Symmetry Systems is a provider of cutting-edge Data Store and Object Security (DSOS). This week, the company emerged from stealth only a year after raising $3 million in seed funding. Its flagship solution, DataGuard, provides what the company describes as unified visibility into data objects across all data stores, answering data security and compliance questions that traditional tools cannot.

To better understand the company and the problems it is addressing, VMblog reached out to Mohit Tiwari, CEO at Symmetry Systems, to learn more.
VMblog: Not many professors are willing to give up a tenured professorship to develop an unproven startup. How did you come up with the idea to launch Symmetry Systems?
Mohit Tiwari: UT Austin loves it when its research makes it into the real world, and my colleagues have co-founded companies on everything from full-duplex radios to robots in hospitals. Therefore, it was natural for our team to also think about practical impact.

Symmetry's DataGuard helps a small team of security engineers protect data across a large organization. Our research lab has worked on data-centric security for more than a decade, and over time kept getting pulled into collaborations with regulated industries where security was blocking innovation.

In all cases -- a hospital, a major defense contractor, a cloud-services provider -- the problem was that every application or containerized service had to be hardened to get it over the security and compliance hurdles. Small flaws or exploits could mean major data breaches, and that meant (for example) the hospital couldn't use great collaborative tools to care for complex-case children because they weren't HIPAA-compliant.

Our goal, and the goal of our entire research area, is a platform that directly secures data, even if applications and identities are exploited, and that, as a result, becomes the focus of compliance and security evaluations.

We met our investors at Forgepoint and Prefix last year, who introduced us to 50+ security teams, and we've been very fortunate to have had their feedback while building DataGuard as the first step towards a data-security platform.
VMblog: Symmetry Systems delivers Data Store and Object Security (DSOS). Can you tell our readers what that means, in simple terms?
Tiwari: DSOS is about measuring data risk and improving it systematically.

Consider a team that maintains data stores (such as S3, RDS, etc. on Amazon AWS) that are used by hundreds of applications or micro-services in the organization.

This team needs to map out how sensitive data is used (including PCI, PHI, or PII data, but user data broadly), and focus security 'pen'-testing, compliance reports, auditors' attention, etc. towards the most risky data and applications.

The infrastructure security members need to know data flows to reduce the blast radius of compromised applications and identities. Security teams will also have to respond to an incident -- to precisely determine the data spilled from a potential breach -- with very little time.

More strategically, a security architect or executive has to prioritize quarterly initiatives to safeguard data -- without visibility into and across all data stores, security teams can end up navigating blindly.

DSOS is thus a focused set of problems for a customer. It requires understanding data stores and objects' attributes, permissions, and usage patterns. DSOS admits several types of solutions -- you could build a code-analysis-based 'shift left' solution, a 'paved path' production-infrastructure solution, focus only on service meshes or a family of applications, etc. As long as the interfaces are open and customers can answer the above questions, the DSOS gods will be happy.
VMblog: The company has launched a product called DataGuard. Could you tell us more about the vision behind DataGuard?
Tiwari: DataGuard effectively creates "firewalls" around all your data objects. Firewalls are a metaphor for a range of detection and protection measures (rule- and behavior-based) that have to be re-thought for data stores and objects in the cloud.

We designed Symmetry DataGuard for data stores in a hybrid cloud. Amazon S3 is such a different beast that it has a reputation of being hard to secure, but there are production data stores (SQL, NoSQL, caches, queues, ...), analytics data lakes, etc. that contain sensitive data and talk to the internet. And each data store exposes a different set of knobs -- encryption, access control, etc. -- that are hard to set up and keep synchronized. So being able to scale -- operationally -- across data stores was a major goal.

The other big design goal was to build it for security engineers who guard data stores (vs. making developers label data and re-write authorization logic). This was inspired by the paved path model that Netflix has pioneered for building cloud services, and it drives data-related security and compliance. Clearly, this also means DataGuard will not address application-safety questions -- i.e., if your check-scanner service breaks, your bank balance will have an error; DataGuard will, however, help ensure someone else's malicious check-PDF will not breach or ransom your data.
VMblog: DataGuard was fine-tuned based on feedback from more than 50 CISOs and security practitioners. How important was this feedback in the development of the product?
Tiwari: This feedback has been critical -- several practitioners used "data firewalls" as a metaphor for their goals.

Their feedback has helped with strategic decisions like deciding on a persona to build for or picking between a cloud-native or hybrid-cloud deployment, and with many tactical choices about workflows for IAM or security-operations teams.

A key lesson across the board was that business risk is a huge barrier to adoption. For example, putting in-line defenses is risky and has to be justified to the engineering and business teams with RoI and reliability metrics (a chicken-and-egg situation). We had an in-line storage side-car when we spun out of UT Austin, but learned quickly that it is only one of many (and often not the best) ways to protect a specific data store or object. Personally identifiable information (PII) classifiers, users' context, etc. are all statistical measures, and enforcing a statistical policy will almost certainly edit out legitimate business usage.

Instead, you can start with DataGuard in a few minutes with just the auditor role; then add more permissions (read-only access to data stores and their access logs) to create data firewalls using IAM or detection logic. As patterns settle down, they can be moved into an 'intrusion prevention'-like system.
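The staged approach described above (learn legitimate access from read-only access logs, then alert on deviations before ever blocking anything) can be sketched in code. The following is an added example, not Symmetry's or DataGuard's code: it assumes the S3 server access log layout, a constructed baseline of which IAM identities legitimately read a sensitive bucket, and constructed log lines; it flags reads by unbaselined identities and totals bytes read per identity so an incident responder can scope what was spilled.

```python
import re
from collections import defaultdict

# Leading fields of the S3 server access log layout: owner, bucket, [time], ip,
# requester, request id, operation, key, "request uri", status, error, bytes sent.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<reqid>\S+) (?P<op>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d+) (?P<error>\S+) (?P<bytes>\S+)'
)

# Baseline learned during the read-only review phase (constructed values):
# which identities legitimately read which sensitive bucket.
BASELINE = {
    "patient-records": {"arn:aws:iam::111122223333:role/ehr-app"},
}

# Constructed log lines, not real traffic. Lines 3 and 4 come from an identity
# the baseline has never seen reading patient-records.
SAMPLE_LOGS = [
    'o1 patient-records [10/Oct/2023:13:01:00 +0000] 10.0.1.5 arn:aws:iam::111122223333:role/ehr-app R1 REST.GET.OBJECT chart1.pdf "GET /chart1.pdf HTTP/1.1" 200 - 4096 4096 12 11 "-" "ehr/1.0" -',
    'o1 patient-records [10/Oct/2023:13:02:00 +0000] 10.0.1.5 arn:aws:iam::111122223333:role/ehr-app R2 REST.PUT.OBJECT chart2.pdf "PUT /chart2.pdf HTTP/1.1" 200 - - 8192 20 18 "-" "ehr/1.0" -',
    'o1 patient-records [10/Oct/2023:13:05:00 +0000] 203.0.113.9 arn:aws:iam::111122223333:user/contractor R3 REST.GET.OBJECT chart1.pdf "GET /chart1.pdf HTTP/1.1" 200 - 4096 4096 15 13 "-" "aws-cli/2.0" -',
    'o1 patient-records [10/Oct/2023:13:05:30 +0000] 203.0.113.9 arn:aws:iam::111122223333:user/contractor R4 REST.GET.OBJECT chart2.pdf "GET /chart2.pdf HTTP/1.1" 200 - 8192 8192 16 14 "-" "aws-cli/2.0" -',
]


def parse(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # "-" means no body
    return rec


def detect(lines, baseline):
    """Return (alerts, bytes_read): alerts are object reads of a baselined bucket by
    an identity outside its baseline; bytes_read totals bytes served per identity."""
    alerts, bytes_read = [], defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["op"] != "REST.GET.OBJECT":
            continue  # only reads can spill data; writes are tracked elsewhere
        bytes_read[rec["requester"]] += rec["bytes"]
        allowed = baseline.get(rec["bucket"])
        if allowed is not None and rec["requester"] not in allowed:
            alerts.append((rec["bucket"], rec["requester"], rec["key"], rec["bytes"]))
    return alerts, dict(bytes_read)
```

Because the rule only alerts, a false positive costs a triage ticket rather than an outage; once the baseline is stable, the same predicate can be moved into an IAM condition or a blocking control.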
VMblog: It has become increasingly challenging for organizations to protect their sensitive data. What are some of the biggest challenges you are helping companies address?
Tiwari: Understanding their data stores to specifically drive down the risk of breaches or ransomware, and keeping this information handy to drive penetration tests (security evaluations) and compliance checks.
VMblog: Who is the target audience and user for DataGuard?
Tiwari: Security teams, especially those who have to protect cloud-based data stores such as S3, RDS, RedShift, or MongoDB on AWS and similar stores like BigQuery on Google Cloud.

In smaller teams, fewer than 100 engineers for example, the security engineering role is informally shared by developers or infrastructure engineers -- DataGuard can amplify these engineers' output.
VMblog: Finally, what can we expect from Symmetry Systems in the coming months?
Tiwari: We are heads down building DataGuard with our design partners and will be adding 1-2 organizations each month into pilots over the next 4 months. In parallel, we'll share more of our work, especially about open interfaces so that organizations can tailor their defenses without fragmenting them.