Speaker

Ritesh Ahuja

Founder - Bayun Systems, Inc.

Ritesh founded Bayun after having worked for 25+ years on different aspects of security in various domains - ranging from network security, media security (Digital Rights Management), cloud security, big data security analytics, mobile security, and automotive security. Most recently he was the primary inventor of Continental's Key as a Service (KaaS) product that enabled smartphones to act as a key for vehicles. This is a scenario where nothing short of the absolute best security possible would be acceptable to the car manufacturers, some of whom protect their brand image from any security issues more than a bank would.

He started Bayun when he was struck by the big irony of a situation in which, on one hand, the FBI, one of the most powerful law enforcement agencies in the world, was struggling to get access to a criminal's mundane data on an iPhone, while on the other hand most of us felt totally helpless when our highly sensitive data was leaked in the Equifax breach. So he decided to genericize Apple Keychain techniques, which provide the best possible security available today for some of our most valuable data, and make them available for use by any app so that all our data can stay safe even if the entire server-side infrastructure of an application were to be taken over by a malicious entity (like a rogue state).

Web3 Security needs to jump ahead of Web2 before it can become really useful

Blockchain, and the accompanying web3 decentralized infrastructure, by definition provides a “trustless” mechanism for storage of public information only (with full transparency). However, for a lot of real-life use-cases, besides the transparent data-integrity provided by blockchain, we also need a mechanism to protect the confidentiality of any private user content that cannot be made public, and to make sure content owners themselves stay in control of their private data all the time (and without having to rely on a trusted centralized service, which would otherwise defeat the whole purpose of decentralization).

In the web2 world, data confidentiality has traditionally been achieved by using centralized authentication and authorization services hosted on trusted servers. However, the decentralized and trustless nature of blockchains simply makes that model incompatible with web3. Lacking this basic data privacy & confidentiality, all the current use-cases of web3 have been either trivial, revolving around Bored Ape type public content only, and/or have just become a privacy & security nightmare (e.g. https://www.wired.com/story/nfts-privacy-security-nightmare/). And this applies not just to NFTs, but to literally all content in web3 due to its public nature by definition, including even the user crypto-wallets themselves (e.g. https://techcrunch.com/2022/01/31/success-of-web3-hinges-on-remedying-its-security-challenges/). So it's not a surprise that the universal gateways to web3 themselves are well known to be a security nightmare! No wonder that even the current leaders in the web3 world, including the likes of Coinbase, OpenSea, etc., are all using old-fashioned centralized mechanisms to keep confidential content private (including the custodial wallets, and the recent launch of an NFT marketplace by Coinbase). So, even though the potential of blockchain & web3 is enormous, a substantial part of this supposedly decentralized & trustless world is still a mirage, mired in contradictions! E.g. we don't want to trust banks, but it’s okay to trust Coinbase with our custodial wallet, where the consequences of a hack can be much more disastrous. We don’t want to trust the government recorder’s office for the deed of our digital property, but it’s okay to trust OpenSea's centralized platform, where the consequences of a scam can be much more dire.

For web3 to go beyond pure speculation & vanity, and attack some serious real-life problems in healthcare, real-estate, or social media, etc. (and many more, in order to realize its true potential), this data security issue must be solved first. So web3 security is not only behind web2, but due to its public and trustless nature, it actually needs to jump ahead, to where even web2 doesn’t have a solution. We discuss a simple mechanism that can enable developers of these web3 applications to not only secure their users’ crypto-wallets easily, but also enforce arbitrary access controls on user data without having to rely on any trusted centralized services - thus opening up use of NFTs and web3 to some serious utilitarian use-cases in healthcare, real-estate, etc., to realize its true potential.

Enterprise Cloud Services need to behave as Digital Bank Lockers

SaaS is fast becoming the de-facto delivery model for most enterprise applications today, with increasing use of PaaS & IaaS infrastructure in the cloud for building these apps. When an enterprise customer trusts these SaaS apps with their data, the digital gold of today, these apps, and the underlying cloud infrastructure, are acting as banks of the modern world - keeping that enterprise's digital assets in their safe custody for use by the enterprise's employees and partners.

When we rent a safety deposit box in any real bank vault, we get our own key to unlock it. And this key is needed along with the banker's key to access the contents. How would we feel if the bank manager could access our locker any time using their own key alone, without our permission, or even our knowledge? Will we rent a locker from such a bank? Yet, this is how almost all the digital banks of cloud services operate today - acting as custodians of our data, kept locked with the banker's key alone. And to top it all, the bank manager, whom we need to trust with the safekeeping of our locker key, in turn relies on a trusted doorman (the authentication service) for checking our identity before releasing the locker key to us. And this trusted doorman could have vulnerabilities of its own, e.g. it can be fooled (hacked) or bribed (insider attack).

Even more so, with the proliferation of APIs, the bank manager can issue a key to another partner bank altogether (other SaaS services) based on our one-click approval. This allows the other bank's manager to access our locker any time in the future. With so many keys to our locker in circulation, any of which can access our contents without our knowledge, and the security of each relying on multiple trusted middlemen with their own vulnerabilities, is it really secure at all? Is it a surprise then that breaches keep happening using an uncountable number of techniques to trick these trusted bank managers (e.g. the recent GitHub breach https://thehackernews.com/2022/04/github-says-hackers-breach-dozens-of.html) or their doormen who check IDs (e.g. the recent Okta breach https://siliconangle.com/2022/04/09/ripple-effects-okta-security-breach-worse-think/)?

It’s high time we start demanding that cloud services give control of our digital assets back to us, at least the sensitive or high-value assets. We discuss a simple mechanism by which the developers of such enterprise applications, built on top of any cloud service, can not only keep our data safe and under our control - similar to a bank locker - but also allow equally safe access through partner APIs. This is done by taking the Apple Keychain model of data security, and generalizing it such that access policies go with the data wherever it may travel. Note that Apple Keychain itself holds some of our most sensitive data (e.g. passwords, credit-card numbers), and yet even Apple cannot access any of it (nor have we heard of a single hack/breach in Keychain so far). Keychain fixes the core issue with today's standard model that relies on separate authentication and authorization layers, both of which need to be trusted for enforcing access control. It does that by tying access-policy directly into encryption of data, and we show how any developer can use the same techniques for any enterprise app.
