Security consumes more and more of an enterprise
IT's budget, even as more workloads move to the cloud. Zero Trust, pioneered by
Google after a massive breach by a nation state many believe to be China, is a
promising start. What more should a company do? I recently spoke to Guillaume
Montard, the CEO of Bearer, a data security startup that announced $4
million in additional angel funding last
month. He sold his previous startup and ran engineering at the acquiring
company, Skillsoft, overseeing a staff of hundreds of engineers. He thinks
developers are the answer. But to shift left, as the saying goes, it's critical
that organizations avoid adding to the workload of overwhelmed developers. The
solution needs to remove friction - not add more work - while also ensuring
that shipped code better protects data.
VMblog: What is the problem Bearer is solving?
Guillaume Montard: The next frontier in security is data,
especially sensitive data. Sensitive data is what organizations don't want to
see leaked or breached. This includes PHI, PII, PD, financial data. Sensitive
data, if breached, carries real penalties. Those penalty costs are both tangible -
such as GDPR fines (€10m or 2% of annual revenue), FTC fines (e.g. $150m against
Twitter) and legal fees - and intangible, such as loss of customer trust
(e.g. Chegg exposed data belonging to 40 million users), restructuring pain, and
so much more.
VMblog: What's wrong with how organizations protect data today?
Montard: Data security technology today overly
embraces bolt-on approaches. For example, look at identity management to verify
who's who. These approaches contain inevitable points of failure. Once
authorized by identity management, users typically have carte blanche to access
important data with minimal constraints. We wondered what would happen if you
made data the center of the security universe? Let me acknowledge that data is
a weird concept by itself in security. Data doesn't exist in a vacuum. Contrary
to what EU lawmakers may think, if you've struggled to comprehend and abide by
GDPR you know that data is tightly coupled to many systems. Data is processed,
essentially stored, copied, modified, transferred by and between systems. At
every step, the vulnerability potential increases. That's because the systems
associated with them are vulnerable, not because the data is.
VMblog: How do you tackle the data security problem?
Montard: We call our approach data-first security. We make data the center of the
security universe. If you think about it, the
concept is simple. Instead of focusing on every system individually - without
any knowledge of the data and links between them - we start with data, and then
pull the thread. Is sensitive data involved in chatty loggers? Is data shared
with non-authorized third parties? Is data stored in S3 buckets missing security
controls? Is data missing encryption? The potential vulnerabilities list is
long. The challenge with data security is that
data flows almost infinitely across systems, especially in a cloud-native
infrastructure. In an ideal world, we should be able to follow the data and its
associated risks and vulnerabilities across every system, at any time.
At Bearer, we strongly believe the best approach
for a data-first security approach is to start at the beginning of the journey,
following the shift-left security trend. Data-first security should start in
the code. Considering the challenges associated with security and data, every
security solution will have to become at least "data aware" and possibly
"data-first" at whatever layer of the stack they exist. We can already see
cloud security posture management (CSPM) solutions blending with data security
posture management (DSPM), but will it be enough?
At Bearer, we think a data-first approach is associated with a drastic change
in how security teams operate, thanks to DevSecOps, and the extension of their
scope of responsibility with compliance-related activities - requiring more
than just a "data coating".