Symmetry Systems co-founder and CEO Mohit Tiwari recently spoke with Ryan Naraine on an episode of the Security Conversations podcast. They discussed Mohit’s start in academia and how it prepared him for the world of startups, his research in information flow control, whether CISOs can fully achieve Zero Trust, and more. Watch the full video below, or read on for highlights from their discussion.
Information flow control processes may change, but the shape remains the same
Mohit has always been interested in how information flows through data systems and took a significant step to apply this concept to privacy in 2011. When sharing messages, whether through apps like Signal or with a healthcare professional or family member, he wanted to know how that data moved through the chain to ensure the recipient was the only person who could access it.
Despite the change in how organizations approach information flow control, knowing what’s happening to data and who is accessing it continues to shape those discussions. He brought up the recent Okta breach, pointing out that the most important things to look into include: is customer data affected; if a contractor is compromised, is there a direct pathway to customer data; and can these questions be answered promptly?
Mohit has always been drawn to those sorts of questions, wondering how best to provide that information practically in a way that doesn’t burden developers or users. He pointed out that security teams spend 80% of the time figuring out what data has been affected during a breach.
Always assume your organization is in a “steady state of boom”
The classic model for mitigation is usually a linear process: First, you identify the problem within your network, then you protect it, then you detect if something breaks, then you respond to the incident, and then recover. Because of this, it’s easy to think that there’s a pipeline of sequential tasks for data management.
“There are all sorts of small to big booms happening across your org,” Mohit said. “So as you go through and run services that provide visibility…once you see the problem, you can put in a seatbelt right away.” Even if security teams don’t have the full business context for why an analyst has access to sensitive data, they can put a seatbelt on it to notify their team of any potential issues.
With proper detection tools in place, CISOs can work with data teams and development teams to create long-term solutions, while putting seatbelts on immediate problems as they are noticed and following up on them later.
Mohit remains an optimist when it comes to questions on attainable privacy measures and Zero Trust adoption, especially as regulations in the U.S. and other countries continue to push organizations toward it.
He described a paper one of his students is working on, which explores a form of “N-version programming” where you can run workloads in three different “blobs,” and if one ends up getting hacked, you can still operate with the other two. “Breaches won’t go to zero, but we can improve it a lot,” Mohit said.
One way to improve data security is by implementing a data security posture management (DSPM) platform, like Symmetry Systems’ DataGuard. DataGuard gives you full visibility of your organization’s data across hybrid cloud environments, allowing your teams to identify risks and prevent potential data breaches before they happen. Contact us today for a demo, and learn why we were named a 2022 Gartner Cool Vendor in DSPM.