The DTC Interview: BastionZero’s Sharon Goldberg
Sharon Goldberg and Ethan Heilman founded BastionZero to leverage cryptography in reimagining how remote access to servers, containers, clusters, applications and databases is managed. In this DTC Interview we talk to Sharon about the critical need to modernize how the cloud is secured and explore why, after becoming a tenured professor in Computer Science, she decided to take on a new challenge of founding an enterprise tech company.
DTC led the Seed round investment in the BastionZero team. We’re looking forward to being along for the journey as they build their threshold-based security technologies into a company of consequence.
WHY THIS, WHY NOW
I really like crufty things. My first job out of college was as a telecom engineer at a telecom company. My second job was a telecom engineer at a power company. I’ve been looking at the Internet’s plumbing and finding interesting cryptographic problems there since I started my PhD in 2005. It started out in telecom networking and ended up being a PhD in cryptography and network security by the time I had finished.
So, if you’re asking “why this, and why us,” essentially BastionZero is a very “Sharon and Ethan” thing to do, which is to say “let’s look at something that hasn’t changed in the last 20 years like remote access and let’s see how we can use cryptography to do it better.” And if you think about a bastion host, it’s not a very sexy object. But it *is* a very important object that underlies a lot of our infrastructure.
In cloud security, a couple of things have changed. First, the complexity of cloud and infrastructure environments has increased. There are more kinds of environments and more kinds of targets. What used to be a simple problem of SSHing into targets has now become a complex problem of accessing different kinds of targets in different kinds of places with lots of different protocols. The second thing that’s changed is that SSH is under attack constantly as a protocol. Now you have the combination of more complexity and more aggressive attackers.
There’s a world where there’s a desire to innovate with cryptography and there’s a lot of energy that goes into that. If you think about what’s happened with the deployment of TLS over the last decade, which has been fantastic, lots of little threat vectors and TLS people are locking them down to provide security to most of the internet. It’s an area where there’s innovation, but it’s not like lightspeed innovation.
And then you look at blockchain where there is lightspeed innovation — just insane levels of cryptographic innovation. The baseline in the blockchain space was way beyond what you would see anywhere else.
Most cloud security technology uses very traditional security models that would be considered highly outdated in ecosystems like TLS or blockchain. We think this is a fantastic opportunity.
And then we came into cloud security and it’s behind even where TLS was a decade ago. Specifically, certificate authorities as the root of trust of TLS. In 2011, DigiNotar (a Dutch certificate authority) was hacked affecting the security of the entire TLS ecosystem, including completely unrelated things like Google. There was this relationship that allowed an attack on a certificate authority in the Netherlands to break the security of Google. It’s crazy. Right? So, the TLS community created technology to prevent these types of attacks from happening again. But for me, by 2010, 2011, it was clear that certificate authorities were super outdated as a technology.
And then I go to cloud security and I see, oh, we have a certificate authority. And I’m like, what? So modern. Ethan and I thought clearly that there’s work to be done here.
LEARNING AND INSPIRATION
I became a CEO because I wanted to do something really challenging and grow. I had this unstoppable desire to try to do this – specifically, to run the business side of the company. Ethan (Heilman) and Mike (Milano) run engineering; I’m doing the commercialization.
I’m drawn to the business aspect. I will say though – who am I actually talking to? I’m talking to a bunch of cloud and backend engineers. Those are my people, right? The kind of people that’ve taken my classes and that I’ve interacted with my whole career. So, it doesn’t feel that businessy. It feels like lots and lots of technical conversations.
I made the jump into management through my mentors. I’ve been advised by a lot of former and current CEOs – people who have been successful and have decided to give back by mentoring others. I have been the beneficiary of that on basic things to incredibly strategic business decisions.
“What does a good salesperson look like? What should I be doing for my marketing plan? How do you think about employee compensation?” These are all things I didn’t used to know. Now I do. Thanks to people who have been and have decided to give back by mentoring others.
What’s interesting is that my last job was a professor at Boston University. And a professor is a highly respected role. You’re almost never in the position of having to ask people for things; you’re always being asked. Then I became a CEO and I started running sales. And, you actually are, despite what people may think about CEOs, you’re always asking others for things. That is what you do. You’re asking your employees, you’re asking your customers, you’re asking your investors. So it was a complete shift in how I interact with people that was really good for me.
I could have sat on my academic chair and waited to be asked or I could go out there and make things happen by convincing others and working with others and talking to others. That’s been both really hard but also really cool.
OFF THE CLOCK
Everyone’s always pointing me at these great business books. I read some of them, but not all of them. It almost feels at times like you’re being yelled at by the author, like, “Hey, you built your business the wrong way, do it this way!” There are lessons but sometimes I think you have to trust your instincts, trust what your customers are telling you, and build your business.
I’m always reading. It’s probably strange but I read InfoSec News every night right to relax. I like to know all the little things that are going on in the InfoSec world and I’ve been doing that for years.