Welcome to our Blog

The Foundry Files

READ OUR BLOG

Students vs Startups Episode 34: Secure Messaging for All Organizations

Students vs Startups Episode 34: Secure Messaging for All Organizations

studentstartup_logo

Featuring ArmorText

Read Time: 15 minutes

Welcome to Episode 34 of Students vs. Startups. This week, moderator John Gilroy talks with the CEO of ArmorText, Navroop Mitter. With 15 years of experience in identity access, security, encryption, collaboration solutions, and consulting, Navroop and his company created a "next-generation collaboration capability," which operates in the cloud and allows users to exchange messages, files, etc. all at an encrypted level. Read below to learn more about ArmorText, as well as how their services can provide benefits to your business!

[audio src="https://easternfoundry.files.wordpress.com/2017/08/students_vs_startups_podcast_episode_34-final.mp3"][/audio]

If you would like to get weekly updates sent straight to your phone, you can subscribe below on iTunes!

itunes-logo

Thanks to our Sponsor:

trg-radiant-nobg-250x300

Transcript:

John Gilroy: Welcome to Students VS Startups: Showdown in the Potomac. My name’s John Gilroy. I’ll be your moderator today. Let's have a big round of applause for podcast number 34! All right, I can't believe we've survived 34 shows. No one believes it. If you've listened to us before, you know what happened. There's a community of startups in Arlington, Virginia, called Eastern Foundry. They have a big old' meeting room. We took over the meeting room. We got a table. One side of the table, we got students, one side of the table, we got a startup, and they have at it for 26 minutes. We walk out of here as fast friends, or hopefully as close to friends as you're gonna get.

Let's start off with our students. Our first student is Yasir Khalid. Tell us about your background, please, Yasser.

Yasir Khalid: I come from a marketing analytics research and insights background. I have experience in finance, operations, and procurement. I am currently technology management graduate student at Georgetown University.

John Gilroy: So your goal is to get a master of professional studies in technology management from the School of Continuing Studies at Georgetown University. That's a mouthful, huh?

Yasir Khalid: Yeah.

John Gilroy: Well, sitting right next to you is a guy who's got one of those master's degrees. We have Wes Lewis. Wes, your background please.

Wes Lewis: Sure. Hi, I'm Wes Lewis. I'm 14 years of experience in user experience design development and research. I've been an IT consultant for a number of years. I started with a startup of my own. Cerebral Innovations Web Development. That lasted about 7 years. I continued doing that and got into IT consulting for the federal arena. So I've been doing that for some time, now. Glad to be here.

John Gilroy: And Wes is a serial collector of baseball cards or master's degrees. I think master's degrees, huh? And Ikenna is a wannabe graduate from Georgetown. Tell us about your background, Ikenna.

Ikenna: I'm a student at Georgetown in a technology management program. I currently work in community development and looking at ways to apply technology to them.

John Gilroy: Wow. That's good, good, good, good. And on the other side of the table, we have our startup, and our startup's name is Navroop Mitter, and he's the CEO of a company called ArmorText. So, Navroop, ArmorText, what's that all about?

Navroop Mitter: It's what the name implies. It's about secure collaboration. In today's world, we've clearly seen how vulnerable and how valuable your communications are. We've decided it's time to protecting them both in messaging and file share. Hence the name ArmorText.

John Gilroy: Tell us about your background, please.

Navroop Mitter: You know, I grew up in startups out in California. Pre-dotcom era. We went to school for biomedical engineering and decided that was really boring. Got a degree in religion at the same time. Love that. And somehow wound up at IBM in IT security when they had purchased their first identity management product, and my career took off from there. So the last 15 years of my career have all been built in and around identity access, security, encryption, collaboration solutions, and then consulting all around the world. Built three global practices and had quite a bit of fun.

John Gilroy: Now, my question for you is ... I went to your LinkedIn profile, and tell me about "Board Advisors for Ladies America." What's that all about Navroop? Fess up here, buddy.

Navroop Mitter: So I have a really good friend, Lindsey Mask who is the founder and chairman of Ladies America. One day a gentleman that she had been seeing at the time came home complaining that someone had just ripped their new startup a new you-know-what. It turns out, as she heard this suitor's description of what this gentleman had done to their idea, and how he questioned the business model, the finances, the technology, the whole nine yards, she in the back of her mind was going like, "Oh my God, that's exactly what I need as I run through ideas for Ladies America."

IMG_1882 Navroop Mitter, CEO & Founder of ArmorText

So, long story short, she tricks me into meeting up for bourbon and donuts. Whiskey and donuts.

John Gilroy: Oh my God. Whiskey and donuts?

Navroop Mitter: A great way to trick you.

John Gilroy: The whiskey and donuts podcast.

Navroop Mitter: I love whiskey, I love donuts. It turns out I received neither of the two. It was an ambush. Turns out it was actually a board meeting she was actually having with the other board members at the time. I got roped in to sit in and listen in, and at the end she cornered me and said, "Hey, I'm not gonna let you leave until you agree to sit on this advisory board." Interesting tactic. Clearly it worked, because years later we're still fast friends. Still sit on the advisory board. She is the most wonderful person you'll meet here in DC.

John Gilroy: Oh, interesting. So my question to you is, what business problem does your company solve?

Navroop Mitter: Yeah. Great question. If we look back in 2016, it was the first time that a lot of us became aware of how valuable and how vulnerable messaging is. We saw the aftermath of Sony communications that were breached. Private conversations, sensitive conversations were now in the headlines. We saw what happened during the election. Private conversations between Hillary Clinton and other staff members, where even internal conversations at the DNC were now splattered across the headlines. In both cases, the costs were pretty high. No matter which way you fall on the political spectrum, the reality is we know that had and made a difference in the election. Right? So the outcomes were affected.

"What we solve for is the need for companies to be able to have a better collaborative experience."- Navroop Mitter, CEO & Founder of ArmorText

A next-generation collaborative experience that they are chasing after as they move to cloud-based messaging products, while actually solving for not only the outsider threat that's now opened up, potential for data-mining or vulnerabilities around bulk theft of data or subpoenas that bypass your general council, but also it can solve for some of that insider threat, too.

So we created a next-generation collaboration capability, runs in the cloud. Allows you to exchange messages, exchange files, but have a whole new type of encrypted messaging that you weren't getting in your internal communications platforms, and now actually helps you further segment the organization to better protect yourself, even when things do go wrong.

John Gilroy: So Yasir, I'm allow you to takes the first question for this gentleman with a degree in biomedical engineering and comparative religions. Good luck with that.

Yasir Khalid: Thank you. So ...

Navroop Mitter: They do go together, I promise. There's a clear tie-in.

John Gilroy: So like whiskey and donuts.

Navroop Mitter: They clearly go together.

Yasir Khalid: So what makes your product defense from the likes of so many others like Signal,  . .  the countless other messaging and data encryption service providers that have popped up, and yet we still feel like there is nothing that is foolproof, right?

Navroop Mitter: It's a great question. So if we think about messaging in general, right, traditionally messaging is protected using something called SSL/TLS, Transport Layer Security over the wire. Eventually it was on your servers, you handled it. It might encrypt the database on which that information sits, it's all sat behind your firewall. As your messaging moved beyond the firewall and into the cloud, that same security model was being used by all these cloud-based providers. So on the enterprise side of the house, the information that you once protected internally behind your own firewall is now sitting in that same minable form. Same readable form out in the cloud.

There are a lot of consumer applications that provide really good end-to-end encryption. Signal, WhatsApp which actually uses a signal protocol, and a whole host of other applications do a really good job of running end-to-end encryption for consumers. What they lack are enterprise controls, and the kinds of information lifecycle management that you can dictate by palsy. What do I mean by that is, let's say you and I were sharing messages securely. You've lost your device, and your company determines that, "Wait a minute, we need to be able to pull those messages, those files back to make sure they don't get inadvertently breached or leaked out to someone else." How do they do it? Maybe they have an MDM installed, maybe they don't. Maybe your contractor working for someone else, right? You're a consultant, Wes, right?

Wes Lewis: Yes.

Navroop Mitter: If you were working for a customer and they suddenly said, "Hey, come join us in this chat program," they don't have an MDM on your device. You've now lost all those chats. How do they go back and wipe those clean? People have actions that can help remediate different problems as they occur. Lost, stolen, confiscated devices, whether it's a mobile device, a tablet, or PC, or Mac, those kinds of controls are by and large missing from those consumer applications. They were, to some degree, attached to some of the enterprise applications. The marriage of those two areas all in one place will still allow you to maintain the secure and reviewable archives that you need, especially as a regulated industry like finance or healthcare or defense manufacturing. That's something that doesn't actually exist in the rest of the marketplace. We tied all three together.

John Gilroy: Let me jump in here real quickly. So MGM is the movie company, MDM is "mobile device management." Just to throw out ... Some people don't understand these acronyms and some people know, so I just have to clear that up. It helps manage your mobile devices. Wes-

Navroop Mitter: That's the legacy hangover from those IBM days of speaking in only acronyms.

Wes Lewis: Yeah. So I'm sitting here and I'm scrolling through my phone. I promise you I am not texting anyone. That would be really rude.

John Gilroy: Insecurely.

IMG_1886 Yasir Khalid, Wes Lewis, & Ikenna

Wes Lewis: Insecurely. But I'm looking at your website. I came across a line that ... As I mentioned in my intro, I'm really into user experience, design development research, and so forth. And I saw something alluding to the fact that this product has a great UX. How did you go about constructing this application, and how have you vetted it, how have you tested it, how have you iterated on it, and so forth, with regards to the user's experience?

Navroop Mitter: So, I will definitely tell you, it didn't start with a great UX. It started looking kind of like the original Amazon website. A little less than what we see today. It actually starts as a rather barebones, desktop first application, and as we used it, we ourselves knew that there were clearly problems in the UI and the UX. But what really helped us figure out what we need to do next was immediately putting it in the hands of potential customers. We've launched our alpha, we got into the hands of a large telecom, they were running a bake off between us and multiple other companies. All the companies were required to come onsite and on premise with their technologies. We ended up being the only one approved to run in the cloud. They looked underneath the covers, they saw the security model, [inaudible 00:09:49] running the cloud. "You're secure enough. Everyone else has to be on prem."

They immediately, then, turned around and said, "By the way, while you guys nailed security, here's where the UX is a little lacking. Here's what we're seeing in some of the other products. How would you bake those in, give them a security model, precludes some of those capabilities." And we said, "Well, no, no. The whole point of what we're launching on, what our mission is, is to have security and user experience at the very least not disrupt each other, but ideally actually move together in tandem and both improve." Right? Typically, if security goes up, usability goes down. Usability goes up, security goes down. These are diametrically opposed. We wanted the opposite. We either want them to not be detrimental to each other or move in concert together moving forward.

A lot of it was putting it in the hands of those early alphas and then the betas. Ever since then, what we've done to vet it out is we literally sit and listened to the feedback people give during pilots. Because during pilots, before a company has actually adopted the technology, they'll give you the worst of their thoughts on anything. And the biggest compliment we got, just last week actually, we were listening to the CIO of a 1.8 billion dollar company. And they're piloting the technology, they actually kicked off our pilot without telling us what they were doing first. Started downloading the application, they're using it, they're like, "Hey, we need the enterprise controls, can you light those up for us?"

We do. Flew out to go see them. They said, "Look, the biggest compliment I can pay you guys is, this feels like messaging. None of our people knew that this kind of security model and all these different types of encryption and everything else you're doing for this user plus device unique encryption, it's also unique per message, things like that ... None of that was visible to the end user. They didn't see it in terms of time lag, they didn't see it in terms of latency, all the capabilities or features they would want are now there. It feels like messaging. It's intuitive." Once we nailed that, we're like, "Alright, we know what we're doing, now."

And we're still continuing to evolve from there. We're constantly looking at the competition, we're looking at other messaging products, but we're also looking at the way we use the product ourselves, and saying, "Wait a minute, this isn't working." And one of the things we did along the way that a lot of companies I don't think invest in necessarily around here, is we actually picked up an app anthropologist. Yeah, this is amazing, right? This is a young-

John Gilroy: Write this one down.

Navroop Mitter: She comes out of Rackspace, has a background in actually doing anthropological work and study on the way you interact with applications. And all this focused around user experience and UI. Conducts interviews, blind videos, multiple types of interviews both with and without leading questions, the whole nine yards. And she puts together this large book. Ultimately the capabilities people wanted, we had already nailed. We knew what capabilities they wanted. Our roadmap clearly laid out what was gonna come next. But some parts of the form factor were definitely different once we realize how people are actually using it in the field. Once we had to digest all of those videos. So we have employed an app anthropologist in the past, and we're likely to in the future.

John Gilroy: So, Ikenna, we've gone from whiskey and donuts to the cloud to an app anthropologist. Do you have any questions for Navroop, here?

Ikenna: Yeah. Navroop, this sounds really expensive. So, how do you fund all of this? How did you fund this startup? Could you discuss that a little bit?

Navroop Mitter: Yeah, so when we originally got started we were actually on the consumer side of the house. In some ways, even more expensive to fund. All of us who started the company had done well in our careers. I come out of multiple years of consulting, was a senior manager at Accenture, step away from partner. We'd all done well. So we agreed to effectively finance our own lifestyle for a significant period of time. And at the same time, continue to work full-time on the company and the product and everything else we were doing. As we pivoted to the enterprise, we picked up some additional angel investors, and then we went after venture capital. We decided that it was worth it, we had enough proof points, we knew what the technology needed to be, and we went out and we raised venture from both BCs out here, locally, in the DC metro, as well as on the West coast.

John Gilroy: Yasir

Yasir Khalid: What was the incubation period?

Navroop Mitter: Which part?

Yasir Khalid: Like where just you started off and you picked up some angel investors and you developed the product.

Navroop Mitter: So, our consumer lifespan was a little over two years, and that's when we decided we could see the hockey sticks start to occur. Actually, you named off one of the messengers that got started the exact same time as us literally days apart, interestingly enough. And we're looking at the usage curves, and we're looking at everything else, and we're saying, "God, if we stayed on the consumer side, and this is the mission we're going after, more than likely this turns into a non-profit. If we're really gonna do this as a business" ... We always knew we wanted certain capabilities to breach us into the enterprise. Look at our first deck ever. It's actually closer to what we built today than what we were building in the interim for those two years, right? We'd strayed from the mission for a while.

We looked at it and we said, "There's a reason we built up these capabilities and these tie-ins that we worked the enterprise." So we went back to that, pitched that back out to the market, and that period of raising enough capital to get our enterprise pivot off the ground and moving forward ... I think that was about eight weeks. I think maybe with all the wires being completed and paper and everything else, something like ten weeks? And then we went from, "Maybe we should close down," to, "No, screw it, we're gonna go all the way with this." It's probably about an eight to ten week process.

Ikenna: So can organizations ... can they actually use ArmorText to encrypt their messaging apps, or is they need to use the ArmorText messaging?

Navroop Mitter: Yeah, so, great questions. There are some companies out there that will say, "Hey, we've got a solution that lets you pre-encrypt messages. You can drop it onto any messenger you want." When you do that, though, you actually destroy the usability over that experience for the user of that native product. Let's say I encrypt something and I throw it on, for example, Gchat. Google. Gchat, today, lets me go back and search my messages and find what I had spoken about. But if I pre-encrypted it and Google doesn't have access to that key, they can't index and enable you to have search, so suddenly when I go to Gchat, I can't find things. I'm to my archive, I can't see it.

Ikenna: Oh, user ... Yes.

Navroop Mitter: So, it's all about the user, right? The user experience is paramount. What we do is we spend a lot of time talking to guys like Wes in addition to those anthropologists and all these other fancy titles, trying to figure this part out. To answer your question, you could do it that way, but you're gonna destroy so many parts of the user experience. It's better to just build the right product from the ground up with a security so baked into the back end of it that it becomes transparent. And that's what we did. So we have those full text search capabilities, we have all those things that you would expect in these non-encrypted, non-or-less secure environments, and yet we've done the consistent large security model permanently keeping ourselves locked out of the data.

John Gilroy: So it sounds like this fellow went beyond just the screen user interface, and actually does stuff that you do. UI, UX. That's what it sounds like to me as far as just ability to use with Gchat.

Wes Lewis: Right. So it seems, from what I'm hearing, you've taken your product around the entire UI design ... The globally-accepted UI, UX design process from research, design development, test, launch or release, and then just kind of back around the standard product lifecycle, which factors in those various elements of research input, informed decision-making, and coupling it with best practices. I really respect that. Now, with regards to your product roadmap, where do you see yourselves in the next, I'd say, maybe five years? I know that may be a little bit difficult to reach out that far, and if you can't project out that far, then how about the next year or so? What's next for you?

Navroop Mitter: No, great question. We've definitely got a roadmap that extends out pretty far. We're currently building what we call "phase one." ArmorText itself is phase one. Phase two and three are actually based on a rather unique biometric approach that we've designed, and that we actually have patents on already. They're actually seeking more patents for it right now that are all patent-pending, and I think one of them is actually about to be granted right now too. So we're about to do the second one in the space. And

"it's all about bringing increased trust to high-value transactions and sensitive conversations on messaging. It's not enough to say we protected the body or the composition of the message."- Navroop Mitter, CEO & Founder of ArmorText

You really want to know who is behind the screen when critical actions took place. Right? How do I know, Wes, my doctor prescribed 10,000 milligrams of penicillin or wherever it is versus Yasir grabbing Wes' phone and typing that message in instead trying to kill me? How do I know that? Not to say you would ever do that.

Yasir Khalid: Not in a recorded format.

Navroop Mitter: Right. But do you see what I'm saying? You want to have a better sense of trust. While the user experience around that kind of trust-building today is broken. I can't tell you a type of message that says, A, iris scan, D, iris scan, M, iris scan, and every single letter typed on a messenger that says "Administer 10,000 milligrams of penicillin." That would take forever and the user would shoot you for making them go through that user experience. Right? We would see more violent doctors doing that than anything else you . . .

John Gilroy: If anyone had actually completed a message.

Navroop Mitter: Right.  . .  it got one message out. So when it comes to the game of security, you're only as secure as what your people will actually use. So the user experience has to be focused on even more, because if you don't, your people are gonna find other ways of collaborating and getting work done, and they're gonna find a way to sidestep you. And that's classically what's happened in the security space, right? Everyone focused on security at all costs, according to these classic paradigms, and you went for it, and then what happened is people found a way around it. They brought shadow ITN. They went to go work a different way.

So what we're seeing now is this evolution back to saying, "Wait a minute, we need less security products. We need more secure products." Give me the product that actually intended to have, just make it so that it's also secure already. So why don't you go and throw more security on top and destroy user experiences. Give my people something that they will actually use.

"Our longer-term vision phases two and three all relate to increase in trust for high-value transactions and sensitive conversations on messaging."- Navroop Mitter, CEO & Founder of ArmorText

I can't tell you that much more about what that is, because my VCs would kill me.

John Gilroy: Ikenna.

Ikenna: I'm glad you actually brought that up. I work in community development and it's a lot of smaller organizations, and sometimes they don't prioritize cyber security. How do you think your product ... What will smaller organizations or enterprises, how can they use your product or afford it? Because of course they have limited staff, limited resources. Is this something available to them? Is this something you think is important for them? Or is this something for larger organizations?

Navroop Mitter: So, Ikenna, I think most organizations are taking on undue risk by continuing to communicate the way we have in the past. The reality is your e-mail is vulnerable, you're constantly up against potential phishing attacks where the simple compromise of user-known password automatically gives away the keys to the kingdom and everything has stored you've ever communicated. There are a lot of problems with the way that we communicate today. That's true whether you're a small company or a large, global one thousand. Right? We've actually got customers that span that entire range. We've got a customer that's got less than ten people. We've got other customers that are rapidly growing to 4x their initial usage when they told us, "There's no way in heck we're gonna cross x number of seats." They're already at 4x that. They have room to go by another 5x. With another customer, that is about to go 25x their initial deployment. Companies of all different sizes and shapes are coming onboard.

One of the interesting things is part of our value proposition. I brought this up earlier, is that, we give you end-to-end encrypted messaging, we give you secure and reviewable archive. We also give you a really robust policy and informational lifecycle management framework. Those enterprise controls on lifecycle management. To get that kind of power if what you really need is just messaging and file share, you would end up having to deploy something like five to seven other technologies in your enterprise, and the total cost of those would be pretty cost-prohibitive. But if you look at the ArmorText model, it's $14 per user per month, or $168 dollars per user per year. That's pretty affordable for most organizations.

If it's truly a non-profit or smalls, we'll work with them to make sure that they have the protections they need. But if you think about those other five to six products, multiply that cost from anywhere from 6 to 20x, our cost is, suddenly ... We look like a pretty cost-effective option.

John Gilroy: Yasir, you want to jump in?

IMG_1897 Yasir Khaled, Wes Lewis, & Ikenna

Yasir Khalid: Yes. We talked about UI, UX, and the increasing importance of security. Over the past few years there has been a big drive towards collaborative ... Using collaborative tools, like for Slack, and more project management tools, and having a lot of those chat elements form part of the solutions. So does your product has limits to the sort of target market that you can capture?

Navroop Mitter: So, if we think about the messaging world, right, as three concentric rings ... We've got this outer ring that includes consumer messaging. This ring is huge. It's basically an entire planet has access to some form of messaging or another. Four billion people are using some form of messaging at this point. We know the world uses messaging. You've got this inner ring, this enterprise messaging that, just domestically, is probably something like an eight billion plus dollar market. Okay? You think about what the economist said when they were looking at the total adjustment market for one of the larger cloud-based enterprise messaging capabilities or cloud ration capabilities. They said it's 855 million dollars worldwide. Of which, maybe, less than a couple million at best, on every single possible one of these enterprise messengers are actually paying customers now across all of these. So there's a lot of green space left to go after.

If we look at that inner circle, though, which is what we call "secure enterprise messaging," these are folks who want the collaborative capabilities of that broader enterprise messaging market, the products you just named off. But because of either government regulations, their own internal security requirements, or because of the kinds of data they house or where they're located geographically in this world and the laws that they are subject to, they can't use those collaborative capabilities because the security just isn't there. That inner market, just domestically, is probably on a 3.5 billion dollar domestic market.

John Gilroy: Navroop, we're running out of time, unfortunately here. If people want to know more about your company, what website should they visit?

Navroop Mitter: ArmorText.com. A-R-M-O-R-T-E-X-T.com.

John Gilroy: Oh, that's great. We're running out of time here. I'd like to thank our sponsor, the The Radiant Group. If you are interested in getting involved in geospatial projects, contact The Radiant Group.

We are hosted by Eastern Foundry, a community of government contractors who are bringing innovation solutions to the government marketplace. For more information, go to eastern-foundry.com.

If you would like to participate as a student or a startup, contact me, johngilroy@theoakmontgroupllc.com

And thanks for listening to Students VS Startups: Showdown at Potomac.

Subscribe