Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the director of the Practice IAM here at KuppingerCole Analysts. My guest today is Alexei Balaganski, he's a Lead Analyst with KuppingerCole, covering cybersecurity and much more. Hi, Alexei, and good to see you.
Well, hello Matthias, great to be on this show again. It's been a while, so thanks for having me.
It's been a while. And the last time, I'm not quite sure, but one of the last times that we talked with each other, we talked about debunking one of the myths that many organizations still live with or consider to be a sentence of wisdom. We had a look at the use of VPNs and the role of protecting users from eavesdropping, from being spied on in hotels, in their home network, wherever. Another similar topic I've covered with Martin Kuppinger recently when we talked about the end user as being the key threat to organizations because they are the ones who click on the wrong links and everything like that. And we had a strong opinion about that as well. And we want to continue that discussion with another sentence of wisdom, some truism that many companies, many vendors deal with when it comes to talking about data security. They talk about data being the Holy Grail, being the crown jewels of an organization. And you, your stand statement today as a start would be “The Crown Jewels are a Lie”. Why is that? And where do you come from with this discussion?
Well, of course, the title itself comes from a famous Portal game where their motto was “the cake is a lie”. So yeah, the crown jewels lie as well. And I guess we have to thank Martin Kuppinger again for inspiring me to talk about this today, because last time, it's your latest episode, he was talking about data quality and data lineage and other research he has been doing recently and published recently as a Leadership Compass. And of course, I'm also working on one of my own Leadership Compasses focusing on data security platforms. And of course, we have to not just think about data as an object to protect. But data as the actual reason for many businesses today to exist because many companies live or at least they claim to live just from digital products, basically, they sell data. And this is why this idea is often promoted that data is actually their product and data is this precious metal, new oil, even more expensive than printer ink, I guess. And I have to say, no, it's not just plainly untrue, it’s actually a very dangerous assumption for many companies, especially for those who do not actually live from data directly. Not every company is Facebook, or Twitter, or anything like that, or Google. And those who are not, they have to probably slightly temper their expectations and adjust their data management and data security strategies because again, let's just talk about it, but your data is probably not your crown jewels, or at least not all of your data. Feel free to disagree with me Matthias, what's your opinion on that?
Yeah, I think that the term data is a bit misleading. So you've talked about data being the new oil and if you follow that statement, then data is the unrefined, the crude oil. And I think what is of importance is that part of data that is then considered to be information that is set into context, that is used in a specific context, and that gains value through interpretation, through processing. And that might be something where this sentence about the crown jewels might become more true. Could that be an approach?
I would say that, first of all, no data is created equal. And just like in real life, most data, probably like 99.9% at least, is just junk. Or maybe it's something like, you know, recycled waste, or like unrefined, or basically some substance which on its own isn't particularly useful. And you have to actually invest a lot of effort, time and money to derive something interesting, something useful from those raw materials. And again, if we continue this kind of geological analogy, not every material we as humanity mined from ores is actually gold. Sometimes we have to extract stuff like uranium or arsenic or lead, those materials are very useful for specific applications, but are also extremely toxic. And I guess the same analogy should apply to digital data as well. Some of the data you might be carelessly collecting from your customers, for example, or from scraping public sources or anything like that, can, and eventually will leak into your other stuff like toxic substance and poison your useful IT systems, and that will lead you to massive legal, financial and reputational losses. And I guess one of the challenges we have to think about is how to prevent that from happening in the first place.
So the idea is to not collect every data, not to be very decided what actually should be collected and what should be stored and what should be avoided, which is just junk. As you said, if I collect all the log data from all of my web servers, which may or may not contain PII from the user that are using it, that I gather lots of this junk that I don't really want to keep, that I don't even use. So it's really about refocusing, about reconsidering data storage in the first place?
Absolutely. PII, as you just mentioned, things like the most obvious example of “toxic data”. We all know that just keeping PII comes with a lot of regulations and dangers. And if you happen to mishandle PII, that's personal sensitive data, if you let it leak, you are in big trouble, especially if you are in Europe because the GDPR will come after you. But of course the similar regulations are coming up in the U.S., Asia and other countries as well. Basically, wouldn't it have been much easier for everyone involved if you had not collected the data in the first place? And do you really, really need to have all the contact data of all of your customers if you don't actually have a clear and balanced strategy for dealing with the data later, especially if you consider all the potential risks of mishandling that data. And of course, even more dangerous is data like health data, which is even more strictly regulated, financial records in the banking industry, for example, or anything like that. Sometimes you maybe have to consider that kind of even in the highly purified end state of the data, where you have already invested a lot of effort into processing the ore, filtering out all the dangerous stuff. Is it really worth it in the end, what exactly is your plan to do with the data? Is it the crown jewel or is it more like a block of uranium, which you have to carefully handle and never, ever poke with a screwdriver?
Yeah, I think maybe also one reason for this amount of data just piling up and nobody taking care of what is already stored, is the decreasing price of storage. So you can just store it and you don't need to take care of what you're actually storing. And I think you are calling to action for actually making sure to understand what you are actually storing. So it's not the price of storage, it's the price of having it there and having it capable of being processed for good or for bad and really making sure that you only store what is required. So it's really a concept that is in Martin’s Leadership Compass, surely will be in your Leadership Compass, is actually in understanding, in tagging, in assigning criticality to data and understanding its value and its worth and its danger, its risk. So maybe this is something that organizations should apply in general, apart from what you do in your LC and Martin did in his LC. So it's really understanding what to work with in general before applying these concepts. So it's a kind of hygiene then?
Absolutely. You are hitting the nail here and by the way, speaking of storage, this is probably another misconception. Yeah, storage is nowadays much cheaper than it was before, but it's still not free, far from it, and especially when you consider the different types of data for different applications require different tiers of storage. Sometimes it has to be extremely secure, even if it's expensive and small for example. But for other cases it has to be extremely fast. Some data you can only keep in memory, for example, otherwise it would be just too slow for processing. I guess the key takeaway here, that data on its own never exists in vacuum. Data only generates value when it's being processed. So if you only store your data for later, it doesn't generate any income, it doesn't generate any value. You're only losing money on it, even if it's stored in the cheapest tier of your storage. And as soon as you start actually processing some data, as soon as you start exposing it to unprotected hardware, the cloud, the third party, untrusted partners, even customers. You are opening a huge can of worms, you’re expanding your attack surface of the data immensely. And you really have to consider like, is it worth it at all?
Yeah, I think one of the calls to action or the recommendation that we would then give is first apply Martin’s Leadership Compass about Data Management Platforms to identify, to find data where it is right now, to understand what is there and understand why it's there and if it really should be there. And once you’ve boiled down to what you really need, then apply what you are looking at within your Leadership Compass when it comes to Data Security Platforms to apply the right means of protecting that little tiny left over set of data that is actually at the core of your business.
Right. Right. So again, just understand, not all of your data is gold, not even oil, not even ore, some of your data is probably just plain old manure and you have to get rid of it as quickly as possible. So, yes, you always have to know what data you have, where did it come from? What is it potentially worth? How risky in terms of compliance and potential security regulations and so on and so forth. So you have to manage, you have to refine, you have to trace your data lineage at all times, because this is, basically, this is metadata that actually turns potential value into a real value. And of course, yes, as soon as you start actually doing something with your data, as soon as you start investing in your data, if you will, you have to also invest into properly securing the data. And properly securing, I insist, means securing the data all the time, not just in transit, but also in use. And you have so many interesting and innovative developments coming up in that area, which I will be covering in my Leadership Compass. Unfortunately, it's not yet published, but probably it will be soon. I invite everyone to have a look in that and watch this space. But basically again: data is valuable only if it's the right kind of data and only if it's protected properly. And of course, only as long as it generates value. Maybe you have to even think about disposing of old data which is no longer useful. That's another topic to cover. Probably a separate discussion. Or generating test data or preparing desensitized data for business analytics and so on and so forth. So many interesting aspects to discuss here. But again, you always have to consider, not all your data is worth the same, even potentially the same value, for not all your data is gold.
Yeah, I think that is, you mentioned that, disposing this data might be really an issue. So if our audience, or some of our audience agreed to what you said, or if you disagreed, just leave it in the comments below this video. But if they agree and say, okay, I should get rid most probably of 95% of the data that I'm currently storing because it's old, there's no business use for it. It's just there because we could collect it. Is there tool support in identifying what is which type of data and what maybe even applies some analysis around what is this data actually? Is this a Social Security number? Is it email address? Is it a personal record? Is it health data? Is there tool support to understand, yeah, that is really something that I should get rid of.
Well, let me put it this way. Yes, of course there are tools. I would even say there are way too many tools currently available on the market, both for data management and data security and all those things which are nowadays called DevOps and DataOps. And in order to not get lost in this huge market full of data tools, what you really need in advance is actually some kind of guidance and support in actually to understand how do you even assess those tools and how do you find the ones which are specifically for your requirements and for your business processes? And of course, I guess we should probably shamelessly say this is exactly what KuppingerCole does. So come to us with your questions and we will be glad to talk to you and support you and maybe even assist you with the tools of our own.
Absolutely. And I think we have different types of support. As you've mentioned, you've mentioned the Leadership Compasses, which are massive documents, but with a highly condensed and really correlated information that really covers one market segment. Of course, we provide a personal support as teams, as advisory teams that support organizations, and there's also a new way of getting to data. It's not yet covering the markets that we're looking at right now, or discussing that in that episode, but we are building on that and we will start with Passwordless Authentication in that area will be and we've mentioned that before, the KC Open Select platform, which can help you in identifying your own requirements and mapping that to a market segment and the proper tools that are of use for you as well. So there are different offerings here at KuppingerCole where you can really get to information regarding the markets that you're interested in. But we are interested in you as the audience in getting back to us. So please reach out for these more controversial discussions that we do in these episodes when it comes to debunking some of these truisms that we see in the market. If you agree, if you disagree, if you want to continue that discussion, please reach out to us either via the comments section here or just reach out to Alexei or me via email. Mail addresses are everywhere around our platform, our kuppingercole.com site. Thank you very much, Alexei, for raising that topic. Any final words that you want to add?
First of all, thank you for inviting me. I am really glad that we have kind of the platform for raising those controversial topics from time to time. And I'm really looking forward to debunking even more myths. And you just mentioned, yeah discussions sound good, there is nothing that I like more than a really interesting and engaging discussion. So everyone, even if you disagree with us, let's just talk because in the discussion you will always achieve a constructive, useful result in the end. And this is what we do and that's what we love to do.
No further comment from my side. That's a great final conclusion for this episode. Thank you very much again, Alexei, for contributing. I'm looking forward to having you soon again on this podcast, Debunking some myths. Thanks again, Alexei. Bye bye.
Thank you. Bye. Okay.