Quotes in this article have been lightly edited for clarity.
In this episode of Ternary Data's Monday Morning Data Chat, hosts Joe Reis and Matt Housley spoke with Yoav Cohen, cofounder and CTO at Satori, about how data security has evolved and why it remains such a challenge for organizations today.
The three discussed the security issues large organizations run into during data modernization and migration projects, why data engineers are a crucial part of a security program, and some strategies organizations can implement to balance securing sensitive data with ensuring its utility for analytics and AI.
Sensitive data is really sensitive
Data has a few inherent properties that make it especially difficult to keep secure. On a fundamental level, data can be copied, modified, and shared without leaving a trace. And when that data contains sensitive information about people, whether health, financial, or internet usage data, the stakes are far higher.
“If you think about it, data is even more dangerous than cash. You can go into my house, grab some cash, and then go and use it, and no one would know. With data, you can take a snapshot on your phone of my sensitive data. You don’t have to actually get a copy of the data itself.”
Companies whose business model runs on sensitive data can implement least privilege and restrict access as much as possible, but someone will always have access to it. Even well-meaning employees can be manipulated into abusing their privileges, for example by exfiltrating data at the direction of a social engineer.
The rise of data stewardship
In many organizations, data security is primarily managed by security teams, who don’t necessarily have the context needed to determine who should get access to what data.
But in recent years, there has been a shift towards the concept of data stewardship, especially in large organizations. Security teams still own the requirements, but they have relinquished much of their direct control over data they lack the context to manage. Ownership is instead distributed among the business units that have the context to approve access, so that, for example, the marketing department owns marketing data.
“It’s often the company’s domain experts who can identify security issues better than anyone else. It’s very hard to see all the possible attacks on your company or all the possible surface for data leakage from a command and control position in a security organization. But often, individual data engineers will say, ‘Hey, this Hadoop cluster we’re running on-prem, here’s a way that someone could attack it and exfiltrate data,’ or ‘Here’s a dataset that has sensitive data that’s old, no one’s paying attention to it, we really should do something about this.’”
Data scale is hard, data complexity is harder
A decade ago, data teams focused heavily on the explosion in data volumes that came with big data. Today's data warehouses and lakes have largely solved the scale problem; the challenge now is the growing complexity of data spread across multiple systems.
Security often takes a backseat in data projects
Large-scale data projects like data modernization or cloud migration tend to neglect security, simply because of the projects' overwhelming scale and complexity. Yoav suggests adopting data security tools with universality, that is, solutions that support the technologies you use today and can grow to support the ones you will adopt later. Many point solutions on the market support a single technology, such as one data warehouse, and leave the organization's other data stores out of the picture. A migration is never instantaneous: for its duration the data lives in both the legacy and the new system, and both must be secured at the same time.
Another suggestion is to adopt what Gartner calls late-binding security controls, such as dynamic masking. These controls make fine-grained policy decisions at the point of access, unlike early-binding controls such as static masking or encryption, which transform the data before it is stored. Late binding avoids creating multiple copies of the data at different security levels, and because the stored data stays usable for legitimate work, the controls are easier to adopt and more likely to be used.
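The following is an added illustration of that distinction in plain Python; it is not code from the podcast or from Satori. The customers table, the column classifications, the roles and the masking policy are all constructed for the example. The same stored rows are served to every requester, and the masking rule is chosen per request from the requester's role; a classified column that has no rule for the role is fully masked rather than shown, so a gap in the policy fails closed. The early-binding alternative is shown beside it as a function that materialises one masked copy per role.

```python
"""Late-binding (dynamic) masking applied at the point of access, beside
early-binding (static) masking that rewrites the data before it is stored.
Added example; the table, classifications, roles and policy are constructed.
"""
import hashlib

# Constructed customers table as stored: one copy, unmasked.
CUSTOMERS = [
    {"id": 1, "email": "ana@example.com", "ssn": "123-45-6789", "spend": 420.0},
    {"id": 2, "email": "ben@example.com", "ssn": "987-65-4321", "spend": 75.5},
]

# Classification is set by the data owner (the business unit), not by security.
CLASSIFICATION = {"email": "pii", "ssn": "pii_restricted"}

CLEAR = object()  # sentinel meaning "return the column unmasked"


def mask_full(_value):
    return "***"


def mask_email(value):
    user, _, domain = value.partition("@")
    return user[:1] + "***@" + domain


def tokenize(value):
    # Deterministic token: equal inputs give equal tokens, so joins and
    # GROUP BY still work without revealing the underlying value.
    return "tok_" + hashlib.sha256(value.encode()).hexdigest()[:12]


# Security owns the requirement (e.g. analysts never see restricted PII);
# the rule is evaluated per request instead of being baked into stored rows.
POLICY = {
    "analyst": {"pii": mask_email, "pii_restricted": mask_full},
    "support": {"pii": CLEAR, "pii_restricted": tokenize},
    "steward": {"pii": CLEAR, "pii_restricted": CLEAR},
}


def query(role, columns, rows=CUSTOMERS, policy=POLICY):
    """Late binding: read the single stored copy, mask for this requester."""
    role_policy = policy.get(role)
    if role_policy is None:
        raise PermissionError(f"no policy for role {role!r}")  # deny by default
    result = []
    for row in rows:
        projected = {}
        for col in columns:
            cls = CLASSIFICATION.get(col)
            # Unclassified column: clear. Classified column with no rule for
            # this role: fully masked, so a policy gap never leaks data.
            fn = CLEAR if cls is None else role_policy.get(cls, mask_full)
            projected[col] = row[col] if fn is CLEAR else fn(row[col])
        result.append(projected)
    return result


def static_masked_copies(roles, rows=CUSTOMERS, policy=POLICY):
    """Early binding: materialise one masked copy per role up front.
    Every copy is a separate dataset to store, secure and keep in sync."""
    columns = list(rows[0].keys())
    return {role: query(role, columns, rows, policy) for role in roles}


if __name__ == "__main__":
    for role in ("analyst", "support", "steward"):
        print(role, query(role, ["email", "ssn", "spend"]))
    print("static copies:", len(static_masked_copies(["analyst", "support"])))
```

Granting someone temporary access under this model means changing which policy row their request binds to, not producing another copy of the table; revoking it is equally a policy change, which is what keeps the approval workflow cheap.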
Yoav offered a few pieces of advice for anyone concerned about data security in their organization, undergoing a data modernization project, or migrating into a data warehouse or data lake.
Emphasize strong monitoring in your organization
Even in organizations with the strictest security, someone will always be able to access sensitive data. Your employees should know that their actions are being monitored and that misuse of data will be detected. Have a process in place that regularly reminds people of their responsibility for the data they handle.
“If I work at a company and I get an offer to exfiltrate data for a big sum of money, if I know there are no consequences to my actions, then I may consider it. But if I know there’s a good chance of my actions being detected and me getting caught, a sum like $50,000 won’t be enough for most people to lose their jobs or go to jail.”
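Monitoring only deters if it actually catches the exfiltration case Yoav describes, so the following is an added example of the kind of check that belongs in the audit pipeline; it is not code from the podcast or from Satori. The log format, the list of sensitive tables and the thresholds are assumptions, and the audit lines are constructed. Each query against a sensitive table is compared both to an absolute row ceiling and to that user's own history on that table, so a one-off bulk read by someone who normally touches a few hundred rows stands out even if it stays under the ceiling.

```python
"""Flag bulk reads of sensitive tables from a query audit log.
Added example; the log format, sensitive tables and thresholds are assumptions.
"""
import re
from collections import defaultdict
from statistics import median

SENSITIVE_TABLES = {"customers", "patients"}  # assumption: maintained by data owners
BULK_ROWS = 100_000   # absolute ceiling for a single read of a sensitive table
SPIKE_FACTOR = 20     # flag a read this many times the user's median on that table
MIN_HISTORY = 3       # reads needed before a per-user baseline is trusted

# Constructed audit lines in a key=value format; not in chronological order,
# as merged logs from several engines often are not.
LOG = """\
2024-03-04T09:02:11Z user=ana table=customers rows=120 action=SELECT
2024-03-04T09:40:03Z user=ana table=customers rows=95 action=SELECT
2024-03-04T10:15:47Z user=ana table=orders rows=3000 action=SELECT
2024-03-04T11:03:30Z user=ana table=customers rows=140 action=SELECT
2024-03-04T23:58:02Z user=ana table=customers rows=250000 action=SELECT
2024-03-04T09:12:19Z user=ben table=orders rows=900000 action=SELECT
2024-03-04T14:20:01Z user=ben table=customers rows=400 action=SELECT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) table=(?P<table>\S+) "
    r"rows=(?P<rows>\d+) action=(?P<action>\S+)$"
)


def parse(log):
    """Parse audit lines; malformed lines are skipped (a real pipeline counts them)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["rows"] = int(event["rows"])
        events.append(event)
    return events


def detect(events):
    """Return alerts for reads of sensitive tables that are bulk or out of
    character for the user. Events are sorted by timestamp so each baseline
    is built only from the user's earlier reads of the same table."""
    history = defaultdict(list)  # (user, table) -> row counts of prior reads
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["table"])
        prior = history[key]
        if e["table"] in SENSITIVE_TABLES:
            reasons = []
            if e["rows"] >= BULK_ROWS:
                reasons.append(f"bulk read of {e['rows']} rows")
            if len(prior) >= MIN_HISTORY and e["rows"] > SPIKE_FACTOR * median(prior):
                reasons.append(f"{e['rows']} rows vs typical {median(prior):.0f}")
            if reasons:
                alerts.append({"ts": e["ts"], "user": e["user"],
                               "table": e["table"], "reasons": reasons})
        prior.append(e["rows"])
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(LOG)):
        print(alert)
```

In the constructed log, ben's 900,000-row read of the non-sensitive orders table produces no alert, while ana's late-night 250,000-row read of customers is flagged on both grounds. Routing such alerts to the data's steward, not only to the security team, matches the ownership model described earlier: the steward is the person who can tell whether that read was expected.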
Make secure data access as easy as possible
If someone needs access to data they don't have, they must request it from whoever owns it. The process of requesting and granting access needs to be easy and intuitive enough that nobody is tempted to work around it. One example is building the access request workflow into Slack, so that even the friction of switching tools is removed.
“If you make it hard, people are just going to try and work around the system. They’ll get credentials from someone else, fiddle with the system, or otherwise try to get access from somewhere else. People are resourceful when they don’t want to do something, so make it easy for them.”
Avoid vendor lock-in
The landscape of data tools is constantly changing, and enterprise data stacks can look completely different within a few years. Avoid being locked into any particular vendor or feature so you can adjust quickly when new technologies and developments enter the market.
“Data teams really like to experiment with tools. We’re engineers at the end of the day and we like to tinker with new stuff, we like to pick the right tool for the right workload. We’re not necessarily big on the ‘one tool to rule them all’ mentality.”
This episode discussed a few reasons modern data security is so challenging for organizations, from a people and technology standpoint. During data migration or modernization efforts, companies may delay security due to the overwhelming scale of the project. At the same time, many security tools cater to specific data stores, creating gaps during transitions like cloud migration and introducing the risk of vendor lock-in. Additionally, data teams are aware of the tradeoffs between securing data and maintaining the velocity of engineering and analytics teams. Data masking and tokenization are essential for security and compliance, but they can impair the speed of analytics and AI.
Satori’s Data Security Platform provides flexibility across various data stores, supporting a universal, adaptable approach. Access requests become simple and intuitive, with integrations with tools like Slack to streamline access workflows and prevent workarounds. Satori also offers dynamic masking that can be adjusted based on the user’s needs, following a process that includes providing business justifications and obtaining approvals for accessing sensitive data.
To see if Satori can help your organization implement secure self-service data access, book a demo.