Data security isn’t about infrastructure — it’s about objects.
In a recent LinkedIn Livestream installment of The Confident Defense podcast, Mohit Tiwari (Co-Founder and CEO Symmetry Systems) and Conor Sherman (Head of Security at ezCater and host of Confident Defense) unpacked the present and future of data security. You can watch the full Livestream below or keep reading to get some of the most critical insights from the session.
Contact us today to see how Symmetry Systems DataGuard can enhance your data visibility.
A New Era of Data Security
Traditionally, infrastructure security has been the focus of data security efforts. But according to Sherman and Tiwari, infrastructure — database, servers, etc. — is not what security teams need to protect.
Instead, it’s the data objects themselves.
“Data objects are what we actually care about,” says Sherman. “It's the first name, last name, birthday, zip code, etc. The whole record is the object, and it's really the object that we need to focus on.” Tiwari expands on this sentiment: “We need to move from classic data security tools that focus on database servers to a different place. We need to have tools address the data objects as they flow from, for example, S3 to RDS and downstream into a data lake. So rather than just asking ourselves, ‘is my database server doing okay?’ we need to have a handle on all our data objects as they flow across the data stores.”
Key Tactics for Data Security in the Cloud
Sherman explains a key challenge for cloud data security: “Conway's Law is this idea that companies will develop software whose logic mirrors how it is designed with its people. If, for example, you're a highly functional business with segregated, specialized functions, guess what? The software you produce is going to be like that as well. And your security program is going to feel like that too. There are these hard boundaries that show up, and you don't have one security program: You have three.”
“Most tooling, most programs, most frameworks, which we've put in place to try and solve this problem have been phase one, phase two, team one, team two, etc.,” he continues. “They’re all very siloed. To truly solve the problem, we need to care about the data object and watch it through everything, regardless of where it lives.” Sherman went on to explain that this ultimately amounted to a compliance team challenge that necessitated cooperation with security architecture and SOC teams.
According to Tiwari, that solution lies in organizational design and new tech. “I feel like your company, ezCater, is the template of how a really productive organization can be set up. Your compliance, SEC ops, and infra folks work super closely together, and that collaboration breaks down a lot of the siloing we discussed. The other part of this is data flow tracing technology: a tool that can go through all of your environments and trace the flow of these data objects across the organization. So it's a combination of the right kind of team and horizontal data flow tracing technology.”
Dealing with the Privacy-Centric Present
This ability to trace data through its entire lifecycle is becoming increasingly essential, especially as Apple, Google, and other major tech players embrace a new standard of privacy. A growing number of users are exercising their ability to ask companies to delete their data — a tricky prospect, especially when it comes to legacy tech. So how should companies approach this problem? Tiwari had two pieces of advice.
“I think step one is being able to put tooling in place to answer a fundamental question: ‘where's all the data of interest?’ Which breaks down into smaller questions like, ‘Where is this data lying around? How's it being protected? What kind of controls are around this data?’ Then, that tool needs to allow you to trace how it's being accessed through all the layers. In other words, getting visibility is the first step.”
“The other big lever here is your company’s SLA. How long do you give yourself to get the data out of our system? For instance, Alice can request that her data get deleted immediately, but the company's SLA can allow a minimum of 90 or 180 days of processing time to flush the information out of the system. You want to calibrate that time to match your capabilities.”
Get Visibility into Your Data Today
As Sherman and Tiwari discussed in the Livestream, achieving data security these days is primarily connected to your ability to achieve data visibility. This is a crucial reason that Tiwari developed DataGuard, a data store and object security (DSOS) solution that provides security teams with a complete line of sight into their data landscape. DataGuard creates this visibility through a comprehensive, custom risk map of an organization’s data stores that surfaces hidden vulnerabilities and speeds up incident response. To see the power of DataGuard first hand, reach out, and our team will set you up with a demo immediately.