Well, hello and welcome to another KuppingerCole webinar. Our topic for today is Using Data Security Platforms in a Modern, Hybrid World. My name is Alexei Balaganski. I'm a Lead Analyst here at KuppingerCole Analysts, and my guest for today is Terry Ray, who is a Senior Vice President and Fellow at Imperva. But before we begin, a few housekeeping notes. First of all, you are all muted centrally, so you don't have to worry about your audio settings, or you can just listen, take notes, and feel free to do it at your own pace.
We will be doing a couple of polls during the webinar, but we will only discuss the results during the Q&A part in the end. And, yeah, so there will be a Q&A, a question and answer session after our respective presentations, and you can submit your questions using the browser tool which you are using to watch this presentation. We will be recording the entire thing, and the video, along with the slides, will be made available to all registered participants of this webinar at kuppingercole.com probably tomorrow. And without further ado, let's just jump into our topic.
So, the agenda for today is split into three parts, as usual. I will start giving some kind of a high-level, neutral perspective on the entire state of the data protection market, its strengths and challenges, and I will dive a little bit deeper into the concept of a data security platform, what they do, what they should be doing, and how they have evolved recently. And then I will allow Terry Ray to provide you with much more technical expertise and industry experience on data protection.
So, since he will be talking about practical solutions, how they are implemented, deployed, and so on. And, as I mentioned in the end, we will be answering your questions.
So, let's start our first short poll. The question is really simple. How familiar are you with data security platforms as a concept or as a specific product? Please grade your knowledge from never heard of them before to being a real expert and knowing everything. Okay. And while we are at it, I can already see that some people already actually have a working implementation.
So, I'm wondering why are you even taking part in today's webinar? So, maybe you are not happy with your current chosen solution. If you stay longer, you will learn about some interesting alternatives. Okay.
So, I guess we had enough time for the first poll. Let's close it and move on to the rest of my presentation. Okay.
So, I guess we have to start by reminding again what we've done multiple times already that we are living in a profoundly insecure world because we face a lot of challenges, technical or non-technical, daily, starting from the political turmoil, elections, sanctions, wars, and recessions. We have to face industry espionage daily because of course everybody out there is after our quote-unquote crown jewels, most sensitive and precious bits of data like intellectual property.
We have a deluge of malware and ransomware because again everybody out there is trying to basically make our lives miserable by breaking our things, locking our files, and just holding our daily business activities to a ransom. And of course we have to deal with the modern technical challenges, multi-cloud as a new normal, increasingly mobile workforce, especially when they're working from home, cloud-based business and collaboration platforms, and of course lots of new emerging privacy and compliance regulations.
It's up to you to decide which risk to consider the biggest, but they are all here and we have to deal with them regardless where we are living or doing our business. But before going into details, I would like to address the elephant in the room. That whole story about protecting your crown jewels is essentially, in my opinion, a very wrong way of looking at data security. What you are often being told by vendors or marketing people is that basically data is the new gold. Data is the new oil, printer ink, crown jewels, you name it.
And I believe that while it, of course, partially is true because you do derive a lot of your tangible profit from that data, hopefully, or at least you are planning to, but you also have to consider the drawbacks. Most of the data businesses are collecting or sitting on basically just has no intrinsic value. You have to do something, you have to transform the data, you have to dig into it to find something useful or valuable. Some of the data you own or you have to store is just plain toxic and it can cause you a lot of potential problems if not handled properly.
Of course, everyone is talking about sensitive data like PII, PHI, and other types of legally protected information, but it's not just those types of data which can be dangerous. So are you actually, should you be more interested in securing your data or securing yourself from your data? I would argue that you have to consider both, and this is exactly what we are discussing in today's webinar. So what are the real business challenges companies are facing when dealing with digital data?
Again, the most obvious one is that data to value gap. You have lots of data, perhaps, but for whatever reasons, technological, legal, compliance, whatever, you cannot derive enough value from the data. So obviously you are looking for solutions which can ease the transition, which could help you to find more value in your data. And of course, one of the promises nowadays is to move your data to the cloud or in fact into a multi-cloud environment.
Another problem with Data Sprawl, you have lots of small data silos from legacy or even modern applications, data sources, third-party data, and so on. And they are all stored in different formats, in different technological stacks behind different security controls. And somehow you have to deal with all of those types of data sources, hopefully in a consistent way, otherwise you'll just be overwhelmed. And finally, data friction. How to make this data available to all the interested stakeholders, developers, data scientists, business people, marketing teams, contractors, and so on.
But again, not just quickly and easily, but also securely and in a compliant manner. And of course, you have to consider all those usual things you are thinking about when thinking about data security, confidentiality, availability, consistency, compliance.
But again, you should also think about the left part of this slide as well. So can you actually solve all those challenges with a single quote-unquote data protection tool? Does such a tool even exist or can it be built? Even if you find such a tool, who within your organization is supposed to purchase and set it up and monitor and operate this tool? Should it be your security team, your data team, your developers? Who will be paying for that?
And who will be responsible for all those challenges that many businesses still consider as kind of hindrances that drags your, that prevents you from going to your shining digital future as quickly as possible? Well, one thing to consider is that traditionally, security in the IT world has always been infrastructure-centric. So you would have to protect your network separately, your endpoints, your databases, your services, sorry, your servers and stuff. And an alternative that has emerged a few years ago was data-centric security.
So instead of focusing on infrastructure, why not protect the quote-unquote data itself? On paper, it sounds a lot easier and really, really interesting. Data should somehow be self-describing and self-defending. You should be able to create a single policy for protecting the data and it would somehow apply consistently across all environments, systems, and technology stacks. And of course, that those policies should apply at all times when the data is not just being stored, but also when it moves or being transformed. Sounds good, but how to build it?
Obviously, until all our data somehow gains conscience and becomes really self-defending, it would never happen. So we have to find some compromise solutions. And obviously, those boil down to a few must-have capabilities, which every so-called data protection platform has to implement, such as data discovery, classification, monitoring. You have to know where your data is and what kind of data you have in different places. You have to understand which data is more important than the rest because you would have to apply different policies to it, at the very least.
And of course, you have to know what's happening with the data at any time. And finally, you have to somehow protect it from tampering, from stealing, from leaking to third parties.
Otherwise, you will have massive security and compliance problems. When thinking about data, a lot of people think about protecting data like they think about protecting, well, gold. Just put it into a safe, that is, encrypt your data, and it's done. You are safe now. Your data is secure. As I mentioned earlier, data does not exist in a vacuum. It has no intrinsic value unless you transform it, unless you process it, unless you move it between various systems which can be located on-prem, of course, but also in the cloud or even across multiple clouds.
On this slide, I've just thrown together a quick example of how you would typically move your quote-unquote normal business data across different systems. And you have to understand that all those systems can be located on-prem or in different clouds. And sooner or later, you will start facing the additional challenge. How do you manage all those multiple clouds in a consistent manner? Because all those public clouds and private clouds and Kubernetes environments, whatever, they have different APIs. They have different identity and security controls and so on.
And somehow, you have to deal with it because if you're not protecting all paths to your data across all your IT environments, well, a hacker only needs one unprotected hole to completely negate all your data protection efforts. Another thing to consider is that data is a lineage. Data doesn't appear from nowhere and it doesn't disappear just like matter or energy in the universe. Data is created, processed, moved around, transformed, and somehow disposed of in the end.
When we are talking about information protection lifecycle, we have to understand that the data has to be protected at every step of the cycle. From the acquisition to controlling access to it and monitoring and containing and recovering from our data breaches. And finally, to secure disposal. It all belongs to the core capabilities of every data security platform as well. And of course, again, it has to work across multiple IT environments, multiple clouds.
One way to actually turn data-centric security into a tangible set of existing technologies and capabilities is to implement the old and proven defense-in-depth approach, the layered approach to data protection, where you build a set of capabilities around your data sources, and you make sure that those capabilities operate in accord, that they actually know about each other's existence, that they at the very least produce a common set of telemetry events. But ideally, of course, they have to basically support each other in a, for lack of a better word, holistic manner.
So you not just have a set of individual tools which you would have to operate with different teams, different skill sets, those tools have to work together as a mesh or as a fabric, if you will. And only when they do operate together in that manner, we actually have the moral right, if you will, to call such a solution a data security platform. And one thing we did earlier this year, precisely in April, we have released a leadership compass of what we call our multi-vendor analytics report, where we have looked at the major players in this data security platform market.
And we try to compare their approaches towards combining these capabilities together and rank their capabilities. And on this slide, you can just see a list of the leaders, the overall leaders, basically the vendors which, at least as KuppingerCole believes, do this the best. And you might be noticing Imperva as one of the leaders as well. And if you're interested in knowing their capabilities in more detail, I would recommend reading the leadership compass after the webinar, of course. But right now we'll give you a really quick overview of what we have analyzed.
We have identified a few of core broad categories of capabilities, which we believe every data security platform has to implement. It still has to be able to find vulnerabilities in database infrastructures, because they still exist and they still can be misconfigured or broken or just outdated. But of course, it has to also be able to discover and identify and classify your existing data across all environments to then provide this data for proper policy-based security controls. It has to actually be able to deploy and enforce those security controls.
So it has to support a lot of capabilities like encryption, masking, tokenization, at rest, in transit, and ideally also in use. It has to monitor and analyze all the security events consistently. It has to know what's going on around your data. And it has to be able to make some smart decisions about it. It will not just give you a list of millions of security events, but actually identify specific suspicious or malicious activities, align them with known techniques of hackers, and basically guide your remediation. And of course, it has to implement access management.
It has to provide rich audit and compliance support capabilities. And last but not least, it has to somehow not be in your way, because the last thing anybody wants from a security tool is to somehow inhibit your business processes. So an ideal security platform is one that just is there, transparent, invisible, does not prevent you from doing your daily work. And as I mentioned, we have covered around 30 vendors in total, and Imperva is one of those. And as an example, I am showing here what strengths and challenges we have identified for this particular vendor.
And of course, you will find the same kinds of coverage for all other vendors as well. So on a spider chart, for example, the closer this chart to the circle, the better. So I think Imperva has been doing pretty well in that regard. So we will find out a little bit more about that later. And finally, I would like to summarize the takeaways from my presentation.
Again, data security is much more than just protecting data secrecy. So yes, you have to keep your data safe, but you cannot put it in a safe, because you have to let your data work for you. And this protection has to apply at any point in time, especially in use.
Again, data security on its own is difficult to sell, because first of all, nobody wants to pay for it, because it does not supposedly generate any business value. And what we want to demonstrate in today's webinar is that no, it actually does. A modern data security solution does much more than just securing your data. It can actually enable a lot of business processes, or at least remove a lot of that friction for accessing your data whenever it's needed.
Again, an ideal data security solution is one that does not get in the way. And this is probably the biggest thing you should be looking for in a great data security solution, as opposed to an average one. And of course, ideally, it has to cover all the gaps. We do know that we still face data in different formats, structured, unstructured, SQL or NoSQL. An ideal data security platform has to deal with all that data, because if you only have like one attack vector, one system, one data source, which is not covered by your data security, you have a lot of problems.
And that data protection has to be consistent at every stage of data lifecycle. We are not there yet, obviously, there is no one single solution which can do that. And the next biggest question everybody is asking themselves, should we look for one turnkey solution? Should we build it from the best of breed modules from different vendors? Is it really dichotomy? And what exactly is a data security fabric, as opposed to data security platform?
And I believe this is the right moment for me to give the stage to Terry Ray, who will be explaining all these terms and will show all the capabilities of a real life data security platform. So Terry, welcome.
Thanks, Alexei. Obviously, as always, you know, a great introduction from Alexei around the world of data security, data compliance, data criticality, threat detection, really being able to define what a data security platform is all about in terms of KuppingerCole. We're going to talk a little bit about what Imperva's data security platform, what we call a data security fabric, is all about. I'm not going to get super technical in this portion of the presentation, but I am going to talk about how organizations do leverage this kind of technology. So let's go ahead and jump right into it.
If you don't know, I just like to begin with who Imperva really is. And I keep this slide really short and simple because there's usually two batches of people, three batches of people out there. There's the person that has never heard of Imperva. That's fine. And then there's the person that says, well, I know of Imperva because maybe I use your web application firewall, or I've looked at your application firewall before. That's part of our business, protecting the front-end access to all of your data, your web applications.
The other side of our business, and frankly, what we're going to talk to and talk about today is protecting that back-end where all of your data lives, resides, and is shared, if you will, as Alexei was talking about, all of your data stores in the cloud, on-prem, whatever kind they happen to be, and making certain that you understand where we work in that blue area as you see over here. I won't be talking about the green and the purple, but if you have questions later on, I can take them or at least direct you to the right people to get those.
The first thing I would say when it comes to data security is at the end of the day, data security means something a little bit different to each different role or each different person or function within an individual organization. You may have security.
Hopefully, you have security. You may have cloud architects. You certainly have executives that possibly compliance falls under, whether it's risk or legal. Then maybe you have a technical end user, someone who is technical enough to understand the criticality of their data and the security controls that apply to it. I realize a lot of times you don't really have those technical users that understand the criticality of their data. They're just technical users that know they need data. At the end of the day, each one of these individual roles defines data security a little bit differently.
Your IT security professionals may define data security as, please don't let me lose data, or please don't let my phone ring saying that there's a bug bounty and someone says they've gained access or potential access to my data. How do I make sure that doesn't happen? The cloud architect says, look, I need to enable moving more things to the cloud. I don't want a business unit saying I'm not going to the cloud because I don't trust the security or I'm not going to the cloud because I don't trust compliance. That cloud architect says, I want you to feel comfortable going to the cloud.
You should be able to move your assets to the cloud as securely, if not more securely, than what you already have where those assets already exist. Do that, as I said, in a secure way. Your executives and compliance, they want two different things. The executives say, I just want to make sure I'm not going to get in the news. I want to make sure I'm not going to get in trouble. Give me maybe a risk score. Tell me how I'm doing. Compare me to my peers. How am I going to not be like company XYZ down the street that just lost a lot of records or just failed a regulatory compliance?
And of course, your compliance auditor is saying, I don't need to protect everything, frankly, even protection. I love protection. That's wonderful. But really, here's the list of things you need to make sure I have a report on and I have a capability for. I need to make sure I can do all these things. Please deliver me proof that we have met these requirements. Sometimes people call that checkbox. Some people call that doing the right thing, doing best practice. All depends on your organization and your compliance organization itself, how they define those things.
Each one does it a little differently. And lastly, like I said, the technical user, they have their own requirements and their understanding of their data. The point here is this, is that data security means something different to each individual function of an organization. But data security actually is important across the board, across the organization, because it can impact every single facet of the organization.
When we look at successful data security teams, successful programs, successful strategies, there are some very common things that bubble to the top, what I would call these six requirements. Number one, you can't be limited to having technology or processes that only support the cloud or only support on-prem. You really have to have technology in today's world that is flexible enough to go wherever your business is today and where it's going to be tomorrow. Today you're on-prem or today you're in the cloud. Tomorrow you make an acquisition and all of a sudden you've got both.
Does your technology expand to be able to cover everything in your environment? It needs to and it should. Reduce the need for specialized security skills, cyber skills. It may not surprise you if you go to LinkedIn and you type in network security, in quotes, you're going to get a million and a half people that are network security professionals or claim to be. If you type in database security, in quotes, you're going to get about 36,000 people that say they're specialized in database security.
So you're looking for technology that doesn't really require a lot of specialized cyber security skills specific to data. You need automation. At the end of the day, data security is perceived as complex. It doesn't have to be complex. A lot of these technologies, ours included, bring automation to play to say, let us do all of this work for you. We've been doing it for 20 years. Let us help you do this, not from a people perspective, but from an automation, from an AI, from a machine learning perspective. Let the technology work for you. It has to be high performance.
It can't slow down your business. The technology that you bring to bear can't say that I can only support a little bit of your traffic because that's just too much. The technology has to say it doesn't matter what you have flowing through your environment. I can support and monitor as much as all of your traffic all the way down to a little bit depending on what you need. It has to have that scale and capability. When it comes to compliance, compliance should be easy.
Whether you're in Europe with GDPR and you've got 72 hours to respond to a breach notification, you need to be able to generate a report rapidly and say, I know exactly every single user over the last two, three, four, seven years who has accessed this kind of data. Now, maybe I don't need it for seven years. That's perfectly fine, but I need to be able to generate that report rapidly. I need to be able to get answers rapidly. What did Chuck do? Chuck being just a person, but what did Chuck do three weeks ago?
I need to know everything he did, everything he touched, and I hope I was looking at it. If I have a solid data security program, I can tell you everything that Chuck did because that's what you need for incident response. I need that map.
Lastly, knowing what somebody did is certainly valuable. Being able to say, not only do I know what Chuck did, I know that Chuck tried to access a million records, but I stopped him. We blocked it and we already know about it, so we're all good. I have the incident response and I've got that protection and being able to protect all paths to what I deem is sensitive data and what compliance deems as sensitive data from that perspective. This is not a slide I'm going to read here, but this is really a bit of a story.
The story is this, is good data protection really should be made as simple as possible. There's a lot of things. You saw Alexei's slides talking about the elements and I wrote it down here, the layered approach to data protection. When we think about that layered approach, there's a lot of stuff if you really break down each one of those, but if you sum up all of those items, they're right there in Alexei's layered approach to data security. If I simplify it even further and just put it really in three buckets, it comes down to the three primary drivers that organizations come to Imperva for.
They say, Imperva, somebody else told me I need to do data security. Now, I don't like it when that's people's reason because I think that data security should be just best practice, but a lot of organizations do come to us and say, someone else told me I need this. That's what I call compliance.
GDPR said, I need to protect my data. I need to classify my data. I need to monitor my data. I need to do all of these things.
Therefore, I'm going to go do it. Fine. That's on the compliance side with a little bit of crossover to the blue and the red. I have other customers that say, maybe I didn't lose data, but my competitor down the street did and now they're in the news and my executives are asking me, are we going to be like them? Are we going to have those same problems? I need to be able to demonstrate to my executives that I've done the right things. I've got security. I've got the tools and the technology in place to be able to prevent things happening from us that happened to other people.
As a big part of that, step one for a lot of people, even though in my opinion, it shouldn't be step one, it doesn't have to be, is classification, discovery of assets. Yes, it's true. You need to know where your assets are before you can secure them. It's kind of true that you need to know what kind of data that you have before you can secure it. Not really. If you have something that's fully scalable, you can monitor everything. You can secure everything. You might want to tighten those controls down a little bit more when it comes to your sensitive data. I totally get that.
Like network security, like endpoint security. Why would we have data security in only five or 10% of my environment? Why don't I cover everything like I do with network security and endpoint security? If you have a scalable product and a product capable of doing it, why wouldn't you just cover everything? That's a common question I hear from a lot of customers. The answer is, if you have a data security platform, what we call a data security fabric, then you absolutely can.
You can have this layered approach, as Alexei talks about, as the definition of data security platforms is having, and I'm going down the middle of the list, data activity monitoring, monitoring data. In my opinion, 20 years of doing this, you need to monitor everything. You cannot predict where people are going to begin their journey modifying, stealing, exposing, or just negligently sharing your data with other people. Monitor it all. Have you ever been to a museum? We talked about the sharing of data and the fact that data, as Alexei said, data is not the new oil.
It's like gold that maybe you normally just stick in a safe, but you can't. It's also like a museum. It's all this valuable stuff, but the whole purpose of this valuable stuff is sharing it with other people, but you have to do it in a secure way. Have you ever been to a museum that didn't have a camera in the corner of every single room, didn't have a security guard between the rooms watching you? They got it. Everything's important. It's not just the Mona Lisa and the girl with the pearl earring in the Vermeer. It's all of the other paintings as well.
They're all important, so they look at them all because they don't know which one you're going to take. The same thing exists here. You have to have this ecosystem of technology, monitoring data, controlling data, having analytics to look at for threats within that data, discovery and classification. You get the list here. The important thing when it comes to having a successful platform isn't just having this stuff. That's an important piece, but what do you do with that stuff and what coverage do you get?
You have to be able to bring all of that technology together on-prem and in every modern database in the world. All of those clouds that are out there, AliCloud, IBM, Oracle, AWS, Azure, Google, you've got to support them all because I don't know which one you're going to be in tomorrow. I've got to support structured, semi-structured, and even files, unstructured data. You've got to support all of that as well and do it well. You have to be able to support more than just your own company's technologies.
You have to have an ecosystem of technologies that you're going to work with, things like encryption vendors, masking vendors, content resource management vendors, CDMA vendors, and other type of vendors, your ServiceNows and others. Those all have to be done. The big piece is you have to bring it all together into one really simple story, which is to be able to answer simple questions in one place and say, what did Chuck do? What did Terry do? Who accessed this data? I don't want to have to go to 6, 10, 100 different places to figure out who accessed data. I want to ask one thing about data.
Who accessed my credit cards over the last month? It'll be a long list and I'm going to drill down to that list to exactly what I'm looking for. It's the worst day for a security department when someone says, who accessed your private data? Your answer is, I have no idea. I don't know. That data wasn't really considered important to me, but it's important to somebody else and now you're in trouble and you don't have an answer for it. This happens more frequently than you think where organizations thought they were protecting their sensitive data.
They lose data that was sensitive to somebody else, just not on their list. This goes back to why don't we just protect everything in data security like we do network security, like we do endpoint security? Are there some networks that aren't important as others? Of course there are. Do they have security on them? Of course they do. Are there some laptops that are less important than others?
Yes, you get the story. Point is, why do we do something different when it comes to data security? I don't necessarily have the answer for you except for maybe it's perceived as complex and really it shouldn't be.
From a high-level perspective, when we think about a unified platform, as I said, it's about being able to do everything that you see over on the right, on-prem, in the cloud, doesn't make a difference, taking it down to the bottom, doesn't matter what cloud it is or modern data store it happens to be, all the way to even healthcare and unified and proprietary data stores like some of the electronic medical record systems that are out there. Being able to support the technology that your business needs to be supported is what you're looking for in a data security platform.
Of course, that ecosystem that we see over on the left, in a very simple way, this is of course not an exhaustive list, there are over 2,000 integrations that exist within the Imperva framework. These are just the highlights of a few that pop up more frequently than others.
Again, not another exhaustive list necessarily, but I do find a lot of customers say, well, I wonder if they support my data store, I wonder if they support my environment. We put, yet again, some of the more common ones on here, but I just want to double down because it is this important. If your technology that you have today only supports one environment, you have to ask yourself, what happens when you move to another environment? Almost every user I have today is or is moving not just to the cloud, but they're moving to multi-cloud.
They still have many of them, especially established businesses like financial services, insurance, and healthcare, still have a lot of stuff on-prem. They need all of those things that you see on the left. Database as a service, certainly, there's a lot of things spinning up there.
Big data, no question, everybody's got some element of it. Certainly, I'm going to call them legacy, but the long tail of everything you've been doing for years and years, all of that on-premise work that you have, not because you don't trust the cloud, just because oftentimes, it's not possible or feasible to lift and shift or modernize an application that has an on-prem database.
Mainframe, AS/400, z/OS, these are still things and there are businesses still making money from them, but they still need the security like everything else. Lastly, unstructured. It's not lastly because it's less important. It's lastly because, frankly, it's just at the bottom of the list, but unstructured is critical to being able to recognize where your data is and where your data lives and making certain that you have a technology that can support all of that.
Now, I've talked about ecosystems, but your ecosystem isn't just about having a technology like a data security platform like Imperva, sending data to a SIEM. Yes, that's something that we do, but it's about bringing data into an environment. It's about being able to say, what do I know about a user? I see a database user logging in. Can I pull information from Active Directory and learn more about that user? Maybe I can learn who their manager is, who their manager's manager, what department they're in, what they do for a job, because all of that lends context.
When I send an alert over to your SOC and that SOC engineer says, okay, I see a user doing something maybe they shouldn't be doing, what do I know about this user? Here's a lot of information about him. He's in technical support. His manager's here. He did not have a pre-approval from ServiceNow to go do what he just now did. All of these things make it so easy to do incident response and to triage an incident, bringing this ecosystem context into being able to support whatever technology you have.
One big piece of that simplicity is about translating structured query language into plain English. Now, yes, I can translate to Chinese and a lot of other things. We support a lot of languages, but in simple terms, being able to translate this into a language a SOC engineer can understand. The reality is, as I said earlier, there are only 36,000 experts or claimed experts in the world on database security, so why would I expect my SOC engineer to understand just the information in the first box? Select star from accounts where account number is like 1234.
Now, some of us may know what that means. Some of us may not. A lot of SOC engineers may not, but there's no context with that. If I can bring that context into this and say, okay, well, I see the query, but I can tell you that it's Joe. He's a human. I can give you his IP. I can tell you where he works. I can tell you that the data that he touched is sensitive data to your organization, and I can tell you that that select means that he looked at data or pulled data, and I can tell you he did it 50 times and the result was 1.5 million records.
And using analytics, I can tell you he doesn't normally do that. I can tell you his peers don't normally do that, and I can tell you, in fact, the only person that ever does that is actually an API that should be doing that, and they don't pull a million records. They pull one record at a time. All of that means your SOC engineer now does not need to be a cybersecurity expert in data security. They just need to be able to recognize that doesn't sound right. This is something I do need to investigate.
Takes you away from that world of just general alerts and things we ignore to something that is highly actionable into an organization, and all of this comes together in certainly our unified interface but can be fully externalized to, I've mentioned ServiceNow a thousand times, but BMC or a SIEM of your flavor or choice, wherever you want this information to go because that's what your teams are familiar with, send the information over there. They can come back to our system if they need to at some point, but having that unified visibility means you have one place to go.
Now, there are some examples here that we have. I'm not going to spend a lot of time on these except to say when we look at the industries that we see here, global financial services, healthcare providers, retail, online businesses, certainly different capacities and different needs in each one of these. From an Imperva perspective, the industry just flat does not matter because we do support on-prem, cloud, multi-cloud.
We have the scale to monitor everything from the largest banks in the world to the smallest mom-and-pop organizations with simple technology that just needs to cover one or two data stores. Doesn't make a difference to us or our users as long as it's something that does not require them to have significant data security skills. Does that mean none of our customers have data security skills? Absolutely not. Lots of our customers have significant data security skills and they do a lot of really interesting things with our technology, but they don't have to.
It's built out of the box to be able to solve for any industry that happens to be out there. Now, this is my last slide and I'd love to open it up for questions.
So, I'm going to preemptively say if you have questions, you can certainly start putting them in there while I finish up this last thought. So, there are some questions that I think you should ask yourself. A lot of users say to themselves, I'm good. I've already got a solid data security program. I think I'm doing a pretty good job.
Well, Imperva has technology coming out later on this year that's going to actually help you answer that from a quantitative perspective. But for now, I'm going to ask you to ask yourself these questions and I want to show you how you ask yourself these questions. I'm not going to read all of these, but the first one here is where specifically is your private data located? There's a lot of things to unpack in just that one sentence. Number one, what do you think is your private data? What does your organization think is your private data? Is it just intellectual property and credit cards?
But names, addresses, and phone numbers, because maybe you live in the U.S., don't matter. That's not really private data because it's not regulated. You live in the EU and certainly names, addresses, and phone numbers are private data. All of this matters to each individual organization. How do you define your private data? Is it just important to the organization or is it important to your users and how people would manipulate that data? The other thing to unpack here is where specifically is it? It's not enough to say and raise your hand and say, I know where my private data is.
My private data is just credit cards and it's in that server. That's my credit card server, so it's down there.
Of course, we all know your data, your credit cards are, simplifying this, in the credit card server. We know that, obviously. The question we're asking and a regulator and best practice is asking, can you prove, have you looked to see if any of that credit card data has moved anywhere else in the organization? You'd be surprised to find out that shadow data lives all over the organization. That's what we're talking about. When you ask yourselves these questions, ask yourselves these questions as what we call a devil's advocate.
Try to find holes in your answer and see if you can find those holes in your answer. If you can answer these questions and you can do a great job at it and really dig into these questions and have a solid, yes, I can do this, honestly, you probably have a pretty good data security strategy and pretty good data security program, at least compared to a lot of other organizations. I don't find a lot of organizations that don't have appropriate automated technology, I don't find that they can really answer these questions.
That's why I say, if you want to know if you really have a solid data security program, put yourself through this little test. Later on, later on this year, we'll be talking about some automation and technology that actually answers these questions for you. We'll come to that later on.
For now, I'm going to hand it back over to Alexei, who can take us through some of the questions that you might have. Alexei, I'm going to take it back over to you.
Well, thank you very much, Terry. That was a really interesting deep down insight into what those imaginary capabilities I was talking about earlier are actually translating to from a technology perspective. Just to remind our audience quickly that we do have some time left for a question and answer session. But before that, let's just quickly run another poll.
First, we asked, what did you know about data security platforms? And now we want to know, has your perception changed somehow after this webinar? Can I please let our audience cast their votes? And in the meantime, I want to add another bite on that food for thought that Terry just presented. Specifically, I want to focus on this term, data activity monitoring.
Terry, you listed it as a first bullet point in your presentation, and I totally agree, it's really important, but we have to think about it in a slightly bigger way than most people probably think. Data activity monitoring is not limited to database activity monitoring. Absolutely, that's like the biggest mistake you could possibly have made. Because as I mentioned, data does not exist in one place, data is moving. Data is being accessed, data is being transformed, data is being consumed by people, by services, by apps, by APIs.
And at every moment, and at every location in that big graph-like structure, or with a data lifecycle, you have to know what's going on. This is basically like the most important part of this data-centric security concept. Because if you don't know where your data is, what it's undergoing at the moment, regardless where it's located in the database, on the wire, on its way to a consumer, in the API, in a web app, anywhere else in the cloud, you have to know what's going on. So in a way, data security basically covers the entirety of information security at all.
And either you have to do it this way, like the extensive way, or you have to think about potential alternatives, like for example, the Zero Trust. If you can guarantee that your entire IT architecture is designed with only a few allowed and closely monitored highways for your data, then you can of course focus your data activity monitoring only on those buckets. But you still have to know, you still have somehow to be able to prove that yes, this is actually, your coverage is 100%. That's probably like the most important question every auditor, every compliance regulation would be asking.
I think that's, I mean, that's, it's a really, first off, I totally agree with you. And I think that's one of the things, if you go back to like our very first slide, and I know you know Imperva very well, you know, the other half of Imperva is, what data is flowing over your APIs? Which APIs have private data, right? It's about understanding who's using my data? How's it being used? Because the reality is, is most data is going to be used by an application.
I mean, it's gonna be used by a human in many cases, but through an application. And so that's why I see a lot of these analytics and analysis that we do on the data security space and the app security space. I think at some point, I'd love to see them come together and say the reality is, is data is not just about databases and file servers, to your point, it's about the APIs and the applications. And how do you have that unified view?
I think that's, that's, that's positioned Imperva well with a lot of our users, because we do have that, that view from the front end, all the way to the back end. I agree with you.
Right, right, right. Okay, great. So let's close our second poll and quickly just kind of have a look at the results. So the first question we asked was about familiarity of people with data security platforms. And I would say that only a tiny minority actually didn't know what it is, which is great. So the awareness is here, which is great. We have like 20% already actually having the working implementation, which is really more than I have expected.
But the second poll has shown us that the vast majority of the attendees are wary of the effort and costs of implementing the data security platform. And I think that maybe we have not done a good enough job explaining.
Well, the point number one is, well, you have to do it anyway. Doesn't matter how wary or scared you are, you have to do it because if you don't, you have much bigger and costlier problems in the future. And the second, which I guess is like more or less on your ground, Terry, it's actually, if you find the right solution, it's actually much easier to do it as a platform and a fabric approach, maybe from one vendor, or at least from like one centralized management, policy management position, than do it with a toolkit, which is old school legal approach.
So you should absolutely kind of stop worrying about it and actually looking deeper into the capabilities. I really encourage everyone to read our Leadership Compass, kind of to understand more of the different approaches vendors have to data security. And there is definitely more than one approach. And I would not say which one I personally find the best because again, this is less of a technological choice and more. It's like even a religious approach somehow. Some companies just, for example, want to put everything into one basket and one database and one kind of stack. If it works, fine.
Those who don't will inevitably face this whole zoo of multiple environments, multiple clouds. I would agree that will probably be the majority.
So yeah, you have to look into those capabilities and you have to be able to... what's wrong with my screen? Not sharing anymore. So you have to be able to not do it alone. You have kind of vendors like Imperva and others, or the analysts like KuppingerCole. We are here to actually guide you on this way.
Okay, we still have some time left for questions. So can we please have a look at our questions? And the first one is interesting. How quickly can you analyze massive data stores like one petabyte or higher? So how quickly can you analyze what kind of data stores? Petabyte scale data stores.
Yeah, I mean, like anything, right? So an organization that wants to scan significant volumes of data have to decide the impact of a very, very fast scan or a slow scan. What's the impact to your systems? The reality is, is a technology like ours can scan your system rapidly. Absolutely. But scanning a system means I/O, right? We're going to be working on that system. We're going to be using the system itself to do some of the work to look at the data on there, whether it's a query, the system, whether it's browsing a file share, what have you.
So the reality is, is, is from a petabyte perspective, it can take some customers a week, couple of weeks. Petabytes are a significant amount of data without impacting the business. Depending on the size of your file server, I've seen it take longer than that. Some customers say, look, I realize this is going to take some time, but I only want to do it at night. It's kind of like filling up your EV and doing it at nighttime, right? I don't want to impact my business. So I'll do all the majority work really, you know, scanning my system. I'll do that in the evenings.
Again, that'll take a little bit longer. So the point is, is mileage may vary just like an EV or anything else. In this case, it's how much power do you have in your data store? How much are you willing to give to the scanning of that data store?
And again, you don't have to think too hard about it. A lot of organizations will just take the defaults, which is a nice medium, comfortable scan, do it on a lesser critical system, take a look at it, see if that works for you.
And if so, then usually you'll fall somewhere in between that range. Now, I mean, usually when we're talking about petabytes, we're talking about file servers. We're not talking about databases versus the size of the particular table. Databases tend to get scanned significantly faster and easier than say a file server, which can take a little bit longer because of just the complexity of looking at different types of files.
Of course, one has to understand that basically to do data classification and discovery well enough, you don't actually have to scan every byte. I mean, the obvious approaches are like do a statistical sample, like only scan 5% of your entire data store. If that discovery already finds some sensitive data, that's usually enough to make a decision.
Yes, we have to actually apply security controls to this data store. You don't have to look for every byte and so on. And then again, it all depends on a lot of business decisions or criticality, specific compliance regulations in place, or even if it's your primary production environment or a test database. The requirements are vastly different and a data security person has to have this flexibility to adapt to every kind of environment.
Ideally, it also has to be smart enough to actually suggest a specific level of rigor in the scanning that's suitable for a specific environment. Okay, next question. Why isn't encryption enough for data protection? Do you want to elaborate on that?
Yeah, absolutely. We've been in the news recently for a lot of encryption stuff, but I think one of the interesting things about encryption is encryption is mandated by just about every cybersecurity data security regulation. You must encrypt your data at rest, across the board. But why isn't it enough? It isn't enough because every single one of those regulations also says you must monitor all access to whatever sensitive data is relevant for that regulation, PII, PCI, whatever. You must monitor access to it. So it's wonderful that you encrypted it because that's done and that's a requirement.
But now you need to monitor every single user, entity, application, API that has the right to unencrypt that. And it might surprise you, but in a lot of encryption, especially on databases, you don't encrypt one table or one column or one row.
Usually, you just encrypt the entire database, which means if somebody is authorized to access the database, they see all the data. So you still have to monitor access to it. Why is encryption not enough? It's not that it's not important. It's critically important. It's required. But there's other requirements that are equally important, and it's not a, can I do one or the other? It's the other Boolean expression. It's I have to do and. I have to do both. And on top of that, there is more than one kind of encryption, even in a sufficiently sophisticated database.
There is like a disk level encryption and table space level encryption and row based encryption. And you can even mask like half of your credit card number in a way, like half encrypt a single field. And they're all useful for different purposes, but none of those provide you protection against every kind of risk. And obviously, if your data is in use, at some moment, it has to be decrypted. Like if you are performing the actual credit card transaction with a third party payment provider, you have to tell them the real credit card number. You cannot just give them a tokenized version.
And as soon as your data is decrypted, you have more than one attack vector. It can be even hardware based attack like those bugs in modern processors. It can be something which, I mean, the hackers nowadays are so sophisticated.
They can, I don't know, they can monitor blinking of LEDs on your keyboard and steal your data through that channel, for example. If you are only protecting your data at rest or in transit, that's definitely not enough.
Okay, I think we have like one minute left for one final question. Which teams and what size of teams would run these products?
Yeah, the short answer is almost always. And almost is a really critical word because it kind of means the answer is it depends. But almost always it's the security team. And that has changed over the decades here.
But today, it's usually security who's going to be told, usually by somebody else, executives or otherwise, to say, what are we doing to solve this problem? What are we doing to go understand where my assets are?
Usually, it's the security team, that this is going to land in their lap. Sometimes, there's a tangential organization, which is your GRC or compliance or otherwise. But usually, it's going to sit right there with those two teams that will live with that. I'll add because it's KuppingerCole, and of course, we're talking about Europe, sometimes privacy will come into it and sit in there as well. But usually, security is going to own this technology and be the ones that are responsible for it. Right.
And on that, I could only add, again, because there's always the clash of expectations and reality. Of course, in an ideal world, everybody within the company should be using it, because it should be to everybody's advantage.
Again, as I mentioned in my part earlier, an ideal data security platform actually doesn't just secure your data, it gives you solutions to real business problems, reducing data friction, or giving access to analytics and stuff like that. So, there will be a lot of stakeholders, a lot of consumers of the data that would be ideally accessing the same platform. Whether we will see it in real life at every organization, it depends a lot on the technological debt and legacy and processes and stuff.
But again, we can only dream, right? Well, thanks a lot, Terry. Thank you very much to all the attendees who stayed with us till the end of this webinar. I'm glad you were with us. I'm looking forward to seeing you perhaps in a future webinar. And I guess, have a nice day. Goodbye.
Thank you, everyone.