In today’s era, when almost everything is online, the most valuable asset of a company is the privacy of their business data and other intellectual property. In hybrid cloud environments, however, it’s often not clear where your data is being stored and who has actual control over it. Is it possible for users to control their data even when they utilize untrusted applications running in untrusted datacenters? To explore this question and similar ones, I recently had a chat with Mohit Tiwari, the CEO and co-founder of Symmetry Systems, a company that delivers data store and object security (DSOS) purpose-built to provide full visibility and unified access control over your most valuable data assets, no matter where or how they are stored.
I began my conversation by noting that a lot of enterprises today have adopted the hybrid cloud model for their IT infrastructures. I then asked Mohit what kinds of privacy concerns are associated with storing and handling user data in hybrid cloud environments. He responded, saying, “Hybrid clouds enable businesses to maintain legacy systems on-premises while using a public or virtual private cloud for new services and as overflow/on-demand capacity. Not using the hybrid cloud is a major business risk.”
Hybrid cloud and data: Risks and opportunities
I asked him to clarify this, and he replied, “Hybrid cloud brings both security risks and opportunities, and I believe the opportunities will end up outweighing the risks in steady-state. The security risk is that cloud services have many new security controls and have a large blast radius for small mistakes. For example, Amazon’s Simple Storage Service (Amazon S3) has bucket-, object-, attribute-, role-, account-, and organization-based access controls around data assets — and mistakes here land the data in the wrong hands. Since many companies process user/customer data, mistakes in setting up the hybrid cloud can indeed breach this data.”
“The opportunity,” Mohit continued, “is that infrastructure is managed through automation, and it gives small security teams with experts to have an outsize impact in rolling out best practices in a consistent manner and in responding to attacks or vulnerability reports quickly. As new tools and best practices are built, the security risks should go down significantly.”
I asked Mohit next what he felt is the hardest part about securing sensitive business data in hybrid cloud environments. “First,” he replied, “even defining ‘sensitive’ data precisely is hard. There are many cases of non-PCI/PHI data being used to infer sensitive attributes. Second, most authorization and access rules around data are embedded inside applications today, where the attack surface is huge — applications are complex and vulnerable, and exploits can turn applications into attacker’s deputies who shovel user data out over legitimate channels,” he said.
“Third, business requirements change fast, people move around, and keeping permissions defined for both speed and security is an exceptionally hard problem — especially when security teams have to make a case for minimizing damages that may not come to light.”
Mitigating data security and privacy concerns
Those are good points, I responded. But what can be done to mitigate these data security and privacy concerns? And how can Symmetry Systems play a part in this? “The first big step,” says Mohit, “is to understand data risk deeply — to map out the content of data stores into a ‘social network’ of data objects, to learn how data objects are used for business uses, and to operationalize this graph — improve data risk in a proactive manner and detect and help remediate when attacks are discovered. Data is the most valuable and persistent asset — accordingly, we have to think of moving our “firewalls” from networks to applications to now data as well. Symmetry has led the way in defining these requirements into a new category — data store and object security (DSOS) — and delivers DataGuard as a leading DSOS solution.”
I asked Mohit next about the challenges many enterprises face in the area of compliance and what can be done to ease the task of complying with GDPR, HIPPA, and other governance standards. “Today, most enterprises have data calls where developers and data owners have to write down what they think the applications are doing with the data. This is both hard to maintain and often not the ground truth. Many enterprises are beginning to put data-centric mechanisms in place, e.g., to request that all developer teams build APIs that enrich data objects with privacy-metadata and provide knobs to delete the data or account for it. Companies like Google and Facebook can do this internally, but most organizations have distributed control, and they will benefit from a solution that crawls data stores and bootstraps their privacy program with metadata and then help them answer audit-related questions. Automating this data preparation can move companies towards a compliance-ready posture and save employee-hours chasing down data.”
To end off our conversation. I asked Mohit if he had anything more he wanted to say on the subject. “The hybrid cloud model is a major opportunity to bring the best of cybersecurity research and hard lessons from practice into the next 20 years of infrastructure. Programmable infrastructure can help move security from being a bolt-on to being an intrinsic and evolvable part of infrastructure. And overall, enable dark data to be put to better and safer use.”
Featured image: Designed by OnlyYouqj / Freepik