Cybersecurity boils down to securing your data or data protection. But that simple concept has turned into a monumental task that is only exacerbated every time we move our data to a new platform. How do we secure data today, to be ready for whatever comes next in computing?
Check out this post and this post for the discussions that form the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and guest co-host Gary Hayslip (@ghayslip), global CISO, SoftBank Investment Advisers. Our sponsored guest is Elliot Lewis (@ElliotDLewis), CEO, Keyavi.
DISCLOSURE: Gary is also on the board for Keyavi.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor Keyavi
[David Spark] Cyber security boils down to securing your data, but that simple concept has turned into a monumental task that is only exacerbated every time we move our data to a new platform. How do we secure data today to be ready for whatever comes next in computing?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series, and I have a special treat for all of you, my guest cohost today. He is here in the studio, along with my guest who I’ll introduce in a second. But first let me introduce my guest cohost who has been a cohost on, I don’t know, was it this show or the other show before? Which one was it?
[Gary Hayslip] I think I’ve done both.
[David Spark] You’ve done both. Well, I know you’ve done both, but I don’t know which one you actually did as a guest cohost. But anyway, it’s Gary Hayslip. He’s the CISO for Softbank Investment Advisors. Thank you so much for being here.
[Gary Hayslip] Oh, this is awesome.
[David Spark] And the other big thing is it’s Gary’s birthday today. Although it’s today when we’re recording, not when this actually airs. So, I don’t want to confuse anybody. But when you see Gary, wish him a belated birthday. Our sponsor for today’s episode is Keyavi, who has been a spectacular sponsor of the CISO Series. Actually kind of our growth and their growth are kind of going in parallel right now. It’s kind of fantastic to see both of us, but we’ll get to that later. But I want to get to our subject at hand, and that is how do we go about building a data transformation program that’s platform agnostic. So, every time there’s a new platform, the move is never lift and shift. As much as we would like it. And we all know from going on prem to Cloud, we all know you can’t do that. So, whatever the next thing is we’re going to have the same issue. So, if we keep reinventing the data protection wheel every time we move to the next thing, cyber security costs will simply go up like a hockey stick. So, Gary, you’ve been a CISO for a long time, been in cyber security a long time. Every time you do a jump, there is a massive sort of cost [Inaudible 00:02:05] not just for the move but for all the security around it, yes?
[Gary Hayslip] Oh, yeah. Not just the security around it but the training, having to train the staff on what we’ve got that’s new and where data is at. Oh, yeah, the costs are usually 20 to 30% more than what you expect.
[David Spark] So, the guest I have who’s here who’s actually a neighbor of mine… He lives just a town over. It’s fantastic. We’re all San Diego residents here. But I just want to just speak something about Elliot… I met Elliot a number of years ago at Black Hat, and we’ve been extraordinarily good friends ever since. He’s been an early, early supporter of the CISO Series. I have leaned on him for many things in the past. And in turn he’s also been a spectacular sponsor of us as well. So, I’m thrilled to have him back here. His company, by the way, they are a sponsor, but I am really amazed with what you’re doing with Keyavi and how much you’re taking off. This topic of data protection is very much in your wheelhouse here. So, anyways, I want to thank Elliot for coming here. He is the CEO of Keyavi. Elliot, thanks for coming.
[Elliot Lewis] Thanks, David. It’s great to be here, especially live with you guys. This is a real treat.
[David Spark] And I also want to mention that Gary, while he is the CISO over at Softbank Investment Advisors, as his closer, he is actually also an advisor for Keyavi as well.
[Gary Hayslip] Yep, I’m happy to be there. Like you said, it’s amazing what we’re doing.
How would you handle the situation?
[David Spark] So, Jonathan Waldrop of Insight Global sort of said some really kind of basic outline of cyber security. He just says the right perspective here is triangulating the data, the application, and the identity, and maybe the device. So, this comes down to one, knowing who needs access, two, how they actually access, and three, what controls are in place to ensure one and two occur only under approved conditions. So, is this a good simplistic basic explanation of cyber security, Gary?
[Gary Hayslip] When I talk about cyber, I talk about how cyber is there to manage risk. And honestly you go to Cloud…the more you move your organization to Cloud, security moves down to the data layer. It moves down to the endpoint. It is. You’re very focused on how you’re authenticating and what you’re accessing. And so he’s right. In a simplistic point of view, oh, yeah. I’m scared to death of who’s logging in, what they’re accessing, what they’re sharing, and constantly needing visibility into that.
[David Spark] And, Elliot, I know you have said this so many times – things change, platforms change, the way we handle identity changes. But the thing that stays constant is we’re dealing with the data.
[Elliot Lewis] That’s it. It’s the one common denominator out of all of it. This is what we had to focus on. The whole point of all the cyber security to date has been data cannot protect itself, so you have to put all these layers around it, use controls around it, and everything else. The point that they had here… When you look at what Jonathan said, he’s spot on. The question is not what we have to do, it’s how it can be done. The one common denominator, the one center point that is agnostic to all platforms, all control types, all applications is the data layer itself. So, we can make the data that smart that it knows who it’s allowed to work for, when it’s allowed to work for them, on what devices, with what applications. When the data is that center point and you make it that smart, now everything becomes a compact construct. And this goes wherever the data goes. So, you have that kind of capability, and you have the how really summed up.
[David Spark] All right, just as a devil’s advocate – in traditional security terms, you don’t want your attacker getting that physically close to your crown jewels.
[Elliot Lewis] But they do anyway. That’s the point. They’ve always been able to get that close to the crown jewels. They have been able to steal it at will. They’re penetrating these systems because the hard part about all these layers… And they are the right layers. How do you keep them in sync? Especially when you’re going to go from a new platform, from data center to Cloud, from one application to the next through your ecosystem. You have to sync all this to keep the bad guys away from your data. It’s an impossible task. They’re always going to get to it. We just have to accept that. So, what do we do? Make sure the data knows what to do at that level and then let it work with everything you want to. But it is smart about where it’s allowed to be, who it’s allowed to be with, on what device.
[David Spark] We’re going to get more into how your solution is because the next segment is really going to speak to that. But historically how have we dealt with this, Gary?
[Gary Hayslip] Well, you basically put layers of controls in place. You’re inventorying your data. You’re inventorying your users. You’re documenting not just what they’re allowed to access but where they’re allowed to access. Yeah, it’s just layers of controls that you put in place, and then you’re continually reading logs, and you’re continually inventorying. It’s just a never ending process.
[David Spark] It’s interesting – could being further away from the data be… Yes, you’re keeping potentially the bad guys out, but they’re not because as you said they’re getting in anyways. But also you’re obscuring your knowledge of understanding what’s happening with the data as you’re further away? Is this the right way of thinking about it or no?
[Elliot Lewis] I have a different way of looking at that. There’s a second half to making data intelligent and being the center point of all this. The other feature is that it tells you everything that’s happening to it as it goes. This is turning the entire model around. Not only is data being intelligent, but every time someone tries to touch it, it says who, what, where, on what device, and whether it opened up or not, and what the violation policies may have been. But it controls itself and tells you all of it in real time. Now, that is a big key piece, because what Gary was saying is we have to go through all these systems and try to parse it all together. When data can tell you itself in real time that is another major shift.
[Gary Hayslip] The thing about this is… Coupling on what he said, the controls that we have traditionally right now, many of them are still going to be in place. You’re just pulling your data to be able to authenticate from a different spot. So, I do think it does shift a lot of the things that we’re looking at now for visibility.
Can it be solved?
[David Spark] All right, I’m just going to say, Elliot, it’s as if you called these people up and asked for quotes because these three quotes I’m about to read so speak to your solution. So, there’s definitely a desire and a demand for this, and I didn’t ask for any of these quotes. But they very much speak to your solution. So, Mike Wilkes, CISO over at SecurityScorecard said, “The luxury problem of building data privacy and control policies that can follow your data around even after it has left your network and file shares is being addressed by very few organizations.” I’ll throw out one of them being Keyavi. “That said…” Going back to his quote. “…I have heard really good things about TDF, Trusted Data Format, where you can even have an embedded policy around the data within a document that enables redaction based on policy inputs and definitions.” Which this sounds like it’s an explanation of your product, yes?
[Elliot Lewis] It’s one of the features.
[David Spark] One of the features. Let me go on. Mark Eggleston, CISO over at CSC, said, “The data controls either need to be tagged to the data or validated at every access.” And another CISO, Matthew Biby over at Satcom Direct, said, “Making data easier to access/use by way of standardized APIs is essential to protecting it. As the industry moves forward, leveraging technologies that embed security attributes within the data like location use, awareness, etc. is possibly the next evolution of data protection.” So, I’m throwing this straight to you, Elliot. This is what Keyavi does, right?
[Elliot Lewis] It is a good overview of several of the features we do, as well as how we do it, yeah. It reads right to it. And I’m thrilled to hear all this because when you try to put something together and you work through it, you try to be intuitive about what’s going to give the overall solution, you’re making your best guess as a product designer. That is a spectacular overview from a third party of exactly what we’ve designed, and it’s all fully operational today. Yeah.
[David Spark] I’m going to ask, what has been the hiccup of not allowing something like this to happen in the past, Gary? This seems like why didn’t we do this before.
[Gary Hayslip] It’s interesting because traditionally… And understand, I’ve been in organizations both private and federal government where you tend to put the data in containers. You tend to go ahead and label the data. You classify it. And then you only allow certain people to open up the containers and only take out what they want. That’s been the traditional way to do it. No one has ever thought of, “Okay, well, what happens if you get rid of the container and the data itself is the container?” And the data itself makes the decision as to how it’s accessed and where it’s accessed because it’s been told that. And then instead of having to babysit the data you manage your policies and make decisions. You wouldn’t believe some of the projects I’ve had to do where we’ve had to move terabytes of data and to try to arrange them in specific folders or specific share drives for certain departments. And now when I think of where this is going now where if data can do…it’s my policy to where it’s able to protect itself I could have just left the data stored where it was at. It’s already sorted because it knows who it’s allowed to talk to.
[David Spark] Right, and this gets to really the theme of this episode, which is what do we do when we got to move it to the next thing.
[Gary Hayslip] Honestly I think what’s happened is it’s traditionally we’re used to everybody gets their own piece. Everybody gets their own bucket. Everybody has specific permissions as to who’s allowed to play with that bucket. But as we’ve moved into the Cloud and as more of these things become flexible, you don’t need that bucket anymore. Yeah, it’s revolutionary. For me, I’m thinking about what changes am I going to be making to my stack because I still need visibility. I still need to be able to control authentication and access. But now I can actually talk to the data, and the data can tell me this. I can pull information straight from the data itself to make decisions on how to protect it, which is something totally different than what I’ve seen before. Yeah, we’re used to doing it the old way. Technology is catching up with this extremely fast.
[David Spark] I’m going to ask the same question I asked to Gary to you, Elliot. You’ve been in security for a long time. Why do you think this took so long for solutions like this to come about?
[Elliot Lewis] That’s a great question. I’ve been doing cyber security for over 30 years at companies like Microsoft, Cisco, and Dell, and at Merrill Lynch where I was the CISO there. This was the solution that I envisioned I needed to do my job properly, as Gary just described all this time. And it got to the point where here I am spending all this time, effort, money, stacks, products, everything else. It is not that these aren’t good products. It’s not that they aren’t good technology. It just was clearly not solving the problems, and this is the way we had to center it. The data couldn’t protect itself. What if we change that base premise? You can’t see where the data went. What if the data tells you in near real time? Now, the whole point that took so long… I don’t think it’s anything other than it took this much time to crack this silver bullet that we had to get this right and do it right. Some of the features we’re talking about here, Keyavi makes data smart. It expects others to tell it what to be smart about. For instance we use everybody’s identity system with what they have. We use your own group policies. We use your own intelligence systems. We use your own pieces here. We feed the data into your own SIEMs and forensics. The data just has muscle now. It has the ability to think and tell you what’s happening and control it at that level. That way now the data is enabled to be, as Gary said, its own container with its own security policy embedded in. It’s able to interact with everything you have now and then take on more responsibility moving forward so that you now have a path today moving forward into your next phase, and you can be platform and capable agnostic, go from web 2.0 to 3.0 with complete control, and let the data help you do it rather than being the detriment.
What aspects haven’t been considered?
[David Spark] Dutch Schwartz of Amazon Web Services… You may know them as AWS. He says, “Containers, serverless, no code, low code are all approaches that could lower operational and management burden for your revenue generating or otherwise critical apps. Attributes common to all of these are abstraction, APIs, and automation. My intuition is that any scalable, easily developed, manageable data protection approaches for the future will need to leverage those three.” I will say, I’m going to throw to you first, Gary, on this. This is the current buzz in the space. Like, “If I’m not there now this is where I want to go.”
[Gary Hayslip] Oh, yeah. And I look at it from a security standpoint when you’re managing your stack. Everything you’re looking at, does it have an API? Can I pull data from it? How am I going to automate? How can I go and integrate this into the SIEM, or how can I go and integrate this into what my SOC is doing for their runbooks? If I can get the individual data pieces now to be able to do this, yeah, I can’t even… I’m sitting here… I’m excited just thinking what I can do with this. I’m kind of at a loss for words. I’m just sitting here, and I’m just running through my head right now, just click, click, click. What can I do with this all of a sudden if I can pull this kind of information off of each piece of data? What kind of policies can I build?
[Elliot Lewis] I think this is spot on actually after reading through this and listening to what he had to say because first of all, every part of that is absolutely true. But I would just add and extrapolate that down to the data level as well. Everything he’s saying is absolutely accurate. You also think about how the industry evolved. If you look ten years ago, if you wanted to pass a packet or send a packet anywhere, you had to have a router, IOS capability. You needed to know Cisco routers. You needed to know switching architecture. Those same engineers now know JSON code and AWS. This is the same kind of transition. Anybody who is sitting here trying to contain data with all the different systems in cyber, you’re now going to learn data policy as a service through Keyavi engine. I think it matches very clearly to what AWS did to the networking world. This is an extrapolation right down to the data level, too. And it aligns right to what he was saying.
[Gary Hayslip] I also think because of what it’s doing with automation and APIs, it dovetails right into what CISOs were trying to do when they’re building their SOCs, when they’re building their stack, and how they’re trying to go ahead and actually pull data to make decisions in real time.
Whose issue is this?
[David Spark] Neil Saltman of Sotero said, “If data in the Cloud is encrypted by the Cloud or application provider, the provider holds the encryption keys, leaving a security gap. A data first approach is the best approach where the customer has control of their own data and secures it on their own.” And Sylvia Ihensekhien…I hope I’m saying that right…CISO of ShipServ, said, “Start with the analysis of the business impact of your data, your data classification scheme, identify the owners, and maintain the data asset inventory.” Which by the way, what Sylvia is saying there at the end is that’s the holy grail for everybody, right? Yes?
[Gary Hayslip] Oh, yeah.
[Elliot Lewis] Yes.
[David Spark] That’s what you all would…
[Elliot Lewis] Absolutely.
[Gary Hayslip] And everyone says do that. Easier said than done, right?
[Gary Hayslip] Do that even get started, and then it’s a continuous process because it’s constantly changing. It is. It’s very hard.
[Elliot Lewis] These are some of the features that have come out of self-intelligent data. When you talk about the business impact of your data and how to visualize it, who’s using it, when, where, and how… In today’s world because the data cannot speak to you, that’s an almost impossible task. Even if you get an image, it’s an out of date image in seconds. Some of the side effects of having intelligent data, being able to protect itself, it’s telling you in near real time, “Here’s who has me, how they’re trying to use me, on what device, in what location, under what conditions, at what time.” And this turns into a full natural response real time data visualization system.
[David Spark] It makes forensics, I’m sure, a lot easier.
[Elliot Lewis] It turns forensics on its ear. Everything so far has been, “Let’s try to piece together what happened to the data,” in today’s world. Now because you made the data smart, the data is telling you, “Here is what is happening to me right now. And every time somebody touches me, replicates me, copies me, moves me.” When you have that kind of a change, this changes the entire thing. So, when I’ve had conversations with CISOs and CIOs, they’re like, “All these projects we put on the shelf because it was too risky for the data, let’s pull them back off the shelf. All that revenue put on the side, let’s reexamine it. Because now the data can do this.” This is a game changer to a lot of them, and it’s led to a lot of innovation even in the last year, what we’re doing with the platform. The ability to do loosely coupled federation is in our plan now. So, you can have a full set of Keyavi operations, and your partners in supply chain will be able to do so in the next rev. You’re going to see data classification engines coming out where the data can self-classify itself and reclassify itself on the fly based on what you do with it. These features have always been at arm’s length in a very hard to manage and only on static data at rest way. When the data is able to do this on its own and feed it into your current systems, the real question is what do you want data to think about, and what would you like it to tell you, and how would you like it to protect itself while it’s out there while doing it. It’s a complete paradigm shift.
[David Spark] I want to ask you one more question, and that is one of the great things about when a company grows and you have a product that sort of lights people up, your customers let you know what your product can do before you even realize it.
[Elliot Lewis] Absolutely.
[David Spark] So, what have your customers taught you that your product can do that you didn’t realize it could do?
[Elliot Lewis] We are about to go into several different initiatives. Actually we’re changing the company model a bit. We were doing this all along as a platform for data intelligence and for self-protecting data. We have now been… So much of customers coming to us with their different use cases… We’re going to be modifying things to actually do vertical focused solutions based on the engine and policy sets that the data can do. We have customers that have asked us to go beyond just protecting data into how can we use this on protecting cryptocurrency, how can we do this with doing self-protecting crypto wallets – something we can do in 2.0 today. We’re coming out with an initiative on that with a partnership play with several different players this summer. How do we do new things around smart contracts, smart NDAs, intelligent data flows. Ransomware is a big one because you can’t just ransom self-protecting data. It’s probably the ugliest thing you can try to do as a hacker because the first time you try to touch it it’s going to immediately say, “I don’t know who you are, how I got here, but I’m going to send your physical address to the authorities right now before I delete myself.” That is a complete paradigm shift. And every time a new customer looks at it, they look at when they’ve been roadblocked on initiatives and say, “Can we do this?” It just really comes down to a matter of data policy, and we found that a lot of the use cases keep fitting into our current rev plans for our 2.0 platform and the 3.0 platform coming out this year.
[David Spark] All right, and we’ve come to the part of the show where I ask the two of you which is your favorite quote, and why. I’ll begin with you, Elliot. Which is your favorite quote, and why?
[Elliot Lewis] I think that Mike Wilkes from the SecurityScorecard was spot on. He’s thought about every single piece about what we’re trying to do, and he actually laid out what the specification models for the whole platform are independently. I think he has a really good vision about what we’re matched to, and I think the platform matches to it.
[David Spark] All right. And, Gary, your favorite quote?
[Gary Hayslip] Same thing.
[David Spark] Mike’s quote.
[Gary Hayslip] I’ve been in multiple projects where I’m trying to…I’ve had these frustrations. And as soon as Mike started saying that, I was having flashbacks. I was like, “Yeah, that’s definitely…”
[Elliot Lewis] It’s huge validation.
[Gary Hayslip] Same for me.
[Elliot Lewis] Yeah.
[David Spark] Awesome. All right, well, it comes to the end of the show. Thank you both for being here. Our first in person full… I’ve had people here but just one person and one person virtually. This is the first time I’ve had all three of us in the studio, so I greatly appreciate it. You will see a photo of it, those of you listening, when you go to look at this blog post. But in closing, Elliot, I’ll let you have the very last word. Gary, your final thoughts on our topic. And also I always ask everybody are you hiring. Are you hiring at Softbank Investment Advisors?
[Gary Hayslip] I’m hiring for my security team.
[David Spark] Excellent. Any last thoughts on this topic?
[Gary Hayslip] I don’t think this is a technology that’s coming. I think it’s a technology that’s here. I honestly think many of us that are so used to building security programs, this is really going to change a lot of our stack. Because when you think about it, we’re there to basically protect data and to manage risk. And if the data protects itself, it does – it changes the way we’re going to go ahead and do things because now we’ve got a new indicator to be able to tell us where the bad guys are at. And, “Hey, I need help here. And here’s my gaps.” And having intelligent data, it just basically…I think it makes your security program better for the organization, better for the business.
[David Spark] Elliot, your last thoughts? And I know you’re hiring at Keyavi, right?
[Elliot Lewis] We are hiring at Keyavi. Yes, we are heavily.
[David Spark] And all virtually everybody.
[Elliot Lewis] Yeah, it’s a virtual company. It’s been interesting, starting a company across the time we’ve had with the pandemic. But we are staying virtual, and we are looking for really great talent to want to join the team that’s taking this thing out to market and growing it to new levels. So, absolutely check us out on LinkedIn and let us know if you’re interested, if there’s stuff that we can do with you. But my thoughts on this whole thing is everything that the customers have been telling us. Just like the quotes here, just like what Gary has been saying – this has been coming for a long time. This is here. It’s fully functional, fully operational. Seeing is believing. I know it’s hard to believe. Everybody starts off with you can’t possibly have done that. Come see it. Take a look at it. It’s for real. Data is self-protecting now. Let us show it to you, and you’ll be very happy about what you’re going to get to see.
[David Spark] Best way to do it is just to go to Keyavi.com.
[Elliot Lewis] Absolutely, go to Keyavi.com. Let us know, and we’ll be happy to set something up.
[David Spark] That is spelled Keyavi.com. You know how to spell com. I don’t need to explain that to you people. Thank you again to Elliot Lewis of Keyavi and Gary Hayslip of Softbank Investment Advisors. And thank you to the audience. As always, we greatly, greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.