Safety Detectives spoke with Julian Durand, CISO and VP of Product Management at Intertrust, to gain insights into what an XPN is, how it differs from a VPN, some of the cybersecurity benefits it provides, and more.
Can you talk about your background and your current role with Intertrust?
I like to describe myself as a recovering engineer. While I am primarily a product manager and Certified Information System Security Professional (CISSP) today, I have loved engineering all my life. For anyone interested in ancient history, I was a Banyan Vines network admin and programmed in dBASE III+, IV, FoxPro, FolioViews (yes, pre-internet, early SQL, and pre-HTML) and created country of origin information databases to support the Refugee Determination Process (RDS) of Canada’s Immigration and Refugee Board. The system worked well and was noticed by the United Nations High Commissioner for Refugees, which led to an opportunity to re-create my RDS databases on a global level. The horrific slaughter in the ex-Yugoslavian war and Rwanda were the backdrop and dark inspiration that led my team and me to create Refworld. Refworld continues to be the UN Refugee Agency’s tool to effect change and protect the world’s most vulnerable people. It is the most important and difficult work of my life and my proudest achievement.
This also introduced me to the vital importance of data security. It was 1993, and UNHCR field officers were embedded in Sarajevo. They bore witness to the genocide at Srebrenica and informed the world of the heinous rape camps run by the Serbs. When my friends would return to Geneva from the field, they would ask me why my databases didn’t reflect the true numbers of the massacred. It turns out the internet servers were under the control of the Serbs, and they would modify or delete these emailed reports in transit. It was then I discovered PGP and its implementation of brilliantly elegant mathematical equations that could assure the integrity, authentication, and secrecy of messages. I’ve been passionate about and inspired by the principles of cyber security and applications of cryptography ever since. Standing on the shoulders of giants, I have been fortunate to innovate on these security applications all my life, leading to being a named inventor on patents ranging from virtual eSIM (at Qualcomm) to Explicit Private Networking (XPN) at Intertrust.
Today I lead product management for Intertrust Platform, which is our platform for next generation trust services for the IoT and beyond. I am also the company’s Chief Information Security Officer (CISO).
What are the main solutions offered by Intertrust?
Intertrust Platform provides end-to-end trust and interoperability services for IoT and data. We are focused on energy and making use cases such as Energy as a Service and real-time operations highly resilient, reliable, and secure. We’re solving the hard problems of data governance in the energy industry that, in a way, is also broadly applicable to all data-driven IoT use cases. We also offer distributed trust services to the media industry, and we are the leading multi-DRM vendor with our flagship products ExpressPlay and our new offering, MarketMaker, which combines Web3, token rights management, and DRM technologies to give creators, digital marketplace operators, and media companies the ability to create new innovative business models for both digital and physical goods.
What exactly is XPN, and how does it differ from other similar solutions in the market?
XPN is a security protocol optimized for data and command protection in IoT systems. It’s an end-to-end protocol to protect data integrity, authenticity and secrecy from the deep edge to the cloud and is the transport for commands to direct automated infrastructure in a highly trusted fashion.
XPN is an evolution of well-known protocols such as Virtual Private Networking (VPN) designed for enterprise connections and TLS designed to enable e-commerce. While the foundations of public key crypto, ciphers, and hashes were sound in these protocols, the session-based nature was insufficient for the many networks and environments of the IoT. As a result, we’ve been observing terrible ransomware and other cyber-attacks on critical infrastructure. We knew there must be a better way. Together with leaders such as CTO and crypto visionary David Maher and Pierre Chavanne, a veteran of decentralized trust systems, we deconstructed and re-built these into a protocol to meet the extreme needs of IoT data security.
Unlike VPN and TLS, XPN is lightweight and can run on the most constrained devices, ensuring blanket security for IoT systems. It is easily deployed and managed and has built-in configurable automated security renewability. It can bridge the so-called “air gapped” architectures of industrial systems. It protects data in ad-hoc self-forming meshes found in smart meter networks and home IoT secure by tunneling through them.
How does XPN integrate with an organization’s existing security infrastructure?
Take our XPN SDK Client and integrate with your app on the device, and connect it to our XPN Service in the cloud. Much of the setup and configuration is available out of the box. If you choose a chipset that already has our XPN Client SDK integrated, it’s even faster and easier.
We’ve been running a hyper-scaled world class private Certificate Authority called iPKI that’s been WebTrust certified for 13 years. We also create a customer’s root of trust, key hierarchy, and management system to ensure devices are uniquely and cryptographically bound to the service owner.
Can you provide some examples of threats that XPN addresses or helps to mitigate?
XPN makes it safe for very sensitive sensor and control data to traverse unprotected networks and environments.
It’s a profoundly new approach to the problem of data security. While protecting sessions and hardening devices remains vital, we fill the yawning gap in persistent data protection and governance that has been so expertly exploited by malicious actors around the world.
How has the cyber security landscape changed over the past few years, and what trends do you see emerging in the near future?
In one word: scale. The hacking community has become more experienced and lethal with the ability to extract real profitable revenue from ransomware attacks on corporations and critical infrastructure. Zero-day vulnerabilities are bought and sold like the billion-dollar weapons of mass destruction they are, and exploit kits based on these are bought and sold through the very active marketplaces of the dark web. Cryptocurrency ensures criminals and terrorists can profit and invest in new, more sophisticated attacks, and they are managed like Fortune 100 firms, complete with HR, marketing, and public relations departments and expertly staffed. It is this scale that has made them so effective and the cyber security landscape so perilous today, particularly for the IoT.