Why data security is getting more complex: Vormetric

IDG.TV | Mar 4, 2016

At the RSA Conference in San Francisco, Sol Cates, CSO of Vormetric, talks with CSO about why securing data at companies is getting more difficult. The company released its 2016 Data Threat Report at the show.

[background music]
Presenter: I think customers are in denial because they focus so much on the perimeter. They're so used to fighting these wars closer and closer to the adversary, when in reality, the adversary is getting past those barriers. They're getting past those controls that they're very comfortable with.
One of the other challenges is why they're so much in denial is because, quite often, organizations don't even know where their data is, let alone how it's protected, who's in control of it, and what's governing it.
Some of the new tools that are needed for security professionals to really help focus around protecting the asset that the adversary is after, which is data...data, day to day, doesn't care what you call it. It could be HIPAA data, PCI data. It has no concept of that. It knows it's ones and zeros. It has no built in defense.
One of the things that a lot of organizations are starting to realize is controls like encryption, tokenization, access controls, and so forth can be a leverage to protect the information, the data itself, which is ultimately the goal of the adversary.
The last couple of years, we're starting to see a little bit of a shift towards getting more data centric. But I think the training, from a market perspective, we've trained security professionals it's very safe to be compliant. Your bare minimum to be secure is to be compliant. It's a laundry list of everything you should have.
These tools and controls that they end up purchasing are really focused around making sure they've met that requirement versus being strategic about, "What is the adversary actually after? What can we do to put better controls around the actual asset they're after?"
I think part of it is just learned behavior. They're used to the old way, which seemed to be not necessarily the best way. It was the way they knew, the way they were trained, and the way the organizations around them put requirements on them to protect the assets, the network, but never the data.
You look at encryption, not just what's in the news today, but over the last 15 years, encryption is just math. The application of applying encryption to data security in the past was very challenging for organizations. It was very costly, very inefficient, a lot of performance impact, and it was very complex. Most people had to understand PKI and key management, all these skill sets that a lot of organizations don't have natively.
I think one of the things that's interesting is, as encryption has evolved, it wasn't just so much the math that's evolved, it's the application and simplification of applying cryptography inside the enterprise. That's where we're trying to see a shift towards encryption as being a bigger conversation for a lot of organizations, because it's a known control that works really well. It works really well.
The problem is it's always been very hard to do. Your question was, "I'm an organization, and I sort of know where my data is." I actually find that very rare. A lot of organizations don't know where their data is. When they do, it's usually some kind of very specific information. It's intellectual property. It's PCI. It's customer data. It's something that they can easily identify, find, locate, and then they can put controls in to protect it.
One of the things that I see from a company perspective is, "Do I focus more on the data at rest or data in motion?" Data at rest is where ultimately that data has a long life. You're probably going to create it, manage it, use it. It creates value for you as an organization, so it doesn't get disposed of very regularly.
Data in motion in motion is constantly changing. I think most organizations can find their data better than they can find the paths to their data. Figuring out how to do data in motion encryption, a lot of tools already have it built in.
The majority of organizations that go through that exercise, they start just ticking off the ones they already have SSL, TLS. They've got secure communications for their systems management like SSH. A lot of the data in motion is covered from most tools they already have.
It's that last gap sometimes they focus on to close, but I think, in general, most people find more value about protecting their data at rest, because that's ultimately what you actually use to create value for your company, and ultimately the adversary wants that information.
As new frontiers emerge, like IoT, cloud, where more data is being created, the hardest part is not the creation of the information, it's understanding where it is. "Where is it going? How is it being consumed?" and ultimately, "How am I going to get value out of that information?"
Where we're seeing a lot of organizations focus on is, "Let's not look at boiling the ocean. Let's focus on the crown jewels. In this mess of things of things, is IoT valuable to me? I might get interesting results out of analyzing behaviors of sensors over time in a big data repository, but all that data, is that valuable to me? Should I protect it?"
Maybe what I care about is the results that come out of it. That's probably very valuable, that's go to market or it's some kind of new product I'm creating. I think the focus, regardless of where the data is coming from, or what ecosystem it's going into, organizations have to know exactly what they want to protect and why that crown jewels but also have the ability to protect it anywhere.
It might be in the cloud today, it might be in containers tomorrow, it might be in ARM param yesteryear. You have data in so many different forms and locations, you need to have the ability to protect it anywhere it could be going. The big message for CSOs and people that are in security is data security shouldn't be an afterthought. It should be your first thought. At the end of the day, that's the first thing that the adversary is after.
Really understanding exactly what you have, what's valuable, and what you're going to do to protect it are key objectives that organizations should look at, because, if you think about it, over the last three, four years, we've seen a lot of breaches. All of those breaches had one thing in common. The data got stolen. We probably want to avoid those, so focusing on the data is very important.