Visible data beats encryption, and other security steps

In Part 1 of this article, we sat down with Terry Ray, SVP at data security solution experts, Imperva, and asked him about the main challenges of data security. He explained that the key to getting data security was full data visibility, and that you needed to be answer five main questions about your data: What is it? Where is it? Where else could it be? Who’s accessing it? And are they allowed?

In Part 2, we asked him for examples of how total data visibility worked to protect data in practice, and what else was necessary to keep your company’s data truly safe.

First, Catch Your Data Security Expert

THQ: So we have our crown jewels of data. We know all the things we need to know, except one – how do we keep it safe?

TR: First of all, I’d say get yourself a data security expert. Sure, I would say that, but here’s the thing. Most companies today know that data security is important. One of the challenges that we run into in the industry of data security is that the industry of cybersecurity is not run by people that know anything about data security.

Instead, cybersecurity tends to be run by people that are network security experts, endpoint security experts. If you go to LinkedIn and you put in “network security,” you’ll find a million and a half people in the world that claim to be network security engineers. If you do that same action and put in “database security,” you will find 36,000 people in the world that claim to be database engineers. You can increase your odds a little bit and say “data security,” which gets you 100,000 people to choose from. But it’s still a lot less than network security. So I think there are a lot of organizations out there that are still struggling to figure out how to protect their data.

Deep Impact

They know there’s nothing that would be worse than getting the email that says “You’ve lost a significant amount of data, you’re dealing with regulators, you get 72 hours to talk to a data specialist counsel and give them a response back. It’s your worst day if that day happens. And when somebody asks “What was taken?” and you say “I don’t know,” your day just somehow got even worse. What that means is if you lose 80 million records, they’re going to look at that and they’re going to determine based on their questions, whether you were negligent or not. If you can say “I know who accessed it. I know how much was accessed. Yes, it was a lot, but I was watching it. I had controls in place. And this was just a gap,” you’re probably not going to be found negligent.”

So, companies are beginning to understand both the importance of data security within cybersecurity, and the impact of not having eyes on their data. But getting the right people to ensure you have that level of data visibility is not as easy as, say, getting a network security expert to secure your network. So in terms of data security, you may have the wrong kind of expert trying to do possibly the wrong kind of thing to keep your data-jewels safe.

The Way To Go

THQ: So what’s the right sort of thing to keep your data-jewels safe?

TR: Well, we’ve spoken about the five big questions you have to be able to answer, and the kind of granularity of data visibility you need. If you have that, you’ve got a good foundation, because everything in keeping your data safe flows from that.

When it comes to your data, all it takes is for you to miss one thing and you’re done. So you have to watch it all. Then there are those other things that you need to do that are, in my opinion, less impactful, but still required by regulation. Things like encrypting your data.

Okay, data is encrypted anyway, when it’s in transit, that’s default. But people talk about how you have to encrypt your data when it’s at rest. When it’s not when it’s not moving, it has to be encrypted. That’s great, but to encrypt your whole database takes a long time, and all it gets you, ultimately, is the same level of security as identity access management (IAM). Because all you’re saying is the only people who can see this data are authorized people. Isn’t that the same thing as a login?

Encryption Vs Access

If you didn’t encrypt that data, you would say, “Terry, you’re authorized to see that data.” I would say, “Okay, great.” Therefore, I’m authorized to see the data. Whether it’s encrypted or not, I’m authorized to see it. If you encrypt the data, then I say, “I’m Terry.” And it says “You’re authorized to see this data.” So it decrypts the data, and I can see it. And if I’m John, and I’m not authorized to see the data, it’s going to say “You’re not authorized to see the data.” So it won’t decrypt the data, John won’t see it, and the world moves on. To me, encryption is a nice-to-have. Even though it’s a hard, firm requirement by regulation, it doesn’t actually add security to the data. It’s just another level of access control in the system.

When it comes to data security, it doesn’t really do very much. It’s just authentication, and if you’ve got the right authentication, you can see the data. And the fact is, it’s not just your administrators who have authentication, all of your critical applications out front have to be able to see that data, too.

APIs (application programmable interfaces) can access and look at your data. And we know that those aren’t always secure. While identity access management is key, another whole half of our business is protecting and securing applications.

We don’t naturally trust applications, and yet traditionally, they can decrypt all your data. So if I can pinpoint you, if I can put a hold on your application, and you have encryption, all that encryption just did nothing. Whereas if I’m watching that data, if I can see everything happening to it, whether it’s encrypted or not. I can tell you an application or an API or Terry just accessed that data in a way that you don’t want them to do.

Catching Creepy Guys On The Road

THQ: So, data visibility across humans and APIs beats all the encryption in the world?

TR: I’d say so, because with total data visibility, you can see every data journey. For instance, we have a contract with a toll road authority in the United States. Toll roads aren’t just about making money and paying for infrastructure, they’re also about watching for radioactive devices and all of the kinds of stuff flowing through the toll road system, as well as law enforcement, tracking license plates and so on.

Well, we were looking at their databases. Whether the database was encrypted or not didn’t matter to me, we were watching access to those databases. And we saw people accessing the data in that database that no human is supposed to access. In fact, only an application is supposed to access a certain part of this data. And the only people who are supposed to have access to that application belonged to our federal law enforcement, (FBI, Transportation Authority, and others) because the data in those databases is very personal information, like license plates.

We knew, because we’d been watching it for years, that apps were 99.99999% of all the traffic into those databases. All of a sudden, this one guy pops in there. And after an investigation, we find that he was watching to see what his girlfriend was going, where she said she was supposed to go down the toll road to get somewhere. It wasn’t data theft, no, but it’s a violation. It’s a violation of privacy, definitely.

You Cannot Mitigate For Everything

And the fact is, it’s not something you would have predicted we’d need to build policies around all of the data. Large financial institutions have tens of thousands of data stores, they can’t predict how everybody should or shouldn’t access this data. Sometimes, potential issues – and potential breaches – are impossible to forecast based on likelihoods. As I say, 99.99999% of the traffic in that database was from apps, so you’d never use that as the justification for building precautions against human data access.

That’s the difference you can only get from complete data visibility. It’s why monitoring the data is the core of everything. Because from that monitoring, if I have all of the data, now I can churn through that data and find the solution to more or less any data question that arises.