Why Does This Have to Be So Hard? The Trade Off Between Speed and Security
April 11, 2022
Related Posts
Keep in Touch
© Copyright 2024 Symmetry Systems
- Why DSPM
- DataGuard DSPM
-
- DataGuard DSPM
- Secure your data with precision and scale.
- DataGuard DSPM
-
- How It Works
- Learn how our breakthrough DSPM Solution works.
- DSPM Approach
- See how we look at data differently.
- Zero Trust Assessments
- Gain an accurate understanding of your data challenges.
- How It Works
-
- Use Cases
-
- Use Cases
- Learn more about our DSPM solution through our hybrid cloud use cases.
- Use Cases
-
- Data Inventory and Flow Mapping
- Gain visibility into your data inventory and protect it.
- Investigation & Detection
- Answer your data detection and response questions.
- Zero Trust
- Implement and maintain zero trust.
- Compliance & Governance
- Prove and maintain your data security compliance.
- Digital Transformation
- Accelerate digital transformation and maintain data security at scale.
- Data Inventory and Flow Mapping
-
- Partners
-
- Partners
- Become a Symmetry Systems technology partner.
- Partners
-
- Become a Partner
- Join Symmetry Systems partner program.
- AWS
- Information on AWS partnerships
- Become a Partner
-
- Industries
-
- Industries
- See how our DSPM solution supports data-driven organizations of all types.
- Industries
-
- Financial Services & Insurance
- Solve your financial data security challenges.
- Technology
- Protect your proprietary data from IP theft.
- Federal Government
- Solve your federal government data security challenges.
- Healthcare
- Protect patient information and sensitive data.
- Retail & Ecommerce
- Protect your customers and brand reputation.
- Energy, Oil, & Natural Gas
- Solve your utility data security challenges.
- Communications & Media
- Protect your technologies and applications.
- Manufacturing
- Protect your most critical assets.
- Financial Services & Insurance
-
- Resource Library
-
- Resources
- Data security resources for security teams all in one place.
- Resources
-
- Education Center
- Learn about the latest in data security.
- Blog
- Expert industry insight from the Symmetry Systems team.
- Videos
- Watch webinars and videos on data security.
- Education Center
-
- Company
-
- Company
- Learn about our company’s values and background.
- Company
-
- Team
- Meet the minds behind Symmetry Systems.
- Careers
- Join the Symmetry Systems team.
- Company News
- Stay updated with the latest in the Symmetry Systems world.
- Testimonials
- See how we’ve helped organizations better enhance their data security game.
- Media Center
- See what we are up to in the media.
- Team
-
- Request a Demo
- Why DSPM
- DataGuard DSPM
-
- DataGuard DSPM
- Secure your data with precision and scale.
- DataGuard DSPM
-
- How It Works
- Learn how our breakthrough DSPM Solution works.
- DSPM Approach
- See how we look at data differently.
- Zero Trust Assessments
- Gain an accurate understanding of your data challenges.
- How It Works
-
- Use Cases
-
- Use Cases
- Learn more about our DSPM solution through our hybrid cloud use cases.
- Use Cases
-
- Data Inventory and Flow Mapping
- Gain visibility into your data inventory and protect it.
- Investigation & Detection
- Answer your data detection and response questions.
- Zero Trust
- Implement and maintain zero trust.
- Compliance & Governance
- Prove and maintain your data security compliance.
- Digital Transformation
- Accelerate digital transformation and maintain data security at scale.
- Data Inventory and Flow Mapping
-
- Partners
-
- Partners
- Become a Symmetry Systems technology partner.
- Partners
-
- Become a Partner
- Join Symmetry Systems partner program.
- AWS
- Information on AWS partnerships
- Become a Partner
-
- Industries
-
- Industries
- See how our DSPM solution supports data-driven organizations of all types.
- Industries
-
- Financial Services & Insurance
- Solve your financial data security challenges.
- Technology
- Protect your proprietary data from IP theft.
- Federal Government
- Solve your federal government data security challenges.
- Healthcare
- Protect patient information and sensitive data.
- Retail & Ecommerce
- Protect your customers and brand reputation.
- Energy, Oil, & Natural Gas
- Solve your utility data security challenges.
- Communications & Media
- Protect your technologies and applications.
- Manufacturing
- Protect your most critical assets.
- Financial Services & Insurance
-
- Resource Library
-
- Resources
- Data security resources for security teams all in one place.
- Resources
-
- Education Center
- Learn about the latest in data security.
- Blog
- Expert industry insight from the Symmetry Systems team.
- Videos
- Watch webinars and videos on data security.
- Education Center
-
- Company
-
- Company
- Learn about our company’s values and background.
- Company
-
- Team
- Meet the minds behind Symmetry Systems.
- Careers
- Join the Symmetry Systems team.
- Company News
- Stay updated with the latest in the Symmetry Systems world.
- Testimonials
- See how we’ve helped organizations better enhance their data security game.
- Media Center
- See what we are up to in the media.
- Team
-
- Request a Demo
Secure your data nowwith Symmetry.
© Copyright 2024 Symmetry Systems
If you’re anywhere near the security space you’ve heard it: “Security slows everything down.” And while we may roll eyes and offer up a quick, “yeah but…” in many cases, we know that sentiment is true. Of course security is needed; of course security is expected – but I often find myself challenging the notion that security is expected to be a hindrance to the pace of development. After all, security is here to enable the business to achieve its goals, right?
It has to work
I’ve been in 8 industries over the past 20+ years and one constant observation is that development teams are incentivized by speed and function. It has to just “work,” and it has to work fast.
Security, which requires hygiene and design time to consider various threat vectors and attack scenarios, is often put on the back burner – something that is bolted on at the end or left as a remediation feature when findings from a scan or a pen-test comes through often at a much higher cost. Rarely is security embedded into the development process itself and for companies bracing this effort – to truly bring security into the definition of function and quality, it’s always an uphill battle for speed.
…embed security… with as little friction as possible to enable the business to meet its goals.
As security pros, we have to find a way to embed security into technology and processes with as little friction as possible to enable the business to meet its goals. While noble and common sense – when you’re staring down years and years of security and technology debt, or complex hybrid architectures, the problem – while basic in principle- is daunting on the execution side.
Start with the data
For many companies, security is focused on protecting the data. Protecting the infrastructure, availability, and continuity of business is just as critical; but for many shops that are focused on regulation or compliance as a first step to security, guarding against the misuse or breach of sensitive data is usually top of mind.
What is interesting, is that although data security is a strong focus for many companies, very few know what their sensitive data is and even fewer know where it is stored, how it is used, and who has access to it.
As companies develop more products over time, merge with other companies, and blend their infrastructures between on-prem and the cloud, we see less and less clarity on what data is valuable and even less consistency on how it’s protected. Why? Speed.
…very few know what their sensitive data is and even fewer know where it is stored, how it is used, and who has access to it.
As more applications are developed, and even more become aged, companies lose track of maintaining the metadata or records of what each application stores, accesses, and uses. Definitions of “sensitive” evolve and in the absence of resources, maintenance, and focus, hygiene and organization of these principles erode over time.
We see an increase in scope for types and amounts of data being collected, stored, and shared without a strategy in place on how to safeguard it. Data stores become commingled, multiplied and shared in unintended ways; applications start to creep in scope and access. Labels and tags start to lose consistency and become less useful. For example – one application might label a social security number as “SSN” while another might tag it as “TIN,” “National ID,” or any variation in between.
The result? Repeated data calls (what does this app do?), increased audit scopes, longer IR investigations, slower response and containment. “I don’t know what’s relevant so everything is.” Basically – a blind mess.
How do we fix it — Data Stores and Object Security (DSOS)
Well-intentioned companies will eventually embark on efforts to “clean up” their data starting with the applications and what they access. This usually takes a herculean effort, but as new applications are developed or acquired, and established ones grow in features and scope, this clean up effort starts to degrade over time.
What if we started with a different approach? Instead of looking at the application, what if we looked at the data stores themselves? Instead of trying to define rules and entitlements around the connector, why not focus on the treasure and build defenses and hygiene around that first?
…focus on the treasure and build defenses and hygiene around that first.
If we watch the data, then we can learn what uses the data, where and how it should be stored, and more importantly – what should not use it and how it should not be stored. Doing so would mean that developers would not have to continuously define metadata around what their application touches – resulting in faster, cleaner development. If companies were able to understand data sensitivity and relevance at the field level, then answering the question “what is in scope?” for an audit, to meet regulation requirements, or to avoid a data breach would be easier and less time consuming.
As more companies embrace the importance of “watching the data,” there will be less need to choose between speed and security. The long-term goal is to see these priorities being met simultaneously and with equivalent emphasis.