VMblog Expert Interview: Mohit Tiwari Talks Symmetry Systems Emerging From Stealth To Transform Data Store And Object Security
Symmetry Systems is a provider of cutting-edge Data Store and Object Security (DSOS). And this week, they emerged from stealth only a year after raising $3 million in seed funding. Symmetry Systems’ flagship solution is called DataGuard, and it provides what the company describes as unified visibility into data objects across all data stores, answering data security and compliance questions that traditional tools cannot.
To better understand the company and the problems they are addressing, VMblog reached out to Mohit Tiwari, CEO at Symmetry Systems, to learn more.
VMblog: Not many professors are willing to give up a tenured professorship to develop an unproven startup. How did you come up with the idea to launch Symmetry Systems?
Mohit Tiwari: UT Austin loves it when its research makes it into the real world, and my colleagues have co-founded companies on everything from full duplex radios to robots in hospitals. Therefore, it was natural for our team to also think about practical impact.
Symmetry's DataGuard helps a small team of security engineers to protect data across a large organization. Our research lab has worked on data-centric security for more than a decade, and over time, kept getting pulled into collaborations with regulated industries where security was blocking innovation.
In all cases -- a hospital, a major defense contractor, a cloud-services provider -- the problem was that every application or containerized service had to be hardened to get it over the security and compliance hurdles. Small flaws or exploits could mean major data breaches; and that meant (e.g.) the hospital couldn't use great collaborative tools to care for complex-case children because they weren't HIPAA-compliant.
“It was natural for our team to also think about practical impact.”
Our goal, and the goal of our entire research area, is a platform that directly secures data, even if applications and identities are exploited, and as a result be the focus of compliance and security evaluations.
We met our investors at Forgepoint and Prefix last year, who introduced us to 50+ security teams and we've been very fortunate to have had their feedback while building DataGuard as the first step towards a data-security platform.
VMblog: Symmetry Systems delivers Data Store and Object Security (DSOS). Can you tell our readers what that means, in simple terms?
Tiwari: DSOS is about measuring data risk and improving it systematically.
Consider a team that maintains data stores (such as S3, RDS, etc... on Amazon AWS) that are used by hundreds of applications or micro-services in the organization.
This team needs to map out how sensitive data is used (including PCI, PHI, or PII data, but user data broadly), and focus security ‘pen'-testing, compliance reports, auditor's attention, etc... towards the most risky data and applications.
The infrastructure security members need to know data flows to reduce the blast radius of compromised applications and identities. Security teams will also have to respond to an incident -- to precisely determine the data spilled from a potential breach -- with very little time.
More strategically, a security architect or executive has to prioritize quarterly initiatives to safeguard data -- without visibility into and across all data stores, security teams can end up navigating blindly.
DSOS is thus a focused set of problems for a customer. It requires understanding data stores and objects' attributes, permissions, and usage patterns. DSOS admits several types of solutions --
“DSOS is about measuring data risk and improving it systematically”
you could build a code analysis based ‘shift left' solution, a `paved path' production-infrastructure solution, focus only on service meshes or a family of applications, etc. As long as the interfaces are open and customers can answer the above questions, the DSOS gods will be happy.
VMblog: The company has launched a product called DataGuard. Could you tell us more about the vision behind DataGuard?
Tiwari: DataGuard effectively creates "firewalls" around all your data objects. Firewalls are a metaphor for a range of detection and protection measures (rule- and behavior-based) that have to be re-thought for data stores and objects in the cloud.
We designed Symmetry DataGuard for data stores in a hybrid-cloud. Amazon S3 is such a different beast that it has a reputation of being hard to secure, but there are production data stores (SQL, NoSQL, caches, queues, ...), analytics data lakes, etc... that contain sensitive data and talk to the internet. And each data store exposes a different set of knobs -- encryption, access control, etc... -- that are hard to set up and keep synchronized. So being able to scale -- operationally -- across data stores was a major goal.
The other big design goal was to build it for security engineers who guard data stores (vs. making developers label data and re-write authorization logic). This was inspired by the paved path model that Netflix has pioneered for building cloud-services and drives data-related security and compliance. Clearly, this also means DataGuard will not address application-safety questions -- i.e., if your check-scanner service breaks, your bank balance will have an error, however, DataGuard will help ensure someone else's malicious check-PDF will not breach or ransom your data.
VMblog: DataGuard was fine-tuned based on feedback from more than 50 CISOs and security practitioners. How important was this feedback in the development of the product?
Tiwari: This feedback has been critical -- several practitioners used "data firewalls" as a metaphor for their goals.
Their feedback has helped with strategic decisions like deciding on a persona to build for or picking between a cloud-native or hybrid cloud deployment. And with many tactical choices about workflows for IAM- or security-operations teams.
A key lesson across the board was that business-risk is a huge barrier for adoption. For example, putting in-line defenses is risky and has to be justified to the engineering and business teams with RoI and reliability metrics (a chicken and egg situation). We had an in-line storage side-car when we spun out of UT Austin, but learned quickly that it is only one of many (and often not the best) ways to protect a specific data store or object. Personally identifiable information (PII) etc... classifiers, users' context, etc... are all statistical measures and enforcing a statistical policy will almost certainly edit out legitimate business usage.
“You can start with DataGuard in a few minutes with just the auditor role; then add more permissions… to create data firewalls using IAM or detection logic.”
Instead, you can start with DataGuard in a few minutes with just the auditor role; then add more permissions (read-only accesses to data stores and their access logs) to create data firewalls using IAM or detection logic. As patterns settle down, they can be moved into an 'intrusion prevention' like system.
VMblog: It has become increasingly challenging for organizations to protect their sensitive data. What are some of the biggest challenges you are helping companies address?
Tiwari: Understand their data stores to specifically drive down risk of breaches or ransomware; and keep this information handy to drive penetration-tests (security evaluations) and compliance-checks.
VMblog: Who is the target audience and user for DataGuard?
Tiwari: Security teams, especially those who have to protect cloud-based data stores such as S3, RDS, RedShift, or MongoDB on AWS and similar stores like BigQuery on Google Cloud.
In smaller teams, less than 100 engineers for example, the security engineering role is informally shared by developers or infrastructure engineers -- DataGuard can amplify these engineers' outputs.
VMblog: Finally, what can we expect from Symmetry Systems in the coming months?
Tiwari: We are heads down building DataGuard with our design partners and will be adding 1-2 organizations each month into pilots over the next 4 months. In parallel, we'll share more of our work, especially about open interfaces so that organizations can tailor their defenses without fragmenting them.