Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm senior analyst and lead advisor with KuppingerCole Analysts. My guest today is Alexei Balaganski. He is lead analyst with KuppingerCole Analysts. Hi Alexei.
Hello Matthias. It is great to be here in the podcast again. Thanks for having me.
Great to have you, and we want to talk about a topic that is getting more and more attention: data-centric security. To start out with that, can you please give me a quick definition of what data-centric security is?
Sure.
That's actually not as easy as it might sound, because data-centric security is just as elusive a buzzword as, for example, zero trust. Originally data-centric security was just a concept, a vague theoretical idea, which emerged almost 10 years ago and was introduced by an American scientist, Rich Mogull. And the original idea was quite simple: data has to be self-defending. Sounds crazy. Sounds intriguing. Probably doesn't work in reality, but that was the original idea.
It evolved into a set of rules and concepts, architectural patterns if you will, which we will discuss today. But basically the original idea was: imagine what it would be like if your data could protect itself. It would be so much easier and faster for analysts to shift the focus away from infrastructure protection, which is what we mostly do nowadays, because we have so many different types of infrastructure.
Like 20 years ago, your typical application would just have a database in the backend and probably a client in the frontend. Nowadays you have clouds, you have Kubernetes, you still have databases, microservices, APIs, mobile networks and so on and so forth. So you just have too much infrastructure. And if you focus on trying to monitor and protect each one of those separately, you just don't have enough resources. So wouldn't it be great to go back to basics and only focus on data?
Right. So on the one hand, you mentioned data that should protect itself.
So this idea did not work, as you said. We don't want to protect all the infrastructure. So what are the typical approaches when it comes to implementing data-centric security by protecting what you really want to protect, which is the data? What are the approaches to look at? Is it database security?
Well, one has to distinguish between different kinds of use cases. In some areas it has already been done many years ago, and it kind of works, even if unfortunately it still isn't adopted everywhere. For example, if you remember the term information rights management, IRM, it appeared a decade or so ago. And the idea was that every time you move a piece of data around, it has to be protected by some kind of container. Typically it's just an encrypted file with an attached security policy. And only those users or applications that have a key to decrypt
this container can actually do something with the data. This works great.
For example, it has long been implemented in Microsoft Office applications or Adobe PDFs. You can basically say that this particular document can only be opened by Matthias, and he can only read it but not print it out or, for example, forward it to somebody else. On that level, data-centric security works wonders.
Unfortunately, this just does not cover all the use cases where data-centric security is needed, right? Another area where there are some interesting developments nowadays is homomorphic encryption.
We have actually discussed this topic in an earlier Analyst Chat episode, but basically the idea is that your data is always encrypted. And even if you want to perform an operation on it, for example sum all the transaction amounts over the last month, or find an average in a block of data, you perform it directly on the encrypted data. This involves lots of complicated mathematics and a lot of distributed computational methods, but it actually kind of works nowadays, and some vendors already offer solutions.
Again, unfortunately, it only works when we are talking about, say, connecting large data centers or maybe doing some transactions between banks and the like. It would never work on your mobile phone, for example, or on the microservice level.
So yes, for all those remaining use cases, we have to find some kind of balance, doing some kind of data-centric security with the limited technical opportunities we have.
You've mentioned that already: we have different platforms where data needs to be protected. So you mentioned cloud, databases on premises and anywhere in between. And on the other hand, we have these states of data being in transit, at rest and in use. And so there are lots of options to protect data during its life cycle.
So how can we choose the right and proper solution? I think there is also more than one category, more than one market segment to look at. What do people do when they really want to move towards data-centric security for their individual use cases? Where to start, where to look?
Well, first of all, you're absolutely right in pointing out that data is never static; it's always in transition. It always moves. It always changes. It might even be split and then merged later.
Again, it might go through different paths in parallel. So data does not exist in a vacuum. You cannot just protect data once and then sit on it and do nothing else.
I mean, you can, but you won't derive any additional value from that data anymore. So the data has to be available all the time for processing, for transmission and so on. The question is, how do you actually maintain confidentiality and integrity at any point?
Yes, you mentioned that nowadays it's popular to differentiate between data at rest, data in transit and data in use, but from the data-centric point of view, all those states don't matter anymore.
Data is data, whether it's stored in a database, whether it's being sent through an API endpoint, or maybe it's being processed in some encrypted enclave on a cloud server. It doesn't matter; ideally, your data-centric security should work seamlessly across all of those situations. Unfortunately, we are not there yet.
Not by far. Again, there are some edge use cases like homomorphic encryption, which actually do work exactly as I just tried to explain, but they only work for specific industries and scenarios. Otherwise we have to be really inventive and probably reuse our existing tools, but in a slightly different combination. But I guess the biggest challenge here is that nowadays you will probably have a team of people whose goal is to secure a database, and a totally different team of people whose job is to maintain the APIs, and the networking team, and whatever other compliance teams somewhere else.
And again, this approach is rooted in the historical infrastructure-centric idea, which just doesn't work anymore. So first of all, we have to reorganize our security completely. We have to reinvent it from the organizational point of view.
Is there a typical starting point for moving towards data-centric security, or are there typical use cases? I would guess many organizations use something like SharePoint and Teams and Office 365, where they store their unstructured data in large areas which are accessed by many people.
If you want to apply data-centric security there, would that be a starting point? Are there solutions for that around?
And again, I guess we go back to this idea that data-centric security is actually more than one thing. It's not a technology. It's just a way to approach security. It's just like zero trust: whenever you go shopping for zero trust, you cannot just buy it all at once. You have to understand that here you have to implement some access management controls,
and over there you have to add encryption, and here you have to have some kind of point-to-point network tunnel, and all together they form the foundation, the zero trust architecture. The same applies here. Yes, if we are talking about unstructured data like SharePoint, file servers and so on, there are already solutions which are more or less turnkey, like Microsoft Office IRM. Unfortunately they all have their limitations. This is why there are whole market segments of solutions which only cater to that use case.
And there is absolutely nothing wrong with using lots of little solutions and continuing to use them. But you have to understand how they fit into the bigger overall security architecture. Because as soon as you are dealing with a database, with relational data, obviously you cannot apply the same technology you would want to use for files.
And again, you probably have a database which has lots of security controls already. And some of those might be 30 years old. There is nothing wrong with them per se, but you have to know how they work together. So it all boils down to this idea that you have to have a layered security architecture.
Again, this is nothing new. This is the same approach which was developed even before computers existed, because defense in depth actually comes from medieval war theory, but it still applies nowadays as well. You just have to know that those layers of defense have to talk to each other. They have to speak the same security language, they have to speak the same access policy language and so on. If you can achieve that, basically you would have data-centric security without any magic technology. The question is, how do you do that?
Right.
Usually at the end of an episode we recommend looking at the research that we have, but from what you've said up until now, I assume there will be no such thing as a Leadership Compass on data-centric security. Instead there will be Leadership Compass documents focusing on individual areas which might play a role in that field. Am I right that there will not be a data-centric security Leadership Compass?
Yes.
I guess that is, again, kind of a limitation of our approach towards market analysis, because when you start looking at a market segment, it's usually already something established, where you have competing vendors and so on. Yes, we absolutely have a Leadership Compass on database security, for example, and we have one on API security, and we have lots of others on endpoint and networking solutions. And of course a lot of identity-related coverage. The problem is that all of those separately won't give you the big picture.
And unfortunately there are very few vendors which are already starting to think in that direction. But I would say there are quite a few. And even if, for example, you only focus on securing your data through the, quote unquote, application chain, like if you only say, I have this complicated infrastructure which maintains my modern microservice-based, cloud-native, whatever applications, you already have like five to ten different points where you would have to implement your data security. You can find a vendor which would offer you a more or less complete solution from one hand.
I'm not sure if we are supposed to name those vendors in this podcast, but you can definitely talk to us and we will give you all the necessary guidance.
Right.
And since we have these limitations, as you've mentioned, because we are looking at market segments and not concepts when we're doing a Leadership Compass, I really want to recommend the white paper that you wrote, which is actually entitled "Why Your Organization Needs Data-Centric Security". It gives a deeper insight into what we've discussed in just a few minutes here, a bigger picture and a more strategic and more global approach towards data-centric security.
So this is highly recommended, and I really would like those who are interested to go to our website and just pick up that white paper, which is freely available, I assume, and can be accessed there as well. So, the white paper by you, Alexei, about data-centric security. Yeah.
Yes, yes. Thanks for mentioning that.
But again, be prepared that after reading such a high-level theoretical publication, you'll probably end up with more questions than answers. But that's okay, because those will be the right questions, which you would be able to directly ask a vendor, for example. So get ready to rethink your overall approach. But again, it's okay. It would be the right change.
Right. And really focusing on what needs to be protected instead of protecting infrastructure after infrastructure after infrastructure.
I think that is really a good way to move forward, to really protect what's worth
protecting after all. I mean, they say that data is the new oil now, or data is more precious than gold. I would add: it's more precious than printer ink if you measure it by weight.
But yeah, absolutely, that is what you have to focus on. Ideally your data has to remain secure and safe even if all of your infrastructure has failed. This would be your ultimate goal of cybersecurity, not the other way around.
Right. Great final words for this episode. Thank you very much, Alexei, for joining me.
Thank you for raising that topic and for pointing out that there is some more work to be done to get closer to data-centric security as an approach. I'm looking very much forward to having another episode with you again about these topics. For the time being, thank you very much, Alexei, and have a great day.
Thank you.