Delivering stronger security for enterprise data [Q&A]


Data is among an enterprise's most valuable assets. No matter where or how it is stored, having visibility into it and unified access control over it is essential.

Mohit Tiwari, CEO at Data Store and Object Security (DSOS) company Symmetry Systems, left a professorship at the University of Texas in Austin to start the business and develop a new approach to data security in the form of Symmetry DataGuard which maintains authority over data even when all else fails. We spoke to him to find out more.

BN: What made you make the move from a professorship to launching a data security start-up?

MT: The University of Texas at Austin loves it when its research makes it into the real world. Thus, it was natural for our team to also think about the practical impact of the work we are doing.

Symmetry's DataGuard helps a small team of security engineers to protect data across a large organization. Our research lab has worked on data-centric security for more than a decade, and over time, kept getting pulled into collaborations with regulated industries where security was blocking innovation.

In all cases, the problem was that every application or containerized service had to be hardened to get it over the security and compliance hurdles. Small flaws or exploits could mean major data breaches; and that meant, for example, the hospital couldn't use great collaborative tools to care for complex-case children because they weren't HIPAA-compliant.

Our goal, and the goal of our entire research area, is a platform that directly secures data, even if applications and identities are exploited, and as a result be the focus of compliance and security evaluations.

We met our investors at Forgepoint and Prefix last year, who introduced us to more than fifty security teams. We've been blessed to have had their feedback while building DataGuard as the first step towards a data-security platform.

BN: What are the most common problems leading to data exposure?

MT: The two most dangerous root causes are vulnerable applications and over-privileged identity and access management (IAM) policies -- and often, these problems amplify each other.

Applications act as gatekeepers through which users access data, but it is almost impossible to ensure that authorization checks are perfect and that the millions of lines of code (including libraries and framework code) have no exploits.

Similarly, access management policies are a sprawl of permissions that are exceptionally hard to keep consistent over time and across services and clouds, especially as people/applications are added, move, or leave.

In steady state, think of one application -- it has internet access on one side and sensitive data stores on the other. Then make a network of these applications and layer on a spider web of 'service-roles' and attributes and identities. The result is you get a system where attackers can quickly amplify small toeholds (a vulnerable application or a compromised identity).

BN: How does data store and object security (DSOS) address the difficulties of data security?

MT: DSOS is about measuring data risk and refining it systematically. For example, consider a team that maintains data stores that are used by hundreds of applications or micro-services in the organization. This team needs to map out how sensitive data is used, including PCI, PHI, or PII data, and focus security pen-testing, compliance reports, auditor's attention, etc. towards the most risky data and applications.

The infrastructure security members need to know data flows to reduce the blast radius of compromised applications and identities. Security teams will also have to respond to an incident -- to precisely determine the data spilled from a potential breach -- with very little time.

More strategically, a security architect or executive has to prioritize quarterly initiatives to safeguard data -- without visibility into and across all data stores, security teams can end up navigating blindly.

Therefore, DSOS is a focused set of problems for a customer. It requires understanding data stores and objects' attributes, permissions, and usage patterns. DSOS admits several types of solutions -- you could build a code analysis based 'shift left' solution, a 'paved path' production-infrastructure solution, focus only on service meshes or a family of applications, etc. As long as the interfaces are open and customers can answer the above questions, the DSOS gods will be happy.

BN: How can companies better measure and improve their data security posture?

MT: Companies have to balance proactive and reactive measures -- we just lump them all together as 'data firewalls'. Proactive measures involve understanding data objects across data stores, learning how they are used, and placing controls around them -- IAM, encryption, etc. -- while keeping a small trusted code base and minimal standing privileges. Reactive measures generate alerts and evidence when data moves along illegal or anomalous paths. The goal behind data firewalls is to build controls to systematically reduce data risk.

While new applications can start adding controls from scratch, the most interesting product challenges are for legacy infrastructure where data firewalls have to be inserted without affecting business-critical services.
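As an added illustration, not part of the interview and not code from Symmetry Systems or DataGuard, the Python below models the three checks the answers above describe: finding standing grants on sensitive stores that are never exercised (proactive, minimal standing privilege), computing the sensitivity classes a compromised identity could reach before and after grants are tightened to the approved data paths (blast radius), and flagging log entries that are either ungranted or granted but off the approved path (the reactive "illegal or anomalous path" alert). All store names, identities, grants, approved paths and log entries are constructed sample data.

```python
"""Toy 'data firewall': grants vs. observed use, blast radius, and path alerts.
Added example with constructed data; not a real product or API."""
from collections import defaultdict

# Constructed data stores tagged with the sensitivity classes they hold.
STORES = {
    "patients-db": {"PHI"},
    "billing-db": {"PCI", "PII"},
    "analytics-bucket": {"PII"},
    "logs-bucket": set(),  # no regulated data
}

# Constructed IAM grants: identity -> {(store, action)}. Deliberately over-broad.
GRANTS = {
    "svc-portal": {("patients-db", "read"), ("billing-db", "read"), ("analytics-bucket", "read")},
    "svc-billing": {("billing-db", "read"), ("billing-db", "write")},
    "svc-etl": {("patients-db", "read"), ("analytics-bucket", "write"), ("logs-bucket", "write")},
    "alice": {("logs-bucket", "read"), ("billing-db", "read")},
}

# Constructed approved data paths (the 'paved road'): stores each identity is
# expected to touch. Narrower than what IAM actually grants.
ALLOWED_PATHS = {
    "svc-portal": {"patients-db"},
    "svc-billing": {"billing-db"},
    "svc-etl": {"patients-db", "analytics-bucket", "logs-bucket"},
    "alice": {"logs-bucket"},
}

# Constructed access log: (identity, store, action).
ACCESS_LOG = [
    ("svc-portal", "patients-db", "read"),
    ("svc-billing", "billing-db", "write"),
    ("svc-etl", "patients-db", "read"),
    ("svc-etl", "analytics-bucket", "write"),
    ("alice", "logs-bucket", "read"),
    ("svc-portal", "billing-db", "read"),  # granted, but not on svc-portal's approved path
    ("svc-etl", "billing-db", "read"),     # never granted: enforcement gap or log anomaly
]


def unused_sensitive_grants(grants, log, stores):
    """Proactive: grants on sensitive stores that the log never shows being used.
    These are standing privileges that only widen the blast radius."""
    used = defaultdict(set)
    for ident, store, action in log:
        used[ident].add((store, action))
    stale = {}
    for ident, perms in grants.items():
        unused = {(s, a) for (s, a) in perms if stores.get(s) and (s, a) not in used[ident]}
        if unused:
            stale[ident] = unused
    return stale


def tighten(grants, allowed):
    """Proactive remediation: keep only grants whose store is on the identity's approved path."""
    return {ident: {(s, a) for (s, a) in perms if s in allowed.get(ident, set())}
            for ident, perms in grants.items()}


def blast_radius(identity, grants, stores):
    """Sensitivity classes reachable if this identity is compromised under the given grants."""
    classes = set()
    for store, _ in grants.get(identity, ()):
        classes |= stores.get(store, set())
    return classes


def path_alerts(log, grants, allowed):
    """Reactive: flag log entries that IAM should have denied (UNGRANTED) or that are
    granted but leave the approved data path (OFF_PATH), in log order."""
    alerts = []
    for ident, store, action in log:
        if (store, action) not in grants.get(ident, set()):
            alerts.append(("UNGRANTED", ident, store, action))
        elif store not in allowed.get(ident, set()):
            alerts.append(("OFF_PATH", ident, store, action))
    return alerts


if __name__ == "__main__":
    print("stale grants:", unused_sensitive_grants(GRANTS, ACCESS_LOG, STORES))
    print("svc-portal blast radius (current):", blast_radius("svc-portal", GRANTS, STORES))
    print("svc-portal blast radius (tightened):",
          blast_radius("svc-portal", tighten(GRANTS, ALLOWED_PATHS), STORES))
    for alert in path_alerts(ACCESS_LOG, GRANTS, ALLOWED_PATHS):
        print("ALERT", alert)
```

The internet-facing 'svc-portal' identity is the toehold from the interview: with its current grants a compromise reaches PHI, PCI and PII, while tightening it to its approved path leaves only PHI exposed. The UNGRANTED alert is the more serious finding, since it means an access succeeded that the recorded policy never allowed.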

BN: What can we expect from Symmetry Systems over the next few months?

MT: Our mission is to amplify security engineers. Security is a fascinating, yet very specialized, field. If it's a part of a 'paved road', it allows functionality developers to innovate safely -- and, in an ideal world, unlocks regulated industries, such as healthcare and education, to modern applications.

We are currently heads down building DataGuard with our design partners and we expect to add one to two organizations each month into pilots over the coming months. In parallel, we'll share more of our work, especially about open interfaces so that organizations can tailor their defenses without fragmenting them.



© 1998-2024 BetaNews, Inc. All Rights Reserved.