Episode Summary

The future of cyber resilience lies at the intersection of data protection, security, and AI. In this conversation, Cohesity CEO Sanjay Poonen joins Danny Allan to explore how organisations can unlock new value by unifying these domains. Sanjay outlines Cohesity’s evolution from data protection to security in the ransomware era, to today’s AI-focused capabilities, and explains why the company’s vast secondary data platform is becoming a foundation for next-generation analytics.

Show Notes

In this episode, Sanjay Poonen shares his journey from SAP and VMware to leading Cohesity, highlighting the company's mission to protect, secure, and provide insights on the world's data. He explains the concept of the "data iceberg," where visible production data represents only a small fraction of enterprise assets, while vast amounts of "dark" secondary data remain locked in backups and archives. Poonen discusses how Cohesity is transforming this secondary data from a storage efficiency problem into a source of business intelligence using generative AI and RAG, particularly for unstructured data like documents and images.

The conversation delves into the technical integration of Veritas' NetBackup data mover onto Cohesity's file system, creating a unified platform for security scanning and AI analytics. Poonen also elaborates on Cohesity's collaboration with NVIDIA, explaining how they are building AI applications like Gaia on the NVIDIA stack to enable on-premises and sovereign cloud deployments. This approach allows highly regulated industries, such as banking and the public sector, to utilize advanced AI capabilities without exposing sensitive data to public clouds.

Looking toward the future, Poonen outlines Cohesity's "three acts": data protection, security (ransomware resilience), and AI-driven insights. He and Danny Allan discuss the critical importance of identity resilience, noting that in an AI-driven world, the security perimeter shifts from network boundaries to the identities of both human users and autonomous AI agents.

Links

• Cohesity
• Nvidia
• Snyk - The Developer Security Company

Follow Us

• Our Website
• Our LinkedIn

Episode Summary

As AI systems become increasingly integrated into enterprise workflows, a new security frontier is emerging. In this episode of The Secure Developer, host Danny Allan speaks with Nicolas Dupont about the often-overlooked vulnerabilities hiding in vector databases and how they can be exploited to expose sensitive data.

Show Notes

As organizations shift their focus from training massive models to deploying them for inference and ROI, they are increasingly centralizing proprietary data into vector databases to power RAG (Retrieval-Augmented Generation) and agentic workflows. However, these vector stores are frequently deployed with insufficient security measures, often relying on the dangerous misconception that vector embeddings are unintelligible one-way hashes.

Nicolas Dupont explains that vector embeddings are simply dense representations of semantic meaning that can be inverted back to their original text or media formats relatively trivially. Because vector databases traditionally require plain text access to perform similarity searches efficiently, they often lack encryption-in-use, making them susceptible to data exfiltration and prompt injection attacks via context loading. This is particularly concerning when autonomous agents are over-provisioned with write access, potentially allowing malicious actors to poison the knowledge base or manipulate system prompts.

The discussion highlights the need for a "secure by inception" approach, advocating for granular encryption that protects data even during processing without incurring massive performance penalties. Beyond security, this architectural rigor is essential for meeting privacy regulations like GDPR and HIPAA in regulated industries. The episode concludes with a look at the future of AI security, emphasizing that while AI can accelerate defense, attackers are simultaneously leveraging the same tools to create more sophisticated threats.

Links

• Cyborg
• OWASP LLM Top 10
• Snyk - The Developer Security Company

Follow Us

• Our Website
• Our LinkedIn

Episode Summary

Can multi-factor authentication really “solve” security, or are attackers already two steps ahead? In this episode of The Secure Developer, we sit down with Paul Querna, CTO and co-founder at ConductorOne, to unpack the evolving landscape between authentication and authorisation. In our conversation, Paul delves into the difference between authorisation and authentication, why authorisation issues have only been solved for organisations that invest properly, and why that progress has pushed attackers toward session theft and abusing standing privilege.

Show Notes

In this episode of The Secure Developer, host Danny Allan sits down with Paul Querna, CTO and co-founder of ConductorOne, to discuss the evolving landscape of identity and access management (IAM). The conversation begins by challenging the traditional assumption that multi-factor authentication (MFA) is a complete solution, with Paul explaining that while authentication is "solved-ish," attackers are now moving to steal sessions and exploit authorization weaknesses. He shares his journey into the identity space, which began with a realization that old security models based on firewalls and network-based trust were fundamentally broken.

The discussion delves into the critical concept of least privilege, a core pillar of the zero-trust movement. Paul highlights that standing privilege—where employees accumulate access rights over time—is a significant risk that attackers are increasingly targeting, as evidenced by reports like the Verizon Data Breach Investigations Report. This is even more critical with the rise of AI, where agents could potentially have overly broad access to sensitive data. They explore the idea of just-in-time authorization and dynamic access control, where privileges are granted for a specific use case and then revoked, a more mature approach to security.

Paul and Danny then tackle the provocative topic of using AI to control authorization. While they agree that AI-driven decisions are necessary to maintain user experience and business speed, they acknowledge that culturally, we are not yet ready to fully trust AI with such critical governance decisions. They discuss how AI could act as an orchestrator, making recommendations for low-risk entitlements while high-risk ones remain policy-controlled. Paul also touches on the complexity of this new world, with non-human identities, personal productivity agents, and the need for new standards like extensions to OAuth. The episode concludes with Paul sharing his biggest worries and hopes for the future. He is concerned about the speed of AI adoption outpacing security preparedness, but is excited by the potential for AI to automate away human toil, empowering IAM and security teams to focus on strategic, high-impact work that truly secures the organization.

Links

• ConductorOne
• Verizon Data Breach Investigations Report
• AWS CloudWatch
• Snyk - The Developer Security Company

Follow Us

• Our Website
• Our LinkedIn