Myota appoints CISO as it touts shard-based data protection

Ultra-secure storage company Myota has appointed a chief information security officer (CISO) to help sell the idea that encoded and distributed metadata is needed to protect data from ransomware.

Jim Walker

The company's patented zeroBucket technology shards separately encoded data and metadata across geographically distributed computer systems, rendering the data immutable and resistant to ransomware. It also makes it unnecessary to back up data lakes, claiming a 50 percent or more saving on storage costs. Its Shard-and-Spread technology was invented by co-founder Jaeyoon Chung at Princeton University, who then set up Myota – a play on "my iota" – in 2016 with vice chair and CEO Stephen "Trip" Koury. Chung was then head of engineering. Now Jerry Hoff, with a CV history of security exec positions at NTT, Sony, and Morgan Stanley, has been hired as CISO.

Myota CEO Jim Walker said: "Jerry's combination of deep technical expertise and real-world experience in highly complex enterprise environments makes him an exceptional addition to our leadership team. As we continue to scale, his leadership will be instrumental in advancing our vision of delivering true cyber resiliency without reliance on legacy redundancy models."

Walker has been Myota's chairman since 2016, its CEO since 2022, and is also the exec chair of Zoomi. This table gives a quick review of the company's history:

Myota founding, CEO and funding history.

This shows dribs and drabs of funding. Its exec roster is idiosyncratic, with a CEO, president and chief hacking officer (Gabriel Gumbs), Chung as an inventor, Sergey Slippenchuk as CFO, Michael Wright as head of product, and Cory Retherford as head of customer experience, IT, and compliance. There is no identified sales head. LinkedIn lists 21 employees, all in the US. Customers include private equity firm Sun Capital and the Clinical Data Interchange Standards Consortium, a global standards development organization in the clinical research industry.

We see Myota as a small operation that took in seed, and then a two-part Series A round of $5.8 million in 2021, followed by three top-up rounds. One possible reason for its relatively slow progress is that its technology is hard to place in terms of market fit.

The main concept is that current storage schemes with metadata and encoded data are susceptible to ransomware and hacking whereas Myota's scheme, with separately encoded and distributed data and metadata, is not.

As we first understood it, Myota's Shard-and-Spread technology encrypts, fragments, and distributes data across multiple locations at write time. So there will be metadata recording which shards constitute which file, and the storage controller uses this metadata. How is that different in principle from any erasure coded technology or RAID tech, which has the same storage controller central metadata store? Screw with the metadata and the shards are lost.

Gabriel Gumbs

Gumbs corrected this view, telling us: "RAID and erasure coding protect against hardware failure within a system you already control. Myota protects against an attacker who has already gotten in. The difference is that Myota's shards are spread across locations with separate authentication, every file and its metadata are encrypted with a quantum-resilient mechanism before anything is written, and individual shards carry mathematically zero information about the original file. Destroying the metadata is an availability problem, not a ransomware problem – you still cannot read or reconstruct the data."

"On the 'screw with the metadata' attack: that is a valid availability concern, but not a confidentiality or ransomware problem. You cannot read or ransom data you cannot reconstruct. With RAID and erasure coding, the same attacker who corrupts metadata can also read the data. With Myota, those are two different attacks requiring two different sets of access across two different trust boundaries, against encrypted metadata that is itself quantum-resilient."

"The mathematical basis is also distinct. Information-theoretic secret sharing means individual shards carry zero information about the original file – not hard to compute, but provably zero. Erasure coding chunks contain actual data fragments that leak information even in isolation."
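To make the distinction Gumbs draws concrete, here is an added example (not Myota's code or its patented scheme) contrasting a (k, n) Shamir split over GF(2^8) with a plain systematic chunking: with k=3 of 5 shares the file is rebuilt even when shards are lost, any two shares are uniformly random, whereas every erasure-style chunk is a literal fragment of the file. The sample record in the test is constructed.

```python
import secrets
# Illustrative secret sharing vs. plain chunking; not Myota's code.
def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1: r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a):
    """a^254 is a^-1 in GF(2^8), since a^255 == 1 for nonzero a."""
    r = 1
    for _ in range(254): r = gf_mul(r, a)
    return r

def shamir_split(data, k, n):
    """Per byte: random degree k-1 poly with f(0)=byte; share x gets f(x). Any k-1 shares are uniform."""
    shares = [bytearray() for _ in range(n)]
    for byte in data:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x in range(1, n + 1):
            y, p = 0, 1
            for c in coeffs:
                y ^= gf_mul(c, p)
                p = gf_mul(p, x)
            shares[x - 1].append(y)
    return [(x + 1, bytes(s)) for x, s in enumerate(shares)]

def shamir_combine(shares):
    """Lagrange interpolation at x=0, byte by byte, from any k distinct shares."""
    xs = [x for x, _ in shares]
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for j, (xj, sj) in enumerate(shares):
            num = den = 1
            for m, xm in enumerate(xs):
                if m != j:  # basis L_j(0) = prod x_m / (x_j - x_m); minus is XOR here
                    num, den = gf_mul(num, xm), gf_mul(den, xj ^ xm)
            acc ^= gf_mul(sj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)

def systematic_chunks(data, n):
    """Erasure-coding-style data chunks: each one is a plaintext fragment."""
    size = -(-len(data) // n)
    return [data[i * size:(i + 1) * size] for i in range(n)]
```

Losing a shard here is an availability event only when more than n-k are gone, and a single shard never exposes a readable fragment, which is the property the quote above is contrasting with RAID or erasure-coded chunks.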

The details of the technology reside in US Patent No. 11,281,790, and one of its diagrams is helpful:

Myota Shard-and-Spread patent diagram

Comment

The Shard-and-Spread software has been patented; it's not open source. That means it has to be sold to customers rather than be picked up by developers. The data and metadata shards are stored in existing storage, whether on-premises or in public clouds and their regions. As we understand it, Myota client software receives file or object data to be stored, does its processing on that single large piece of data, then writes it and its metadata to multiple existing storage destinations. What would be a single file write or ingestion process for an on-premises array becomes dozens or hundreds or more of separate ingestion processes by remote arrays. Write time increases.

When the original file or object has to be read, the reverse process takes place and read time could be longer than from a single on-prem array.

Myota has not licensed its software to cyber-resilience suppliers. It's available in the AWS Marketplace, from some MSPs, and Myota is Veeam Ready – Object certified, meaning it integrates as object storage for Veeam Backup & Replication.

Druva, Rubrik, and Veeam offer ransomware recoverability guarantees, without Myota-style separately protected metadata.

Bootnote

Myota's patent abstract says: "A method and system for encrypting and reconstructing data files, including related metadata, is disclosed. The method involves separately encrypting data and metadata as chaining processes and integrating a plurality of encryption/encoding techniques together with strategic storage distribution techniques and parsing techniques which results in the integrated benefits of the collection of techniques. As disclosed, the content data is separated from its metadata, encryption keys may be embedded in the metadata, and in a content data encryption chaining process, the method chunks, encrypts, shards, and stores content data and separately shards and stores metadata, and stored in a flexible, distributed, and efficient manner, at least in part to assure improved resiliency. In addition, the processes are preferably implemented locally, including at the site of the content data or a proxy server."