to individual teams to create their own security practices. It creates inconsistent practices and leaves your systems open to vulnerability.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

In the past, you only used a firewall and virus scanner. Now you need a complex set of tools: intrusion detection systems, vulnerability scanners, malware detection systems, etc. Attacks have become more sophisticated as well. Your best friend is simplicity and keeping only those doors open that are required for business to be done. Istio, the open source service mesh, is a critical cybersecurity tool for enabling a “zero trust” security posture. A key benefit is that it allows you to build controls outside of the application code that can be deployed and updated dynamically by security teams consistently across your fleet.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

We recommend organizations use Tetrate Service Bridge when they need to apply security policy consistently in the mesh so app devs don’t have to do it. It’s really useful to organizations that have split infrastructure, from on-prem to different cloud providers, and they need to enable communication of those components across the different environments. TSB would help you ensure you have consistent controls in place across all of your environments and that you can prove to an auditor that they are consistent and enforced everywhere. The centralized control brings sanity to the split infrastructure world and gives you out-of-the-box conformance with NIST standards for microservices security. It’s less about the size of your team than it is about the operational complexity that you need to manage.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

Lay persons should know to follow up if they see unauthorized charges or activities in an account — communications, password change notifications, two-factor authentication prompts, etc. — that they did not initiate. Any small change from the usual patterns needs to be investigated further. Also, organizations should be using observability tools to detect inconsistent traffic patterns that may indicate suspicious activity and that should be investigated further. Tetrate Service Bridge includes monitoring tools that help organizations keep an eye on overall system health and help them detect unusual patterns.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Secure your data! Consult with legal, notify the relevant parties of the breach, and correct vulnerabilities to prevent future breaches.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Relying only on perimeter security. Even before the pandemic, companies were already getting more distributed. But you have companies giving access to people based on their IP alone. That doesn’t work anymore. The pandemic has exposed the vulnerabilities and accelerated the need to improve. Companies have vendors, employees, and contractors distributed across various locations and a lot of companies are still relying on perimeter security to handle this. Systems need to adapt to changes in how people operate.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Yes, we are clearly seeing that. Companies are not well prepared to tackle remote access from users, developers, and partners to their applications and infrastructure, and that is leading to gaps in their security posture. Perimeter-only security, lateral movements, and lack of tight API access controls are leading to more compromises.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

Separate application delivery from application deployment. While companies adopt DevOps and other practices to make their development cycle more agile, they often miss out on the crucial aspect of making networking traffic management easier for developers. Having multiple developers handle this in their own way opens up the applications to multiple points of security risks. Adding a lot of checks and balances could make a simple traffic pattern change take weeks. The best way to get agility with security is to separate the application delivery from deployment and bake in security by default in delivery.

Workload is the new perimeter, especially as you move towards microservices. Perimeter security is extremely risky. The often-quoted hack of Target via its wifi, back in 2013, was enough proof of the broken system, but organizations continue to use this. They need to move towards ABAC or the more sophisticated NGAC methods of access control.

Security should be built into DevOps. As mentioned, relying only on developers to implement security is not enough. This should be part of the common service stack like service mesh that works across workloads. DoD actually was able to take their development cycles forward by 100 years with their DevSecOps.

Think about AAA (Authentication, Authorization, Audit) for all your API accesses. A big benefit of the service mesh architecture is that the key piece that allows you to build these controls — the sidecar proxy deployed next to every application — has quite a few security benefits over the traditional approach of building these operational assurances into your application code. These sidecars can enable a unique cryptographic identity for each service which simplifies strong authentication. If you are rotating certificates in an automated fashion, incidents like the Marriott and Equifax attacks will be hard to replicate.

Maintain continuous assessment of the runtime. With rapid deployments in containerized environments, it is easy for runtime security policies to drift from what was defined. You need ongoing monitoring of security policies from your runtime and meaningful alerts to correct owners.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

As a leader, I think a tremendous amount of good can stem from making opportunity accessible to everyone. Look for talent wherever it may come from, recognize it, nurture it, and continually express your gratitude for it. That is the ethos we follow at Tetrate.

How can our readers further follow your work online?

You can find more information about Tetrate, including cybersecurity and Zero Trust resources, at tetrate.io. We cohost an annual conference with NIST and hold free weekly webinars on YouTube, so I’d encourage people to subscribe and follow us on Twitter or on LinkedIn.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

 
