We were delighted to host Jerry Kowalski, Americas' CISO at Jefferies and Jonathan Sander, Security Field CTO for Snowflake for a webinar last week entitled Security-Business Collaboration is the Key to Cloud Data Security. We captured some of the key takeaways from each speaker along with the Q&A. Further below you can also access the webinar recording.
Key Takeaways:
Jerry Kowalski, Americas’ CISO, Jefferies:
- If you have multiple data sources (e.g. Snowflake, S3, etc.), you need to be able to consistently enforce entitlements and access policies across all those sources from a single platform
- Data security is a team sport
- Data owners / stewards articulate the policies
- Security implements those policies and owns the enforcement platform
- Created a new role within Jefferies InfoSec Data Security Admin
- At runtime, data owners approve data access requests, and security enforces them
- Don’t reinvent the wheel … leverage existing infrastructure to take advantage of best-of-breed
- Data classification
- Identity Management
- Architecture is key – Proxies and agents will impact performance which will make your internal customers unhappy
Jonathan Sander, Security Field CTO, Snowflake
- Don’t conflate Digital Transformation with “move to the cloud” because you’d be missing the point. DX is about users being able to request and get access to the data they need. You can move to the cloud and still miss the boat.
- In theory you could also enable DX on-prem but not recommended for all the normal cloud reasons (scale, elasticity, performance, etc.)
- There are multiple entities involved in implementing and enforcing data access control policies (think of authorization concepts like Policy Administration Point (PAP), Policy Decision Point (PDP), and Policy Enforcement Point (PEP))
- Snowflake’s role is to drive security through external code / orchestration solutions (like TrustLogix) that can use a business-driven outlook to enforce policies across Snowflake and other platforms.
Ganesh Kirti, Founder & CEO, TrustLogix
- Data Owners want to put their data in the hands of Data Consumers, that’s the heart of DX, but they need to do that in a way that satisfies CISO, Audit, Compliance, etc.
- We recommend a four-step process to effectively address this challenge
- Observe & Learn – Discover which datasets are being used, and by whom
- Enable – Make recommendations about data access control policies based on observed behaviors and best practices
- Control – Implement fine-grained access controls for your sensitive data
- (Re)certify – Validate access on an ongoing basis for audit and compliance
- We built TrustLogix to eliminate the friction between InfoSec and the business
- TrustLogix is a Data Security Governance platform that uniquely allows security and business users to collaborate to deliver safe and secure Digital Transformation
- Data owners save time by not having to get into the security weeds
- DataSecOps can model policies based on business rules
- Data consumers get instant or near-instant access based on existing IAM group memberships and attributes
Q&A
- Where does Compliance fit into this modern cloud data world? [15:30]
Jerry: Across the industry, compliance is now catching up to the concept of the Enterprise Data Lake in terms of how accessing this and how can we monitor it. InfoSec needs to provide assurance that access to the data is reviewed and approved.
Our Compliance and internal audit teams like the request / approval process we have delivered through JRequest. Lack of this kind of process is what gets organizations in trouble.
Something else that’s important is keeping data you’re supposed to get apart from data you’re not supposed to have, like Separation of Duties for data … this is something else that TrustLogix will be helping us with.
-
- For cases where policy already exists, how long does access take? [17:30]
Jerry: We put the onus for approval on the data owners and data stewards. Security implements and enforces the policy, but granting approval stays with the business. Because of this, the request - approval access cycle is fairly instantaneous if the policy already exists. Even if there are multiple approvers / data owners, it happens within 24 hours.
- How does identity and access management fit into this data access paradigm? [19:30]
Jerry: It’s fully integrated, that’s the beauty of it. We’re using user identities and AD group memberships to drive data entitlements because those identities are being passed through Python or whatever tools the data consumer is using.
Leveraging our existing identity management platform reduces a lot of noise and work because users are already getting entitled to things based on their group memberships and there’s no need to reinvent the wheel.
This all assumes that you’ve invested the work up front to catalog your data and define your policies. If you make this investment, it pays off in reduced friction, better security, and happier users.
- If Snowflake already has security built in, where does the ecosystem come in? [28:00]
Jonathan: It’s about each member of the ecosystem playing their role. There are many pieces that are not core to our platform (Policy administration, catalog, lineage, etc.), and the ecosystem is crucial in delivering on those pieces. Snowflake’s rich capabilities make it an ideal PEP (Policy Enforcement Point) and we’re opening up our platform more and more every day so that ecosystem partners like TrustLogix can make sure that Snowflake can fit nicely into the kind of sophisticated architecture that Jerry laid out earlier.
- How do you integrate with all these data sources? APIs or connectors or native integration? [49:20]
Ganesh: Cloud-native integration via vendor’s APIs or data layer integration as recommended by the vendor. The objective is to abstract the low-level details and complexity away from our customers so they can deliver a seamless experience to their data consumers.
Jonathan: TLX is a well-behaved partner 😀 in terms of using the appropriate integration methods and hooks that we recommend.
- How are data access monitoring and telemetry handled? [52:00]
Jerry: Data monitoring is handled thru TrustLogix. They give us visibility into who is accessing what. This also plays into the last step of the framework Ganesh shared, which is “Recertify”. Recertification is a concept we use on the Identity Management side as it relates to applications. TrustLogix removes the concept of the application and connects users directly with data – monitoring and recertification is handled thru TLX.
- How do you guarantee only those people internally and externally have access to a company’s data, and verify it remains up to date? [52:57]
Jerry: Recertification of access is crucial to this, and identity is a key part of it. You need to make sure that identity is tied to something you trust, which for us is AD.
- Can this be handled through traditional IAM? [53:45]
Jonathan: IAG used to be the only game in town. It’s no mistake that we see Jefferies emulating the same pattern for data. IAM has never focused on data though (so no, it’s not enough on its own) but provides patterns that we can learn and apply to the data layer.
- Is data downloaded or exported from UI / SnowSQL / Snowpark monitored? [55:25]
Jonathan: Nothing happens in Snowflake that is not monitored. That being said, Snowflake is *not* a DLP solution.
Ganesh: TrustLogix reports on who accessed your data, and what tools they used to access it to detect Shadow IT. TrustLogix also looks for key indicators of data exfiltration events.
- What were key criteria for selection for Jefferies? [58:10]
Jerry:
- Performance – We needed architecture that would scale well. Proxy-based solutions were no-go, because that architecture doesn’t scale well.
- AD and AD Group integration – Didn’t want yet another Identity solution
- Support multiple data sources from a single policy platform
We were not able to get to the following questions during the live webinar, but circulated them with the panelists afterwards:
- You refer to TrustLogix as a Zero-Trust solution [43:40], can you expand on that?
TrustLogix uses a proxy-less approach that doesn’t add new risk to the customer’s architecture. Because there’s no proxy, there are no new components that the customer has to manage, patch, ensure availability for, etc.
In the same vein, we also don’t touch any customer data so there is never any risk of TrustLogix being a potential entry point for a data breach.
- Perhaps not directly related, how have the Snowden revelations about what is possible with covert data collection by bad actors affect Data Security strategy today?
One of Snowden’s main points was the ubiquity of data collection so responsible CISOs and Data Stewards need to be hyper-aware of how their data moves through the organization and how it’s being handled.
- Avoid proxy-based architectures as your data is now flowing through someone else’s cloud
- Encrypt data in motion
- Have thorough tripwires to detect exfiltration indicators
- I now understand it is all about the data, how do you see the future of OLTP data that tends to reside in many individual databases?
OLTP data stores will continue to be the backbone of transactional systems though we will see it all shift from on-prem to the cloud. And the data and “digital exhaust” from those apps will continue to get flowed into warehouses and data lakes to power digital transformation at an increasing pace via platforms like Snowflake and others.
- How does this work in a multi-cloud scenario?
Since you can run Snowflake's Data Cloud across multiple cloud platforms, you can also apply TrustLogix to be the hub of policy management for these different Snowflake Accounts. And since TrustLogix is using the built in Snowflake controls to enforce policies, which are the same across the different CSP implementations, you can be sure you're getting both consistent policy and consistent enforcement.
TrustLogix is designed to work across Snowflake, Redshift, S3, and a broad variety of other cloud data platforms. Data owners can articulate their policy once in business context, and TrustLogix will consistently apply, enforce, and audit those policies across a myriad of platforms.