Storage security used to be about hardware, says DataGravity's Paula Long, but the data is what is most at risk. Firms need more visibility into their data to better protect it.
Security pros, says DataGravity cofounder Paula Long, have a mantra of Zero Trust. Storage pros continue to "focus on speeds and feeds, and, when data protection comes up, they talk about improved backup and disaster recovery." This is according to Long the "traditional definition of data protection." But it's the data, she insists, that is most at risk — not hardware failure. That's what hackers and rogue insiders are after.
What is needed, and what her firm has engineered, is a non-invasive way to monitor storage for security risks. Storage and security pros don't always see eye-to-eye, but both "want to do the right thing." Enterprises need a holistic IT security plan, and that starts with some data demographics to know what you actually have in storage.
Long, a veteran tech entrepreneur, launched DataGravity a year ago with cofounder John Joseph. The firm's goal is to move storage technology forward. DataGravity's main solution, the Discovery Series, is a data-aware storage platform that permits customers to store, protect, and search their data.
In this email Q&A, Long also discusses the elements of robust IT security, how to get employees to support data security, and the DataGravity's priorities based on customer feedback.
TechRepublic: What is your view on the current trends in both the storage and security markets?
Paula Long: Security vendors are focused on the firewall, the network, and the endpoints with a mantra of Zero Trust. They have been creating sophisticated methods to identify and predict issues before they happen. They are also creating decoys (honey pots) to send to suspected bad actors.
Storage continues to focus on speeds and feeds, and, when data protection comes up, they talk about improved backup and disaster recovery. This is a very traditional definition of data protection. Your data is at more risk than just a hardware or site failure. It can be stolen, kidnapped (ransomware), murdered (malware), and/or misused. Traditional storage does not help protect against these more likely attacks on data. This will change, and DataGravity is leading the way.
TechRepublic: At your talk at the Privacy.Security.Risk conference in Las Vegas in September 2015, you noted that security and storage pros have not had the best of relationships. What would teamwork in the all-important task of data protection look like to you?
Paula Long: There are non-invasive ways to monitor and detect security issues at the firewalls and in the network. Once issues are detected, they can proactively be defended against. Unfortunately, storage, where the data lives, can't be monitored non-invasively with most technologies available today.
Policy-driven data security makes sense. What doesn't make sense is creating policies about the data without having some demographics on the data that is being stored and how it is being used. This has led to security policies on the data not being implementable or sustainable. Both teams want to do the right thing. To meet the security requirements, storage struggled to meet the needs of end users and applications. To protect data, security teams have struggled without the cooperation of the storage teams.
What needs to happen is a holistic plan. First, visualize the data you have. Review the information as a team, creating policies based on the information you learned. For example, executables should only be stored in certain places. All files on the finance share must be encrypted, and so on. If you aren't going to use a storage product like DataGravity that has built-in security features that don't impact normal production, create common-sense schedules that allow the security scans to happen timely enough to be as effective as possible but not so frequent that storage usage is impacted. When you do this, you are accepting some risk, since you don't have near-time coverage. Security is about evaluating risks, and deciding how and if to address them.
TechRepublic: How can data storage become part of a company's cyberdefense?
Paula Long: We built a new storage architecture that starts by providing a 360-degree view of your data. It lets you set up rules to define sensitive data exposure, suspicious data patterns, and end-user behaviors. It allows you to be proactively alerted on this and provides built-in defenses. The defensive techniques will get more sophisticated over time.
For example, if the storage system sees an unusually high spike in writes, it will take a backup (behavioral-triggered backups). The anomalous activity could be a sign of ransomware. Taking this proactive backup will let you drill into who was patient zero and help you repair the damage, as well as identify suspect user behavior and address this as well. DataGravity collects information about people, content, and activities across time and allows you to create rules to detect issues and policies to defend against them.
TechRepublic: Building on that, what does comprehensive, robust IT security look like to you? What are the necessary elements?
Paula Long: Start with the assumption that your IT infrastructure is under siege. The most desired objects to steal are your company's data. This data has significant value, whether it's customer information, employees' personally identifiable information, company intellectual property, or financial information. Build a plan that makes it difficult to get to the data, but assume in your plan the data will be vulnerable. Look at products that are data-aware from companies like Palo Alto Networks for next-generation firewalls, Bit9 for endpoint detection, and DataGravity for storage.
Also, you need the ability to rapidly identify how a data theft occurred, what was exposed, and how to limit that exposure.
TechRepublic: What should enterprises do to have all employees actively supporting data security polices? What are the benefits of doing so?
Paula Long: Educate your team to think of data as a valuable company asset that is at risk of being stolen and misused. This may seem obvious, but people don't think this way.
It's simple things, like being aware of how you are moving and sharing data. You can easily move sensitive data from a database or spreadsheet that was secure into a document or location that isn't. To have a data breach, someone needs to find data worth stealing. Let's make this a little harder. The benefit of this strategy is that when there is a breach, there won't be much found worth taking.
Be aware of the links you are clicking on. It is very easy to get fooled and find yourself a victim of ransomware. If you don't know the sender, don't click on the link.
Don't move your corporate data to your public sync-and-share account. This could put that account in scope for audits and can cause you and your company grief.
TechRepublic: My interview with you and John Joseph, when you were launching the Discovery Series, was just over a year ago. I'm curious — what is your take on the path you've covered over the past year, and where DataGravity is headed?
Paula Long: When we started DataGravity and announced data-aware storage, we introduced four pillars in the next-generation storage infrastructure: search and discovery, integrated backup with instant granular recovery, data security, and storage. Our customers have told us they are most interested in behavior-based backup and data security. While they are interested, in the future, in using their existing data to improve their business, their first priority is to secure and protect their data.
We continue to keep our customers in the forefront of all that we do. Based on their feedback, while you will see us continue to build out all four pillars, we'll be focused on behavior-based backup and data security as priorities.
TechRepublic: Based on your experience, what does it take for an enterprise tech startup to make it in the current marketplace?
Paula Long: There are a lot of copycat companies right now, with marginally better solutions from each other. Many do not have sustainable differentiation, and some don't even have differentiation customers care about. To be successful, you need to solve a real problem that isn't already being addressed. This is risky, since you will be opening a new category and will need to take on the task of market education and solution provider. It is easier to follow someone else to get to initial success, but difficult to scale this way into a successful company.