Have we lost sight of data security with defense in depth? Recent trends have seen a focus on applications and roles, but do we need to refocus on the fundamentals?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Lamont Orange, CISO, Cyera.
Huge thanks to our sponsor, Cyera

Full Transcript
Intro
0:00.000
[David Spark] Have we lost sight of data security with Defense in Depth? Recent trends have seen it focus on applications and roles and identification. But do we need to refocus on the fundamentals? We are protecting data.
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me as my co-host, you’ve heard him before and you’re going to hear him again right now, it’s Steve Zalewski. Steve, say hello to the nice audience.
[Steve Zalewski] Hello, audience.
[David Spark] By the way, I always say nice audience because I’m giving them credit. For those of you who are not so nice, you can speak up if you would like. Our sponsor for today’s episode is Cyera, holistic data security in one cloud platform. In fact, that’s what we’re going to talk about today.
And Cyera is responsible for bringing our guest today, who I will introduce in a moment. But first, let’s set up the topic. Zero-trust frameworks have been the talk of cybersecurity for well over a decade now. I would say in the last two, three years, it’s been really, really hot. But I’ve yet to hear anyone say they’re against zero trust.
The problem is nothing in the zero-trust mandate speaks specifically, that I’ve seen, to data security. So, Steve, have we added too much complexity that we’ve lost sight of our core mission? I mean, cyber’s all about protecting data, isn’t it?
[Steve Zalewski] I agree. I mean, one of my observations at RSA was we’ve introduced so many products and so much complexity that we’ve really lost sight of being brilliant at the basics. And especially data, because I think data has taken an even more central role with identity, so we have to be focused on those brilliant basics.
So, I agree with you. That was why we posed this today: to have that conversation around, as a security practitioner, truly, how do I need to think about what is absolutely critical, and how am I refocusing zero trust on being brilliant at the basics?
[David Spark] As we’re setting this up, our guest is nodding his head over and over again because he’s all on board with this topic. He lives and breathes this topic, so he is the right person to talk about it. It is our sponsor guest from Cyera, the CISO, in fact, none other than Lamont Orange. Lamont, thank you so much for joining us today.
[Lamont Orange] Thank you for having me and hello, audience.
Where does the solution fall short?
2:34.742
[David Spark] Duane Gran of Converge Technology Solutions Group says, “Data security is simply harder and more muddy to get our arms around.” Referencing what you said, Steve. “For an example of the struggle, look at the rollout guidance to use Microsoft Copilot. If you don’t want everything indexed, you need a foundation of good data governance and classification.
A lot of organizations are experiencing a ‘check has come due’ moment as they want to use powerful AI tools, but data hygiene may be lacking.” Again, exactly what you just said, Steve. Let me also mention Venkat Paruchuri, who’s the CISO over at Cox Automotive, he said, “Core data security relies on basics.
Understanding your data, that’s a classification. Knowing where it sits, discovery. Ability to provide safe and just-in-time access, need- and time-based access, and safe environment to process such data. That would be encrypted channels or secure enclaves for confidential compute and robust disposal as well.” So, I think actually Venkat really outlined why it’s so darn tough.
There’s a lot involved here, isn’t there, Steve?
[Steve Zalewski] Yes. And the overlay on both of these, and I think they’re great, is that we’ve had historically a network-centric edge, right? We try to protect our network edge, and we can be soft in the middle. So, where we’re not so good at role-based access controls and data classifications, we kind of manage it by looking at the network edge.
But a lot of what cloud has done, if you think about it, is it’s made it a data edge. We’re having to expose the data first. We can’t rely on that network to cheat where our ability to do data classification and other things haven’t been so good, and now we’re really being called out for it. And so therefore, I think between those two, this is why we’re having this conversation around what are the things we really have to be brilliant at now to truly get data protection in place.
[David Spark] Lamont, as Venkat pointed out, it’s unbelievably complex. And again, I’m throwing this out as a theory. Do you think people haven’t been attacking it on all these different levels just because it’s so darn tough, and that they’ve been looking for other ways to create shells around data?
And if we can just keep creating shells, then we don’t have to worry about all this complexity that Venkat pointed out? What do you think, Lamont?
[Lamont Orange] So, first off, I think Venkat’s comment is spot on. I think that as leaders, we tend to understand all those different components, and then we start to componentize them and not understand how they all work together. And when we start componentizing these things, we don’t realize that the tool costs money, and then the resources that have to be attached to the tool costs money, and then the complexity is the outcome that costs even more money to execute on it.
And we end up coming back to something compartmentalized as a smaller set. So, when we start to try to grab hold of this vastness of the data, we come back to what we know. We know PI, and we know credit card numbers. We can’t get to the rest of it because it’s too costly and too complex to wrap our controls around it.
[David Spark] That’s a really, really good point. We’ve pulled those two off. That seems like the simple ones because the identifiable marks on it are so easy. And I’m going to actually jump to this right away. The reason this conversation is coming back again has a lot to do with AI has made this a solvable problem, which we really couldn’t have done three years ago, could we, Lamont?
[Lamont Orange] No, I don’t think so. AI gave us the avenue to actually solve it efficiently. It could do more at scale, faster than we’ve ever been able to do in the history of our profession. Again, we don’t have unlimited resources. And then the accuracy of all the tools that we’ve used before, they all measure these different data types in different ways, they all have their own special slice of how they configure it, and we can’t share them across anything.
So, you could have as many as three or four different classification tools that all really talk different languages around classification, and it’s hard to protect that. And it only knows and can discover what it can see. That is the other problem. We have a data explosion today. If I had to characterize it, and I think you said it in the entry, it’s one of the fastest growing attack surfaces.
And if that’s the case, I think we need to have a better solution that can crawl and scale and move at the speed of light to those services.
What are the best practices?
7:31.730
[David Spark] Tony Gonzalez of Innervision Services said, “Data security is the inner layer of any defense in depth strategy. Having a clear understanding of what data you have, where the data is stored, how transient the data is, and where it goes to, knowing who has access to the data and what type of access, and identifying the criticality and sensitivity of the data, all components of data security.
It’s a lot. If these principles of data security are adhered to, they enable the other layers of defense and make them more valuable and successful.” That’s a really good point, the last one.
Let me also mention Bill Harmer, who’s the CISO over at Craft Ventures. He said, “I would venture to say data security is the reason for defense in depth. Controlling the access to information is the why we add layers to a program, and what is at the core of zero trust. There should be no implied trust in accessing data.
Access to data should be validated and verified on a continuous basis. It’s why the building of AI systems at the rate they are being built scares me. We’re implicitly trusting data scientists with massive amounts of data in training and tuning phases.” All right. So, it’s interesting Bill’s last comment because Steve, I’m throwing this to you, we’re able to do this because of AI, but at the same time, AI is making this a monstrous problem.
So, it’s an interesting problem we got going on here.
[Steve Zalewski] And so what I see here is, and we’ll use the generic data scientist, right? Which was historically with security, what we try to do is control the access to the data, put it behind a firewall, decide who needs it. And we may give them more access than they have the need for, but we can do it in a controlled fashion, right?
Because we have a hard edge. And that’s what we said now is… But now instead of controlling the data, we’re having to embrace the sprawl. The business is demanding that we move data much quicker in many more places, right? And if you look at how long it has to be there, maybe not that long.
And so this is why I’m saying back to be brilliant at the basics, right? Go back to understanding now, we have to get classification right. We have to get role-based access controls right. We have to be able to do it at the API level, not at the business level. But in many of these cases, the business has a role to play here, and so it’s not that we can’t build the technology, but the people in the process are thwarting us at this point.
And so we’re having to, I think, kind of go back again and reevaluate what is reasonable for us to expect out of the business versus is it reasonable for the business to expect out of us as security practitioners, given this new demand to put data everywhere?
[David Spark] Lamont, what do you think of this whole idea that AI is solving this problem, but at the same time, it’s making a worse issue to solve? But I think the fact that it’s solving it allows us to have the wonders of AI to us. Yes, Lamont?
[Lamont Orange] Yeah, I definitely would agree with that. I think that AI as the tool is absolutely something that we can build upon. But as you look at it to increase its efficiency across the business, it also perpetuates the data sprawl. It creates its own set of data as well. So, there are new policies and new practices and new ways to classify that the traditional systems just don’t even incorporate.
So, as you are synthesizing data through AI and creating this new asset, you need to also be able to update your protections and controls to enable the defense in depth concept that we are making so complicated today.
[David Spark] Let me ask you because I was talking to your colleague about this. Can you explain, because I said that we’re able to do this because of AI, but can you give an actual hard example of now that we have AI, we can actually do something we couldn’t do before? What is it exactly AI is affording us to do in this essentially data classification?
Which I will point out, once we can classify it, this sort of domino effect of everything else falls into place. It’s all about the classification, correct?
[Lamont Orange] 100%. Well, it’s about discovery and classification, I’ll say. But the classification component of it, it really speaks to we have this mountain of data sprawl. We don’t have enough resources and time to get through it, so AI helps us there. That’s the no-brainer use case, in my opinion.
But the other piece is we only know what we know. Going back to these categorizations around PCI, healthcare data, IP of sort, or PI, I say of sort, we understand that piece. But the data that you write on the whiteboard and say, “Hey, this is my M&A strategy. I want to look at all of these companies and I want to pay this amount of money for them,” and take a picture of that and run it through your email systems or store it on your OneDrive or your G Drive, traditional DLP is just going to show it as a picture.
AI is going to tell you that’s an M&A strategy. And I think that’s the capability that AI unlocks for us. We can get more granular and more context around the data that we see.
[David Spark] Context, I think, is the key word right there. Because certain data by itself does no damage. It’s once things are connected and have context that it becomes sensitive data, like in an M&A type strategy situation.
[Lamont Orange] 100%. I think with the context piece of it, you know exactly how important the data is to the business. And we don’t have to guess anymore because it’ll tie back to some sort of financial indicator, some sort of third party that has access to what we consider classified and sensitive data, and it does it at speed and at scale.
That’s what AI really enables us to do today.
Sponsor – Cyera
13:38.326
[David Spark] Who’s our sponsor this week? Why, it’s Cyera. And let me tell you, this is pretty darn cool what they do. So, data is the largest and fastest growing security attack surface in the world. We’re all aware of this. Every business is using data to collect insight and create new products, but they have to do so without placing the business at risk.
Solving data security starts with knowing your data. This is where Cyera’s data security platform can help. Discover your data attack surface, monitor, detect, and respond to data risk, and help govern data use. Imagine if your organization’s OneDrive was compromised by ransomware. Would you know what data was in the OneDrive?
Would this trigger a compliance issue? How much would it cost you to use outside counsel to determine materiality?
Cyera delivers the insights you need in all of these. It all starts with their agentless approach to data discovery, which occurs across any environment – cloud, SaaS, even on-premises, making deployment fast and simple. Cyera’s classification is based on their own LLM and has an accuracy of 95%. Companies like Paramount Pictures trust Cyera to discover their data, its sensitivity and who has access to it.
To learn more, go to their website, it’s cyera.io.
Is anyone happy with this solution?
15:09.695
[David Spark] Snir Ben Shimol of ZEST Security said, “Data security defense in depth for us was defined by answering, using technology, the following. Is it sensitive? Who can access it? Who is actually using it? Then enforcing the policy of zero trust plus least privilege. When you have it automated, it can be successfully used for both posture and instant response during bad times.” And Justin Pagano of Klaviyo said, “We need a data access policy engine that is able to make sense of and orchestrate the implementation of attribute-based access control or ABAC-style policy rules that state things like, ‘Account executives based in the EMEA should only have access to customer contact information and customer account information for customer accounts in the EMEA.’” All right.
I’ll start with you, Lamont, on this one. This whole idea of just attribute-based access control, this is where the identity comes and connects with the data, which ultimately is what you want. And you will be able to get super granular if you’re able to sort of tie all this context like we were just describing, right?
[Lamont Orange] 100%. I think identity does play a role. So, going back to the zero-trust model, zero-trust model built on identity sourcing, right? And access to all the different systems. But just because you know the systems, you still don’t know the data, and you don’t know if it’s the appropriate access to the particular data components.
So, I think going back to if I know my data, and I go backwards and know my identity and know my systems, I have my opportunity to understand the blast radius of an unfortunate incident if it occurs. It doesn’t always result in a breach. Sometimes it results in just mishandling of data. And you want to understand that because there are obligations that you may have contractually or regulated.
And you need to be able to report on that. And it’s not necessarily about the identity; it’s about the asset that was actually accessed. And I think the only way to do that is be able to discover it. You cannot protect what you cannot see.
[David Spark] Steve?
[Steve Zalewski] Everything Lamont said, I agree with. There’s one phrase that I picked up here. Is it sensitive? I think ultimately that’s the big problem is that a piece of data by itself, other than a social security number, you know what I mean? Or a credit card number. We’re now realizing it’s a gray answer.
Is it sensitive is now all being determined on the context at the point in time that the data is being used. And that’s what we’re being challenged to do now. And that’s where things like AI are going to be helpful is because everybody talks about it. It’s the context. Okay? A piece of data could be sensitive in one context and not in another.
An email address is an example. GDPR says it is sensitive data in certain contexts, right? But from a business perspective, it is not. So, part of what we’re really coming to grips with is determining is it sensitive is not a static exercise. It’s now dynamic and AI is going to be part of that solution.
But in the meantime, it’s actually part of the problem. And role-based access controls and IAM, like Lamont said, is an additional component to determining what is the context for the sensitivity for us to be able to determine should we or should we not allow that access, and saying no is really no longer an answer.
[Lamont Orange] I think so. And Steve, I like something you said about the context and the individual use cases around certain data components. I think the other thing that AI brings forward is the ability to take care of lineage. We’ve never had the capability to understand the source and what comes out of concatenation of different data sources to create one data element.
And I think AI gives us that opportunity to solve that. And again, getting that granularity and context to say this is our new, uncategorized, sensitive, confidential, or data that we just don’t even care about because of how it was built.
[Steve Zalewski] And this goes back to brilliant at the basics, right? That’s what we’re saying. We’re rethinking brilliant at the basics as security practitioners, knowing what the business use cases are that are being presented to us in the recent couple of years, where we’re just simply having to understand that the way we’ve done it is not the way we’re going to have to do it.
Sometimes it’s really not that difficult.
20:07.130
[David Spark] Abhishek Singh of Qualys said, “Data cannot self-defend.” Although we’ve had sponsors who claim this, I should mention. “You need an encapsulating app to guard access to data. The only direct security on data is encryption, and that leaves you as vulnerable as passwords and such.” And Alex Bodryk of Netcracker Technology said, “Data security is a foundation for zero trust.
A man can start with data classification, and after that, label security scopes, zones, and environments using that, and apply networking, people, and application controls in a relevant way. Data classification itself can be pretty simple. Promoting, designing, implementing, running, and sticking to a data security-driven technology framework is quite hard.” I mean, you’re all shaking your heads, but isn’t data classification the tough part that we struggle with?
But – and I’m saying this, Lamont, and coming back to what I said earlier – the fact that AI can do a lot of this for us without us manually having to do any of it is actually turning something that was quite impossible to something quite manageable. What do you think?
[Lamont Orange] So, I’ll say we overlook the part that’s not the most appealing, it’s not the sexy part of security and everything, and that’s the discovery before we can classify. And we’ve always been taught, “Classify, classify, classify first,” but we haven’t discovered it all. We don’t know where it is.
We only know what we know. So, I think one of the challenges is how do you discover all of this data? The cloud explosion, the modern company today, the on-premise, the shadow IT, the shadow technology, I think therein lies the question of whether this is difficult. The concepts? No. How to execute against it?
Yes. And you need something that’s going to act as your director, your brain, the place where you send all the signals, to all of these other technologies that we bought, to say that, “I know where it is, I know what the type is, and I want to apply this particular control to it.” Right now it’s individual disparate systems per data store that we find [Phonetic 00:22:30] that we have to enact that type of protection around the data, which makes it difficult.
It doesn’t scale. We don’t have the resources to do it. This is why we need the AI, this is why we need the ability to discover agnostically, and this is why we need the more scalable and more contextual, robust classification engines.
[David Spark] Very good point. Steve, I’ll let you finish this out.
[Steve Zalewski] So, the business is the weakest link when it comes to data security because data classification historically comes from the business telling us, “Is this critical? Is it important? Is it public?” Because we as security practitioners can implement classification, but we don’t want to own the classification policy, and GDPR says the lawyers do that.
Well, foundationally then is if we can’t apply classification at the point that we see data, and we’re seeing more and more data, and we have to keep going back to the business and doing it as a static exercise, this is the [Inaudible 00:23:35] we’re in. So, I think what Lamont is saying, and I’m agreeing, is that what AI is doing is giving us the ability to, as we see the data, classify it based on the context, based on the sensitivity, without having to go back to the business and the lawyers and explicitly asking them to do it.
And that is the aha moment that we’re approaching that’s now going to let a lot of that technology actually execute and be effective at what it’s designed to do once we get the classification into a continuous updating mode.
[Lamont Orange] And Steve, I like the other point that you’re hitting on too. I think we’re talking data security, and it’s being talked about more than it ever has, I think, since I’ve been in the profession. We’ve always been stuck at data governance. We’ve tried to govern the business, govern the use, and essentially security telling everybody how to do it.
And that didn’t work out so well for us. So, now we’re actually getting to the data discovery and response. We’re getting to the controls. We’re getting to being able to understand the identities that access the data, whether human or non-human. And that’s the highest level. That’s data security at its greatest, most defining moment.
But everything we’ve been trying to do to date and the technologies that we’ve implemented have really just been around governance. That’s what we’ve been chasing.
[Steve Zalewski] Well said. Excellent.
Closing
25:02.136
[David Spark] And that brings us to the portion of the show where I ask both of you which quote was your favorite and why. And I’m going to start with you, Lamont, looking at all these quotes that I read throughout our show, which one was your favorite and why?
[Lamont Orange] I think Tony Gonzalez nailed it. I think everything starts with discovery and classification as an enablement to a lot of the other technologies that provide the capabilities around data protection, around zero trust, and all these things. If we don’t know what we’re protecting, how can we have zero trust to it?
So, we have to understand data and classification and be the best at it, even though it’s not the most sexy part of security. Be the best at that, and you can foundationally build all of your controls and protections around the data from there.
[David Spark] Steve, your favorite quote and why.
[Steve Zalewski] So, I have to dovetail on what Tony and Lamont have said, and I’ve got to go with Alex Bodryk, right? Data security is a foundation for zero trust. That is where we’re moving the needle. And what Tony said is so therefore we better get classification right, and the rest will follow.
And the key is that is, right, data security is the foundation for zero trust. That is getting brilliant at the basics by realizing we have to recharacterize the foundational problem we’ve been trying to solve, and it’s not the one we’ve been doing for 20 years.
[David Spark] Very good. Well, that brings us to the very end of this episode, and I want to thank your company, Lamont, Cyera, for sponsoring this episode. Cyera, holistic data security in one cloud platform. Much of what we’ve discussed today, Cyera does exactly that. You should go check it out at cyera.io.
Lamont, I’m going to let you have the very last word. And actually, why don’t we do it here right now? Anything you want to say to our audience about Cyera? Any offers? Are you hiring over there? Let’s hear it.
[Lamont Orange] We’re always hiring, looking for the best and brightest people. We’re doing something very, very good for the industry and spearheading data security. So, I urge you to come and just talk to us and give us some feedback on our strategy. We’d love to hear it.
[David Spark] Good point. You’ll be very interested in what they have to say and what they’re showing off. I took a look, and I thought it was pretty darn cool as well. Thank you very much, Steve. Thank you very much, Lamont. And thank you to our audience. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.