Quotes in this article have been lightly edited for clarity.
In this episode of LEIT DATA’s Data Value Podcast, host Chris Tabb engaged with Eldad Chai, Satori’s co-founder and CEO, in a deep dive into the rise of the Data Security Platform, and what data teams should look for when evaluating solutions.
The two discussed how data security has evolved over time, the merits and pitfalls of RBAC and ABAC in specific situations, and how Data Security Platforms can help bring more peace of mind to both data and security teams.
Episode Highlights
Data security is constantly evolving
In recent years, security has become a more and more prevalent topic in business, making its way into the conversations of CEOs and board members. This includes data teams, who are increasingly responsible for keeping sensitive company data secure. The evolution of data security represents a significant journey from traditional approaches, such as securing data in vaults, to a more nuanced and proactive stance.
Initially, the focus was on fortifying data against breaches through physical and digital means. However, as the value and vulnerability of data increased, a reactive approach was no longer adequate. Companies like Check Point and Palo Alto stepped in with perimeter controls and cybersecurity solutions aimed at addressing this gap.
Yet, as data environments grew more intricate with the emergence of data warehouses, lakes, and more diverse use cases, the limitations of point solutions became apparent. This realization eventually led to more comprehensive data security platforms like Satori. The modern data platform was shaped by two aspects:
- Instead of an ever-growing number of point solutions, companies need one platform that’s cost-efficient, intuitive to use, and allows data teams to access their data easily.
- Privacy principles have been integrated into data security frameworks. It’s no longer sufficient to merely classify data as sensitive; there now needs to be an understanding of the business purpose behind data access. This paradigm shift acknowledges that legitimate data usage aligns with organizational objectives, while unauthorized access poses risks and potential legal consequences.
“Privacy teams came in and said, ‘We don’t really care if someone has a role, or whether it’s the right data or the wrong data. What we really care about is what’s your business purpose. If you have the right business purpose, you can access data, you can show it to the privacy committee and they’ll approve it.’
That pushed companies to look at platform-based solutions to solve their data security problems, beyond just the technological level. The question has become, ‘How do we internalize the business purpose concept, moving beyond the technical level and asking what each person is actually trying to do with the data?’ And that’s where the new generation of data security platforms like Satori move beyond just automating RBAC or ABAC.”
RBAC and ABAC are approximations
When we talk about Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), we’re essentially discussing the frameworks used to manage data access within organizations. RBAC operates on predefined roles, determining who gets access to what based on their job function, while ABAC factors in additional attributes like location and time. These models have been quite effective in more straightforward setups, where there’s a limited number of users and applications.
However, as data ecosystems have become more complex, especially with multiple data sources and evolving compliance requirements like GDPR, the scalability and adaptability of RBAC and ABAC have come into question. That’s where solutions like Satori come in, advocating for a more dynamic approach to access control. Instead of tying access policies to specific applications or databases, Satori proposes an externalized system where policies are based on real-time usage monitoring, allowing for more flexible and granular control. So, while RBAC and ABAC have their place, they’re no longer sufficient for managing access in large-scale data environments.
“It doesn’t make sense to have your policy tied to the data. Why? Because these two things change with no connection to each other. Data changes because people need more data. They want to develop it, they want to transform it, they have new use cases. The policy can change because the European Union is evolving to GDPR 3. It doesn’t have any connection to the data, to the database. And it doesn’t make sense to try and now build a huge role-based access control policy and expect that to address your security concerns three months down the road. It’s not reasonable.”
Leadership needs to lead the way in data security
Promoting trust and collaboration with the security department is paramount, as it ensures the integrity and confidentiality of data assets. There’s a common issue where individuals simply focus on their assigned tasks, without considering the broader business goals. This is why it’s so important that leadership, particularly the CEO, sets clear objectives that align with the organization’s overarching mission, which typically revolves around profitability and maintaining a competitive edge in the market.
Eldad described how, while building Satori, the team engaged with data professionals to understand their metrics for success. Surprisingly, the key indicator they identified was the extent of data utilization across various teams and use cases on a daily basis. This metric signifies not only increased data-driven decision-making, but also enhanced operational efficiencies and business value generation. As a CEO, it’s crucial to recognize that investments in data infrastructure and talent won’t yield significant results if they don’t translate into tangible increases in data utilization and business impact. Thus, the focus shifts towards enabling teams to access and leverage data effectively. By standardizing data consumption practices and implementing robust security measures, organizations can create a conducive environment for innovation and the development of new products and services.
Key Takeaways
Eldad offered a few tips for data teams looking into introducing a Data Security Platform, so they can maximize the value they’re getting out of their data.
Focus on datasets over roles and people
Eldad described how, when Satori was first being built, the team implemented the logic with a focus on data sets rather than roles and people. Instead of having organizations define rigid roles in advance and then ask what each role needs access to, they set rules on the data set itself. Customers can define access levels and set masking policies based on each level, applying additional RBAC and ABAC rules. This allows admins to significantly reduce their policies, often by up to 90%.
“In specific industries like healthcare and finance, the higher the stakes, the more complex the policy. In these organizations, they care about the data for sure, but it’s really the regulator that’s breathing down their neck and saying, ‘Do you have these controls, show me the audit, run a query to the table, show me that the policy is actually being enforced.’
Especially in financial organizations, there’s a lot of sharing information between customers and deal teams in ways that are pretty complex to achieve. People change, the data being stored and its schema changes, so don’t focus on those, focus on the data set. And the concept of the data set is really, really powerful at Satori, and this is how we remove a lot of that complexity.”
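A minimal sketch of the dataset-centric model this section describes, added here as an illustration; it is not Satori's code or API, and every name and sample value in it is hypothetical. Grants attach to a dataset and an access level, carry a business purpose, and may add role (RBAC) and attribute (ABAC) conditions, while masking follows the level.

```python
from dataclasses import dataclass, field

MASKERS = {  # masking profiles, chosen per access level
    "clear": lambda v: v,
    "partial": lambda v: v[:2] + "*" * (len(v) - 2),
    "redact": lambda v: "****",
}

@dataclass
class Dataset:
    tables: set      # locations the dataset covers; changes as data evolves
    sensitive: set   # column names that get masked
    levels: dict     # access level -> masking profile name

@dataclass
class Grant:
    dataset: str
    level: str
    purpose: str                                # business purpose, kept for audit
    roles: set = field(default_factory=set)     # RBAC condition (empty = any)
    attrs: dict = field(default_factory=dict)   # ABAC condition (empty = any)

def decide(user, table, datasets, grants):
    """First grant whose dataset covers the table and whose conditions match."""
    for g in grants:
        if table not in datasets[g.dataset].tables:
            continue
        if g.roles and not g.roles & user["roles"]:
            continue
        if any(user["attrs"].get(k) != v for k, v in g.attrs.items()):
            continue
        return g
    return None  # deny by default

def read_row(user, table, row, datasets, grants):
    g = decide(user, table, datasets, grants)
    if g is None:
        raise PermissionError(f"no grant covers {table}")
    ds = datasets[g.dataset]
    mask = MASKERS[ds.levels[g.level]]
    return {c: mask(v) if c in ds.sensitive else v for c, v in row.items()}

# Constructed sample data (hypothetical names throughout).
DATASETS = {"customers": Dataset({"crm.contacts", "dw.customers"}, {"email"},
                                 {"full": "clear", "analytics": "partial"})}
GRANTS = [
    Grant("customers", "full", "fraud investigation", roles={"fraud"}),
    Grant("customers", "analytics", "churn reporting", roles={"analyst"}, attrs={"region": "EU"}),
]
ANALYST = {"roles": {"analyst"}, "attrs": {"region": "EU"}}
ROW = {"id": "17", "email": "ana@example.com"}
```

Adding a table to the dataset's `tables` set extends coverage without touching any grant, which is the decoupling of policy from data that the section argues for.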
Prioritize reducing friction in the data access process
“When my wife and I were trekking in Nepal, one of the people we met there told us, ‘I have this friction in my shoe. It’s not that bad, but I don’t know. Should I go back?’ I told him he had to go back and get the right shoes, because it may look insignificant now, but it’s going to get worse later on. But they didn’t, and then a week into the trek, they went back. They had an infection in their leg. And when you think about a large-scale environment, with terabytes of data being used, ingested, and processed, every small thing matters. You have to remove that friction.”
The term “friction” encompasses the time, complexity, and effort involved in data pipeline creation, and it’s critical to reduce it in every possible task. From his experience working with numerous companies, Eldad described the trap they often fall into, where they underestimate the cost of small inefficiencies. On the scale of one or two tables, a small amount of friction really isn’t a big deal, but the time adds up significantly when you get to the order of thousands of users or data points. When it comes to data access, a lot of friction comes from data engineers having the burden of managing and enforcing security policies. Satori’s driving principle is to reduce friction for data owners and consumers, by introducing automation, creating real self-service data access, and centralizing access management across multiple data stores and cloud platforms.
Conclusion
This episode discussed a few ways that the latest generation of Data Security Platforms enable businesses to get more value out of their data, with less friction. Security is no longer a function of just security teams – data engineering and management, as well as DevOps teams, now share the responsibility for keeping sensitive customer data secure. Having a single platform to manage sensitive data across the entire data stack allows data engineers to work on critical projects instead of wasting time on manual access control and compliance projects. On the other side, the ability to create a self-service data culture has the potential to enable innovation on a massive scale. Being able to access and use data can be a huge competitive advantage, allowing different teams to respond to customer needs more quickly than the competition.
Satori’s Data Security Platform provides flexibility across various data stores, supporting a universal, adaptable approach. Access requests become simple and intuitive, with integrations with tools like Slack to streamline access workflows and prevent workarounds. Satori also offers dynamic masking that can be adjusted based on the user’s needs, following a process that includes providing business justifications and obtaining approvals for accessing sensitive data.