As an application developer, it is very important to trust the data you consume. You need to believe that it is secure in order to create an equally secure application. However, this process can be difficult, especially with the challenges and threats in cybersecurity. Fortunately, Ockam offers solutions to make this simple. In this episode, its CEO and Founder Matthew Gregory joins the show to share how they are empowering developers to build applications they can trust. He also talks about the challenges in meeting regulatory requirements in the software industry and what excites him about the future. Tune in to learn more about getting trusted data back and forth between systems and how Ockam can facilitate that aspect.
Ockam: Empowering Application Developers With Matthew Gregory
In this episode, we’ve got an amazing guest who’s also an extreme sailboat racing person. He’s also the CEO and Founder of Ockam, Matthew Gregory. Welcome.
Thanks for having me. It’s good to see you.
We start off every show with our first question, and it’s probably the most important question that we’re going to ask on the show, which is: if cyber risk was a pizza and the framework was the crust, what’s the riskiest topping you’ve seen and what topping would you equate that to?
You pulled the rug out from under me because my answer was going to be the crust. I think the crust is the riskiest part. It’s the thing that makes pizzas different. It depends on your point of view as a pizza eater and how you even get into the situation where you’re eating the pizza in the first place. My answer is the crust.
What would you equate that to? Is it gluten-free or gluten?
To give context, I love making pizza myself and there are three different ways I consume pizza. One, I go to the pizza shop and I buy a pizza with all the toppings I want on it. I’m usually making the decision based on whether I want New York style, Detroit style, Chicago style, etc. The second way I consume pizza is there is an artisan bakery down the street from where I live. They make amazing pizza dough. It comes in a little cellophane wrapper and it’s ready to go.
You let it sit on the counter for 30 minutes, it puffs up a little bit, and you make it into a pizza. I have a big steel plate I cook my pizzas on in the oven. It’s super hot. That’s the second way I make pizza. The third is basically from scratch. You’re picking the flour, yeast, and water. It takes a day. The big variable in pizza is the crust, who makes it, and how you set the pizza up in the first place.
You’re not the first one to respond with the crust but we’ve seen many struggles with different toppings, but you’ve hit the nail on the head. Maybe our question is a trick question in the sense that the framework, we always start with the foundation. To cyber risk in general, if you have it, it’s your plan, but you bring up some good points and that depends on what kind of pizza the consumer or what the business needs.
Also, we’re talking about software development. As a software development team, it’s important to know what abstraction you are in this process. You can go get some platform-type solution that does it all because that’s the appropriate thing or you want to assemble your own and bake it. You could keep going down this rabbit hole of like, “Are you growing your own tomatoes for the sauce and all the herbs?”
You can get to a point where you are milling your own grain, but in the crust, there’s a pretty important part than just buying a pizza or when I go get my pizza crust from the bakery down the street. You can screw up the pizza crust in a lot of ways by basically having yeast that is old or doing weird things. It’s a huge variable. How much water or salt do you put in? Do you put in a little olive oil? How long do you let it sit out? All day long, if I’m down that track, I’m like, “How’s it doing? It’s going a little quick. I need to cool it down. I’ll throw it in the refrigerator for a half hour and then I’ll pull it back out.”
If it’s not going quite as fast, I know everyone wants to eat right now, but the pizza dough is not ready. I want to give it another hour, so everyone has to wait. When you go that route, you end up with a lot of variabilities and it takes a lot of time. There are a lot of levers to control. In the cybersecurity context, if you’re going to go that way, you have to take it back to the point of the context. Do you want to do that? By the way, there’s a great pizza shop half a block down from this bakery where I get my pizza dough from.
I can stay home and make it. I can go to the bakery to get the dough or I can just go get a pizza. Knowing what swimlane you’re in when you’re in the cybersecurity space is important because the hole is arguably infinitely deep compared to where most people are starting off when they start thinking about security, threat modeling, detection, or cryptography. There are people who have spent their whole lives and focus on minuscule little pieces of this. Do you or your team have what it takes to go solve these big problems and is that what your end goal is? Is that what you’re doing? My answer is the crust.
Matthew, in regard to your role as CEO, what keeps you up at night? What are the problems that you see?
You’re asking me all the questions. That’s another trick question. There is not much that keeps me up at night. It’s not that I’m dodging the question but I have this philosophy of controlling the controllables and don’t worry about the rest. If there’s something that’s keeping me up, I evaluate it. Is this something in my control or out of my control? If it’s my control, there’s not much you can do about that. There is no point worrying about it. Focus on things you can control and the stuff that I can control, that means I can control it so I go work on it. Usually, working on it makes me sleep better.
What challenges do you see in meeting regulatory requirements in the software industry right now? Are you seeing any of those types of challenges?
We’re a little upstream from thinking about regulations specifically ourselves. People can use Ockam to solve regulatory challenges. I feel like we’re a little bit upstream from that because we’re a tool that people use to build secured-by-design systems. If your system is secured by design, then in all situations like HIPAA or any financial compliance or GDPR, we’re fixing some of those holes in other people’s systems.
Tell us a little bit about that. What does Ockam do and how does it fix those?
We’re a tool that developers use to build end-to-end encryption and mutual authentication between any two applications that are running anywhere in the world. It’s a difficult problem to go solve. I would argue and to take this back to the original question about the pizza, we’re the pizza dough from the bakery solution. We’ve assembled all the ingredients and packaged them up for everyone. That’s what we do.
Is that software to software or a hub and spoke? How does that work?
We believe that it’s important to have trust between applications to the application layer. We believe in the concept of zero trust. As an application developer, you should not solely rely on the network or security layers to keep your application secure. We are a protocol that happens at layer seven. If we feel it is being written now, we go into the shift-left movement also. If you’re building an application, you are responsible for delivering data to wherever it needs to go. When you are consuming data, you should trust that it’s being delivered to you in a reliable way. It’s your responsibility as the person building that application. We make that simple for that application developer.
By doing that, what kind of applications are you seeing built on this that you can talk about? How are things now when people are using your solution?
There are two big use cases that we see. I’ll talk about the one I’m most excited about because of its most recent launch. We launched a product integration with Confluent Cloud and Kafka. We can do end-to-end encryption through Kafka and Confluent Cloud without the servers running Kafka or Confluent Cloud seeing any of the data. That’s one use case.
The other is anyone that has a remote application that needs to write to and/or read from a database. There’s a lot of configuration setup. There are ways you can screw it up and we make that very simple by essentially creating an inlet and outlet in the private networks so that the data can leave the private network and then enter the other private network. You can have these security guarantees that have been tampered with, spied upon, replayed, etc.
Are there any events that people can go to to learn more about this, your solution, and the problem?
We do everything asynchronously and virtually. We have a lot of content on our documentation page, Docs.Ockam.io. We have a Discord channel where we engage with the community. All of our code is open source. We have GitHub discussions. Also, physical events we usually go to. We’re coming out of COVID and we’re a young company. It’s more of a forward-looking statement than what we’ve done in the past, but we were at AWS re:Invent. We’d go to some of the bigger conferences.
Are there any books that you would recommend?
I have a stock answer to this. There are two books I like. The first one I was introduced to was when I was at Microsoft. It was something that Satya had everyone read. It’s a good way of starting with oneself. It’s a good place to start. It’s called Mindset. It’s about growth mindsets and having a growth mindset first and a fixed mindset.
It’s coming at things from an individual level and realizing that the amount you can learn and change yourself is without bound. It’s only a matter of having this mindset around like, “I’m going to go learn that. I’m going to go try that,” and then realizing that other people have this also. That because someone said something now, it doesn’t mean that they can’t grow and develop also. That also is a key part.
As a team builder and in my role as CEO, it’s a matter of bringing people together that have a growth mindset so we can all learn together and collectively bring all of our experiences wherever they may come from. The book Mindset does a very good job of challenging people. There are challenging ways of thinking, which might be perceived as growth-oriented, but are fixed. It’s one place to tell people to start.
The other book I like is Measure What Matters. I also think it’s very important when working from a team point of view to align everyone going in the same direction. I could even map this back individually. I do individual OKRs a lot of times because I get into the future feel of like, “I haven’t made that much progress or I haven’t done this.” There are all these things I feel like I haven’t done. It’s like, “What did you say you want to do six months ago? I’d checked the boxes on these. I’m making progress.”
It’s a good feedback loop for feeling that things are getting done and making sure individually and on the team that everyone is pulling in the same direction. It’s like work equals force times distance and there’s a little arrow over the force and where you’re trying to go. OKRs are not a perfect tool when we even on our team do our own style of them. It’s a good place to start and modify the right size for your team and style as you see fit.
I think everybody who’s read that book has to customize it a bit. Those OKRs and KPIs, the measurings, and all of those changes. No matter how many dashboards you build within the business, you’re always checking those things and seeing how you’re doing.
The other problem is you’d spend your whole time doing OKRs and KPIs and insert 50 other acronyms in here and you still have to go do them. It’s taking on enough work that it is beneficial, but not overbearing or over waiting for what you need to get done. There’s a point where you have to say, “Good enough and this is the way we’re going to do it.”
There is no paralysis in my analysis as well. Matthew, what excites you about the future? What do you see happening in the software industry and the communications between these?
I love the growth and the potential of everything that we’re all building and everything that people reading this are building. You asked about events and we’re in a mode right now where people are bummed out about the economy. Silicon Valley Bank just crashed. People are getting laid off. It’s like, we’re in this recessionary thing. My impression of going to re:Invent, people talking about cloud computing, and what we’re building still looks infinite from where we’re currently standing.
There’s so much to be done. There are so many people working on such cool things, the confluence of all these things coming together, and building the systems. We all have to realize the vision we have for the future where machines and people are interacting with machines, applications, and the cloud. All this data is usable in a compatible way so that we can have these more autonomous systems.
Everyone is jumping into AI right now. Imagine what that looks like when you have the data and the connectivity across platforms with the right permissions and only so much permissions without giving everyone all your data. There are many dimensions of this Rubik’s cube as you spin it around. You can think of all the cool stuff we get to build for decades. I’m not worried about what I’m going to do 10 or 20 years from now. There is still so much to build and as a builder, that excites me. I think there are a lot of cool interesting problems. As we solve some, it opens up doors to go solve the next set of problems.
Walking hand-in-hand in that, the cybersecurity industry as well as the software industry, there are lots of new challenges that are going to be created by both AI and the future. We haven’t been able to solve a lot of these problems in the past because it’s ever-evolving and I think that’s going to continue regardless of AI or other new technologies.
Not to be nostalgic, but I remember the very first AWS re:Invent conference.
I may have been there. I’m not sure if I was at the first one or the second one. I was at Heroku at that time. We were a huge AWS customer. I went to the first one or two, so we may have been there together.
We went to the first one and we were Amazon partner number 60-something at that time. We were one of their very first partners. John, maybe you remember better than I do, but there were a lot of people there. I remember being surprised by how many people were there. I consider it their inaugural conference. We talk about in general the future and maturity of utilizing what we call it now the cloud. How is that going to evolve? How’s that going to change? Back then, there were concerns. Everyone was afraid to use it.
The idea of still building things on-premise was that’s the only way to keep things secure but it didn’t take long for people to figure out that everyone was going to be compromised, whether they like it or not. Even now, you could argue that it’s still the case. Whether something is in the cloud or not, I don’t think that’s an issue anymore for most innovative companies, whereas you still have traditional brick-and-mortar companies that are like, “I’m not putting that stuff in Amazon.” It’s not as often wherever they think they want to put it.
One of the applications for Ockam is you don’t have to worry about your data passing through some cloud because you’re the only one with the keys to the data. I started off talking about this Confluent Cloud use case. Everyone should trust Confluent Cloud, but when you are thinking about your attack surface and stuff to manage, simpler is easier to secure. It’s so obvious. Even though you trust all these intermediaries that you have to deal with to build a complicated system, you should, but control the controllables.
If you can make it so you’re not exposed to all of these things because errors happen and people are still involved in the system. There’s an edge case here and an edge case there. You can’t be paying attention to everything all the time. Reducing your attack surface is something that is a very prudent thing for people to be doing. Did you, by any chance, go to the re:Invent in 2023?
We haven’t been to re:Invent in years.
I haven’t been in a while either because when I was at Heroku, I went to two of them. I was then at Microsoft so I was in the Microsoft Azure world for a while and it was frowned upon for us to be there. It was not on the event list I went to during that period of time. I started the company and was focused on getting Ockam up and going so I missed a couple more and then COVID. Being back in 2023 was like, “Wow.” Let’s round-up. It was ten years removed or whatever it’s been was like, “What a conference.”
There are a lot of different vendors that are doing these conferences but it’s very representative. It’s like jumping back into the conference world after having been not going to conferences because of COVID. The companies that used to be around many years ago are so much bigger and the amount of stuff that people are building and the tools are available. Also, seeing it all on the conference floor, the amount of space in the conference, and the people that are there. It was very impressive to get that reminder of how big our industry is and how many people are building cool and very important pieces of tech stacks that we all use. It’s a great time to be alive.
Matthew, you touched on it, but why don’t you tell us a little bit about your history? How did you get to start your own company? What steps did you take?
I’ve been fairly entrepreneurial for most of my life probably going back to starting a paper route in a new subdivision back when I was 9 or 10 years old. I started my career off in professional sailing. I was part of two America’s Cup teams. I was tasked with building data logging, instrumentation, and sensing systems. You call it IoT before IoT. We are moving a lot of data between boats of different platforms. This was a distributed data logging collection system. Anyone that’s watched the Netflix series about Formula 1, it’s that sort of stuff where you’re trying to figure out the real-time performance of the boats so you can make adjustments on the fly incorporating weather data. I did that for almost ten years.
It was not just wherever the wind would take you but trying to predict where the wind was going to go and how to deal with it.
Also, how to set up the boat to best take advantage of the conditions you were sailing into, making sure that we’d build models for taking past data to figure out, and given certain conditions. What should our performance be? If we’re not seeing that performance, what settings on the boat can we change to get to the performance as fast as possible? I did that for a little while. I took a small stint. I went to business school and then I went from being a builder of systems to a builder of tools for people that build systems. I essentially became a toolmaker in the early days of API business models. This was around 2009 and 2010.
I went to Weather Underground. I built a Weather API. If you’ve seen weather on Yahoo, Facebook, Eventbrite, or your phone, it was probably using the weather API I built for Weather Underground. That got me into building tools for people that build systems. My next step was at Heroku. I was probably one of the top first 25 people on that team. I came right after Salesforce acquired the company, and that was my launch into the cloud world. That how I’m supposed to reinvent those early days.
From there, I went to Microsoft right after Satya took over as CEO. Essentially, this Red Team was created to figure out, “This Windows PaaS thing isn’t quite what we wanted to be. How do we shift into infrastructure IaaS that can run open-source applications?” It’s so culturally difficult for Microsoft to do that, particularly coming out of the Ballmer years. They put together this group of us, specifically people not from Microsoft to go figure out how to build Azure into what it is now.
Now, you’re the CEO and Founder of Ockam. You’re providing end-to-end encryption software. Is it a library? Is it services? Tell us a little bit more about what that is.
The protocols and the core of the system are all open source. Essentially, it’s the pulling in ingredients. We didn’t roll our own crypto. We’re using Noise Protocol. We’re using a lot of best practices that people should be doing, but how many people know how to build complete systems like this? The answer to this question is, “What does it cost and how long does it take?” We spent about $7 million to $8 million in 4 years and had to build a completely distributed team to find the talent at a global scale to figure out how to build this thing.
That is all open source. It’s on GitHub. I encourage people to go check it out. We productize it by turning it into either package and then running it as a service. Ockam packages are the delivery of that software in a usable state. I’ll go back to that dough example from before. It’s wrapped in Saran wrap and handed to you. We have a product that runs in AWS. It’ll eventually be available in Azure and Google. It’s called Orchestrator and it does a lot of the orchestration. If you think of applications now, keep in mind, we’re a layer seven. You have ephemeral services that are spinning up and down. I like the management of all of that stuff.
If you squint a little bit, I put it in the category of a mental model that some of your readers might have. It is a little bit like the things that service meshes do or maybe even things like Mesos, Kubernetes, or Terraform do with infrastructure. Those types of management of things coming online, key exchanges, identities, identifiers, moving of messages, and all those types of things. If you want to run Ockam’s protocols at scale, you need the Orchestrator and that’s the service that we provide.
Matthew, if you could go back in time and give your younger self advice, what would that advice be?
It’s a long list. I feel like you’re asking me all the questions I have contrarian points of view on. I’m one of these people who have the butterfly effect. I like how everything is going so I wouldn’t change anything. I don’t want to disrupt the system. Maybe I’ll tie it back to what I said before. Have a growth mindset, go learn more things, talk to more people, learn other people’s points of view, and probably don’t worry so much. Things will sort themselves out and you got to keep chipping away. Things are built with one little itty-bitty piece at a time. I’d probably say to my younger self, “You’re too young to see the fruits of some of these things. It’s a lot of millimeters adding up to move a mile. You will get there eventually. Just take the next step.”
Where can people find you, Matthew?
I’m on LinkedIn. I’m a little bit more of a voyeur on Twitter, but I am on Twitter. You can find me there. I use my account to repost things that Ockam is doing. It’s applicable to this show. People can get my opinions there. Also, in our Discord channel or in GitHub discussions.
What is your company website?
Ockam.io. Thanks for having me on the show. It is great meeting both of you. The company is built on an open-source project. We’re building in the open. It also means that we’re fairly open to all sorts of discussions, disagreements, and opinions about what we’re doing. I look forward to hearing from you.
Matthew, thank you very much. We appreciate your time. We look forward to using your crust in the future for other customers trying to communicate and get data back and forth between their systems. For our audience, thank you for tuning in. If you’ve learned something or laughed or you want to communicate in an encrypted way, please tell someone else about this show. This has been another great episode of the show. See you next time. Thank you.
About Matthew Gregory
Matthew has a diverse background in cloud-native open-source software development. While at Microsoft he led Azure’s pivot to Open Source. He was at Heroku during his formative years, and he built the Weather API that your favorite weather app probably uses. He is also a former America’s Cup and Volvo Ocean Race navigator.