Encrypt Everything

Well, hello and welcome to KuppingerCole's videocast or whatever you would like to call it. Today we are cooperating with Thales group, leading vendor in all things encryption. And unsurprisingly the topic of our today discussion is encrypting everything. My name is Alexei Balaganski. I'm the lead analyst at KuppingerCole. We are an independent analyst company headquartered in Germany, and I am focusing on all aspects of cybersecurity in this company. So my guest for today is Todd Moore of Thales group. Welcome Todd. Hi Alexei. Thanks. Thanks for having me here.

Just a quick introduction of myself. I'm I'm, I'm a senior vice president with Thales. I'm responsible for our encryption product family and excited to be here today. To tell you a little bit about the challenges that our customers are seeing around encryption and some of the best practices to help them as they work through this unprecedented time. So let's probably dive in directly into this whole topic of encrypting everything. What are the primary reasons? What are the primary driver of behind this mean? Obviously it did not start yesterday yet. Sure.

Everyone is talking about this new normal working from home and COVID-19, but it all started years ago. I would say the primary reason for companies to kind of come to grow with this whole digital transformation as they call it is the perimeter inflation. It's a fancy word, and I'm not even sure I'm pronouncing it correctly, but basically it just means we are no longer having this customer mode concept. When we are talking about corporate it and corporate security, maybe 20 years ago, it was just fine.

You had your firewall, you had only a single, a single gateway for external people died on into your company. Nowadays it's completely different. A huge problem of the data sprawl as reasonably recently. So we have the cloud, multiple clouds actually have mobile devices, operational technology. So your data can now be anywhere around the world, not just behind your corporate firewall. What's your thoughts on that thought?

No, I, I think when we talk to our customers, our large enterprise customers data sprawl is the right word or, or what was the other word you use deep? I can't even say myself the permission to station, but the idea that the perimeter is dead and data's going everywhere, mobile devices, our laptops at home, into the cloud, it it's amazing.

And in, COVID only made this worse working from home where data is proliferating all over the place we lost control as an organization where that data is going. And a lot of it's critical and we have to make sure that we're protecting it. I think some of the other trends that we're seeing during these times is the compliance and the need to protect that data. So you've got to find it, but then you have to be able to protect it based on different regulations and compliance laws. And that's also sprawling.

I think we're up to 1800 global regional compliance regulations out there and compliance. Isn't a bad thing, but, but we have to be able to protect that information as it goes out and about all over the place.

So I just, I see that that's an issue for companies like you said, well before the pandemic, but it's made even worse. Now that folks aren't becoming into an office, a brick and mortar office and working from home and, and really want to get the job done, they're doing the right thing, trying to get the job done, but they're creating data and that data is going in a lot of different places. And so we have to get, get control and, and really get our arms around that here at Thales. We kind of think about it as three pillars.

You have to discover, protect and control that data as it goes around and into all those different types of locations. Well, I guess probably it would be reasonable for us today. Just go through all those three pillars and time and look at them separately. And let's start with the discovery or discovery is absolutely kind of the step zero in Emery security or compliance architecture. That's kind of what should be obvious to every company.

And yet so many companies are failing even at that initial step, obviously, as I mentioned, compliance is, and as you mentioned, as well, compliance is difficult and compliance influences data discovery massively. What's your opinion on that influence? You're right. There's a couple discovery is at first step zero. You got to find the information that you want to protect no matter where that exists first. And once you find that information, then you need to classify it based off of your, your, your policy, your risk profile, what's important to you.

And once you've determined what the classification, that data is, you want to be able to protect it. But, but discovery is, is a, is a very important first element discovery applies to, we've already said the word compliance too much, probably on this video cast, but it complies to different laws around the world. So you can have each company is, is being burdened with multiple laws and regulations. So as you discover, you want to be able to find critical data that meets those laws and regulations, but it's also data privacy elements as well too. And we're moving away from that compliance.

I mean, things that are important to a company, whether you're a tech company or an automobile company, or maybe you're a, the government or a legal firm, what's important to you may be different than what is even included within a compliance will also data privacy, making sure you protect what's important to you and finding that information is a pertinent aspect before you can actually implement encryption and other forms of data protection. Right?

Well, again, going back to the technical aspects of data discovery, the biggest problem are I believe that it is really complicated and complex simply because of that. latest pro you have too many silos with totally different data formats and types structured was the structured SQL versus no SQL databases cloud and other cloud on prem hybrid, they have different technology stacks, they have different access control. They have different compliance regulations apply to them. And theoretically ideal data discovery and classification tool must be able not just to access all those silos.

It must be able to work across those silos, right? So it has to be able to assemble some data here, some data there and make a reliable conclusions because you cannot just download all the data from all your data silos. It will be too loan to performance or heavy on the actual applications, which will be accessing the data in parallel. And of course it will probably take months if not years, for us substantially large company. So a compliance platform, it has to make some compromises to have to sample only beat some data.

When we just look at the data schemas and guests, okay, this particular table might contain financial transactions because it's called transactions or, and then try to apply some logic, some intelligence. And of course we hear a lot of from different vendors talking about pattern matching and some kind of a regular expression search, but do you think it's enough or what about more intelligence solutions? Like do you see, for example, artificial intelligence playing any role in that?

No, that's a great question to your first point with the data sprawl. Yeah. Critical data is all over the place. On premise in cloud structured unstructured. It is difficult to find it all.

You know, ultimately there is no one solution that can do that, that can meet the performance and everything that you you've mentioned. And, you know, I talked about what's important to some companies are not as important to other companies, so that, that really is the custom data types. And being able to find what's unique to you. And I do think that to answer your question, that artificial intelligence machine learning is going to be an important aspect for data discovery and classification.

I think there's a lot of vendors out there that are, are looking beyond context, to be able to be able to find, you know, what's important from a behavioral perspective to an organization and then be able to protect it. I think that it's a simplified this whole process and well, let's, let's say there is false positives and we can't meet everything.

You know, it does come back to risk. You know, what is the risk that an organization can tolerate in terms of what they need to protect, to be able to maintain their business, their customer base, meet the law, all those good things. And so once you have that defined, I think an important aspect is finding that critical data classifying, but then automatically protecting it in a way that, you know, it doesn't require another step. And I don't know, Alexei, maybe I'll turn it around to you.

What, what your thoughts are on machine learning and artificial intelligence, but that, that next step of once you find that critical data and how you protect it, you know, we're, we're understanding that's a big problem. We're, we're trying to solve it, but, but what are you seeing in the industry? Did you think there's a one size fits all solution there? It sounds like from your comments, you don't, but I'm just curious, you know, how, how you feel about it.

Well, you know, For me as an analyst or two words you just mentioned are like my two favorite words and never discussion. One is context, and the other one is risk, right? Context is key for anything, not just insecurity, it's key for any kind of decision or in vacuum. Even if you're looking at a specific table that's specific database and you have found specific data, you can never actually decide how risky, how sensitive whether is without context. Right? If you have found, let's say the word, Mexican, is it a nationality or is it the type of restaurant?

The risk would be totally different in the end. And another aspect to consider is yeah, sure. No suppose you have deployed a data discovery solution. It has found all your sensitive data. Now you have 5,000 page long report. What am I going to do with it? Does it make any sense who is supposed to read it in the end? And I guess the point of that would lead us to the next or pure try it we discussed earlier is how does data discovering classification plugs into the whole data protection life cycle in the game? This is one of my favorite terms.

A colleague of mine here at KuppingerCole came up with that definition recently. And we have quite substantial research doing in that regard.

And again, lifecycle is probably one of those buzzwords, which applies to everywhere, API life cycle, application, life cycle, cloud management, life cycle. And of course data protection life cycle, unless you are constantly monitoring and following all the changes and developments in your data, you are not protecting it, right. That's correct. And I'm sorry to interrupt that.

I mean, I liked, I liked that word lifecycle as well, too. I mean, when you talk about data, you really want to be at a point from a risk perspective that you're managing data from throughout its whole life cycle, right? From the time that it's created all the way through to the point in time, we know data's no longer needed and it's shredded or deleted in some way. And so data discovery and classification, you know, moving from that first pillar, isn't a one-time thing. It has to happen constantly from a monitoring perspective.

And as, as new data is being created in databases, as you mentioned, or it could be a file folder, it could be in a cloud storage, it could be in an application and we want to be able to capture that information and we want to be able to protect it that second pillar and whatever makes the most sense and protection comes in a lot of different forms. I mean, it does come back to a policy that you put across your organization. So let's say for example, that you do find a piece of intellectual property and a technical firm, and that intellectual property is in a cloud database.

The first thing you want to do is you want to set up a control or a policy, a management philosophy to say that once you find this intellectual property, you classify it. You want to either encrypt it. That's one way of data protection. There's tokenization. There's also access control, just deciding who has access to that data. So there's different a continuum, a different degree of how that information quote unquote gets protected. But I think back to your original point about lifecycle, you know, we want to make sure that those controls are applied throughout the whole data life cycle.

And, you know, it might change over time. It might start out just being an access who has access to that data when the data's first created, but after the, you know, the viability or that data actually becomes more important over time.

I mean, your example of Mexican, maybe that Mexican word becomes very important throughout that data life cycle. And so you may move from a, an access control to an actual data encryption at a file folder or a storage level, depending on, on your company's policy. Hopefully that, that, that makes a little bit of sense, but I, I definitely, I appreciate your firm's view of a data protection lifecycle. And I think that that is important as we think about data, you have to be able to manage the whole life cycle. And that's important for us in those pillars versus just a, one of the elements.

You're not doing the whole life cycle. If you just don't have one in the element. That Makes sense. Yeah.

Yeah, absolutely. And of course, everyone should also realize that there is always more than one way to do it in the cloud or elsewhere.

Of course, every vendor, every cloud service probably will tell you, well, we've got lots of tools at your disposal. It's up to you to deploy them. And or there is a short step to a very dangerous misconception. And that misconception is that if you have a lots of tools and somehow those tools alone, somewhere on the shelf to protect you, they won't. So in the cloud, especially even if you are giving away the control for your data to a third party, the cloud service provider, you are still responsible for all the consequences of not protecting the data sufficiently.

And even if you have all those tools at this portal, it's up to you to implement those tools. And the cloud service provider might help you and guide you, but they are not losing anything. If your data is breached and leaked, you are responsible not them. So if there is one takeaway from our discussion, that would be that there are too many tools, but too many tools do not translate into better the security automatically.

Yes, absolutely. There is a shared responsibility model and every cloud, every SAS application, well, at least every cloud service provider defines that pretty well, but you're absolutely right.

It's a, there's a lot of tools out there, but the responsibility still comes back to you as a, as a user and as employees of companies, it comes back to the company as well, too. So it's, yeah, it's a very daunting world out there when it comes to all the amount of tools and all the capabilities that has Provided.

So I agree when you are thinking of kind of long term, if you are defining your strategy, you might opt for solving some sort of quick wins with all those tools, specific tools, point solutions, but in long-term you have to, again, to think about centralized policy management and covenants, because again, many tools when they are not kind of, when they're not connected to each other, when they're not managed by a single pane of glass, for lack of a better term, that means more work for you for your admins and security people.

And we know that whole story of skills gap and lack of qualified specialists, and it's only growing. So centralization, intelligence and automation, I would say, are the key recipes for building a long term efficient data protection solution?

Well, I think, I think you're talking a lot about the aspects of that third pillar that we haven't really spoke about, but you've lived, I think you described it there very well. And in our conversation control, right? Having a centralized control of, of policy, but also of encryption keys in particular.

But, but also there's another aspect there, you know, you can trust the tools that are out there, but, but you don't want to, I think we just talked about that as a takeaway, but you want to put it a layer it's defense in depth, multiple layers, you know, for example, you don't want to give a database administrator the keys to the kingdom. You don't want them to have access to everything you want, your encryption or data protection policy or philosophy to allow you to have different levels of control.

So no one actually can with an escalated credential, be able to get access to all the critical information. So there's, there's differently from a control perspective, different levels that you wouldn't put in place. And the one aspect of control we haven't talked about, you kind of touched on it was monitoring and auditing.

You know, we go back to the compliance idea. You have to be able to show to an auditor that you actually put the right data protection approach or framework risk controls in place. And so you do need to have a very strong logging auditing, and that can happen with third party tools as well, or a dashboard or a single pane of glass, like you said, but you gotta be able to identify that when something bad does happen, you want to find that quickly, but you also want to show that you're meeting requirements as you go forward.

So I, I didn't, I just want to make sure that element came into that control piece. I think the monitoring and the auditing is extremely important for us to be able to, you know, meet our security approaches within their companies and for our employees.

Well, Todd, you are, again, you're absolutely right. Or it's usually complicated topic and we probably could talk for another hour, but we are limited in our allocated time. So maybe we should just finish up here and try to summarize our ideas and tidings today. So if you were to outline like three or five key messages for our viewers in regards to data protection, what would that be?

Wow, that's a true me with five there. So, so I think that, you know, I Alexi I really appreciate the conversation and I, I agree we could go for a long period of time for me. We understand that the operational complexity around encryption and data protection is hard. It's complicated. So we're trying to simplify that. Remember the three pillars discover protect control.

I think that those three elements can help every organization as they think about the full data life cycle, not just elements of the data life cycle, but the full data life cycle from the time data is being created throughout its whole life, as well as the keys that go along with that, the associated key management. So I think those are some best practices that we all can live by here at Thales. We are building a platform strategy to try to put all these elements into a single platform.

So you do get one holistic platform that does all of these different elements along with a single pane of glass, to help you with the different pieces that go along with the centralizing and managing all that data. Some of the other takeaways I would say for, for the team here and, and for the audience is, you know, we didn't talk a lot about access control and remote working if you're not using multifactor authentication and VPNs. I think that resolves a lot of the vulnerabilities that our customers are seeing. And then the last element that I would mention is just cloud.

We are seeing a huge uptake uptick within cloud. We talked about the shared responsibility model. You have to recognize when you use cloud tools that the cloud providers is not always going to protect you. And so there's different elements there, there's different degrees of protection, and we want to make sure you have to make sure that in your, in your policy and your governance and your, in your, the way you want to work with those types of environments, that you're taking that into account. And you're putting the appropriate controls in place to protect data no matter where it goes.

So thanks again, Alexei, it's, it's been, it's been great to meet you and spend some time and give me a call. If you ever want to do this again, be open to having another conversation.

Well, I pretty much taught absolutely. I hope this is not our last discussion because we have so much, I guess, in, in shared experience and it's kind of common topics to discuss and talk about. There are so many things which we could not simply put into the discussion today. Like how do you protect your workers at home, or how do you deal with ransomware?

But again, if there is only one single takeaway from me from the discussion that would be centralization is the biggest is the biggest friend metal in complexity. So try to break your silence, try to centralize your policy management and governance avoid when they're looking, looking for extent, kind of extensible in open platforms and so good luck stay healthy and goodbye You as well. Thank you. Thanks all.