Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the director of the Practice Identity and Access Management here at KuppingerCole Analysts. My guest today is Warwick Ashford. He is a Senior Analyst with KuppingerCole working out of London, right?
Hi, Matthias. Good to be here.
Great to have you. And I want to start with a quote that is my main impression of a podcast episode that I did a few weeks ago with our colleague Alexei Balaganski, who said “there are no crown jewels”. And he hinted at the alleged importance of data or the lack thereof. Today we want to talk about data protection, so we want to help us still finally protecting data, whether they are crown jewels or not. So data protection, why is this still a thing?
Well, because business is now more reliant on IT than ever before, and we're generating more data than ever before. And this is kind of what drives business and business intelligence and that kind of thing. So to me, it's all... cybersecurity, in a way, is all about data protection. That's what it boils down to. Not to mention the need to comply with a whole raft of international data protection regulations.
Right. So if we take as an unofficial title of this episode, the five most important methods to protect your data from malicious third party, what would be number one?
It's not very sexy, it's not very new, but it's access control. I mean, at the end of the day, this is a core component of cybersecurity, isn't it? But not every organization does this effectively. So it's the basics. It's about limiting access to sensitive data only to authorized users. So only the right people getting access to it at the right time. It's about giving users access only to systems and data that they need to perform their job. So again, a very basic principle, the principle of least privilege, no more than is absolutely necessary. And so good access control can help organizations prevent unauthorized access to sensitive data. And we're talking more and more at KuppingerCole about moving towards passwordless multi-factor authentication. For us now, this is kind of the immediate goal now, is to get rid of the password and have multi-factor authentication that's done in the right way.
Right. And when you say access control, I mentioned I'm the director of the Practice Identity and Access Management. This is where I smile because access control goes hand-in-hand with strong and reliable identities. That is a good starting point for me. So what is number two then? Access control is noted.
Okay. And then we move on to data encryption. I mean, since ancient times we've been encoding or encrypting information to prevent unauthorized access. There's nothing new about this. It's an obvious thing to do. So it's essential to encrypt sensitive data such as financial information, personal data, and confidential documents to prevent unauthorized access. But the thing is, it's not very widely deployed, but encryption systems have evolved so much in recent years that now it's much easier to do and manage. And as far as I'm concerned now, there's really no excuse for organizations not to be doing this.
Right. And I fully agree. So encryption is increasingly important. And we omit the complete discussion around cryptographic mechanisms that look at the post-quantum era, etc. There will be encryption that will have to be strong enough and it will be in a way that it is not breakable by even stronger computers. So encryption will be there for a longer time. We've been talking now about preventing access to the data by adversaries, by people who are really malicious and what other kinds of protections could we think of maybe the loss of data?
Well, you're right. You're absolutely right. So, again, something that's absolutely fundamental, but that is, again, not handled very well, is regular backups. Regular backups of important data have always been important, but I think ransomware in recent years has made it more important than ever. And indications are that ransomware is not going anywhere. It's a great cybercriminal business model. It's easy to do, it's easy to deploy and it makes money. So now regular data backups are vitally important. Obviously, they have to be offsite. You don't want them on the same systems that are also encrypted by the ransomware attackers. So in any budding, in any system failure or data loss, backup and recovery measures can ensure that data is recoverable and will prevent permanent data loss. Regular backups will also ensure that the data is not lost due to accidental deletion or other technical issues. So, you know, people make mistakes, things get deleted by mistake. So I guess in some circles you would refer to that as insider threat. And again, it's not as common as you would expect. It must be done properly, as I said, regularly, the data must be, the backups must be held offsite. And then the all important thing is, the recoveries must be tested. I have often heard of stories where companies say, well, yes, we back up our data, but we had an incident and we didn't get our data back because the recovery process didn't work very well.
Right, exactly. That's not something that our colleague Mike Small has pointed out in several of the earlier episodes. The only way to make sure that your backup plan, including the backup procedure and the recovery of data, is complete when you have tested it. This is really the important part when it comes to a trustworthy backup strategy. And you mentioned malware, you mentioned ransomware. So that goes hand-in-hand with treating data, treating systems properly. What would be then one key for you to look at when it comes to protecting data from hostile access?
Well, in this context, I think employee training or training of users is incredibly important. I mean, we've been talking for years about end users being the first line of defense. And I think it's true. I mean, it goes around in cycles. This becomes a popular topic and then it fades out again. But it remains still important and I think it can be overlooked, which is unfortunate. It's essential to educate employees about the importance of data security. I think the organizations that are successful are the ones that bring it home to their employees, just how important data is to their organization and what a loss of data could mean to their organization and to them indirectly. I mean, if the organization were to fold, they would be without a job. So I think employees need to be aware of how to identify things like phishing emails. They need to know how to use passwords safely if they're still using passwords, but hopefully their organizations are migrating onto passwordless solutions and how to protect sensitive data, know what it is and how to handle it properly. Because at the end of the day, their organization could be relying on them. Everybody has a role to play.
Absolutely. And we have been thinking back to other episodes before, and now I do it again. I look back to an episode that I did with Martin Kuppinger about this common saying that the weakest link is the employee and that they need to be trained and they need to be prevented from doing that role. And he was completely contradicting because he said, if there is a system that allows you to click on the wrong link, if there is a system that allows you to have a password that can be just stolen and reused by somebody else, then the problem is not the employee but the password. So there need to be systems that help employees in protecting them from doing something wrong because technology is weak. And that I think is your fifth element as well. So to prevent people from doing things wrong?
Yes. So I've just completed a Leadership Compass on Data Loss Prevention or Data Leakage Prevention systems and I found it really interesting because I've heard the opinion that DLP is kind of passé or outdated or whatever, and I completely disagree because it's a fairly vibrant marketplace. There are lots of vendors offering DLP, and for the reasons that we've been talking about, looking after data is important and also supporting people who are working with data is also essential in organizations where data is kind of the lifeblood and the new currency in these days and time. So DLP software is an essential tool that can prevent data loss or leakage by identifying and monitoring sensitive data. It can prevent breaches by monitoring and controlling access to sensitive data, and then also by detecting and preventing data leaks through various channels. I mean, now people are communicating through social media. They are communicating through messaging channels and all these things. These are all ways that data can be slipping out of an organization. And so unless you are monitoring them and they've got means to enforce controls around them, you're not dealing with all the risks there. And so as far as I'm concerned, DLP technologies remain relevant, and particularly because of this increased reliance on IT, the expansion of the attack surface, because now we are adopting cloud based and mobile computing. That means that never before has it been as important for organizations to ensure that sensitive data is not lost or misused, mistakenly deleted, as we were talking about earlier, or accessed in some unauthorized way.
Right, and this is a topic that I see in various areas that we see technologies that are around for quite a while and which seem to be something like bread and butter and not really that sexy and not really that important anymore, are important. And they still remain important. And they need to be done properly because this is the groundwork to be done. When we look at DLP, this usually for me is something that is looking at the data getting lost to the outside. But I think as we all know from when we look from a cybersecurity perspective, the main threats can be inside the boundaries of an organization. It's not necessarily anymore this traditional, yeah, firewall, home base security approach, but nevertheless, it's the insider to protect from. Do DLP solutions help there as well?
Absolutely. And in fact, some of the what I consider to be the kind of new generation or the latest generation of DLP products, is an increased focus on insider threat and some DLP solutions, I think that that is their main focus. It's all around making sure that nothing gets inadvertently leaked and that insiders, those systems are monitored. And as I mentioned, all the various channels that people are communicating via these days, those channels need to be monitored and that also relates back to the employee education piece because a lot of DLP solutions will not sort of simply just block things, but will pop up information, will provide links, and they have a role to play in this whole education process where they inform users that what they're doing may be risky from a data protection point of view and can tell them what the better data protection practices are and how to manage data in a better way.
Okay, that sounds like assistance. That sounds like AI, machine learning. Is this making its way into that area as well?
I think ML is making its way into just about every technology. I mean, you know, they're just... human beings aren't able to process things at the scale and are not able to correlate things the way that the machine learning models can. And so there is a lot being done on the kind of, also on the classification side, because that's one of the things that DLP incorporates now, then it’s not only discovery of data that people may not even necessarily be aware is sensitive, may not be aware of where it is, but also is kind of automatically classifying it. Because again, for years we've been saying, you know, you can't protect sensitive data if you don't know what sensitive data is necessarily, or you don't know where it is. So I think ML is being used greatly in that area.
Okay. So this is obviously an innovation in this allegedly boring market of DLP. Is there other innovation that you would like to highlight?
Yeah, I think innovation in DLP is sort of characterized by, we already alluded to it, is the support for a wide range of communication channels, both in terms of coverage and use for alerts. So that, you know, teams can get alerts on Slack for example now, it comes directly to where they're working, where they're sort of working on a day to day basis rather than them having to look for it elsewhere. Also, there is a lot of automation now happening to prevent things from happening, you know, automatically just preventing people from emailing out data, just saying, you know, this is a risky behavior, it's being blocked for these reasons. Then we also see things like the use of data fingerprinting algorithms, where, you know, even if people change file names, so now we're talking about the malicious insider, even if they change the name of a file and call it “holiday pictures” when it's kind of blueprints or whatever. The data fingerprinting algorithms can send an alert, this is the same data that I classified as being sensitive. This shouldn't be leaving the organization. Also the ability to examine encrypted data. So, you know, if you try, if a malicious insider is trying to encrypt data and push it out, these DLP systems can still look at it and identify it as being sensitive data that shouldn't be leaving the organization. And you mentioned it earlier, there is now more support for post-quantum encryption standards. A lot of the organizations are also looking at what they're doing with this kind of awareness, which is great. Obviously, we've got more support for software as a service and infrastructure as a service environments, as people go more onto cloud services. And we also see use of behavior analytics more than perhaps in the past. I've already mentioned the focus on insider threat management, and then we've also mentioned the use of machine learning.
And then where I see, from my Leadership Compass, the research has shown that where we're going next is improving the ease of use by adopting a more user or customer centric approach to feature developments. So, you know, across the whole software industry is this greater focus on the user experience and DLP is no exception. And then also at reducing the complexity around DLP policy creation and management. This has traditionally been an area, a challenging area, and this is where the more advanced solutions are going, is they're looking to support that. Obviously, interoperability and support for operating systems is another important area and I think we're just going to go on expanding the use of ML and other AI technologies to improve the detection capabilities of both external and internal threats. So yeah, quite a lot of innovation in this area.
That sounds interesting. When we look at the deployment model, are there any solutions that still rely on-premises or are they all delivered from the cloud or what is the trend here?
There are none that rely on being on-prem. I mean, some, you know, have agents that are deployed on-prem. But the general move is obviously to cloud, as you say. But I think most of the vendors are concentrating on providing flexibility so that organizations can choose. They have a choice. So they can have a hybrid deployment or they can be all in the cloud, whatever kind of suits them, and what their on-prem situation is like.
Right. So if we summarize today's discussion, our talk right now, you've mentioned the top five mechanisms to protect data from access by evils or not wanted people. So that's access control, that’s data encryption, that's regular backups, that's employee training. And it's DLP. So DLP, we've learned, is still relevant. And as it is relevant, we encourage our audience to head over to kuppingercole.com, pick up your Leadership Compass around DLP Solutions and learn more about that. About the innovations that are there, but also about the basic functionalities to protect them from losing their crown jewels. Whether or not you call them that way, data is to be protected. Any final words from your side before we close down? When it comes to talking about DLP, what was most striking to you?
Just how good it's getting and how comprehensive it is and how a lot of the things that we, the points 1 to 4 that we spoke about are being rolled into DLP, so DLP is a really good starting point for data protection because it's doing your data discovery, it's doing your data classification, it's doing your insider threat management and all those important things. It's enforcing the principle of least privilege. So a lot of the basics are being taken care of, or at least supported by these kind of new generation DLP Solutions.
Right. Thank you very much, Warwick, for being my guest today. That was really interesting, far from being boring. And protecting your data is still a challenge for many organizations, as I've learned. So thank you and talk to you soon again and maybe see you in Berlin for the EIC.
Absolutely.
Thank you. Bye bye.