Open Standards Meet Industry-Wide Needs

Host Amir Bormand discusses Open Standards with Atul Tulshibagwale, the Chief Technology Officer at SGNL.

Description

In today’s episode of The Tech Trek, host Amir Bormand talks with Atul Tulshibagwale, the Chief Technology Officer at SGNL. Amir and Atul discuss Open Standards and the various factors that contribute to the creation of new standards.

Show Notes

03:39 – Atul explains what Open Standards are.
06:56 – How to determine if a phenomenon could be an Open Standard
11:35 – How can you encourage more people to support your ideas?
15:49 – What are some of the best ways to join in on a project, even if you have little experience?
20:17 – Atul shares his best practices for finding the right Standards body to contribute to.

Atul Tulshibagwale

CTO at SGNL

Meet our guest

Atul is a federated identity pioneer and the inventor of CAEP who currently provides technical leadership at SGNL. He conceptualized the Continuous Access Evaluation Protocol (CAEP), which forms the basis of the Shared Signals and Events working group in the OpenID Foundation.

Episode transcript

Amir Bormand: [00:00:00] On this episode of the podcast I have with me Atul Tulshibagwale. He’s the CTO of SGNL. We’re gonna be talking about an interesting topic that I haven’t covered before, and it’s about open standards and why engineers should pay attention and participate. Atul’s got a deep background in this area.

We’re gonna talk about why standards, and why you should care about them. What are they, how you can get involved. We’re gonna talk about how he developed a standard and he’s gonna walk us through that. And I’m excited to have you on to thank you for being on the podcast.

Atul Tulshibagwale: Yeah, thanks for having.

Amir Bormand: Absolutely. All right, two things before we dive in. Let everyone know what SGNL does, and I know your title’s CTO, but obviously you might wear the hat differently. Let us know what some of those responsibilities are before we dive into the episode.

Atul Tulshibagwale: So SGNL is a very new company. We are just about a year old.

We are working in this area of access management. So what that means: once you have been authenticated by [00:01:00] your employer, what are the things that you could do? And this becomes a really complicated question when you think about the sort of the zero trust, we are doing things where you’re logged into all kinds of cloud services and nothing is in one place as such.

And so what SGNL does is it offers a just in time access management solution. So what that does is instead of having static privileges, or maybe in addition to having static privileges, like your role in your company and all that, we are able to build a graph of your current enterprise activity, and then based on that graph you can write human readable policies, which then you can enforce at the time of access.

So you can say things: a user who belongs in the customer service department may access a particular customer’s data only if they’re assigned to a case that is currently open which relates to that customer. And so that way you can dynamically alter these access [00:02:00] permissions as the enterprise activity changes, right?

So that’s and then obviously all this is audited and you can get very good compliance reports and all that. That’s what SGNL was.

Amir Bormand: Very cool. And I know you’re a CTO. What are some of the hats you wear there?

Atul Tulshibagwale: Yeah, so my role is a little bit detached from the day-to-day sort of product development of the company.

I provide the high level product development, product management kind of guidance, but I mainly focus on the sort of the external representation of the company technic. And then also I am very active in the standards body. So that’s a big part of my job. And we think that standards are critical to SGNL’s success.

And so from that point of view, I’m active in both the OpenID Foundation and the Internet Engineering Task Force, or IETF.

Amir Bormand: Awesome man. I like it. I think this is a great topic. It’s in your wheelhouse and I think it’s interesting [00:03:00] cuz obviously engineers deal with different varying standards, whether they are aware of it or not, and you mentioned when we were talking earlier, before the show, we talked about why engineers should pay attention to it. I guess before we dive in, let’s actually start at the real top just to set the stage for everyone and talk about what open standards are and maybe use that as a jumping off point.

Atul Tulshibagwale: Open standards are a way in which everyone in the industry agrees that this is how we are going to communicate with each other, or we are gonna interoperate with each other. And that could be something like the USB standard that we all use. Or it could be something very specific to an area, like you do SAML for single sign on, which is a very common way of doing things.

These are standards. Now, the open part of it comes from the standards body being a body that is open for all. It has specific governing policies. It has a governing board [00:04:00] and rules that do not prevent people from contributing, from influencing the standard. And it has generally a democratic, consensus based approach to evolving a standard.

So that’s what open standards are.

Amir Bormand: Awesome. And I guess, when I think about that I think about the open standards are defined for me and I use them. Obviously a lot of the stuff that you see, you mentioned USB, a user would never think about it.

I’m not an engineer, but I never think about, how’d I get involved. But, and I know you’re very deeply involved in standards and whatnot. Like when, from the outside looking in, when if you’re an engineer and you’re like it’s an interesting area, getting involved seems interesting, but I don’t have the time commitment.

Like how does that look? And we’re assuming someone who’s never been involved in open standards development or contribution of any kind. 

Atul Tulshibagwale: Yeah. Certain areas may be more demanding of open standards than. But you could analyze in your idea whether it makes sense for something to be [00:05:00] done in a way that everybody can interoperate with each other no matter who the vendor is.

Like when you buy a USB device, like the speaker and the microphone and speaking on it does coming from a completely different vendor than the monitor it connects to, and then that is a different vendor than the computer that it is connecting to, right? So all this works only because of the open standards, and in your area of work, when as an engineer you’re working on something, you gotta ask the question whether it makes sense for this to be an open standard.

Because hey, this is not something that we derive a business advantage from, but it is actually something that can enable the market. That where we can provide a very good service of product. Okay. So that could be a good way to figure out if what you’re doing is something that can benefit from open standards.

Amir Bormand: I’m just of curious cuz I’ve Yeah it’s interesting, you’re right. If you’re seeing, if you’re observing a phenomenon that might actually, extend [00:06:00] past your company and actually benefits the market. That’s one thing to maybe see that, but to take the next step to actually go, Hey, you know what?

I’m gonna actually do X, Y, Z to see if this is valuable. Cuz we all have ideas, which is which is great, but then it’s the next step of how do you actually go, Hey, I think this might work. And extend that into, just maybe. Yeah may, maybe it’s a false, false positive. It’s Hey, this isn’t exactly something that everyone else needs, but if you don’t explore it, you’d never get there.

If you do observe something like this, what’s, what are some steps to even consider that you should, talk to others, think about open standards? 

Atul Tulshibagwale: Yeah, so I think we do have those situations come along often. And there’s some work that I’m doing in the IETF right now that’s clearly in that sort of area where we believe there’s a need for security of authentication, authorization information at the microservices level, right? Once you have somebody calling your API, then there’s a whole [00:07:00] call chain there that gets created inside your virtual private cloud.

And then that communication is often not secured, in the sense that a service may decide to impersonate a user that is not actually the user who’s making the API call, or they may use a privilege that is not expected out of that call that comes in. And so that kind of security doesn’t exist right now, at least as a standard.

I know certain companies have that internally. And the thing that we are trying to do right now is, hey, does it make sense for this to be a standard? Because every company out there is gonna have a multi-cloud deployment, so they’re gonna have something in AWS, they’re gonna have something in Google Cloud, in Azure.

How do these services communicate with each other in a standardized sort of way so that you don’t have to roll your own sort of security? Every company doesn’t have to roll their own security essentially, and it moves the industry forward. Now, how we went about doing this: we observed the problem, that this seems to be a problem, [00:08:00] and we were convinced that this needs work.

We published a blog post on our own website that, hey, this is why we think this problem needs to be solved. And then we had independent conversations with some of the other key players in the industry. And then we formed an informal working group of, hey, all of these, all of us believe that this problem needs to be solved in an open standards kind of way. And then we came up with a charter, right? A charter document that this is the problem that we’re gonna solve. What are the goals? What are the non goals? How are we gonna go about building the standard and all that.

And then we have currently sort of presented it to the IETF, as, be a part of the OC working group within the IETF, and we’ve got support from that group to be a part of that. And so this is how we’ve come up with a completely new sort of way of doing things just from nothing effectively.

[00:09:00] And this process so far has taken about, I would say, about six months. So I think it’ll still be a long time before we actually have a draft standard that people can start implementing to, but we are making good progress, at least the industry mind share is there. And once you start talking, you have people come up to you and say, hey, our customers are asking for this, and they expect us to provide this capability.

And it’s great that we are working on this because now we can have an offering that is standard based.

Amir Bormand: That’s great to walk through. And I was just thinking as I was listening to you, I was going, man, seems like it would be, is to get others to listen. Because you might actually be, you might have stumbled on something that could help a lot of people, but obviously when you’re small, you don’t have brand.

No one knows who you are. People, are always seemingly skeptical of, all these ideas that everyone always has and getting somebody to buy in is a challenge. So building that followership or getting that next person to buy into the vision, how does [00:10:00] that work?

Just because I know you’ve gone through this, I’m just curious what you’ve seen work or not work from that standpoint. 

Atul Tulshibagwale: Yeah, so that is a very good question. And sometimes there are industry driving factors, right? So long ago when I was involved in this development of the standard called the Liberty Alliance standard, right?

This was driven by a fear in the industry that Microsoft is gonna release a proprietary way of doing things, doing single sign-on, which was at that time I think called Microsoft Passport. And the whole industry kind of rallied behind good ideas that could actually, you know, create a sort of a non-centralized way of doing single sign on.

And that’s how the Liberty Alliance project was born. So there was a driving factor in the industry, which was the fear that one vendor might dominate the market and cut everyone else out. That’s one thing. The other possibility is that, back when I was at Google, I worked on this thing called the Continuous [00:11:00] Access Evaluation Protocol.

Okay. And we put out a blog in Google with the ideas that, hey, this is something that we can potentially do to solve some of the problems we see in the industry, right? The zero trust at all the zero trust architecture, and the response to that blog was enormous. Like I was getting emails every day and we had an informal meeting in Google.

We thought five or 10 people might attend. We had 30 people fly from all over the world to attend that meeting at Google. Now, obviously there’s a portion of this, which is, it was Google and therefore, maybe there was some benefit to doing that. But of course, there is also this thing.

The problem that we were talking about was very relevant, right? And now this fine grain transactional authorization stuff that I’m working on now in the IETF is actually an effort that we started in SGNL, which is a very small company, but still, because the problem is so relevant to everyone in the industry, we are getting [00:12:00] interest from both big and small companies, right?

So some of the biggest companies in the world, as well as maybe some of the smallest ones, are all involved in the development of the standard. So I think the building, the followership, I would say requires a strong need in the industry. It helps to have some credibility in the area of work. Because even though, let’s say I’m not at Google anymore, I have the heritage of having worked on the SAML standard and the CAEP standard behind.

And so that gives a little bit of credibility to this process. But I think, finally if you’re talking the right things, if you get the right people in the industry to listen then you can build that followership. 

Amir Bormand: Yeah, I mean I think it’s interesting cause I think as you kinda, listen to some of that and.

You’re thinking if I was sitting there and I was thinking, how would I start, I think it’s like any community you have to put the IP and content out there. You have to get out there, network, talk to people. It’s a little bit of that sales process where you have to get people to buy in.

You have to sell people [00:13:00] on your idea. Obviously, coming from Google and the two standards you’ve worked on, that gives you some of that built in social. Your next idea, your next standard, people are more willing to listen. But I think when you’re starting out, let’s just say, or you know you wanna participate, maybe even join an existing project so people get to know you.

I’m just thinking if I’m listening to the podcast and I’m like, hey, this sounds interesting. I see these things happen all the time, not all the time, but I see things happen. I’d like to be, uh, involved. Is joining an existing project similar to, I guess how is that, because I’m assuming there’s.

When we talk about standards there’s maybe more formal process. People might be used to jumping onto projects on GitHub or being involved in projects like that. How different or how similar is joining an open standards project?

Atul Tulshibagwale: So I think it’s actually quite similar to maybe joining an open source project where you’re making some submissions to the GitHub repository and then people are reviewing it and deciding whether that needs to be folded [00:14:00] into the main sort of code. Standards bodies are very similar. And so you can find the idea of your work in a standard body that is open and allows participation from everyone, right? And like for example, if you wanted to join the IETF, you can do so as an individual member, right?

You don’t have to have a company, even. And in the IETF there are people working on very important standards that actually don’t have a very big company backing or anything like that. They are sort of small companies or even individuals who are contributing to that standard.

And so you can do that, right? So you can join these standards bodies. You can participate in the mailing list. Sometimes to participate in the mailing list, you may not even need to pay anything to be a member of that standards body. But as an individual or as a small company, typically the open standards body won’t charge you anything that would really cause you a lot of pain.

I think it’s very easy to participate [00:15:00] in any of these standards bodies. The thing that you need to be aware of is that there are intellectual property rules of following this. So you can’t put something in, for example, the IETF list and then say that’s my patented idea. Right?

Because it’s something by way of sending that email or saying that in an IETF meeting, you are actually giving that intellectual property up essentially to the standards body. And which is why the openness of that standards body is important. It doesn’t mean you’re giving it to some other vendor.

You’re just giving it for the hopes at the common good at that point. 

Amir Bormand: And now that you’ve mentioned that, I’m like that’s obvious until you mentioned it. I hadn’t even thought about that implication. But that’s good to know if somebody is gonna, create an open standard they need to maybe realize that’s not gonna be the idea they can patent and make a fortune on.

It’s to actually improve the betterment of the community. I guess you mentioned a few standards, you’ve worked on and some initiatives that you have. Do you know of any good resources, and I know you [00:16:00] could link to them as well for people to start looking at, some of these concepts above standards.

Is there someplace we could direct people? 

Atul Tulshibagwale: Sure. The IETF is a great sort of very broad standards body. We recently had the IETF meeting in London that, I think, 700 or 800 attendees, and it covers areas like even sort of modulation of signals on the wire, like analog signals too, all the way down to number formats and whatnot.

So it’s a very broad body and I think that would be a very good place for the audience to look at standards that may be of interest to. There are specific bodies, like in the identity space there is the OpenID Foundation that I’m also active in where you can actually participate in, let’s say there is a standard about financial API, right?

So this is how financial services can exchange data about users in a privacy sensitive, secure fashion. [00:17:00] And so these kinds of standards are being developed in the OpenID Foundation, which is all about the identity of the user, right? I would think of those as two good starting points.

ietf.org and openid.net, they are the two sort of standards bodies that I would recommend.

Amir Bormand: I think it’s so broad and I think based on what you’re, what you’ve mentioned I think if somebody starts looking for their area of interest, it seems like there’s gonna be an open standards body that probably is related to, this is identity based, but I could imagine there’s tons of areas that maybe we all overlook that, that you could participate in.

Atul Tulshibagwale: Yeah. Yeah. Like for example, I think in the Internet of Things space, I’ve heard of a standard being developed right now called Matter, which is gonna make it much easier for you to have different Internet of Things devices in your home or in your office. Right now if you buy a doorbell from one company, you pretty much have to use their own app and it doesn’t work very well with anything else.

And those kinds of things, all that’s gonna go away with [00:18:00] the development of the standard called Matter. So there are standards bodies like that, which are specific to different areas and you can always find them.

Amir Bormand: I think a super interesting episode. I knew about open standards, but I didn’t know about the involvement in kind of some of the different, yeah, I guess nuances too.

So I appreciate you coming on and sharing. I guess I’d like to ask all my guests this question, and it is: if you could have a future guest talk about a topic or answer a single question, whichever you prefer, what would you like to hear about?

Atul Tulshibagwale: Obviously my gut is to be able to talk more about improving the security of systems.

I think there is a crisis that is happening right now, which is due to numerous kinds of ways of sub supporting systems. People are starting to lose faith and trust in systems, and I would like to bring on a guest who’s leading the charge and in making things more secure, and I think that would be a great topic to cover.

Awesome. 

Amir Bormand: Awesome. If [00:19:00] somebody wants to reach out to you, Atul, and talk about anything you’ve mentioned, they might have questions about being involved in open standards or maybe one of the standards you’ve created, what is a good way of reaching out to you?

Atul Tulshibagwale: So I’m very active on Twitter. My Twitter handle is zero trust.

Z I r o trust. And then I’m also active on LinkedIn. So those are two, public avenues or you could just send me email at Tel signal ai sgn l.ai. 

Amir Bormand: Okay. We will make sure to put some of those handles in our show notes and make sure everyone has access to that. But Atul, thanks for coming on.

Thanks for sharing. I think super informative and I appreciate all your insight. 

Atul Tulshibagwale: Yeah. Thanks for having me. It was an enjoyable conversation. Thank

Amir Bormand: you. That’s it for this episode. Back in different guests, different topic until then. Two things. One, I’d love to get more people talking about improving the security systems improving.

That’s, that is a growing problem. Anyone that’s actually putting in fixes to solutions, love to hear about it. So if you are involved in that space, reach out. Love to have [00:20:00] you on. Second, if you enjoy the podcast, share it with somebody else. Open standards is a pretty interesting area.

Could be good for others to hear about, and drop a rating on whatever platform you’re listening to this podcast. That’s how we’ve been growing organically, so can’t thank you all for doing that enough. That’s it. I’ll see you guys next time. Thank you and goodbye.
