Introducing J. Trent Adams of Proofpoint, who specializes in the development of internet security and online privacy standards. A cybersecurity specialist, he’s also a part-time film producer and lifelong Star Wars fan (who even fell into a walk-on role in The Force Awakens).
We recently sat down with Trent and had an engaging conversation about his diverse career and deep experience in the field of cybersecurity. As the Director of Ecosystem Security at Proofpoint, Trent is at the forefront of developing technical specifications and strategies that safeguard organizations from an increasingly complex cyber threat landscape.
Throughout this interview, Trent highlights cybersecurity technologies to watch, pointers for email security, and how a domain like .Bank strengthens the defense posture of banks.
In case you missed previous installments of our Executive Interview Series, bookmark these for future reading:
- Lorri Janssen Anessi from BlueVoyant
- John Carlson from the American Bankers Association (ABA)
Let’s get started.
Background and Professional Experience
Q: How did you start your career in cybersecurity?
I guess you could say it started by accident when I helped create one of the first 500 websites. I’d like to think I was prescient, but I just happened to be in the right place at the right time.
While earning my degree in astrophysics at Vassar College, I just wanted to get my work published. But, as any undergrad knows, publishing in the traditional sense is hard, and I wanted to share my research in a way that was easy and accessible.
Fortunately, a guy in my lab happened to know someone who worked with Tim Berners-Lee at CERN (the European Organization for Nuclear Research), and we got an early version of what became HTTP and HTML. That’s how I got my first research published online, without knowing that it would become “a thing.”
After graduating, and a brief stint as a digital effects designer for TV, I eventually became an executive producer for the Kraft Group [Editor’s Note: Trent has three Super Bowl rings with his name on them, thanks to his work for the New England Patriots]. I was initially brought on to produce a daily online video show back in 1996, which was long before YouTube. After more than a decade producing digital media for the Patriots, the Krafts asked me, “what’s next?”
As I thought about it, the question was less about producing yet more content, and more about how to present relevant content to the growing audience—how do they find what they want? The answer was a combination of matching content to personal interests. So the Krafts funded me to look into it, and I realized that two things were necessary for my personalization model to work: identity and privacy.
Once you’ve identified who they are and what kind of media they like, the real question becomes: how do you ensure the privacy and security of that identity? Because you don’t want to just run around with somebody’s identity and hand it out to everybody—it’s vitally important that you protect that information.
So I started working on privacy and security standards to identify the uniquely identifiable individual, and at the same time protect their privacy and secure it. That’s what led me to ISOC (the non-profit Internet Society) where I worked on their Trust & Identity initiative. This was at the time we were developing identity standards such as OpenID, OAuth, and FiDO.
When PayPal brought me on to help develop internet security standards, the first thing I did was to lead the development of DMARC. It was an ambitious project that resulted in an email security protocol that solved a very real problem that PayPal was having: rampant impersonation of email.
From there I helped manage a team of incredibly experienced folks developing security standards. That’s really where I started framing my work in terms of “ecosystem security”, as we all have to work together.
Q: How did you arrive at your current role with Proofpoint?
My personal approach has been to identify standards-wide or ecosystem-wide solutions. In other words, to figure out how to make all boats float, ensuring that the overall ecosystem is more secure today than it was yesterday.
Any company can come up with their individual solution to a security problem. They can then sell this product that does this one thing, but that doesn’t secure the internet community.
Proofpoint has a broader vision that very much aligns with my interest in the development and advocacy of open standards, so I joined to lead their ecosystem security projects.They recognize the value of multi-stakeholder solutions, and have a long track record in developing and supporting internet standards.
Because of that, they know the value of bringing collaborators together to solve hard problems, and that’s what I do now. I help shepherd standards and associated technology development on behalf of Proofpoint, our customers, and the internet at large.
The type of security work I lead isn’t treated as a feature of a product—instead, we contribute to the development of internet-wide security standards, making the internet more secure for all. It’s all about the ecosystem.
Q: How does this translate into your day-to-day work?
The main challenge we face is identifying the veracity of a message that you receive. This extends beyond email, to text messages and other forms of communications, such as our data loss protection (DLP) products. In fact, Proofpoint has a wide, and growing, footprint in securing communication.
For my part, I tend to focus primarily on email security. Even today, email remains the predominant means of electronic business communication, making it a vital channel to protect. And because it’s the most open and generative means of communication, there’s a lot of work still to be done.
If you could imagine a scenario where we could absolutely secure all email, then the security people I know would be thrilled. Unfortunately, there’s no way for this to happen without losing utility and adversely impacting the ease of email communication. So, I spend my days looking ahead and working on securing what’s yet to come.
So, how do you trust an email message?
The way communication works, you can’t just introduce into the message an understanding that it’s trustworthy.
Instead, we can introduce the strongest signal possible that can be verified as authentic. We can say we’re pretty sure a message came from this or that entity, and we have a very high degree of confidence in that entity. We can also say the message has not been modified between the time it was sent and when we received it.
We look at the entire conversational flow and make sure that each of those steps is evaluated, considered, and then passed along. In a nutshell, this is how email authentication works, and benefits those who employ the email standards of DMARC, SPF, and DKIM.
Cybersecurity Threat Landscape
Q: Are there emerging technologies that help mitigate email cybersecurity threats?
One of the technologies we’ve helped develop is Authenticated Received Chain (ARC). I already helped develop DMARC, which builds a relationship between SPF, and DKIM. ARC helps fill in some gaps when a message is handled by intermediaries. It’s still early in its adoption, but we’re always looking to further strengthen the ecosystem.
Our aim is to move away from a binary model—where a message is either accepted or rejected—and instead provide nuanced information about why a message may have been altered. And while ARC by no means represents a complete chain of custody for a message, it helps address this by providing more context about the message’s status.
More context allows the email provider to make a more effective decision based on what works for you and your customers. The customer should trust that their email security provider will only let secure messages into their inbox.
That’s what we’re trying to do with ARC: providing more context for that downstream provider to make a more nuanced decision regarding a message. It’s not deterministic, as it doesn’t say anything about the veracity of the message itself, but does provide signature points around which you can anchor a trust model.
Q: How important is it to educate end users?
As an end user, you should feel confident that when you get an email, it’s actionable.
Our job at Proofpoint is to identify the problematic emails and keep anything we are suspicious about out of your view.
In that sense, end users should not have to worry about anything. But, as good as I think we are about protecting inboxes against malicious messaging, we have to assume that we’re not perfect. Because of that, we have to educate end users not to open every email all the time.
That’s why at Proofpoint we have a set of email awareness products. They help our customers and their employees learn to spot—and avoid—suspicious email, especially phishing. Until email security can prevent 100% of malicious email, end user awareness will remain a part of a robust email defense program.
Organizations shouldn’t rely on awareness alone, of course, and should always focus on keeping as many malicious messages from end users in the first place.
Q: What role could a top-level domain play in cybersecurity?
What I think is fascinating about a model like .Bank’s is that you only allow banks to register domains, and when they use the .Bank domain the bank must follow certain security protocols and best practices (at .Bank, those are called the Security Requirements).
So a restricted top-level domain raises the security bar to a significant enough degree that far surpasses a regular, unrestricted domain. If you see a bank with a .Bank domain, you know they follow security rules that make them more trustworthy, as with a public domain a typical registrar who will provide those to anyone with a credit card.
With a .Bank domain, you have a strong registry authority that verifies entities and ensures they reach and maintain that security bar—that’s a huge net win for the banking sector.
Choosing a top-level domain like .Bank is absolutely a good choice, as that’s going to send the right downstream signal to the recipient that you’re a legitimate bank—and gives customer’s confidence to interact with their bank’s emails.
Q: What are some of the challenges when it comes to enforcing email security standards?
One significant challenge is ensuring that downstream mailbox receivers—like Microsoft, Gmail, and Yahoo—are aware of and comply with security protocols. Beyond that, they must remain actively engaged in the standards development process itself. If they’re not at the table, they’ll be left behind.
For example, if a .Bank domain publishes a DMARC record with a reject policy, downstream receivers should honor this record. Currently, compliance is more of a polite request than a requirement, which can lead to inconsistencies.
At Proofpoint we work closely with our customers and other ecosystem stakeholders to support compliance and enforcement, including the new public suffix and prefix domain policies.
I’m also leading the development of a new specification, the Domain Relationship Policy Framework (DRPF), which also helps provide context. The DRPF introduces a mechanism for domains, such as those registered to .Bank, to declare authorized relationships between their own domains and those operated on their behalf by vendors.
We’re continually advocating for these policies to be enforced so that if a domain publishes a DMARC or DRPF policy, downstream receivers have every reason to follow it. While we have good relationships with most major receivers, and they generally agree with our approach, strict enforcement remains voluntary.
It all comes down to trust. A really hard concept to articulate, codify, and act upon in a deterministic manner.
Wrapping Up
Q: Where do you see email security heading? What does the future look like?
There is no one-size-fits-all solution for every use case. Anybody can, and should, communicate with anybody. That’s a good thing for the world.
So while I encourage everyone to use different security mechanisms specific to their needs, there are a handful that are basic table stakes like DKIM and DMARC. At the same time, we’re looking to introduce more identification and trust signals. Let’s continue to make each step of the communication workflow more reliable.
Fortunately, I think we’re in the right place, with most of the right stakeholders involved. We understand the need to support fully open and generative communication systems like email. We can’t lock everything down behind walled gardens. That’s why open security standards are so vital to interoperability.
But, at the same time, we need to do a better job of identifying email senders and operators, so we can track their adherence to best security practices, all with an eye toward knowing they’re a trustworthy actor.
And that’s the value that email security gateways provide.
At Proofpoint we’re going to ensure customers are empowered with knowledge about the communication path, and then we’ll either put it in your inbox, or we’ll flag it, or we’ll add context aware statements in the message to keep end users more informed.
Our detection of malicious messages improves daily, and with our latest products being driven by the latest AI detection models we’re developing, I’m really looking forward to how we can feed the system additional standardized trust signaling.
Q: What is your advice for aspiring cybersecurity professionals?
Easy answer: follow your passion, do what’s interesting to you. There’s no requirement to get a degree in cybersecurity. It’s unfortunate that so many cybersecurity job postings state certification requirements. Fortunately, participation in the development of world-changing open security standards is open to all. Show up and participate.
The most important thing is understanding the threat landscape and being creative in your defenses against them. And being willing to put in the hours. Many, many hours. It’s not an easy job, but it’s incredibly rewarding when standards you helped develop secure billions of mailboxes.
If you want to follow more of my ramblings about security, I post on the infosec.exchange Mastodon instance.
To learn more about the many benefits of a .Bank domain, schedule a meeting. May the force (of email security and verification) be with you, always.
