What's Up with Tech?
Tech Transformation with Evan Kirstel: A podcast exploring the latest trends and innovations in the tech industry, and how businesses can leverage them for growth, diving into the world of B2B, discussing strategies, trends, and sharing insights from industry leaders!
With over three decades in telecom and IT, I've mastered the art of transforming social media into a dynamic platform for audience engagement, community building, and establishing thought leadership. My approach isn't about personal brand promotion but about delivering educational and informative content to cultivate a sustainable, long-term business presence. I am the leading content creator in areas like Enterprise AI, UCaaS, CPaaS, CCaaS, Cloud, Telecom, 5G and more!
What Does It Mean To Trust A Machine Anywhere
RSAC Season Is Here. Your Certificates Expired Last Month.
RSAC is coming, and I'll be there — so expect more conversations like this one dropping in the weeks ahead.
But here's the thing: the most important security story this season isn't happening on the conference floor. It's already inside your network, running on devices most organizations barely think about.
In this episode, I sit down with OmniTrust co-founders David Sequino and Bill Lattin to unpack what "trust" actually means when CPUs are embedded in everything: cars, medical devices, industrial controllers, payment terminals, routers, and the AI agents that are increasingly making decisions in the physical world, not just on a screen.
We build the conversation from the ground up — starting at the silicon root of trust, then working through secure boot, operating systems, applications, and the network infrastructure that ties it all together. And we get specific about where organizations actually fail. Expired certificates on a switch that drop a VPN tunnel. Static credentials that never rotate. "Fix it later" thinking that simply does not survive contact with embedded and IoT environments. These aren't edge cases; they're common, and they're preventable.
We also draw a line between certificate lifecycle management and identity lifecycle management — and make the case that passwords, secrets, cryptographic keys, and certificates cannot be managed in silos. They're one lifecycle. Treat them as separate problems and you'll have separate failures.
The back half of the conversation puts AI under pressure. It can help defenders move faster, analyze more, and surface what matters. But it also hands attackers new tools: prompt injection, automated attack chains, and "vibe coding" that generates plausible-looking cryptographic implementations that don't actually hold up. Nuance matters in cryptography. Vibes do not.
We close with what CISOs should be measuring right now: PKI posture, SBOM paired with a cryptographic bill of materials, and a credible roadmap toward post-quantum cryptography. Regulation like the EU Cyber Resilience Act and DORA is raising the bar, and "we're working on it" isn't a compliance posture.
Subscribe for more RSAC-ready conversations, share this with your security team, and leave a review if it was useful. And tell me: what's the weakest link in your chain of trust today?
RSAC Preview And Introductions
SPEAKER_01: Hey everyone, we are RSAC bound, and I have a couple of great guests giving us a preview of some of the key themes and topics at RSA this year. David, Bill, how are you?
SPEAKER_00: Great, thank you.
SPEAKER_01: Great to see you. Really intrigued by the mission at OmniTrust. And before that, maybe introduce yourself, David, and um a little bit about your journey over the years at OmniTrust.
SPEAKER_00: Sure. So my name's David Sequino. I'm co-founder and CEO of OmniTrust. We're uh I affectionately call us a work in progress. We're a 15-year-old, um fairly large startup. We just went through a rebrand. Bill and I have been together for 26 years or so, or 25 years, and uh we've been securing things from silicon to now AI. And uh this is our this is our next step in the journey, and uh it's very exciting.
SPEAKER_01: It is indeed really an important time to be talking these topics. And Bill, introduce yourself if you would. And how do you describe OmniTrust these days from your perspective and the kind of problems you're working on?
Omnitrust Origins And Mission
SPEAKER_02: Sure. So uh my name is Bill Lattin. I'm co-founder and chief security architect with OmniTrust. And uh I've been in the field of applied cryptography and information security since 1981. I built some of the very first public key encryptors, some of the very first DES-based encryptors, and uh have been hard at work at securing uh all kinds of information flows uh within enterprises and also, but now with um OmniTrust in particular, uh focusing not just on enterprises, but also on the embedded space and IoT spaces. Uh, because as we know, uh the attack surfaces are increasing. And OmniTrust's mission has really been about helping companies build better products uh from an embedded side, from an IoT uh side, and then expanding up into the enterprise uh to manage uh basically digital IDs for all devices, whether it's servers, uh OAuth tokens, or up into AI, uh into AI agents. And this is a huge thing because you know, if you think about uh well, I've seen the rise of the whole computer industry and the internet. I'm sounding like an old one now. Um but uh, you know, uh it's gone from uh CPUs just being in desktops to CPUs being in washing machines, refrigerators, doorbells, phones everywhere. And the attack surface is therefore greatly increased. And what we've seen through ransomware campaigns, of course, is that attackers are targeting these digital IDs. And so uh they can't be fixed, they can't be static, uh, I mean, programmed and live forever. They need to be managed, and this is where we're coming from.
SPEAKER_01: It's an important mission. And David, you know, OmniTrust, great name. What does the trust part actually mean in the modern enterprise today? Uh, we need we we trust no one, of course. Uh, but where where are we and where are we uh headed?
SPEAKER_00: Yeah, it's it's a journey, right? And it's you know, in in the embedded space where you've got a bunch of headless devices with 32-bit CPUs, we have one advantage. We sort of know what software will run on a sensor that controls a you know uh oil refinery, you know, pump or something. Whereas in the enterprise, whether it's a PC, a server, router, hub, everything wants to be promiscuous, right? So the the transition for us going from embedded to enterprise to AI, right? Omni means everywhere. And and we have this concept of an OmniTrust chain of trust that goes from the silicon to the secure boot OS layer of a device, then it goes to all of the network infrastructure, switches, routers, hubs, firewalls, and then it goes to the cloud. So you've got more and more virtual switches, routers, and hubs. And then you've got physical AI where you're gonna have, you know, planes, trains, automobiles, robots, you know, making decisions, right, in the physical world that have real consequences, where we need to authenticate that agent the same way we would authenticate a secure boot layer, an OS layer, an app layer, a data layer in an embedded device. So OmniTrust is the continuum of trust from the smallest piece of silicon to AI anywhere.
Designing Security Into IoT
SPEAKER_01: That's fantastic. I love to start with the smallest piece of silicon. I'm here at HIMSS, and of course, the Internet of Medical Things is everywhere. So literally we have wearables and endpoints and remote patient monitoring, and these are all such huge attack surfaces. Uh, Bill, you know, when you think about the platform, the OmniTrust platform, what kind of organizations are getting the most value from you guys today?
SPEAKER_02: Sure. Well, just to uh feed into where you're at, uh, you know, uh Dick Cheney, uh former VP, was famously noted for disabling the remote control features on his pacemaker because he didn't want to have somebody kill him. And uh one of the important things and where companies are seeing value from OmniTrust is that uh security needs to be designed in. And this is really OmniTrust's mission, is to help companies think about security upfront. If you think about enterprise security, well, we're always adding on, right? We're adding an antivirus program, we're adding uh endpoint controls, we're adding firewalls. Well, in the IoT embedded space, you can't add on afterwards. It just doesn't work because the CPUs are too constrained, the applications can't take it, there's not enough memory. So, our goal, as David mentioned, is to work with companies to get them to think about security from the silicon layer, right when they start, what kind of CPU should they use, et cetera. And so companies that are realizing benefit from us are medical firms for sure, but also we've done quite a bit of work in the automotive space. If you think about uh, you know, the automotive industry is a classic example where they didn't recognize any any issue with cybersecurity. And then they said, oh, you can only attack a single car at a time and you have to physically attach to it. But then in 2015, you know, it was shown that the Chrysler Jeep Cherokee could be remotely hacked through the cell phone network and not just a single vehicle attack, but the whole class of vehicle attacks where, you know, power steering could be turned off, braking could be disabled. Uh and this really woke up the automotive industry. And so OmniTrust has done a huge amount of work in the uh with uh auto OEMs, helping them build more secure platforms. Uh, we've done the same in the industrial control space, as David mentioned.
Again, this is where uh, as you've seen, if you look at the at the security advisories, uh they're out all the time because a lot of companies haven't thought about how to secure their uh their controllers, their remote devices. And again, it cannot be fixed after the fact. Uh some uh manufacturers of autom of uh control systems are advising their customers they have to do a forklift upgrade. Well, you know, poor security makes for unhappy customers as well as unhappy companies. It's uh, you know, and so uh basically if we can help companies build more secure products out of the gate, then uh it can enable new revenue features for them. It protects their customers, provides a future upgrade path, et cetera. So that's that's really our mission. And and we've been quite successful over the years, but there's uh unfortunately much more to do.
RSAC Claims Versus Real Delivery
SPEAKER_01: Much more indeed. And David, uh, with RSA coming up, we'll switch gears to marketing a little bit. Uh RSA is always full of bold claims and pronouncements and PR. Um, what makes your approach different from all the noise on the show floor and uh delivering you know practical solutions to problems?
Managing Certificates Secrets And Passwords
SPEAKER_00: Yeah, that's a great question, Evan. It always frustrates me to go to RSA and see all the marketing that's out there, right? And it's you know, most of enterprise security and many CEOs of enterprise companies have come out and said, you know, we can't we can't secure the internet. It's it's it's like trying to have say our Navy can secure all the oceans. That's actually not the charter of the Navy. The Navy is there to secure the critical ports, the trade lanes, and the goods and services that go off the trade across the trade lanes. And, you know, when we started this in embedded, we built, Bill and I built provisioning systems for every major semiconductor company in the world. And we we do it today for some of the biggest semiconductor companies. Um, but with that root of trust comes the ability to have the whole device that is being powered by that piece of silicon be secure from design, as Bill just said, through its decommissioning, right? So when it's being operated. So we have we have products to do the security provisioning, we have embedded uh software that runs on the device, and then we have services that once that device goes into the wild, we can do over-the-air update, we can provision it. So when you think about things like the Europeans, you know, CRA, the Cyber Resiliency Act, we meet those standards out of the box with the products we have today. So what we're gonna say at RSA is we're now moving into the enterprise, and there are companies that are doing certificate lifecycle management, but they're doing it poorly because our base DLM trust platform that provisions all these embedded devices at their manufacturing sites, they have switches, routers, hubs between our head end that generates the secrets and our distribution stations that provision it into the device. And we have customers that call us and say, Hey, your DLM trust system isn't working. And I say, I bet you 25 cents it is working.
And they say, Okay, I'll take your bet. So we go and we find the switch, router, hub that has a certificate that's expired and takes down the VPN tunnel that makes a point-to-point encrypted DLM trust supply chain management platform. So we've said, forget it. We're getting into the enterprise, we're gonna do a CLM product, certificate lifecycle management, but we're gonna go one step further. CLM isn't good enough. There are passwords that are being attacked all the time. So we're coming out with a part of our trust lifecycle management platform. We've got DLM on the embedded side, we've got ILM on the enterprise side, identity lifecycle management. And what that means is we can do passwords, secrets, cryptographic keys, and certificates. And as you probably know, there's a hundred times more passwords than there are certificates in devices. So that's where we're going. We're also adding a threat and threat and risk assessment tool we call certify. You'll people will be able to take data sheets or code, put it into the engine, and generate a TARA. And that's fundamental because our issue is the C-suite. The C-suite doesn't understand embedded security, and that's the heart of everything, right? And we are trying to raise the visibility and show everyone that you have to think about this from design. And it's sort of like back in 1999 when CEOs said, if I don't have a presence on the internet, I have an existential threat of existence. And in today's world, every CEO should be saying that about every embedded device that touches their corporate network. And we're focused from end-to-end, from embedded to enterprise.
AI Agents And New Attack Paths
SPEAKER_01: Wow, that's such a compelling proposition. And Bill, uh shifting gears a little bit, AI and animation automation according everything, uh, not just in cybersecurity, but with security teams that are looking at practical ways to leverage AI in their day-to-day. What's your point of view? What still needs to be done, what can be done, what's the best practices when it comes to AI these days from a security team perspective?
SPEAKER_02: Well, that's a great question as well. And it's I I think you know, we're just in the very early days. I I think there are two two different angles on this. I think from the analytic capability for helping a security team improve security across the enterprise, AI can augment that for sure. Uh but you know, AI, as we've seen, uh is full of uh security issues. Uh, you know, when it's running, it's subject to prompt injection attacks. So it's reading your email, the hacker sends you an email with other instructions in there, and your AI agent takes off and does something it shouldn't. Uh so you know, these are it's a brave new era for us. We've heard a lot about vibe coding and so on. And with cybersecurity and cryptography in particular, this is the land of nuance, and great care must be taken. It's a fact right now that vibe coding, AI coding is not best practice coding. And so if you're using it for security, you're likely getting flaws in your code. And so uh, and also implementing cryptography. There are many attacks on cryptography on cryptosystems, such as timing attacks, where if an algorithm uh branches and gives you a different result depending on the ease of computation, uh, and that can be measured, that gives an attacker some insight into a cryptographic key. AI is unaware of these things. And so uh there's there's uh companies need to beware, I guess. Uh AI is my personal opinion is AI is not your friend. Uh it's it's uh it's there. Hackers are using it, right? What is security about? It's about human creativity. Um and so you know, AI is helping defense, but it's also helping the attackers, right? There's a Xanthorox AI that was developed for hackers. Well, the the uh owner of the site says it's for research purposes, but basically you can use it to develop attacks. AI has been documented, Anthropic's been very forthcoming about use of Claude uh in a variety of attacks, augmenting attacks, automating attacks, doing the whole attack chain.
So AI is is definitely uh raising the bar. And uh just one point, you know, getting back to David's comment about uh the rise of the web and every company needing to be on the web. That was true, but it was easy, relatively easy to get on the web. Our mission is to point out to the C-suite that security is is deep and takes thought. And it's not just something that you can like put up a website and say we're secure. You can't make a statement, right? And fortunately, regulation now, like the CRA, like DORA, and others are driving the industry focus to where they must comply. The CRA has penalties of 15 million euros or two and a half percent of your of your uh earnings worldwide. So, I mean, it's very serious legislation, and it's meant to stop people just saying, oh yeah, we're secure. And you know, the medical industry for a long time has has looked the other way. And, you know, they're now caught in a vice. You know, the jaws are being screwed closed. Uh they need to step up. We've seen ransomware attacks, you see attacks against infusion pumps, against implanted devices, and it's because security hasn't been considered from the from the get-go. ISS and OmniTrust, our former name, sorry, I'm still using that. But OmniTrust, you know, we're really focused again, as David said, right from the silicon. And this is about protecting your critical assets, not just in design, but on the manufacturing floor. If you're building in China, you're building in Vietnam, you're building in India, you're building in the US, how do you keep your critical assets secure on the manufacturing floor? How do you know that the correct digital assets are being programmed into your product? If you look at digital picture frames, for instance, they were a great innovation. You put them on your desk, connect them to your enterprise network. Oh, wait a minute, it came preloaded with malware. Or wait a moment, it's got an agent in it that's dialing out to a server to download malware.
This is the stuff that's happening today. And so, you know, companies need to be more proactive and they need to think about this from the get-go. And OmniTrust's mission is to help educate the C-suite, help educate executives about what it takes to build a secure product and keep it secure.
What CISOs Should Measure Now
SPEAKER_01: Wow, that was quite a um statement. A lot to dissect there, and we're gonna have time at RSA to go deeper. A final thought or question, David, if a CISO is walking the RSA show floor this uh next week, you know what's one thing you'd want them to understand or take away about OmniTrust?
SPEAKER_00: Well, I think they can they can understand that they can come to a company that has absolute experts in cryptography from embedded to enterprise to AI and to cloud. So if you think about the CISO's problem, he's got a bunch of employees, he's got an internal network to manage, he's got increasing cloud environments to manage. They have no idea today of their what I'll call public key infrastructure posture, their maturity, right? How many of their devices actually have up-to-date certificates, cryptographic keys? How are they going to transition from standard RSA and ECC to the post-quantum algorithms that are coming out? We have a product called Seek that can go on your network and catalog everything. We can do SBOMs, right? Software bill of materials, cryptographic bill of materials with that product, and show them exactly what their trust maturity uh diagram looks like for their enterprise. And, you know, we don't have small customers. I mean, we have Fortune 50 customers, and so we're we have, you know, five or six of the biggest banks in the world as customers already, but we also have the biggest, you know, we secure 25 car OEM brands, we secure the biggest payment terminals, we secure the biggest industrial controller companies. And, you know, our tagline is right, securing what matters from silicon to AI. And what that means, very simply, is we secure the things that are either going to create loss of life, create brand, you know, destruction, or create revenue leakage. Those are the three fundamental things that we're focused on. So in your car, it's a braking or steering controller, an engine controller, and an industrial controller, it's managing nuclear power plants or oil refineries and medical devices. It's you know, all the devices that could could have real-world consequences.
RSAC Meetup And Closing
SPEAKER_01: Indeed. Well, that's just uh a mic drop moment. So on that note, I'm gonna wrap it up. And um, I look forward to meeting you and the team at RSAC and learning more. Uh, thanks so much for joining. You bet. Thanks, Evan. Really appreciate the time so much, Evan. See you in a couple of weeks. Thanks, everyone. Yeah, thanks everyone for listening and watching and sharing this really important episode. Also, let's connect at RSA and check out our TV show, techimpact.tv on Bloomberg Television and Fox Business. Thanks, everyone. Thanks, guys. Thanks, Evan. All right, cheers.