Focusing on data objects unlocks evidence-based IAM and tighter permissioning practices for cloud-based security professionals.
Our co-founder and CEO, Mohit Tiwari, recently appeared on an episode of the Confident Defense podcast. Host Conor Sherman opened with a discussion of how data security has evolved in general; Mohit then shared his experiences transitioning from a career as a professor to co-founding Symmetry Systems, discussed his hopes for the future of data security, and much more. Watch the full video below, or read on for some key takeaways from their conversation.
Baking data security directly into the system infrastructure
One of the most important points Mohit made is the value of putting data security into a system’s infrastructure instead of layering it on after the fact. The information flow world was considered mostly niche and theoretical while he was coming up as a researcher and academic, until the stars aligned starting in 2013. At that time, people had started breaking up enterprise applications into microservices, putting them into containers, and orchestrating them independently. Simultaneously, many of those microservices were migrating to the cloud.
Those changes unlocked perfect conditions to apply information flow principles to trace data as it moves throughout an organization’s infrastructure, as Mohit said, “from machine to machine, application to application, and cloud to cloud.” Making those patterns of movement observable unlocks a detailed understanding of where valuable data flows and who has access to it. With a complete, even color-coded picture of where data flows naturally, security teams can begin to ask questions about where that data should be flowing and install the guardrails necessary to make sure it only travels to wherever it belongs.
Maintaining software-as-a-service in the customer’s cloud
While breaking down applications into services with APIs enabled traceability that was previously impossible, moving to the cloud has allowed companies to deploy their solutions organization-wide. In the past, improving information security required teams to remove data from wherever it was being stored, an immediate red flag for any security professional.
Deploying, updating, and maintaining the software solution inside the customer’s organization allows Symmetry Systems to answer companies’ three fundamental questions — what data do we have, where is it, and who has access to it — without their data ever leaving the premises. That cloud-tooled model positions Symmetry Systems as an example of the kind of security the company aims for.
The problems with least privilege access permissioning
Later on in the conversation, Mohit makes clear that while least privileging access is important, that practice on its own can only take security so far. Because most organizations have multiple storage services that all communicate with each other through APIs, huge blocks of data are flying in and out constantly. At the same time, granting every individual the appropriate access to buckets, objects, or databases isn’t feasible in a large organization.
Role-based and attribute-based permissions aim to compress that process into a series of group permissions, so that individual users assigned to a particular role have access to a set number of resources. But while many users hold a single role, some hold multiple roles at once. With so many permissions layered on top of each other, identifying how any given identity is accessing a particular data object can be murky. It’s incredibly difficult to be precise with this kind of compressed permissioning, and the larger the organization, the more complex the process becomes.
Mohit makes the point that compressing security functions inherently introduces a certain amount of risk. The answer isn’t necessarily eliminating compression — that wouldn’t be feasible for most organizations — but rather implementing guardrails around the compressed functions. “It’s okay to compress roles,” Mohit said, “but let’s put a lot of endpoint detection and response (EDR) and other guardrails around the roles themselves.”
Arming security teams with tools to protect individual data objects
Mohit advocates for upleveling from database security to data object security. Focusing on protecting individual data objects instead of securing identities or service roles immediately eliminates a certain amount of risk. “Don’t sunset an identity,” Sherman summarized, “sunset the data. That’s where the liability comes from.” While compromised credentials open the door for risk to be realized, closing the metaphorical door is a less impactful solution than removing the sensitive data that’s behind it.
Making those data object-level decisions sometimes requires security professionals to sell executive leadership or other stakeholders on their plans. That’s why Symmetry Systems helps security teams inform themselves with the tools they need to drive their organizations toward change. Operationalizing that drive appropriately — through EDR or IAM, for example — requires security teams to identify the right lever to pull that will strengthen the organization’s security posture.
Evolving into an evidence-based approach to security
That’s why Mohit believes in an evidence-based approach that takes real usage into account. Providing organizational leaders with evidence that taking a certain action will reduce risk by a defined amount is a convincing and positive way to lead toward change. Instead of taking action because the rules of least privilege access dictate it, security teams can leverage their own observations and expert judgments to confidently present the risk, the usage, the recommendation, and the reasoning behind it.
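To make the contrast between compressed roles and observed usage concrete, here is an added illustration (not code from the podcast or from Symmetry Systems) that flattens role assignments into per-identity, per-object grants and compares them against an access log; the role names, data objects and log lines are all constructed for the example.

```python
from collections import defaultdict

# Constructed role definitions: role -> set of (data_object, action) it grants.
ROLES = {
    "analyst": {("s3://pii-exports", "read"), ("db://orders", "read")},
    "billing": {("db://orders", "read"), ("db://orders", "write"), ("s3://invoices", "read")},
    "ops": {("s3://pii-exports", "read"), ("s3://pii-exports", "write"), ("db://orders", "write")},
}

# Constructed identity -> roles; an identity may hold several roles at once.
ASSIGNMENTS = {
    "alice": ["analyst"],
    "bob": ["analyst", "billing"],
    "svc-etl": ["ops", "billing"],
}

# Constructed access-log lines: identity, data object, action actually performed.
ACCESS_LOG = """\
alice s3://pii-exports read
alice db://orders read
bob db://orders read
bob s3://invoices read
svc-etl db://orders write
svc-etl s3://pii-exports write
"""

def effective_grants(assignments=ASSIGNMENTS, roles=ROLES):
    """Uncompress the role layers: (identity, object, action) -> roles that carry it."""
    grants = defaultdict(set)
    for identity, held in assignments.items():
        for role in held:
            for obj, action in roles[role]:
                grants[(identity, obj, action)].add(role)
    return grants

def observed_use(log=ACCESS_LOG):
    """Set of (identity, object, action) triples seen in the log."""
    return {tuple(line.split()) for line in log.splitlines() if line.strip()}

def unused_grants(assignments=ASSIGNMENTS, roles=ROLES, log=ACCESS_LOG):
    """Grants never exercised in the log, each with the roles responsible for it.
    This is the evidence behind a recommendation to tighten a role."""
    grants = effective_grants(assignments, roles)
    used = observed_use(log)
    return {g: sorted(r) for g, r in grants.items() if g not in used}

def revocation_evidence(obj, **kw):
    """Identities that can touch `obj` but never did, grouped by action."""
    by_action = defaultdict(list)
    for (identity, o, action), roles in unused_grants(**kw).items():
        if o == obj:
            by_action[action].append((identity, roles))
    return dict(by_action)
```

Reading `revocation_evidence("s3://pii-exports")` shows which identities' roles grant access to the sensitive object without any observed use, which is the kind of usage-backed argument the paragraph above describes.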
Another important idea Mohit raises in the podcast is the natural evolution linking high-level security goals, specific data types, and specific identity types. Once security teams set goals around data, their challenge is to translate those goals into the right guardrails. Mohit advises filtering your landscape to identify where the most sensitive data is located and understand what kind of exposure it has. Another way to implement those guardrails around permissioning is to make sure security teams and cloud ops teams — often two separate departments — are collaborating closely.
Tighten permissions without disrupting core business functions
The overarching goal of these changes is least privileging an environment in a way that tightens permissions without disrupting business. Security teams are responsible for protecting the vast quantities of consumer data that companies collect, but they’re also charged with making sure analysts and employees can work with the data in whatever way is appropriate for that business. If a security best practice is to assume that over the course of regular business, something is going to break, minimizing damage is the logical next step.
“How can you put pro-grade defenses around your trusted code base?” Mohit asked. The answer is giving specific identities access to specific data objects at specific times. For that, security teams need access to a high level of visibility and traceability at the data object level. That’s where information flow comes into play, and that’s where Symmetry Systems can help. Interested in how Symmetry DataGuard can help your cloud-security team take an evidence-based approach to tighten IAM policies around data? Contact us today to learn more.