VMblog Expert Interview: Guillaume Montard of Bearer Talks Protecting Data and the Data Security Problem


Security consumes more and more of enterprise IT budgets, even as more workloads move to the cloud. Zero Trust, pioneered by Google after a massive breach by a nation state many believe to be China, is a promising start. What more should a company do? I recently spoke to Guillaume Montard, the CEO of Bearer, a data security startup that announced $4 million in additional angel funding last month. He sold his previous startup and ran engineering at the acquiring company, Skillsoft, overseeing a staff of hundreds of engineers. He thinks developers are the answer. But to shift left, as the saying goes, it's critical that organizations avoid adding to the workload of overwhelmed developers. The solution needs to remove friction - not add more work - while also ensuring that shipped code better protects data.

VMblog:  What is the problem Bearer is solving?

Guillaume Montard:  The next frontier in security is data, especially sensitive data. Sensitive data is what organizations don't want to see leaked or breached. This includes PHI, PII, PD, financial data. Sensitive data, if breached, carries real penalties. Those penalty costs are tangible - such as GDPR fines (€10m or 2% of annual revenue), FTC fines (e.g. $150m against Twitter), legal fees - and intangible harm such as loss of customer trust (e.g. Chegg exposed data belonging to 40 million users), restructuring pain, and so much more.

VMblog:  What's wrong with how organizations protect data today?

Montard:  Data security technology today overly embraces bolt-on approaches. For example, look at identity management to verify who's who. These approaches contain inevitable points of failure. Once authorized by identity management, users typically have carte blanche to access important data with minimal constraints. We wondered what would happen if you made data the center of the security universe? Let me acknowledge that data is a weird concept by itself in security. Data doesn't exist in a vacuum. Contrary to what EU lawmakers may think, if you've struggled to comprehend and abide by GDPR, you know that data is tightly coupled to many systems. Data is processed, essentially stored, copied, modified, transferred by and between systems. At every step, the vulnerability potential increases. That's because the systems associated with them are vulnerable, not because the data is.

VMblog:  How do you tackle the data security problem?

Montard:  We call our approach data-first security. We make data the center of the security universe. If you think about it, the concept is simple. Instead of focusing on every system individually - without any knowledge of the data and links between them - we start with data, and then pull the thread. Is sensitive data involved in chatty loggers? Is data shared with non-authorized third parties? Is data stored in S3 buckets missing security controls? Is data missing encryption? The potential vulnerabilities list is long. The challenge with data security is that data flows almost infinitely across systems, especially in a cloud-native infrastructure. In an ideal world, we should be able to follow the data and its associated risks and vulnerabilities across every system, at any time.

At Bearer, we strongly believe the best approach for a data-first security approach is to start at the beginning of the journey, following the shift-left security trend. Data-first security should start in the code. Considering the challenges associated with security and data, every security solution will have to become at least "data aware" and possibly "data-first" at whatever layer of the stack they exist. We can already see cloud security posture management (CSPM) solutions blending with data security posture management (DSPM), but will it be enough?

At Bearer, we think a data-first approach is associated with a drastic change in how security teams operate, thanks to DevSecOps, and the extension of their scope of responsibility with compliance-related activities - requiring more than just a "data coating".


Published Tuesday, November 15, 2022 1:00 PM by David Marshall