In the modern world, developing sturdy cyber security practices is one of the most important and pressing tasks that we are faced with. As malware and other malicious efforts become more intricate, it is essential that we explore new ways of protecting our sensitive data. Jun Yu, founder of APF Technologies, feels that securing unstructured data is one of the most challenging yet important cyber security issues to address.
With his development of an Unstructured Data Shield (UDS), he and his team are leading the way towards securing this data and developing a “zero trust” strategy that works to protect organizations and individuals alike.
Hello Jun, thank you for your time. Can you tell us a bit about yourself?
Glad to be with you. I grew up in China and was trained to become a pharmacologist. Soon after I came to the United Start in the mid-90s, however, I was fascinated by the state-of-the-art equipment that I got to work with in a research lab and I became obsessed with the technologies that drove them. Because of that, I made a career change to enroll in the computer science program at the University of Chicago. After graduation, I worked on wireless infrastructure at Motorola for a decade, starting with the second-generation wireless data all the way through to 4G LTE. My lab was the first in Motorola that realized the full speed of 4G LTE in a real system.
That had to be exciting! What happened next?
After Motorola, I joined Gogo Inflight to bring their revolutionary ground to air wireless system from trial mode into full commercial service. Before starting APF Technologies, I worked at HP Enterprise Digital Safe, a big data SaaS of compliance and e-surveillance service to some of the world’s largest financial companies, where I led the effort to rebuild the system to facilitate the explosive growth of data volume and usage as the result of increasing regulatory demand after the financial crisis.
That’s where I gained intimate knowledge of the significance of cybersecurity and the possible fallout if data falls into the wrong hands. I also realized the challenge of securing billions of files, known as “unstructured data” as opposed to “structured data” which are stored in databases.
The unstructured data includes the files on every PC, in OneDrive and SharePoint, and many more files stored on servers. In the past a few years, unstructured data has become the primary target of cyber-attacks. As a matter of fact, more than 95 percent of stolen data during the same period comprises unstructured data. The reason for the surge is a very simple one: it’s almost effortless to steal unstructured data.
The increased network usage makes transferring a large number of files faster and easier to hide, and the rapid advanced machine learning capability makes extracting information from a large number of files not only possible, but extremely cheap.
How did you become interested in data protection and cyber privacy?
At the HP Enterprise Digital Safe where I worked, data security was very serious business. Use of encryption was common, and segmentation of data storage and data access control audits were routine. Those actions are performed on data stored in a closed data center where access from outside is tightly controlled. But when I looked at my (and everyone else’s computer), every file was in clear text. If I or someone else might have clicked on an incorrect link, all the files on the computer could be compromised and used to steal even more data.
The data was exposed at their most vulnerable point! Recognizing this ironic contrast, I started to understand why most current cyber security solutions fail and will continue to fail until the fundamental issue is solved: unstructured data on every device must be secured. That was when I started my quest to search for a solution for the problem that is deemed by many as unsolvable. Five years later, Unstructured Data Shield (UDS) became my answer and I think we’ve done a very good job on that…although the customer will have the final say.
Has there been any market ratification of that concept?
That’s an interesting note. The Biden administration just released its strategy to shift the U.S. Government toward a “zero trust” approach to cybersecurity which established unstructured data security and access management as one of five pillars of its new cybersecurity approach. I am glad to see the CISC finally getting around to the same conclusion that I did five years ago: protecting data, which is the ultimate crown jewel of any enterprise, governmental or corporate.
Can you tell us about APF Technologies and how it was founded?
APF Technologies was established four years ago after I developed a sketch of what the UDS could be. The APF name comes from the goal we set to achieve: Always Protect Files. We founded the company with our own savings and funds from family and friends, because those were the only people who believed in me and my ideas. As I mentioned, to many in the industry, securing unstructured data in place is an unsolvable problem.
I am an engineer who knows that it’s better to build a successful solution than it is to try to convince people of a miracle. To their credit, this isn’t a small problem to solve nor one with a simple solution. Think of the challenges we face: an average company might have hundreds of millions of files, and large ones could have hundreds of billions more and even trillions. Those files are scattered on the devices those companies deploy, which can easily add up to hundreds of thousands, and files are being moved constantly through email, backups, and uploads/downloads to and from clouds. Additionally, those files are useful only if they can be easily accessed by appropriate users when and where they need them.
So now we have volume, dynamics, and real time access control to deal with while maintaining file protection…did we pick the toughest problem or what?
I must admit that it isn’t easy to run a software company on a shoestring budget. Fortunately, we were able to take advantage of the programs provided by 1871, the famous Chicago technology incubator of which APF is a member company. It affords us the ability to build and test our solutions on both the Google Cloud and Amazon Web Services (AWS) to scale billions of files.
What services does your business offer?
That is a great question. APF offers subscriber-based SaaS service to enterprises and governments through UDS. UDS provides ubiquitous protection to every file on every device. When a business contracts our UDS service, we build an independent and unique solution for the customer on the cloud providers of its choice.
There is no data sharing in any way among customers. Every instance is built with excess capacity and a dedicated business continuity site. UDS is designed to serve hundreds of thousands of users and can be continually expanded to the limits of the cloud provider. With this design, we ensure that UDS service will not be disrupted while the cloud provider is in service.
We also assign dedicated teams to each customer to provide optimal communication and reliable services.
Does APF have any other solutions?
Along with UDS, we also provide Embedded Shield, an SaaS service to those companies who manufacture or integrate embedded devices that run on critical infrastructure. This service provides immutable firmware to counter malicious attacks like “Stuxnet” to prevent devastating damage to the nation’s critical infrastructure.
Can you explain your principal UDS solution a little further?
Let’s start this with market expectations. The newly released strategy to shift the U.S. Government toward a “zero trust” approach to cybersecurity, as described by the White House in Executive Order 14018, adapts the five pillars by the Cybersecurity and Infrastructure Agency (CISA). The most important among those is the data pillar which cites:
- Data categorization and security responses, focusing on tagging and managing access to sensitive documents
- Audit access to any data encrypted at rest
- Comprehensive logging and information sharing capabilities
In simple terms, UDS meets all the CISC requirements in a single application that covers the entire environment. After working on UDS for five years, we are happy to see CISC agree on the same approach, although on a much smaller scale than UDS can provide.
What do you mean by that?
First, UDS allows users to categorize files when they are created, and tag them with designations including classification, compliance status and any other customized information. The tags and classifications permanently stay with the files and every copy made from those files. CISA targets the one file copy housed on the cloud.
Second, UDS encrypts files using one of strongest encryption schemes ever engineered. It uses a random key and IV for each file. There is no master key, password or algorithm of any sort which can be used to reverse engineer the key and IV. Contrast that with cloud storage, which uses a single key to encrypt all the files.
UDS uses a centralized access policy to determine access rights for every user on every file. When access is granted, the UDS client will decrypt the file and open it in the GUI application. UDS keeps every access request to every copy of the file and constantly uses artificial intelligence (AI) to identify anomalies for early warning.
UDS maintains extensive logs on all changes to the configurations. They are available for audit and forensic analysis. UDS-protected files are always encrypted on all devices, and so are all file copies. They are subject to the same access control processes.
Simply put, UDS not only meets but vastly exceeds the requirements from CISA to construct the data pillar identified in its guidelines.
Why is this such an important piece of technology for organizations to have?
If an organization has learned anything from cyber attacks during the recent past, from SolarWinds to the Log4j bug, it should be that moving towards “zero trust” is the only real strategy to survive in today’s digital world. CISA and NSA have provided a clear path for the transition, and the data pillar is the critical element. UDS is the only available solution that defines the data pillar. UDS not only meets all the functionalities outlined by CISA; it also expands the data protection from the cloud envisioned by CISA to all devices, which in our view is a game changer since cloud storage holds only one of many copies of the same file.
By using UDS to protect their data, organization can build the data pillar in the “zero trust” strategy in one easy stop, but the benefits of the UDS don’t end there. Since UDS’s protection includes all devices, organizations can reduce application fragmentation by dropping the data protection applications they are currently using, which further reduces the support resources they need, and the false alert rates they experience. The cost reduction alone makes the ROI on UDS extremely worthwhile.
On this note, we welcome and challenge any organizations to join our efforts. For those who are interested, please contact us for a self-guided demo which takes only about 30 minutes, a testament to UDS’s usability. We will reward those who work with us to perfect UDS with very favorable terms and priority status when they become customers. We are also welcoming cyber security organizations to try their hands in attempting to exploit any possible weakness in UDS.
Finally, what do you think the future holds for the cybersecurity industry?
The past a few years have been the worst nightmare for the cybersecurity industry. There have been no strong responses or new products considering the SolarWinds supply chain attack. Russian malware was undetected and unstopped at more than 400 of the world’s largest companies and many government agencies. Combined, those companies and agencies have deployed every available cybersecurity product, and none of them were able to detect or stop the malware from stealing their data.
Once the malware and copycats infiltrated the affected networks, all locatable data were compromised and/or stolen. The significance of the SolarWinds attack is that it provided a blueprint for future attacks. Today, as an example, many companies are fighting the fallout from log4j bug.
We believe the darkest time in cybersecurity could be behind us, but only if the “zero trust” strategy is adapted and executed quickly. We are glad that the federal government and CISC have begun to recognize the need to protect data and the importance to have immutable applications as part of a “zero trust” strategy, although CISC still believes that data is only protectable when housed on the cloud. UDS demonstrates that APF has what it needs – and more – to defeat the next cyber-attack. Once data is protected by UDS, the damage from cyber-attacks will diminish.
Thank you Jun for your time!
You can follow up with Jun Yu at www.apftechnology.com