By Srinath Kuruvadi | Head of Cloud Infrastructure Security | Netflix
In the past decade, the number and magnitude of data breaches have grown exponentially, and there's no end in sight. The public recognition earned by attackers only encourages them to keep working to break down defenses, while companies try to place defenses strategically in response. As security professionals, we need to start protecting data where it exists and then build complementary solutions outward to the IAM and WAF layers.
Although bridging the gap between sensitive data and applications is not a novel concept, there are currently no platform-agnostic approaches to data protection that combine access control limiters, sensitive data classification, and anomaly detection. The large clouds are starting to offer parts of this approach, but strategically it doesn't make sense for them to build out solutions for multi-cloud and hybrid-cloud environments covering both relational databases and other data stores.
This opens up a huge opportunity for a new category focused on data store and object security. There will always be more ideas for initiatives than time to implement them within organizations: the constant 'risk reduction vs. cost' conundrum.
Well-established companies have vast amounts of data across on-premises and cloud environments, intensifying the battle to reduce their attack surface, not only for security purposes but also for compliance. Fast-growing companies start developing in a single cloud, reducing the attack surface from the start, but by the time their DevOps organization is mature they already have massive amounts of data stored in a web of tables and objects. In addition, the accelerated hiring of developers by these fast-growing enterprises makes IAM role configuration impossible to optimize as an afterthought. It is a known fact that many CISOs struggle to answer the question: where are my crown jewels with sensitive data, and who is accessing them?
I have been thinking deeply about data security in the cloud space for about 5-6 years during my stints at Facebook and Snapchat. Over the past year, I have had the pleasure of meeting Mohit Tiwari, Symmetry Systems CEO and Co-Founder. Mohit and his Co-Founder Casen Hunger developed DataGuard while running the Spark Lab at UT Austin. DataGuard provides unified visibility into data objects across all data stores, answering data security and compliance questions that traditional tools cannot.
It surfaces least-privilege opportunities in your data access flows and applies anomaly detection to find suspicious access patterns. With comprehensive visibility into your data stores and access patterns, you can quickly converge on a finite set of paved-road data access flows, reducing risk and providing additional comfort.
The team behind Symmetry has done a great job building DataGuard to scale across on-premises and cloud platforms while consuming massive amounts of data (without pricing as a function of data volume). I am also impressed with the flexibility of the system. It is not a complete black box, which gives more flexibility in defining data access flows and detecting sensitive data while it learns to flag anomalous behavior.
Most importantly, I think Mohit and Casen believe in the long game. Bridging the gap between the data and application layers is a multiyear development roadmap. From detection to prevention, you have to crawl, walk and then run. The Symmetry Systems team has visualized access flows for massive datasets within their lab and is now working with companies to apply this analysis to the detection of anomalies and the identification of least-privilege opportunities.
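The two ideas above, converging on a finite set of paved-road access flows (and hence least-privilege grants) and flagging accesses that fall outside them, can be illustrated on plain access logs. The following is an added example written for this post; it is not DataGuard's code or Symmetry Systems' algorithm. All identities, store names, objects, grants and log lines are constructed, and the sensitivity tags stand in for whatever a real classification pass would produce.

```python
"""Added example (not Symmetry Systems' code): derive least-privilege
recommendations and flag anomalous accesses from data-store access logs."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    identity: str
    store: str
    obj: str
    action: str


# Constructed sample: what IAM currently grants each identity, as (store, object) pairs.
GRANTS = {
    "svc-billing":   {("pg-prod", "invoices"), ("pg-prod", "customers"), ("s3-archive", "exports")},
    "svc-analytics": {("pg-prod", "customers"), ("s3-archive", "exports"), ("s3-archive", "pii-dump")},
    "alice":         {("pg-prod", "invoices"), ("s3-archive", "pii-dump")},
}

# Constructed sample: objects a (hypothetical) classification pass tagged as sensitive.
SENSITIVE = {("pg-prod", "customers"), ("s3-archive", "pii-dump")}

# Constructed log lines, one access per line: "<ts> <identity> <store> <object> <action>".
BASELINE_LOG = """\
2024-01-01T08:00:01Z svc-billing pg-prod invoices read
2024-01-01T08:00:05Z svc-billing pg-prod invoices write
2024-01-01T09:12:00Z svc-analytics s3-archive exports read
2024-01-01T09:12:30Z svc-analytics pg-prod customers read
2024-01-02T10:00:00Z alice pg-prod invoices read
"""

NEW_LOG = """\
2024-02-01T08:00:01Z svc-billing pg-prod invoices read
2024-02-01T03:14:00Z svc-billing s3-archive exports read
2024-02-01T03:15:00Z alice s3-archive pii-dump read
2024-02-01T11:00:00Z svc-analytics pg-prod customers read
"""


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        events.append(AccessEvent(*parts))
    return events


def observed_flows(events):
    """identity -> set of (store, object) pairs actually touched in the window."""
    flows = defaultdict(set)
    for e in events:
        flows[e.identity].add((e.store, e.obj))
    return dict(flows)


def unused_grants(grants, flows):
    """Grants never exercised in the observed window: least-privilege removal candidates."""
    result = {}
    for identity, granted in grants.items():
        unused = granted - flows.get(identity, set())
        if unused:
            result[identity] = sorted(unused)
    return result


def least_privilege_policy(flows):
    """The paved-road policy: each identity keeps only the flows it was observed using."""
    return {identity: sorted(f"{s}:{o}" for s, o in pairs) for identity, pairs in flows.items()}


def detect_anomalies(baseline_flows, events):
    """Accesses outside an identity's baseline flows, with sensitive objects called out."""
    findings = []
    for e in events:
        if (e.store, e.obj) in baseline_flows.get(e.identity, set()):
            continue
        reason = "new flow to sensitive object" if (e.store, e.obj) in SENSITIVE else "new flow"
        findings.append((e, reason))
    return findings


if __name__ == "__main__":
    baseline = observed_flows(parse_log(BASELINE_LOG))
    print("unused grants:", unused_grants(GRANTS, baseline))
    print("paved-road policy:", least_privilege_policy(baseline))
    for event, reason in detect_anomalies(baseline, parse_log(NEW_LOG)):
        print(f"ANOMALY {event.ts} {event.identity} -> {event.store}/{event.obj}: {reason}")
```

Run against the constructed data, the baseline window shows that several granted pairs (for example `alice` on `s3-archive/pii-dump`) were never used, and the February log then contains exactly the kind of access those unused grants permit. That is the crawl-walk-run sequence in miniature: observe flows, recommend the grants to remove, alert on what falls outside the baseline, and only then turn the paved-road policy into enforcement.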
For many companies, this will be a vast improvement in meeting their existing security and compliance needs, reducing the risk of data exfiltration by bad actors. Once DataGuard is detecting risks, enterprises can then proactively fight threats by using DataGuard to enforce access control policies that prevent data exfiltration. This is further along the path than data security has yet ventured.