We were delighted to host three esteemed data and security experts for a webinar titled, “Deliver Data Access Security Governance at Cloud Speed Without Getting Bogged Down!”
- Moriah Hara, CISO and Security Consultant, Vigilance Security
- Elan Elango, VP Engineering, Zeta Global
- Seth Youssef, Security Field CTO, Snowflake
- Ganesh Kirti, CEO and Founder, TrustLogix
Below, we captured some of the key takeaways from each speaker along with the Q&A. You can also access the full webinar recording.
Key Takeaways:
Moriah Hara, CISO and Security Consultant, Vigilance Security
Key takeaway: Cloud data governance is a complex and growing problem; teams are challenged to securely provision access at the speed the business needs because of diverse data platforms and stores.
- As a CISO, access management and data security are a complex and growing challenge, especially today, as most environments have multiple cloud platforms and multiple data stores. It gets harder to see who's accessing what.
- Overprivileged accounts are one of the most obvious issues around managing data access. The easy button is just to give users default role-based access and not really think about the fine-grained tuning that needs to be done.
- Role explosion happens as roles increasingly get created and opened to access various services. But when someone is off-boarded and leaves, they may still have access to a number of data stores that you didn't even realize they had.
- There's a natural friction between data owners and the business's need to access data at scale to innovate, on one side, and security, whose primary priority is protecting the data, on the other. Security owners granting the right level of access or privilege to data consumers may take weeks. But the data consumers, the business that's trying to innovate, are trying to move fast and need access immediately. When security takes its time, it may definitely impact revenue and what the business needs to do.
- Giving people only the specific access that they need, to the specific data that they need, is easier said than done. In reality, access is provisioned by many groups and the concept of least privilege is typically not executed very well.
"When you look at again the number of data platforms, when you look at most environments that may have Snowflake on top of their major data systems, there is a lot of granular access that needs to be considered here. The knowledge and ability [needed] to understand how to provision fine-tuned access is not simple."
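The off-boarding gap, role explosion and "who's accessing what" questions in this section can be checked mechanically once the grant metadata is exported. The following Python is an added example, not code from the webinar or from any speaker's product; it assumes a constructed user list, direct role grants, a role hierarchy and role privileges in the shape a data platform's grant metadata would provide, and walks the hierarchy to find offboarded users who still hold roles, roles no active user reaches, and the effective privileges a user ends up with.

```python
"""Role-graph audit for the problems described above: offboarded users who still
hold roles, roles no active user reaches, and the effective privileges that role
inheritance gives a user. All data here is constructed sample data."""
from collections import deque

# Constructed: user lifecycle status as an HR or identity-provider feed would report it.
USERS = {"alice": "active", "bob": "offboarded", "carol": "active"}

# Constructed: roles granted directly to each user.
USER_ROLES = {
    "alice": {"ANALYST"},
    "bob": {"ANALYST", "MARKETING_ADMIN"},   # bob left, but nobody revoked these
    "carol": {"MARKETING_ADMIN"},
}

# Constructed: role hierarchy, parent role -> roles granted to it (parent inherits them).
ROLE_HIERARCHY = {
    "MARKETING_ADMIN": {"ANALYST", "PII_READER"},
    "ANALYST": {"PUBLIC"},
    "PII_READER": set(),
    "PUBLIC": set(),
    "LEGACY_ETL": set(),   # created for a past project, now held by nobody
}

# Constructed: privileges granted directly to roles, as (privilege, object) pairs.
ROLE_PRIVILEGES = {
    "PUBLIC": {("USAGE", "DB.PUBLIC")},
    "ANALYST": {("SELECT", "DB.MARTS.CAMPAIGNS")},
    "PII_READER": {("SELECT", "DB.RAW.PROFILES")},
    "MARKETING_ADMIN": {("INSERT", "DB.MARTS.CAMPAIGNS")},
    "LEGACY_ETL": {("SELECT", "DB.RAW.PROFILES"), ("DELETE", "DB.RAW.PROFILES")},
}


def effective_roles(user):
    """Every role the user can act as, following role-to-role grants transitively."""
    seen = set()
    queue = deque(USER_ROLES.get(user, ()))
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(ROLE_HIERARCHY.get(role, ()))
    return seen


def effective_privileges(user):
    """Union of the privileges of all roles the user can reach."""
    privs = set()
    for role in effective_roles(user):
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs


def offboarded_users_with_access():
    """Offboarded users who still hold any role, with everything those roles reach."""
    return {
        user: sorted(effective_roles(user))
        for user, status in USERS.items()
        if status == "offboarded" and USER_ROLES.get(user)
    }


def roles_without_active_members():
    """Roles no active user can reach: role-explosion leftovers to review and drop."""
    reachable = set()
    for user, status in USERS.items():
        if status == "active":
            reachable |= effective_roles(user)
    return sorted(set(ROLE_HIERARCHY) - reachable)


def users_who_can_read(obj):
    """Answer 'who can read this object?' across the whole role graph."""
    return sorted(u for u in USERS if ("SELECT", obj) in effective_privileges(u))


def privileges_beyond_need(user, needed):
    """Least-privilege gap: effective privileges the user's stated job does not need."""
    return sorted(effective_privileges(user) - set(needed))


if __name__ == "__main__":
    print("offboarded but still granted:", offboarded_users_with_access())
    print("roles nobody active reaches:", roles_without_active_members())
    print("can read DB.RAW.PROFILES:", users_who_can_read("DB.RAW.PROFILES"))
    print("carol beyond need:", privileges_beyond_need("carol", {("SELECT", "DB.MARTS.CAMPAIGNS")}))
```

The point of walking the hierarchy rather than reading direct grants is that bob's access to the raw profile table is never granted to him directly: it arrives through MARKETING_ADMIN inheriting PII_READER, which is exactly the kind of grant the speaker says nobody realizes a departed user still has. privileges_beyond_need compares the same transitive result against the access a job actually requires, which is the least-privilege gap the last bullet describes.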
Elan Elango, VP Engineering, Zeta Global
Key takeaway: As a data-centric business, it's critical to proactively manage access, governance and compliance to satisfy clients and regulators, something that's incredibly hard to do given the scale and complexity of the data and sources we're dealing with.
- We deal with massive volumes of data, using machine learning and AI, and we use that data to personalize marketing campaigns for our clients and customers. We hold user profiles of 241 million people on behalf of our clients. Amazon has about 250 million, Google about 210 million, so we have the same scale.
- We are actually talking about people. People’s personal profiles, user profiles, various signals, attributes, identity, postal address, e-mail address, phone numbers, what device they connect with and so forth. So our clients, from various verticals and various industries, are very particular about how their data is protected, how the personal attributes of their customers are governed.
- Our challenge is dealing with all this data, petabytes worth of data, right? This is across massive ecosystems: Snowflake (more than 25 instances), AWS, MySQL, Hadoop, massive clusters, Kafka. We're both on-prem and in AWS for low-latency operations across various regions in the US and EU. So there are all of these complexities. We have about a thousand-plus users using our cloud-based system and we have about 10,000 roles, and this is just a massive explosion of all the security permissions and roles that we have to manage. Doing this manually is insurmountable.
- One of the biggest challenges that we have is answering compliance-related questions proactively. The most important thing that we wanted was a single pane of governance controls where we can look at all the users, roles, permissions and govern all of these, and also ensure that if any kind of violations and risks are happening, they are surfaced to us before they become an issue.
- With TrustLogix, we can go to a central console, the unified policy management console, to get a single view of what all the violations are, what all the policies are that we've implemented, and how to manage all the risks. And it works with Snowflake and other databases, MySQL, S3 and so forth, as we are integrating with multiple things.
- More regulations are coming up. If you want to say, “if a particular person is this particular age you can't show them these kinds of ads,” how do you implement that? It's extremely hard to do this across the variety of databases that we have. This is where TrustLogix comes in and helps us with their ABAC policy, that is, attribute-based access controls.
"It's impossible for us to go into each one of these instances and then find out what the policies are, what the risks are. With TrustLogix, you can go to the central console and across all the instances of Snowflake, get a single view of what are all the violations, what are all the policies that we've implemented, and how you manage all the risks."
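The age-based advertising rule Elan describes is a textbook attribute-based access control (ABAC) decision: the answer depends on attributes of the person (age, consent) and of the resource (ad category), not on which role a user holds or which database the profile lives in. The following Python is an added example and is not TrustLogix's policy language or any speaker's code; the policy format, operators, combining rule and sample requests are all constructed for illustration. It deliberately treats a missing age attribute as unknown, so that restricted categories fall through to a default deny rather than being shown to a profile whose age was never captured.

```python
"""Minimal attribute-based access control (ABAC) evaluator for a rule of the kind
described above: an ad category may only be shown to a person whose attributes
allow it. The policy format, operators and sample requests are constructed."""

# Comparison operators a condition may use.
OPS = {
    "eq": lambda actual, expected: actual == expected,
    "in": lambda actual, expected: actual in expected,
    "lt": lambda actual, expected: actual < expected,
    "gte": lambda actual, expected: actual >= expected,
}

# Constructed policies: each condition is (attribute path, operator, value).
# The combining rule is deny-overrides with default deny (see evaluate()).
POLICIES = [
    {"id": "honour-opt-out", "effect": "deny",
     "conditions": [("subject.marketing_consent", "eq", False)]},
    {"id": "no-restricted-ads-to-minors", "effect": "deny",
     "conditions": [("subject.age", "lt", 18),
                    ("resource.category", "in", {"alcohol", "gambling"})]},
    {"id": "restricted-ads-to-verified-adults", "effect": "permit",
     "conditions": [("subject.age", "gte", 18),
                    ("resource.category", "in", {"alcohol", "gambling"})]},
    {"id": "general-ads", "effect": "permit",
     "conditions": [("resource.category", "in", {"sports", "retail", "travel"})]},
]


def _lookup(request, path):
    """Resolve a dotted path such as 'subject.age' in a nested dict; None if absent."""
    node = request
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _matches(request, conditions):
    """All conditions must hold; a missing attribute never satisfies a condition."""
    for path, op, expected in conditions:
        actual = _lookup(request, path)
        if actual is None or not OPS[op](actual, expected):
            return False
    return True


def evaluate(request):
    """Deny-overrides, default-deny: any matching deny wins, otherwise the first
    matching permit, otherwise deny. Returns (decision, id of the deciding policy)."""
    permit_id = None
    for policy in POLICIES:
        if not _matches(request, policy["conditions"]):
            continue
        if policy["effect"] == "deny":
            return "deny", policy["id"]
        if permit_id is None:
            permit_id = policy["id"]
    return ("permit", permit_id) if permit_id else ("deny", "default-deny")


def permitted_categories(profile, categories):
    """Filter ad categories for one profile, whatever store the profile came from."""
    return [c for c in categories
            if evaluate({"subject": profile, "resource": {"category": c}})[0] == "permit"]


if __name__ == "__main__":
    minor = {"age": 16, "marketing_consent": True, "source": "mysql"}
    adult = {"age": 40, "marketing_consent": True, "source": "snowflake"}
    unknown_age = {"marketing_consent": True, "source": "snowflake"}
    for who, profile in [("minor", minor), ("adult", adult), ("unknown age", unknown_age)]:
        print(who, "->", permitted_categories(profile, ["alcohol", "sports", "gambling", "travel"]))
```

Because no policy references the profile's source, the same decision comes out whether the profile was read from MySQL or from one of many Snowflake accounts, which is what makes a single policy enforceable across a mixed estate. Missing attributes are the edge case to watch: an evaluator that silently treated an absent age as passing the "age >= 18" check would show restricted ads to exactly the profiles it knows least about.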
Seth Youssef, Security Field CTO, Snowflake
Key takeaway: Defense in depth protects data in multiple layers across the Snowflake environment. To have visibility into the entire data ecosystem, partners like TrustLogix let you leverage our native controls and provide visibility into the full data flow, including outside Snowflake.
- Snowflake gets engaged with highly regulated industries and the public sector, because Snowflake is mission-critical for those types of customers, and we handle all the data governance, data privacy and data security discussions with the different stakeholders within our customers.
- Specifically with the data-driven companies that want to just go and put their data inside cloud platforms, the risk is even higher. They need to make sure the data is protected not by a single control but in multiple layers across the environments.
- Through the defense in depth that we use, there are layers across the whole environment: the data is always encrypted at rest, always encrypted in transit, and you have full auditing and monitoring of all the user actions against this data during that whole journey within Snowflake.
- However, data sources can be inside Snowflake or outside of Snowflake, and this is where you need a platform that can actually see the full data flow, the sensitive data flow that goes from source all the way to consumption. You need to have visibility across the board.
"You need to apply policies across the environment. Snowflake doesn’t stand alone, we integrate with partners like TrustLogix where they run on top of Snowflake, out of band, and they consume the metadata only, they don't consume the data from Snowflake. So the data stays in Snowflake and they go and identify the policies across not only one Snowflake account, but across multiple Snowflake accounts, and that will make sure you have uniform policy enforcement."
Ganesh Kirti, Founder and CEO, TrustLogix
Key takeaway: Data access governance is a complex but solvable enterprise problem. Our integrations with leading data platforms leverage native controls to provide visibility into top security risks, and enable access provisioning that's fast and secure with no coding required.
- Like Seth and Elan talked about, with hundreds and hundreds of data sources, and multiple data platforms sitting in the cloud, plus on prem, and then AI and ML and all the other workloads coming in, and that data continuing to grow, it’s very complex and it’s very hard to implement access controls in a way that scales massively.
- You’ve got to have a methodical way, a systematic approach to solve this, to streamline the process for enterprises. So that's really where we defined this four-step process that goes step by step, and we simplify implementing access controls for data in the cloud across multiple data platforms.
- And the way we do this is, we don't touch that data, we don't move that data from the data sources; we have a native integration into these data platforms and that's where we work complementarily. That's where our partnership with Snowflake comes from; we've partnered for more than two years. We are a partner of AWS.
- Whoever has day-to-day responsibility for securing access to data doesn’t have to understand the complexities, they can provision access controls across all these data platforms, without having to be a data expert, without having to be a security expert, without writing code.
- We've combined data access controls with security visibility architecturally; we believe that you need to have both data access and security working together, collaborating.
- Security people, and even data architects and data owners, get instant visibility into what is going on with that data. They want to be able to remediate that if they see any risks. If they see any misuse of the data. If they see any violation of privacy. So TrustLogix lets them see and, through recommendations to remediate, can also take action on potential risks immediately.
- The beauty of the solution is that the data consumers get access instantly, and security and compliance are taken care of.
"To provision access controls across all these data platforms, it can become very complex. It's not just the roles and permissions. It can become very dynamic based on the business rules. It can go into attributes. It can go into entitlements. That's very difficult to implement if you're not a security expert or if you're not a data expert. The beauty of TrustLogix is you don't need to understand that complexity to create policy. And privacy and security folks using TrustLogix can get instant visibility into what is going on with that data."