Personal blog of Yzmir Ramirez

When it comes to how humans communicate with each other or with machines, voice is a major interface, with growth in the latter fuelled by the rise of artificial intelligence, faster computing technology and an explosion of new devices — some of which only, or primarily, work with voice commands. But the supreme reign of voice has also opened a window of opportunity for malicious hackers — specifically, in the area of voice fraud.

Now, a security startup called Pindrop is announcing that it has raised $90 million to tackle this with a platform that it says can identify even the most sophisticated impersonations and hacking attempts, by analysing nearly 1,400 acoustic attributes to verify if a caller or a voice command is legit.

“We live in a brave new world where everything you thought you knew about security needs to be challenged,” said Vijay Balasubramaniyan, co-founder, CEO and CTO of Pindrop, who built the company (with co-founders Ahamad Mustaque and Paul Judge) originally out of his PhD thesis.

The funding is a growth round aimed specifically at two areas. First, taking US-based Pindrop into more international markets, starting with Europe — Vijay spoke to me in London — and coming soon to Asia. And second, to expand from customer service scenarios — the vast majority of its business today — into any applications that use voice interfaces, such as connected car platforms, home security devices, smart offices and smart home speakers.

To that end, this Series D includes a mix of strategic and financial investors: led by London’s Vitruvian Partners, it also includes Allegion Ventures (the corporate venture arm of the security giant), Cross Creek, systems integrator Dimension Data (“As you grow you want to be able to sell through partners,” Balasubramaniyan says), Singapore-based EDBI (to help with its push into Asia), and Goldman Sachs. Google’s CapitalG, IVP, Andreessen Horowitz, GV and Citi Ventures — all previous investors — were also in this round.

(The latter group of investors also has at least one strategic name in it: Pindrop is already working with Google, the CEO said.)

Valuation is not being disclosed, but in Pindrop’s Series C round in 2017, the company was valued at $600 million post-mioney, according to PitchBook, and the valuation now is “much higher,” Balasubramaniyan said with a laugh. The company’s raised $212 million to date.

The crux of what Pindrop has built is a platform that makes a voice “fingerprint” that identifies not just the specific tone you emit, but how you speak, where you are typically calling from and the sounds of that space, and even your regular device — something we can do now with the rise of smartphones that we typically don’t share with others — with each handset having a unique acoustic profile. Matching all these against what is determined to be your “normal” circumstances helps to start to build verification, Balasubramaniyan explained.

Founded in 2011 in Atlanta, GA, most of Pindrop’s business today has been built around helping to prevent voice fraud in customer service engagements. That business, Balasubramaniyan said, is on the path to profitability by the first quarter of 2019 and continues to grow well, with a voice fraud problem in the space that costs the industry $22 billion ($14 billion in fraud, $8 billion in time and systems wasted on security questions). (Pindrop claims it has stopped over $350 million in voice-based fraud and attacks so far  in 2018.)

Current customers include eight of the 10 largest banks and five largest insurance companies in the U.S., with more than 200 million consumer accounts protected at the moment. 

“There are 3.6 million agents in customer service jobs in the UK, with one in every 89 people in the US in this role,” he noted. “But last year, there there were 4.4 million new assistants added to the market,” referring to all the devices, apps and services that have hit us, “and that’s where we realised that it’s about expansion for us.”

In cases like connected home or office scenarios, some of the ways that these might get hacked are only starting to become apparent.

Balasubramaniyan noted that it can be something as innocent as a little girl ordering an expensive doll house while playing with Alexa (Pindrop is also now starting to work with Amazon, too, as it happens), or something more nefarious like a fraudster calling your answering machine to command your smart home hub to unlock your front door.

But we are unlikely to turn away from voice interfaces, and that is where a company like Pindrop (as well as competitors like Verint) come in.

“Voice-enabled interfaces are expanding how consumers interact with IoT devices in their everyday lives – as well as IoT manufacturers’ ability to offer smarter and stronger solutions,” said Allegion Ventures President Rob Martens, in a statement. “We’re excited about the future of voice technology and see Pindrop as a pioneer in the space. We look forward to working with Vijay and his team to accelerate the adoption of voice technology into new markets.”

More generally, as we see the rise of more voice services it’s only natural that we will start to see more ways of trying to hack them. Pindrop puts an interesting focus on the aural details of an experience as a way of helping to fight that. It’s detail that we often overlook in today’s very visual culture, but it’s also in a way a return to more analogue days.

Balasubramaniyan said one of his inspirations for the startup was a story he read as a child in 2600, the Hacker publication, that stuck with him, about Bell Labs. There, they had a team of blind engineers who could identify problems on a phone line by listening to the dial tone. “They had golden hearing,” he said.

 

Grafana Labs has released an important security update, and as you’re aware PMM uses Grafana internally. You’re probably curious whether this issue affects you.  CVE-2018-19039 “File Exfiltration vulnerability Security fix” covers a recently discovered security flaw that allows any Grafana user with Editor or Admin permissions to have read access to the filesystem, performed with the same privileges as the Grafana process has.

A wave of security startups have built solutions for enterprises that are meeting the challenges of “consumerization”, where IT organizations are tasked with securing a range of devices and apps — some brought in by employees, not issued by IT — that are on the organization’s networks. Today, a startup based out of Israel that is taking a similar approach, but aimed at consumers and the plethora of devices now connected to their home networks, is announcing a round of funding. SAM — which provides a system administered by way of a home or small office/home office internet router to monitor connected devices for suspicious activity — has raised a $12 million in funding.

The Series A includes interesting strategic investors. Led by Intel Capital, the round also includes participation from home security giant ADT, NightDragon (a cybersecurity-focused VC founded by Dave DeWalt, the former CEO of FireEye and McAfee) and Blumberg Capital.

Intel is already integrating SAM’s tech into its hardware, and ADT is evaluating how it can do so right now, said Sivan Rauscher, the CEO who first cut her teeth working on cybersecurity in the Israeli army before co-founding SAM with CTO Eilon Lotem and Vice Chairman Shmuel Chafets.

Prior to this round, SAM first emerged from stealth in February 2018 with $4 million from backers that included Team8, the well-supported VC-company incubator, whose co-founders Nadav Zafir, Israel Grimberg, and Liran Grinberg now also serve as advisors to the startup.

One of the reasons for following that up relatively quickly with more funding is because SAM has already signed some deals and it’s making its way into the market. Rauscher said that the first services using the startup’s tech will go live in Germany, Belgium and UK soon. (She declined to name the telcos that will roll it out, since “they want to keep the element of surprise,” she said.) It’s also already deployed across some 4 million devices by way of Israeli carrier Bezeq.

The company is notable because in the world of cybersecurity, many of the most talented people and companies are focused on targeting the enterprise market. In a way, that is not a surprise, since these typically are larger and more complex networks, and a larger amount of data is more immediately at stake.

(And you could argue that in fact this is also an enterprise play, since SAM is working with telcos to provide services to consumers: “We have an agenda to protect the end user but also the carrier as well,” Rauscher said.)

SAM is coming into the market at a key time.

Home networks are increasingly including a range of devices — not just phones, laptops and tablets; but set-top boxes, home security systems, lighting and fire detection, home ‘hubs’, connected appliances and more. Gartner estimates more than 7 billion connected devices in the consumer market for this year, with that number rising to 12.9 billion by 2020.

But perhaps an even bigger urgency is that home routers — which Rauscher describes as “low-hanging fruit” — have increasingly become a target for malicious hackers. A report from Akamai earlier this year estimated that 65,000 home routers have been accessed by hackers; the US and UK governments have further issued warnings that Russian hackers are lying in wait, using compromised routers to lay out long-term cyber warfare operations.

In that context, while the concept of securing a home router might not sound like as lucrative a target on its own compared to multi-million-dollar enterprise contracts (and the billions of dollars and thousands of data points that are at stake), the wider problem is clearly one that is ripe for addressing.

In a nutshell, Rauscher — also, I should add, notable for being one of a handful of female founders in the world of cybersecurity — says that what SAM does is operate by way of the router, but by identifying and providing security wrappers for every device that connects with the router.

“Our software is agnostic to any home router,” she said, adding that once you secure the router, “you secure everything in the network.” The essence of what SAM does is search out suspicious links into and coming out of these devices, and when it detects them, they are blocked, essentially taking the role of an IT department or presenting an enterprise-style deployment designed to work in the home.

“We were impressed with SAM’s technology and level of security for the home network, which is a critical part of building out the future of 5G,” said Dave Flanagan, vice president of Intel Corp. and group managing director of Intel Capital. “Unlike existing solutions, which necessitate buying a new gateway or replacing it with a secure gateway, SAM’s solution provides end-users security, without them needing to do anything. And for telecommunications companies and ISPs, its AI and machine learning capabilities monitor behavior on the network to detect unusual activity and prevent attacks. With the global market for smart home technology predicted to hit $100 billion by 2020, Intel and its partners know security is essential.”

Encryption has become an important function in the database industry, as most companies are taking extra care to keep their data safe. It is important to keep the data safe on disk as well as when it is moving in the network. This restricts any unauthorized access to the data. These two types of protection are known as encryption at REST for the data in storage, and encryption in TRANSPORT for the data moving in the network.

In upstream MongoDB software, data encryption at rest is available – but in the Enterprise version only. So those who are using the community version and want to implement encryption at rest have to use disk level encryption or file system encryption (like LUKS or DM-crypt) to achieve the same effect. This seems to solve for encrypting the data, but it comes with the added complexity of implementing and maintaining an extra set of operations. We have seen some customers face trouble after implementing the encryption at storage level due to the bugs in the encryption software.

Now the good NEWS!

Percona Server for MongoDB now provides WiredTiger encryption at rest with Percona Server for MongoDB 3.6.8-2.0 in BETA, and it is free to use. This useful feature applies encryption to only the MongoDB data, rather than full storage encryption. More importantly, it requires very minimal steps and is easy to implement when starting the DB. This is available only for the WiredTiger engine now, and can encrypt the data with the local key management via a keyfile. We expect that future releases will support third-party key management and vaults.

How to implement encryption:

The example below shows how to implement WiredTiger encryption at rest in Percona Server for MongoDB:

Add the encryption options below into mongod.conf:

[root@app ~]# grep security -A2 /etc/mongod.conf
security:
  enableEncryption: true
  encryptionKeyFile: /data/key/mongodb.key

By default, Percona Server for MongoDB uses the AES256-CBC cipher mode. If you want to use the AES256-GCM cipher mode, then use the encryptionCipherMode parameter to change it. In general, CBC and GCM cipher modes work differently. CBC is faster and GCM is safer (compared to each other). I found some interesting discussion and benchmark here and here.

encryptionCipherMode: AES256-GCM

Create your key with openssl as below:

[root@app ~]# mkdir /data/key
[root@app ~]# openssl rand -base64 32 > /data/key/mongodb.key
[root@app ~]# chmod 600 /data/key/mongodb.key

Now start Percona Server for MongoDB:

[root@app ~]# systemctl start mongod
[root@app ~]#

How to confirm that you have enabled encryption at rest in Percona Server for MongoDB:

To check whether you have enabled the encryption successfully in the database, you can use the command below to check:

> db.serverCmdLineOpts().parsed.security
{ "enableEncryption" : true, "encryptionKeyFile" : "/data/key/mongodb.key" }

Search for the string “percona_encryption_extension_init” in your log file:

[root@app ~]# grep -i "percona_encryption_extension_init" /var/log/mongo/mongod.log
2018-10-30T10:32:40.895+0000 I STORAGE [initandlisten] wiredtiger_open config: create,cache_size=256M,session_max=20000,eviction=(threads_min=4,threads_max=4),config_base=false,statistics=(fast),cache_cursors=false,compatibility=(release="3.0",require_max="3.0"),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),statistics_log=(wait=0),verbose=(recovery_progress),encryption=(name=percona,keyid="/default"),extensions=[local=(entry=percona_encryption_extension_init,early_load=true,config=(cipher=AES256-CBC)),],cache_size=256M

Hope this helped with how to encrypt your MongoDB data with the Percona Server MongoDB 3.6.8-2.0 package. We will let you know as we make future versions support third-party key management and vaults soon!

Authorisations and encryption/decryption within a database system establish the basic guidelines in protecting your database by guarding against malicious structural or data changes.

What are authorisations?

Authorisations are the access privileges that mainly control what a user can and cannot do on the database server for one or more databases. So consider this to be like granting a key to unlock specific doors. Think of this as more like your five star hotel smart card. It allows you access all facilities that are meant for you, but doesn’t let you open every door. Whereas, privileged staff have master keys which let them open any door.

Similarly, in the database world, granting permissions secures the system by allowing specific actions by specific users or user groups, yet it allows database administrator to perform whatever action(s) on the database he/she wishes. PostgreSQL provides user management where you can can create users, and grant and revoke their privileges.

Encryption

Encryption, decryption can protect your data, obfuscate schema structure and help hide code from prying eyes. Encryption/decryption hides the valuable information and ensures that there are no mischievous changes in the code or data that may be considered harmful. In almost all cases, data encryption and decryption happens on the database server. This is more like hiding your stuff somewhere in your room so that nobody can see it, but also making your stuff difficult to access.

PostgreSQL also provides encryption using pgcrypto (PostgreSQL extension). There are some cases where you don’t want to hide the data, but don’t want people to update it either. You can revoke the privileges to modify the data.

Data modifications

But what if an admin user modifies the data? How you can identify that data is changed? If somebody changes the data and you don’t know about, then it is more dangerous than you losing your data, as you are relying on data which may no longer be valid.

Logs in database systems allow us to track back changes and “potentially” identify what was changed—unless, those logs are removed by the administrator.

So consider if you can leave your stuff openly in your room and in case of any changes, you can identify that something was tampered with. In database terms, that translates to data without encryption, but with your very own signature. One option is to add a column to your database table which keeps a checksum for the data that is generated on the client side using the user’s own private key.  Any changes in the data would mean that checksum doesn’t match anymore, and hence, one can easily identify if the data has changed. The data signing happens on the client-side, thereby ensuring that only users with the required private key can insert the data and anyone with a public key can validate.

Public/Private Keys

Asymmetric cryptographic system uses pairs of keys; public keys and private keys. Private keys are known only to the owner(s). It is used for signing or decrypting data. Public keys are shared with other stakeholders who may use it to encrypt messages or validate messages signed by the owner.

Generate Private / Public Key

Private Key

$ openssl genrsa -aes128 -passout pass:password -out key.private.pem
Generating RSA private key, 2048 bit long modulus

Public Key

$ openssl rsa -in key.private.pem -passin pass:password -pubout -out key.public.pem
writing RSA key

Signing Data

Create a sample table tbl_marks and insert a sample row in that. We’ll need to add additional columns for signature verification. This will understandably increase the table size as we are adding additional columns.

postgres=# CREATE TABLE tbl_marks (id INTEGER, name TEXT, marks INTEGER, hash TEXT);

Let’s add a row that we’d like to validate.

postgres=# INSERT INTO tbl_marks VALUES(1, 'Alice', 80);

We will select the data to store the value into into query buffer using

\gset

  command (https://www.postgresql.org/docs/current/static/app-psql.html). The complete row will be saved into “row” psql variable.

postgres=# SELECT row(id,name,marks) FROM tbl_marks WHERE id = 1;
     row   
---------------
(1,Alice,80)
(1 row)
postgres=# \gset
postgres=# SELECT :'row' as row;
     row   
---------------
(1,Alice,80)
(1 row)

Now let’s generate signature for the data stored in “row” variable.

postgres=# \set sign_command `echo :'row' | openssl dgst -sha256 -sign key.private.pem | openssl base64 | tr -d '\n' | tr -d '\r'`
Enter pass phrase for key.private.pem:

The signed hash is stored into the “sign_command” psql variable. Let’s now add this to the data row in tbl_marks table.

postgres=# UPDATE tbl_marks SET hash = :'sign_command' WHERE id = 1;
UPDATE 1

Validating Data

So our data row now contains data with a valid signature. Let’s try to validate to it. We are going to select our data in “row” psql variable and the signature hash in “hash” psql variable.

postgres=# SELECT row(id,name,marks), hash FROM tbl_marks;    
Row           hash                                                                                                                                                                                                                                                                                                                                                                                            
---------------+-----------------------------------------------
(1,Alice,80) | U23g3RwaZmbeZpYPmwezP5xvbIs8ILupW7jtrat8ixA ...
(1 row)
postgres=# \gset

Let’s now validate the data using a public key.

postgres=# \set verify_command `echo :'hash' | awk '{gsub(/.{65}/,"&\n")}1' | openssl base64 -d -out v && echo :'row' | openssl dgst -sha256 -verify key.public.pem -signature v`
postgres=# select :'verify_command' as verify;
  verify    
-------------
Verified OK
(1 row)

Perfect! The data is validated and all this happened on the client side. Imagine somebody doesn’t like that Alice got 80 marks, and they decide to reduce Alice’s marks to 30. Nobody knows if the teacher had given Alice 80 or 30 unless somebody goes and checks the database logs. We’ll give Alice 30 marks now.

postgres=# UPDATE tbl_marks SET marks = 30;
UPDATE 1

The school admin now decides to check that all data is correct before giving out the final results. The school admin has the teacher’s public key and tries to validate the data.

postgres=# SELECT row(id,name,marks), hash FROM tbl_marks;
    row    | hash                                                                                                                                                                                                                                                                  
--------------+--------------------------------------------------
(1,Alice,30) | yO20vyPRPR+HgW9D2nMSQstRgyGmCxyS9bVVrJ8tC7nh18iYc...
(1 row)
postgres=# \gset

postgres=# \set verify_command `echo :'hash' | awk '{gsub(/.{65}/,"&\n")}1' | openssl base64 -d -out v && echo :'row' | openssl dgst -sha256 -verify key.public.pem -signature v`
postgres=# SELECT :'verify_command' AS verify;
      verify      
----------------------
Verification Failure

As expected, the validation fails. Nobody other than the teacher had the private key to sign that data, and any tampering is easily identifiable.

This might not be the most efficient way of securing a dataset, but it is definitely an option if you want to keep the data unencrypted, and yet easily detect any unauthorised changes. All the load is shifted on to the client side for signing and verification thereby reducing load on the server. It allows only users with private keys to update the data, and anybody with the associated public key to validate it.

The example used psql as a client application for signing but you can do this on any client which can call the required openssl functions or directly used openssl binaries for signing and verification.

Early-stage venture capital firm Shasta Ventures has brought on three new faces to beef up its enterprise software and security portfolio amid a big push to “go deeper” into cybersecurity, per Shasta’s managing director Doug Pepper.

Balaji Yelamanchili (above left), the former general manager and executive vice president of Symantec’s enterprise security business unit, joins as a venture partner on the firm’s enterprise software team. He was previously a senior vice president at Oracle and Dell EMC. Pepper says Yelamanchili will be sourcing investments and may take board seats in “certain cases.”

The firm has also tapped Salesforce’s former chief information security officer Izak Mutlu (above center) as an executive-in-residence, a role in which he’ll advise Shasta portfolio companies. Mutlu spent 11 years at the cloud computing company managing IT security and compliance.

InterWest board partner Drew Harman, the final new hire, has joined as a board partner and will work closely with the chief executive officers of Shasta’s startups. Harman has worked in enterprise software for 25 years across a number of roles. He is currently on the boards of the cloud-based monetization platform Aria, enterprise content marketing startup NewsCred, customer retention software provider Totango and others.

“There’s no area today that’s more important than cybersecurity,” Pepper told TechCrunch. “The business of venture has gotten increasingly competitive and it demands more focus than ever before. We aren’t looking for generalists, we are looking for domain experts.”

Shasta’s security investments include email authentication service Valimail, which raised a $25 million Series B in May. Airspace Systems, a startup that built “kinetic capture” technologies that can identify offending unmanned aircrafts and take them down, raised a $20 million round with participation from Shasta in March. And four-year-old Stealth Security, a startup that defends companies from automated bot attacks, secured an $8 million investment from Shasta in February.

The Menlo Park-based firm filed to raise $300 million for its fifth flagship VC fund in 2016. A year later, it announced a specialty vehicle geared toward augmented and virtual reality app development. With more than $1 billion under management, the firm also backs consumer, IoT, robotics and space-tech companies across the U.S.

In the last year, Shasta has promoted Nikhil Basu Trivedi, Nitin Chopra and Jacob Mullins from associate to partner, as well as added two new associates, Natalie Sandman and Rachel Star.

Egnyte launched in 2007 just two years after Box, but unlike its enterprise counterpart, which went all-cloud and raised hundreds of millions of dollars, Egnyte saw a different path with a slow and steady growth strategy and a hybrid niche, recognizing that companies were going to keep some content in the cloud and some on prem. Up until today it had raised a rather modest $62.5 million, and hadn’t taken a dime since 2013, but that all changed when the company announced a whopping $75 million investment.

The entire round came from a single investor, Goldman Sachs’ Private Capital Investing arm, a part of Goldman’s Special Situations group. Holger Staude, vice president of Goldman Sachs Private Capital Investing will join Egnyte’s board under the terms of the deal. He says Goldman liked what it saw, a steady company poised for bigger growth with the right influx of capital. In fact, the company has had more than eight straight quarters of growth and have been cash flow positive since Q4 in 2016.

“We were impressed by the strong management team and the company’s fiscal discipline, having grown their top line rapidly without requiring significant outside capital for the past several years. They have created a strong business model that we believe can be replicated with success at a much larger scale,” Staude explained.

Company CEO Vineet Jain helped start the company as a way to store and share files in a business context, but over the years, he has built that into a platform that includes security and governance components. Jain also saw a market poised for growth with companies moving increasing amounts of data to the cloud. He felt the time was right to take on more significant outside investment. He said his first step was to build a list of investors, but Goldman shined through, he said.

“Goldman had reached out to us before we even started the fundraising process. There was inbound interest. They were more aggressive compared to others. Given there was prior conversations, the path to closing was shorter,” he said.

He wouldn’t discuss a specific valuation, but did say they have grown 6x since the 2013 round and he got what he described as “a decent valuation.” As for an IPO, he predicted this would be the final round before the company eventually goes public. “This is our last fund raise. At this level of funding, we have more than enough funding to support a growth trajectory to IPO,” he said.

Philosophically, Jain has always believed that it wasn’t necessary to hit the gas until he felt the market was really there. “I started off from a point of view to say, keep building a phenomenal product. Keep focusing on a post sales experience, which is phenomenal to the end user. Everything else will happen. So this is where we are,” he said.

Jain indicated the round isn’t about taking on money for money’s sake. He believes that this is going to fuel a huge growth stage for the company. He doesn’t plan to focus these new resources strictly on the sales and marketing department, as you might expect. He wants to scale every department in the company including engineering, posts-sales and customer success.

Today the company has 450 employees and more than 14,000 customers across a range of sizes and sectors including Nasdaq, Thoma Bravo, AppDynamics and Red Bull. The deal closed at the end of last month.

Just a day after Google decided to drop out of the Pentagon’s massive $10 billion, 10-year JEDI cloud contract bidding, Microsoft announced increased support services for government clients. In a long blog post, the company laid out its government focused cloud services.

While today’s announcement is not directly related to JEDI per se, the timing is interesting just three days ahead of the October 12th deadline for submitting RFPs. Today’s announcement is about showing just how comprehensive the company’s government-specific cloud services are.

In a blog post, Microsoft corporate vice president for Azure, Julia White made it clear the company was focusing hard on the government business. “In the past six months we have added over 40 services and features to Azure Government, as well as publishing a new roadmap for the Azure Government regions providing ongoing transparency into our upcoming releases,” she wrote.

“Moving forward, we are simplifying our approach to regulatory compliance for federal agencies, so that our government customers can gain access to innovation more rapidly. In addition, we are adding new options for buying and onboarding cloud services to make it easier to move to the cloud. Finally, we are bringing an array of new hybrid and edge capabilities to government to ensure that government customers have full access to the technology of the intelligent edge and intelligent cloud era,” White added.

While much of the post was around the value proposition of Azure in general such as security, identity, artificial intelligence and edge data processing services, there were a slew of items aimed specifically at the government clients.

For starters, the company is increasing its FedRAMP compliance, a series of regulations designed to ensure vendors deliver cloud services securely to federal government customers. Specifically Microsoft is moving from FedRAMP moderate to high ratings on 50 services.

“By taking the broadest regulatory compliance approach in the industry, we’re making commercial innovation more accessible and easier for government to adopt,” White wrote.

In addition, Microsoft announced it’s expanding Azure Secret Regions, a solution designed specifically for dealing with highly classified information in the cloud. This one appears to take direct aim at JEDI. “We are making major progress in delivering this cloud designed to meet the regulatory and compliance requirements of the Department of Defense and the Intelligence Community. Today, we are announcing these newest regions will be available by the end of the first quarter of 2019. In addition, to meet the growing demand and requirements of the U.S. Government, we are confirming our intent to deliver Azure Government services to meet the highest classification requirements, with capabilities for handling Top Secret U.S. classified data,” White wrote.

The company’s announcements, which included many other pieces that have been previously announced, is clearly designed to show off its government chops at a time where a major government contract is up for grabs. The company announced Azure Stack for Government in August, another piece mentioned in this blog post.

Quantum computing represents tremendous promise to completely alter technology as we’ve known it, allowing operations that weren’t previously possible with traditional computing. The downside of these powerful machines is that they could be strong enough to break conventional cryptography schemes. Today, BlackBerry announced a new quantum-resistant code signing service to help battle that possibility.

The service is meant to anticipate a problem that doesn’t exist yet. Perhaps that’s why BlackBerry hedged its bets in the announcement saying, “The new solution will allow software to be digitally signed using a scheme that will be hard to break with a quantum computer.” Until we have fully functioning quantum computers capable of breaking current encryption, we probably won’t know for sure if this works.

But give BlackBerry credit for getting ahead of the curve and trying to solve a problem that has concerned technologists as quantum computers begin to evolve. The solution, which will be available next month, is actually the product of a partnership between BlackBerry and Isara Corporation, a company whose mission is to build quantum-safe security solutions. BlackBerry is using Isara’s cryptographic libraries to help sign and protect code as security evolves.

“By adding the quantum-resistant code signing server to our cybersecurity tools, we will be able to address a major security concern for industries that rely on assets that will be in use for a long time. If your product, whether it’s a car or critical piece of infrastructure, needs to be functional 10-15 years from now, you need to be concerned about quantum computing attacks,” Charles Eagan, BlackBerry’s chief technology officer, said in a statement.

While experts argue how long it could take to build a fully functioning quantum computer, most agree that it will take between 50 and 100 qubit computers to begin realizing that vision. IBM released a 20 qubit computer last year and introduced a 50 qubit prototype. A qubit represents a single unit of quantum information.

At TechCrunch Disrupt last month, Dario Gil, IBM’s vice president of artificial intelligence and quantum computing, and Chad Rigetti, a former IBM researcher who is founder and CEO at Rigetti Computing, predicted we could be just three years away from the point where a quantum computer surpasses traditional computing.

Whether it happens that quickly or not remains to be seen, but experts have been expressing security concerns around quantum computing as they grow more powerful, and BlackBerry is addressing that concern by coming up with a solution today, arguing that if you are creating critical infrastructure you need to future-proof your security.

BlackBerry, once known for highly secure phones, and one of the earliest popular business smartphones, has pivoted to be more of a security company in recent years. This announcement, made at the BlackBerry Security Summit, is part of the company’s focus on keeping enterprises secure.

Palo Alto Networks launched in 2005 in the age of firewalls. As we all know by now, the enterprise expanded beyond the cozy confines of a firewall long ago and vendors like Palo Alto have moved to securing data in the cloud now too. To that end, the company announced its intent to pay $173 million for RedLock today, an early-stage startup that helps companies make sure their cloud instances are locked down and secure.

The cloud vendors take responsibility for securing their own infrastructure, and for the most part the major vendors have done a decent job. What they can’t do is save their customers from themselves and that’s where a company like RedLock comes in.

As we’ve seen time and again, data has been exposed in cloud storage services like Amazon S3, not through any fault of Amazon itself, but because a faulty configuration has left the data exposed to the open internet. RedLock watches configurations like this and warns companies when something looks amiss.

When the company emerged from stealth just a year ago, Varun Badhwar, company founder and CEO told TechCrunch that this is part of Amazon’s shared responsibility model. “They have diagrams where they have responsibility to secure physical infrastructure, but ultimately it’s the customer’s responsibility to secure the content, applications and firewall settings,” Badhwar told TechCrunch last year.

Badhwar speaking in a video interview about the acquisition says they have been focused on helping developers build cloud applications safely and securely, whether that’s Amazon Web Services, Microsoft Azure or Google Cloud Platform. “We think about [RedLock] as guardrails or as bumper lanes in a bowling alley and just not letting somebody get that gutter ball and from a security standpoint, just making sure we don’t deviate from the best practices,” he explained.

“We built a technology platform that’s entirely cloud-based and very quick time to value since customers can just turn it on through API’s, and we love to shine the light and show our customers how to safely move into public cloud,” he added.

The acquisition will also fit nicely with Evident.io, a cloud infrastructure security startup, the company acquired in March for $300 million. Badhwar believes that customers will benefit from Evident’s compliance capabilities being combined with Red Lock’s analytics capabilities to provide a more complete cloud security solution.

RedLock launched in 2015 and has raised $12 million. The $173 million purchase would appear to be a great return for the investors who put their faith in the startup.